Website (IP) cannot be opened, but Blocked by avast

Problem discussed here http://tieba.baidu.com/p/3019254137 and here http://tieba.baidu.com/p/1976852770

hxxp://211.162.61.201/download/ … is blocked by avast
For example hxxp://211.162.61.201/download/3072045/3276609/1/cab/153/171/1381257750169_171/access-x-none_49490652ae77b4607b7682256f7f10286f538280.cab

In case you don’t understand Chinese, the problem is that when those Chinese users are watching video on popular video websites (such as youku and toudu), avast alerts on this website as URL:Mal.
See the /download/ part. This IP is probably used for downloading files. Then it would be similar to this solved problem https://forum.avast.com/index.php?topic=149291.msg1084622#msg1084622

I don’t know why Sophos blacklists it: https://www.virustotal.com/zh-tw/url/4ce3afa88fc1031020682d96429d3602baaa079727a897161fc02e8bd51ed68b/analysis/

No change to hxxp because it cannot be opened.
Yes, there is a need to change it. Not everyone is using avast.
http://zulu.zscaler.com/submission/show/5b604c4d0044eb7414b9a0cdd6b3aa65-1414223537
http://urlquery.net/report.php?id=1414223407739
http://multirbl.valli.org/lookup/211.162.61.201.html
http://mxtoolbox.com/SuperTool.aspx?action=mx%3a211.162.61.201&run=toolpage

Well, I tried. No matter which method you use, you CANNOT access anything through the link directly. You cannot even download the file within the link either.
It is not for direct access!!! You will either get a connection timeout or just an error page. And that is the reason why I didn’t change it, because you CANNOT go to that site.
BUT, you may get the content through some video on a Chinese site like youku.
Anyway, edited just in case there is still malicious content loaded on the “page not found” page.

Edit:

http://urlquery.net/report.php?id=1414223407739
http://mxtoolbox.com/SuperTool.aspx?action=mx%3A211.162.61.201&run=toolpage
https://www.virustotal.com/zh-tw/url/4ce3afa88fc1031020682d96429d3602baaa079727a897161fc02e8bd51ed68b/analysis/

These scans will be pointless. As you can see, neither of them accesses any content because the page just won’t load that way.

The scans are not pointless; they show that there are problems with that IP.

Hi Eddy and rickyyeung,

There is an HTTP communication error from that IP site and certainly issues.
Further down you read why: because darknet cybercriminal actions are going on.

https://www.virustotal.com/nl/ip-address/211.162.61.201/information/
Sucuri is also unable to scan the site.
Hostname: 211.162.61.201
IP address: 211.162.61.201

System Details:
Unable to properly scan your site. Unable to connect.
Quttera gives “unreachable”.

See: https://www.robtex.com/en/advisory/ip/211/162/61/201/

Well, interesting info for rickyyeung - it seems Russian cybercriminals are busy setting up a Forma Cyber Attack
going after email addresses to use these a.s.a.p. as Malware Droppers - Sophos also seems aware.
Funny that Yandex has not reacted, so probably the actions may be “condoned” by Russian officialdom.

Blacklist reactions came from (multirbl output):

blocklist               status              description
dev.null.dk             red (127.0.0.2)     ?
spamsources.fabel.dk    (127.0.0.2)
(one list)              timeout

What we can say is that avast! is very well informed here and right on top of what is going on! “Big applause for avast!” (Polish in the original: “Wielka brawa dla avasta!”)

For the domain name info: https://www.robtex.com/en/advisory/dns/com/116221/

For such IPs there should be a DAEDALUS-style darknet monitoring system set up, i.m.o.

polonus (volunteer website security analyzer)
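The blocklist hits quoted above (dev.null.dk and spamsources.fabel.dk both answering 127.0.0.2, one list timing out) come from DNSBL queries: the IP’s octets are reversed, the list’s zone is appended, and an A-record lookup is made; a 127.0.0.x answer means “listed”, NXDOMAIN means “clean”. The following is an added example (not code from the thread, from avast or from multirbl.valli.org) showing how such a lookup is built and interpreted. To keep it runnable offline, the resolver is injected: `constructed_resolver` returns answers constructed to mirror the two hits in the post, and `slow-zone.invalid` is a hypothetical zone added only to exercise the timeout path. Replace the resolver with a real A-record lookup (e.g. `socket.gethostbyname`) to query live zones. It also adds the RFC 5782 self-test (127.0.0.2 must be listed, 127.0.0.1 must not) that any tool should run before trusting a zone’s verdict.

```python
"""DNSBL lookup: the mechanism behind a multirbl-style blocklist check.

Added example, not code from the thread or from avast.  The resolver is
injected so the block runs offline; `constructed_resolver` returns answers
constructed to mirror the two hits quoted in the post.
"""
import ipaddress
from typing import Callable, Dict, Iterable, Optional

# Zones quoted in the thread's blocklist output.
DNSBL_ZONES = ("dev.null.dk", "spamsources.fabel.dk")
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

# Type of the injected resolver: query name -> A record, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


class DnsblTimeout(Exception):
    """Raised by a resolver when a zone does not answer in time."""


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the query name: octets reversed, zone appended.

    211.162.61.201 against dev.null.dk -> 201.61.162.211.dev.null.dk
    """
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_answer(answer: Optional[str]) -> str:
    """Map a DNSBL A-record answer to a status string.

    Lists answer with a 127.0.0.0/8 address whose last octet is a
    list-specific reason code; 127.0.0.2 is the conventional generic
    'listed' code, which is what both hits in the thread returned.
    NXDOMAIN (None here) means not listed.  An answer outside 127/8
    usually means the zone is dead or wildcarded and must not be trusted.
    """
    if answer is None:
        return "not listed"
    if ipaddress.IPv4Address(answer) not in LOOPBACK:
        return f"invalid answer {answer} (zone dead or wildcarded?)"
    return f"listed ({answer})"


def check_ip(ip: str, zones: Iterable[str], resolve: Resolver) -> Dict[str, str]:
    """Query every zone for `ip` and return zone -> status."""
    results: Dict[str, str] = {}
    for zone in zones:
        try:
            results[zone] = interpret_answer(resolve(dnsbl_query_name(ip, zone)))
        except DnsblTimeout:
            results[zone] = "timeout"
    return results


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 self-test: 127.0.0.2 must be listed, 127.0.0.1 must not be.

    A zone that fails this is returning garbage (typically every query
    'listed' after the list was shut down), so its verdicts are worthless.
    """
    try:
        positive = resolve(dnsbl_query_name("127.0.0.2", zone))
        negative = resolve(dnsbl_query_name("127.0.0.1", zone))
    except DnsblTimeout:
        return False
    return positive is not None and negative is None


# Constructed answers mirroring the two hits quoted in the post, plus the
# RFC 5782 test entries those zones would have to serve.
_ANSWERS = {
    "201.61.162.211.dev.null.dk": "127.0.0.2",
    "201.61.162.211.spamsources.fabel.dk": "127.0.0.2",
    "2.0.0.127.dev.null.dk": "127.0.0.2",
    "2.0.0.127.spamsources.fabel.dk": "127.0.0.2",
}
SLOW_ZONE = "slow-zone.invalid"  # hypothetical zone that never answers


def constructed_resolver(qname: str) -> Optional[str]:
    """Offline stand-in for an A-record lookup (constructed data only)."""
    if qname.endswith("." + SLOW_ZONE):
        raise DnsblTimeout(qname)
    return _ANSWERS.get(qname)  # None stands for NXDOMAIN


if __name__ == "__main__":
    target = "211.162.61.201"
    for zone in DNSBL_ZONES:
        print(f"{zone:22} sane={zone_is_sane(zone, constructed_resolver)}")
    for zone, status in check_ip(target, DNSBL_ZONES + (SLOW_ZONE,), constructed_resolver).items():
        print(f"{zone:22} {status}")
```

Two practical caveats when running this against live lists: a timeout is not evidence either way (the thread’s own output shows one list simply not answering), and a listing only says the IP was seen sending spam or hosting something bad at some point; the reason code and the list’s own lookup page are needed to tell what.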

Hi Eddy and rickyyeung,

This is very much on the spam radar now: http://zy0.de/q/211.162.61.201 (indirectly via @mailabuse)
Hostname [invalid rDNS]

polonus