Hacked... Here's help

IP listed in CSS - General help
Hacked Website or CMS - General Information
CMS-Specific help
How can Wireshark help find the problem?


IP listed in CSS - General help
Why was this IP listed?

This IP was listed because we have evidence suggesting that the IP or something behind it is compromised or infected.

What should be done about it?

The situation requires correcting: Spamhaus has detected spoofed SMTP connections coming from this IP address. We are unable to advise on the exact nature of the infection, but hope the following information might be of help.
  • If you have devices running Microsoft Windows, take a look at Windows Defender, Malwarebytes, Norton Power Eraser, CCleaner and/or McAfee Stinger.
    • NOTE: These tools are free.
  • We have seen many mobile devices (mostly Android phones) being turned into spam proxies as a result of installing questionable apps.
  • Calling your ISP or taking your machine to a competent tech support service might also be useful.
Is this IP a NAT gateway, firewall or router?
  • Capturing the network traffic going to remote IPs on port 25 is the best way to identify which devices are generating this traffic: in general, only mailservers are supposed to generate such traffic, as mail clients rely on the dedicated ports 587 or 465.
  • Wireshark is a good (free) tool to investigate network traffic.
  • In some cases, the compromised device can also be the router itself.
    • Ensure that telnet port 23 (UDP and TCP) is not accidentally left open.
    • Please consult the documentation of your device regarding how to make sure its software is up to date, and how to ensure that the device is properly secured.
CSS listings expire automatically a set number of hours after last detection, so if the problem is solved the listing will fade out with no further intervention needed.


Hacked Website or CMS - General Information
There are five main steps to fixing a hacked website, and they MUST all be completed:
  1. If it is at all possible, the website/server should be taken offline while it is being fixed.
  2. All of the infected files must be removed.
  3. The CMS and all plugins and extensions must be updated to the latest and most secure versions.
  4. Be sure the server itself is secure, or ask a system administrator to perform a security audit.
  5. All passwords must be changed. Strong passwords should be used, and two factor authentication added wherever possible.
Take your website offline:
The whole time that a server is infected, it poses a threat of some kind to the rest of the Internet (spam, DDoS, botnet command node, malware infector, phishing websites, etc).
  • Domain reputation will suffer as a result of any infection. That drop in reputation will affect not only websites but also email... and not just due to Spamhaus listings.
  • It is very important to temporarily suspend an infected website, if possible, while it is repaired and secured.
  • Taking it offline will help protect domain and email reputation: this is a strategic decision with the fewest bad consequences for both the website operator and the Internet at large.
A good place to start is Spamhaus' news blog post on how to Stop Spammers from Exploiting your Webserver. Additional in-depth information: website software known as a Content Management System (CMS) is a common vector for attacks on websites, and such attacks can result in domains being listed by Spamhaus.

In all cases, for a domain to stay out of Spamhaus lists, the website's software (including the CMS and any related extensions or plugins) must be patched to a secure version, the infected files must be removed, and the server itself must be secured.
  • If hacked pages are detected after a domain has been de-listed, the domain will quickly be re-listed.
  • That re-listing should serve as an alert that the website and/or web server are still compromised, and that quick corrective action is required.
  • If re-listing happens too many times, we will prevent further removals until we are assured that the problem has been properly fixed.
All web servers, web server software and operating systems (OS) should also be checked and patched to current versions. Please secure your server(s).

These infections can and do affect any operating systems (OS). We see these infections on Windows/WINNT, Linux, FreeBSD, Darwin and more, and on Apache, nginx, squid, Microsoft-IIS and other web servers, too.

Anti-virus scans usually do not detect these infections. Running an a/v scan is a good thing to do, but a negative result does not mean that the website or server is clean of infection.

We are also receiving reports of accounts with compromised FTP passwords. For ISPs, some possible solutions (unknown, untested and not vouched for by Spamhaus, but still of possible interest):
  • Hacked websites in the news (Arstechnica)
  • Old but still relevant: Active malware campaign uses thousands of WordPress sites to infect visitors - Sep 18, 2015, by Dan Goodin


CMS-Specific help
WordPress has an FAQ in several languages, "My site was hacked!", which has many tips and links. Joomla has a Security Checklist, which specifies what to do if a site using their CMS has been hacked or defaced. Drupal has an extensive security page, which links to their latest information on how to secure a Drupal installation. If TYPO3 is being used, ensure that the most current version of it is in use.

Spamhaus systems detect many StealRat remote access trojan (RAT) infections on CMS systems.
  • XBL/CBL is also detecting and listing IP addresses with StealRat infections.
    • The CBL website offers assistance to help find the problem, fix it, and then prevent it from happening again.
  • CBL also mentions the "ebury SSH rootkit", a sophisticated Linux backdoor. It is built to steal OpenSSH credentials and maintain access to a compromised server. Suggested reading regarding ebury:


How can Wireshark help find the problem?
For experienced administrators, Wireshark or another network sniffer is a useful option for tracking down odd/unusual/suspicious HELO/EHLO origins.
  • Wireshark is free of charge.
    • More in-depth details on how to set up and use Wireshark can be found on the CBL help pages.
Some Wireshark usage suggestions to help track down the problem:
  • Capture filter - set to: port 25
  • Display filter - set to: smtp.req.command == "HELO" or smtp.req.command == "EHLO"
  • If the exact HELO string to look for is known: (smtp.req.command == "HELO" or smtp.req.command == "EHLO") and (smtp.req.parameter contains "[HELO string]")
NOTE: Ensure that the above is adjusted so it only applies to sessions that are initiated from the problem IP, not to traffic sent to that IP.

This may work (the address is written unquoted, and can be combined with the HELO/EHLO filter using "and"):
  • ip.src == [problem IP]
If the captured packets are carefully reviewed to locate the "oddities", it should be possible to identify where they are coming from.
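As an added illustration (not part of the Spamhaus page) of the two procedures above, finding which device behind a NAT generates port-25 traffic and picking out its HELO/EHLO strings, the script below summarises tab-separated field output of the kind tshark produces with `-T fields`. The sample lines, addresses, HELO strings and the "known mail server" are constructed assumptions.

```python
"""Summarise outbound HELO/EHLO activity per internal host.

Input: tab-separated lines of ip.src, ip.dst, tcp.dstport, smtp.req.command,
smtp.req.parameter, e.g. from
  tshark -r capture.pcap -Y smtp.req -T fields -e ip.src -e ip.dst \
         -e tcp.dstport -e smtp.req.command -e smtp.req.parameter
(assumed invocation; not taken from the page).
"""
from collections import defaultdict

# Constructed sample capture (RFC 5737 test ranges, made-up HELO strings).
SAMPLE_LINES = """\
192.168.1.10\t203.0.113.25\t25\tEHLO\tmail.example.net
192.168.1.10\t203.0.113.26\t25\tEHLO\tmail.example.net
192.168.1.37\t198.51.100.7\t25\tHELO\tlocalhost
192.168.1.37\t198.51.100.8\t25\tHELO\tlocalhost
192.168.1.37\t198.51.100.9\t25\tHELO\tUSER-PC
192.168.1.52\t203.0.113.40\t587\tEHLO\tphone.local
"""


def summarise_helo(lines, known_mailservers):
    """Map each non-mailserver source IP that greeted a remote port 25 to
    its number of greetings and the distinct HELO/EHLO strings it used."""
    per_host = defaultdict(lambda: {"count": 0, "helos": set()})
    for line in lines.splitlines():
        fields = line.split("\t")
        if len(fields) < 5:
            continue  # malformed or empty line
        src, _dst, dport, cmd, param = fields[:5]
        # Submission ports (587/465) are expected from mail clients; only
        # direct-to-MX traffic on port 25 is suspicious from a non-mailserver.
        if dport != "25" or cmd.upper() not in ("HELO", "EHLO"):
            continue
        if src in known_mailservers:
            continue
        per_host[src]["count"] += 1
        per_host[src]["helos"].add(param)
    return {ip: {"count": e["count"], "helos": sorted(e["helos"])}
            for ip, e in per_host.items()}


def display_filter(problem_ip, helo_string=None):
    """Build the Wireshark display filter from the page, restricted to
    sessions initiated by problem_ip (and optionally one HELO string)."""
    expr = (f"ip.src == {problem_ip} and "
            '(smtp.req.command == "HELO" or smtp.req.command == "EHLO")')
    if helo_string:
        expr += f' and smtp.req.parameter contains "{helo_string}"'
    return expr


if __name__ == "__main__":
    for ip, info in summarise_helo(SAMPLE_LINES, {"192.168.1.10"}).items():
        print(ip, info["count"], ", ".join(info["helos"]))
        print("  filter:", display_filter(ip))
```

Once the script names a host, the returned filter can be pasted into Wireshark to review that host's sessions in detail.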


© 1998-2020 The Spamhaus Project SLU. All rights reserved.