Greetings,
We have received the following complaint regarding an IP on your network.Â
Please resolve the issue and update us with the actions you’ve taken to reach a
resolution.
Thank you,
–Â
namless drone | Network Operations Center Technician
———————————————————————-
Continuum Network Operations Center
Phone: 1.877.432.COLO
Email: [email protected]
www.Facebook.com/ContinuumColo
Received on Apr/13/2014 12:34:04AM
Dear abuse team,
please help to close these offending viruses sites(1) so far.
status: As of 2014-04-13 07:33:39 CEST
http://support.clean-mx.de/clean-mx/viruses.php?email=abusenoc@continuumdatacenters.com&response=alive
(for full uri, please scroll to the right end …Â
We detected many active cases dated back to 2007, so please look at the date
column below.
You may also subscribe to our MalwareWatch list
http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch
This information has been generated out of our comprehensive real time
database,
tracking worldwide viruses URI’s
If your review this list of offending site, please do this carefully, pay
attention for redirects also!
Also, please consider this particular machines may have a root kit installed !
So simply deleting some files or dirs or disabling cgi may not really solve the
issue !
Advice: The appearance of a Virus Site on a server means that
someone intruded into the system. The server’s owner should
disconnect and not return the system into service until an
audit is performed to ensure no data was lost, that all OS and
internet software is up to date with the latest security fixes,
and that any backdoors and other exploits left by the intruders
are closed. Logs should be preserved and analyzed and, perhaps,
the appropriate law enforcement agencies notified.
DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
PROBLEM, THEY WILL BE BACK!
You may forward my information to law enforcement, CERTs,
other responsible admins, or similar agencies.
+———————————————————————————————–
|date |id |virusname |ip |domain |Url|
+———————————————————————————————–
|2014-04-13 07:01:01
CEST |24886536 |WS.Reputation.1 |216.231.130.102 |superglobalmegacorp.com |http://vpsland.superglobalmegacorp.com/install/WindowsCE/nethack/nethack3.4.3-WinCE-2.11-x86.zip
+———————————————————————————————–
Your email address has been pulled out of whois concerning this offending
network block(s).
If you are not concerned with anti-fraud measurements, please forward this mail
to the next responsible desk available…
If you just close(d) these incident(s) please give us a feedback, our automatic
walker process may not detect a closed case
explanation of virusnames:
==========================
unknown_html_RFI_php not yet detected by scanners as RFI, but pure php code for
injection
unknown_html_RFI_perl not yet detected by scanners as RFI, but pure perl code
for injection
unknown_html_RFI_eval not yet detected by scanners as RFI, but suspect
javascript obfuscationg evals
unknown_html_RFI not yet detected by scanners as RFI, but trapped by our
honeypots as remote-code-injection
unknown_html not yet detected by scanners as RFI, but suspious, may be in rare
case false positive
unknown_exe not yet detected by scanners as malware, but high risk!
all other names malwarename detected by scanners
==========================
yours
Gerhard W. Recher
(CTO)
net4sec UG (haftungsbeschraenkt)
Leitenweg 6
D-86929 Penzing
GSM: ++49 171 4802507
Geschaeftsfuehrer: Martina Recher
Handelsregister Augsburg: HRB 27139
EG-Identnr: DE283762194
w3:Â http://www.clean-mx.de
e-Mail: [email protected]
PGP-KEY: Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id: 0xDD0CE552
Location:Â http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc
LOL.
Try [email protected], from their Whois.
Maybe he’ll also be up there to receive an award… 🙂
The only reply to this I could think of is this image: http://i0.kym-cdn.com/photos/images/original/000/461/903/3a9.png
yeah, ain’t that the truth!
You should store your files on the Internet Archive (archive.org).
They love software for outdated platform 🙂
I don’t think I’m notable enough yet to get a snapshot…. 🙁
you can sumbit them into the general software/misc files archive, not the wayback machine
ATGoKart> nico: Queued http://virtuallyfun.superglobalmegacorp.com/.
This snapshot will be in IA in a few days 🙂
Now, you can also create “collection” on IA and you can use an S3-like API for mass upload: https://archive.org/help/abouts3.txt
It reads like your hoster is just asking you for an acknowledgement that you’ve investigated. Is doing nothing a valid option?
It’s my hoster’s hoster (ie the data center) demanding to investigate, my guy read this, and then took my machine offline saying it was compromised.
I think they know they goofed, because they wouldn’t tell me what virus, even though I demanded to know from the start.
This is awesome 🙂
Btw. is http://www.nethack.org also blocked/offended by them ?
I’m from germany, should I wrote them that they just made an obvious mistake ?
I was going to send the nethack people an email alerting them that my WindowsCE version has been flagged by morons, and it could result in their carrier’s carrier getting one of these letters and the resulting fallout…
I mean is this poor guy going to get taken down as well?
From what I’ve read, this clean-mx will at best ignore people the screw over, or at worst make it a personal vendetta to threaten every person who dares to host their content (well not the end user, or their provider, but the higher upstream provider).
Keep in mind they threatened the people who own the data centre where I was located, not the people who I rented the server from.
What a mess!
What is worse, is these guys have no real ‘power’ if you tell them to go screw themselves they can’t do anything, but people react to these letters.
My own web site (including my blog, which covers also some virtual machine expirience stories) is also detect as a “Malware site” (which is ridiculous, too) in one case, the vendor is ParetoLogic, but unfortunately they do not show why. I guess it’s a chinese sub company which has their “consultants” who had to categorize sites. If they find a keyword like “Hack”, they obviously choose “Malware” or similar because of their limited knowledge and impreciseness. Fortunately it’s only one insignificant vendor, who cares about ParetoLogic …
Yeah, that’s how I’d feel about mx-safe, until they got the power of strong sounding form letters…
Digging around, I also hear this is a major horror if you get enough of these anonymous strikes and google/chrome and mozilla/firefox will put up some ‘you are a malware hosting site’ banner…
Good Grief!
True enough. I’ve seen that Chrome banner on a one-man site where a guy only posted his x86 emulator now and then. There was nothing else there. Fortinet flagged the site as malware as well, until I noticed them (as I mentioned earlier I suspect they start out by flagging everything as ‘Malware’ and rely on customers to whitelist sites for them).
-Tor
Just found out this Gerhard W. Recher’s http://www.clean-mx.de also flagged my websites many times in the past:
http://www.phishtank.com/phish_detail.php?phish_id=2387186&frame=site
He is quite annoying. And worse, held to no accountability.
Our work website just got hit by this stupidity. Our ISP got the exact same email (except replace the URLs). Funny thing is it was sent at almost the exact same time a customer I was talking to attempted to download our remote support tool…. Which their crappy antivirus blocked.
Looks to me like they’re receiving reports from a certain AV, auto-scanning, and auto-demanding the abuse contact take the site down. Pretty dumb idea.
I hear you. I had a pretty sweet hosting deal on an awesome dedicated server with a fast connection before this jerk screwed it all up. Even worse is that I was using this server for backups. And this IDIOT cost me the server, and all my backups. I still can’t believe that my hosting companies, data centre took anything from this jerk seriously. And I really love how he demands the server be formatted, and that is exactly what they did.
So now I have to host my files behind a simple password protection scheme that returns a 404 on every link I have as an attempt to thwart the auto-scanners.
All this because I had the nerve to host nethack for WindowsCE/i386 because his retarded ‘scanner’ doesn’t recognize WindowsCE/i386 binaries.
It has been six months, and I’m still mad about it.
This site Clean-mx.de is run by an incompetent security apprentice wannabe named Gerhard W Recher.
He has built an unprofessional spamming website that mainly goes out there sending emails to hosting service providers including bogus and false malware and virus reports threatening to close websites down.
Mr.Gerhard W Recher is specially interested to close down his own competitors businesses and websites and produces false malware reports to do so.
People like Gerhard W Recher should be thrown out of the internet for the benefit of the whole community!
Gerhard W Recher is a psycopath that sees monsters where they are not, he should send his cv to Holywood for the next psyco movie where he will surely perform a nice job as Mr.Bates.
Help stop this madness and get Clean-mx.de out of the net before this Gerhard W Recher psyco man closes down all the internet!
See:
http://www.bluetack.co.uk/forums/index.php?showtopic=20173&pid=93161
http://www.boredomsoft.org/clean-mx.bs
https://www.siteadvisor.com/sites/msgpage/clean-mx.de/
It looks like old style Nazi tactics and practices that Gerhard W. Recher is using. He has been building small concentration camps on the internet that with time are turning into large untolerable monsters. Like other Nazi psychopaths, I anticipate an unhappy ending for Gerhard W. Recher and Clean-mx.de.
wow, and people call me bitter!
I’d almost be happy if he just apologized for screwing me over, and put an end to this automated reign of terror.
Looks like Gerhard W. Recher is still cooking some shit out on the net.
Oh man, he should virus scan his ass!
Somebody kick this nazi’s ass out of the internet!
Go virus scan your ass Recher and eat your own shit nazi!
Hello!
Well we could make life interesting for the dumb schmuck by finding out who barely intelligent company made the most fallacious mistake of all by registering his firm, and then naturally find out who’s his ISP, and then send them the same complaint letters that you received partner, but complaining about his silly complaints.
It would certainly make life interesting for this fool.
Look what i just found
if you have questions, criticism, wishes or … do not hesitate to contact us at [email protected]
you may reach us by cell phone +49 171 4802507
And oddly enough it’s as useful as banging your head against the wall. But if enough people hit the wall…..
How we can block his crawler? They use virustotal.com reports, but they are doingan amateur email spam advertising.
I setup a simple 404 on all my downloads to prevent anyone from automatically scanning files. Then I setup an automated password generator to populate the 404 page with a ‘corrected’ link along with a username/password combination. It defeats robots, but some humans wget and then complain about the 404 without actually reading it.
It’s been effective for the last few years, so I guess that works well enough?
Go and virus scan you ass Gerhard W. Recher.
Eat your own shit Recher.
Clean-mx my ass, fucker.
Don’t forget to bring some toilet paper you ass cleaner.
Just posted a warning on Web of Trust. This dude’s friends with MysteryFCM, who advertised Clean MX’s services on that same platform meant for users to tell other users whether a site is trustworthy. Wow.
Password protection appears broken. Passwords are not being generated.
Strange, my rc.local didn’t execute on reboot to turn NAT back on. Oh well, it’s fixed, and downloads may resume!
Thank you! <3
And thanks for saving Neko from oblivion 🙂
I don't suppose you have had any luck collecting the source for any earlier versions? I'd like to have a little library of source code showing the evolution of Neko over the years.
I don’t have all that much, although last time I was looking I did find the first X-11 version buried in either SLS Linux or the first Debian.
I really ought to do some kind of neko preservation society or something.
Hilarious. I found your website because this dumbass appears to be still sending this shit these days.
Just as he blocked my attempt at getting people interested in Windows CE on the x86, you can bet he never updates a damned thing, and it’ll suppress Windows on ARM, as again it’s not a 100% uniform i386 Win32.
It’s absolute bullshit the way he portrays himself as being something legit, and worse how people read his ‘scare tactic’ letters and think it’s something legit.
The guy is a total douche.
fascist Weimar Republik 1919-1945 1oo% shame!!! Hohenzollerns are turning in graves!