Jump to content

[Solved] Stevie Mail Server Infected With Trojan?


Recommended Posts

Just sent an email from one of my domain accounts to a Yahoo address and the message was returned to sender ("Mail delivery failed: returning message to sender") with the following explanation:


"Connections will not be accepted from, because the ip is in Spamhaus's list."


I went to Spamhaus and entered the IP address (which belongs to the Stevie server). Here's the result:


IP Address is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2014-11-22 00:00 GMT (+/- 30 minutes), approximately 30 minutes ago.

The host at this IP address is infected with the CryptPHP PHP malware.

CryptoPHP is a threat that uses backdoored Joomla, WordPress andn Drupal themes and plug-ins to compromise webservers on a large scale. More information about this threat can be found on the referenced link below.

This infection almost certainly means that the infected web site has used pirated plugins from the nulledstylez.com, dailynulled.com sites or some other site that specializes in providing "nulled" (pirated) software. Fox-IT's research has shown that every pirated theme or plug-in on these two sites has been infested with the cryptophp malware.

There are a number of scanners that can be used on web servers to try to find malicious PHP and Perl scripts, such as rkhunter etc.

With the assistance of others, we've written a simple perl script called findbot.pl that searches for such things as r57shell, cryptphp etc. It will search your system can find potentially dangerous scripts.

As it's very simple-minded you will have to carefully inspect the files it finds to verify whether what it finds is malicious or not. Be aware of the file types - finding executable code fragments within ".png" or ".jpg" files is clearly demonstrates that the file is malicious.

In order to use findbot.pl, you will need Perl installed.

  • Install perl if necessary
  • Download findbot.pl
  • Follow the instructions at the beginning of the findbot.pl file

WARNING: If you continually delist without fixing the problem, the CBL will eventually stop allowing the delisting of

If you have resolved the problem shown above and delisted the IP yourself, there is no need to contact us.

Click on this link to delist


I assume you will take care of this and there's nothing for me to do?

Link to comment
Share on other sites

This topic is now closed to further replies.

  • Create New...