Author Topic: Blacklisted IP's  (Read 8638 times)


ak1

  • Guest
Blacklisted IP's
« on: August 16, 2012, 12:25:51 PM »
About two weeks ago, I wrote a message to http://www.avast.com/contact-form.php?loadStyles asking to check my blacklisted IPs.
I still have not got an answer...
Maybe if I write here things can get moving.
I am a new owner of a server and the 1st thing I did was check my IPs on the leading AV. They are all clean except for these:
avast is blocking any referrals to or from these IPs.
Could you check them and if everything is clean remove them from the blacklist?
Thank you.

Theo Peterbroers

  • Guest
Re: Blacklisted IP's
« Reply #1 on: August 16, 2012, 02:31:19 PM »
See attached Anubis analysis.

Summary:
    - Changes security settings of Internet Explorer:
        This system alteration could seriously affect safety surfing the World
        Wide Web.

    - Performs File Modification and Destruction:
        The executable modifies and destructs files which are not temporary.

    - Performs Registry Activities:
        The executable creates and/or modifies registry entries.

Any antivirus worth its salt should block this site.

ak1

  • Guest
Re: Blacklisted IP's
« Reply #2 on: August 16, 2012, 03:01:33 PM »
Could you explain more simply what is wrong and what I should do?
I entered in the browser hxtp://217.23.8.184 and get a white sheet.
« Last Edit: August 16, 2012, 04:49:11 PM by Milos »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89691
  • No support PMs thanks
Re: Blacklisted IP's
« Reply #3 on: August 16, 2012, 03:41:24 PM »
Avast isn't alone in blocking that IP, http://sitecheck.sucuri.net/results/217.23.8.184/ the same for .186, .186, also 104, so I'm guessing it is going to be similar for the others. The Sucuri scan also reports this, "Unable to properly scan your site. Unable to connect." So that kind of falls in line with your white sheet, no content.

The ones mentioned above on a whois resolve to a customer.worldstream.nl so I don't know what domains are assigned to these.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Theo Peterbroers

  • Guest
Re: Blacklisted IP's
« Reply #4 on: August 16, 2012, 04:37:49 PM »
Hi ak1, sorry I don't know what is wrong with 217.23.8.184.

When I tried to open this page, avast netshield blocked me. Unfortunately, netshield does not reveal details about the threat it detected (or maybe I simply cannot find them). Your blank page may be a silent way of blocking access, or simply stating "no content".

When a website is blocked, standard procedure is to upload its address to a number of url checkers like https://anubis.iseclab.org/, http://sucuri.net/, http://zulu.zscaler.com/, http://wepawet.iseclab.org/.

The anubis report I attached to my previous post sounded quite convincing. Sucuri says "Domain blacklisted by SiteAdvisor (McAfee): 217.23.8.184". I am unable to open SiteAdvisor to obtain further details. Wepawet finds no Javascript/PDF threat and could not download a flash SWF url. Probably 217.23.8.184 hosts no flash files.

Google on 217.23.8.184.
One of the results:
"chiceramichairstylingiron.com
 www.sitetrail.com/chiceramichairstylingiron.com - Vertaal deze pagina
 The primary web hosting server where chiceramichairstylingiron.com is hosted resolves to the IP address 217.23.8.184 and is located at , , Netherlands.

What does not show here is that sitetrail.com has a really bad WOT (Web of Trust) reputation.

Sitetrail.com apparently moved their site one day ago, thank you robtex (http://www.robtex.com/dns/sitetrail.com.html#records), see attached png file. Most likely, you inherited their bad reputation.

Regards,
(Gosh, I could probably have done all of this in Dutch). :D

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34066
  • malware fighter
Re: Blacklisted IP's
« Reply #5 on: August 16, 2012, 04:51:21 PM »
These are the results for the AS: AS Name: WORLDSTREAM WorldStream SiteVet report...
IPs allocated: 13056
Blacklisted URLs: 554

Hosts...
...malicious URLs? No 
...badware? Yes 
...botnet C&C servers? No 
...exploit servers? No 
...Zeus botnet servers? No 
...Current Events? Yes 
...phishing servers? No 

WARNING: The IP PTR associated with this record, does not resolve back to it's original IP address. This is very bad practice.

Original: 217.23.8.184
PTR: customer.worldstream.nl.
PTR IP: 127.0.0.1 Error while fetching URL.

I see this on there: 217.23.8.14   WorldStream   Maasdijk, Zuid-Holland, Netherlands
buygenericonline.org, airmaxkeys.org, easy-warez.org ...   Server
 Trojan.Win32.VBKrypt.bjiv was spread from that IP for 15.8 hrs -> wXw.nofotur.in

217.23.8.121 WorldStream   Maasdijk, Zuid-Holland, Netherlands
xzen.org, gg-webhosting.net, myunicornssecret.com   Server
See for what is on there: http://www.plotip.com/ip/217.23.8

Sites like warez, gamehacking dot net, talkingcrapaboutcannabis.com, extreme-warez.org, war3z.net do not especially add to a high Web Rep score.
Together with a variety of malware of all sorts like: Packed.Win32.Krap.gx, WORM_KUBFACE.SMF, Trojan.Win32.VBKrypt.bjiv, TR/ATRAPS.Gen, TR/Crypt.ZPACK.Gen
and other html-unknown "Unfug", this will certainly not help either.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
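
The PTR warning in the report quoted in the reply above describes a failed forward-confirmed reverse DNS check. The following is an added example, not part of the thread or of any tool named in it, showing that check in Python. The lookup functions are injectable, and the sample tables are constructed: they reuse the address, PTR name and 127.0.0.1 result shown above, plus documentation-range values (192.0.2.x, example.net) for the passing and no-PTR cases.

```python
import ipaddress
import socket

def system_ptr(ip):
    """Reverse lookup via the system resolver; returns a list of PTR names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_forward(name):
    """Forward lookup (A and AAAA) via the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return sorted({info[4][0].split("%")[0] for info in infos})

def check_fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Classify an IP as 'ok', 'no-ptr' or 'mismatch' (PTR does not resolve back)."""
    target = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return {"ip": ip, "status": "no-ptr", "ptr": [], "forward": {}}
    forward = {n: forward_lookup(n) for n in names}
    confirmed = any(
        ipaddress.ip_address(a) == target for addrs in forward.values() for a in addrs
    )
    return {"ip": ip, "status": "ok" if confirmed else "mismatch",
            "ptr": names, "forward": forward}

# Constructed sample data modelled on the report quoted above: the PTR exists,
# but the PTR name resolves to 127.0.0.1 instead of the original address.
# 192.0.2.10 / mail.example.net are documentation values for a healthy record.
SAMPLE_PTR = {"217.23.8.184": ["customer.worldstream.nl."],
              "192.0.2.10": ["mail.example.net."]}
SAMPLE_A = {"customer.worldstream.nl": ["127.0.0.1"],
            "mail.example.net": ["192.0.2.10"]}

def check_sample(ip):
    """Run the check against the constructed tables (no network access)."""
    return check_fcrdns(ip, lambda i: SAMPLE_PTR.get(i, []),
                        lambda n: SAMPLE_A.get(n, []))

if __name__ == "__main__":
    for addr in ("217.23.8.184", "192.0.2.10", "192.0.2.99"):
        print(check_sample(addr))
```

Calling `check_fcrdns(ip)` without the lookup arguments uses the system resolver instead of the constructed tables.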

ak1

  • Guest
Re: Blacklisted IP's
« Reply #6 on: August 16, 2012, 05:28:44 PM »
Yes, hosting in the Netherlands; I did not make a mystery of this, any whois request for these IPs will show it. (But I'm not a Dutchman, sorry Kwartet! :) )
Guys, my drives are now completely clean, yet I started my projects.
All I need is to learn how to clean up the reputation of the ip.
Dunno what chiceramichairstylingiron.com (http://just-ping.com/index.php?vh=chiceramichairstylingiron.com&c=&s=ping!&vtt=1345129963&vhost=_&c=) is.
buygenericonline.org, airmaxkeys.org, easy-warez.org - 217.23.8.14 - not mine
xzen.org, gg-webhosting.net, myunicornssecret.com - do not resolve (and not mine either).

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34066
  • malware fighter
Re: Blacklisted IP's
« Reply #7 on: August 16, 2012, 06:01:28 PM »
Hi ak1,

You can report the issue here:  http://www.avast.com/en-no/contact-form.php?noStyles
If it is an IP block, and I get avast Network Shield alerts only for a GET request, not for the header, then it is up to them to de-block or partially de-block that range or part of that range. Then it is up to them to decide. OK, and I understood that at that IP you will have a dedicated server running...

polonus
« Last Edit: August 16, 2012, 06:05:57 PM by polonus »

ak1

  • Guest
Re: Blacklisted IP's
« Reply #8 on: August 20, 2012, 11:24:31 AM »
Do they have to send an e-mail after my request?
Silence is boring..

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89691
  • No support PMs thanks
Re: Blacklisted IP's
« Reply #9 on: August 20, 2012, 02:22:58 PM »
I don't believe so, unless they require more information.

When reporting this, did you give a link to this topic? We have seen many responses in the forums on stuff like this. Usually it is notification that an update will unblock the domain or IP, but on some occasions confirmation that the detection is correct.