Update: Apparently this is super old, but no one noticed. I guess not that many people use that service because it’s been around since Feb. Which also means some of these may have been pointing to us at that time - so maybe Dean isn’t as inept as I initially thought he was - except for the whole thinking we are spreading destruction without warning people ahead of time. Uhm, ya.
So let’s dissect what I think happened here. At some point someone looked at one of the examples and said, “Wow this site is bad.” because they are clueless and didn’t bother to even look at the rest of the site. A gentleman by the name of “mr.anderson” then put up a stunning review of the site:
Wow… amazingly thorough review! I wish they would at least put which page they thought was owning them, that would have been amusing to make fun of him at least. But alas, no such luck. Then the big gun arrived. His name is dean and he has been marked as a “experienced reviewer”. Thank god, I’m saved, right? Someone who knows what they’re doing at least?
What mr.anderson said… According to Exploit Prevention Labs’ LinkScanner, this site contains malicious code. The IP address of this domain is 18.104.22.168 and it is shared by seven other domains. These sites are listed below:
And then just to make sure he’s gotten his point across dean writes:
I forgot to add in my previous review that the other sites listed also contain exploits.
Wow. Just. Wow. Let’s actually take a look at this great find here that dean, our experienced reviewer came up with. Let’s look at advicegalaxy.com:
Uhm… doesn’t appear to be on 22.214.171.124 to me and it looks like some domain squatter. But maybe that’s just an anomaly. Let’s look at another one:
At least this one is on the right subnet, but still, wrong IP. And it appears to be a movie review site. Alas, not the malware spewing site I had hoped to find.
Again! Close! But alas, wrong IP and even still, it’s a site that is supposed to be funny (we do try, but alas, sometimes we just fail miserably). Hardly the browser exploit factory.
Yes, id sure does have a good sense of humor, doesn’t he? Same deal as fthe.net.
There we go! Finally a match with the IP address that dean listed. Let’s go check it out. Wait, nothing there? How is it going to spread malware when it’s not even alive? Strange….
Okay, now we’re getting somewhere. It’s at least talking about browsers. But wait, it’s only got a few posts and alas one of them is about helping browser companies detect blackhat SEO tactics. Weird. There has GOT to be malware here! Dean said so! And that man is experienced!
Whoah, not even close to the right IP range, and also looks like domain squatting. Alas, nothing to do with us. So now let’s look at ha.ckers.org since that appears to be the offending site.
But wait! Dean clearly said ha.ckers.org was living on .65, not on .99! Maybe they have the wrong site? Now I’m just confused! Just because you use handy dandy outdated IP to hostname lookup and correlation tools doesn’t make you experienced. In fact, it makes you lazy and wrong it turns out. However, let’s get back to the matter at hand. Apparently Exploit Prevention Labs’ LinkScanner thinks I’m a bad bad man. So I go ahead and run it against every URL on ha.ckers.org I think could possibly be scaring it. Alas, nothing. Everything I can think to test comes up as thumbs up, as nice as rainbows and lollipops.
Okay, enough sarcasm. Herein lies some serious problems. How one site can maintain the reputation of other sites in such a way obviously leads to all sorts of false positives and false negatives. Even if you think this site is bad, without contacting me, or explaining what exactly is wrong with the site, how can I even fix the problem to get it up to snuff?
Now we are relying on the reputation of someone named, “dean” and “mr.anderson” to make judgment calls, when it’s clear the more experienced of the two doesn’t have a clue about the site he is reviewing or the other sites (all of the sites listed have now been reviewed as bad by dean including s-alchemy which is not even online and hasn’t been since our server crash months ago). Great job guys. I hope someone at McAfee is reading this and fixes it. Also, if anyone has a copy of Exploit Prevention Labs’ LinkScanner Pro, I’d appreciate a heads up as to what it found on ha.ckers.org that it thinks is bad.
Until we get to the bottom of this, maybe you should take McAfee’s word for it and steer clear of this site and the .65 IP address - they wouldn’t mark this site bad if it weren’t. If I can’t figure out how we’re exploiting you, you should be afraid - very afraid!