Website False Alarm? Please help.

Hello,

I have some problems with 2 websites hosted on a dedicated server from Hetzner, Germany with the IP: 88.198.41.180.

First problem is that people using Avast! Antivirus solution are immediately blocked when trying to visit the websites.
We did a scan of the websites ourselves and they are clean but still the Avast! Antivirus behaves the same.

The second problem is the following

There was a record of a Russian website, falwar.ru, using the IP of this server. Now it’s gone; there are only our 2 websites (fefco.org and citpa-europe.org).

We think that this particular antivirus (Avast!) has blacklisted this IP because of some possible threats made previously from the Russian website.

The Russian website is now under the IP 31.31.204.60 in Russia, along with 30,741 other websites (examples: 0-pem0nte.ru 0084.ru 00ss.ru 017-programs.ru).

What can I do?

I already sent a message to Avast! to unblock the IP which is clean now but no reply yet.

Thanks in advance,
Sebastian

That IP is also on McAfee's block list.

http://sitecheck.sucuri.net/results/88.198.41.180

VirusTotal:
https://www.virustotal.com/url/6db94e2240963e4ee5a8a75c3e053ee5d35d8a277eacc1f26663dc01f71f783d/analysis/1350395863/

IDS alert from the Suricata filter: http://urlquery.net/report.php?id=234446

Thanks

So, I may be right about what I said previously, that the IP is blocked due to the previous usage?

Multiple Fraud/Scam domain IP: http://www.malwareurl.com/ns_listing.php?ip=31.31.204.60
AS details: AS Name: DOTSI Dotsi, Unipessoal Lda.
IPs allocated: 4096
Blacklisted URLs: 2

Hosts…
…malicious URLs? No
…badware? Yes
…botnet C&C servers? No
…exploit servers? No
…Zeus botnet servers? No
…Current Events? Yes
…phishing servers? No

From that IP, "Malicious Toolkit Website 2" attacks were being launched:
Web Attack: Malicious Toolkit Website 2
Attacking Computer: 88.198.41.180, 80
Attacker URL: wXw.zonis.co.tv/9s1hjngl/?2
Spider activity, spambot activity and comment spammer activity were being performed from that IP range according to Project Honeypot.
PHP.ShellExec malware on http://mcn.team.cx/scripts/box

polonus

In the end the hosting company offered to change the IP and I guess I will accept.

I mean, it’s not my job to clean an IP provided already with problems.

Anyway, Avast! should pay more attention to this! It’s like someone said, you buy a new house and the next day you have people at the door asking you for money that the old landlord owed them…

Through my searches I found an interesting name: ET RBN Known Russian Business Network IP (398). Maybe you might want to pay attention to them if you are not aware of them.

All the best!

Through my searches I found an interesting name: ET RBN Known Russian Business Network IP (398). Maybe you might want to pay attention to them if you are not aware of them.
Everyone knows; it's no secret, and it was listed in my urlquery link posted above.

Russian Business Network
http://en.wikipedia.org/wiki/Russian_Business_Network

I totally get how annoying this must be. It looks like your website might’ve been flagged mistakenly, maybe because of the server’s IP reputation. Here are a few things you can try to get it sorted:

Check your server’s IP reputation: Sometimes shared hosting can cause issues if other sites on the same server are flagged. You can use tools like MXToolbox to see if your server’s IP is on any blacklists.

Report the false alarm to Avast: If it’s a false positive, Avast should be able to review and clear it up. You can send them a report through their site to get it removed from their database.

Scan your website for malware: Just to be safe, you can run a scan on your website with tools like Sucuri or Wordfence. It’s good to double-check that everything is clean, especially if you haven’t done this in a while.

Get in touch with your hosting provider: If you’re with a managed hosting provider like Onlive Server, they should be able to help out. They monitor the servers for issues like this, and their support team can often work with security companies to resolve things like IP blacklisting.

I hope this helps! Let me know if you need any more details, and best of luck getting it all sorted!

It now says that this is -expired.reg dot ru, and it refuses connection.
Reg dot ru has the following retirable JavaScript libraries:

jquery-validation 1.17.0, found in htxps://www.reg.ru/dist/old-vendors.dc18cc3a8014d7ae37fe.js
Vulnerability info:
high CVE-2022-31147 ReDoS vulnerability in url and URL2 validation (GHSA-ffmh-x56j-9rc3)
low CVE-2021-43306 (issue 2428) ReDoS vulnerability in URL2 validation (GHSA-j9m2-h2pv-wvph)
high CVE-2021-21252 Regular Expression Denial of Service vulnerability (GHSA-jxwx-85vp-gvwm)

jquery 1.12.4, found in htxps://www.reg.ru/dist/old-vendors.dc18cc3a8014d7ae37fe.js
Vulnerability info:
medium CVE-2015-9251 (issue 2432) 3rd party CORS request may execute (GHSA-rmxg-73gg-4p98)
medium CVE-2015-9251 (issue 11974) parseHTML() executes scripts in event handlers (GHSA-rmxg-73gg-4p98)
medium CVE-2019-11358 (issue 4333) jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution (GHSA-6c3j-c64m-qhgq)
medium CVE-2020-11022 (issue 4642) Regex in its jQuery.htmlPrefilter sometimes may introduce XSS (GHSA-gxr4-xjj5-5px2)
medium CVE-2020-11023 / CVE-2020-23064 (issue 4647) passing HTML containing elements from untrusted sources, even after sanitizing it, to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code (GHSA-jpcq-cgw6-v4j6)
low jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates

polonus
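To make the jQuery 1.12.4 finding above concrete, here is an added example (written for this page, not code from the forum post or from jQuery) of the deep-merge pattern behind CVE-2019-11358: a minimal re-implementation of a `jQuery.extend(true, …)`-style merge without the `__proto__` guard, beside a hardened version that mirrors the check jQuery 3.4.0 added. The function names and the JSON payload are constructed for illustration.

```javascript
// Added example, not from the forum post or from jQuery itself: a minimal
// re-implementation of the deep-merge pattern behind CVE-2019-11358
// (jQuery.extend(true, ...) before 3.4.0), beside the guard 3.4.0 added.
// Function names and the payload are constructed for illustration.

// jQuery-style plain-object test: object literals and objects with a null
// prototype count, which is exactly why Object.prototype itself passes it.
function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Vulnerable: walks every enumerable key of `source`, including a key literally
// named "__proto__" (which JSON.parse creates as an own property). Reading
// target["__proto__"] yields Object.prototype, that passes isPlainObject, and
// the recursion merges attacker-controlled data into it.
function deepExtendVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = target[key];
      const clone = isPlainObject(existing) ? existing : {};
      target[key] = deepExtendVulnerable(clone, value);
    } else if (value !== undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip "__proto__" (the jQuery 3.4.0 fix) and only copy own
// properties, so an already polluted prototype cannot propagate through
// later merges either.
function deepExtendFixed(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__") continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const clone = isPlainObject(existing) ? existing : {};
      target[key] = deepExtendFixed(clone, value);
    } else if (value !== undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Runs the attack against a merge function and reports what leaked onto a
// fresh, unrelated object. Cleans Object.prototype afterwards so the process
// is left in its original state whichever function was probed.
function runPollutionProbe(extendFn) {
  // Constructed payload: what an attacker would put in a JSON body or query
  // string that the application deep-merges into its settings/options object.
  const untrusted = JSON.parse('{"__proto__": {"polluted": "yes"}, "title": "hello"}');
  const settings = extendFn({ title: "default", debug: false }, untrusted);
  const leaked = ({}).polluted;   // undefined unless Object.prototype was polluted
  delete Object.prototype.polluted;
  return { title: settings.title, leaked };
}
```

Running `runPollutionProbe(deepExtendVulnerable)` yields `leaked: "yes"`: every object in the page now carries a `polluted` property, which is how this class of bug turns into XSS or logic bypasses in code that checks `options.someFlag`. `runPollutionProbe(deepExtendFixed)` merges `title` normally and leaks nothing. Upgrading jQuery to 3.4.0 or later is the real fix; the re-implementation only shows what the guard prevents.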