VPS has been blacklisted by CBL

[davel]

Hi,

CBL (The CBL), which some ISPs use for blacklisting claims that my VPS has been infected with DarkMailer/Yellsoft DirectMailer.

As a result I am unable to send emails to orange.co.uk/freeserve/wanadoo addresses.

What sort of help can I get from the support team in cleaning my VPS and hardening it to minimise the risk of this recurring? What's the best way to get started?

Thanks,
Dave.

[WelshTom]

Quote:

Originally Posted by davel

Hi,

CBL (The CBL), which some ISPs use for blacklisting claims that my VPS has been infected with DarkMailer/Yellsoft DirectMailer.

As a result I am unable to send emails to orange.co.uk/freeserve/wanadoo addresses.

What sort of help can I get from the support team in cleaning my VPS and hardening it to minimise the risk of this recurring? What's the best way to get started?

Thanks,
Dave.

Are you sure it's not YOUR IP address on the CBL? What does the bounce e-mail say?

[davel]

Yes, It is my IP, my VPS's IP address, that has been blacklisted. That's what I meant to say, anyway.

Orange's bounce said
"Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

xx@xx.wanadoo.co.uk
SMTP error from remote mail server after initial connection:
host mail-in.freeserve.com [193.252.22.184]: 554 5.7.1 service refused.
Client host <my VPS IP address> blocked for spamming issues. More information
available at http://help.orange.c

------ This is a copy of the message, including all the headers. ------

Return-path: <dave@my_vps.co.uk>
Received: from [212.183.140.17] (helo=Inbox)
by vps.my_vps.co.uk with esmtps (SSLv3:RC4-MD5:12
(Exim 4.69)
(envelope-from <dave@my_vps.co.uk>)
id 1NjaiV-0002ca-Lt; Mon, 22 Feb 2010 16:01:04 +0000
MIME-Version: 1.0
content-class:
From: Me <dave@my_vps.co.uk>
Subject: FW: Problem sending emails
Date: Mon, 22 Feb 2010 16:01:00 +0000
Importance: normal
X-Priority: 3
To: Recpient <xx@xx.wanadoo.co.uk>
"
Unsurprisingly I could not get help from the mal-formed orange URL.
I checked on the CBL blacklist and my VPS IP was on there.

I did some more digging and found the rogue files (cgi files), so removed them and killed the cgi processes. I have changed the password of the account used to gain access to my server too.

I don't need FTP access for all my user accounts. In CPanel I can't remove all of an account's FTP users. How can I limit FTP access to an account? I have prevented the use of anonymous FTP.

Also, is it possible to force all users to use FTP over SSL? As the password used to gain access was 9 chars long and comprised upper and lower case letters and numbers then it seems unlikely that it was cracked through brute force (there being over 210 trillion combinations), so I assume the password was picked up when going through the internet as clear text.

Thanks

Dave.

[WelshTom]

Quote:

Originally Posted by davel

Yes, It is my IP, my VPS's IP address, that has been blacklisted. That's what I meant to say, anyway.

Orange's bounce said
"Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

xx@xx.wanadoo.co.uk
SMTP error from remote mail server after initial connection:
host mail-in.freeserve.com [193.252.22.184]: 554 5.7.1 service refused.
Client host <my VPS IP address> blocked for spamming issues. More information
available at http://help.orange.c

------ This is a copy of the message, including all the headers. ------

Return-path: <dave@my_vps.co.uk>
Received: from [212.183.140.17] (helo=Inbox)
by vps.my_vps.co.uk with esmtps (SSLv3:RC4-MD5:12
(Exim 4.69)
(envelope-from <dave@my_vps.co.uk>)
id 1NjaiV-0002ca-Lt; Mon, 22 Feb 2010 16:01:04 +0000
MIME-Version: 1.0
content-class:
From: Me <dave@my_vps.co.uk>
Subject: FW: Problem sending emails
Date: Mon, 22 Feb 2010 16:01:00 +0000
Importance: normal
X-Priority: 3
To: Recpient <xx@xx.wanadoo.co.uk>
"
Unsurprisingly I could not get help from the mal-formed orange URL.
I checked on the CBL blacklist and my VPS IP was on there.

I did some more digging and found the rogue files (cgi files), so removed them and killed the cgi processes. I have changed the password of the account used to gain access to my server too.

I don't need FTP access for all my user accounts. In CPanel I can't remove all of an account's FTP users. How can I limit FTP access to an account? I have prevented the use of anonymous FTP.

Also, is it possible to force all users to use FTP over SSL? As the password used to gain access was 9 chars long and comprised upper and lower case letters and numbers then it seems unlikely that it was cracked through brute force (there being over 210 trillion combinations), so I assume the password was picked up when going through the internet as clear text.

Thanks

Dave.

If you're not entirley sure how those files got there, ask eUK to do an audit of your server as they may not have been uploaded via FTP. But yes, there is an option to force FTP over SSL (or you can disable it completely) which you can do from WHM.

You can request to remove yourself from the CBL, but be sure all infected files are removed from your server beforehand as if you get added to the CBL again you may not be able to get back off it