• OT: Malware

    From RJH@21:1/5 to All on Thu Mar 10 18:26:48 2022
    I've received a notification from somebody looking at a site I host/develop that it contains malware. They were alerted by their Malwarebytes software, which told them the site was 'unsafe'.

    I checked as best as I could (virus and malware scanned the uploaded files, https://sitecheck.sucuri.net/) and no problems found. I asked the user to ask Malwarebytes to be more specific or whitelist the site, and they replied:

    --
    Reporter Date Comment Categories
    Anonymous 27 Feb 2022 wp-login.php Web App Attack
    emha.koeln 27 Feb 2022 92.205.3.203 Brute-Force Web App Attack - Attempts to probe
    for or exploit installed web applications such as a CMS like WordPress/Drupal, e-commerce solutions,
    forum software, phpMyAdmin and various other software plugins/solutions.

    Whoever owns that website needs to contact their webhost and request they clean up that IP from malware.
    --

    I contacted my host (Heart) and they said it's my problem, and they'd simply close down the site if they receive a complaint.

    I'm not sure what I'm supposed to do! The info given by Malwarebytes looks to me like an attempted attack - not evidence of malware. Advice welcome!

    --
    Cheers, Rob

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
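    One way for the site owner to check the report against their own evidence, as an added example not taken from any post in this thread: a small Python triage script that scans an Apache combined-format access log for requests aimed at applications the site does not run (wp-login.php, xmlrpc.php, phpMyAdmin and similar paths named in the abuseipdb entry). The log lines below are constructed; probes answered with 404 on a static site are just noise, while a probe answered with 200 means the path really exists and deserves a look.

```python
import re
from collections import Counter

# Apache "combined" LogFormat: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that only make sense on a site running the named application.
# A static site (HTML, PDFs, jQuery) has none of these, so any hit is a probe.
PROBE_PATHS = {
    "wp-login.php": "WordPress",
    "xmlrpc.php": "WordPress",
    "wp-admin": "WordPress",
    "phpmyadmin": "phpMyAdmin",
    "administrator": "Joomla",
    "user/login": "Drupal",
}

# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [27/Feb/2022:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Feb/2022:03:14:10 +0000] "GET /xmlrpc.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.25 - - [27/Feb/2022:05:02:41 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 196 "-" "python-requests/2.27"
192.0.2.88 - - [27/Feb/2022:09:30:00 +0000] "GET /issues/march-2022.pdf HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"
203.0.113.25 - - [27/Feb/2022:05:02:42 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.27"
"""

def classify(line):
    """Return probe details for a log line that targets a known app path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").lower().split("?", 1)[0]   # drop query string
    for needle, app in PROBE_PATHS.items():
        if f"/{needle}" in path:
            return {"ip": m.group("ip"), "app": app,
                    "path": m.group("path"), "status": int(m.group("status"))}
    return None

def triage(lines):
    """Count probes per source IP and list probes the server did NOT reject."""
    by_ip = Counter()
    worrying = []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        by_ip[hit["ip"]] += 1
        if hit["status"] not in (403, 404):   # 2xx/3xx: the probed path exists
            worrying.append(hit)
    return by_ip, worrying

if __name__ == "__main__":
    counts, bad = triage(SAMPLE_LOG.splitlines())
    print("probes per IP:", dict(counts))
    print("probes that were not rejected:", bad)
```

    Run it against the real access log (download it from the host's control panel, if offered) to see whether the wp-login.php traffic in the report ever reached this site at all, and whether anything answered it.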
  • From Marco Moock@21:1/5 to All on Thu Mar 10 20:53:56 2022
    Am Donnerstag, 10. März 2022, um 18:26:48 Uhr schrieb RJH:

    I'm not sure what I'm supposed to do! The info given by Malwarebytes
    looks to me like an attempted attack - not evidence of malware.
    Advice welcome!

    Please specify what software you run on your server. Is it up-to-date?
    Is the operating system itself up-to-date?
  • From RJH@21:1/5 to Marco Moock on Fri Mar 11 02:06:35 2022
    On 10 Mar 2022 at 19:53:56 GMT, "Marco Moock" <mo01@posteo.de> wrote:

    Am Donnerstag, 10. März 2022, um 18:26:48 Uhr schrieb RJH:

    I'm not sure what I'm supposed to do! The info given by Malwarebytes
    looks to me like an attempted attack - not evidence of malware.
    Advice welcome!

    Please specify what software you run on your server. Is it up-to-date?
    Is the operating system itself up-to-date?

    Mmm. Not sure how I check. It's 'hosted' by Heart Internet and the server is listed as Apache, and written using Rapidweaver. Sitecheck lists a number of links, use of Javascript, and no Iframes or embedded objects.

    --
    Cheers, Rob
  • From Chris@21:1/5 to RJH on Fri Mar 11 08:05:15 2022
    RJH <patchmoney@gmx.com> wrote:
    On 10 Mar 2022 at 19:53:56 GMT, "Marco Moock" <mo01@posteo.de> wrote:

    Am Donnerstag, 10. März 2022, um 18:26:48 Uhr schrieb RJH:

    I'm not sure what I'm supposed to do! The info given by Malwarebytes
    looks to me like an attempted attack - not evidence of malware.
    Advice welcome!

    Please specify what software you run on your server. Is it up-to-date?
    Is the operating system itself up-to-date?

    Mmm. Not sure how I check. It's 'hosted' by Heart Internet and the server is listed as Apache, and written using Rapidweaver. Sitecheck lists a number of links, use of Javascript, and no Iframes or embedded objects.

    Does it run a forum or a wordpress site? They are notorious as attack
    vectors if not kept up-to-date or using vulnerable plugins.
  • From Mike Scott@21:1/5 to RJH on Fri Mar 11 08:46:33 2022
    On 11/03/2022 02:06, RJH wrote:
    On 10 Mar 2022 at 19:53:56 GMT, "Marco Moock" <mo01@posteo.de> wrote:

    Am Donnerstag, 10. März 2022, um 18:26:48 Uhr schrieb RJH:

    I'm not sure what I'm supposed to do! The info given by Malwarebytes
    looks to me like an attempted attack - not evidence of malware.
    Advice welcome!

    Please specify what software you run on your server. Is it up-to-date?
    Is the operating system itself up-to-date?

    Mmm. Not sure how I check. It's 'hosted' by Heart Internet and the server is listed as Apache, and written using Rapidweaver. Sitecheck lists a number of links, use of Javascript, and no Iframes or embedded objects.


    Long shot: check the version of apache: a recent one was subject to a
    URL path backtrack exploit, allowing shell invocation and thus
    installation of hidden malware on the web site. I was badly bitten :-{ I
    found a whole pile of python stuff in the apache log area, under ".log"
    or similar - it formed a proxy TCP system being controlled by someone
    with a .de domain.

    If you share an IP with another site (apache's virtual hosting), the
    problem may not lie with you though.


    --
    Mike Scott
    Harlow, England
  • From RJH@21:1/5 to Chris on Fri Mar 11 09:12:01 2022
    On 11 Mar 2022 at 08:05:15 GMT, "Chris" <ithinkiam@gmail.com> wrote:

    RJH <patchmoney@gmx.com> wrote:
    On 10 Mar 2022 at 19:53:56 GMT, "Marco Moock" <mo01@posteo.de> wrote:

    Am Donnerstag, 10. März 2022, um 18:26:48 Uhr schrieb RJH:

    I'm not sure what I'm supposed to do! The info given by Malwarebytes
    looks to me like an attempted attack - not evidence of malware.
    Advice welcome!

    Please specify what software you run on your server. Is it up-to-date?
    Is the operating system itself up-to-date?

    Mmm. Not sure how I check. It's 'hosted' by Heart Internet and the server is listed as Apache, and written using Rapidweaver. Sitecheck lists a number of links, use of Javascript, and no Iframes or embedded objects.

    Does it run a forum or a wordpress site? They are notorious as attack
    vectors if not kept up-to-date or using vulnerable plugins.

    No - read only

    If anyone would like a look it's post16educator org uk.

    Before you do, I'd just reiterate that it's been flagged as an insecure site by Malwarebytes.
    --
    Cheers, Rob
  • From RJH@21:1/5 to RJH on Fri Mar 11 10:12:28 2022
    On 10 Mar 2022 at 18:26:48 GMT, "RJH" <patchmoney@gmx.com> wrote:

    I've received a notification from somebody looking at a site I host/develop that it contains malware. They were alerted by their Malwarebytes software, which told them the site was 'unsafe'.

    I checked as best as I could (virus and malware scanned the uploaded files, https://sitecheck.sucuri.net/) and no problems found. I asked the user to ask Malwarebytes to be more specific or whitelist the site, and they replied:

    --
    Reporter Date Comment Categories
    Anonymous 27 Feb 2022 wp-login.php Web App Attack
    emha.koeln 27 Feb 2022 92.205.3.203 Brute-Force Web App Attack - Attempts to probe
    for or exploit installed web applications such as a CMS like WordPress/Drupal, e-commerce solutions,
    forum software, phpMyAdmin and various other software plugins/solutions.

    Whoever owns that website needs to contact their webhost and request they clean up that IP from malware.
    --

    I contacted my host (Heart) and they said it's my problem, and they'd simply close down the site if they receive a complaint.

    I'm not sure what I'm supposed to do! The info given by Malwarebytes looks to me like an attempted attack - not evidence of malware. Advice welcome!

    --
    Cheers, Rob

    Update - I've just had a reply from Malwarebytes (1 minute after I posted!):

    --
    Hi, The site is clean but hosted on a malicious IP. The IP is blocked due to recent brute-force attacks.
    https://www.abuseipdb.com/check/92.205.3.203
    --

    That's what I /thought/ their message was saying. Anyway, I assume the IP is set by the host company, Heart? I can't see any way I control it . . .
    --
    Cheers, Rob
  • From RJH@21:1/5 to usenet.16@scottsonline.org.uk.inval on Fri Mar 11 09:26:47 2022
    On 11 Mar 2022 at 08:46:33 GMT, "Mike Scott" <usenet.16@scottsonline.org.uk.invalid> wrote:

    On 11/03/2022 02:06, RJH wrote:
    On 10 Mar 2022 at 19:53:56 GMT, "Marco Moock" <mo01@posteo.de> wrote:

    Am Donnerstag, 10. März 2022, um 18:26:48 Uhr schrieb RJH:

    I'm not sure what I'm supposed to do! The info given by Malwarebytes
    looks to me like an attempted attack - not evidence of malware.
    Advice welcome!

    Please specify what software you run on your server. Is it up-to-date?
    Is the operating system itself up-to-date?

    Mmm. Not sure how I check. It's 'hosted' by Heart Internet and the server is listed as Apache, and written using Rapidweaver. Sitecheck lists a number of links, use of Javascript, and no Iframes or embedded objects.


    Long shot: check the version of apache: a recent one was subject to a
    URL path backtrack exploit, allowing shell invocation and thus
    installation of hidden malware on the web site. I was badly bitten :-{ I found a whole pile of python stuff in the apache log area, under ".log"
    or similar - it formed a proxy TCP system being controlled by someone
    with a .de domain.


    Thanks, I've written to them asking about the version. I'd imagine that Heart keeps things pretty much up to date, and malware could have been placed at
    some time in the past, during an older version I suppose.

    If you share an IP with another site (apache's virtual hosting), the
    problem may not lie with you though.

    Curiously, the site is listed as hosted by Godaddy according to Sucuri. I'd always thought I'd transferred everything to Heart about 10 years ago.

    Anyway, I'm wondering if perhaps I should just delete the entire site manually in FTP and re-upload it? I think I've exhausted the tests I think I can do - even installed Malwarebytes Firefox plugin and still nothing detected. The detail of the malware again:

    --
    Anonymous 27 Feb 2022 wp-login.php Web App Attack
    emha.koeln 27 Feb 2022 92.205.3.203 Brute-Force Web App Attack - Attempts to probe
    for or exploit installed web applications such as a CMS like WordPress/Drupal, e-commerce solutions,
    forum software, phpMyAdmin and various other software plugins/solutions.

    Whoever owns that website needs to contact their webhost and request they clean up that IP from malware.
    --

    As I've mentioned, it's a very simple site, effectively just hosting pdfs from a magazine.

    --
    Cheers, Rob
  • From Andy Burns@21:1/5 to RJH on Fri Mar 11 10:08:01 2022
    RJH wrote:

    If anyone would like a look it's post16educator org uk.

    Do you use wordpress? Or write the site using PHP?

    The site is using an old jQuery, being loaded from your server (not from a CDN); not clear if it's shared on the 'Heart' server or comes from your RapidWeaver?

    Did the supposed report come from <https://emha.koeln> or a person called that? They look like they might be a person who goes looking for vulnerabilities ...
  • From Andy Burns@21:1/5 to RJH on Fri Mar 11 10:14:24 2022
    RJH wrote:

    the site is listed as hosted by Godaddy

    Yes, that IP addr is on godaddy servers, maybe Heart outsource it?

    Have you got a "control panel" login? If you don't use PHP, can you turn it off?

    Deleting your whole site and re-uploading sounds like a reasonable idea, provided you're sure you have a full copy ...
  • From Andy Burns@21:1/5 to RJH on Fri Mar 11 10:22:14 2022
    RJH wrote:

    I've just had a reply from Malwarebytes (1 minute after I posted!):

    --
    Hi, The site is clean but hosted on a malicious IP. The IP is blocked due to recent brute-force attacks.
    https://www.abuseipdb.com/check/92.205.3.203
    --

    That's what I /thought/ their message was saying. Anyway, I assume the IP is set by the host company, Heart? I can't see any way I control it . . .

    The domain (as you said) is registered with heartinternet.co.uk
    For DNS you (or heart) are using domaincontrol.com
    which is resolving post16educator.org.uk to 92.205.3.203
    The reverse DNS of that address associates to secureserver.net

    Maybe that jogs a few brain cells on who is involved?
  • From RJH@21:1/5 to Andy Burns on Fri Mar 11 10:21:24 2022
    On 11 Mar 2022 at 10:08:01 GMT, "Andy Burns" <usenet@andyburns.uk> wrote:

    RJH wrote:

    If anyone would like a look it's post16educator org uk.

    Do you use wordpress? Or write the site using PHP?


    It's done in Rapidweaver with the Foundry/Stacks plugin - a Mac web editor.

    The site is using an old jQuery, being loaded from your server (not from a CDN)
    not clear if it's shared on the 'Heart' server or comes from your RapidWeaver?


    Mmmm - not sure what that is. I'd guess Rapidweaver is 'injecting' it somehow.

    Did the supposed report come from <https://emha.koeln> or a person called that?
    They look like they might be a person who goes looking for vulnerabilities ...

    The report came from Malwarebytes - I've just posted their reply to my query - it seems the IP is the problem.
    --
    Cheers, Rob
  • From Mike Scott@21:1/5 to Andy Burns on Fri Mar 11 10:52:01 2022
    On 11/03/2022 10:14, Andy Burns wrote:
    RJH wrote:

    the site is listed as hosted by Godaddy

    Yes, that IP addr is on godaddy servers, maybe Heart outsource it?

    Have you got a "control panel" login? If you don't use PHP, can you
    turn it off?

    Deleting your whole site and re-uploading sounds like a reasonable idea, provided you're sure you have a full copy ...

    That may not be enough. You'd really need to clear out everything -
    source and logs and /anything/ an intruder might have been able to
    alter: and then reboot the server. Probably not practicable for the OP.
    --
    Mike Scott
    Harlow, England
  • From RJH@21:1/5 to Andy Burns on Fri Mar 11 10:24:41 2022
    On 11 Mar 2022 at 10:14:24 GMT, "Andy Burns" <usenet@andyburns.uk> wrote:

    RJH wrote:

    the site is listed as hosted by Godaddy

    Yes, that IP addr is on godaddy servers, maybe Heart outsource it?

    Have you got a "control panel" login? If you don't use PHP, can you turn it off?

    Thanks - I'll take a look. Not sure what that is/does TBH but I'll try turning it off and see what happens.

    Deleting your whole site and re-uploading sounds like a reasonable idea, provided you're sure you have a full copy ...

    I think it's more the site was subject to an attack - and I don't think
    whoever was doing it got through.

    The bit I'm confused about now is the vulnerability of the IP address, and how I change that.

    --
    Cheers, Rob
  • From Andy Burns@21:1/5 to RJH on Fri Mar 11 11:03:26 2022
    RJH wrote:

    The bit I'm confused about now is the vulnerability of the IP address, and how
    I change that.

    Someone has scanned a whole bunch of domains and/or IP addresses, they've found vulnerabilities in other sites on the server you're sharing, and attacks coming from other sites hosted on the same server.

    It's the equivalent of reporting the address of a whole block of flats as being a cannabis farm, when just one flat is doing it ...

    From abuseipdb it looks like you have multiple sleazy neighbours; either ask GoDaddy to identify and kick off the abusers or choose someone other than GoDaddy who will do a better job as your host.
  • From Mike Scott@21:1/5 to RJH on Fri Mar 11 10:54:11 2022
    On 11/03/2022 10:21, RJH wrote:
    [...]
    The report came from Malwarebytes - I've just posted their reply to my query - it seems the IP is the problem.

    Which may be shared with other web sites on the same server. Depends how they're set up.

    --
    Mike Scott
    Harlow, England
  • From Pancho@21:1/5 to RJH on Fri Mar 11 11:40:16 2022
    On 10/03/2022 18:26, RJH wrote:
    I've received a notification from somebody looking at a site I host/develop that it contains malware. They were alerted by their Malwarebytes software, which told them the site was 'unsafe'.


    Maybe I'm missing the point but...

    It sounds like the IP you share has been used to mount an attack on a
    third party.

    That isn't saying you have a vulnerability, it is saying you attacked
    someone (or someone sharing your IP attacked someone)
  • From Andy Burns@21:1/5 to Pancho on Fri Mar 11 12:20:07 2022
    Pancho wrote:

    Maybe I'm missing the point but...

    It sounds like the IP you share has been used to mount an attack on a third party.

    That isn't saying you have a vulnerability, it is saying you attacked someone (or someone sharing your IP attacked someone)

    I think that's exactly right: one of Rob's users presumably lets Malwarebytes "judge" the sites they visit, MWB looks up the IP addr in various databases, including abuseipdb, it sees that Rob's website shares an IP addr with some bad guys and warns the user, who passes it on to Rob.

    I looked up several godaddy server IP addrs and they all have hundreds of attacker warnings; I looked up the amazon hosting that one of my sites is on and it has zero.