
67.212.74.234


SeanieB


Hi!

The webmaster of a site on my server reports that Malwarebytes is preventing him from using his own site since it blocks our IP.

We've had one instance of malware in the past, but it has been long resolved, and it was a single instance.

Our IP is clear on all blacklists, including hpHosts. Why does Malwarebytes still block it?


Really. That's news to me, have any proof? My IP's not blocked anywhere else... and I haven't heard Netelligent pop up anywhere scuzzy except for adult sites and torrents, does that mean everyone else who uses the however many more IPs are necessarily malicious?


Hmm. I do see quite a lot of hpHosts noise on 67.212.74.234, but http://hosts-file.net/default.asp?s=67.212.74. isn't that bad. I don't see why you'd block out an entire ISP for security issues... That's thousands and thousands of addresses and a lot of lost traffic. I'm still waiting for an official response, but I'm trying to put something together myself.


Hmm. I do see quite a lot of hpHosts noise on 67.212.74.234, but http://hosts-file.net/default.asp?s=67.212.74. isn't that bad. I don't see why you'd block out an entire ISP for security issues... That's thousands and thousands of addresses and a lot of lost traffic. I'm still waiting for an official response, but I'm trying to put something together myself.

I meant 67.212.74. Can someone edit that in?


Hi,

I'm an abuse agent at Netelligent Hosting Services. I'm actually alarmed that these listings are still on here. The malware outbreaks caused by 209.44.126.xx and 209.44.111.xx were stopped MONTHS AGO, yet we still see listings for them.

And more recently, 67.212.74.xx also had an outbreak, but the client who caused this has been stopped as well.

Another outbreak on 209.44.114.xx was also stopped this week.

So not sure why we still have this reputation that we willingly host these people, we have hundreds of clients, and these guys don't even account for 1% of those clients. Our abuse department is very aggressive when it comes to these things.

Is there anything more Netelligent needs to do to clean up its name? Where else can I check for active malware and threats? I find these forums are grossly outdated with their links and information that go back several months and are irrelevant for us.


Actually, Netelligent was recently caught hosting malware;

http://hphosts.blogspot.com/2009/10/capthc...chastopcom.html

http://hphosts.blogspot.com/2009/10/crimew...etelligent.html

Woops?

As far as "anything more", the first thing you need to do is put monitors in place to catch this stuff on your network (i.e. network filters, if you're going to claim you don't have access to customers' servers). Verifying your customers' data (i.e. name/address and that they aren't either using a stolen CC, or don't have a record for hosting malicious content, or weren't previously booted for such) would go a long way to helping.

Incidentally, we previously had someone from Netelligent in here, trying to claim innocence too, and have never heard from them again since their last response.

As for where you can check for active threats, I've got an RSS feed for hpHosts, as have MalwareURL, and MalwareDomainList. Danchev and the other sec blogs, also have such, that you can use for monitoring.

/edit

As an addendum, I've *still* (even after the Netelligent staff popping in here) never had a response to e-mails I've sent to you guys, and I don't believe any of the other blacklist ops have either.


Hi Steven,

A lot of the IPs/domains on the links you sent me are not even up! Many of them have been offline for months. How often are these updated? We've reiterated many times that 209.44.126.xx and 209.44.111.xx issues were taken care of months ago, yet the perception is that we've taken no action. The more recent ones like 209.44.114.xx and 209.44.117.xx were taken care of last week. A lot of the rest are false positives. The only one remaining to be dealt with that I can see is 67.212.65.118. Also, a lot of the domains you list aren't even hosted with us or anything, so not sure why they're still being listed under our record.

Just a reminder that we're a fairly large ISP with thousands of servers and multiple /19 IP blocks. Many of our clients are resellers or hosting providers themselves. So when malware does end up on our network, it was never intentional nor is it condoned! The biggest offender on 209.44.126.xx was removed a while ago. Hope this helps!

Kind regards,

--

Mohamed S.

Netelligent Abuse Team


The IPs in the DB are the IPs they resolved to the last time they were checked (reflected by the "Updated" field), I don't expect them all to be current, and am working on a monitor that will go through and constantly update them. Point is, they were reported to you the same day they were added to the DB, and I've yet to have a response.

As for those in the MalwareURL/Clean-MX DBs, I don't control those DBs, my friends do, and just like myself, they report them the day they're added to their respective DBs as well. I've been advised by Anthony (MalwareURL) that you've recently contacted him as well, and we'll see how that goes.

Which ones do you consider to be F/P's? Those in the following aren't F/P's, yet still resolve to your network and are STILL alive;

http://hphosts.blogspot.com/2009/10/capthc...chastopcom.html

Coinkydink?


The IPs in the DB are the IPs they resolved to the last time they were checked (reflected by the "Updated" field), I don't expect them all to be current, and am working on a monitor that will go through and constantly update them. Point is, they were reported to you the same day they were added to the DB, and I've yet to have a response.

OK, is there a way to manually run the updates, because most of them are off and have been for weeks.

Which ones do you consider to be F/P's? Those in the following aren't F/P's, yet still resolve to your network and are STILL alive;

Pardon my ignorance, what's an F/P?

Not sure what you mean by the coincidence? Also, I have no way of legally ceasing the operation of this site as providing a captcha break tool is not illegal in Canada and not a violation of our AUP. This might be beyond our reach. But everything else has been taken care of, so please run an updated check so we can confirm what is left!


F/P = False Positive

Providing captcha breaking may not be against your AUP, but isn't the fact this is done via malware, against your AUP at the very least?

The only DB I can run updates on, is hpHosts as I don't control MalwareURL, Clean-MX or MDL, but I'll get that done within the next few days or so (I'm going away in just under 12 hours and have had no sleep for over 24 hours, so though I'll try and get something thrown together to do the processing before then, there's no way it'll be done before I go).
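The re-check discussed in this thread (listings keep the IP they last resolved to plus an "Updated" date, and a monitor re-resolves them) can be sketched as follows. This is an added example, not hpHosts code or anything posted by the participants; the records, the `.example` domains, the resolver answers and the treatment of the prefixes named in the thread as /24 ranges are all constructed assumptions.

```python
import ipaddress
from datetime import date

# Constructed sample listings: (domain, last-resolved IP, "Updated" date).
RECORDS = [
    ("alpha.example", "67.212.74.10", date(2009, 6, 1)),
    ("bravo.example", "209.44.126.5", date(2009, 10, 20)),
    ("charlie.example", "209.44.111.9", date(2009, 5, 15)),
]
# Assumption: the prefixes named in the thread, treated as /24 provider ranges.
PROVIDER_NETS = [ipaddress.ip_network(n) for n in
                 ("67.212.74.0/24", "209.44.126.0/24", "209.44.111.0/24")]

def in_provider(ip):
    """True if the address falls inside one of the provider ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROVIDER_NETS)

def recheck(records, resolve, today, max_age_days=30):
    """Re-resolve each listing and classify what it points at now.

    resolve(domain) returns an IP string, or None if the name is dead.
    """
    report = []
    for domain, old_ip, updated in records:
        new_ip = resolve(domain)
        if new_ip is None:
            status = "offline"            # candidate for delisting
        elif in_provider(new_ip):
            status = "still-on-network"   # still needs abuse handling
        else:
            status = "moved"              # re-attribute to the new host
        report.append({
            "domain": domain, "old_ip": old_ip, "new_ip": new_ip,
            "was_stale": (today - updated).days > max_age_days,
            "status": status,
        })
    return report

# Constructed resolver answers so the example runs offline.
FAKE_DNS = {"alpha.example": None, "bravo.example": "209.44.126.5",
            "charlie.example": "192.0.2.44"}

def demo():
    return recheck(RECORDS, FAKE_DNS.get, today=date(2009, 11, 1))

if __name__ == "__main__":
    for row in demo():
        print(row)
```

For live use, replace `FAKE_DNS.get` with a wrapper around `socket.gethostbyname` that returns `None` on `socket.gaierror`.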
