malware review

easyhostmedia

Hi

Why is it that some VPS providers don't know how Google's malware review works?

I recently purchased a fully managed VPS from wizzsolutions on 2012-11-10 just so I could run my main site and WHMCS away from clients' sites. I installed cPanel and all was working fine until yesterday, when I tried to access my WHM and got a warning (see attachment wizzerror1.jpg).

When I click "Why was the page blocked" I am taken to


http://safebrowsing.clients.google....efox&hl=en-GB&site=http://46.37.179.138:2086/

see attachment wizzerror2.jpg

This does not show my IP, and I have not hosted any of the mentioned sites, as this is only hosting my own main site.

Today I get these replies

Hello,

We are doing the scan on your server with maldet to check for the malicious content in it. Besides these you need to contact Google to have them do a scan afterward as well.

Please verify the below given URL to contact Google to scan the server and remove the block as well.

=======
http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633


Terry,

Most likely the user that was setup on your main IP in the past was hosting this malware content, I would assume it is not on your VPS.

Per this link we'll need to contact google to resolve this:
http://safebrowsing.clients.google....37.179.138:2086/&client=googlechrome&hl=en-US

Do you have a google account?
You will have to request this malware review per this link within webmaster tools:
http://support.google.com/webmasters/bin/answer.py?hl=en&answer=168328

Let us know if you have any questions or concerns,

but getting them to understand that the Google malware review is to review websites and not server IPs

"Request a malware review

Once you're certain your site is free of malware, you can ask Google to review it.

Once you're sure your site is free from any infected code and content, you can request a malware review.

Request a malware review:

On the Webmaster Tools Home page, select the site you want.
Click Health, and then click Malware.
Click Request a review."

maldet is clean according to them

----------------------------------------
root@alpha [~]# maldet -a /home/?/public_html
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks <proj@r-fx.org>
(C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(15688): signatures loaded: 10179 (8311 MD5 / 1868 HEX)
maldet(15688): building file list for /home/*/public_html, this might take awhile...
maldet(15688): file list completed, found 10305 files...
maldet(15688): 10305/10305 files scanned: 0 hits 0 cleaned
maldet(15688): scan completed on /home/*/public_html: files 10305, malware hits 0, cleaned hits 0
maldet(15688): scan report saved, to view run: maldet --report 112812-1102.15688
------------------------------------------------

but they still insist on this

Hi,

You need to do it by yourself with your registered email ID of your server to scan the site or a removal request from the google by following the Mike , Betty URL which was given earlier.

--------------------------
http://support.google.com/webmasters/bin/answer.py?hl=en&answer=168328
---------------------------

If you are not sure with doing this, Please let me know the registered email login details of the server to assist you further with this.
 
now they are saying

Description:
Hi,

Please note: if the server IP's reputation is bad then you will have to follow Google's instructions on getting it off the list. The server's IP address can't have malware on it, as malware is found on something like a server's OS.

----
Thanks.

So a server set up 2 weeks ago that wizz solution set up with the OS, and Google are saying the server IP that wizz solution assigned to my server is associated with malware, and all this is due to me and for me to correct.

What a joke. My site is not even on the server IP 46.37.179.138, as it's on a dedicated IP.
 
I would have thought really that they should have sorted this out for you, considering how it's not your fault as you aren't the person who hosted the malicious content on it.

There isn't much more you can do though other than move to another provider if you aren't happy with their service.
 
I would have thought really that they should have sorted this out for you, considering how it's not your fault as you aren't the person who hosted the malicious content on it.

There isn't much more you can do though other than move to another provider if you aren't happy with their service.

I think they finally got the message that Google malware review does not work with IPs

Terry,

I think you are right about adding the server IP to a list in google. I
will check more on our end. I do not think this issue stops you from
using WHM, maybe only in Chrome. Please let me confirm a few things and I will return to you shortly.
 
I would get a new IP with a good reputation right away. They should be able to grant you that small request at the very least. Also, the IP's reputation should have been dealt with before they even assigned it to you. Especially if the last user with the IP was hosting malware on their network. :crash:
 
I would get a new IP with a good reputation right away. They should be able to grant you that small request at the very least. Also, the IP's reputation should have been dealt with before they even assigned it to you. Especially if the last user with the IP was hosting malware on their network. :crash:

Well, this is what I would have thought, which should be a simple task, but wizzsolutions seem to use burstnet (enough said) http://whois.domaintools.com/46.37.179.138

Also the fact they did not know how the Google malware review system worked and were expecting me to sort this issue out
 
We have worked with datacenters in the past when buying servers through them and finding IPs on Spam Lists, Google Lists, you name it - in every case the datacenter is required to take the action to resolve the IP issues, and REFUND us until they have a 100% clean IP.

It ended up about 2 years ago that our existing datacenter knows that if we order an IP and it's not clean, we'll cancel the server. In the past, we would order 4 or 5 to have on standby, if one fails, they all get rejected. Our datacenters love us now - mainly because we FORCE them to do their job. It's not our fault that THEY provided service to someone previously who got their IP on a list.

If you're having problems with them not providing clean IPs, let them know that you're removing your machines - fairly quickly, they'll take action to resolve the issue. Also, require that they reimburse you for the time that you've wasted waiting on a new machine that was then inoperable. Fairly quickly, you'll see their story change - at least when it comes to you and your business anyway.

As for burstnet - been there, done that, refused the t-shirt and bailed. We were experimenting with them for UK Dedicated servers. Between their lack of ability to use an Image when setting up the server, limited response on support, and then what appeared to be either degraded hardware or incorrectly configured machines - we finally had to pull the plug on all things related to them. We were only TESTING machines at that point, I could only imagine if I had resold those machines to people and faced that backlash. We'd lose the customer and our reputation for life!
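
An added example, not part of the original post: one way to automate the pre-acceptance check described above, asking Google's Safe Browsing Lookup API (v4) about every IP in a pool and rejecting the whole pool if any address is listed. The function names, the `client_id` value and the sample response are constructed for illustration, and the addresses are documentation-range placeholders.

```python
import json
import urllib.parse
import urllib.request

API = "https://safebrowsing.googleapis.com/v4/threatMatches:find"
PORTS = (80, 2086, 2087)  # plain web plus the WHM ports seen in this thread


def candidate_urls(ips, ports=PORTS):
    """URLs a browser would check for each IP (no port suffix for 80)."""
    return [f"http://{ip}/" if p == 80 else f"http://{ip}:{p}/"
            for ip in ips for p in ports]


def build_request(urls, client_id="ip-pool-vetting"):  # client_id is made up
    """Request body for the v4 Lookup API covering all candidate URLs."""
    return {
        "client": {"clientId": client_id, "clientVersion": "1.0"},
        "threatInfo": {
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING",
                            "UNWANTED_SOFTWARE"],
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def http_lookup(body, api_key):
    """POST the body to the Lookup API; needs network access and an API key."""
    req = urllib.request.Request(
        f"{API}?key={api_key}", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def vet_pool(ips, lookup):
    """Return (accept, {ip: [threat types]}); one listed IP rejects the pool."""
    response = lookup(build_request(candidate_urls(ips)))
    listed = {}
    for match in response.get("matches", []):  # key is absent when clean
        host = urllib.parse.urlsplit(match["threat"]["url"]).hostname
        listed.setdefault(host, set()).add(match["threatType"])
    return (not listed, {ip: sorted(t) for ip, t in listed.items()})


# Constructed response for illustration, not real Safe Browsing data.
SAMPLE = {"matches": [{"threatType": "MALWARE",
                       "platformType": "ANY_PLATFORM",
                       "threatEntryType": "URL",
                       "threat": {"url": "http://192.0.2.10:2086/"},
                       "cacheDuration": "300s"}]}

if __name__ == "__main__":
    # Offline demo: the lookup is stubbed with the constructed response.
    print(vet_pool(["192.0.2.10", "192.0.2.11"], lambda body: SAMPLE))
```

For a live check, pass `lambda body: http_lookup(body, key)` as `lookup`, with your own API key.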
 
If you're having problems with them not providing clean IPs, let them know that you're removing your machines - fairly quickly, they'll take action to resolve the issue. Also, require that they reimburse you for the time that you've wasted waiting on a new machine that was then inoperable. Fairly quickly, you'll see their story change - at least when it comes to you and your business anyway.

tried that and got this response

Terry,

You have asked for a refund every time you have had an issue with your account. I do not think this is very fair or the right way to have a hosting partnership. As a hosting company owner you should understand and know that web hosting is many times not perfect. We work very hard to make our solutions as worry free and powerful for our clients and I am sure you do the same. So for this issue it seems google marked a whole subnet as a malware host:

--
Diagnostic page for 46.37.179.0
but my IP is 46.37.179.138
---

As you know with hosting IPs are recycled, so what happened is that one of the 256 other IPs on this subnet, a client in the past was hosting malware, and therefore Google has marked the whole 46.37.179.0/24 as a malware source.

This seems like an error and we'll work to have it resolved for you. We'll update you as soon as possible on this, thanks for your understanding!

----

also got these 3 messages overnight from 3 different techs

Hello,

Sorry !

As we stated earlier, your server IP (46.37.179.138) has been black-listed in Google for some Malware contents on previous users that were on your subnet.

We are working on resolving this issue with our network engineers as well as google security team to remove this black list

But we tested and can access WHM in few browsers like "opera" but are working on fixing this.

Let us know of any questions or concerns and that we are resolving this as fast as possible

Thanks for your patience !

Hello,

Thanks for your patience !

We have sent a request to delist the IP (46.37.179.138) from Google database.

We are also interacting with Google team and our network engineers to resolve this issue ASAP.

Thanks for your understanding regarding this issue.

Hi Terry,

We have requested Google to remove the server IP address from their database and it may take some hours to have them review the IP and get it removed. Meanwhile, you can access WHM by selecting "Ignore this Warning" showing on the main page and it will redirect to WHM login page.

We will update you once the IP address is removed from the google suspicious database.

Thanks for your understanding.

So I have to wait days to get to use my server; at the same time I have paid them and am also paying cPanel for a CP licence.

I have their next invoice arrived to be paid by 10/12/2012 and IP invoice to be paid for by 12/12/2012. Yes, it took them 2 days to provide me a dedicated IP (I only wanted 1 but had to take 10 IPs for $5 as this was the smallest they could provide).
 
now i get

Description:
** File Attached: modi_wizz.jpg **

Hi,

You can find the "Ignore this Warning" at the right bottom of the page in this link https://46.37.179.138:2087/

I have attached a link for your help, I will update you once I have heard back from google team

Thanks for your patience and co-operation.

But ignoring the warning still does not help me, in that the IP is not clean, and who knows if any of the other IPs they sold me are clean or not. Why would I open an attachment from them? If they can't supply a clean IP, how clear are their systems?
 
Well, that's a nasty situation. What is one to do in such a case? As I see it your options are to wait for the issue to be resolved or to cancel your service with them and move on. At least you don't really have malware, it's just the IPs that are bad.
 
Well, that's a nasty situation. What is one to do in such a case? As I see it your options are to wait for the issue to be resolved or to cancel your service with them and move on. At least you don't really have malware, it's just the IPs that are bad.

At least my site and WHMCS are still up; it's just the server's main IP that is bad, and my site is using a ded IP and my WHMCS database is backed up daily to a Gmail email account.

I will wait it out and not pay the pending invoices (due date 10/12/2012 for VPS and 12/12/2012 for IPs); it just means I am paying cPanel for a CP licence when I can't access root WHM due to this IP issue.
 
This is probably the worst response that I've ever seen anyone make:
As a hosting company owner you should understand and know that web hosting is many times not perfect.

This is an excuse, plain and simple. I call BS on that. As a hosting company, you STRIVE for excellence, and believe it or not, you can attain it many times. Yes there might be a blip every now and then, but depending what it is, it might have been in your control anyway.

With regards to their response about Google blocking entire subnets because of a single bad IP, this is incorrect. Google blocks individual IPs, just like every other company. If it WAS the case that they blocked the entire subnet, then why are they only requesting removal of YOUR IP number rather than the entire subnet? Also, if it was the fault of one other person in the subnet, have they found the person and removed them so that you do not end up re-blocked again in the near future?

Blocks happen, it's a way of life sometimes, but they're usually for something that you or your client has done. When it comes to IPs, only the ARIN contact is able to get the blocks removed. The fact that an IP is assigned to me is not enough for anyone to care, they will only talk to the datacenter or upstream provider to remove a block etc.

Hate to say it, but it sounds like you need a new provider! As for them saying that you're cancelling a perfectly good machine, this is only partially true. The machine might be OK, but their product they delivered (bad IP) causes the entire purchase not to work. As a result, it *IS* 100% their fault and should be resolved BEFORE delivery.

Really sucks. Sad to hear that this "data center" is just passing the hat rather than taking responsibility for their inability to screen customers, validate IPs, and maintain white IP lists prior to redistribution.
 
Hi Conor

I think they say it's the subnet because of this

http://safebrowsing.clients.google....efox&hl=en-GB&site=http://46.37.179.138:2086/

I laughed at their latest reply

Hi,

Sorry for the inconvenience caused to you, We are still waiting for the Google team's reply to clean your IP address.

Please note if Google failed to solve this issue in 24 hours, We will consider moving you to another IP range which may be needed and there will be some downtime while moving the class range.

Thanks for your understanding and co-operation.

----
Syam R.
3rd Level Engineering & Tech Support
WizzSolutions.com LLC

Considering I reported this to them 27/11/2012 01:31:31 pm, which if I am correct is over 24 hours, although I spent 24 hrs trying to get them to understand how the Google malware review system does not work on IPs

Just received yet another reply


Description:

Hi,

The Google team will take at least 24 hours to reply to this issue.

Is it okay for you to cancel this VPS and get a new one in the US location?

Please let us know how to proceed with this issue.

Strange as to why I would want a US location when I specifically ordered a UK server.
 
ouch - yeah, US is different than UK.. as a hosting company they should know the difference and what impact that could play on SEO and site visitors. Seems like they just have their heads in the sand!

As for changing IPs - the downtime should be minutes (if done correctly), and really if they wanted to do things 100% right, they could just map the IP to the new IP while it all resolves.

Only other thought would be to have a CLEAN IP to have your mail going out on that IP, a CLEAN IP for your website itself, and then wait for the bad IP to resolve for only the login of the actual server. This way, you're not losing time.

Find out if they have already scanned the new IP that they plan to move you to - and if not, why they think moving you to another dirty IP is going to resolve anything :)
 
I only got a VPS to host my main site and WHMCS away from my clients' accounts, which are on a server through the steadfast chicago DC, but with me being in the UK I thought it best to have my main site on a UK server.

Luckily (hopefully) my site is on a ded IP, but I have a VPS with a bad IP and a pool of 13 IPv4 IPs, as they say they could only sell IPs in blocks of 10 (but I ended up with 13).

Latest message, which I say is as useless as a chocolate fireguard

Description:
Hi,

We have already contacted Google team to clean the IP address and they will take 24-48 hours to clean the IP address.

Thanks for your understanding.

----
Syam R.
3rd Level Engineering & Tech Support

I don't think replying would help, as they just keep repeating the same thing.
 
a new pointless message from their management

Terry,


I'm still working on this and have just requested escalation to the executive team at the network. Since it is an entire subnet that is marked as malware they should be responsible and I am pushing them to assist.
Just keep in mind how big of a company google is and how hard it is to find the right person to resolve this specific issue in a company that size.
We resolve blacklists all of the time but they are managed by small organizations in most cases.


I appreciate your patience and please know that we are working on this as hard as possible for you.




Michael Kahn
 
a new pointless message from their management

Pointless or not, they are keeping in touch with you and letting you know the issue is still very much a priority for them, which is a nice thing to do. Some other companies wouldn't even communicate properly.
Would you rather sit in a complete darkness about what's going on (or not going on)?
 
Pointless or not, they are keeping in touch with you and letting you know the issue is still very much a priority for them, which is a nice thing to do. Some other companies wouldn't even communicate properly.
Would you rather sit in a complete darkness about what's going on (or not going on)?

That's true, but I think it's not very much of a relief to him. The company admitting that they're having a problem is nice and all but it would be nicer if the issue didn't happen in the first place. Oh, well...
 
updates overnight.

still may look elsewhere though

Description:
Terry,

Found this link: http://avinashtech.com/google/disable-google-safe-browsing-firefox/
You may want to give it a try in firefox

We are still researching and working on a solution. Thanks for your patience and we'll update you soon.

----
-Michael K
WizzSolutions.com The Leader In High Bandwidth Hosting.

Description:
Terry,

Talked to the team and they mentioned we made the de-list request twice yesterday. It should take about 48 hours to be removed.
We'll keep this ticket open and monitor for the status.

Thanks,

----
-Michael K
WizzSolutions.com The Leader In High Bandwidth Hosting.

Hi Terry,

Please try to access WHM via any of your secondary IPs: http://178.238.140.178:2086. We could access WHM by bypassing the warning showing on the primary IP as well as with the secondary IP too. Please see the attached screenshot. Please have a try and let us know if you still face any issues.

We will get back to you once we receive an update from google regarding the removal of IP address from their database.

Thanks
-----
Poornima S.
Quality Assurance Senior Mgr.

Description:
Hello,

Thanks for your patience during these long hours.

Finally your server IP (http://46.37.179.138/) has been de-listed by Google team. Now you can access your WHM by using any browser without any errors.

====
http://46.37.179.138:2087
-------

You can view the status of the report by accessing below URL.
-------
http://www.stopbadware.org/reports/00e88768032275cdd95ae28e59b83f02
-----

In above link, please click on the last "+" symbol. There you can find the status as below.
----
Review requested: Nov 29th 2012
Review closed: Nov 29th 2012
Review status: Closed - URL no longer reported by StopBadware partners
---------

Please try this by removing your browser cache.

Let us know if you need any further assistance regarding this.

Thanks !




----
Regards,

Richard
3rd Level Engineering & Tech Support
 