False Positive | *.exo.io

[lcrt5]

What are the subjects of the false-positive (domains, URLs, or IPs)?

• sos-ch-dk-2.exo.io
• sos-ch-gva-2.exo.io
• sos-de-muc-1.exo.io
• sos-de-fra-1.exo.io

Why do you believe this is a false-positive?

These domains appeared in this blocklist a few weeks ago (even though the content had already been taken down weeks before).
Since, the list has been updated and these domains do not appear anymore in Phishing Database (thanks for your reactivity on this!). However, they still do appear to be listed by Phishing Database on Virus Total. Could there be a broken integration between Phishing Database and Virus Total?

Thanks for your help and support on this.
Cheers

How did you discover this false-positive(s)?

VirusTotal

Where did you find this false-positive if not listed above?

Have you requested a review from other sources?

Do you have a screenshot?

The domains mentioned above are not listed on PhishTank or OpenFish.

Screenshot

Additional Information or Context

No response

[phishing-database-bot]

Verification Required

@lcrt5, thank you for submitting a false positive report! To help us verify your ownership of the affected domain(s), please complete the following steps:

1. Set a DNS TXT record for the domain(s) listed in this issue with the following details:

   • Record Name: _phishingdb
   • Record Value: antiphish-cbd357bd0c9393aa3596b7050f5e74e6c7b27f63

   Your Verification ID: antiphish-cbd357bd0c9393aa3596b7050f5e74e6c7b27f63

2. Wait for DNS propagation (this may take a few minutes to a few hours).

3. Reply to this issue once the TXT record has been set.

Important Notes

• Verification does not guarantee whitelisting. The Phishing.Database team will review your report after verifying ownership, but the decision to whitelist depends on further investigation and analysis.
• If the record cannot be set or you need alternative methods of verification, please contact us at [email protected] - preferably from the domain's official email address.

How to Check the TXT Record ?

You can verify that the TXT record is properly set using:

• Online tools like Google's Dig Tool or MXToolBox TXT Lookup.
• The command line:

  dig TXT _phishingdb.example.com
  

Thank you for your cooperation! We will address your issue as soon as possible after verification.

The Phishing.Database Project Team.

[lcrt5]

TXT record now set for exo.io
Cheers

[lcrt5]

Any update on the case by any chance? cc @mitchellkrogza @funilrys @spirillen @g0d33p3rsec
Cheers

[spirillen]

Yeah, I'm taking a break, as my own project is re-creating its issues, so I'm rewriting all my scripts, meaning only my matrix script, is back up, and it is not supporting this project; @g0d33p3rsec is in school and doing a lot of homework; @funilrys and @mitchellkrogza ??

but what is exo.io, you might get my attention tomorrow, now it about bedtime

[lcrt5]

Thanks @spirillen

exo.io is the domain used by the European cloud provider Exoscale, for their Object Storage service (similar to AWS S3, called SOS). Here is some info about it: Exoscale - Object Storage

There are different subdomains corresponding to the different zones (for example sos-ch-gva-2.exo.io or the other subdomains listed above in this thread)

Cheers

[spirillen]

you got whitelisted in https://github.com/Phishing-Database/Phishing 1bec061e752fae2dc84bd612f9b54dd50e06c947

[lcrt5]

Hi @spirillen thanks a lot for the update and the whitelisting. Though, I noticed that these domains still appear as being flagged in VirusTotal. Is there anything else to be done to solve this issue? Cheers

[spirillen]

Standard answer, as per README

• The change should be visible to https://github.com/Phishing-Database/ within a few hours
• It can take a few days before you see any changes on VirusTotal

If you want more, you'll need to contact VT as we do not PUSH, they PULL

[spirillen]

Strike previous msg....

found these new records in the DB

sd exo.io
https://sos-ch-dk-2.exo.io/protected09062022mail51xsu9030znc0287hvzhaw02692bzfuiw048615931/protected.html
https://sos-ch-gva-2.exo.io/eli/6stxu2wLGBhD3c289yd49dVEN.html
https://sos-ch-gva-2.exo.io/itu03834-3ck/login_SJALJJH383_KXQCqZXAPJHDJHDJZUYDZXFCGHUIOLYDGJDf8733.html
https://sos-ch-gva-2.exo.io/vol048-edfjf/login_SJALJJH383_KXQCqZXAPJHDJHDJZUYDZXFCGHUIOLYDGJDf8733.html
https://sos-de-fra-1.exo.io/redcodc-0pc/v9o4hx.html
https://sos-de-muc-1.exo.io/prodax0-pod/login_SJALJJH383_KXQCqZXAPJHDJHDJZUYDZXFCGHUIOLYDGJDf8733.html
https://sos-de-muc-1.exo.io/qbo-ictin/login_SJALJJH383_KXQCqZXAPJHDJHDJZUYDZXFCGHUIOLYDGJDf8733.html
https://sos-de-muc-1.exo.io/qvos-boc/login_SJALJJH383_KXQCqZXAPJHDJHDJZUYDZXFCGHUIOLYDGJDf8733.html
https://sos-de-muc-1.exo.io/wecopl-t56/w34rfgyuiol.html
https://sos-de-muc-1.exo.io/woxmax2-pljx/login_SJALJJH383_KXQCqZXAPJHDJHDJZUYDZXFCGHUIOLYDGJDf8733.html

[spirillen]

Subject                                                                                              Status      Source     Tested At          
---------------------------------------------------------------------------------------------------- ----------- ---------- -------------------
https://sos-ch-gva-2.exo.io/eli/6stxu2wLGBhD3c289yd49dVEN.html                                       INACTIVE    STDLOOKUP  03. Feb 2025 16:19:55
https://sos-de-fra-1.exo.io/redcodc-0pc/v9o4hx.html                                                  INACTIVE    STDLOOKUP  03. Feb 2025 16:19:56
https://sos-ch-dk-2.exo.io/protected09062022mail51xsu9030znc0287hvzhaw02692bzfuiw048615931/protected.html INACTIVE    STDLOOKUP  03. Feb 2025 16:19:56
https://sos-ch-gva-2.exo.io/itu03834-3ck/login_SJALJJH383_KXQCqZXAPJHDJHDJZUYDZXFCGHUIOLYDGJDf8733.html INACTIVE    STDLOOKUP  03. Feb 2025 16:19:56
https://sos-ch-gva-2.exo.io/vol048-edfjf/login_SJALJJH383_KXQCqZXAPJHDJHDJZUYDZXFCGHUIOLYDGJDf8733.html INACTIVE    STDLOOKUP  03. Feb 2025 16:19:56
https://sos-de-muc-1.exo.io/prodax0-pod/login_SJALJJH383_KXQCqZXAPJHDJHDJZUYDZXFCGHUIOLYDGJDf8733.html INACTIVE    STDLOOKUP  03. Feb 2025 16:19:57
https://sos-de-muc-1.exo.io/wecopl-t56/w34rfgyuiol.html                                              ACTIVE      HTTP CODE  03. Feb 2025 16:19:57
https://sos-de-muc-1.exo.io/qbo-ictin/login_SJALJJH383_KXQCqZXAPJHDJHDJZUYDZXFCGHUIOLYDGJDf8733.html INACTIVE    STDLOOKUP  03. Feb 2025 16:19:58
https://sos-de-muc-1.exo.io/qvos-boc/login_SJALJJH383_KXQCqZXAPJHDJHDJZUYDZXFCGHUIOLYDGJDf8733.html  INACTIVE    STDLOOKUP  03. Feb 2025 16:19:59
https://sos-de-muc-1.exo.io/woxmax2-pljx/login_SJALJJH383_KXQCqZXAPJHDJHDJZUYDZXFCGHUIOLYDGJDf8733.html INACTIVE    STDLOOKUP  03. Feb 2025 16:19:59

Execution Time: 00:00:00:8.038396

[lcrt5]

I confirm that all these links are now dead and that the files that may have been stored there in the past were taken down. There is no malicious file anymore under these URLs (including the one that still shows an ACTIVE status in the list above).
Thanks a lot