Spamhaus blacklists due to CryptoPHP-infected websites used for blackhat SEO
Posted by WestNIC Support on 23 November 2014 05:47 PM
UPDATE #2: we're performing malware scans across other shared servers to prevent future blacklistings associated with the CryptoPHP malware. Accounts with malware and viruses are being suspended. If your account has been suspended, there are three options: 1. remove the public_html folder with all its contents, then reset the password and activate the account (free of charge). Databases and email users are not affected by removal of the public_html folder; 2. find an offsite backup, then run a restore for $10; 3. in some cases it is possible to run a manual site cleanup to preserve the current files (most of the current data and databases). This service costs $20. How to activate a suspended account: https://my.westnic.net/howtos/account-has-been-suspended.html
UPDATE #1: most servers have been removed from the blacklist. We're still running extensive malware and vulnerability scans across the other servers (those not listed at Spamhaus). If you use an outdated PHP script or plugin (WordPress, Joomla, WHMCS, ClientExec, Drupal and others), please update it ASAP (including themes and plugins). If you don't use plugins or themes, please remove them via FTP. Severely outdated software is being removed without prior warning. Compromised accounts are being suspended.
We thank you for your cooperation and understanding.
More and more servers are landing on the Spamhaus blacklist due to new malware (CryptoPHP), installed accidentally by webmasters/end users together with a nulled theme, plugin etc., or by bots via outdated/insecure PHP scripts. What is CryptoPHP?
CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise web servers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server.
After being installed on a web server, the backdoor can be controlled in several ways, including command-and-control server communication, mail communication and manual control.
How to resolve this issue:
At this moment we have 11 shared cPanel servers blacklisted on the Spamhaus network. Obviously more will be on that blacklist in the next couple of days, since most servers are shared. The cleanup process is very slow. First of all, we have to install an exploit scanner, then perform manual scans on the entire /home directory. Normally a scan completes in about 6 hours. The results are dramatic: more than 40% of installed PHP scripts are outdated, ~5% are installed with default configs (with no password set) and ~5% are already hacked. Installations with default configs are being removed without warning. Compromised websites are either being suspended or terminated; it depends on how the site was compromised and on the number of viruses/DoS/malware tools installed.
If your website shows a "suspended" page, please open a ticket at https://support.westnic.net. We can provide a site backup, then remove the public_html folder with all its contents free of charge. You then need to install the PHP script and theme from scratch. If your website doesn't load at all, it is most likely infected with CryptoPHP.
Nothing would ever happen to your website if you kept it secure. Avoid installing plugins and themes from unknown (unverified) vendors!
1. Install the script properly in the first place, then secure it. It takes 1-2 hours to secure a WordPress installation, not 1 minute: https://my.westnic.net/howtos/wordpress.html
2. Physically remove unused plugins and themes (via FTP). If you install a plugin, please check its source! There are many infected plugins and themes.
3. Do not use the username "admin". Create a new one, then assign privileges.
4. Change your cPanel username/password every 6 months using a password generator tool. Do not use passwords of your own making like "sunny2015".
5. Purchase and install antivirus software with a built-in firewall, and keep your OS and browsers updated.
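The scan of /home described above, and the advice to check the source of every installed plugin and theme, both come down to looking at what the PHP files in a web root actually do. The script below is an added example (not the provider's exploit scanner and not part of this notice) that walks a web root and flags a few generic backdoor heuristics: runtime eval of a decoded payload, PHP code included from a file posing as an image, a request parameter called as a function, and any PHP file under an uploads directory. The heuristics are assumptions chosen for illustration, not CryptoPHP signatures, and the sample site tree is constructed inline.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns (assumptions, not the provider's scanner signatures): rare in clean code, common in backdoors.
SUSPICIOUS = {
    # obfuscated payload decoded and executed at runtime
    "eval_of_decoded_payload": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # PHP code smuggled inside a file that claims to be an image
    "include_of_image_file": re.compile(
        r"\b(include|require)(_once)?\b[^;]*\.(png|jpe?g|gif|ico)['\"]", re.I),
    # request parameter used directly as a function name (remote control hook)
    "request_param_called": re.compile(
        r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
}
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}


def scan_file(path):
    """Return the names of every heuristic that fires on one PHP file."""
    text = path.read_text(errors="replace")
    hits = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
    if "uploads" in path.parts:  # PHP under an uploads directory is out of place
        hits.append("php_in_uploads_dir")
    return hits


def scan_tree(root):
    """Walk a web root and map each suspicious PHP file (relative path) to its findings."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in PHP_SUFFIXES:
            hits = scan_file(p)
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


def build_sample_site():
    """Constructed sample tree: a clean theme, a 'nulled' plugin and a dropped file."""
    root = Path(tempfile.mkdtemp(prefix="site_"))
    files = {
        "wp-content/themes/clean-theme/functions.php":
            "<?php\nadd_action('init', 'my_theme_setup');\n",
        "wp-content/plugins/nulled-plugin/init.php":
            "<?php\ninclude(dirname(__FILE__) . '/images/logo.png');\n"
            "eval(base64_decode('cmV0dXJuIHRydWU7'));\n",  # decodes to 'return true;'
        "wp-content/uploads/2014/11/cache.php":
            "<?php\n$_REQUEST['f']($_REQUEST['a']);\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root
```

Run `scan_tree(Path("/home/<account>/public_html"))` against a real account to get a list of files worth a manual look; every hit still needs human review, since legitimate code occasionally trips such patterns.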
When will my server be removed from Spamhaus? I need to send a very important email right now!
As soon as we complete all scans and suspend/terminate the compromised websites. If you cannot reach a recipient due to the Spamhaus block, please use an alternative source, for example Gmail. If you use email for business, it's a good idea to get business apps (Gmail, Google disk etc.) for your domain. It costs only $5 per user/month and provides more redundancy and reliability. We use it too and there is nothing wrong with that: a cPanel server has only one or two MX records (Google provides 5) and gets blacklisted 3-5 times per year. Please note that the blacklist doesn't affect inbound emails.
Servers affected (server IDs): cheetah, rl2, eu7, eu8, eu11, ms3, panther2, micro, micro2, dc6, dc18, luna, eagle. Unfortunately, more will be on the blacklist soon due to the new Spamhaus policy/rule scan. We'll post new server IDs here. Server ID in red: blacklisted on Spamhaus; server ID in yellow: pending removal from Spamhaus, malware scans ongoing; server ID in green: compromised websites either removed or suspended, delisted from Spamhaus.
Thank you for your patience and cooperation.