Hi, I tried to send out several emails today; all got bounced back to me, and a link to the following page was provided:
http://cbl.abuseat.org/lookup.cgi?ip=74.63.233.26
IP Address 74.63.233.26 is currently listed in the CBL.
It was detected at 2010-02-26 08:00 GMT (+/- 30 minutes), approximately 23 hours, 30 minutes ago.
There will usually be a link to self-remove this IP from the CBL at the end of this page, but read the following text first.
It has been relisted following a previous removal at 2010-02-25 14:30 GMT.
ATTENTION: At the time of detection, this IP was infected with, or NATting for a computer infected with, a high-volume spam-sending trojan - it is participating in or facilitating a botnet sending spam or spreading virus/spam trojans.
ATTENTION: If you simply repeatedly remove this IP address from the CBL without correcting the problem, the CBL WILL eventually stop letting you delist it and you will have to contact us directly.
This detection is of the DarkMailer/YellSOFT DirectMailer Trojan.
PAY VERY CLOSE ATTENTION TO THE FOLLOWING
You will NOT be allowed to self-delist Darkmailer/DirectMailer CBL entries. You MUST fix the problem first.
DO NOT contact us until the problem is resolved. If you do not own/administer this IP address, bring this issue to the owner's attention and do not contact us.
You MUST configure your web server to prevent DarkMailer/DirectMailer infections from being able to spam the Internet. Pay special attention to the references to "SMTP Tweak" below - locking down outbound port 25 with something like "SMTP Tweak" is the only way to permanently prevent your web server from spamming the Internet.
We've heard rumors that the "SMTP Tweak in cPanel" doesn't work in some cases. But enabling CSF SMTP_BLOCK does.
You can find out more detail on this by doing Google searches for "YellSOFT DirectMailer" or "DarkMailer", including screenshots of the control panel this software installs on your web server (the control panel is in Russian).
See, for example, Darkmailer in Wikipedia and this thread in the cPanel Forum.
Note the references to "csf SMTP_BLOCK" and "WHM's SMTP Tweak".
This detection is that of a spammer who has broken into your web server (usually) via cracked or keylogged FTP credentials. Once they've logged in via FTP, they install Perl scripts that do the spamming. cPanel and Plesk installations are the most common infectees, but others (including Apache) are also subject to this problem.
ANY web server capable of running Perl scripts (whether Windows, UNIX, Linux, FreeBSD etc.) that permits FTP access for customers/users OR EVEN administrators to change their web pages is potentially a victim of this spamware.
You can often identify this (on UNIX/Linux systems) by doing "ps" (process status) and finding many (often 10 or more) long-running processes named ".cgi", ".php" or ".pl" that are owned by the same user as your web server instance. As an example, one infectee saw 25 copies of a "dm.cgi" program running under his Apache server's userid.
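The "ps" check described above, turned into a small script. This is an added example and is not part of the CBL text or any cPanel/CSF tool; the web server userid (WEB_USER), the 600-second threshold (MIN_ELAPSED) and the sample process list are assumptions chosen for illustration. It reads the four columns pid, user, elapsed-seconds and command name, which is what `ps -eo pid=,user=,etimes=,comm=` prints on procps-based Linux, and flags script processes owned by the web server user that have been running longer than the threshold.

```shell
#!/bin/sh
# Added example (not from the CBL page): flag long-running ".cgi", ".php" or
# ".pl" processes owned by the web server user, the "ps" symptom of a
# DarkMailer/DirectMailer infection. Input format (one process per line):
#   <pid> <user> <elapsed-seconds> <command-name>
# i.e. the output of: ps -eo pid=,user=,etimes=,comm=

WEB_USER="${WEB_USER:-nobody}"     # assumption: your httpd userid (nobody, apache, www-data ...)
MIN_ELAPSED="${MIN_ELAPSED:-600}"  # assumption: a web script alive > 10 minutes is suspect

# Read ps lines from stdin; print "pid command" for each suspicious process.
find_rogue_web_procs() {
    awk -v user="$WEB_USER" -v min="$MIN_ELAPSED" '
        $2 == user && $3 + 0 >= min && $4 ~ /\.(cgi|php|pl)$/ { print $1, $4 }
    '
}

# Number of suspicious processes; the listing says 10 or more is typical.
count_rogue_web_procs() {
    find_rogue_web_procs | wc -l | tr -d " "
}

# Constructed sample process table for offline demonstration. Two copies of
# dm.cgi have been running for a day under "nobody"; index.php is a fresh,
# legitimate request; test.pl belongs to a different userid.
SAMPLE_PS='1234 nobody 86400 dm.cgi
1235 nobody 86399 dm.cgi
1300 nobody 5 index.php
2000 root 99999 sshd
2100 www-data 7200 test.pl
3000 nobody 3600 httpd'

case "${1:-}" in
    scan) ps -eo pid=,user=,etimes=,comm= | find_rogue_web_procs ;;  # live system
    demo) printf '%s\n' "$SAMPLE_PS" | find_rogue_web_procs ;;       # sample data
esac
```

Run it as `sh find_rogue.sh scan` on the server itself, or `WEB_USER=apache sh find_rogue.sh scan` if httpd runs under a different userid. It matches on the command name only, so a script that renames itself at startup would not be caught; treating the output as a starting point for inspecting `/proc/<pid>/cwd` and the FTP logs is the intent, not a definitive verdict.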
There are two main versions of this spamware:
In the first, it works by uploading a series of ".php" and ".pl" scripts via FTP (you'll see this in your FTP logs), and then invoking them via your web server. Once the programs are invoked, they delete themselves from the file system, but remain running.
In the second, the spamware is a "cgi" Perl script that does not delete itself. It can be called anything - e.g. "dm.cgi", "test.cgi" etc.
It will most often be in the cgi-bin directory, perhaps that of an individual user, not the system-wide one.
You also may find various files like "from.txt", "replyto.txt" etc. There may also be a "sys" directory that contains a lot of "*.mx" files. This all has to be eradicated. Whether these exist depends on the configuration of the DarkMailer/DirectMailer spamware that is infecting your machine.
Dealing with this can be difficult, because as long as your FTP passwords can be cracked (or stolen from an infected web developer's PC) it can come back at any time.
First: minimize FTP access. Secure/change all passwords. If you can do your customer uploads some other way, turn off FTP, or prevent FTP from writing directly into the web server's document directory.
It is entirely possible that this spamware can be installed by other means (e.g. FrontPage extensions), but we have not heard of it actually being done. Yet....
Second: Find the infection. If it's the second version ("cgi"), you can find it, remove it and kill any running copies.
If it's the first version, there's nothing to find because it's deleted itself; instead you have to stop the current processes running. The simplest way is to reboot the server. Or, if you can identify _all_ of the rogue processes, killing them should be enough. Just make sure they stay dead.
Third: Configure your system to absolutely prohibit any userid except root or your mail server's userid (often "mailman" or something like that) from getting access to outbound port 25. In this way, even if you do get infected, the spamware can't get email out to the Internet.
In the above links, take note of the references to "cPanel/WHM's SMTP Tweak" and "CSF SMTP_BLOCK" - these are both patches/addon hacks to cPanel that can implement outbound port 25 restrictions. There are many other ways to accomplish this for other web servers, for example, iptables on Linux, PF on FreeBSD etc.
These Linux iptables commands will restrict outbound port 25 to userids "mail", "mailman" and "root". They will have to be invoked as root, and you will need to arrange that your system will reissue these commands when it boots. One way of doing the latter is to add them as "up" commands to /etc/network/interfaces if your version of Linux supports it (e.g. Ubuntu, Debian and other distributions). See "man 5 interfaces".
# Local delivery to an MTA listening on loopback stays allowed
iptables -A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT
# The mail system's own groups/userids may reach port 25 anywhere
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mail -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mailman -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT
# Everything else (including the web server's userid) is refused outright
iptables -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
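A wrapper around the rules above that can safely be re-run at every boot. This is an added example, not code from the CBL page, cPanel or CSF; the group and userid lists are the ones the rules use and can be overridden through SMTP_GROUPS and SMTP_USERS, and SMTP_DRY_RUN is an assumption added so the rule set can be reviewed without root. The point it adds is idempotency: plain "iptables -A" in an "up" line of /etc/network/interfaces appends a fresh copy of every rule each time the interface comes up, so the script tests for each rule with "iptables -C" first and only appends when it is missing.

```shell
#!/bin/sh
# Added example (not from the CBL page): install the outbound-port-25
# restriction idempotently so it can be re-applied from an "up" line in
# /etc/network/interfaces or from a boot script without duplicating rules.
# Must run as root unless SMTP_DRY_RUN is set.

SMTP_GROUPS="${SMTP_GROUPS:-mail mailman}"  # groups allowed to open outbound port 25
SMTP_USERS="${SMTP_USERS:-root}"            # userids allowed to open outbound port 25
SMTP_DRY_RUN="${SMTP_DRY_RUN:-}"            # assumption: non-empty = print, don't apply

# Append one OUTPUT rule unless an identical rule already exists.
# "iptables -C" returns 0 when the rule is present, non-zero otherwise.
ensure_rule() {
    if [ -n "$SMTP_DRY_RUN" ]; then
        echo "iptables -A OUTPUT $*"
        return 0
    fi
    iptables -C OUTPUT "$@" 2>/dev/null || iptables -A OUTPUT "$@"
}

install_smtp_rules() {
    # Loopback delivery to the local MTA stays open
    ensure_rule -d 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT
    # Mail system groups and userids
    for g in $SMTP_GROUPS; do
        ensure_rule -p tcp -m tcp --dport 25 -m owner --gid-owner "$g" -j ACCEPT
    done
    for u in $SMTP_USERS; do
        ensure_rule -p tcp -m tcp --dport 25 -m owner --uid-owner "$u" -j ACCEPT
    done
    # Everyone else, including the web server userid, is rejected.
    # This must stay last: rules are matched in order and REJECT ends the search.
    ensure_rule -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
}

case "${1:-}" in
    install) install_smtp_rules ;;
esac
```

Usage: `sh smtp-lock.sh install` as root, or `SMTP_DRY_RUN=1 sh smtp-lock.sh install` to print the exact iptables commands first. In /etc/network/interfaces the corresponding line is `up /usr/local/sbin/smtp-lock.sh install` under the interface stanza. Because the REJECT rule is only ever appended once and the ACCEPT rules are checked before it each run, the ordering the rules depend on is preserved across repeated invocations; if you later add a group, append it to SMTP_GROUPS and flush the old REJECT rule (`iptables -D OUTPUT ...`) before re-running, otherwise the new ACCEPT lands after the REJECT and never matches.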
WARNING! We are seeing far too many of these listings simply being delisted without the spambot being removed. The owner of this web server MUST address this problem and remove the spambot.
You MUST patch your system and then fix/remove the trojan. Do this before delisting, or you're most likely to be listed again almost immediately.
If this IP is a NAT firewall/gateway, you MUST configure the NAT to prevent outbound port 25 connections to the Internet except from your real mail servers. Please see our recommendations on NAT firewalls.
The Microsoft MSRT (Malicious Software Removal Tool) stands a good chance of being able to find/remove the malicious software, if you can find which machine the malware is on.
Request delisting of 74.63.233.26.