
> Outbound mail problems on webpro1 and webpro2, resolved
andy
Posted: Apr 19 2018, 02:15 PM
Group: Advantagecom Staff
Posts: 4,302
Member No.: 9
Joined: 12-July 02



Recently, spam blacklists have started listing IP addresses of servers seen by honeypot addresses related to "EITest" malware that inserts itself into WordPress and other PHP-driven sites through unpatched user code vulnerabilities. (more info than you want here: https://blog.brillantit.com/exposing-eitest-campaign/ )

Understand that this is not a server vulnerability. It is a vulnerability in user uploaded code. Code that we have little to no control over. Code contained in literally millions of files that we could never hope to police.

When users don't keep their CMS updated, it will be infected. It's just a matter of when.

Unfortunately, everyone on the server will suffer because of this.

Because spam blacklists have started listing the IP addresses of servers that reach out to these benign honeypot addresses due to a user content infection, both webpro1.speedingbits.com and webpro2.speedingbits.com are currently shown in blacklists that subscribe to this practice.

We're currently investigating ways we can do server-side scanning of web site contents to find the infections so we can shut down the accounts of those running infected websites.

Updates about this issue will be posted to this thread as they're available.


--------------------
Sincerely,
Andrew Kinney
CTO, Advantagecom Networks

Please do not private message me. My regular management duties preclude responding to every customer that sends me a support issue. Instead, post on the forum or contact tech support.
andy
Posted: Apr 19 2018, 04:41 PM

This is the very recent result of an effort to "sinkhole" all the systems responsible for controlling the botnets related to EITest.

The sinkhole began March 15, 2018, and it is only within the last 10 days or so that we've seen reports from users regarding the servers being blacklisted. We believe that Spamhaus CBL decided it was a good idea to bounce email from servers that had an IP on the list maintained by the sinkhole, and that happened on or around April 12, 2018. https://www.proofpoint.com/us/threat-insigh...infection-chain

ClamAV, the default scanning system employed by cPanel, does not detect files related to EITest, so we're still looking for alternate ways to find the responsible files.

Until we can find and remove the responsible files, the Spamhaus CBL email blacklist will continue to cause outbound email from these servers to be rejected by third parties that use the blacklist.

I'd like to reiterate that the systems are not blacklisted because they were used in the sending of spam. This is purely because the people at Spamhaus made an arbitrary decision to abuse their power as a spam blacklist to punish servers that have compromised content management systems (almost exclusively WordPress).

I believe this action on the part of Spamhaus was irresponsible and premature since there is not yet a good way to detect the compromised files and inspecting every one of millions of files by hand is not possible.

This isn't the first time that Spamhaus has abused their power and done irresponsible things that were detrimental to the smooth running of the Internet. It won't be the last time, either. Unfortunately, we can't convince places like Microsoft to stop using them, though.

We're still working on this and it's our top priority right now.


andy
Posted: Apr 19 2018, 07:38 PM

We have some software running that will watch outbound connections and tell us if any reach out to the sinkhole IP address. It should also tell us what user and file were involved.

It is dependent on the malware actually being visited by a web site visitor, however, so it may take a while until we see which files are involved. The sinkhole reports only one hit from webpro2 in the last 24 hours and six in the last 24 hours from webpro1, so we'll probably need to watch it for a full 24 hours.

Unfortunately, it will not identify files that are not actively being used in a web site, though, so we're still looking for a way to scan for any malware related web site files that haven't been used.


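The kind of check the post above describes, written as an added example rather than the tool Advantagecom ran: match outbound connects from PHP workers against a sinkhole address and attribute each hit to the account and script file. The log line format is constructed, and 203.0.113.10 is a TEST-NET placeholder, not the real EITest sinkhole address.

```python
# Added example (not Advantagecom's tool): flag outbound connects from PHP
# workers to a known sinkhole IP and attribute each hit to account and file.
# Log format is constructed; 203.0.113.10 is a TEST-NET placeholder, not the
# real EITest sinkhole address.
import re
from collections import Counter
from ipaddress import ip_address

SINKHOLE_IPS = {ip_address("203.0.113.10")}  # placeholder, constructed

# One outbound connect event per line, as a process-level audit hook
# might record it for a PHP worker (constructed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) exe=(?P<exe>\S+) "
    r"script=(?P<script>\S+) dst=(?P<dst>[0-9.]+):(?P<port>\d+)$"
)

def parse_line(line):
    """Return the event fields as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def sinkhole_hits(lines):
    """Count connects to a sinkhole IP, keyed by (account, script path).
    Malformed lines and unparsable addresses are skipped, not raised on."""
    hits = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        try:
            dst = ip_address(ev["dst"])
        except ValueError:
            continue
        if dst in SINKHOLE_IPS:
            hits[(ev["user"], ev["script"])] += 1
    return hits

# Constructed sample: two accounts; only acct1's stale plugin hits the sinkhole.
SAMPLE_LOG = """\
2018-04-19T19:02:11Z user=acct1 exe=/usr/bin/php script=/home/acct1/public_html/wp-content/plugins/old/x.php dst=203.0.113.10:80
2018-04-19T19:02:12Z user=acct2 exe=/usr/bin/php script=/home/acct2/public_html/index.php dst=198.51.100.7:443
2018-04-19T19:05:40Z user=acct1 exe=/usr/bin/php script=/home/acct1/public_html/wp-content/plugins/old/x.php dst=203.0.113.10:80
garbage line that does not parse
""".splitlines()

def report(lines=SAMPLE_LOG):
    """Return 'account script count' strings, most hits first."""
    return [f"{u} {s} {n}" for (u, s), n in sinkhole_hits(lines).most_common()]
```

As the post notes, this only surfaces files that a visitor actually triggers; dormant copies of the same malware need a content scan, which this check does not do.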
andy
Posted: Apr 20 2018, 11:10 AM

On webpro1, we've identified one heavily infected site so far with our monitoring tool. Webpro2 has registered no infection activity yet.

We're testing a malware scanner against the known infected customer files to verify that the malware scanner can properly detect this type of infection. If it successfully detects the infection, then we'll make it an included part of our cPanel-based shared hosting accounts.

Once our testing is complete, we'll work with the client(s) to clean up their out of date and hacked WordPress installations.


andy
Posted: Apr 27 2018, 09:47 AM

This was completed several days ago.

We were able to identify and employ malware scanning software that is now run on a schedule as an included part of our WebPro2 shared hosting services (and other account types on webpro1.speedingbits.com and webpro2.speedingbits.com).

The clients who had malware-infected files have had the malware deactivated, and we successfully requested delisting for both servers with CBL (Spamhaus).

