WS Abuse Posted June 11, 2010 ID:265909

Hello,

I work for the Abuse department for Website.ws and it appears that our IP range is blocked by MBAM's malicious website blocking module. Is there any information available regarding the reason for the block, as well as any instructions for resolving this issue? The IP range belongs to our web and email hosts, and unfortunately all domains hosted with our company appear to be blocked.

We had previously reported this problem in the following thread: http://forums.malwarebytes.org/index.php?s...rt=#entry149828 . Apologies for creating a new thread, it was done to keep information regarding this incident separate from the previous one.

Again, any information regarding this issue will be greatly appreciated!

Thanks,
Joseph
.WS Abuse Department
MysteryFCM Posted June 12, 2010 ID:266255

The malicious content has gone from this range, so I'll get it unblocked.

Please bear in mind however, quite a few of the sites on this range are running a very old and insecure version of PHP, and as such, are prone to re-compromise.
WS Abuse Posted June 14, 2010 Author ID:267346

Thank you for the information! Do you have any specific URLs that were affected by this PHP exploit so we may investigate this issue further? We're interested in preventing such an exploit from being an issue in the future, so any additional information will be greatly appreciated.

Thanks,
Joseph
.WS Abuse
MysteryFCM Posted June 14, 2010 ID:267348

A few examples for you (primarily Koobface);

http://4business.ws/words69/hours/havent46.html
http://tifarm.ws/tissa.htm
http://afaizal.ws/fourth50/action/early87.htm
http://financnisvoboda.ws/research47/demand/there18.php
http://bizzzplan.ws/555/?go
http://zionvpmo.ws/criminal-clips/

The usual causes of these, are compromised FTP and ACP credentials (nothing that can be done about these unfortunately, as most users aren't careful enough, or use completely insecure passwords, but keeping PHP/server software, and any CMS/plugin etc software up to date can help prevent compromise via exploits etc)
WS Abuse Posted June 14, 2010 Author ID:267353

Thank you for the list of URLs, we'll look into these a little closer and see if we find any patterns that left these domains open for attack. Previously, you had mentioned that "quite a few of the sites on this range are running a very old and insecure version of PHP, and as such, are prone to re-compromise." Is there a specific method of compromise that you are aware of that we should be aware of?

Also, you mentioned that "the usual causes of these, are compromised FTP and ACP credentials", but I'm not understanding how this could be related to the PHP version employed for these domains. Could you elaborate?

Thanks,
Joseph
.WS Abuse
MysteryFCM Posted June 14, 2010 ID:267359

The PHP version is a completely separate issue as far as compromise. Secunia (secunia.com) has a list of vulnerabilities relating to PHP etc, that you'll want to look at (no website should still be running on PHP4, at all). Given how long 5 has been out, there's no excuse for 4 still running on a production server.
WS Abuse Posted June 14, 2010 Author ID:267400

Ok, thank you for the clarification. As far as the sample list of domains you had provided earlier, is it possible to receive a full list of reported URLs detected using our IP range for hosting? We'd like to resolve any remaining issues that may not have been detected by our staff. Also, is there any sort of method that can be used to check if any negative reports are being generated against our IP range?
MysteryFCM Posted June 14, 2010 ID:267402

It'll take a while, but I can go through the databases and dig out the entire list for you.

As for negative reports, I can have an auto-notification sent to you when a malicious URL is detected on your range if you like. Just let me know the best e-mail to have the reports sent to.
WS Abuse Posted June 14, 2010 Author ID:267417

Great, the entire list would be appreciated immensely. If a report could be sent to abuse@wsdomains.ws , this would be best. Also, could a test email be sent initially so we can set up filters to ensure the message is not marked as spam? The inclusion of a malicious URL would likely trigger our anti-spam filters quite easily.
MysteryFCM Posted June 14, 2010 ID:267421

Test report sent. URL in the test report is one of those mentioned above (tifarm.ws/tissa.htm). Do you want reports for all .ws domains, or just for the /24 mentioned in your original post?
WS Abuse Posted June 14, 2010 Author ID:267432

All .WS domains would not hurt. Is it possible to receive one report for all .WS domains, then another for all URLs hosted in our /24? Overlap is to be expected, but initial separation will make investigation smooth. If not easily possible, one lump report would be more than okay.

Additionally, if we could receive monitoring reports for the following ranges, we also utilize these:

98.158.168.0/23
98.158.170.0/24
98.158.171.80/28

Thanks,
Joseph
.WS Abuse
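Added example, not part of the thread and not either party's tooling: one way to produce the two reports requested above (all .ws domains, and all URLs hosted in the listed ranges), with overlap kept. The hostnames and resolved IPs are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges quoted in the post above.
MONITORED = [ipaddress.ip_network(n) for n in
             ("98.158.168.0/23", "98.158.170.0/24", "98.158.171.80/28")]

# Constructed sample entries: (reported URL, IP the host resolved to when reported).
SAMPLE = [
    ("http://constructed-one.ws/a.htm", "98.158.169.200"),    # .ws, inside the /23
    ("http://constructed-two.ws/b.php", "203.0.113.7"),       # .ws, hosted elsewhere
    ("http://constructed-three.example/c", "98.158.171.95"),  # last address of the /28
    ("http://constructed-four.example/d", "98.158.171.96"),   # one past the /28
    ("http://CONSTRUCTED-FIVE.WS./e", "98.158.170.1"),        # upper case, trailing dot
]

def matching_range(ip_text):
    """Return the monitored network containing ip_text, or None."""
    ip = ipaddress.ip_address(ip_text)
    return next((net for net in MONITORED if ip in net), None)

def is_ws_domain(url):
    """True when the URL's host is under .ws (case and trailing dot ignored)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host.endswith(".ws")

def split_reports(entries):
    """Build both reports; an entry that meets both tests appears in both."""
    ws_report, range_report = [], []
    for url, ip_text in entries:
        if is_ws_domain(url):
            ws_report.append(url)
        net = matching_range(ip_text)
        if net is not None:
            range_report.append((url, str(net)))
    return ws_report, range_report

if __name__ == "__main__":
    ws, ranged = split_reports(SAMPLE)
    print("All .ws domains:", *ws, sep="\n  ")
    print("Hosted in monitored ranges:")
    for url, net in ranged:
        print(f"  {url}  [{net}]")
```

Matching on the resolved address rather than the hostname is what catches non-.ws sites hosted inside the ranges, which a TLD-only report would miss.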
MysteryFCM Posted June 14, 2010 ID:267436

It's been set up
WS Abuse Posted June 14, 2010 Author ID:267449

Great! Thank you for all of your assistance, and we look forward to receiving the aforementioned reports.

Thanks,
Joseph
.WS Abuse
MysteryFCM Posted June 14, 2010 ID:267454

No problem
MysteryFCM Posted June 19, 2010 ID:270073

Abuse reports for ws domains have been getting sent to you since originally set up, but I've had no response thus far. Are you actually dealing with these?