Update: Apparently this is super old, but no one noticed. I guess not that many people use that service because it’s been around since Feb. Which also means some of these may have been pointing to us at that time - so maybe Dean isn’t as inept as I initially thought he was - except for the whole thinking we are spreading destruction without warning people ahead of time. Uhm, ya.

Here we go again. People who have been reading this blog for a while will remember that we have been told we were hacking websites by hosting JavaScript and we have been marked as a phishing site as well. Well, as Michael pointed out, McAfee has marked ha.ckers.org as a site that attempts to exploit you. Way to go guys, very nice indeed.

So let’s dissect what I think happened here. At some point someone looked at one of the examples and said, “Wow this site is bad.” because they are clueless and didn’t bother to even look at the rest of the site. A gentleman by the name of “mr.anderson” then put up a stunning review of the site:

Exploit server

Wow… amazingly thorough review! I wish they would at least put which page they thought was owning them, that would have been amusing to make fun of him at least. But alas, no such luck. Then the big gun arrived. His name is dean and he has been marked as a “experienced reviewer”. Thank god, I’m saved, right? Someone who knows what they’re doing at least?

What mr.anderson said… According to Exploit Prevention Labs’ LinkScanner, this site contains malicious code. The IP address of this domain is 69.12.144.65 and it is shared by seven other domains. These sites are listed below:

advicegalaxy.com
barbarycoastfilms.com
fthe.net
mydickisbiggerthanyours.com
s-alchemy.com
secureseo.com
seodymanics.com

And then just to make sure he’s gotten his point across dean writes:

I forgot to add in my previous review that the other sites listed also contain exploits.

Wow. Just. Wow. Let’s actually take a look at this great find here that dean, our experienced reviewer came up with. Let’s look at advicegalaxy.com:

Name: advicegalaxy.com
Address: 8.15.231.1

Uhm… doesn’t appear to be on 69.12.144.65 to me and it looks like some domain squatter. But maybe that’s just an anomaly. Let’s look at another one:

Name: barbarycoastfilms.com
Address: 69.12.144.101

At least this one is on the right subnet, but still, wrong IP. And it appears to be a movie review site. Alas, not the malware spewing site I had hoped to find.

Name: fthe.net
Address: 69.12.144.99

Again! Close! But alas, wrong IP and even still, it’s a site that is supposed to be funny (we do try, but alas, sometimes we just fail miserably). Hardly the browser exploit factory.

Name: mydickisbiggerthanyours.com
Address: 69.12.144.101

Yes, id sure does have a good sense of humor, doesn’t he? Same deal as fthe.net.

Name: s-alchemy.com
Address: 69.12.144.65

There we go! Finally a match with the IP address that dean listed. Let’s go check it out. Wait, nothing there? How is it going to spread malware when it’s not even alive? Strange….

Name: secureseo.com
Address: 69.12.144.99

Okay, now we’re getting somewhere. It’s at least talking about browsers. But wait, it’s only got a few posts and alas one of them is about helping browser companies detect blackhat SEO tactics. Weird. There has GOT to be malware here! Dean said so! And that man is experienced!

Name: seodymanics.com
Address: 69.25.212.153

Whoah, not even close to the right IP range, and also looks like domain squatting. Alas, nothing to do with us. So now let’s look at ha.ckers.org since that appears to be the offending site.

Name: ckers.org
Address: 69.12.144.99

But wait! Dean clearly said ha.ckers.org was living on .65, not on .99! Maybe they have the wrong site? Now I’m just confused! Just because you use handy dandy outdated IP to hostname lookup and correlation tools doesn’t make you experienced. In fact, it makes you lazy and wrong it turns out. However, let’s get back to the matter at hand. Apparently Exploit Prevention Labs’ LinkScanner thinks I’m a bad bad man. So I go ahead and run it against every URL on ha.ckers.org I think could possibly be scaring it. Alas, nothing. Everything I can think to test comes up as thumbs up, as nice as rainbows and lollipops.

Okay, enough sarcasm. Herein lies some serious problems. How one site can maintain the reputation of other sites in such a way obviously leads to all sorts of false positives and false negatives. Even if you think this site is bad, without contacting me, or explaining what exactly is wrong with the site, how can I even fix the problem to get it up to snuff?

Now we are relying on the reputation of someone named, “dean” and “mr.anderson” to make judgment calls, when it’s clear the more experienced of the two doesn’t have a clue about the site he is reviewing or the other sites (all of the sites listed have now been reviewed as bad by dean including s-alchemy which is not even online and hasn’t been since our server crash months ago). Great job guys. I hope someone at McAfee is reading this and fixes it. Also, if anyone has a copy of Exploit Prevention Labs’ LinkScanner Pro, I’d appreciate a heads up as to what it found on ha.ckers.org that it thinks is bad.

Until we get to the bottom of this, maybe you should take McAfee’s word for it and steer clear of this site and the .65 IP address - they wouldn’t mark this site bad if it weren’t. If I can’t figure out how we’re exploiting you, you should be afraid - very afraid!

This entry was posted on Thursday, August 30th, 2007 at 8:15 am and is filed under Webappsec, Random Security. Responses are currently closed, but you can trackback from your own site.