It has been brought to our attention that some clients are experiencing issues when trying to send email to other mail servers that use the CBL blacklist to filter their email.
As a result, any emails sent to those servers were bounced back with a message saying that the Uk Cheap Hosts server is blacklisted, giving as the reason that the server is hosting a site containing the CryptoPHP exploit (see screenshot below dated 28th of May).
After a scan of the server we found the culprit web site, and the client responsible has been asked to resolve the issue within 24 hours or risk their web site being removed from the server (which has now been done; see update of May 29th 2015).
Crypto What?
This is a bad, nasty exploit. The CryptoPHP exploit is installed through pirated copies of plugins or themes, offered for free and masquerading as the originals, which have been specially prepared by criminals to infect the website they are installed on. The exploit is then activated remotely, and very often it is not activated right away; it can be days, weeks or months before it is activated. It essentially creates pages on your site with links to other dodgy sites.
Here is a whitepaper about the CryptoPHP exploit: https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf
HEALTH WARNING: We advise EVERYBODY who is using any form of CMS like Joomla, Drupal, Magento, WordPress etc. to ensure they don't download a PIRATED theme or plugin from an unknown source, as it may contain secret embedded code which creates malicious backdoor activity. If you see a theme/plugin which is a copy of a paid version, then avoid it or risk the consequences. If it's too good to be true, it usually is.
UPDATE 29/5/2015
The client has confirmed they have removed the site from the server and profusely apologises for causing the issues.
UPDATE 30/5/2015
We have scanned the server space where the CryptoPHP virus was previously found and it has come back negative for any signs of the virus, so we have submitted a removal request to the CBL (see screenshot below).
Screenshot from 30th of May 2015
Screenshot from 28th of May 2015
Thursday, May 28, 2015