0

Hi all,

My site is on a dedicated server by fasthosts.co.uk.
I got an email from the host server that my site has been placed on the Spamhaus SBL.
Below is the content for that:

>> Web bot: port 80
>> IP address 217.174.241.205: on fasthosts.co.uk/live-servers.net 
>> Canadian Pharmacy spammer[s] are using a botnet consisting of 
>> compromised systems on which NGINX is installed listening on port 80 
>> to proxy their pages unless the system, itself, is making use of that 
>> port in which case nginx listens on port 8080. The nameservers 
>> resolve hostnames which are spamvertized as port 80 (http://hostname) 
>> to IP addresses of systems with nginx listening on port 80 and 
>> resolve other hostnames, spamvertized on port 8080, 
>> http://hostname:8080, to IP addresses with nginx listening on that port.
>> 
>> The nameservers and hosts quickly rotate (double fast-flux) though 
>> the nameserver IP addresses listed in the root servers ('glue' 
>> records) may not change so quickly.
>> 
>> If you know a hostname you can find it at both port 80 and port 8080 
>> bots by forcing the resolution.
>> 
>> Canadian Pharmacy is running a counterfeit luxury good ('replicas') 
>> site along with their pharmacy site at these IP addresses.
>> 
>> A currently resolvable (for some reason they seem often to lose 
>> domains!) is discountprowatch.com (replicas site, spamvertized on 
>> port 80) and a recent (unresolvable) pharmacy hostname is 
>> buyviagraworld.com (spamvertized on port 8080). While they have 
>> "lost" buyviagraworld.com (there are no nameserver records in the 
>> root servers) they have not "retired" it (their nameservers, if you 
>> can find them, still resolve it to port 8080 bots and you can find 
>> the pharmacy site up by forcing the resolution).

Now host support is saying to resolve all issues.
But I don't know what I can do to solve it.

I'm not aware of server settings.
Please, all experts, help me out.

Will wait for response.

0

Hello,

It sounds like someone has posted a site on your server and is generating spam from it. I would start by checking the /tmp, /var/tmp and /usr/tmp directories for posted files or directories. Make sure when you do directory listings you use:

ls -la

I have always found they like to hide things in directories that look like they belong, like ... instead of just . and .. or ..<space> or along those lines. If nothing else, there may be something in one of your users' home directories. If it is a Linux box and you would like some help, send me a Private Message and a login and I can take a look.
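
The two checks discussed in this thread, as an added example that is not part of the reply above: look for directory names that imitate `.` and `..` in the temp directories, and list listeners on ports 80 and 8080 as named in the Spamhaus notice. The function names, the `--scan` switch, the inclusion of `/home` and the assumed `ss` column layout are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage helpers for a server flagged as a web proxy bot.

# Print entries under the given directories whose names imitate "." / ".."
# or hide behind whitespace, e.g. "...", ".. ", ". x", " x", "name ".
find_disguised_entries() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -mindepth 1 \( \
            -name '...*' -o -name '. *' -o -name '.. *' \
            -o -name ' *' -o -name '* ' \) -print 2>/dev/null
    done
}

# Read `ss -H -ltnp` output on stdin and print "local-address process" for
# every listener on port 80 or 8080. Assumption: the local address is the
# 4th column and the process is the 6th (ss layout when only TCP is requested
# and the command runs as root so process names are visible).
flag_web_listeners() {
    awk '{
        n = split($4, part, ":")              # port is the last ":" field
        if (part[n] == "80" || part[n] == "8080")
            print $4 " " (NF >= 6 ? $6 : "unknown-process")
    }'
}

# Run against the live system only when asked to: ./triage.sh --scan
if [ "${1:-}" = "--scan" ]; then
    echo "== disguised names in temp and home directories =="
    find_disguised_entries /tmp /var/tmp /usr/tmp /home
    echo "== listeners on 80/8080 =="
    ss -H -ltnp | flag_web_listeners
fi
```

Any process listed on 80 or 8080 that is not the web server you installed yourself, and any path the first function prints, is what to hand to the host's support or to whoever is cleaning the box.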

0

Thanks rch1231.
Sent you Private Message.
Please all.....Get me out of this.
