Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 22 December 2009

FYI to pharmalert, and other "reviewers" on SiteAdvisor, WoT etc etc etc

hpHosts has been, and continues to be, an excellent project that I love being a part of, and although I'm glad that others find it useful, there's a certain segment that I would like to address. Given I don't know who these particular people are, I evidently can't contact them any other way, so I figured a blog post would be best.

Those I am referring to are those "reviewing" and commenting on sites over at the likes of SiteAdvisor, Web of Trust, Norton SafeWeb etc, with things such as:

Rating: Adware, spyware, or viruses

hpHosts Online has classified this as a malware distribution site. Keep clear.

Refer to http://hosts-file.net for more information


I really do appreciate that others respect the hpHosts project, and are referencing it, but I must please ask you to stop. Why? Because I'm human, and everyone makes mistakes. Not every site in hpHosts will deserve to be there (a lot were added prior to my taking over the project, and some of those are either F/Ps, or no longer fit the inclusion policy), and I remove those I am notified of, or come across during verification procedures. Case in point, nepalnews.com, which was removed from the database today: it is a legit website and thus was an F/P, yet a couple of people commented on its Web of Trust scorecard solely because of its listing in hpHosts. They didn't check the site themselves to see whether or not the site was indeed malicious.

I also don't mind you referencing hpHosts, or a site's listing in such, but I must ask you to refrain from doing so based solely on its being in hpHosts. Check the site yourself; there are a number of methods of doing such if you don't have a test machine to do it, for example:

Wepawet
http://wepawet.cs.ucsb.edu

vURL Online
http://vurl.mysteryfcm.co.uk

Malzilla
http://malzilla.sourceforge.net

Again, I would like to thank everyone for their continued support; it is very much appreciated. But checking the sites yourself will benefit everyone and, if done properly, will benefit yourself the most, as it will give you the tools necessary to analyze a website and identify malicious content, which are tools that everyone should have.

22 comments:

Prabowo, Arief said...

Agree, everyone can make mistakes. So all, please re-check sites that you suspect! Keep rocking, Steven!

AlphaCentauri said...

Thanks for that information. Your blog post was mentioned in a private forum for SiteAdvisor reviewers, so the message will get out.

For anyone wishing to contact volunteer SA reviewers directly, many of them are members at http://ksforum.inboxrevenge.com/ (not always under the same usernames). Starting a thread there is a good way to get in touch with people.

Mark said...

Message received and understood.
Keep up the good work, your site is impressive.

Pharmalert

carl said...

well, that is one good way to weed out the false positives right? :) Wait for them to roll in through SA (which is largely unresponsive anyhow)....

5starAffiliatePrograms said...

I STRONGLY Urge reviewers to read this post and take Steve's advice.

My site 5staraffiliateprograms.com was falsely reported as having an adserver by HpHosts. As soon as I found out I contacted Steven and he checked my site and removed it from the database immediately. (Thank you)

BUT THE DAMAGE WAS ALREADY DONE!

Because pharmalert and Alexis Kauffmann had already reviewed my site on Site Advisor and said I have malware and an adserver. I have neither and never have. I believe they just saw the report on Hphosts and never checked for themselves.

I have a reputable site, one of the top in my industry and do advertising for Google and Microsoft.

However now visitors tell me they are afraid of my site and think they will get malware. I'm afraid this is going to seriously impact my business.

All because of a mistake and the reviewers not checking my site out for themselves.

I'm trying to verify my site with McAfee so I can try to correct the problem, but my host is set up wrong so I can't verify and I'm not very technical. Still working on trying to solve this problem.

If anyone can help me with McAfee to get the red warning removed I would SINCERELY appreciate it.

Linda

lord said...

Linda, no point in blaming Siteadvisor reviewers.

McAfee analysis page indicates site is currently red because of McAfee TrustedSource.

Please get your facts straight, it is even stated right below the red rating of your site!

"McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution."

http://www.siteadvisor.com/sites/5staraffiliateprograms.com
http://www.trustedsource.org/query/5staraffiliateprograms.com

Have a nice day.

-lordpake

Adam said...

Sometimes errors can happen, pake is right, you can't just blame the reviewers....you should contact your hosting provider too. From reading Google Safebrowse diagnostics they say your site is clean too http://www.google.com/safebrowsing/diagnostic?site=5staraffiliateprograms.com BUT, the network that you are on, http://www.google.com/safebrowsing/diagnostic?site=AS:36024 has some issues with malware....so TrustedSource could have "flagged" you that way....being on the same network as other malicious content, they flagged you as malicious too.

And again, Project Honeypot yields clean, http://www.projecthoneypot.org/ip_65.99.206.122 but you have some "neighbors" that have some issues..

And well, being an "affiliate" company.....many people, when they see anything "affiliate" they think "tracking" - so it's possible that's how/why you originally landed in the hpHosts ;)

AlphaCentauri said...

Hi, Linda,

I wish we had that much influence in whether sites were rated red or not! SA basically ignores the reviews and comes up with their own rating. If it isn't malware or phishing, they usually rate it no worse than yellow, no matter how fraudulent or how much of a risk to public health.

It's entirely possible they were judging "reputation" from HPHosts, in which case someone needs to get the message to them, too.

The contact form for SA is a bit hard to find. It's here:
http://www.siteadvisor.com/userfeedback.html
It's the best way to get a human response. Since they may be rating a large number of sites based on data that HP Hosts considers unreliable, it would be appropriate to point them to this discussion.

Have you figured out how to post a webmaster comment? Go here:
http://user.siteadvisor.com/forums/websiteOwnerVerification.php
You have to be authorized to post files on the website. You enter your domain name on the websiteOwnerVerification page and they give you a file name. You open notepad and save a blank file with that name. Then you upload it to your website in the root folder (the top file you have access to, the one with the other files like "www" and "cgi-bin"). You go back to the SA page and click to tell them it's ready, they go to the site to confirm it is there, and then they know you are an authorized representative of that website. It's good to post website owner comments even if there is no problem -- it will always display first, no matter how many pages of other comments there are.

5starAffiliatePrograms said...

Thanks to everyone for all the comments and help with this.

I admit I am not that technical and did not understand the process that well at the time. Just was in shock and really worried about my site's reputation.

Adam, thanks SOOOO much for that extra detail. I would not have known to check all that and need to go do it right now.

One other thing to note, CatalysteMarketing was flagged as a red site I link to. I own that site too and it's on the same dedicated server. I never use that site anymore, it's an old site that's just sort of sitting out there not doing anything. But maybe it got hacked or injected with something malicious or something. Really need to spend the weekend just researching all this stuff. Need to check with my host to see if there is anything they can find too.

AlphaCentauri, thanks. I did eventually find that form and I have since submitted a ticket to SA and they say they are re-evaluating my site.

I am still trying to get my site verified so I can post as the owner. I have a script that changed something on my 404 page so SA can't verify and I have to figure out how to fix that. Then wasn't sure how to add the verification file to my site once I can add it, so thanks for explaining that part too.

Thanks again everyone for all the help!

Linda

5starAffiliatePrograms said...

Oh YEA!!! 5 Star is now GREEN!!!

Happy days!

WOW the guys at SA were really fast at correcting this. Have to think it's in part because Steven emailed them too. THANKS SO MUCH Steven.

CatalysteMarketing is still Red, so I guess I need to go through the same process with that site too.

Thanks again so much to Steven and all who posted here trying to help. Really appreciate you!

INVENT said...

There is a real problem.
hpHosts marks my own site (0x0a.net) as exploit, but there aren't any exploits here. I am a virus analyst, and I can prove it :)
But tons of people rely on hpHosts and mark my site in many different sources as dangerous. This is ambicious...

MysteryFCM said...

I've got 3 records of exploit code related to your domain;

20091229043725 79.174.65.40 2430.ovz35.hc.ru 0x0a.net http://0x0a.net/spl2.html

20091230162656 79.174.65.40 2430.ovz35.hc.ru 0x0a.net http://0x0a.net/pics/ChangeLog.pdf

20091230162734 79.174.65.40 2430.ovz35.hc.ru 0x0a.net http://0x0a.net/spl.html

INVENT said...

You can always check these pages. They haven't existed for 3! months already :)

It was a simple test on CWSandbox. Because I'm a virus analyst, I uploaded a malware sample to my site, checked it with CWSandbox, got the results and immediately removed it from the site. The site is considered dangerous because I tested something on a specialized sandbox? :)
And if I upload some obfuscation to my host, and check it with Wepawet for example? The host will be dangerous too? :)

I think that this situation is wrong, you must recheck all results that you have got from other vendors.

P.S. I wrote to Sunbelt two months ago, but it seems they simply cannot recheck anything at all.

MysteryFCM said...

Re-checking hundreds of thousands of sites constantly, isn't something I currently have the resources for ;o)

INVENT said...

Thanks a lot.
BTW, u have a SQL inj :)
http://support.it-mate.co.uk/?mode=Products&p=%27

MysteryFCM said...

Doing that kind of thing without authorization isn't exactly helping your argument of being legit, but it's been fixed nevertheless, cheers.

Helen said...

Thank you Steve! For a while I actually thought that Alexis and Pharmalert worked for you, I only found out that they did not by the notice you put on your hpHosts site.

To err is human :) and anyone thinking they might not be sure about a domain should check it. I visited a very reputable web design site and one link they posted was to a site that was infected with the Pegel virus, so you never know when or where or when they are cleaned up. I'll have to log into the forum to report it.

Many many thanks for a top notch service

e-sushi said...

My 2 cents as a developer:

Brothersoft.com is run from within China by a Chinese company. Why didn't it come as a surprise when I detected that Brothersoft is apparently offering 12 programs by me, but actually distributes trojans as a download instead of the original software?

By doing so, Brothersoft.com abuses my name for their malicious attempts to invade your computer system!

Also, being located in China, they use their freedom to ignore DMCA takedown notices, so the issue can not be resolved as long as China ignores international copyright laws and licenses.

If that's not enough reason for marking Brothersoft.com as a malicious website, you haven't opened your eyes lately.

MysteryFCM said...

Can you point me to any of the files they're claiming are yours, but are coming with malicious downloads instead please?

AlphaCentauri said...

Brothersoft.com is registered with GoDaddy, which does respect copyright law. They may tell you to deal with the hosting company, though.

It is hosted on 63.116.243.105 and 63.116.243.123, which is Verizon Business. Again, a U.S. company that is covered by copyright law, no matter what the registrant's address is.

In fact, it's quite unlikely the address in the whois is the real address of the registrant if it is distributing malware as you say. So the China thing could be a diversion. It's worth submitting a WDPRS report in case GoDaddy refuses to act; if Verizon boots them they can just change hosting somewhere else without missing a beat. If the domain is on hold due to fraudulent whois, they can no longer receive traffic for it.

The important thing is to present your case clearly and calmly, with links to VirusTotal analysis of the download files, etc. It looks to me that you will have to get sandboxed up and click through a few links to get to the actual download to do it; I wasn't able to confirm that there is malicious software there. It's unlikely any site offering free downloads of all those programs is legitimate, though.

Klen11 said...

You should remove

"According to http://www.hosts-file.net/ if you access this domain you risk to unwillingly download and install malicious software (virus, trojans, spyware, etc) that may damage your computer."

on your results page.

http://hosts-file.net/?s=108.167.172.200

Makes it look like the site has a problem to some users.

MysteryFCM said...

Thank you.

As an aside, I've added the domain involved, as whilst there's no malware, I did find spam pointing to it, and given the site's owner didn't mention it at all when replying, he quite obviously doesn't mind it.

Spam found at:
hxxps://forums.eveonline.com/default.aspx?g=posts&m=1192353#post1192353