Malwarebytes is blocking Cloudflare IPs for domain name flightkelly.com

[P44]

I have installed a trial of Malwarebytes Premium on Windows 10, and it is blocking multiple IP addresses associated with the domain flightkelly.com. When I look up the IP addresses, they belong to Cloudflare. 

IPs include

172.67.156.213

104.21.8.45

Google finds at least one similar report about Malwarebytes blocking Cloudflare access, but I was disappointed to see your response was, you would check it out, but you closed it out after that without any further info about what, if anything, you found, and what you did about it.

 

[Porthos]

I will request you post to be moved to the correct section for this issue.

[AdvancedSetup]

Hello @P44

Do you own this site?

The site was blocked 3 months ago for a Trojan. I have asked for someone to review the site again, but it appears to be offline or preventing access.

 

Sucuri also received a 403 error and was not able to scan the system

https://sitecheck.sucuri.net/results/flightkelly.com

Virus Total was also unable to scan the site

 

[Dashke]

Hello P44,

This is a legit detection -

https://www.virustotal.com/gui/file/d3e66a87065ccc02fe47bb2611e3e49f8af311e7eff9ecc6178461fd16c98c03/detection

Can you please post the protection log? As it is possible that your browser has been infected by a malicious extension.

[P44]

13 hours ago, AdvancedSetup said:

Hello @P44

Do you own this site?

The site was blocked 3 months ago for a Trojan. I have asked for someone to review the site again, but it appears to be offline or preventing access.

 

Sucuri also received a 403 error and was not able to scan the system

https://sitecheck.sucuri.net/results/flightkelly.com

Virus Total was also unable to scan the site

 

@porthos:  I would be happy to post it in the correct spot. As a newbie, I thought i was. You told me I did it wrong but you didn't tell me where i should post it.

@AdvancedSetup:  I do not own the site flightkelly.com 

@Dashke : I don't know what the "protection log" is.  Malwarebytes help doesn't seem to know that precise term either. If you tell me precisely what you want me to post, i will be happy to do so.

It is possible I have a bad extension in Microsoft Edge, but Malwarebytes scan has shown 0 problems since I installed it.  What Malware bytes does is alert me about a possible trojan at the website I am accessing. The message doesn't look to me like it is telling me i have a trojan on my system.  Here is the message:

Website blocked due to a Trojan
Your Malwarebytes Premium trial blocked this website because it may contain a Trojan.

I use CloudFlare's DNS server. As a guess, your database (and others) appears to associate those two IPs with a domain name, flightkelly.com that doesn't appear to be current. Its registration record has blanks for registrar and abuse contacts but does list cloudflare.com name servers.

Maybe I am misunderstanding, but I don't think the error is telling me it is detecting a trojan on my system, and the fact that virustotal.com correctly identified a file as a trojan does not demonstrate that one still exists at those two IP addresses, and I see no evidence those two IP addresses are associated with the domain, flightkelly.com.

[P44]

@dashke I am taking a stab at what you meant by "protection log". Here is one of several identical entries that appears under "notifications".

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 3/18/21
Protection Event Time: 12:04 PM
Log File: c4d37196-881c-11eb-8dc5-d8eb97b3abce.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.38347
License: Trial

-System Information-
OS: Windows 10 (Build 21337.1000)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Trojan
Domain: flightkelly.com
IP Address: 104.21.8.45
Port: 443
Type: Outbound
File: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

(end)

[Porthos]

4 minutes ago, P44 said:

I would be happy to post it in the correct spot. As a newbie, I thought i was. You told me I did it wrong but you didn't tell me where i should post it.

That is because it was going to be moved for you. We did not want duplicate topics.

 

[P44]

What is the conclusion? 

[AdvancedSetup]

The site is not online. It returns an error 403 -

So, even without Malwarebytes on your system you should not be able to access that domain @P44

The verdict is the site is hosting a malicious javascript file, so when they do come back online they need to remove that file if they want Antivirus vendors to stop listing them.

 

The domain name for

flightkelly.com

It has an alias for 172.67.209.245 as well
addresses:
104.21.77.165
172.67.209.245
2606:4700:3032::ac43:d1f5
2606:4700:3032::6815:4da5

Both of the IP in your first post are not for the flightkelly domain
172.67.156.213
104.21.8.45

This IP you listed is not associated to any domain
172.67.156.213

Address lookup
lookup failed     172.67.156.213
      Could not find a domain name corresponding to this IP address.

Domain Whois record

Don't have a domain name for which to get a record

The same thing for the other IP you listed
104.21.8.45

Address lookup
lookup failed     104.21.8.45
      Could not find a domain name corresponding to this IP address.

Domain Whois record

Don't have a domain name for which to get a record

 

flightkelly.com

though, site is blocked for malware and has been for 3 months now.
You can see the list here on Virus Total showing 20 engines detect the javascript running on the site as malicuous

https://www.virustotal.com/gui/file/d3e66a87065ccc02fe47bb2611e3e49f8af311e7eff9ecc6178461fd16c98c03/detection

 

The IP range may be on Cloudflare but that does not mean that Cloudflare actually owns or runs the site. They provide infrastructure

If you attempt to scan the site or visit the site it does not respond

 

 

 

 

 

[P44]

I never tried to access flightkelly.com in the first place. Malwarebytes generated an error referencing that site.

To repeat what i wrote above, Malwarebytes blocked these two IP addresses owned by Cloudflare.:

172.67.156.213

104.21.8.45

I use Cloudflare's DNS server.  Some program on my system referenced those IPs, but I did not explicitly try to access them.  Malwarebytes popped up an alert saying those two IPs were blocked. The Malwarebytes alert referenced flightkelly.com.

My guess is that previously those IPs were associated with flightkelly.com, but no longer are, and Malwarebytes should not be blocking them any longer.

At the moment, the Windows 10 laptop I installed the Premium trial on is out of service because the fan needs to be replaced.

[AdvancedSetup]

The only one we blocked based on the report you posted is this one. Do you have a log with other IP blocks?

-Website Data-
Category: Trojan
Domain: flightkelly.com
IP Address: 104.21.8.45
Port: 443
Type: Outbound
File: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

 

If you did not visit that site it's possible it was just an Ad and will probably not show up again.

Is this an ongoing issue? If so then maybe you simply need to clean up your browser?

 

[JPopovic]

Hello,

We do not block any of these IP addresses.

We only block the domain (flightkelly.com) due to the malicious script:

 http://flightkelly.com/23062bfb7a4c805067.js 

 

We will be able to remove the block only after the script is removed.

If you claim that any of these IP addresses is blocked, please send us a log, or at least a screenshot showing the block/blocks.

I would also advice you to clean browser cache and to make sure to check for available MB Premium updates.

Thank you for your understanding!

[P44]

AdvancedSetup said:

Both of the IP in your first post are not for the flightkelly domain
172.67.156.213
104.21.8.45

I knew that before I made my first post because I looked them up. That is how I knew (and reported) they were in Cloudflare's assigned ranges.

The reason flightkelly.com appeared is because it was reported by Malwarebytes as being associated with IP=104.21.8.45 (as that above log I submitted shows).

I reported both IPs because Malwarebytes blocked reported both. I don't have access to the laptop this happened on is out of service waiting on a fan replacement.

Your explanation sounds perfectly reasonable.  If you did not visit that site it's possible it was just an Ad and will probably not show up again.

I cannot get to the logs on my end, or tell if it is still a problem until I get the laptop Malwarebytes Premium is on.

I am surprised that Malwarebytes doesn't have an internal diagnostic  tool to check the two IPs in whatever data lake Malwarebytes uses (or didn't use it) before responding to my first post.

[P44]

I got computer repaired so was able to access the logs. There are about 20 entries reporting blocking IP addresses that Malwarebytes associated with the domain name flightkelly.com. The two IP addresses are: 172.67.156.213, in the first and several subsequent reports on 3/16/21 and 104.21.8.45. Here is the first one from the 20+ from 3/16, followed by the last on I received on 3/18:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 3/16/21
Protection Event Time: 5:11 PM
Log File: 4ab02796-86b5-11eb-a9da-d8eb97b3abce.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.38267
License: Trial

-System Information-
OS: Windows 10 (Build 21332.1010)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Trojan
Domain: flightkelly.com
IP Address: 172.67.156.213
Port: 443
Type: Outbound
File: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

(end)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 3/18/21
Protection Event Time: 12:04 PM
Log File: c4d37196-881c-11eb-8dc5-d8eb97b3abce.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.38347
License: Trial

-System Information-
OS: Windows 10 (Build 21337.1000)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Trojan
Domain: flightkelly.com
IP Address: 104.21.8.45
Port: 443
Type: Outbound
File: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

(end)

[JPopovic]

Hello,

Like I said in my previous post, we do not block any of these IP address.

We DO block the domain (flightkelly.com) only. This domain is associated with these IP addresses, but that doesn't mean that we are blocking them. As long as we block the domain you will get those reports.

The domain is infected with malicious script and it is a legit block.

Thank you!