False Information

[daqua]

I had a potential customer contact us that Malwarebytes on his computer was flagging up daqua.co.uk had a virus. This is FALSE information. Please advise why this has happened.

[JPopovic]

Hello,

It is IP address that is blocked and it is legit block due to malicious PDF files:

79.170.40.182

Example of malicious file:
 

 http://79.170.40.182/boothtastic.com/wp-content/plugins/formcraft/file-upload/server/content/files/162d1ae69887e6---47302204014.pdf 

We wouldn't be able remove the block until it is cleaned.

Thank you.

[daqua]

Hello,

Thanks, you have answered my question. that Malware bytes actually does not give live data. That is not our IP address as the information you gather is from virustotal.com which when I search my website the last visit was 2 years ago?

 

Therefore can you please message me your legal team as I wish to take this to court. 

 

My website has a unique IP address and you have just provided evidence the data you are using is old and out of date.

[JPopovic]

Like I already said, your domain is not blocked.

If your domain is not hosted on the above mentioned IP address, then you shouldn't get any blocks.

 

[daqua]

Thanks. I will contact the customer to try again and email us a screen shot

[daqua]

From customer "My virus checker , MALWAREBYTES reports an unsafe site due to a Trojan which is stopping me from searching any further on your site"

[JPopovic]

No problem. Is there any chance that they can provide a screenshot or even better a log?

[Porthos]

5 minutes ago, daqua said:

Thanks. I will contact the customer to try again and email us a screen shot

The IP is blocked not your site.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 8/14/23
Protection Event Time: 3:01 AM
Log File: bf766c4c-3a78-11ee-b906-4439c43a4aa3.json

-Software Information-
Version: 4.6.0.277
Components Version: 1.0.2110
Update Package Version: 1.0.74003
License: Premium

-System Information-
OS: Windows 10 (Build 19045.3324)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain:
IP Address: 79.170.40.182
Port: 80
Type: Outbound
File: C:\Program Files\Mozilla Firefox\firefox.exe

 

(end)

This is a screenshot of the link That was an issue.

 

[Porthos]

2 minutes ago, JPopovic said:

No problem. Is there any chance that they can provide a screenshot or even better a log?

here is the screenshot.

[daqua]

Hi Porthos,

Many thanks for the information. This is a major issue for legit businesses who do their upmost to keep their websites virus free. This issue will be effecting every business that shares that IP address and Malware can argue they are in the right but other virus like AVG etc.. do not do this. So potentially loosing businesses loads of money which in this case the customer did not place the order.

We changed over to a server where we are the only site on the server which costs a fair amount of money.

So for Malware to continue blocking us I strongly feel we have a good case in court for potential lost earnings as the data they are using is not live. 

Much appreciate the screen shot. 

 

 

 

[daqua]

@JPopovic as you can see above the screen shot provided. If you cannot lift this block then can I ask please your legal department contact me then I can issue a court summons to get this sorted. I know you're doing your job but this could be a potential huge impact on our business and others. Many thanks

[Porthos]

11 minutes ago, daqua said:

We changed over to a server where we are the only site on the server which costs a fair amount of money.

I would ask the host to either clean that IP up or move your server to a different IP. Your host is the one to blame for allowing the abuse of the IP, to begin with.

I am offering this suggestion as just another user who has a site as well. As a reminder, I do not work for Malwarebytes.

[daqua]

2 minutes ago, Porthos said:

I would ask the host to either clean that IP up or move your server to a different IP. Your host is the one to blame for allowing the abuse of the IP, to begin with.

I am offering this suggestion as just another user who has a site as well. As a reminder, I do not work for Malwarebytes.

79.170.40.182 is not the website IP address so the information Malwares is looking at is wrong. Thanks for your help.

[Porthos]

5 minutes ago, daqua said:

79.170.40.182 is not the website IP address so the information Malwares is looking at is wrong. Thanks for your help.

Every lookup I run shows it is.

https://www.nslookup.io/domains/daqua.co.uk/webservers/

https://www.site24x7.com/tools/find-ip-address-of-web-site.html

Edited August 14, 2023 by Porthos

[daqua]

4 minutes ago, Porthos said:

Every lookup I run shows it is.

https://www.nslookup.io/domains/daqua.co.uk/webservers/

https://www.site24x7.com/tools/find-ip-address-of-web-site.html

Thanks that's very interesting. None of them have a date stamp as to when that data was gathered. When I spoke to Malware customer services some time back they were showing me data from virustotal.com which I checked on Friday and the last check was 2 years ago. I have just checked and last analysis 16 hours ago with the old IP address. I have doubled checked the server ip address in case I was going mad and it is not that. Very strange.

[daqua]

@JPopovic I have been emailing the source of this data where the IP address is wrong. They are covering themselves and emailed back stating "This information is only to be used as a reference, it cannot be used to block websites" 

I need this resolving please so message me who to contact with Malware if this is out of your remit. The information you are blocking my website is false and defamatory. 

[David H. Lipman]

@daqua

Please reference:  The Dangers Of Using Shared Hosting And How To Prevent Them

 

[daqua]

31 minutes ago, David H. Lipman said:

@daqua

Please reference:  The Dangers Of Using Shared Hosting And How To Prevent Them

 

Hi David I am no longer using shared hosting. I have a unique server for the website which has it's own unique IP that no other server has. I changed this due to this happening and thought the block would have been lifted but their data is still showing the old IP.

[David H. Lipman]

C:\1\1\1>ping -a daqua.co.uk

Pinging daqua.co.uk [79.170.40.182] with 32 bytes of data:
Reply from 79.170.40.182: bytes=32 time=93ms TTL=52
Reply from 79.170.40.182: bytes=32 time=93ms TTL=52
Reply from 79.170.40.182: bytes=32 time=95ms TTL=52
Reply from 79.170.40.182: bytes=32 time=93ms TTL=52

Ping statistics for 79.170.40.182:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 93ms, Maximum = 95ms, Average = 93ms

 

[Porthos]

Your site is not the only one on that IP. For example.

Your host is your issue. Your issue is with them. Your site is just collateral damage.

Your host needs to assign a different IP.

dunesgolfcentre.co.uk

 

Category: Trojan
Domain: dunesgolfcentre.co.uk
IP Address: 79.170.40.182
Port: 80
Type: Outbound
File: C:\Program Files\Mozilla Firefox\firefox.exe

 

Edited August 14, 2023 by Porthos

[daqua]

@Porthos   79.170.40.182  is not the server address that my website is hosted on. It was originally and I moved it to another server where no other websites are on. The issue I have is Malware is not live data but old data it is drawing on.

If it was live data it would see that the IP for the website is 79.170.44.19. That is the server IP live now.

Have paid a lot of money to sort this out but it is showing Malware is not live data.

Hope this explains it and was hoping someone in Malware would check and resolve it.

If anyone has any legal expertise would appreciate it as have lost orders due to this False information.

 

[Porthos]

What do you see if you open a CMD prompt on a computer without Malwarebytes and type/copy and paste the following?

ping -a daqua.co.uk

Edited August 14, 2023 by Porthos

[Porthos]

Ping from the CM prompt has nothing to do with anyone's lists and the date.

 

Edited August 14, 2023 by Porthos

[daqua]

@Porthos   Thanks. Don't know what is going on will ask my website host why it is doing this as when I log on into website portal the ip address is not that as I had it moved. Will see what they say.

 

[Porthos]

3 minutes ago, daqua said:

will ask my website host why it is doing this

Guess you got the same results?