
nightbyrd

Members, 7 posts

Posts posted by nightbyrd

  1. Just tried to send an email from my account that was returned because IP 65.19.143.2 is listed in Spamhaus XBL. I looked it up and apparently some moron installed pirated themes or plugins and now the web server is infected. Hope you can take care of this. Here's the info:
    IP Address 65.19.143.2 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

    It was last detected at 2015-04-10 19:00 GMT (+/- 30 minutes), approximately 3 hours, 30 minutes ago.

    Due to how these infections are being delisted without being corrected, you cannot delist this IP address until there's been at least 48 hours of no-relisting.

    The host at this IP address is infected with the CryptoPHP PHP malware.

    CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. More information about this threat can be found on the referenced link below.

    This infection almost certainly means that the infected web site has used pirated plugins from the nulledstylez.com, dailynulled.com sites or some other site that specializes in providing "nulled" (pirated) software. Fox-IT's research has shown that every pirated theme or plug-in on these two sites has been infested with the cryptophp malware.

    This was detected by a TCP connection from 65.19.143.2 on port 50927 going to IP address 192.42.116.41 (the sinkhole) on port 80.

    The botnet command and control domain for this connection was "carandfly.net".

    Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 192.42.116.41 or host name carandfly.net on any port with a network sniffer such as Wireshark, or by configuring the router to block and log such connections. Equivalently, you can examine your DNS server or proxy server logs for references to 192.42.116.41 or carandfly.net. See Advanced Techniques for more detail on how to use Wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

    This detection corresponds to a connection at 2015-04-10 19:20:07 (GMT - this timestamp is believed accurate to within one second).

    Fox-IT has published a new blog item on this infection. Fox-IT has written two Python scripts that should be very good at finding these infections: check_url.py and check_filesystems.py. The first script scans a web site to find the infection, the second is used for scanning the web site's filesystem to find the infection. Please go to the above Fox-IT link to obtain these scripts and further instructions.

    Fox-IT recommends that you should NOT try to "repair" the infection. The infected account should be reinstalled from scratch.

    I shall repeat the previous paragraph: removing the "social.png" file DOES NOT remove the infection. "social.png" is only just one small piece of it. The infected account should be reinstalled from scratch.

    This listing cannot be delisted until at least 48 hours (2 days) have elapsed from the last listing. In 2 days from the above listing timestamp, come back here and you'll be able to delist this IP.

  2. Just sent an email from one of my domain accounts to a Yahoo address and the message was returned to sender ("Mail delivery failed: returning message to sender") with the following explanation:
    "Connections will not be accepted from 65.19.143.2, because the ip is in Spamhaus's list."
    I went to Spamhaus and entered the IP address (which belongs to the Stevie server). Here's the result:
    IP Address 65.19.143.2 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

    It was last detected at 2014-11-22 00:00 GMT (+/- 30 minutes), approximately 30 minutes ago.

    The host at this IP address is infected with the CryptoPHP PHP malware.

    CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. More information about this threat can be found on the referenced link below.

    This infection almost certainly means that the infected web site has used pirated plugins from the nulledstylez.com, dailynulled.com sites or some other site that specializes in providing "nulled" (pirated) software. Fox-IT's research has shown that every pirated theme or plug-in on these two sites has been infested with the cryptophp malware.

    There are a number of scanners that can be used on web servers to try to find malicious PHP and Perl scripts, such as rkhunter etc.

    With the assistance of others, we've written a simple perl script called findbot.pl that searches for such things as r57shell, cryptphp etc. It will search your system and find potentially dangerous scripts.

    As it's very simple-minded you will have to carefully inspect the files it finds to verify whether what it finds is malicious or not. Be aware of the file types - finding executable code fragments within ".png" or ".jpg" files clearly demonstrates that the file is malicious.

    In order to use findbot.pl, you will need Perl installed.

    • Install perl if necessary
    • Download findbot.pl
    • Follow the instructions at the beginning of the findbot.pl file

    WARNING: If you continually delist 65.19.143.2 without fixing the problem, the CBL will eventually stop allowing the delisting of 65.19.143.2.

    If you have resolved the problem shown above and delisted the IP yourself, there is no need to contact us.

    Click on this link to delist 65.19.143.2.
    I assume you will take care of this and there's nothing for me to do?
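The two listings quoted above describe two triage steps: search DNS or proxy logs for the sinkhole IP 192.42.116.41 and the C2 domain carandfly.net (first post), and look for executable code inside ".png"/".jpg" files and for the "social.png" dropper (second post). The script below is an added example that does both; it is not the CBL's findbot.pl nor Fox-IT's check_url.py/check_filesystems.py. The log lines and the web-root files it scans are constructed here, and the theme path `wp-content/themes/nulled-theme` is made up for the demo.

```python
"""Added example: triage a CryptoPHP listing offline.

1. find_sinkhole_hits(): flag log lines referencing the sinkhole IP or C2 domain.
2. scan_web_root(): flag image files that carry PHP, images with wrong magic
   bytes, and PHP files that include/require an image path (the social.png trick).
"""
import os
import re
import tempfile

# Indicators quoted in the CBL listing above.
SINKHOLE_IP = "192.42.116.41"
C2_DOMAIN = "carandfly.net"

# Match the IP only as a whole dotted quad (so 192.42.116.4 or 192.42.116.410
# do not hit) and the domain with any subdomain label but not as a suffix of
# a longer label (notcarandfly.net does not hit).
_IOC_RE = re.compile(
    r"(?<![\d.])" + re.escape(SINKHOLE_IP) + r"(?![\d.])"
    + r"|(?<![A-Za-z0-9-])(?:[A-Za-z0-9-]+\.)*" + re.escape(C2_DOMAIN)
    + r"(?![A-Za-z0-9-])",
    re.IGNORECASE,
)

# Constructed sample: two BIND-style query log lines and three Squid-style
# access log lines. Only lines 1 and 3 reference the real indicators.
CONSTRUCTED_LOG_LINES = [
    "10-Apr-2015 19:20:07.123 queries: info: client 10.0.0.5#50927: query: carandfly.net IN A + (10.0.0.1)",
    "10-Apr-2015 19:20:08.001 queries: info: client 10.0.0.7#40011: query: www.example.org IN A + (10.0.0.1)",
    "1428693607.412    120 10.0.0.5 TCP_MISS/200 512 POST http://192.42.116.41/ - DIRECT/192.42.116.41 text/html",
    "1428693610.100     80 10.0.0.9 TCP_HIT/200 1024 GET http://192.42.116.4/x - DIRECT/192.42.116.4 text/html",
    "10-Apr-2015 19:21:00.500 queries: info: client 10.0.0.8#51000: query: notcarandfly.net IN A + (10.0.0.1)",
]


def find_sinkhole_hits(log_lines):
    """Return [(line_no, line)] for every line mentioning the sinkhole IP or C2 domain."""
    return [(n, line.rstrip("\n")) for n, line in enumerate(log_lines, 1)
            if _IOC_RE.search(line)]


# Magic bytes a genuine file of each extension must start with.
_IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# PHP open tags plus the obfuscation primitives such droppers typically lean on.
_PHP_CODE_RE = re.compile(
    rb"<\?php\b|<\?=|\beval\s*\(|\bbase64_decode\s*\(|\bgzuncompress\s*\(", re.IGNORECASE)
# PHP source that include()s / require()s a path with an image extension.
_IMAGE_INCLUDE_RE = re.compile(
    rb"\b(?:include|require)(?:_once)?\s*\(?\s*['\"][^'\"]*\.(?:png|jpe?g|gif)['\"]",
    re.IGNORECASE)


def image_file_verdict(path):
    """None for a file that is not an image by extension or looks clean; otherwise
    'php-code-in-image' or 'bad-magic'."""
    magic = _IMAGE_MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return None
    with open(path, "rb") as fh:
        data = fh.read()
    if _PHP_CODE_RE.search(data):
        return "php-code-in-image"
    if not data.startswith(magic):
        return "bad-magic"
    return None


def scan_web_root(root):
    """Walk `root` and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            verdict = image_file_verdict(path)
            if verdict:
                findings.append((rel, verdict))
            elif name.lower().endswith((".php", ".phtml", ".inc")):
                with open(path, "rb") as fh:
                    if _IMAGE_INCLUDE_RE.search(fh.read()):
                        findings.append((rel, "php-includes-image"))
    return sorted(findings)


def build_constructed_sample(root):
    """Write a constructed (harmless) web root: a genuine-looking PNG, a
    'social.png' that is really PHP, and a theme functions.php including it."""
    theme = os.path.join(root, "wp-content", "themes", "nulled-theme")
    os.makedirs(os.path.join(theme, "images"))
    with open(os.path.join(theme, "images", "logo.png"), "wb") as fh:
        fh.write(_IMAGE_MAGIC[".png"] + b"\x00" * 64)
    with open(os.path.join(theme, "images", "social.png"), "wb") as fh:
        fh.write(b"<?php eval(gzuncompress(base64_decode('...'))); ?>")
    with open(os.path.join(theme, "functions.php"), "wb") as fh:
        fh.write(b"<?php\ninclude('images/social.png');\n")
    return theme


def run_demo():
    """Return (hit line numbers from the sample log, findings from the sample root)."""
    hits = [n for n, _ in find_sinkhole_hits(CONSTRUCTED_LOG_LINES)]
    with tempfile.TemporaryDirectory() as root:
        build_constructed_sample(root)
        findings = scan_web_root(root)
    return hits, findings


if __name__ == "__main__":
    hits, findings = run_demo()
    print("log lines referencing sinkhole/C2:", hits)
    for rel, reason in findings:
        print(f"{reason:20s} {rel}")
```

On a real host, point scan_web_root() at the document root (or the whole account, since the second listing's advice is to reinstall the account) and feed find_sinkhole_hits() your named query log or proxy access log. Treat every finding as a reason to rebuild from clean sources rather than as a list of files to delete: as the first listing stresses, removing social.png alone does not remove the infection.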
