I have installed Maldet to clean from cryptophp infection ( social.png ) , but even if maldet does the job a few hours later , the IP is listed in CBL spamhaus and i cannot send mails , and i have to wait 48H to trigger delisting and been able to send mails again ; any idea how to resolve this please ?
Hello 
You could add another IP address and configure it as the IP address used for sending with Exim:
How to Configure Exim's Outgoing IP Address
Thank you.
You could add another IP address and configure it as the IP address used for sending with Exim:
How to Configure Exim's Outgoing IP Address
Thank you.
You need to find and remove the account that is infected with cryptophp. These infections come from stolen ("nulled") plugins that are packaged with malware.
Don't try to clean it. Nuke the site and start over. Until you do you will continue to be re-listed on the CBL. Generally, changing your sending IP is a band-aid fix, and one that can hurt your IP reputation more than help it. In this case you might get away with it, but you still need to solve the real problem here.
Don't try to clean it. Nuke the site and start over. Until you do you will continue to be re-listed on the CBL. Generally, changing your sending IP is a band-aid fix, and one that can hurt your IP reputation more than help it. In this case you might get away with it, but you still need to solve the real problem here.
Yes you are right , im terminating the account which having the social.png and not only deleting the file or extension , but you cannot forbid users from installing WP plugins , and if so , plugin may be infected and CBL seems to be so quick for listing , more quick than maldet do to detect and clean the infection
,assuming that im scanning the whole /home/*/public_html once a day , and when listed you are 48h blocked from sending mails , so any other solution than changing IP for exim ?
Last edited:
You can't forbid installing plugins, but you can make it against your ToS to install stolen plugins. According to all the research I saw, the cryptoPHP infections came from nulled (stolen) plugins.
Generally CBL de-listing is instant, unless you've previously requested delisting without fixing the problem.
If you need to change your mailing IP it can be done, but be sure to take everything into consideration; SPF records, reverse DNS, etc.
Generally CBL de-listing is instant, unless you've previously requested delisting without fixing the problem.
If you need to change your mailing IP it can be done, but be sure to take everything into consideration; SPF records, reverse DNS, etc.
| Thread starter | Similar threads | Forum | Replies | Date |
|---|---|---|---|---|
| I | Whitelisting an IP address | Security | 3 | |
| J | CBL Blocking IP Address | Security | 2 | |
| A | CBL Blocking - False positive? | Security | 3 | |
| J | Two CBL SPAMHAUS false positives in two days. Using high number ports which are closed. Possible? | Security | 9 | |
| L | Ip in spamhaus CBL | Security | 1 |