aus+uk / uk.comp.homebuilt / Re: OT: Malware

Subject / Author
* OT: Malware - RJH
+* Re: OT: Malware - Marco Moock
|`* Re: OT: Malware - RJH
| +* Re: OT: Malware - Chris
| |`* Re: OT: Malware - RJH
| | `* Re: OT: Malware - Andy Burns
| |  `* Re: OT: Malware - RJH
| |   `- Re: OT: Malware - Mike Scott
| `* Re: OT: Malware - Mike Scott
|  `* Re: OT: Malware - RJH
|   `* Re: OT: Malware - Andy Burns
|    +* Re: OT: Malware - RJH
|    |`- Re: OT: Malware - Andy Burns
|    `- Re: OT: Malware - Mike Scott
+* Re: OT: Malware - RJH
|`- Re: OT: Malware - Andy Burns
`* Re: OT: Malware - Pancho
 `- Re: OT: Malware - Andy Burns

OT: Malware

<t0dft8$q0b$1@dont-email.me>

https://www.novabbs.com/aus+uk/article-flat.php?id=1988&group=uk.comp.homebuilt#1988

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: patchmo...@gmx.com (RJH)
Newsgroups: uk.comp.homebuilt
Subject: OT: Malware
Date: Thu, 10 Mar 2022 18:26:48 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 30
Message-ID: <t0dft8$q0b$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=fixed
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 10 Mar 2022 18:26:48 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="cc97172ad5170b7efdcae2d6ec781adb";
logging-data="26635"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18T1agozik4PSX1fI2iY4cJ"
User-Agent: Usenapp/1.18/l for MacOS - Full License
Cancel-Lock: sha1:xuETql8sOrm8sL4C5pVrVSFcgwI=
 by: RJH - Thu, 10 Mar 2022 18:26 UTC

I've received a notification from somebody looking at a site I host/develop
that it contains malware. They were alerted by their Malwarebytes software,
which told them the site was 'unsafe'.

I checked as best as I could (virus and malware scanned the uploaded files,
https://sitecheck.sucuri.net/) and no problems found. I asked the user to ask
Malwarebytes to be more specific or whitelist the site, and they replied:

--
Reporter Date Comment Categories
Anonymous 27 Feb 2022 wp-login.php Web App Attack
emha.koeln 27 Feb 2022 92.205.3.203 Brute-Force Web App Attack - Attempts to
probe
for or exploit installed web applications such as a CMS like WordPress/Drupal,
e-commerce solutions,
forum software, phpMyAdmin and various other software plugins/solutions.

Whoever owns that website needs to contact their webhost and request they
clean up that IP from
malware.
--

I contacted my host (Heart) and they said it's my problem, and they'd simply
close down the site if they receive a complaint.

I'm not sure what I'm supposed to do! The info given by Malwarebytes looks to
me like an attempted attack - not evidence of malware. Advice welcome!

--
Cheers, Rob
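The abuse report quoted in the post classifies requests by what they hit (wp-login.php, phpMyAdmin and other CMS entry points) and by rate (brute force). The following script, added here as an illustration and not code from the thread or from Malwarebytes, applies the same classification to Apache "combined" access log lines: it counts probe requests per source address and flags addresses that POST to a login endpoint at least `threshold` times inside a short window. The entry-point list and the sample log lines are constructed assumptions, using documentation-only IP ranges.

```python
"""Flag web-app probing and login brute force in Apache access logs.

Added example, not code from the thread. Classifies requests the way the
abuse report does ("Web App Attack": hits on wp-login.php, phpMyAdmin and
other CMS entry points) and flags any source IP that POSTs to a login
endpoint repeatedly inside a short window. Log lines are constructed for
illustration and use documentation-only IP ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Entry points of the kind the report lists (WordPress, Drupal, phpMyAdmin).
# Assumed list; extend it for the software you actually run.
PROBE_PATHS = ("/wp-login.php", "/phpmyadmin/", "/user/login")
LOGIN_PATHS = ("/wp-login.php", "/user/login")


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0].lower()  # drop the query string
    return rec


def is_probe(path):
    return any(path.startswith(p) for p in PROBE_PATHS)


def analyse(lines, threshold=5, window=timedelta(minutes=1)):
    """Count probe requests per IP and flag IPs with >= threshold login POSTs
    inside any span of length `window`."""
    probes = defaultdict(int)
    login_posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec["path"]):
            continue
        probes[rec["ip"]] += 1
        if rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATHS):
            login_posts[rec["ip"]].append(rec["ts"])

    brute_force = []
    for ip, stamps in login_posts.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                brute_force.append(ip)
                break
    return {"probes": dict(probes), "brute_force": sorted(brute_force)}


# Constructed sample: one normal visitor, one single probe, one brute-force run.
SAMPLE_LOG = [
    '192.0.2.1 - - [27/Feb/2022:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.9 - - [27/Feb/2022:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 196',
] + [
    f'203.0.113.7 - - [27/Feb/2022:10:01:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 404 196'
    for s in (0, 3, 7, 11, 15, 20)
]

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, n in result["probes"].items():
        print(f"{ip}: {n} probe request(s)")
    print("brute-force candidates:", result["brute_force"])
```

A site that does not run WordPress answers these requests with 404, as in the sample; the entries are still worth counting because they are what the report's "Web App Attack" category is built from, and they tell you the attempts hit your site rather than a neighbour on the same server.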

Re: OT: Malware

<20220310205356.1e10cd7d@ryz>

https://www.novabbs.com/aus+uk/article-flat.php?id=1989&group=uk.comp.homebuilt#1989

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: mo0...@posteo.de (Marco Moock)
Newsgroups: uk.comp.homebuilt
Subject: Re: OT: Malware
Date: Thu, 10 Mar 2022 20:53:56 +0100
Organization: A noiseless patient Spider
Lines: 9
Message-ID: <20220310205356.1e10cd7d@ryz>
References: <t0dft8$q0b$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Injection-Info: reader02.eternal-september.org; posting-host="5683e7a8276a4fb62c2639cd1a30ed52";
logging-data="7487"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19l2fZOGTRaoy4YGhb8Sn7y"
Cancel-Lock: sha1:XqacqkXPuoPa7lnhK8bHjwbtbfc=
X-Newsreader: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
 by: Marco Moock - Thu, 10 Mar 2022 19:53 UTC

On Thursday, 10 March 2022, at 18:26:48, RJH wrote:

> I'm not sure what I'm supposed to do! The info given by Malwarebytes
> looks to me like an attempted attack - not evidence of malware.
> Advice welcome!

Please specify what software you run on your server. Is it up-to-date?
Is the operating system itself up-to-date?

Re: OT: Malware

<t0earb$c0f$1@dont-email.me>

https://www.novabbs.com/aus+uk/article-flat.php?id=1990&group=uk.comp.homebuilt#1990

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: patchmo...@gmx.com (RJH)
Newsgroups: uk.comp.homebuilt
Subject: Re: OT: Malware
Date: Fri, 11 Mar 2022 02:06:35 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 17
Message-ID: <t0earb$c0f$1@dont-email.me>
References: <t0dft8$q0b$1@dont-email.me> <20220310205356.1e10cd7d@ryz>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=fixed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 11 Mar 2022 02:06:35 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="4d5f55db82a666328f70b930452a1831";
logging-data="12303"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX186dT2Z3adPUjcXRhncAlVw"
User-Agent: Usenapp/1.18/l for MacOS - Full License
Cancel-Lock: sha1:wFBF300rKrIFx+syj+vZpQ0Dweg=
 by: RJH - Fri, 11 Mar 2022 02:06 UTC

On 10 Mar 2022 at 19:53:56 GMT, "Marco Moock" <mo01@posteo.de> wrote:

> On Thursday, 10 March 2022, at 18:26:48, RJH wrote:
>
>> I'm not sure what I'm supposed to do! The info given by Malwarebytes
>> looks to me like an attempted attack - not evidence of malware.
>> Advice welcome!
>
> Please specify what software you run on your server. Is it up-to-date?
> Is the operating system itself up-to-date?

Mmm. Not sure how I check. It's 'hosted' by Heart Internet and the server is
listed as Apache, and written using Rapidweaver. Sitecheck lists a number of
links, use of Javascript, and no Iframes or embedded objects.

--
Cheers, Rob

Re: OT: Malware

<t0evrr$114$1@dont-email.me>

https://www.novabbs.com/aus+uk/article-flat.php?id=1991&group=uk.comp.homebuilt#1991

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: ithink...@gmail.com (Chris)
Newsgroups: uk.comp.homebuilt
Subject: Re: OT: Malware
Date: Fri, 11 Mar 2022 08:05:15 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 19
Message-ID: <t0evrr$114$1@dont-email.me>
References: <t0dft8$q0b$1@dont-email.me>
<20220310205356.1e10cd7d@ryz>
<t0earb$c0f$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 11 Mar 2022 08:05:15 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="61a8d8a643a8050e4946bfa5d07d6982";
logging-data="1060"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18zCKtZ/UY81z8II6d+sYXODhh4g/jY2oY="
User-Agent: NewsTap/5.5 (iPhone/iPod Touch)
Cancel-Lock: sha1:VFqx11AXTo9AxoMMCQIaceGc/ro=
sha1:G5WqeegU1q1agH+dvqMs2IV7gi0=
 by: Chris - Fri, 11 Mar 2022 08:05 UTC

RJH <patchmoney@gmx.com> wrote:
> On 10 Mar 2022 at 19:53:56 GMT, "Marco Moock" <mo01@posteo.de> wrote:
>
>> On Thursday, 10 March 2022, at 18:26:48, RJH wrote:
>>
>>> I'm not sure what I'm supposed to do! The info given by Malwarebytes
>>> looks to me like an attempted attack - not evidence of malware.
>>> Advice welcome!
>>
>> Please specify what software you run on your server. Is it up-to-date?
>> Is the operating system itself up-to-date?
>
> Mmm. Not sure how I check. It's 'hosted' by Heart Internet and the server is
> listed as Apache, and written using Rapidweaver. Sitecheck lists a number of
> links, use of Javascript, and no Iframes or embedded objects.

Does it run a forum or a wordpress site? They are notorious as attack
vectors if not kept up-to-date or using vulnerable plugins.

Re: OT: Malware

<t0f29a$fq8$1@dont-email.me>

https://www.novabbs.com/aus+uk/article-flat.php?id=1992&group=uk.comp.homebuilt#1992

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: usenet...@scottsonline.org.uk.invalid (Mike Scott)
Newsgroups: uk.comp.homebuilt
Subject: Re: OT: Malware
Date: Fri, 11 Mar 2022 08:46:33 +0000
Organization: Scott family
Lines: 31
Message-ID: <t0f29a$fq8$1@dont-email.me>
References: <t0dft8$q0b$1@dont-email.me> <20220310205356.1e10cd7d@ryz>
<t0earb$c0f$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 11 Mar 2022 08:46:34 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="3eed3ebd11c2cae869ad78139cfb174e";
logging-data="16200"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX189/GTCqZVXyLw/l/kG72CD9VaUhEpC8gE="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Thunderbird/91.5.0
Cancel-Lock: sha1:8nL8sfpuoaET6yeBbpd0Bkn/mfw=
In-Reply-To: <t0earb$c0f$1@dont-email.me>
Content-Language: en-GB
 by: Mike Scott - Fri, 11 Mar 2022 08:46 UTC

On 11/03/2022 02:06, RJH wrote:
> On 10 Mar 2022 at 19:53:56 GMT, "Marco Moock" <mo01@posteo.de> wrote:
>
>> On Thursday, 10 March 2022, at 18:26:48, RJH wrote:
>>
>>> I'm not sure what I'm supposed to do! The info given by Malwarebytes
>>> looks to me like an attempted attack - not evidence of malware.
>>> Advice welcome!
>>
>> Please specify what software you run on your server. Is it up-to-date?
>> Is the operating system itself up-to-date?
>
> Mmm. Not sure how I check. It's 'hosted' by Heart Internet and the server is
> listed as Apache, and written using Rapidweaver. Sitecheck lists a number of
> links, use of Javascript, and no Iframes or embedded objects.
>

Longshot..... check the version of apache: a recent one was subject to a
url path backtrack exploit, allowing shell invocation and thus
installation of hidden malware on the web site. I was badly bitten :-{ I
found a whole pile of python stuff in the apache log area, under ".log"
or similar - it formed a proxy tcp system being controlled by someone
with a .de domain.

If you share an IP with another site (apache's virtual hosting), the
problem may not lie with you though.

--
Mike Scott
Harlow, England
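The post describes the tell-tale of that compromise: a pile of scripts sitting in the Apache log area under a hidden directory. The script below is an added example, not code from the thread, showing the check a defender would run over a log directory: it flags hidden entries, files with script extensions or an executable bit, and names that do not look like a (rotated) log file. The directory layout it scans is constructed in a temporary directory; the file names and the `.log` hidden-directory name follow the post's description.

```python
"""Scan a web server's log directory for entries that are not logs.

Added example, not code from the thread. Flags hidden entries, script
files, files with an executable bit, and names that do not look like
(rotated) log files. The demo layout is constructed in a temp dir.
"""
import os
import re
import stat
import tempfile

# access.log, error.log.1, other.log.2.gz all count as normal log names.
LOG_NAME_RE = re.compile(r"^[\w.-]+\.log(\.\d+)?(\.gz)?$")
SCRIPT_EXTS = {".py", ".sh", ".pl", ".php"}   # assumed list; extend as needed
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def scan(root):
    """Return a list of (relative_path, reasons) for suspicious entries under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for d in dirnames:
            if d.startswith("."):
                findings.append((os.path.normpath(os.path.join(rel_dir, d)),
                                 ("hidden directory",)))
        for f in filenames:
            reasons = []
            full = os.path.join(dirpath, f)
            if f.startswith("."):
                reasons.append("hidden file")
            if os.path.splitext(f)[1].lower() in SCRIPT_EXTS:
                reasons.append("script extension")
            if os.lstat(full).st_mode & EXEC_BITS:
                reasons.append("executable bit set")
            if not LOG_NAME_RE.match(f):
                reasons.append("name does not look like a log file")
            if reasons:
                findings.append((os.path.normpath(os.path.join(rel_dir, f)),
                                 tuple(reasons)))
    return findings


def build_demo():
    """Constructed layout: two legitimate logs plus a hidden dir holding a script."""
    root = tempfile.mkdtemp(prefix="apache-logs-")
    for name in ("access.log", "error.log.1"):
        open(os.path.join(root, name), "w").close()
    hidden = os.path.join(root, ".log")
    os.mkdir(hidden)
    script = os.path.join(hidden, "proxy.py")
    with open(script, "w") as fh:
        fh.write("# placeholder file for the demo, not a real script\n")
    os.chmod(script, 0o755)
    return root


if __name__ == "__main__":
    for path, reasons in scan(build_demo()):
        print(f"{path}: {', '.join(reasons)}")
```

On a shared host where you only have FTP or a control-panel file manager, the same checks can be done by eye: list the log directory with hidden files shown and look for anything that is not a log.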

Re: OT: Malware

<t0f3p0$c8p$1@dont-email.me>

https://www.novabbs.com/aus+uk/article-flat.php?id=1993&group=uk.comp.homebuilt#1993

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: patchmo...@gmx.com (RJH)
Newsgroups: uk.comp.homebuilt
Subject: Re: OT: Malware
Date: Fri, 11 Mar 2022 09:12:01 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 29
Message-ID: <t0f3p0$c8p$1@dont-email.me>
References: <t0dft8$q0b$1@dont-email.me> <20220310205356.1e10cd7d@ryz> <t0earb$c0f$1@dont-email.me> <t0evrr$114$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=fixed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 11 Mar 2022 09:12:01 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="4d5f55db82a666328f70b930452a1831";
logging-data="12569"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+36xGefMk3u0cjDUFN+9vI"
User-Agent: Usenapp/1.18/l for MacOS - Full License
Cancel-Lock: sha1:MZBfErRMbjVRdmFQJPqPZfF6cI0=
 by: RJH - Fri, 11 Mar 2022 09:12 UTC

On 11 Mar 2022 at 08:05:15 GMT, "Chris" <ithinkiam@gmail.com> wrote:

> RJH <patchmoney@gmx.com> wrote:
>> On 10 Mar 2022 at 19:53:56 GMT, "Marco Moock" <mo01@posteo.de> wrote:
>>
>>> On Thursday, 10 March 2022, at 18:26:48, RJH wrote:
>>>
>>>> I'm not sure what I'm supposed to do! The info given by Malwarebytes
>>>> looks to me like an attempted attack - not evidence of malware.
>>>> Advice welcome!
>>>
>>> Please specify what software you run on your server. Is it up-to-date?
>>> Is the operating system itself up-to-date?
>>
>> Mmm. Not sure how I check. It's 'hosted' by Heart Internet and the server is
>> listed as Apache, and written using Rapidweaver. Sitecheck lists a number of
>> links, use of Javascript, and no Iframes or embedded objects.
>
> Does it run a forum or a wordpress site? They are notorious as attack
> vectors if not kept up-to-date or using vulnerable plugins.

No - read only

If anyone would like a look it's post16educator org uk.

Before you do, I'd just reiterate that it's been flagged as an insecure site
by Malwarebytes.
--
Cheers, Rob

Re: OT: Malware

<t0f4kn$tbk$1@dont-email.me>

https://www.novabbs.com/aus+uk/article-flat.php?id=1994&group=uk.comp.homebuilt#1994

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: patchmo...@gmx.com (RJH)
Newsgroups: uk.comp.homebuilt
Subject: Re: OT: Malware
Date: Fri, 11 Mar 2022 09:26:47 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 59
Message-ID: <t0f4kn$tbk$1@dont-email.me>
References: <t0dft8$q0b$1@dont-email.me> <20220310205356.1e10cd7d@ryz> <t0earb$c0f$1@dont-email.me> <t0f29a$fq8$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=fixed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 11 Mar 2022 09:26:47 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="4d5f55db82a666328f70b930452a1831";
logging-data="30068"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX186n0dhL50idL+o1NZ1jBvb"
User-Agent: Usenapp/1.18/l for MacOS - Full License
Cancel-Lock: sha1:tE0etUhLaRvgQ5bo4a+giEKgzek=
 by: RJH - Fri, 11 Mar 2022 09:26 UTC

On 11 Mar 2022 at 08:46:33 GMT, "Mike Scott"
<usenet.16@scottsonline.org.uk.invalid> wrote:

> On 11/03/2022 02:06, RJH wrote:
>> On 10 Mar 2022 at 19:53:56 GMT, "Marco Moock" <mo01@posteo.de> wrote:
>>
>>> On Thursday, 10 March 2022, at 18:26:48, RJH wrote:
>>>
>>>> I'm not sure what I'm supposed to do! The info given by Malwarebytes
>>>> looks to me like an attempted attack - not evidence of malware.
>>>> Advice welcome!
>>>
>>> Please specify what software you run on your server. Is it up-to-date?
>>> Is the operating system itself up-to-date?
>>
>> Mmm. Not sure how I check. It's 'hosted' by Heart Internet and the server is
>> listed as Apache, and written using Rapidweaver. Sitecheck lists a number of
>> links, use of Javascript, and no Iframes or embedded objects.
>>
>
> Longshot..... check the version of apache: a recent one was subject to a
> url path backtrack exploit, allowing shell invocation and thus
> installation of hidden malware on the web site. I was badly bitten :-{ I
> found a whole pile of python stuff in the apache log area, under ".log"
> or similar - it formed a proxy tcp system being controlled by someone
> with a .de domain.
>

Thanks, I've written to them asking about the version. I'd imagine that Heart
keeps things pretty much up to date, and malware could have been placed at
some time in the past, during an older version I suppose.

> If you share an IP with another site (apache's virtual hosting), the
> problem may not lie with you though.

Curiously, the site is listed as hosted by Godaddy according to Sucuri. I'd
always thought I'd transferred everything to Heart about 10 years ago.

Anyway, I'm wondering if perhaps I should just delete the entire site manually
in FTP and re-upload it? I think I've exhausted the tests I think I can do -
even installed Malwarebytes Firefox plugin and still nothing detected. The
detail of the malware again:

--
Anonymous 27 Feb 2022 wp-login.php Web App Attack emha.koeln 27 Feb 2022
92.205.3.203 Brute-Force Web App Attack - Attempts to probe for or exploit
installed web applications such as a CMS like WordPress/Drupal, e-commerce
solutions, forum software, phpMyAdmin and various other software
plugins/solutions.

Whoever owns that website needs to contact their webhost and request they
clean up that IP from malware.
--

As I've mentioned, it's a very simple site, effectively just hosting pdfs from
a magazine.

--
Cheers, Rob

Re: OT: Malware

<j90lc4FjddnU1@mid.individual.net>

https://www.novabbs.com/aus+uk/article-flat.php?id=1995&group=uk.comp.homebuilt#1995

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.szaf.org!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: use...@andyburns.uk (Andy Burns)
Newsgroups: uk.comp.homebuilt
Subject: Re: OT: Malware
Date: Fri, 11 Mar 2022 10:08:01 +0000
Lines: 11
Message-ID: <j90lc4FjddnU1@mid.individual.net>
References: <t0dft8$q0b$1@dont-email.me> <20220310205356.1e10cd7d@ryz>
<t0earb$c0f$1@dont-email.me> <t0evrr$114$1@dont-email.me>
<t0f3p0$c8p$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net NM3c1MCa0RLEjaBvUyUu7glRPsyqmdSWgEaTTN/HMjWcgEroSP
Cancel-Lock: sha1:H2156VgLrrAWvbOBCcFbeaAYYtA=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.7.0
Content-Language: en-GB
In-Reply-To: <t0f3p0$c8p$1@dont-email.me>
 by: Andy Burns - Fri, 11 Mar 2022 10:08 UTC

RJH wrote:

> If anyone would like a look it's post16educator org uk.

Do you use wordpress? Or write the site using PHP?

The site is using an old jQuery, being loaded from your server (not from a CDN);
not clear if it's shared on the 'Heart' server or comes from your RapidWeaver?

Did the supposed report come from <https://emha.koeln> or a person called that?
They look like they might be a person who goes looking for vulnerabilities ...

Re: OT: Malware

<t0f7ac$ift$1@dont-email.me>

https://www.novabbs.com/aus+uk/article-flat.php?id=1996&group=uk.comp.homebuilt#1996

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: patchmo...@gmx.com (RJH)
Newsgroups: uk.comp.homebuilt
Subject: Re: OT: Malware
Date: Fri, 11 Mar 2022 10:12:28 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 45
Message-ID: <t0f7ac$ift$1@dont-email.me>
References: <t0dft8$q0b$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=fixed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 11 Mar 2022 10:12:28 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="4d5f55db82a666328f70b930452a1831";
logging-data="18941"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18WWsvtNuP5qN1GbIcEVGqa"
User-Agent: Usenapp/1.18/l for MacOS - Full License
Cancel-Lock: sha1:A03RVZ6MqogC3ys9PlIqJ7Ps9ng=
 by: RJH - Fri, 11 Mar 2022 10:12 UTC

On 10 Mar 2022 at 18:26:48 GMT, "RJH" <patchmoney@gmx.com> wrote:

> I've received a notification from somebody looking at a site I host/develop
> that it contains malware. They were alerted by their Malwarebytes software,
> which told them the site was 'unsafe'.
>
> I checked as best as I could (virus and malware scanned the uploaded files,
> https://sitecheck.sucuri.net/) and no problems found. I asked the user to ask
> Malwarebytes to be more specific or whitelist the site, and they replied:
>
> --
> Reporter Date Comment Categories
> Anonymous 27 Feb 2022 wp-login.php Web App Attack
> emha.koeln 27 Feb 2022 92.205.3.203 Brute-Force Web App Attack - Attempts to
> probe
> for or exploit installed web applications such as a CMS like WordPress/Drupal,
> e-commerce solutions,
> forum software, phpMyAdmin and various other software plugins/solutions.
>
> Whoever owns that website needs to contact their webhost and request they
> clean up that IP from
> malware.
> --
>
> I contacted my host (Heart) and they said it's my problem, and they'd simply
> close down the site if they revceive a complaint.
>
> I'm not sure what I'm supposed to do! The info given by Malwarebytes looks to
> me like an attempted attack - not evidence of malware. Advice welcome!
>
> --
> Cheers, Rob

Update - I've just had a reply from Malwarebytes (1 minute after I posted!):

--
Hi, The site is clean but hosted on a malicious IP. The IP is blocked due to
recent brute-force attacks.
https://www.abuseipdb.com/check/92.205.3.203
--

That's what I /thought/ their message was saying. Anyway, I assume the IP is
set by the host company, Heart? I can't see any way I control it . . .
--
Cheers, Rob

Re: OT: Malware

<j90lo2FjfeqU1@mid.individual.net>

https://www.novabbs.com/aus+uk/article-flat.php?id=1997&group=uk.comp.homebuilt#1997

Path: i2pn2.org!i2pn.org!usenet.goja.nl.eu.org!3.eu.feeder.erje.net!feeder.erje.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: use...@andyburns.uk (Andy Burns)
Newsgroups: uk.comp.homebuilt
Subject: Re: OT: Malware
Date: Fri, 11 Mar 2022 10:14:24 +0000
Lines: 12
Message-ID: <j90lo2FjfeqU1@mid.individual.net>
References: <t0dft8$q0b$1@dont-email.me> <20220310205356.1e10cd7d@ryz>
<t0earb$c0f$1@dont-email.me> <t0f29a$fq8$1@dont-email.me>
<t0f4kn$tbk$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net bc8YEnOykSOAyQHsvWxfywll6Vn8MOjHsu+EnjfYP1ytKGQWcY
Cancel-Lock: sha1:mxQJiwpXjmv6XSIpz8cenLS/JQ0=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.7.0
Content-Language: en-GB
In-Reply-To: <t0f4kn$tbk$1@dont-email.me>
 by: Andy Burns - Fri, 11 Mar 2022 10:14 UTC

RJH wrote:

> the site is listed as hosted by Godaddy

yes that IP addr is on godaddy servers, maybe Heart outsource it?

Have you got a "control panel" login? If you don't use PHP, can you turn it off?

Deleting your whole site and re-uploading sounds like a reasonable idea,
provided you're sure you have a full copy ...

Re: OT: Malware

<t0f7r4$t2i$1@dont-email.me>

https://www.novabbs.com/aus+uk/article-flat.php?id=1998&group=uk.comp.homebuilt#1998

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: patchmo...@gmx.com (RJH)
Newsgroups: uk.comp.homebuilt
Subject: Re: OT: Malware
Date: Fri, 11 Mar 2022 10:21:24 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 24
Message-ID: <t0f7r4$t2i$1@dont-email.me>
References: <t0dft8$q0b$1@dont-email.me> <t0evrr$114$1@dont-email.me> <t0f3p0$c8p$1@dont-email.me> <j90lc4FjddnU1@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=fixed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 11 Mar 2022 10:21:24 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="4d5f55db82a666328f70b930452a1831";
logging-data="29778"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18JkqdU1u/msHIN/gxXPGPN"
User-Agent: Usenapp/1.18/l for MacOS - Full License
Cancel-Lock: sha1:zYiNWek/ovedRWDI9RVspnufx0A=
 by: RJH - Fri, 11 Mar 2022 10:21 UTC

On 11 Mar 2022 at 10:08:01 GMT, "Andy Burns" <usenet@andyburns.uk> wrote:

> RJH wrote:
>
>> If anyone would like a look it's post16educator org uk.
>
> Do you use wordpress? Or write the site using PHP?
>

It's done in Rapidweaver with the Foundry/Stacks plugin - a Mac web editor.

> The site is using an old jQuery, being loaded from your server (not from a CDN);
> not clear if it's shared on the 'Heart' server or comes from your RapidWeaver?
>

Mmmm - not sure what that is. I'd guess Rapidweaver is 'injecting' it somehow.

> Did the supposed report come from <https://emha.koeln> or a person called that?
> They look like they might be a person who goes looking for vulnerabilities ...

The report came from Malwarebytes - I've just posted their reply to my query -
it seems the IP is the problem.
--
Cheers, Rob

Re: OT: Malware

<j90m6pFjj5oU1@mid.individual.net>

https://www.novabbs.com/aus+uk/article-flat.php?id=1999&group=uk.comp.homebuilt#1999

Path: i2pn2.org!i2pn.org!usenet.goja.nl.eu.org!3.eu.feeder.erje.net!feeder.erje.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: use...@andyburns.uk (Andy Burns)
Newsgroups: uk.comp.homebuilt
Subject: Re: OT: Malware
Date: Fri, 11 Mar 2022 10:22:14 +0000
Lines: 19
Message-ID: <j90m6pFjj5oU1@mid.individual.net>
References: <t0dft8$q0b$1@dont-email.me> <t0f7ac$ift$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net DFxkG9uLdFifw/xKk3B9iwIseN5enT+CrNJqZaLEd56skrPPhK
Cancel-Lock: sha1:XB8597JRCnBrC+JWE+ZkUxI/ZsY=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.7.0
Content-Language: en-GB
In-Reply-To: <t0f7ac$ift$1@dont-email.me>
 by: Andy Burns - Fri, 11 Mar 2022 10:22 UTC

RJH wrote:

> I've just had a reply from Malwarebytes (1 minute after I posted!):
>
> --
> Hi, The site is clean but hosted on a malicious IP. The IP is blocked due to
> recent brute-force attacks.
> https://www.abuseipdb.com/check/92.205.3.203
> --
>
> That's what I /thought/ their message was saying. Anyway, I assume the IP is
> set by the host company, Heart? I can't see any way I control it . . .

The domain (as you said) is registered with heartinternet.co.uk
For DNS you (or heart) are using domaincontrol.com
which is resolving post16educator.org.uk to 92.205.3.203
The reverse DNS of that address associates to secureserver.net

Maybe that jogs a few brain cells on who is involved?
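The chain the post walks (domain, then the address it resolves to, then the reverse DNS of that address, then the provider that name points at) is the quickest way to find out who actually runs the box behind a site, and whether that is the company you pay. The script below is an added example, not code from the thread, that performs the same walk and reports whether the PTR name belongs to the provider you expect. The default lookups use the standard library and need network access; the resolver functions can be replaced with dictionaries so the walk runs offline. The `FAKE_*` tables are constructed from the facts stated in the post; the PTR hostname in them is made up.

```python
"""Walk the hosting chain for a domain: forward A record, then reverse PTR.

Added example, not code from the thread. Default lookups use the system
resolver; forward_fn / reverse_fn can be swapped for dictionaries so the
walk runs offline. FAKE_* tables below are constructed from what the
post states; the PTR hostname in them is invented.
"""
import socket


def forward(name):
    """Resolve a hostname to an IPv4 address using the system resolver."""
    return socket.gethostbyname(name)


def reverse(ip):
    """Return the PTR name for an IP, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def provider_domain(hostname):
    """Reduce a PTR name to its last two labels for display, e.g.
    'ip-92-205-3-203.ip.secureserver.net' -> 'secureserver.net'.
    Simplification: wrong for country-code second-level domains (.co.uk)."""
    if not hostname:
        return None
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def hosting_chain(domain, expected_provider=None, forward_fn=forward, reverse_fn=reverse):
    """Return the domain -> IP -> PTR -> provider chain and whether the PTR
    sits under expected_provider (suffix match, so .co.uk providers work)."""
    ip = forward_fn(domain)
    ptr = reverse_fn(ip)
    matches = expected_provider is None or (
        ptr is not None and ptr.rstrip(".").endswith("." + expected_provider)
    )
    return {
        "domain": domain,
        "ip": ip,
        "ptr": ptr,
        "provider": provider_domain(ptr),
        "matches_expected": matches,
    }


# Constructed offline tables encoding what the post states; PTR name is made up.
FAKE_FORWARD = {"post16educator.org.uk": "92.205.3.203"}
FAKE_REVERSE = {"92.205.3.203": "ip-92-205-3-203.ip.secureserver.net"}


if __name__ == "__main__":
    chain = hosting_chain(
        "post16educator.org.uk",
        expected_provider="heartinternet.co.uk",
        forward_fn=FAKE_FORWARD.__getitem__,
        reverse_fn=FAKE_REVERSE.get,
    )
    for key, value in chain.items():
        print(f"{key}: {value}")
```

Drop the `forward_fn` and `reverse_fn` arguments to run the real lookups; a `matches_expected` of `False` is the "site is hosted by someone other than the company you deal with" situation the thread ends up in.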

Re: OT: Malware

<t0f819$ib$1@dont-email.me>

https://www.novabbs.com/aus+uk/article-flat.php?id=2000&group=uk.comp.homebuilt#2000

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: patchmo...@gmx.com (RJH)
Newsgroups: uk.comp.homebuilt
Subject: Re: OT: Malware
Date: Fri, 11 Mar 2022 10:24:41 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 26
Message-ID: <t0f819$ib$1@dont-email.me>
References: <t0dft8$q0b$1@dont-email.me> <t0f29a$fq8$1@dont-email.me> <t0f4kn$tbk$1@dont-email.me> <j90lo2FjfeqU1@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=fixed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 11 Mar 2022 10:24:41 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="4d5f55db82a666328f70b930452a1831";
logging-data="587"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/qnuPoQLpjPpyQvAnhjsjg"
User-Agent: Usenapp/1.18/l for MacOS - Full License
Cancel-Lock: sha1:BfZlGrXN0H1m2DMfzLI8aLz2ZyY=
 by: RJH - Fri, 11 Mar 2022 10:24 UTC

On 11 Mar 2022 at 10:14:24 GMT, "Andy Burns" <usenet@andyburns.uk> wrote:

> RJH wrote:
>
>> the site is listed as hosted by Godaddy
>
> yes that IP addr is on godaddy servers, maybe Heart outsource it?
>
>
> Have you got a "control panel" login? If you don't use PHP, can you turn it
> off?

Thanks - I'll take a look. Not sure what that is/does TBH but I'll try turning
it off and see what happens.
>
> Deleting your whole site and re-uploading sounds like a reasonable idea,
> provided you're sure you have a full copy ...

I think it's more the site was subject to an attack - and I don't think
whoever was doing it got through.

The bit I'm confused about now is the vulnerability of the IP address, and how
I change that.

--
Cheers, Rob

Re: OT: Malware

<t0f9kh$sq3$1@dont-email.me>

https://www.novabbs.com/aus+uk/article-flat.php?id=2001&group=uk.comp.homebuilt#2001

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: usenet...@scottsonline.org.uk.invalid (Mike Scott)
Newsgroups: uk.comp.homebuilt
Subject: Re: OT: Malware
Date: Fri, 11 Mar 2022 10:52:01 +0000
Organization: Scott family
Lines: 25
Message-ID: <t0f9kh$sq3$1@dont-email.me>
References: <t0dft8$q0b$1@dont-email.me> <20220310205356.1e10cd7d@ryz>
<t0earb$c0f$1@dont-email.me> <t0f29a$fq8$1@dont-email.me>
<t0f4kn$tbk$1@dont-email.me> <j90lo2FjfeqU1@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 11 Mar 2022 10:52:01 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="3eed3ebd11c2cae869ad78139cfb174e";
logging-data="29507"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/5X4R+jVwh0F3q2z6ZDwJpMrkN/Tc4Bb4="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Thunderbird/91.5.0
Cancel-Lock: sha1:Bd8kjBVmlGwhkfSA3UZnsrhiMSM=
In-Reply-To: <j90lo2FjfeqU1@mid.individual.net>
Content-Language: en-GB
 by: Mike Scott - Fri, 11 Mar 2022 10:52 UTC

On 11/03/2022 10:14, Andy Burns wrote:
> RJH wrote:
>
>> the site is listed as hosted by Godaddy
>
> yes that IP addr is on godaddy servers, maybe Heart outsource it?
>
>
> Have you got a "control panel" login? If you don't use PHP, can you
> turn it off?
>
> Deleting your whole site and re-uploading sounds like a reasonable idea,
> provided you're sure you have a full copy ...

That may not be enough. You'd really need to clear out everything -
source and logs and /anything/ an intruder might have been able to
alter: and then reboot the server. Probably not practicable for the OP.

>

--
Mike Scott
Harlow, England

Re: OT: Malware

<t0f9oj$sq3$2@dont-email.me>

https://www.novabbs.com/aus+uk/article-flat.php?id=2002&group=uk.comp.homebuilt#2002

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: usenet...@scottsonline.org.uk.invalid (Mike Scott)
Newsgroups: uk.comp.homebuilt
Subject: Re: OT: Malware
Date: Fri, 11 Mar 2022 10:54:11 +0000
Organization: Scott family
Lines: 12
Message-ID: <t0f9oj$sq3$2@dont-email.me>
References: <t0dft8$q0b$1@dont-email.me> <t0evrr$114$1@dont-email.me>
<t0f3p0$c8p$1@dont-email.me> <j90lc4FjddnU1@mid.individual.net>
<t0f7r4$t2i$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 11 Mar 2022 10:54:11 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="3eed3ebd11c2cae869ad78139cfb174e";
logging-data="29507"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/hX/pKXR4vng2JM+85Kh/mLWmRmW04VAA="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Thunderbird/91.5.0
Cancel-Lock: sha1:ZmQvSocj9QbI2r3JMwgOUG8bUIM=
In-Reply-To: <t0f7r4$t2i$1@dont-email.me>
Content-Language: en-GB
 by: Mike Scott - Fri, 11 Mar 2022 10:54 UTC

On 11/03/2022 10:21, RJH wrote:
......
> The report cam from Malwarebytes - I've just posted their reply to my query -
> it seems the IP is the problem.

Which may be shared with other web sites on the same server. Depends how
they're set up.

--
Mike Scott
Harlow, England

Re: OT: Malware

<j90ok0Fk0u4U1@mid.individual.net>

https://www.novabbs.com/aus+uk/article-flat.php?id=2004&group=uk.comp.homebuilt#2004

Path: i2pn2.org!i2pn.org!usenet.goja.nl.eu.org!3.eu.feeder.erje.net!feeder.erje.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: use...@andyburns.uk (Andy Burns)
Newsgroups: uk.comp.homebuilt
Subject: Re: OT: Malware
Date: Fri, 11 Mar 2022 11:03:26 +0000
Lines: 15
Message-ID: <j90ok0Fk0u4U1@mid.individual.net>
References: <t0dft8$q0b$1@dont-email.me> <t0f29a$fq8$1@dont-email.me>
<t0f4kn$tbk$1@dont-email.me> <j90lo2FjfeqU1@mid.individual.net>
<t0f819$ib$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net YVgN13egmBt/Ra2TrQsLaQkHiezIXUG9cdSgE6RqrpyeUq+zFq
Cancel-Lock: sha1:IuqyaIvjuNQ/KiCo12ulvAPvG4s=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.7.0
Content-Language: en-GB
In-Reply-To: <t0f819$ib$1@dont-email.me>
 by: Andy Burns - Fri, 11 Mar 2022 11:03 UTC

RJH wrote:

> The bit I'm confused about now is the vulnerability of the IP address, and how
> I change that.

Someone has scanned a whole bunch of domains and/or IP addresses, they've found
vulnerabilities in other sites on the server you're sharing, and attacks
coming from other sites hosted on the same server.

It's the equivalent of reporting the address of a whole block of flats as being
a cannabis farm, when just one flat is doing it ...

From AbuseIPDB it looks like you have multiple sleazy neighbours; either ask
GoDaddy to identify and kick off the abusers, or choose someone other than
GoDaddy who will do a better job as your host.

Re: OT: Malware

<t0fcf1$opd$1@dont-email.me>

https://www.novabbs.com/aus+uk/article-flat.php?id=2006&group=uk.comp.homebuilt#2006

Newsgroups: uk.comp.homebuilt
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: Pancho.D...@outlook.com (Pancho)
Newsgroups: uk.comp.homebuilt
Subject: Re: OT: Malware
Date: Fri, 11 Mar 2022 11:40:16 +0000
Organization: A noiseless patient Spider
Lines: 13
Message-ID: <t0fcf1$opd$1@dont-email.me>
References: <t0dft8$q0b$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 11 Mar 2022 11:40:17 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="c1c67fa455fe234b4d6a27110e0bbaab";
logging-data="25389"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/jhdA7kWuNgJYO7lok8Vq6IYcfNSDx72U="
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.3.0
Cancel-Lock: sha1:Uf7jKIMxDRK4NkxL5MqnmmVFxWs=
In-Reply-To: <t0dft8$q0b$1@dont-email.me>
Content-Language: en-GB
 by: Pancho - Fri, 11 Mar 2022 11:40 UTC

On 10/03/2022 18:26, RJH wrote:
> I've received a notification from somebody looking at a site I host/develop
> that it contains malware. They were alerted by their Malwarebytes software,
> which told them the site was 'unsafe'.
>

Maybe I'm missing the point but...

It sounds like the IP you share has been used to mount an attack on a
third party.

That isn't saying you have a vulnerability; it is saying you attacked
someone (or someone sharing your IP attacked someone).

Re: OT: Malware

<j90t3pFksprU1@mid.individual.net>

https://www.novabbs.com/aus+uk/article-flat.php?id=2007&group=uk.comp.homebuilt#2007

Newsgroups: uk.comp.homebuilt
Path: i2pn2.org!i2pn.org!usenet.goja.nl.eu.org!3.eu.feeder.erje.net!feeder.erje.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: use...@andyburns.uk (Andy Burns)
Newsgroups: uk.comp.homebuilt
Subject: Re: OT: Malware
Date: Fri, 11 Mar 2022 12:20:07 +0000
Lines: 18
Message-ID: <j90t3pFksprU1@mid.individual.net>
References: <t0dft8$q0b$1@dont-email.me> <t0fcf1$opd$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net y2zG2hw13nWd+tzAv6JdsATgFuAEmQOA4sWTOU4r/PvBLxNO54
Cancel-Lock: sha1:bDys65RMoLqzPB6DplBZKx42Yig=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.7.0
Content-Language: en-GB
In-Reply-To: <t0fcf1$opd$1@dont-email.me>
 by: Andy Burns - Fri, 11 Mar 2022 12:20 UTC

Pancho wrote:

> May be, I'm missing the point but...
>
> It sounds like the IP you share has been used to mount an attack on a third party.
>
> That isn't saying you have a vulnerability, it is saying you attacked someone
> (or someone sharing your IP attacked someone)

I think that's exactly right: one of Rob's users presumably lets Malwarebytes
"judge" the sites they visit. MWB looks up the IP addr in various databases,
including AbuseIPDB; it sees that Rob's website shares an IP addr with some
bad guys and warns the user, who passes it on to Rob.

I looked up several godaddy server IP addrs and they all have hundreds of
attacker warnings, I looked up the amazon hosting that one of my sites is on and
it has zero.
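The lookup Andy Burns describes above (Malwarebytes consulting IP reputation databases such as AbuseIPDB, which score the address rather than any one site on it) and Pancho's point that the report is about attacks from the IP, not a vulnerability in the site, as an added worked example. This is not code from the thread or from Malwarebytes/AbuseIPDB. It assumes the AbuseIPDB v2 `/check` JSON field names (`abuseConfidenceScore`, `totalReports`, `reports[].reportedAt`, `reports[].categories`, `reports[].comment`) and the category IDs listed on abuseipdb.com/categories; the hostnames, addresses and reports are constructed, and `deployed_at` (when your site was first placed on that IP) is a hypothetical input you would supply yourself.

```python
"""Triage of a shared-hosting IP reputation warning.

Added example, not code from the thread. It models the situation the posts
above describe: a site shares its IP with other tenants, an IP reputation
service (AbuseIPDB-style) holds reports against that IP, and the site owner
wants to know how much of that reputation can possibly be theirs.

Assumptions: the JSON layout mirrors the AbuseIPDB v2 /check response
(data.abuseConfidenceScore, data.totalReports, data.reports[] with
reportedAt, categories, comment); category IDs follow abuseipdb.com/categories.
All addresses (RFC 5737 ranges), hostnames and reports are constructed for
the example; nothing here was fetched from a live service.
"""
from __future__ import annotations

import json
from collections import Counter
from datetime import datetime

# AbuseIPDB category IDs used by the constructed reports (assumed mapping).
CATEGORIES = {14: "Port Scan", 15: "Hacking", 18: "Brute-Force",
              19: "Bad Web Bot", 20: "Exploited Host", 21: "Web App Attack"}

# Constructed forward-DNS snapshot: hostname -> A record. In practice this
# comes from a reverse-IP / passive-DNS lookup; an A lookup of your own host
# only tells you the IP, not who else is sitting on it.
DNS = {
    "www.example.org": "198.51.100.23",    # "our" site
    "shop.example.net": "198.51.100.23",   # neighbour on the same server
    "blog.example.com": "198.51.100.23",   # neighbour on the same server
    "static.example.org": "203.0.113.7",   # a host on a dedicated IP
}

# Constructed /check response for 198.51.100.23 (not real data).
CHECK_RESULT = json.loads("""
{"data": {
  "ipAddress": "198.51.100.23",
  "abuseConfidenceScore": 87,
  "totalReports": 4,
  "reports": [
    {"reportedAt": "2022-02-20T03:10:00+00:00", "categories": [18, 21],
     "comment": "POST /wp-login.php brute force, 400 attempts"},
    {"reportedAt": "2022-02-27T22:41:09+00:00", "categories": [21],
     "comment": "GET /.env and /phpmyadmin/ probing"},
    {"reportedAt": "2022-03-09T04:12:51+00:00", "categories": [14],
     "comment": "TCP SYN scan ports 22,80,443,3306,8080"},
    {"reportedAt": "2022-03-10T17:55:30+00:00", "categories": [20, 21],
     "comment": "xmlrpc.php pingback flood"}
  ]
}}
""")


def neighbours(hostname: str, dns: dict[str, str]) -> list[str]:
    """Other hostnames that resolve to the same address as `hostname`."""
    ip = dns[hostname]
    return sorted(h for h, a in dns.items() if a == ip and h != hostname)


def triage(hostname: str, deployed_at: str, check: dict,
           dns: dict[str, str]) -> dict:
    """Split an IP's abuse reports into 'cannot be us' and 'could be us'.

    `deployed_at` is an ISO 8601 timestamp with UTC offset for when our site
    was first placed on this IP. A report older than that cannot have been
    caused by our site. Everything later stays ambiguous: the database
    records the source IP, not the tenant behind it, so it cannot separate
    our site from its neighbours on its own.
    """
    since = datetime.fromisoformat(deployed_at)
    if since.tzinfo is None:
        raise ValueError("deployed_at must carry a UTC offset, e.g. +00:00")
    data = check["data"]
    before = ambiguous = 0
    for r in data["reports"]:
        if datetime.fromisoformat(r["reportedAt"]) < since:
            before += 1
        else:
            ambiguous += 1
    by_category = Counter(CATEGORIES.get(c, f"category {c}")
                          for r in data["reports"] for c in r["categories"])
    return {
        "ip": data["ipAddress"],
        "score": data["abuseConfidenceScore"],
        "total_reports": data["totalReports"],
        "neighbours": neighbours(hostname, dns),
        "reports_predating_deploy": before,
        "reports_ambiguous": ambiguous,
        "by_category": dict(by_category),   # what the IP was seen doing
    }


if __name__ == "__main__":
    result = triage("www.example.org", "2022-03-01T00:00:00+00:00",
                    CHECK_RESULT, DNS)
    print(json.dumps(result, indent=2))
```

Two of the four constructed reports predate the 1 March deployment, so at least those are neighbours' traffic; the remaining two are undecidable from the reputation data alone, which is why the thread's advice (have the host deal with the abusive tenants, or move to a host or a dedicated IP) is the only way to change what Malwarebytes sees.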
