Our Domain IP blacklisted - Emails from shared IP

Our website is being blacklisted. I researched and this is the message I got when I was finally able to track down the source of the spam being sent from our shared IP. Clearly I cannot fix this but you need to:

Seeing this web page means the problem has NOT been fixed yet. If the web page link shown below is not your page and you are NOT the hosting administrator, you cannot fix this problem, and you will need to contact the hosting administrator to fix it.

This IP address corresponds to a web site that is infected with a spam or malware forwarding/redirection link.

In other words the site has been hacked and is serving up redirection links to spam or malware. It is also almost certainly sending spam too.

We recommend that you review instructions below so as to prevent this happening in future.

The infected host name is "www.appalachiastreaming.com", and this link has an example of the malicious redirect: "http://www.appalachiastreaming.com/wp-content/themes/sketch/d7d1b7d254.html". Depending on the infection type, there may be dozens more malicious redirection pages under www.appalachiastreaming.com.

WARNING: As the link is known to be malicious, browsing that link is at your own risk.

If www.appalachiastreaming.com is not your host, there is nothing you can do to fix this problem: contact your hoster and have them fix it.

If you are the administrator, searching your web server logs for www.appalachiastreaming.com will likely reveal other copies of these malicious links as well as the command-and-control links (often .php).

One hosting company reported that the malicious script was called "mainik.php" and was dropped from Russian IP addresses.

If the problem is not resolved, this will undoubtedly get listed again, and runs the risk of having the CBL disallow further removals. So, don't just delist the IP and expect it to stay delisted unless the root cause is solved.

In other words, Fix it! or run the risk of self-removals being refused in future listings.

Infected servers are usually shared web hosting environments running Cpanel, Plesk, Joomla or Wordpress CMS software that have become compromised either through a vulnerability (meaning the CMS software is out of date and needs patching), or user account information (userids/passwords) has been compromised, and malicious software/files are being uploaded by ftp or ssl. There are several different "families" of malware doing this, including darkmailer, directmailer, Stealrat and others. As a consequence of this, the instructions below focus on finding the problem no matter what it is.

Important: Simply removing the malicious link in general will not prevent future relistings. In fact, several of the botnets doing this have literally dozens of malicious redirects under the same hostname (webhosting account), other malicious links (eg: in Stealrat the command-and-control .php script), and there may be more than one infected webhosting account on the same machine. While manual cleaning of one of these infections sometimes works, it's generally quite difficult to be sure you have it all. We recommend disabling the account, then reinstalling the account from backups.

We believe that these specific infections are frequently done by altering web server access control mechanisms (example, ".htaccess" files on Apache web servers), and causing the redirect to occur on all "404 url not found" errors. We would appreciate it if you can give us copies of the modifications that this infection has made to your system.

It is probable that the change was made via SSL or ftp login using a userid/password stolen from the "owner" of the hostname/domain. They should run anti-virus tools on their computers, and the password they use to access the web site should be changed immediately.

If you do not recognize the hostname www.appalachiastreaming.com as belonging to you, it means that some other account on this shared hosting site has been compromised, and there is NOTHING you (or we) can do to fix the infection. Only the administrator of this machine or the owner of www.appalachiastreaming.com can fix it.

Below we've included some information that should help you find and resolve the problem. But again, if it's not your hosting account that's infected, you're unlikely to be able to fix it.

Special note: this listing is based upon detecting a malicious redirector page. Much of the following talks about detecting outbound malicious email. While most redirector-infected web hosts will also be sending email, not all will. By having the link above, you already know which hosting customer is infected, and the web server logs should tell you most of what you need to know.
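As an added example (not part of the CBL notice or of any post in this thread), here are the two checks the notice recommends, written in Python against constructed input: an .htaccess audit that flags a 404 handler or rewrite rule sending visitors off-site, and an access-log scan that counts hits on hashed .html pages under wp-content and POSTs to .php files placed there. The .htaccess text, the log lines, the IP addresses and the redirect.invalid host are all constructed; mainik.php is the script name the notice itself mentions.

```python
import re
from collections import Counter

# Constructed .htaccess, modelled on the CBL note's description of a
# redirect triggered on every 404 (hypothetical content, not from any real site).
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
ErrorDocument 404 http://redirect.invalid/landing
"""

# A legitimate ErrorDocument target is a local path or a quoted message; a full
# URL makes Apache answer 404s with an external redirect, which is the red flag.
ERRORDOC_RE = re.compile(r'^\s*ErrorDocument\s+404\s+(\S+)', re.I | re.M)
REWRITE_RE = re.compile(
    r'^\s*RewriteRule\s+\S+\s+(https?://\S+)\s+\[[^\]]*R', re.I | re.M)

def audit_htaccess(text):
    """Return (directive, target) pairs that send visitors to another host."""
    findings = [('ErrorDocument 404', t) for t in ERRORDOC_RE.findall(text)
                if t.lower().startswith(('http://', 'https://'))]
    findings += [('RewriteRule redirect', t) for t in REWRITE_RE.findall(text)]
    return findings

# Constructed Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2016:08:01:02 +0000] "GET /wp-content/themes/sketch/d7d1b7d254.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2016:08:01:09 +0000] "POST /wp-content/uploads/mainik.php HTTP/1.1" 200 43 "-" "-"
203.0.113.5 - - [10/May/2016:08:02:11 +0000] "GET /about/ HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2016:08:03:40 +0000] "POST /wp-content/uploads/mainik.php HTTP/1.1" 200 43 "-" "-"
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_log_hits(log_text):
    """Count POSTs to .php files under wp-content (dropped control scripts)
    and GETs for hashed .html pages there (the redirect pages), per client IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m.group(1, 2, 3)
        if method == 'POST' and path.endswith('.php') and '/wp-content/' in path:
            hits[('php-post', path, ip)] += 1
        elif re.search(r'/wp-content/.*/[0-9a-f]{10}\.html$', path):
            hits[('redirect-page', path, ip)] += 1
    return hits
```

Run both functions over the real .htaccess files and access logs of the affected account; a non-empty result from either is the starting point for the clean-up the notice describes.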


Hi. Same problem here, my website shares the same IP.

I called 3 weeks ago and nothing happened.

What security system does GoDaddy have for shared hosts?

If the infection crosses over to all the domains on the server, what then?


IP Address 160.153.16.37 is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet. The infected host name is "www.advance-ps.co.uk", and this link has an example of the malicious redirect: "http://www.advance-ps.co.uk/wp-content/plugins/cherry-plugin/admin/import-export/86b0194e97.html". Depending on the infection type, there may be dozens more malicious redirection pages under www.advance-ps.co.uk. WARNING: As the link is known to be malicious, browsing that link is at your own risk. If www.advance-ps.co.uk is not your host, there is nothing you can do to fix this problem: contact your hoster and have them fix it.

Same here. GoDaddy is sloppy with domain forwarding. They don't keep suspect domains off their servers.

Is there any solution for this problem? I am having the same problem with the shared host server of GoDaddy 166.62.28.126, where https://www.abuseat.org/lookup.cgi complains about a site www.balestier.com.sg hosted on the same shared host. My CRM software is not accepting the email ID of my domain, quoting that the IP is blacklisted!

I talked to GoDaddy service, but I doubt whether they understand, or they are not ready to support it though they understand. What do people do in this case? (I see there are around 80 sites hosted on this IP!)

The same issue here. I was told by GoDaddy support that I need to upgrade to Deluxe hosting, which has a dedicated IP, to avoid this issue, and that shared hosting will always suffer from these issues.