
False Positive | expogr.com #1177

Closed
prestonrodrixx opened this issue Feb 22, 2025 · 5 comments

Comments

@prestonrodrixx

What are the subjects of the false-positive (domains, URLs, or IPs)?

Why do you believe this is a false-positive?

Our domain, expogr.com, was previously compromised due to a security breach, leading to its inclusion in the Phishing.Database. Upon identifying the issue, we took immediate action to remove all malicious content and migrated to a new, secure server on December 14, 2024. Comprehensive security scans have since confirmed that the site is now free of vulnerabilities. Given these remedial measures, we believe the current listing is a false positive and kindly request a re-evaluation of our domain's status.

How did you discover this false-positive(s)?

Website was hacked

Where did you find this false-positive if not listed above?

We became aware of this false-positive listing during a routine security audit of our domain, expogr.com. During this process, we utilized various security tools and services to assess our domain's status across multiple security databases. It was through this comprehensive evaluation that we discovered our domain had been flagged, prompting us to take immediate corrective actions.

Have you requested a review from other sources?

Yes, we have proactively reached out to other security platforms to address this issue. Notably, we have submitted a false positive removal request to CRDF Labs, providing them with detailed information about the previous compromise and the subsequent security measures we've implemented. We are currently awaiting their response and will provide any additional information they may require to expedite the re-evaluation process.

Do you have a screenshot?

Screenshot

Additional Information or Context

I have also noticed that...

@phishing-database-bot
Member

Verification Required

@prestonrodrixx, thank you for submitting a false positive report! To help us verify your ownership of the affected domain(s), please complete the following steps:

  1. Set a DNS TXT record for the domain(s) listed in this issue with the following details:

    • Record Name: _phishingdb
    • Record Value: antiphish-24073581891f91d22c3df0536770b474a1a95640

    Your Verification ID: antiphish-24073581891f91d22c3df0536770b474a1a95640

  2. Wait for DNS propagation (this may take a few minutes to a few hours).

  3. Reply to this issue once the TXT record has been set.

Important Notes

  • Verification does not guarantee whitelisting. The Phishing.Database team will review your report after verifying ownership, but the decision to whitelist depends on further investigation and analysis.
  • If the record cannot be set or you need alternative methods of verification, please contact us at contact@phish.co.za - preferably from the domain's official email address.

How to Check the TXT Record?

You can verify that the TXT record is properly set using:

Thank you for your cooperation! We will address your issue as soon as possible after verification.

The Phishing.Database Project Team.
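As an added example, not code from this issue or from the Phishing.Database project, the script below performs the check the bot's comment describes: it looks up the TXT record, joins its character-strings, and compares the published value with the verification ID. The FQDN `_phishingdb.expogr.com` is an assumption (the comment gives only the record name `_phishingdb`), the resolver `9.9.9.9` is an arbitrary public choice, and the DNS message is built and parsed by hand so the parser can be exercised offline against a constructed response; the `build_sample_response` helper exists only for that purpose.

```python
from __future__ import annotations

import socket
import struct

# Record name and token are quoted from the bot's comment; the FQDN is an assumption.
DOMAIN = "expogr.com"
RECORD_NAME = "_phishingdb"
EXPECTED_TOKEN = "antiphish-24073581891f91d22c3df0536770b474a1a95640"

TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_txt_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Build a standard query (RD set) for the TXT records of `name`."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_txt_response(msg: bytes, expected_txn_id: int | None = None) -> list[str]:
    """Return the TXT values in the answer section; each value is its joined strings."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txn_id is not None and txn_id != expected_txn_id:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    values = []
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype != TYPE_TXT:
            continue
        pos, parts = 0, []  # RDATA is a sequence of length-prefixed strings
        while pos < len(rdata):
            n = rdata[pos]
            parts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
            pos += 1 + n
        values.append("".join(parts))
    return values


def token_present(txt_values: list[str], expected: str) -> bool:
    """True when one published TXT value equals the verification ID exactly."""
    return any(v.strip() == expected for v in txt_values)


def check_txt_record(domain: str, expected: str, resolver: str = "9.9.9.9") -> bool:
    """Live check over UDP/53 against `resolver` (network access required)."""
    txn_id = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)
        s.sendto(build_txt_query(f"{RECORD_NAME}.{domain}", txn_id), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return token_present(parse_txt_response(data, txn_id), expected)


def build_sample_response(name: str, txt: str, txn_id: int = 0x1234) -> bytes:
    """Constructed offline response (one TXT answer, compressed owner name)."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    print("token published:", check_txt_record(DOMAIN, EXPECTED_TOKEN))
```

Comparing the whole value rather than searching for a substring matters because a TXT record longer than 255 bytes is split into several strings that must be joined before comparison; the transaction-id check guards against an unrelated datagram being read from the socket.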

@prestonrodrixx
Author

The TXT record has been set. Please check.

@spirillen
Contributor

Comments

DNS Check

ptcheck expogr.com antiphish-24073581891f91d22c3df0536770b474a1a95640
The test value matches the DNS TXT record.

Thanks for using my tools.
Please consider a sponsorship at https://www.mypdns.org/donate

Known phishing records

What can you tell me about these records, known to us from the PD project?

pyfunceble -u $(sd expogr.com)

Subject                                                                                              Status      Source     Expiration Date   HTTP Code  Checker       Tested At          
---------------------------------------------------------------------------------------------------- ----------- ---------- ----------------- ---------- ------------- -------------------
http://expogr.com/application/_notes/cap.php                                                         INACTIVE    STDLOOKUP  Unknown           404        AVAILABILITY  23. Feb 2025 00:43:54
http://expogr.com/application/c_s/js/_notes/cab.php                                                  INACTIVE    STDLOOKUP  Unknown           404        AVAILABILITY  23. Feb 2025 00:43:54

Execution Time: 00:00:00:1.936239

Verdict

Waiting for a response in the found issue, but looking good so far


Thank you for reaching out. I want to clarify that I am not the owner of this project nor user of it. I assist with the whitelisting of domains to the best of my ability, but I do this as an unpaid volunteer in my free time. Your understanding and patience are greatly appreciated.
Additionally, I would like to share that I occasionally struggle with a mild degree of PTSD, which means I tend to forget even small details, like whether I had breakfast this morning. So please bear with me if I'm losing the thread sometimes. Your understanding and patience in this matter are greatly appreciated.

If you feel inclined to buy me a cup of coffee, it would certainly help speed up the process, but please know that it will not influence my decisions or verdicts in any way.

Additionally, I want to be very clear: I do not access any Cloudflare, CloudFront, or Google networks. This is a matter of principle for me, as I believe in upholding human rights, the right to online privacy, and network security. These services often intercept traffic to collect personally identifiable information (PII), which I believe compromises our autonomy and makes us all puppets to the big tech puppeteers.

Thank you for your understanding!

Best regards.

@prestonrodrixx
Author

prestonrodrixx commented Feb 23, 2025

We have identified that the URLs http://expogr.com/application/_notes/cap.php and http://expogr.com/application/c_s/js/_notes/cab.php were present on our previous server without our knowledge. These files have been removed, and our current server is secure. Additionally, CRDF Labs has removed expogr.com from their blacklist. We kindly request that you also remove expogr.com from your blacklist.

Thank you for your assistance.

spirillen added a commit to Phishing-Database/phishing that referenced this issue Feb 23, 2025
@spirillen
Contributor

Thanks for your reply, that is the answer I like to hear.

Just a little note for below: I did see Nissa online yesterday, but have not gotten any note regarding the whitelist failures; it might have come to life.. ⛪

Whitelist Request Update

Added with: b42535100730abb214854be73909c5a1aba62ea2

I want to start by saying that I currently do not have any further options to assist you regarding the whitelisting process, as it all hinges on the issue outlined in this issue.

Thank you for your patience as we navigate the whimsical world of whitelisting! Unfortunately, we can’t wrap up your request just yet, as we’re currently waiting on a little help from our friend @funilrys over at that issue. It seems the handling of whitelists in the Phishing-Database project has hit a bit of a snag, and @funilrys is the only one with the keys to the server that processes this data.

If you could kindly pop over to that issue and request that other trusted System Administrators gain access to the server for restarting the failed jobs, it would be immensely helpful. The more voices we have, the better!

Additionally, I must inform you that I do not have any power regarding the whitelisting processes on VirusTotal. For further requests about being whitelisted on VirusTotal, I recommend reaching out to their support platform and directing their attention towards this issue and the one at this issue to see if that can assist in getting you removed from VT.

In the meantime, here’s our usual standard answer regarding the visibility of changes:

  • The change should be visible to Phishing-Database within a few hours.
  • It can take a few days before you see any changes on VirusTotal; contact VT.

Thanks for your understanding, and let’s get this sorted out together!

Cheers!
