nightbyrd Posted November 22, 2014

Just sent an email from one of my domain accounts to a Yahoo address and the message was returned to sender ("Mail delivery failed: returning message to sender") with the following explanation: "Connections will not be accepted from 65.19.143.2, because the ip is in Spamhaus's list."

I went to Spamhaus and entered the IP address (which belongs to the Stevie server). Here's the result:

IP Address 65.19.143.2 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2014-11-22 00:00 GMT (+/- 30 minutes), approximately 30 minutes ago.
The host at this IP address is infected with the CryptoPHP PHP malware.
CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. More information about this threat can be found on the referenced link below.
Fox-IT: CryptoPHP - Analysis of a hidden threat inside popular content management systems
Attackers Using Compromised Web Plug-Ins in CryptoPHP Blackhat SEO Campaign
This infection almost certainly means that the infected web site has used pirated plugins from the nulledstylez.com, dailynulled.com sites or some other site that specializes in providing "nulled" (pirated) software. Fox-IT's research has shown that every pirated theme or plug-in on these two sites has been infested with the cryptophp malware.
There are a number of scanners that can be used on web servers to try to find malicious PHP and Perl scripts, such as rkhunter etc. With the assistance of others, we've written a simple perl script called findbot.pl that searches for such things as r57shell, cryptphp etc. It will search your system and find potentially dangerous scripts. As it's very simple-minded you will have to carefully inspect the files it finds to verify whether what it finds is malicious or not.
Be aware of the file types - finding executable code fragments within ".png" or ".jpg" files clearly demonstrates that the file is malicious.
In order to use findbot.pl, you will need Perl installed.
Install perl if necessary
Download findbot.pl
Follow the instructions at the beginning of the findbot.pl file
WARNING: If you continually delist 65.19.143.2 without fixing the problem, the CBL will eventually stop allowing the delisting of 65.19.143.2. If you have resolved the problem shown above and delisted the IP yourself, there is no need to contact us.
Click on this link to delist 65.19.143.2.

I assume you will take care of this and there's nothing for me to do?
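An added example of the file-type check the CBL notice describes (this is not findbot.pl and not code from the thread): it walks a web root, flags image-extension files whose leading bytes are not a real image header or that contain PHP fragments, and flags PHP files that include() an image-named file, which is the loader half of the CryptoPHP pattern. The signature list and the sample tree (images/logo.png, images/social.png, footer.php) are constructed stand-ins for illustration.

```python
import os
import re
import tempfile

# Executable PHP fragments that have no business inside an image file
# (constructed pattern set for this example; findbot.pl carries its own signatures).
PHP_PATTERNS = [re.compile(p) for p in (
    rb"<\?php", rb"<\?=", rb"\beval\s*\(", rb"\bbase64_decode\s*\(", rb"\bgzinflate\s*\(")]
# Leading bytes a genuine image of each type starts with.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}
# The loader half of the pattern: PHP code that include()s or require()s an image-named file.
INCLUDE_IMAGE = re.compile(
    rb"\b(include|require)(_once)?\s*\(?\s*['\"][^'\"]+\.(png|jpe?g|gif)['\"]")

def scan_file(path):
    """Return a list of findings for one file; an empty list means nothing suspicious."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if ext in MAGIC:
        if not data.startswith(MAGIC[ext]):
            findings.append("bad magic for " + ext)
        findings += ["php fragment " + p.pattern.decode() for p in PHP_PATTERNS if p.search(data)]
    elif ext in (".php", ".inc", ".phtml") and INCLUDE_IMAGE.search(data):
        findings.append("includes image-named file")
    return findings

def scan_tree(root):
    """Walk a web root; map each suspicious path (relative to root) to its findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            findings = scan_file(path)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report

def build_sample_tree():
    """Create a constructed web root (harmless stand-ins, not real malware) and return its path."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "logo.png"), "wb") as fh:
        fh.write(MAGIC[".png"] + b"\x00" * 32)               # benign: real header, no code
    with open(os.path.join(root, "images", "social.png"), "wb") as fh:
        fh.write(b"<?php eval(base64_decode('QUJD')); ?>")   # image name, PHP body
    with open(os.path.join(root, "footer.php"), "wb") as fh:
        fh.write(b"<?php include('images/social.png'); ?>")  # loader that executes the 'image'
    return root
```

Run `scan_tree("/path/to/webroot")` on a real site and review every hit by hand, as the CBL text advises; a pattern match is a lead, not a verdict.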
wolstech Posted November 22, 2014 Someone's account probably has malware... Krydos will need to take care of this and have it unblocked.
wolstech Posted November 22, 2014 This support request is being escalated to our root admin.
r0nmlt Posted November 24, 2014 MX Toolbox reports 65.19.143.2 is listed on CBL, Spamhaus and Truncate.
wolstech Posted November 26, 2014 It can take several days if not a week or more for krydos to check the boards. Give it time.
wolstech Posted November 27, 2014 Stevie appears to no longer be blacklisted: http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a65.19.143.2&run=toolpage
wolstech Posted November 29, 2014 He hasn't been on at all this week. He's very busy lately. It was two weeks between logins for him last time.
Krydos Posted December 2, 2014 Stevie is no longer listed in any spam lists that I can find.