CBL blacklist removal – How to kill botnet malware & delist your IP
SpamHaus CBL or Composite Blocking List is a list of IPs that is known to send spam, or is found to have a bot infected website.
Here at Bobcares, we help website and server owners delist blacklisted IPs, and maintain their servers to prevent future infections or blacklisting.
Most CBL blacklist removal requests begin by site owners reporting either a bounced mail or a failed website scan.
Some examples are:
￼A message that you sent to the following recipient could not be delivered due to a permanent error. ** The remote server 32.153.XXX.XXX responded with: ** email@example.com 550:5.7.1 Service unavailable, Client host [134.43.217.XXX] blocked using Spamhaus. To request removal from this list see http://www.spamhaus.org/lookup.lasso. This message was created automatically by mail delivery software on the server red.myserver.net.
Mail log error
554 Service unavailable; Client host [myserver.com] blocked by cbl.abuseat.org; Blocked – see http://www.abuseat.org/lookup.cgi?ip=134.43.217.XXX (in reply to RCPT TO command)
Website scan error
Title: [134.43.217.XXX] Blacklist Check Failed- abuseat
Severity: Critical (10.0)
Description: 134.43.217.XXX is currently listed as a source of spam on the abuseat blacklist.
If you believe your site is listed erroneously, click here to request removal.
Spamhaus Abuseat CBL listing
What causes CBL blacklisting?
SpamHaus runs several “spam traps” all over the internet.
They collect spam mails using these traps, and find out which IPs are likely to be infected with spam scripts and botnets.
These IPs are listed as possible spam or malware sources using the blacklist.
Mail server administrators use this blacklist to deny mails from possible spam sources.
So, if your IP is listed in CBL, that means your server is infected with malware.
How are servers infected with malware?
There are broadly two ways in which attackers inject malware into a server:
- Exploiting vulnerable server software – This happens when server software (WordPress, Drupal, PHP, Kernel, etc.) are not updated. Hackers exploit vulnerabilities and inject malware.
- Uploading using stolen account passwords – Website or server administrators accidentally install virus in their PC either by visiting infected websites, by clicking on phishing mails or by inserting infected media. These viruses then log everything they type, and get access to the server and website.
Once a malware is injected into a website, it then becomes a launch pad to infect more websites.
How to delist a blacklisted IP from CBL
Delisting is not a simple click-and-go process.
It involves three steps:
- Cleaning malware from your server – The most reliable way is to restore your site from a clean backup taken before your site or server was infected. If this is not possible, then you need to use advanced troubleshooting to locate and weed out malware.
- Patching or rectifying the vulnerabilties that enabled malware upload – First you need to find out which software vulnerability or compromised account was used to upload malware. Then these software and account need to be secured to prevent a re-infection.
- Submitting a delist request – Once you are sure all malware is removed, you can use https://www.abuseat.org/lookup.cgi?ip=[YOUR_IP_HERE] to request a delisting. Note that if you jump to this step without completing step 1, and 2, your IP will be re-listed, and you will no longer be able to delist from the website.
- Maintenance and periodic audit to prevent another blacklisting – Apply software updates as soon as you see them, and get your server audited periodically by security professionals to prevent another blacklisting.
How to find out malware in the website and server
Here at Bobcares, we help hundreds of website owners every month in weeding out malware, and to keep their server clean.
We’ve seen that if a server is infected, often the safest and sometimes the fastest way is to setup a new server and restore the site from backup. It’ll ensure that there’s ZERO malware that can cause future infections.
However, it is not always possible, and we use a combination of techniques to detect malware. Some of these are:
- Use a malware scanner – Some tools like Maldet, RKHunter and ClamAV can detect malware in your website or server. It might not detect every malware out there, but it is a good starting point.
- Analyze running processes, network connections and traffic – Look for unusual behavior in the server like your “FTP” process sending out mails, or “Apache” process running for hours. See which file and user created that process. You can then locate the hidden malware.
- Go through the system logs – Find out when the outbound spam happened. Then look at the HTTPD, Cron and FTP log files around that time. See which file was accessed. That will give you the malware location.
- Scan the server for encoded files – Hackers love to obfuscate their code. So, look for encoded files that use common obfuscation commands. We covered malware scanning in more detail in this post.
- Look for altered system files – Attackers often replace system binaries such as SSH, HTTPD, etc. if they get root access to your server. You can find them using the “rpm -v” command or the “file” command.
- Find uncommon files – Look for newly created files in /dev/, /boot/, /opt/, etc. that has no reason to be there. Most likely those were dumped there by a malware.
If you need help with weeding out malware from your server, click here to contact our security experts. We are online 24/7.
How to find out and patch vulnerabiltiies
Once you find out and clean all malware, you need to figure out how they got into the server.
The best way for this is to look at the logs.
If you see FTP or File Manager logs accessing the malware, you can be reasonably sure that the malware was injected through a compromised account.
If you do not see any upload logs, but see an HTTPd process suddenly giving rise to a malicious process, you can be sure that it’s a software vulnerability. Some sites that have FTP auto-enabled also leave FTP logs.
This step is VERY important. Unless you accurately identify and patch the vulnerabilities, your server will be infected again, and future delistings will be difficult.
It can get a bit complicated. So, if you need a bit of help, click here to talk to our server experts. We are online 24/7.
How to request IP delisting in Composite Blocking List
If your IP is listed for the first time, this should be an easy process.
Once all the above steps are completed, wait for a few hours, and then use the link https://www.abuseat.org/lookup.cgi?ip=[YOUR_IP_HERE] to see your listing, scroll to the bottom, and request a delisting.
If in case this “Self Removal” is not shown, CBL can be contacted at “firstname.lastname@example.org”.
You’ll need to explain the steps you took to kill the malware and fix the root cause.
If you need a security expert to take care of this, click here. We are online 24/7.
How to prevent future IP blacklisting
It is easy to fall into a sense of security once all malware is cleaned and the specific vulnerability is patched.
But it is a trap.
The real villain in this whole issue is the lack of caution.
Because you either forgot to apply software updates as soon as they were available, or your PC was infected.
Either way, you need to take these steps to prevent a future blacklisting. It includes broadly:
- Server hardening – From file system hardening to web applicaton firewalls, a lot can be done to prevent upload and execution of server malware. Get a professional server management company to do a one time hardening and optimization on your server. This will ensure that even if a malware gets into the server, it will not be able to execute any commands.
- 24/7 monitoring – New vulnerabilities are disclosed all the time. You need a professional company to evaluate new threats, monitor connections on your site, and if needed, apply emergency patches if a new exploit is making rounds. You can get this service for as low as $24.99/month.
- Timely updates – I can’t stress this enough. Apply updates as soon as it is released. If you don’t have time to do it yourself, get someone to do it for you. We can do this for you using our Basic Server Management service for just $69.99/month.
- Periodic audits – Online security is an ever changing battle field. New malware, new modes of attack, and new defenses come out all the time. So, get a professional to takea look at all your server defenses and settings at least once every 2 months. This usually costs $250 or more, but if you are a subscriber to our server management plans, this is free.
SpamHaus CBL is a list of all IPs that’s known to send out spam. For CBL blacklist removal, you’ll need to first locate the malware in your server, clean it and then patch the vulnerability used to upload the malware. Once you are sure your server can no longer be infected, you can request a delisting.