
64.70.19.* OR possibly 64.70.*


apanowicz


Hi,

I work for WebSite.ws and was informed that, when using your product, our IPs/sites are being blocked. I am hoping this is a false positive and the IPs can be whitelisted. But if there is an issue, we would like to fix it.

I've attached a log of blocked IPs generated by attempting to reach the following sites:

www.website.ws

www.freedom.ws

www.email.ws

www.dvd.ws

www.samoa.ws

Please let me know what needs to be done to correct this. BTW - you guys have a GREAT product!!!!!!

Thanks,

Paul

protection_log_2009_10_27.txt


Apologies for taking so long. This /24 is currently blocked due to exploits;

20091024014406 64.70.19.52 mailrelay.52.website.ws 4business.ws http://4business.ws/words69/hours/havent46.html

20091024014408 64.70.19.52 mailrelay.52.website.ws 4business.ws http://4business.ws/words69/hours/message91.html

20091024014413 64.70.19.52 mailrelay.52.website.ws 4business.ws http://4business.ws/words69/hours/thought54.html

20091024020030 64.70.19.52 mailrelay.52.website.ws tifarm.ws http://tifarm.ws/tissa.htm

20091024230613 64.70.19.52 mailrelay.52.website.ws afaizal.ws http://afaizal.ws/fourth50/action/early87.htm

20091024230615 64.70.19.52 mailrelay.52.website.ws afaizal.ws http://afaizal.ws/fourth50/action/first37.htm

20091026173255 64.70.19.52 mailrelay.52.website.ws financnisvoboda.ws http://financnisvoboda.ws/research47/demand/there18.php

And other malware;

http://hosts-file.net/pest.asp?show=64.70.19.&direct=1

Validation results as of a couple of seconds ago show that only a couple have moved elsewhere, but if you could get the rest taken down, I'll be happy to remove the block.

Validation results

http://hosts-file.net/misc/hpObserver_Resu...-_64.70.19.html


MysteryFCM,

Thanks for the reply! Please bear with me as I am not very familiar with this type of thing, but I have been working with our Abuse department on this. We absolutely want to handle these issues as they arise so we do not get into this situation again. We believe we've taken proper action on all domains listed except for:

trustbid.ws

viejobueno.com

warewz.ws

e-service.ws

alssayer.ws

xsex.ws

We were unable to find anything currently wrong with the domains. Also, some domains reported are not even registered now. Since I'm new to this, I did look at many posts in your forums as well as the http://hosts-file.net forum, but still have the following questions:

1. Is there someplace we can monitor our IPs and immediately take necessary actions so we don't keep getting blocked?

2. Does Malwarebytes IP blocking basically coincide with what http://hosts-file.net/ offers as far as a list of bad IPs to avoid?

3. Do you recommend any proactive actions we could begin taking in order to prevent this? Since we are a hosting company, it's difficult to monitor what users have on their sites.

I know how forums work, so don't hesitate to tell me to do the research (it just won't be as timely :) ). We just want to take care of this ASAP, so any direction would be much appreciated.

Thanks,

Paul


MysteryFCM,

Thanks for the reply! Please bear with me as I am not very familiar with this type of thing, but I have been working with our Abuse department on this. We absolutely want to handle these issues as they arise so we do not get into this situation again. We believe we've taken proper action on all domains listed except for:

trustbid.ws

viejobueno.com

warewz.ws

e-service.ws

alssayer.ws

xsex.ws

We were unable to find anything currently wrong with the domains. Also, some domains reported are not even registered now. Since I'm new to this, I did look at many posts in your forums as well as the http://hosts-file.net forum, but still have the following questions:

I'm on the train with a totally rubbish connection atm, but I'll take a look, thanks for letting me know. Based on the removal of the rest, I've removed the blocks and will publish an update once I've posted this.

1. Is there someplace we can monitor our IPs and immediately take necessary actions so we don't keep getting blocked?

The sources I use include those I find myself, along with MalwareURL, MalwareDomainList, Clean-MX, and of course, other researchers, so monitoring the feeds for these and the researchers, will help you keep track of them to a degree.

2. Does Malwarebytes IP blocking basically coincide with what http://hosts-file.net/ offers as far as a list of bad IPs to avoid?

Not quite, no. Whilst I run hpHosts, the IPBL for Malwarebytes is run separately from it. In saying this, domains found containing malicious content will be added to hpHosts, and if it's on a dedicated IP, its IP is added to the IPBL. If it's on a shared IP, then the IP/range is only added if a significant amount of malicious content is present, and even then, I try to only add such if I've received no response from the hosting company.

3. Do you recommend any proactive actions we could begin taking in order to prevent this? Since we are a hosting company, it's difficult to monitor what users have on their sites.

First and foremost, get some network level filters in place. These, depending on how they're set up, can help trigger alerts for malicious content (e.g. Squid, Snort etc.), irrespective of whether you've got direct access to the servers themselves or not.

Secondly, monitoring your customers' sites, whilst time consuming and an on-going task, is an absolute must for all hosting companies that want to prevent malicious content appearing on their networks, either deliberately or due to compromised servers/sites etc.

I know how forums work, so don't hesitate to tell me to do the research (it just won't be as timely :) ). We just want to take care of this ASAP, so any direction would be much appreciated.

No problem :)
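The block entries quoted earlier in the thread (timestamp, IP, reverse DNS, domain, URL) and the listing policy described in this reply (dedicated IP listed outright, shared IP only with significant content and no hoster response), worked into a small triage script. This is an added example, not code from the thread or from hpHosts/Malwarebytes; the sample records, the placeholder domains, the `dedicated_ips` input and the `shared_threshold` value are all assumptions.

```python
from collections import defaultdict

# Constructed sample records in the layout quoted in the thread:
# timestamp IP rDNS domain URL (whitespace separated). Addresses are from
# the RFC 5737 documentation range and the domains are placeholders.
SAMPLE_LOG = """\
20091024014406 198.51.100.52 mailrelay.52.host.example phish-a.example http://phish-a.example/a.html
20091024014408 198.51.100.52 mailrelay.52.host.example phish-a.example http://phish-a.example/b.html
20091024020030 198.51.100.52 mailrelay.52.host.example mal-b.example http://mal-b.example/x.htm
20091024230613 198.51.100.52 mailrelay.52.host.example mal-c.example http://mal-c.example/y.htm
20091026173255 198.51.100.77 vps77.host.example only-d.example http://only-d.example/z.php
this line is malformed and must be skipped
"""

def parse_entry(line):
    """Split one record into its five fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not (parts[0].isdigit() and len(parts[0]) == 14):
        return None
    ts, ip, rdns, domain, url = parts
    return {"ts": ts, "ip": ip, "rdns": rdns, "domain": domain, "url": url}

def domains_per_ip(log_text):
    """Map each IP to the set of distinct flagged domains observed on it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_entry(line)
        if rec:
            seen[rec["ip"]].add(rec["domain"])
    return dict(seen)

def listing_decision(ip, domains, dedicated_ips, hoster_responded, shared_threshold=3):
    """Policy from the reply: a dedicated IP with malicious content is listed;
    a shared IP is listed only when a significant amount is present (assumed
    here: at least shared_threshold distinct domains) and the hoster has not
    responded. dedicated_ips is assumed to be known from the hoster."""
    if not domains:
        return "no-action"
    if ip in dedicated_ips:
        return "list-ip"
    if len(domains) >= shared_threshold and not hoster_responded:
        return "list-ip"
    return "list-domains-only"

def review(log_text, dedicated_ips, hoster_responded):
    """Per-IP decision plus the domains the hoster should be asked to remove."""
    return {ip: (listing_decision(ip, doms, dedicated_ips, hoster_responded), sorted(doms))
            for ip, doms in domains_per_ip(log_text).items()}

if __name__ == "__main__":
    for ip, (decision, doms) in review(SAMPLE_LOG, {"198.51.100.77"}, False).items():
        print(ip, decision, ", ".join(doms))
```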


Oks, the only one that needs disabling, out of those you referenced, is:

viejobueno.com = phish (courtesy of the PPC networks)

The rest aren't on your network anymore, and at least two of them are now parked with *.information.com


MysteryFCM,

WRT viejobueno.com, our Abuse department did find something on a 2nd look:

It's likely the IFRAME on http://viejobueno.com/Hogar. There are discrepancies between what the IFRAME is displaying and the company's actual website. We'll suspend the user and tell him to take it down on the grounds of potential phishing.

They are handling it now, so we should be all set once the block is lifted.

Thanks much for your excellent info and prompt assistance. Our sysadmins are looking into Squid and Snort to see about putting them in place; great suggestions.

Please let me know if anything further is required from my end.

Paul
