
spectraip strange message

Hi,
I'm trying to access spectraip.net and I get this message.

Thanked by 1Kolestor

Comments

  • zGato Member

    i don't know what you expect us to do about that

  • ban them

  • just ignore and proceed and report it to cf as a false positive.

    Thanked by 1sillycat
  • DataWagon Member, Patron Provider

    Cloudflare is really bad about this. They flagged our homepage as phishing a few months back due to a false report. It's been 6 weeks and they still haven't reviewed our appeal or responded to us. We ended up switching CDNs after a week.

  • Swiftnode Member, Patron Provider, LIR
    edited June 2025

    @DataWagon said:
    Cloudflare is really bad about this. They flagged our homepage as phishing a few months back due to a false report. It's been 6 weeks and they still haven't reviewed our appeal or responded to us. We ended up switching CDNs after a week.

    It looks like this goes beyond just Cloudflare, ESET and a dozen other AVs are flagging their javascript files as malicious.

    If you look at their main.js for example, it looks like it's been maliciously modified, the bottom shows:


    edit: Seems like it's closely related to this NDSW/NDSX malware campaign from ~2021/2022. Wayback Machine shows that the javascript files on spectraip's site have been compromised since at least May 28, 2024.

    Ideally it is supposed to work like this:

    1. Operates in the background, generates two random base-36 values, converts them to a string.
    2. That string is used for a request to the animate.php with parameter "id"
    3. Animate.php is supposed to return something, which is then eval()'d by the malicious javascript.

    But animate.php seems to actually not exist, I tried hitting it with generated strings and couldn't get anything but a 404. Something like "m5x7a9b3f0z2k4l1j6h8" as the id parameter should return a value.

    My guess, their install was compromised at some point in the past, the animate.php was cleaned/removed, but the javascript still remains.
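
Added example, not part of the post above and not code from the affected site: a static triage function a site owner could run over their own .js files to spot the three steps just described (random base-36 id, request to a .php endpoint with an `id` parameter, `eval()` of the response). The sample scripts are constructed, `load` is a hypothetical helper, and treating `ndsw`/`ndsx` as identifiers in the injected code is an assumption based on the campaign name.

```javascript
// Added example: static triage of a .js file for the loader behaviour
// described in the post above. All sample input is constructed.
const INDICATORS = [
  { name: "base36-random-id", re: /Math\s*\.\s*random\s*\(\s*\)\s*\.\s*toString\s*\(\s*36\s*\)/g },
  { name: "php-id-request", re: /[\w.\/-]+\.php\?id=/g },
  { name: "eval-call", re: /\beval\s*\(/g },
  // Assumption: injected code uses identifiers matching the campaign name.
  { name: "campaign-marker", re: /\bnds[wx]\b/gi },
];

// List every indicator hit with its 1-based line number, in file order.
function findIndicators(source) {
  const hits = [];
  for (const { name, re } of INDICATORS) {
    for (const m of source.matchAll(re)) {
      hits.push({ name, line: source.slice(0, m.index).split("\n").length });
    }
  }
  return hits.sort((a, b) => a.line - b.line);
}

// Flag a file only when it can both obtain and execute a remote payload
// (eval plus a random id or a .php?id= request), or carries a campaign marker.
// A lone eval() is reported as a hit but not flagged.
function triage(source) {
  const hits = findIndicators(source);
  const has = (n) => hits.some((h) => h.name === n);
  const obtains = has("base36-random-id") || has("php-id-request");
  const suspicious = has("campaign-marker") || (has("eval-call") && obtains);
  return { suspicious, firstLine: hits.length ? hits[0].line : null, hits };
}

// Constructed samples: a small legitimate script, and the same script with
// two appended lines mirroring steps 1-3 (`load` is a hypothetical helper).
const CLEAN_SAMPLE = [
  "function toggleMenu(el) {",
  "  el.classList.toggle('open');",
  "}",
  "document.querySelectorAll('.nav').forEach(toggleMenu);",
].join("\n");
const INFECTED_SAMPLE = CLEAN_SAMPLE + "\n" + [
  "var id = Math.random().toString(36) + Math.random().toString(36);",
  "load('/animate.php?id=' + id, function (body) { eval(body); });",
].join("\n");

console.log(triage(INFECTED_SAMPLE));
```

Plain regexes only match readable code, so an obfuscated injection has to be deobfuscated first or caught by diffing each file against a known-good copy. The reported line numbers show whether the hits cluster at the bottom of the file, which is where the post says the modification sits.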

  • jure12 Member

    @Swiftnode said:

    @DataWagon said:
    Cloudflare is really bad about this. They flagged our homepage as phishing a few months back due to a false report. It's been 6 weeks and they still haven't reviewed our appeal or responded to us. We ended up switching CDNs after a week.

    It looks like this goes beyond just Cloudflare, ESET and a dozen other AVs are flagging their javascript files as malicious.

    If you look at their main.js for example, it looks like it's been maliciously modified, the bottom shows:


    edit: Seems like it's closely related to this NDSW/NDSX malware campaign from ~2021/2022. Wayback Machine shows that the javascript files on spectraip's site have been compromised since at least May 28, 2024.

    Ideally it is supposed to work like this:

    1. Operates in the background, generates two random base-36 values, converts them to a string.
    2. That string is used for a request to the animate.php with parameter "id"
    3. Animate.php is supposed to return something, which is then eval()'d by the malicious javascript.

    But animate.php seems to actually not exist, I tried hitting it with generated strings and couldn't get anything but a 404. Something like "m5x7a9b3f0z2k4l1j6h8" as the id parameter should return a value.

    My guess, their install was compromised at some point in the past, the animate.php was cleaned/removed, but the javascript still remains.

    @spectraip

  • Nothing New! Cloudflare is terrible, just use DNS mode only

  • Swiftnode Member, Patron Provider, LIR

    @Kolestor said:
    Nothing New! Cloudflare is terrible, just use DNS mode only

    Not sure why Cloudflare is getting the blame here.

  • Nyr Community Contributor, Veteran
    edited June 2025

    @Swiftnode said:

    @Kolestor said:
    Nothing New! Cloudflare is terrible, just use DNS mode only

    Not sure why Cloudflare is getting the blame here.

    Because they are notorious for flagging legit sites as phishing based on malicious and baseless reports (even if it is not the case here).

    Thanked by 1ServerBachelor
  • @DataWagon said: It's been 6 weeks and they still haven't reviewed our appeal or responded to us.

    That's why you email CF VPs the day it happens. Worked for me.

  • @Swiftnode said: It looks like this goes beyond just Cloudflare, ESET and a dozen other AVs are flagging their javascript files as malicious.

    spectraip.com != spectraip.net

    Reguards.

    Thanked by 2Swiftnode Firez
  • Swiftnode Member, Patron Provider, LIR
    edited June 2025

    @sillycat said:

    spectraip.com != spectraip.net

    Reguards.

    oh.. well that's a brand disaster.

    for what it's worth, spectraip.net is also flagged on ESET, but not due to the malicious javascript files above, but rather the IP being on their blacklist.

    other endpoints are not blacklisted, for example, dedicated.spectraip.net which is on 91.230.49.10 rather than 91.230.49.1 like the primary .net.

  • DediRock Member, Patron Provider

    That's not fun, hopefully it gets sorted soon.

  • jure12 Member

    @DediRock said:
    That's not fun, hopefully it gets sorted soon.

    They solved it. Spectraip is a very good hosting company.

  • @jure12 said:

    @DediRock said:
    That's not fun, hopefully it gets sorted soon.

    They solved it. Spectraip is a very good hosting company.

    Yeah Lucas Walter is a good guy. LOL

    but 0 support, if you had service with SKB-Enterprise / Phanes Cloud they ripped people off scamming them and providing 0 services

  • @jure12 said:

    @DediRock said:
    That's not fun, hopefully it gets sorted soon.

    They solved it. Spectraip is a very good hosting company.

    I paid renewal for 3 domains with SKB Enterprise and they vanished with the invoice after a few days, no one replies to tickets/email and if they did they do after half a year

    was lucky to transfer them out directly because they never renewed my domains
