64.70.19.*


WS Abuse

Hello,

I work for the Abuse department for Website.ws and it appears that our IP range is blocked by MBAM's malicious website blocking module. Is there any information available regarding the reason for the block, as well as any instructions for resolving this issue? The IP range belongs to our web and email hosts, and unfortunately all domains hosted with our company appear to be blocked. We had previously reported this problem in the following thread:

http://forums.malwarebytes.org/index.php?s...rt=#entry149828. Apologies for creating a new thread; it was done to keep information regarding this incident separate from the previous one.

Again, any information regarding this issue will be greatly appreciated!

Thanks,

Joseph

.WS Abuse Department


The malicious content has gone from this range, so I'll get it unblocked.

Please bear in mind however, quite a few of the sites on this range are running a very old and insecure version of PHP, and as such, are prone to re-compromise.


Thank you for the information! Do you have any specific URLs that were affected by this PHP exploit so we may investigate this issue further? We're interested in preventing such an exploit from being an issue in the future, so any additional information will be greatly appreciated.

Thanks,

Joseph

.WS Abuse


A few examples for you :( (primarily Koobface);

http://4business.ws/words69/hours/havent46.html
http://tifarm.ws/tissa.htm
http://afaizal.ws/fourth50/action/early87.htm
http://financnisvoboda.ws/research47/demand/there18.php
http://bizzzplan.ws/555/?go
http://zionvpmo.ws/criminal-clips/

The usual causes of these are compromised FTP and ACP credentials (nothing can be done about these, unfortunately, as most users aren't careful enough or use completely insecure passwords, but keeping PHP/server software, and any CMS/plugin etc. software, up to date can help prevent compromise via exploits).


Thank you for the list of URLs, we'll look into these a little closer and see if we find any patterns that left these domains open for attack. Previously, you had mentioned that "quite a few of the sites on this range are running a very old and insecure version of PHP, and as such, are prone to re-compromise." Is there a specific method of compromise that you are aware of that we should be aware of? Also, you mentioned that "the usual causes of these, are compromised FTP and ACP credentials", but I'm not understanding how this could be related to the PHP version employed for these domains. Could you elaborate?

Thanks,

Joseph

.WS Abuse


The PHP version is a completely separate issue as far as compromise. Secunia (secunia.com) has a list of vulnerabilities relating to PHP etc. that you'll want to look at (no website should still be running on PHP4, at all). Given how long 5 has been out, there's no excuse for 4 still running on a production server.


OK, thank you for the clarification. As far as the sample list of domains you had provided earlier, is it possible to receive a full list of reported URLs detected using our IP range for hosting? We'd like to resolve any remaining issues that may not have been detected by our staff. Also, is there any sort of method that can be used to check if any negative reports are being generated against our IP range?


It'll take a while, but I can go through the databases and dig out the entire list for you.

As for negative reports, I can have an auto-notification sent to you when a malicious URL is detected on your range if you like. Just let me know the best e-mail to have the reports sent to.


Great, the entire list would be appreciated immensely. If a report could be sent to abuse@wsdomains.ws, this would be best. Also, could a test email be sent initially so we can set up filters to ensure the message is not marked as spam? The inclusion of a malicious URL would likely trigger our anti-spam filters quite easily.


Test report sent. URL in the test report is one of those mentioned above (tifarm.ws/tissa.htm). Do you want reports for all .ws domains, or just for the /24 mentioned in your original post?


All .WS domains would not hurt. Is it possible to receive one report for all .WS domains, then another for all URLs hosted in our /24? Overlap is to be expected, but initial separation will make investigation smooth. If not easily possible, one lump report would be more than okay.

Additionally, if we could receive monitoring reports for the following ranges, we also utilize these:

98.158.168.0/23

98.158.170.0/24

98.158.171.80/28

Thanks,

Joseph

.WS Abuse

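As an added example (not part of this thread, and not tooling from either poster), the script below shows how an abuse desk receiving the monitoring reports discussed above could sort incoming detections into the ranges it is responsible for. It assumes the "64.70.19.*" range from the first post is the /24 referred to later in the thread, and it uses a constructed report line format of "url ip" with made-up sample entries; no real detections are included.

```python
import ipaddress
import re

# Ranges named in the thread: the original range (assumed to be 64.70.19.0/24,
# since the thread later refers to it as "the /24") plus the three additional
# ranges Joseph asked to have monitored.
MONITORED_RANGES = {
    "64.70.19.0/24": "original range from the first post (assumed /24)",
    "98.158.168.0/23": "additional range",
    "98.158.170.0/24": "additional range",
    "98.158.171.80/28": "additional range",
}

NETWORKS = [(ipaddress.ip_network(cidr), label) for cidr, label in MONITORED_RANGES.items()]


def range_for(ip: str):
    """Return the monitored CIDR (as a string) containing ip, or None.

    If several ranges contain the address, the most specific one wins so
    a report for a small delegated block is not attributed to its parent.
    """
    addr = ipaddress.ip_address(ip)
    matches = [net for net, _ in NETWORKS if addr in net]
    if not matches:
        return None
    return str(max(matches, key=lambda n: n.prefixlen))


# Constructed sample report (hypothetical "<url> <ip>" line format). The hosts
# and addresses here are made up for the example; they are not real detections.
SAMPLE_REPORT = """\
http://example-a.ws/index.php 64.70.19.12
http://example-b.ws/page.htm 98.158.169.200
http://example-c.ws/ 98.158.171.95
http://example-d.ws/ 98.158.171.96
http://unrelated.example/ 203.0.113.7
"""

LINE_RE = re.compile(r"^(?P<url>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$")


def triage(report: str):
    """Group report URLs by the monitored range their IP falls in.

    Lines whose IP is in none of the monitored ranges are collected under
    "outside" so that misdirected reports can be spotted rather than dropped.
    Malformed lines are skipped.
    """
    buckets = {}
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = range_for(m.group("ip")) or "outside"
        buckets.setdefault(key, []).append(m.group("url"))
    return buckets


if __name__ == "__main__":
    for cidr, urls in triage(SAMPLE_REPORT).items():
        print(cidr, MONITORED_RANGES.get(cidr, "not a monitored range"))
        for url in urls:
            print("   ", url)
```

Note that 98.158.171.96 lands in "outside": the /28 at 98.158.171.80 only covers .80 through .95, so a report for .96 would belong to another customer's block and should not be actioned as this host's.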
