From abuse@clean-mx.de Thu Dec 30 11:08:33 2010
Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mail.dingens.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.9 required=4.8 tests=RCVD_IN_DNSWL_LOW,RDNS_NONE
	autolearn=disabled version=3.2.5
X-Original-To: info@x-pie.de
Delivered-To: info@x-pie.de
X-policyd-weight: using cached result; rate: -7.6
Received: from relayn.netpilot.net (unknown [62.67.240.20])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by wallaby.dingens.org (Postfix) with ESMTPS id BB27744073
	for ; Thu, 30 Dec 2010 11:08:29 +0100 (CET)
Received: from relayn.netpilot.net (localhost [127.0.0.1])
	by relayn.netpilot.net (Postfix) with ESMTP id 2BFD01EC81AA
	for ; Thu, 30 Dec 2010 11:08:26 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to
	:subject:cc:mime-version:message-id:date:content-type; s=sel;
	bh=A8gnA0Duru6PZSn2a8iPkilbUZ0=; b=TBFvizLPRnzaMJyzJ1IY3SP7zpn1
	d0MFC7xvc8tJQ114FPPf5ZvUVMFz/81IlYLCEThmGoImETDV8Ae7wIUjQgC1WWGG
	7bJf6nuTvjKdZDPGKK1lIgCysZgomPcBtphE88tcvX9poTJR1+LlEgH5atEZ4fO0
	DJxGPczsU9MMgBQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to
	:subject:cc:mime-version:message-id:date:content-type; q=dns; s=
	sel; b=KvYd3Z8jFG1KADNOWyGd/rvIDP/GYtsaSB/XUX2rZoIvEUQn8IvSr1Un+
	3uswOkCar0baXQVrrCFmk50ryU06DRWeOHEdxiou8uWeDU3PCC4EK0QAgMfycrFB
	/bT09N6NHRiWrDQJ9Hc+NpHeeLZt3xEkrgQ/IEsO/EeEIK1GAo=
Received: from dbserv.netpilot.net (unknown [195.214.79.22])
	by localhost (Postfix) with ESMTP id 1B01E1EC81AE
	for ; Thu, 30 Dec 2010 10:08:26 +0000 (UTC)
From: abuse@clean-mx.de
to: info@x-pie.de
Subject: [clean-mx-viruses-688441](212.75.36.180)-->(info@x-pie.de) viruses sites (1 so far) within your network, please close them!
	status: As of 2010-12-30 10:24:33 CET
cc: certbund@bsi.bund.de
Precedence: bulk
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-Mailer: clean mx secure mailer
X-Virus-Scanned: by netpilot GmbH at clean-mx.de
Message-Id: <20101230.1293701073@dbserv.netpilot.net>
Date: Thu, 30 Dec 2010 10:24:33 +0100
content-Type: multipart/signed; boundary="----------=_1293703705-11584-16700";
	micalg="pgp-sha1"; protocol="application/pgp-signature"

This is a multi-part message in MIME format.
It has been signed conforming to RFC3156.
Produced by clean-mx transparent crypt gateway. Version: 2.01.0619
http://www.clean-mx.de
You need GPG to check the signature.

------------=_1293703705-11584-16700
Content-type: multipart/mixed; boundary="----=_NextPart"

This is a multi-part message in MIME format.

------=_NextPart
Content-Type: text/plain; charset="iso-8859-1"

Dear abuse team,

please help to close these offending virus sites (1 so far).

status: As of 2010-12-30 10:24:33 CET

http://support.clean-mx.de/clean-mx/viruses.php?email=info@x-pie.de&response=alive
(for the full URI, please scroll to the right end ...)

We detected many active cases dating back to 2007, so please look at the date column below.

You may also subscribe to our MalwareWatch list:
http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch

This information has been generated out of our comprehensive real-time database, tracking worldwide virus URIs.

Most likely also affected pages for this IP may be found via passive DNS; please have a look at the other domains correlated to this IP. Example: see http://www.bfk.de/bfk_dnslogger.html?query=212.75.36.180

If you review this list of offending sites, please do this carefully; pay attention to redirects also!

Also, please consider that these particular machines may have a rootkit installed! So simply deleting some files or dirs or disabling CGI may not really solve the issue!

Advice: The appearance of a Virus Site on a server means that someone intruded into the system.
The server's owner should disconnect and not return the system into service until an audit is performed to ensure no data was lost, that all OS and internet software is up to date with the latest security fixes, and that any backdoors and other exploits left by the intruders are closed. Logs should be preserved and analyzed and, perhaps, the appropriate law enforcement agencies notified.

DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY PROBLEM, THEY WILL BE BACK!

You may forward my information to law enforcement, CERTs, other responsible admins, or similar agencies.

+-----------------------------------------------------------------------------------------------
|date                    |id     |virusname                |ip            |domain      |Url|
+-----------------------------------------------------------------------------------------------
|2010-11-11 01:41:19 CET |688441 |Hacktool/Servicekiller.A |212.75.36.180 |dingens.org |http://dingens.org/win32sec.exe
+-----------------------------------------------------------------------------------------------

Your email address has been pulled out of whois concerning this offending network block(s).
If you are not concerned with anti-fraud measures, please forward this mail to the next responsible desk available...

If you just close(d) these incident(s), please give us feedback; our automatic walker process may not detect a closed case.

explanation of virusnames:
==========================
unknown_html_RFI_php    not yet detected by scanners as RFI, but pure php code for injection
unknown_html_RFI_perl   not yet detected by scanners as RFI, but pure perl code for injection
unknown_html_RFI_eval   not yet detected by scanners as RFI, but suspect JavaScript obfuscating evals
unknown_html_RFI        not yet detected by scanners as RFI, but trapped by our honeypots as remote-code-injection
unknown_html            not yet detected by scanners as RFI, but suspicious; may in rare cases be a false positive
unknown_exe             not yet detected by scanners as malware, but high risk!
all other names         malware name as detected by scanners
==========================

Yours,

Gerhard W. Recher (Managing Director)
NETpilot GmbH
Wilhelm-Riehl-Str. 13
D-80687 München
GSM: ++49 171 4802507
Commercial Register Munich: HRB 124497
w3: http://www.clean-mx.de
e-Mail: mailto:abuse@clean-mx.de
PGP-KEY: Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id: 0xDD0CE552
Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc

------=_NextPart--

------------=_1293703705-11584-16700
Content-Type: application/pgp-signature; name="signature.asc"
Content-Disposition: inline; filename="signature.asc"
Content-Transfer-Encoding: 7bit
Content-Description: Digital Signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJNHFoaAAoJEBTGcx9kwGtzfZUIAMqiAkNQC6+u0uHRLe2afaRE
gbX9/hYMn29OOltZXzmsrW2f54Wni/OLWGkmyHyqk9FhQwJ+0CEgWWYNPux5SulX
FpwDFuDgYhvHllhMFgmkP7mNaf30hL25CfRy/yEsCs0nglSH5zgnrdHpqFW9lq11
pDW4C9dge7DGMHiQbATw2c9DkvJMZEwnRFlaq43zLHcV9XiCW5P3zUk0BaquL99A
mt2L5cMuPJDTYub3Z0PNjIWeSy1s9owpq/8MtnwTQhYLnh63kyUlIpN8Eg3X39Uv
I4wYr/nnPhGuaZXKJkINRCKP04R77XVJbkDdGeKvRUK5wgAM+V+WWAgPTggRgIk=
=JBV3
-----END PGP SIGNATURE-----

------------=_1293703705-11584-16700--
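The mail says you need GPG to check its RFC 3156 signature. The script below is an added example of what that check involves in practice; it is not code from clean-mx or its "transparent crypt gateway". It slices the multipart/signed message into the exact bytes that were signed and the detached signature, decodes the issuer key ID from the OpenPGP signature packet so it can be compared with the key advertised in the signature block (after `gpg --import` of the published key; a signing subkey carries its own key ID, so compare against gpg's key listing rather than only the primary fingerprint), and runs `gpg --verify` when GnuPG is installed. The embedded message, its boundary string and all function names are my own constructions; only the armored signature block is copied from the report above, and since it was made over a different body it will not verify even once the key is imported.

```python
"""Check a PGP/MIME (RFC 3156) abuse report before acting on it.
Added example, not clean-mx code: split the multipart/signed message into
the exact signed bytes and the detached signature, read the issuer key ID
from the OpenPGP signature packet (RFC 4880), then run `gpg --verify`."""
import base64
import email
import subprocess
import tempfile
from email import policy
from pathlib import Path
from typing import Tuple

# Constructed sample (assumption: not the real report).  Only the armored
# signature is copied from the clean-mx mail; it was made over other data,
# so gpg reports BAD signature even once the sender's key is imported.
SAMPLE = b"""From: abuse@clean-mx.de
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="sigbound"; micalg="pgp-sha1"; protocol="application/pgp-signature"

This is a multi-part message in MIME format.
--sigbound
Content-Type: text/plain; charset="iso-8859-1"

Dear abuse team,
please help to close these offending virus sites.
--sigbound
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJNHFoaAAoJEBTGcx9kwGtzfZUIAMqiAkNQC6+u0uHRLe2afaRE
gbX9/hYMn29OOltZXzmsrW2f54Wni/OLWGkmyHyqk9FhQwJ+0CEgWWYNPux5SulX
FpwDFuDgYhvHllhMFgmkP7mNaf30hL25CfRy/yEsCs0nglSH5zgnrdHpqFW9lq11
pDW4C9dge7DGMHiQbATw2c9DkvJMZEwnRFlaq43zLHcV9XiCW5P3zUk0BaquL99A
mt2L5cMuPJDTYub3Z0PNjIWeSy1s9owpq/8MtnwTQhYLnh63kyUlIpN8Eg3X39Uv
I4wYr/nnPhGuaZXKJkINRCKP04R77XVJbkDdGeKvRUK5wgAM+V+WWAgPTggRgIk=
=JBV3
-----END PGP SIGNATURE-----
--sigbound--
"""


def split_pgp_mime(raw: bytes) -> Tuple[bytes, bytes]:
    """Return (signed_bytes, armored_signature).  Per RFC 3156 the signed data
    is the first body part including its MIME headers, with CRLF line endings,
    minus the CRLF owned by the next boundary delimiter.  Raw bytes are sliced
    so nothing is refolded or re-encoded before hashing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/signed"
            or msg.get_param("protocol") != "application/pgp-signature"):
        raise ValueError("not a PGP/MIME multipart/signed message")
    raw = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")     # canonical CRLF
    delim = b"\r\n--" + msg.get_boundary().encode("ascii")
    hdr_end = raw.index(b"\r\n\r\n") + 2
    start = raw.index(delim + b"\r\n", hdr_end) + len(delim) + 2
    end = raw.index(delim, start)
    sig_part = raw[end + len(delim) + 2:raw.index(delim + b"--", end)]
    armor = sig_part.split(b"\r\n\r\n", 1)[1]                      # drop the part's headers
    return raw[start:end], armor + b"\r\n"


def issuer_key_id(armor: bytes) -> str:
    """Issuer key ID of a v4 signature packet.  It must be the sender's key or
    one of its signing subkeys, as `gpg --list-keys` shows after import."""
    inner = armor.split(b"-----BEGIN PGP SIGNATURE-----", 1)[1]
    inner = inner.split(b"-----END PGP SIGNATURE-----", 1)[0].replace(b"\r\n", b"\n")
    body = inner.split(b"\n\n", 1)[1]                     # skip armor headers (Version: ...)
    data = base64.b64decode(b"".join(ln for ln in body.split(b"\n")
                                     if ln and not ln.startswith(b"=")))  # "=xxxx" is the CRC
    tag = data[0]
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 2:
        raise ValueError("not an old-format OpenPGP signature packet")
    p = {0: 2, 1: 3, 2: 5}[tag & 0x03]                    # header size from length-type bits
    if data[p] != 4:
        raise ValueError("only v4 signatures handled")
    p += 4                                                 # version, sig type, pk alg, hash alg
    for _ in range(2):                                     # hashed, then unhashed subpacket area
        area_len = int.from_bytes(data[p:p + 2], "big")
        p, area_end = p + 2, p + 2 + area_len
        while p < area_end:
            length = data[p]                               # one-octet subpacket length only
            if length >= 192:
                raise ValueError("multi-octet subpacket length not handled")
            if data[p + 1] & 0x7F == 16 and length == 9:   # type 16 = issuer, 8-byte key ID
                return data[p + 2:p + 10].hex().upper()
            p += 1 + length
    raise ValueError("no issuer subpacket in signature")


def gpg_verify(signed: bytes, armor: bytes, gpg: str = "gpg") -> Tuple[bool, str]:
    """Run `gpg --verify`; True only means something once the sender's key is
    imported and its fingerprint checked against the published one."""
    with tempfile.TemporaryDirectory() as tmp:
        sig, dat = Path(tmp, "signature.asc"), Path(tmp, "signed.bin")
        sig.write_bytes(armor)
        dat.write_bytes(signed)
        res = subprocess.run([gpg, "--batch", "--no-tty", "--verify", str(sig), str(dat)],
                             capture_output=True, text=True)
    return res.returncode == 0, res.stderr
```

Typical use: `signed, armor = split_pgp_mime(raw_mail)`, then `issuer_key_id(armor)` to see which key signed, and `gpg_verify(signed, armor)` after importing the key from the Location URL in the signature block and comparing the fingerprint gpg prints with the one in the mail. The byte-slicing matters: re-serialising the parsed part through the email library can refold headers or change line endings, which silently breaks the hash.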