xo1 blacklisted

Status
Not open for further replies.

Skizzerz

Contributors
Staff member
Hello,

That IP address does not belong to x10Hosting. The IP address for xo1 is 198.91.81.2. That said, it also appears in the blacklist, so I've let the appropriate people know.
 

lcc

New Member
I'm getting all of my incoming email rejected now because of this. My site is also at this IP. Someone please shut down the offending account.
 

lcc

New Member
I had started another thread before finding this one. Sorry for the double post.

Here's the info from CBL:

IP Address 198.91.81.2 is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.

It was last detected at 2015-06-18 17:00 GMT (+/- 30 minutes), approximately 3 hours, 30 minutes ago.

The host at this IP address is infected with the CryptoPHP PHP malware.

CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. More information about this threat can be found on the referenced link below.

This infection almost certainly means that the infected web site has used pirated plugins from the nulledstylez.com, dailynulled.com sites or some other site that specializes in providing "nulled" (pirated) software. Fox-IT's research has shown that every pirated theme or plug-in on these two sites has been infested with the cryptophp malware.

This was detected by a TCP connection from 198.91.81.2 on port 55226 going to IP address 192.42.116.41 (the sinkhole) on port 80.

The botnet command and control domain for this connection was "foltimaks.biz".

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 192.42.116.41 or host name foltimaks.biz on any port with a network sniffer such as wireshark, or by configuring the router to block and log such connections. Equivalently, you can examine your DNS server or proxy server logs for references to 192.42.116.41 or foltimaks.biz. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

This detection corresponds to a connection at 2015-06-18 16:39:47 (GMT - this timestamp is believed accurate to within one second).

Fox-IT has published a new blog item on this infection. Fox-IT has written two Python scripts that should be very good at finding these infections: check_url.py and check_filesystems.py. The first script scans a web site to find the infection, the second is used for scanning the web site's filesystem to find the infection. Please go to the above Fox-IT link to obtain these scripts and further instructions.

Fox-IT recommends that you should NOT try to "repair" the infection. The infected account should be reinstalled from scratch.

I shall repeat the previous paragraph: removing the "social.png" file DOES NOT remove the infection. "social.png" is only just one small piece of it. The infected account should be reinstalled from scratch.
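The CBL notice above says the infected machine behind a NAT can be found by searching DNS or proxy logs for the sinkhole IP or the C2 host name. The following is an added example, not from the thread or from CBL/Fox-IT, that does exactly that over constructed BIND query-log and Squid access-log lines (the client addresses and timestamps are made up) and groups the hits by internal client so an operator knows which host to rebuild.

```python
import re
from collections import defaultdict

# Indicators quoted in the CBL listing: the sinkhole IP and the C2 domain.
SINKHOLE_IP = "192.42.116.41"
C2_DOMAIN = "foltimaks.biz"

# Constructed sample lines (not real captures): two BIND-style query-log
# entries followed by two Squid-style proxy access-log entries.
SAMPLE_LOGS = """\
18-Jun-2015 16:39:40.101 queries: info: client 10.0.0.23#51234: query: foltimaks.biz IN A + (10.0.0.1)
18-Jun-2015 16:39:41.220 queries: info: client 10.0.0.40#40100: query: www.example.org IN A + (10.0.0.1)
1434645587.412    120 10.0.0.23 TCP_MISS/200 512 GET http://foltimaks.biz/social.png - DIRECT/192.42.116.41 image/png
1434645590.001     80 10.0.0.40 TCP_MISS/200 2048 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html
"""

# Client address in each log format: "client A.B.C.D#port" (BIND) or the
# third whitespace-separated field (Squid native access log).
BIND_CLIENT = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})#\d+")
SQUID_CLIENT = re.compile(r"^\d+\.\d+\s+\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\s")


def _indicator_pattern(indicators):
    """Whole-token match so e.g. 'notfoltimaks.biz' is not a hit,
    while a subdomain such as 'cdn.foltimaks.biz' still is."""
    alt = "|".join(re.escape(i) for i in indicators)
    return re.compile(rf"(?<![\w-])(?:{alt})(?![\w-])", re.IGNORECASE)


def find_infected_clients(log_text, indicators=(SINKHOLE_IP, C2_DOMAIN)):
    """Return {client_ip: [matching log lines]} for every line that
    references one of the indicators, regardless of port or protocol."""
    pattern = _indicator_pattern(indicators)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not pattern.search(line):
            continue
        m = BIND_CLIENT.search(line) or SQUID_CLIENT.match(line)
        client = m.group(1) if m else "unknown"
        hits[client].append(line)
    return dict(hits)


if __name__ == "__main__":
    for client, lines in find_infected_clients(SAMPLE_LOGS).items():
        print(f"{client}: {len(lines)} indicator hit(s)")
        for entry in lines:
            print("   ", entry)
```

Any client that shows up here should be treated as the compromised host; as the notice says, deleting social.png alone does not clean it.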
 