
Site flagged as malware, botnet


Solved by harlan4096

Recommended Posts

Matthew1000
Posted

Hi

Our website, https://regery[.]com, is flagged as botnet/malware and our customers complain about this.

We would like to assure you that the website is secure, has been online since 2017 and has never had any issues. It is proxied by Cloudflare, and we see that the Cloudflare IP address is also in the list of dangerous addresses, but that IP address serves hundreds of different domains.

We submitted a reanalysis request through https://opentip.kaspersky.com/ a few days ago but did not receive any feedback.

Please help us to resolve the issue.

https://opentip.kaspersky.com/regery.com/

https://opentip.kaspersky.com/172.67.213.23 - 172.67.213.23 belongs to 172.64.0.0/13 subnet that is owned by CloudFlare (https://www.cloudflare.com/ips/)

Thank you


harlan4096
Posted

Welcome to Kaspersky community.

 

I just sent your url to K. analysts, waiting for final verdict.

  • Like 1
  • Solution
harlan4096
Posted
Quote

 

Hello,

URL was removed from blocklist. It will be fixed in the next update. Thank you for your help.

Best regards, Malware Analyst

 

 

  • Like 2
Matthew1000
Posted

Please let us know when we should recheck to ensure that the domain was unlisted.

Thank you

  • Like 1
harlan4096
Posted

I don't know when it will be; just keep your K. product updated via signatures and also KSN.

 

For example, in VirusTotal the detection has already been removed, but my KES is still detecting it, so it may take a bit, but not much: a few hours, at most.

  • Like 2
Matthew1000
Posted

Hello,

We have observed that our website URL (https://www.virustotal.com/gui/url/8d73ddf573aa5ec9a0f932b0207d293a91e3b6afe4ea5947cd3a5eae6df4b019?nocache=1) has been flagged on Virustotal, despite not using PHP and returning a 404 error for this specific request. We are puzzled by this blacklisting and seek clarification.

Our website strictly does not utilize PHP, and the reported URL returns a 404 error, indicating the absence of any content at that location. We are concerned about the accuracy of this detection and kindly request a thorough investigation into why our site has been blacklisted.

Thank you for your assistance.
 

  • Like 1
harlan4096
Posted

The main URL is not flagged anymore, but I confirm that URL is still being detected; I just reported it to K. analysts as well...

  • Like 1
harlan4096
Posted

They replied to me with this:


 

Quote

 

Hello,

This detection is correct.
Thank you for your inquiry to Kaspersky.

Best regards, Malware Analyst

 

 

Matthew1000
Posted

Please let us know how this is possible. We have been operating since 2017, not using PHP, not open for file upload, hidden under Cloudflare protection, using read-only filesystems in our containerized environment, using SSL, but for some reason we are detected by your software? This is perplexing. We need more background on this.

  • Like 1
harlan4096
Posted

I requested more elaborate details...

Quote

Hello,

The site was infected. There was a malicious file at this endpoint.


Best regards, Malware Analyst

Matthew1000
Posted

We do not have any entry points to upload files. We prebuild and verify our Docker images, and the filesystem within the containers is read-only. We request an audit from your side or an escalation.

Also, we have several other domains pointing to exactly the same environment (like regery[.]ua). Infrastructure and endpoints are 100% identical except for the Cloudflare IP addresses. But there are no such problems on the other domains.

  • Like 1
harlan4096
Posted
Quote

Hello,

We only detect the final url: regery[.]com/pipeprocessauthBigloadprotectlocal[.]php
We don't detect the entire domain. This detection should not create problems for users.


Best regards, Malware Analyst

Matthew1000
Posted

Hello,

We are seeking a thorough understanding of how the detection process flagged our websites regardless of the URL. This detection not only poses a risk to our reputation but also raises concerns about the security of our website. It is important to us to be protected and secure. If some spoofing or blackmailing is happening, we should be aware of it.

Our goal is to be secure and be completely removed from your databases.

If you need further information or need to evaluate our company or website, please use this thread for the communication or contact us to our specified email.

 

  • Like 1
Matthew1000
Posted

Hello Harlan4096,

After conducting our own investigation, we discovered that our website was being referenced by malicious software, resulting in our domain resolving to IP address 185.118.143.220 (Turkey). This IP address communicated HTTP 200 OK via port 80 with date 2019.

We have never been associated with IP address 185.118.143.220, and it is not included in any of Cloudflare's IP ranges. Additionally, this IP address is not owned by the datacenter where we host our facilities. Port 80 is closed for communication on our end and redirects to 443; it never returns 200 OK. This situation strongly resembles DNS spoofing. We now have DNSSEC enabled.

We kindly request your assistance in addressing this issue. Please advise us on the necessary steps to remove our domain from these lists or any guidance that we must take to address the issue as soon as possible. Also any direct contacts that may help will be much appreciated.

Your guidance and support in resolving this matter are greatly appreciated.

Thank you for your prompt attention to this urgent matter.
 

  • Like 1
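The two checks the poster describes in this thread, whether a resolved address sits inside the provider's published range (the 172.64.0.0/13 comparison earlier in the thread) and whether port 80 answers with a redirect to HTTPS rather than a 200 OK, can be scripted so a site owner can repeat them against their own DNS answers and captured responses. The script below is an added example and is not code from the thread, from Kaspersky or from the site's operators. It assumes the expected-range list is abbreviated to the single Cloudflare prefix cited in the thread (a real check would load the provider's full published list), and the HTTP response heads are constructed samples, not captures from the site.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Expected provider ranges. Only the prefix cited in the thread is listed;
# loading the provider's full published list is left as an assumption.
EXPECTED_RANGES = [ipaddress.ip_network("172.64.0.0/13")]


def ip_in_ranges(ip: str, ranges: Iterable) -> bool:
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_unexpected_ips(resolved_ips: Iterable[str], ranges=EXPECTED_RANGES) -> List[str]:
    """Return the resolved addresses that are outside every expected range.

    A non-empty result is the signal the thread describes: the name resolves
    somewhere the operator never provisioned (stale cache, spoofed answer,
    or a third-party resolver returning a different record).
    """
    return [ip for ip in resolved_ips if not ip_in_ranges(ip, ranges)]


def port80_status(response_head: str) -> Dict[str, Optional[object]]:
    """Parse the status line and Location header of an HTTP response
    captured on port 80 and report whether it redirected to HTTPS."""
    lines = response_head.split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    location: Optional[str] = None
    for line in lines[1:]:
        if line.lower().startswith("location:"):
            location = line.split(":", 1)[1].strip()
    redirects = 300 <= status_code < 400 and location is not None \
        and location.lower().startswith("https://")
    return {"status": status_code, "location": location, "redirects_to_https": redirects}


# Constructed sample responses (not captured from the site in the thread).
SAMPLE_OWN_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.invalid/\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_SUSPECT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 01 Jan 2019 00:00:00 GMT\r\n"
    "Content-Type: text/html\r\n\r\n"
)


def assess(domain: str, resolved_ips: Iterable[str], port80_head: str) -> List[str]:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    unexpected = find_unexpected_ips(resolved_ips)
    if unexpected:
        findings.append(f"{domain} resolves to addresses outside expected ranges: {unexpected}")
    p80 = port80_status(port80_head)
    if p80["status"] == 200:
        findings.append("port 80 served 200 OK instead of redirecting to HTTPS")
    elif not p80["redirects_to_https"]:
        findings.append(f"port 80 returned {p80['status']} without an HTTPS redirect")
    return findings


if __name__ == "__main__":
    # Both addresses below appear in the thread; the pairing is a constructed scenario.
    for finding in assess("regery.com", ["172.67.213.23", "185.118.143.220"], SAMPLE_SUSPECT_RESPONSE):
        print("FINDING:", finding)
```

Run it against the A records returned by several independent resolvers (the authoritative server, the provider's own resolver, and a public resolver); a mismatch between them is the condition that DNSSEC, as enabled later in the thread, is meant to make detectable at the validating resolver.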
harlan4096
Posted

🤔 Then I would recommend contacting official Support, since I'm just a Mod in this community and I don't actually work for Kaspersky (only a volunteer for the love of the firm 🙂), and I don't have the tools to go ahead in this case and escalate the issue.

 

K. Support

 

You can create a ticket request, filling out the form, for example, like this:

 


 

And then go to: Did not find your answer? Contact customer service, and then fill out:

 


 

Explain there the issue, also giving the link of this thread. The reference of the reporting of the site I did previously is : [VD3] [URL:3] [LN:EN] [KL-2367540]

 

I hope this way can fix the issue.

Matthew1000
Posted (edited)

Hello Harlan4096,

Thank you for the help.

Since you have direct contacts with K. support/analysts, please let them know that we contacted them via their contact form. We have more evidence that we never served 200 OK from our IP addresses to the provided link.

I'm attaching the screen from CF for the future reference.

We understand that you are just a Mod, but you have experience and we believe that secure and open internet is a collective creativity. Hope for your indirect assistance.

 


 

Edited by Matthew1000
  • Like 1
harlan4096
Posted

Well, I have the same contact with K. analysts that any K. user can get, since I sent my reports from this service:

 

KOTIP

 

I logged in with My Kaspersky credentials, and sent the reports, any K. user can do that 🙂

 

 

Anyway, I will send them the link of Your last post.

  • Like 2
Matthew1000
Posted

Yeah, we also sent reports there, but for some reason your reports are processed faster 🤷‍♂️

  • Like 2
Matthew1000
Posted

Hello Harlan4096,

Would like to share a brief update on the issue.

After a couple of repeated checks Kaspersky Lab confirmed false positive.

Thank you for the help.

 

  • Like 2
harlan4096
Posted

Great, I'm glad!

  • Like 1
