Author Topic: Unreliable IP reputation resources?  (Read 796 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Unreliable IP reputation resources?
« on: July 03, 2024, 11:13:46 AM »
Given the all-green here: https://cloudfilt.com/ip-reputation/lookup?ip=118.27.17.248

But what do you think when you see that IP is being reported here?
https://www.shodan.io/host/118.27.17.248 (with vulnerabilities),
and also being reported here: https://www.abuseipdb.com/check/118.27.17.248

However, it fails to appear here: https://www.projecthoneypot.org/ip_118.27.17.248

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Re: Unreliable IP reputation resources?
« Reply #1 on: July 22, 2024, 06:05:41 PM »
Additional info from a shodan.io IP check, analyzed later by A.I., delivers this info:

IP Address Information

The IP address 118.27.17.248 is associated with multiple services and protocols, including:
SSH (OpenSSH 8.2p1)
NTP (version 3)
HTTP/1.1 (nginx 1.18.0)
HTTPS (SSL/TLS with a GlobalSign Atlas R3 AlphaSSL CA 2023 Q4 certificate)

The IP address is also reported to have been involved in vulnerabilities:
CVE-2021-23017 (nginx resolver security issue)
CVE-2021-3618 (ALPACA application layer protocol content confusion attack)
CVE-2023-44487 (HTTP/2 protocol allows a denial-of-service attack)

SSL/TLS Certificate

The SSL/TLS certificate is issued by GlobalSign Atlas R3 AlphaSSL CA 2023 Q4.
The certificate is valid from January 5, 2024, to February 5, 2025.
The subject of the certificate is www.goal24g.com, and the alternative name includes goal24g.com.
The certificate uses RSA encryption with a key size of 2048 bits.
The certificate chain includes three signed certificate timestamps.

Potential Concerns

The presence of vulnerabilities CVE-2021-23017, CVE-2021-3618, and CVE-2023-44487
may indicate potential security risks associated with this IP address.

The use of an outdated version of OpenSSH (8.2p1) may also be a concern.
The SSL/TLS certificate's expiration date is relatively soon, which may require reissuance or renewal.
In summary, while this IP address appears to be associated with various services and protocols,
the presence of vulnerabilities and an outdated version of OpenSSH may indicate potential security concerns.

Additionally, the SSL/TLS certificate's expiration date is approaching, which may require attention to ensure continued security.

Also see: https://www.speedguide.net/ip/118.27.17.248#_
In summary, while Webmin is a powerful tool for managing Unix-based systems,
serving it over HTTP instead of HTTPS may introduce security risks.
Additionally, the relaxed content security policy may increase the risk of XSS attacks.

Enough for it to be qualified as a medium- to high-risk site.


polonus
« Last Edit: July 22, 2024, 09:59:05 PM by polonus »

Re: Unreliable IP reputation resources?
« Reply #2 on: July 23, 2024, 12:59:52 PM »
Another one ignored by many resources but established as malicious:

https://www.projecthoneypot.org/ip_23.108.51.89
https://www.abuseipdb.com/check/23.108.51.89  (not yet reported?)
https://viz.greynoise.io/ip/23.108.51.89 (not flagged; further investigation is recommended.)
Overwhelming evidence: https://www.shodan.io/host/23.108.51.89
Only 1 reported this as malicious here: https://www.virustotal.com/gui/ip-address/23.108.51.89

The lack of consistent flagging across various resources can lead to a phenomenon known as "whitelisting"
or "ignorance on a large scale".

This can indeed make the internet a hazardous place, especially for individuals who rely on a single source for security information.

VirusTotal's IP address lookup service is an excellent example of a reliable resource
that provides a comprehensive view of IP reputation.
It's reassuring to see that they have flagged this IP address as malicious,
indicating a high likelihood of it being used for malicious activities.
But only one flag could lead to the interpretation of it being an FP.

The evidence presented earlier, including the IP's association with dictionary attacks,
vulnerabilities and spam emails, further reinforces the notion that this IP address is malicious.

It's crucial for individuals and organisations to have access to reliable and comprehensive resources
like VirusTotal to help protect themselves from online threats.

polonus
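As an added example for the two posts above (not part of polonus's posts, and not code from any of the services he lists), here is one way to combine several reputation sources so that a source which has simply never seen an IP does not count as a clean verdict, and a lone engine hit inside an aggregator is marked low-confidence rather than either ignored or treated as a conviction. The per-source verdicts are constructed by hand to mirror the two IPs in the thread; the status names, the VirusTotal engine count, the decision thresholds and the function names are assumptions made for illustration.

```python
"""Consensus over multiple IP reputation sources (added example, not forum code).

Each source answers one of:
  "flagged" - the source reports the IP (abuse reports, honeypot hits, exposed
              vulnerable services, AV engine detections, ...)
  "clean"   - the source was queried and has nothing on the IP
  "unknown" - the source has never seen the IP; this is NOT the same as clean
The sample data and every threshold below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_STATUS = {"flagged", "clean", "unknown"}


@dataclass(frozen=True)
class SourceResult:
    status: str
    hits: Optional[int] = None     # aggregators only: engines that flagged the IP
    engines: Optional[int] = None  # aggregators only: engines that looked at it


@dataclass
class Consensus:
    verdict: str
    flagged_by: List[str] = field(default_factory=list)
    cleared_by: List[str] = field(default_factory=list)
    silent: List[str] = field(default_factory=list)  # sources with no data at all
    coverage: float = 0.0                             # share of sources that had data


def weigh_ip(results: Dict[str, SourceResult], min_flags: int = 2) -> Consensus:
    """Combine per-source results without letting silence count as a clean bill.

    Rules (assumed thresholds):
      no source has data                      -> "insufficient data"
      >= min_flags sources flag the IP        -> "malicious"
      one flag, and it is a single engine
        inside an aggregator (1 of many)      -> "suspicious (single-engine hit, possible FP)"
      one flag from any other kind of source  -> "suspicious"
      every source with data says clean       -> "clean" (coverage shows how much that is worth)
    """
    c = Consensus(verdict="")
    for name, r in results.items():
        if r.status not in VALID_STATUS:
            raise ValueError(f"{name}: unexpected status {r.status!r}")
        if r.status == "flagged":
            c.flagged_by.append(name)
        elif r.status == "clean":
            c.cleared_by.append(name)
        else:
            c.silent.append(name)

    with_data = len(c.flagged_by) + len(c.cleared_by)
    c.coverage = with_data / len(results) if results else 0.0

    if with_data == 0:
        c.verdict = "insufficient data"
    elif len(c.flagged_by) >= min_flags:
        c.verdict = "malicious"
    elif len(c.flagged_by) == 1:
        only = results[c.flagged_by[0]]
        lone_engine = only.hits == 1 and (only.engines or 0) > 1
        c.verdict = ("suspicious (single-engine hit, possible FP)"
                     if lone_engine else "suspicious")
    else:
        c.verdict = "clean"
    return c


# Constructed sample inputs modelled on the thread's two IPs (not fetched live).
# The VirusTotal engine count of 90 is an assumption.
SAMPLES = {
    "118.27.17.248": {
        "cloudfilt": SourceResult("clean"),
        "shodan": SourceResult("flagged"),       # exposed services with known CVEs
        "abuseipdb": SourceResult("flagged"),
        "projecthoneypot": SourceResult("unknown"),
    },
    "23.108.51.89": {
        "projecthoneypot": SourceResult("flagged"),
        "abuseipdb": SourceResult("unknown"),
        "greynoise": SourceResult("unknown"),
        "shodan": SourceResult("flagged"),
        "virustotal": SourceResult("flagged", hits=1, engines=90),
    },
}

if __name__ == "__main__":
    for ip, results in SAMPLES.items():
        c = weigh_ip(results)
        print(f"{ip}: {c.verdict}; flagged by {c.flagged_by}; "
              f"silent: {c.silent}; coverage {c.coverage:.0%}")
```

The `silent` list is the part an analyst actually wants to see: it names the sources whose "all green" was really "never looked", which is the whitelisting-by-ignorance problem the second post describes, and `coverage` keeps a "clean" verdict honest when most sources had nothing to say.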