Frequently Asked Questions (FAQ)
Hacked... Here's help

IP listed in CSS - General help
WiFi and Home Networks
Hacked Website or CMS - General Information
CMS-Specific help
How can Wireshark help find the problem?


IP listed in CSS - General help
Why was this IP listed?

This IP was listed because we have evidence suggesting that the IP or something behind it is compromised or infected.

What should be done about it?

The situation requires correcting: Spamhaus has detected spoofed SMTP connections coming from this IP address. We are unable to advise on the exact nature of the infection, but hope the following information might be of help.
  • If you have devices running Microsoft Windows, take a look at Windows Defender, Malwarebytes, Norton Power Eraser, CCleaner and/or McAfee Stinger.
    • NOTE: These tools are free.
  • We have seen many mobile devices (mostly Android phones) being turned into spam proxies as a result of installing questionable apps.
  • Calling your ISP or taking your machine to a competent tech support service might also be useful.
Is this IP a NAT gateway, firewall or router?
  • Capturing the network traffic going to remote IPs on port 25 is the best way to identify which devices are generating this traffic: in general, only mailservers are supposed to generate such traffic, as mail clients rely on the dedicated ports 587 or 465.
  • Wireshark is a good (free) tool to investigate network traffic.
  • In some cases, the compromised device can also be the router itself.
    • Ensure that telnet port 23 (UDP and TCP) is not accidentally left open.
    • Please consult the documentation of your device regarding how to make sure its software is up to date, and how to ensure that the device is properly secured.
CSS listings expire automatically a set number of hours after last detection, so if the problem is solved the listing will fade out with no further intervention needed.


WiFi and Home Networks
Bots can operate on nearly any internet-capable device!
  • These devices can include (but are not limited to): laptops, tablets and pads, mobile phones, servers, desktop computers, gaming systems, "Internet of Things" products like light bulbs and appliances, and even WiFi routers themselves.
  • Something to examine would be if you supply a guest network or free wifi. If so, those often have a lesser security profile and should be reviewed.
When any of those bots emits spam, the emission may be detected and the originating IP listed by Spamhaus systems. Because there is such a variety of bots operating in different ways, we are not able to give specific advice. Here are some general ideas about identifying, securing or de-weaponizing an affected device.
  • If you have devices running Microsoft Windows, any or all of the following free tools may help: Windows Defender, Malwarebytes, Norton Power Eraser, CCleaner, or McAfee Stinger.
  • Calling your ISP or taking your machine to a competent tech support service might also be useful.
Mikrotik routers had vulnerable software. Most Mikrotiks have been patched, but in case yours still needs an update, you can find the current version on their website. As of Q2 2020, our systems are detecting many bot connections coming from mobile devices, particularly Androids.

WiFi networks and apps can often be diagnosed by a process of elimination.
  • Remove all devices from the wifi system.
  • Wait a few days to see if it relists in our data.
  • Reconnect the devices, one by one, waiting a few days to see if a listing occurs, before adding the next one.
  • When the IP relists, it is likely the newest device.
  • Please open a ticket for removal of the IP.
    • You can also use the lookup tool to monitor your IP's status if you are concerned about another device or a re-listing.
NOTE: while each device is connected, open and use all the apps on it, since sometimes it is the use of the app which triggers the bot.
  • Be particularly careful of recently installed apps. We have also found that malicious code is sometimes detected even in long-installed apps that have been recently updated.
  • Removing or disabling apps, then slowly adding them back one by one, with several days in between, may work to identify the vulnerable software.
    • We are VERY interested in the specific app, version, and even the installed code of such apps, if you are able to provide that to us. Such information helps us help others.
If none of this works, professional help may be required. Please call your ISP for information.

General Advice

WiFi routers for home use should be configured with port 25 disabled.
  • Disabling port 25 will not stop mail software from working normally. The software used by email clients to read and send email operates on a different port (587), and such clients are able to access your ISP's mail servers after being correctly configured. From the user perspective there is no difference.
  • The majority of home networks will not be running a private mail server.
    • Some routers will allow you to configure a specific device, and only that device, to access port 25, and those can allow a mail server to operate on the router as well as preventing other devices from making malicious SMTP connections. If a private mail server is being used, this is the ideal solution.
  • For help with any configuration of routers, devices, or email software, please refer to the device documentation or your ISP for assistance.


Hacked Website or CMS - General Information
There are five main steps to fixing a hacked website, and they MUST all be completed:
  1. If it is at all possible, the website/server should be taken offline while it is being fixed.
  2. All of the infected files must be removed.
  3. The CMS and all plugins and extensions must be updated to the latest and most secure versions.
  4. Be sure the server itself is secure, or ask a system administrator to perform a security audit.
  5. All passwords must be changed. Strong passwords should be used, and two factor authentication added wherever possible.
Take your website offline:
The whole time that a server is infected, it poses a threat of some kind to the rest of the Internet (spam, DDoS, botnet command node, malware infector, phishing websites, etc).
  • Domain reputation will suffer as a result of any infection. That drop in reputation will affect not only websites but also email... and not just due to Spamhaus listings.
  • It is very important to temporarily suspend an infected website, if possible, while it is repaired and secured.
  • Taking it offline will help protect domain and email reputation: this is a strategic decision with the fewest bad consequences for both the website operator and the Internet at large.
A good place to start is with Spamhaus' news blog on how to Stop Spammers from Exploiting your Webserver. Additional in-depth information: website software known as a Content Management System (CMS) is a common vector for security attacks on websites. This can result in domains being listed by Spamhaus.

In all cases, the website's software - including the CMS and any related extensions or plugins - must be patched to a secure version and the infected files must be removed and the server itself must be secure in order for a domain to stay out of Spamhaus lists.
  • If hacked pages are detected after a domain has been de-listed, the domain will quickly be re-listed.
  • That re-listing should serve as an alert that the website and/or web server are still compromised, and that quick corrective action is required.
  • If re-listing happens too many times, we will prevent further removals until we are assured that the problem has been properly fixed.
All web servers, web server software and operating systems (OS) should also be checked and patched to current versions. Please, secure your server(s).

These infections can and do affect any operating systems (OS). We see these infections on Windows/WINNT, Linux, FreeBSD, Darwin and more, and on Apache, nginx, squid, Microsoft-IIS and other web servers, too.

Anti-virus scans usually do not detect these infections. Running an anti-virus scan is a good thing to do, but a negative result does not mean that the website or server is clean of infection.

We are also receiving reports of accounts with compromised FTP passwords.

For ISPs: some possible solutions - unknown, untested and not vouched for by Spamhaus but still of possible interest:
  • Hacked websites in the news (Arstechnica)
  • Old but still relevant: Active malware campaign uses thousands of WordPress sites to infect visitors - Sep 18, 2015, by Dan Goodin


CMS-Specific help
Wordpress has an FAQ in several languages, "My site was hacked!", that has many tips and links. Joomla has a Security Checklist, and specifies what to do if a site using their CMS has been hacked or defaced. Drupal has an extensive security page, which has a link to their latest information on how to secure a Drupal installation. If TYPO3 is being used, ensure that the most current version of it is being used.

Spamhaus systems detect many StealRat remote access trojan (RAT) infections on CMS systems.
  • XBL/CBL is also detecting and listing IP addresses with StealRat infections.
    • The CBL website offers assistance to help find the problem, fix it, and then prevent it from happening again.
  • CBL also mentions the "ebury SSH rootkit", a sophisticated Linux backdoor. It is built to steal OpenSSH credentials and maintain access to a compromised server. Suggested reading regarding ebury:


How can Wireshark help find the problem?
For experienced administrators, Wireshark or some other network sniffer is a useful option to track down odd/unusual/suspicious HELO/EHLO origins.
  • Wireshark is free of charge.
    • More in-depth details on how to set up and use Wireshark can be found on the CBL help pages.
Some Wireshark usage suggestions to help track down the problem:
  • Capture filter - set to: port 25
  • Display filter - set to: smtp.req.command == "HELO" or smtp.req.command == "EHLO"
  • If the exact HELO string to look for is known: (smtp.req.command == "HELO" or smtp.req.command == "EHLO") and (smtp.req.parameter contains "[HELO string]")
NOTE: Ensure that the above is adjusted so it only applies to sessions that are initiated from the problem IP - not to the IP.

This may work:
  • ip.src == [problem IP]
  • Combined with the HELO/EHLO filter above: ip.src == [problem IP] and (smtp.req.command == "HELO" or smtp.req.command == "EHLO")
If the packets being captured are carefully reviewed to locate the "oddities", it should be possible to identify where they are coming from.
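As an added example (not code from Spamhaus or the CBL help pages), the following Python script applies the same test as the Wireshark filters above to a saved capture file: every packet sent to TCP port 25 whose payload starts with HELO or EHLO is reported under the source address that sent it, which is what is needed on a NAT gateway or router (see the CSS section above) to learn which LAN device is making the connections. The minimal pcap writer and the sample capture are constructed here for the demonstration; the LAN and MX addresses in the sample are made up, and the optional src_ip and helo_contains arguments are assumed names standing in for the ip.src and "contains" display filters.

```python
import struct
from collections import defaultdict

def build_pcap(packets):
    """Constructed test input only: wrap (src, dst, dport, payload) tuples in a
    minimal Ethernet/IPv4/TCP pcap (little-endian, checksums left as zero)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for src, dst, dport, payload in packets:
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip          # 12 bytes of MACs + EtherType IPv4
        out.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def smtp_greetings(pcap, src_ip=None, helo_contains=None):
    """Map each source IP to the (destination, HELO/EHLO parameter) pairs it sent
    to TCP port 25. src_ip and helo_contains (assumed names) mirror the ip.src and
    'smtp.req.parameter contains' display filters described above."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4 or struct.unpack("<I", pcap[20:24])[0] != 1:
        raise ValueError("expected a little-endian pcap with Ethernet link type")
    found, off = defaultdict(list), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                      # not IPv4 over TCP
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if struct.unpack("!H", tcp[2:4])[0] != 25 or payload[:4].upper() not in (b"HELO", b"EHLO"):
            continue                                      # not a greeting to a remote port 25
        param = payload.split(b"\r\n", 1)[0][5:].decode("ascii", "replace").strip()
        if (src_ip is None or src == src_ip) and (helo_contains is None or helo_contains in param):
            found[src].append((dst, param))
    return dict(found)

# Constructed sample capture as seen on the LAN side of a NAT router: a normal
# submission on port 587, two greetings from one host to remote MXs on port 25,
# and an unrelated HTTP request. Only the port-25 greetings are reported.
SAMPLE = build_pcap([
    ("192.168.1.20", "203.0.113.10", 587, b"EHLO laptop.example\r\n"),
    ("192.168.1.77", "198.51.100.25", 25, b"HELO mail.example.net\r\n"),
    ("192.168.1.77", "198.51.100.26", 25, b"EHLO mail.example.net\r\n"),
    ("192.168.1.30", "198.51.100.40", 80, b"GET / HTTP/1.0\r\n\r\n"),
])
```

To use it on a real capture, pass the bytes of a pcap file saved by Wireshark or tcpdump (not pcapng) to smtp_greetings; a host that appears in the result but is not your mail server is the device to examine.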


© 1998-2020 The Spamhaus Project SLU. All rights reserved.