woodelf
I received a warning that my domain 'lignumspectare.com' was blacklisted, and further checking gave the results below:
CBL Lookup Utility
IP Address 198.91.81.2 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2013-09-03 14:00 GMT (+/- 30 minutes), approximately 9 hours, 30 minutes ago.
NEW INFORMATION: IMPORTANT
The IP address 198.91.81.2 corresponds to a web site that is infected with a spam or malware forwarding link.
The website's host name is "42-terra.com", and this link is an example of the redirect: "http://42-terra.com/bombshell.html?wagosi".
In other words the website "42-terra.com" has been hacked.
The web site "42-terra.com" may not be familiar to you. This means that another customer of your provider is hosting their web site on the same IP address as you. In that case, you really need to get your provider to assist you.
Usually, the redirect takes the user's browser to a spam or malware site. It's usually fake Russian pills or pornography.
Usually, the infection is a cPanel, Plesk, Joomla or WordPress CMS install that has become infected either through a vulnerability (meaning the CMS software is out of date and needs patching), or the owner of "42-terra.com" has had their account information (user IDs/passwords) compromised. Then malicious software/files are being uploaded by ftp or ssl.
It is often simplest to disable or suspend the web site (meaning you can delist the IP to resolve your CBL listing issues) and then deal with the problem in a somewhat more leisurely/less-urgent fashion.
In many cases, particularly with older compromises, the criminals that hacked this site will have uploaded a wide variety of spamming and other compromise tools. Therefore, the account corresponding to "42-terra.com" needs to be examined very carefully for signs of tampering. Further, the criminal will even modify existing web pages (particularly http://42-terra.com itself) to have hidden references to pill/drug/porn sites. If you're not completely certain that you've removed all traces of the compromise, we strongly recommend reinstalling the site from scratch.
Furthermore, the site's passwords MUST be changed, and the customer should run anti-virus scanners on their own personal computers immediately to try to find and remove any keystroke loggers.
We believe that the malicious redirects are done by altering web server access control mechanisms (example, ".htaccess" files on Apache web servers), and causing the redirect to occur on all "404 url not found" errors. We would appreciate it if you can give us copies of the modifications that this infection has made to your system.
If you do not recognize the hostname "42-terra.com" as belonging to you, it means that some other account on this shared hosting site has been compromised, and there is NOTHING you (or we) can do to fix the infection. Only the administrator of this machine or the owner of "42-terra.com" can fix it.
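The CBL notice above attributes the redirect to altered .htaccess files that send every "404 not found" request off-site. As an added example (not part of the original post, of CBL's tooling, or of the hosting provider's), here is a small Python scanner that walks a document root and flags .htaccess directives that redirect visitors to a foreign host: the ErrorDocument-404 trick CBL describes, plain Redirect/RewriteRule directives with an external target, and the related referer-based cloaking condition that such infections commonly carry (a generalization beyond the notice). The hostnames in OWN_HOSTS and the sample .htaccess content are assumptions constructed for the example; example.invalid stands in for the attacker's destination.

```python
"""Flag .htaccess directives that send visitors off-site (added example).

Assumptions: Apache-style .htaccess syntax; OWN_HOSTS lists the names the
site legitimately redirects to, so foreign targets can be told apart.
"""
import os
import re
import shlex
import tempfile
from datetime import datetime, timezone
from urllib.parse import urlparse

# Assumption: the site's own hostnames (taken from the poster's domain).
OWN_HOSTS = {"lignumspectare.com", "www.lignumspectare.com"}
ABS_URL = re.compile(r"^https?://", re.I)
SEARCH_ENGINES = re.compile(r"google|yahoo|bing|msn|ask\.", re.I)


def is_offsite(target, own_hosts):
    """True for an absolute URL whose host is not one of our own names."""
    if not ABS_URL.match(target):
        return False
    host = (urlparse(target).hostname or "").lower()
    return host not in own_hosts


def find_suspicious_directives(text, own_hosts=OWN_HOSTS):
    """Return (line_no, reason, target) for each directive that redirects
    off-site or conditions a rewrite on how the visitor arrived."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            parts = line.split()
        if len(parts) < 2:
            continue
        d = parts[0].lower()
        if d == "errordocument" and len(parts) >= 3 and is_offsite(parts[2], own_hosts):
            # An absolute URL makes Apache *redirect* the client on that error,
            # which is exactly the "redirect on 404" behaviour CBL describes.
            findings.append((no, f"ErrorDocument {parts[1]} redirects off-site", parts[2]))
        elif d in ("redirect", "redirectmatch", "redirectpermanent", "redirecttemp") \
                and is_offsite(parts[-1], own_hosts):
            findings.append((no, f"{parts[0]} to foreign host", parts[-1]))
        elif d == "rewriterule" and len(parts) >= 3 and is_offsite(parts[2], own_hosts):
            # An absolute URL as the substitution is an implicit external redirect.
            findings.append((no, "RewriteRule to foreign host", parts[2]))
        elif d == "rewritecond" and len(parts) >= 3:
            var = parts[1].upper()
            if ("HTTP_REFERER" in var or "HTTP_USER_AGENT" in var) and SEARCH_ENGINES.search(parts[2]):
                findings.append((no, "rewrite conditioned on search-engine referer/UA (cloaking)", parts[2]))
    return findings


def scan_docroot(root, own_hosts=OWN_HOSTS):
    """Walk a document root; return [(relative path, mtime in UTC, findings)]
    for every .htaccess that contains something suspicious. Read-only."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = find_suspicious_directives(fh.read(), own_hosts)
        if findings:
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc)
            hits.append((os.path.relpath(path, root), mtime.isoformat(), findings))
    return sorted(hits)


# Constructed sample modelled on the CBL description; not from any real site.
SAMPLE_HTACCESS = """\
RewriteEngine On
ErrorDocument 404 http://example.invalid/bombshell.html?wagosi
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC]
RewriteRule ^(.*)$ http://example.invalid/$1 [R=302,L]
Redirect 301 /old http://www.lignumspectare.com/new
ErrorDocument 403 /errors/403.html
"""


def demo():
    """Build a throwaway docroot with one tampered and one clean .htaccess and scan it."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write(SAMPLE_HTACCESS)
    with open(os.path.join(root, "blog", ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\n")  # benign: directory listing off
    return scan_docroot(root)


if __name__ == "__main__":
    for rel, mtime, findings in demo():
        print(f"{rel} (modified {mtime})")
        for no, reason, target in findings:
            print(f"  line {no}: {reason}: {target}")
```

Run it as-is to see the demo, or call scan_docroot("/home/<user>/public_html") from a shell account against the real document root; it only reads files, so it is safe on a live shared host, and the modification times it reports are what you would hand to CBL when they ask for copies of what changed. It will not flag an ErrorDocument that points at a local PHP file which itself performs the redirect, so any recently modified .htaccess or PHP file still deserves a manual look.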