52.247.175.244 (MB FP)


Solved by thisisu

Malwarebytes Website Blocking False Positive Report

Reported By

Christian Boynton, CIO at LensLock, Inc.

Reporting Date

Nov. 13, 2020

Backup Servers / Other Affected IPs

  • 52.247.175.244
  • 52.247.170.110
  • 52.247.170.82
  • 52.247.170.209
  • 52.247.172.3
  • 13.72.23.59
  • 52.227.155.240
  • 52.227.136.127

Affected Hostnames/URLs

  • hxxp://portal.lenslock.com/
  • hxxp://lenslock-app-prod.azurewebsites.us/
  • hxxp://mppd.lenslock.com/
  • hxxp://lenslock-app-mppd.azurewebsites.us/

Search for Pre-Existing Post

This task is complete. No duplicate posts exist for any of our provided IPs in the Website Blocking forum.

Excerpt of Protection Log

Our customers have not provided log files. However, many customers are affected. We are attempting to gather logs from our customers at this time.

Issue Summary

Our users with Malwarebytes OEM software or derivative off-brand builds (utilizing the Malwarebytes engine and definition files) are experiencing web browser errors. They cannot access our site. The browser indicates the URL timed-out. After disabling the Malwarebytes website blocking services, our sites are accessible again. Systems on the same network without Malwarebytes services installed are not affected.

Requested Resolution

Please delist our stated websites and IP addresses from your list of malicious websites. We personally know and work closely with our customers and have no intention of harming them or their staff. If possible, we want to understand why our sites are on the malicious website list. Thank you for the assist! 

  • Staff
  • Solution

Ok I found the issue. There was a parent block active due to a phish - https://www.virustotal.com/gui/url/aa280b901f78db08d76fdc28f0bdc5c9cebc0a3448233b85b8346a6327d87946/details

I've removed the block which should be reflected in our next database update. Thanks for your patience and for having the site cleaned. Let us know if there are any other outstanding issues.

Regards


Thank you for the sleuthing @thisisu and also @Porthos. Though, we might be dealing with multiple issues here.

The IP 162.241.158.222 given by VirusTotal hosts our production marketing website and is operated by a third-party. I believe that some other unrelated marketing sites are also hosted by that IP. It was not in the original list of our affected IPs submitted here. That said, the marketing site may also be affected by this block. We are actively reaching out to the marketing firm to identify any issues. We are beginning a security review process on that site. Thank you for finding this!

Our customers reported some of the 8 IPs listed in the OP as inaccessible (they use the domain name and a controller selects from the IPs provided). We weren't aware that the marketing site was also unavailable.

  • Staff
In regards to the IP 162.241.158.222, it looks like there was a phish directly on the IP address : https://www.virustotal.com/gui/url/90c3bbad560580a2178af45d654f72d6e33f7171315e21b9969e0f5bf6a8fab3/details

We used to block it but it's an older block and an inactive phish and has since been removed from our database. Side note, all the IPs listed in the OP belong to Microsoft. We can't / shouldn't ever be blocking those. Little information snippet below for your reference

IP Address:   52.247.175.244
Network Name: MSFT
Owner Name:   Microsoft Corporation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IP Address:   52.247.170.110
Network Name: MSFT
Owner Name:   Microsoft Corporation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IP Address:   52.247.170.82
Network Name: MSFT
Owner Name:   Microsoft Corporation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IP Address:   52.247.170.209
Network Name: MSFT
Owner Name:   Microsoft Corporation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IP Address:   52.247.172.3
Network Name: MSFT
Owner Name:   Microsoft Corporation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IP Address:   13.72.23.59
Network Name: MSFT
Owner Name:   Microsoft Corporation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IP Address:   52.227.155.240
Network Name: MSFT
Owner Name:   Microsoft Corporation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IP Address:   52.227.136.127
Network Name: MSFT
Owner Name:   Microsoft Corporation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hope this helps. If you have any other domains you need checked let us know

Regards


@thisisu it seems that the security response to the marketing site breach here was to block *.lenslock.com, which has broken our email system and these other websites. Is this a standard practice in the industry to blacklist an entire domain and all its sub-domains when a breach is detected? This would be similar to a police department shutting down an entire neighborhood after detecting a crime was committed in one house. Was the rule automatically generated or manually created?

We're still dealing with this issue and will likely be dealing with it continuously over the next few months as we remediate and protect this marketing site.

The good news is that the root issue does appear to be resolved and our customers are slowly updating their definition files. We're still getting calls, much less now.

  • Staff
Hi,

I'm glad to hear that it has helped some. As far as whether or not it's standard, I can't really comment. I don't know what others in the industry do. It's not unusual IMO since two or more subdomains were compromised. The rule was manually created. Hope this helps

Regards

  • Staff

Sorry, my mistake. I read your OP again and noticed you listed two subdomains of lenslock.com. But it was only the root/parent itself that was compromised:

http://lenslock.com/oho/onedrive.html

This is also why I couldn't initially find your domain in our database, because I searched for the subdomains provided in the OP. And yes, it's standard for us to add a block as *.lenslock.com in case someone tries to access it via the www. prefix. Hope this clears things up. Sorry about the false alarm on subdomains.

Regards

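The parent block described in the last two staff replies (a *.lenslock.com rule covering the apex and every subdomain, as opposed to a block scoped to the phish URL http://lenslock.com/oho/onedrive.html), worked through as an added Python example. This is not Malwarebytes code and the rule syntax is an assumption: the matcher, the sample rule list and the sample target list are constructed here for illustration, and the two non-LensLock hostnames are made up to show the label-boundary check. It shows why the OP's lenslock.com subdomains were caught while the azurewebsites.us hostnames would not be, and why a naive suffix match would over-block.

```python
"""Blocklist matcher showing the blast radius of a parent (wildcard) domain block."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample rules modelled on the thread (assumed syntax, not Malwarebytes'):
#   "*.example.com"      parent block: apex plus every subdomain
#   "http://host/path/"  URL-scoped block: that host and that path prefix only
#   "1.2.3.4"            IP-level block
PARENT_RULE = "*.lenslock.com"
URL_RULE = "http://lenslock.com/oho/"          # scoped to the phish directory
IP_RULE = "162.241.158.222"                    # older phish hosted directly on the IP

# Constructed sample targets: the thread's hostnames plus two made-up look-alikes.
SAMPLE_TARGETS = [
    "http://portal.lenslock.com/",
    "http://mppd.lenslock.com/",
    "http://www.lenslock.com/",
    "http://lenslock.com/oho/onedrive.html",
    "http://lenslock-app-prod.azurewebsites.us/",
    "http://162.241.158.222/index.html",
    "http://notlenslock.com/",                 # constructed: shares a suffix, not a parent
    "http://lenslock.com.evil.example/",       # constructed: apex used as a leading label
]


def host_of(target: str) -> str:
    """Lowercase hostname of a URL or bare host, without port or trailing dot."""
    parsed = urlsplit(target if "://" in target else "//" + target)
    return (parsed.hostname or "").lower().rstrip(".")


def rule_matches(rule: str, target: str) -> bool:
    """True if a single blocklist rule covers the target URL/host."""
    rule = rule.lower()
    host = host_of(target)
    if "://" in rule:                          # URL-scoped: same host, path prefix
        r, t = urlsplit(rule), urlsplit(target.lower())
        return r.hostname == t.hostname and t.path.startswith(r.path)
    if rule.startswith("*."):                  # parent block: apex or a true subdomain
        apex = rule[2:]
        # The "." boundary is what keeps notlenslock.com out of the block.
        return host == apex or host.endswith("." + apex)
    try:                                       # IP-level block
        return ipaddress.ip_address(host) == ipaddress.ip_address(rule)
    except ValueError:
        return host == rule                    # plain hostname block


def matching_rule(target: str, rules):
    """First rule that blocks the target, or None if it is allowed."""
    for rule in rules:
        if rule_matches(rule, target):
            return rule
    return None


def blast_radius(rules, targets=SAMPLE_TARGETS):
    """Map each rule to the sample targets it would block."""
    hits = {rule: [] for rule in rules}
    for target in targets:
        rule = matching_rule(target, rules)
        if rule is not None:
            hits[rule].append(target)
    return hits


if __name__ == "__main__":
    for rule, blocked in blast_radius([PARENT_RULE, URL_RULE, IP_RULE]).items():
        print(f"{rule}: blocks {len(blocked)} of {len(SAMPLE_TARGETS)}")
        for t in blocked:
            print("   ", t)
```

Running the script shows the parent rule catching portal., mppd., www. and the apex phish page (four of the eight targets) while leaving the azurewebsites.us host and the two look-alike domains alone; the URL-scoped rule catches only the phish page. The IP rule is listed last so the targets it covers are not shadowed by the broader rules above it, which is also how a first-match blocklist would have to be ordered to report the narrowest reason for a block.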