Thegreenbutton.tv - Malwarebytes - shared hosting IP address flagged

#1

Post by DSperber » Mon Jun 03, 2024 4:53 pm

(1) This morning I sent an email to ADMIN@THEGREENBUTTON.TV advising of this problem, but so far no response. I can no longer get to www.thegreenbutton.tv web site, because all browsers are producing the error message SSL_ERROR_RX_RECORD_TOO_LONG:

==> For some strange reason, the resolved numeric IP address for www.thegreenbutton.tv is now 192.169.145.218.


(2) This started happening just overnight, and is occurring on every one of my browsers on every one of my four PCs on my home LAN. Some Win7, some Win10, some Win11.

All browsers return "secure connection failed" messages:

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

It is also occurring on at least three other PCs of friends and family (again, Win10 and Win11) which I maintain remotely for them, and thus have remote access to their PCs. They all have different routers, different ISP providers, and again Win10 or Win11.

The key SAMENESS of all of these machines is that they are all running (a) BitDefender anti-virus, and also (b) Malwarebytes Premium anti-malware.

==> I have determined that it is specifically the "real time web protection" being provided by Malwarebytes which is responsible for this symptom. The problem occurs if I leave its "web protection" enabled. However, if I DISABLE its "web protection" I no longer have the problem and everything seems to be normal.


(3) The same type of symptom occurs simply by using PING WWW.THEGREENBUTTON.TV, which will actually present the numeric IP that is being ping'ed if things are operating normally. And once again, if I DISABLE the "web protection" of Malwarebytes so that PING works, the numeric IP address shown is once again 192.169.145.218:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Darryl Sperber>ping www.thegreenbutton.tv

Pinging thegreenbutton.tv [192.169.145.218] with 32 bytes of data:
Reply from 192.169.145.218: bytes=32 time=24ms TTL=46
Reply from 192.169.145.218: bytes=32 time=21ms TTL=46
Reply from 192.169.145.218: bytes=32 time=23ms TTL=46
Reply from 192.169.145.218: bytes=32 time=21ms TTL=46

Ping statistics for 192.169.145.218:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 21ms, Maximum = 24ms, Average = 22ms

(4) My nephew (who is an IP engineer) has looked into this, and confirmed that he CAN connect to the web site with no problem. But then he does not have Malwarebytes installed.

However he was able to investigate the DNS resolution using NSLOOKUP from his own PC on his own network, and he confirms the DNS problem:

% nslookup thegreenbutton.tv
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name: thegreenbutton.tv
Address: 192.169.145.218


ADMIN - YOU NEED TO FIX THIS

#2

Post by holidayboy » Mon Jun 03, 2024 5:44 pm

Firstly, I do have a day job - I'm not always able to reply to each and every email that's sent to the admin address straight away unfortunately.

Secondly, the IP address for thegreenbutton.tv is indeed 192.169.145.218 (shared hosting).

Thirdly, it looks like another website being hosted on our shared server has possibly been up to no good - the IP address is listed on abuseipdb.com. I've reached out to our hosts to see what they can do.

Fourthly, our DNS records are correct and are working normally from what I can see. I'm not sure what "problem" you're referring to regarding the nslookup result?

Lastly, please don't SHOUT AT ME AGAIN.
Rob.

TGB.tv - the one stop shop for the more discerning Media Center user.

#3

Post by DSperber » Mon Jun 03, 2024 6:35 pm

holidayboy wrote: Mon Jun 03, 2024 5:44 pm Firstly, I do have a day job - I'm not always able to reply to each and every email that's sent to the admin address straight away unfortunately.
My apology. I had originally just sent an email to ADMIN before subsequently discovering this Operations forum and then your post here from just a few weeks ago involving a BOT attack and forum outage. I thought perhaps this [what I thought was a DNS-related problem] might be related or a repeat. I then saw your personal email address on your post, and decided to communicate that way as well, thinking that if nobody on your end was using Malwarebytes you might not have even noticed this issue.

Please forgive me for being over-zealous in at least trying to advise you of this non-trivial issue.

holidayboy wrote: Secondly, the IP address for thegreenbutton.tv is indeed 192.169.145.218 (shared hosting).
Really??!! My ignorance here is responsible.

holidayboy wrote: Thirdly, it looks like another website being hosted on our shared server has possibly been up to no good - the IP address is listed on abuseipdb.com. I've reached out to our hosts to see what they can do.
Excellent. That is really the point of this whole communication, so that I can leave "web protection" ENABLED in Malwarebytes and still participate on TGB.

holidayboy wrote: Fourthly, our DNS records are correct and are working normally from what I can see. I'm not sure what "problem" you're referring to regarding the nslookup result?
For this I blame my nephew, the "real techie". He was using that NSLOOKUP command (which I'm not familiar with) and the results he obtained convinced him it was a DNS record problem. Like me, I don't think he thought 192.169.145.218 was actually valid, and that his investigation results indicated some kind of loss of control of DNS records. Obviously we were both naive. Yet again, my apology.

holidayboy wrote: Lastly, please don't SHOUT AT ME AGAIN.
Sorry. I really just wanted to be sure the issue was being investigated, and eventually resolved.

#4

Post by DSperber » Mon Jun 03, 2024 6:52 pm

holidayboy wrote: Mon Jun 03, 2024 5:44 pm Fourthly, our DNS records are correct and are working normally from what I can see. I'm not sure what "problem" you're referring to regarding the nslookup result?
I was just casually quoting and paraphrasing what my nephew had sent to me. So I really may have misspoken about all of this.

But actually I think I may have been misled here by the results of PING failing to resolve the host name when Malwarebytes "web protection" was enabled: That probably was the source of my comments regarding a possible DNS-related cause:

with Malwarebytes "web protection" ENABLED:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Darryl Sperber>ping www.thegreenbutton.tv
Ping request could not find host www.thegreenbutton.tv. Please check the name an
d try again.

This PING failure when Malwarebytes is blocking part of the handshake is probably an expected RESULT of the Malwarebytes interference.

So we're really probably back to wondering why Malwarebytes feels that 192.169.145.218 is "malware". Either a "false positive" that needs to be reported to them, or a "genuine positive" protecting me from that other "shared hosting" site you mention which is reported on ABUSE.

#5

Post by DSperber » Mon Jun 03, 2024 7:29 pm

Just a postscript here...

I've now had a discussion with my nephew about what's been learned so far. He believes it IS a DNS server problem, and that as cached DNS servers around the world begin to expire and new TGB IP resolution begins to fail because updated info is not available, that the "early warning" seen from the Malwarebytes blockage will begin to catch up with everyone.

He predicts TGB will become inaccessible in the near short-term future, unless the DNS server problem is resolved.

I am just the messenger, and the first-clue provided by Malwarebytes (which is unhappy with 192.169.145.218) is just that... a first clue that something not right is going on here, somewhere.

I hope you can get to the bottom of it.

#6

Post by holidayboy » Mon Jun 03, 2024 8:07 pm

I have no idea how he's coming to that conclusion.... please feel free to post any results from his testing / investigation. The IP address 192.169.145.218 is not new - what makes you think that it is?

An SOA lookup for the domain rightly points to ns05.domaincontrol.com

If you specify that nameserver in the nslookup for the domain then you get the correct response.

Where is he seeing this caching issue exactly?

A quick lookup on https://dnschecker.org/ shows no errors anywhere.

The "early warning" from Malwarebytes is not showing a DNS issue as far as I'm aware - it's seeing that the shared IP address is associated with unwanted behaviour.

Unless you have some firm evidence that shows an issue with our DNS set up then I won't be engaging in any further conversation at this point.
Rob.

TGB.tv - the one stop shop for the more discerning Media Center user.
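
The check described in the post above (compare the resolver's answer with the answer from the SOA nameserver), combined with the ping results posted earlier in the thread, as an added example that is not part of the original posts. The function names, the authoritative sample output and the 192.0.2.53 placeholder address are assumptions made for illustration.

```python
import re

# Quoted from the thread: recursive lookup through the home router.
RECURSIVE = """\
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name: thegreenbutton.tv
Address: 192.169.145.218
"""

# Constructed: the same query sent straight to the SOA nameserver.
# 192.0.2.53 is a documentation placeholder, not that server's real address.
AUTHORITATIVE = """\
Server: ns05.domaincontrol.com
Address: 192.0.2.53#53

Name: thegreenbutton.tv
Address: 192.169.145.218
"""

# Quoted from the thread (console line wrap joined): filter enabled, then disabled.
PING_FILTER_ON = "Ping request could not find host www.thegreenbutton.tv. Please check the name and try again."
PING_FILTER_OFF = "Pinging thegreenbutton.tv [192.169.145.218] with 32 bytes of data:"

def answers(nslookup_text):
    """Addresses in the answer section only (skips the server's own Address line)."""
    _, _, answer = nslookup_text.partition("Name:")
    return set(re.findall(r"^Address(?:es)?:\s*(\S+)", answer, re.M))

def ping_target(ping_text):
    """IP that ping resolved the name to, or None when resolution failed."""
    m = re.search(r"^Pinging \S+ \[([0-9a-fA-F.:]+)\]", ping_text, re.M)
    return m.group(1) if m else None

def triage(recursive, authoritative, ping_on, ping_off):
    """Hypothetical helper: separate a DNS fault from a local filter block."""
    rec, auth = answers(recursive), answers(authoritative)
    if not auth or rec != auth:
        return "dns-mismatch"           # resolver disagrees with the zone's own server
    on, off = ping_target(ping_on), ping_target(ping_off)
    if on is None and off in auth:
        return "endpoint-filter-block"  # correct answer appears once the filter is off
    if on in auth:
        return "resolution-ok"
    return "inconclusive"

print(triage(RECURSIVE, AUTHORITATIVE, PING_FILTER_ON, PING_FILTER_OFF))
```
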

#7

Post by DSperber » Tue Jun 04, 2024 11:45 am

I've reported the questionable web site blockage on the Malwarebytes "False Positives" sub-forum.

The response from them is, as you mentioned earlier, that "The IP is blocked due to https://www.abuseipdb.com/check/192.169.145.218" so this is not a "false positive" at all. It is a real positive and deserves to be blocked.

The response details from abuseipdb.com state that there have been 64 reports from 34 distinct sources beginning on January 8 2024, the most recent of which was just 30 minutes ago. Clearly not you, but another site on the same shared IP address. And apparently still getting new reports as we speak.

Surely the actual host of the shared server should deal with this problem. Yes?

#8

Post by Kevin Chalet » Tue Jun 04, 2024 12:15 pm

On a related note, does your shared host provide you with IPv6 connectivity? If so, it would be nice to add an AAAA record to (www.)thegreenbutton.tv for those of us who have a fully working IPv6 connection (or a non-dual-stack/IPv6-only connection).

#9

Post by holidayboy » Tue Jun 04, 2024 3:45 pm

Kevin Chalet wrote: Tue Jun 04, 2024 12:15 pm On a related note, does your shared host provide you with IPv6 connectivity?
Unfortunately not.
Rob.

#10

Post by holidayboy » Wed Jun 05, 2024 6:06 pm

Response from our hosts regarding our shared IP address being flagged by third parties:


'Hi,

Our security teams are constantly looking to make sure that the hosting platform is not being abused.

If we notice malicious behavior we take appropriate measures to stop the activity and secure the platform.

However, we will not actively try to remove the IP address from any “list” that will appear online.'



I can understand their reasoning for the last sentence, it would end up being a full time job for somebody - which would then push up the costs of shared hosting.

If members feel they can no longer use tgb.tv due to this issue then I'll look at moving to an alternative hosting solution that will allow for a dedicated IP address. If anybody wants to start a poll then please do.
Rob.
