  1. #1
    CryptoPHP found
    Registered user, 10 posts, joined 25/10/14
    Name: Dennis
    Thread Starter

    Dear all,

    For a few days now our IP has been blocked by Symantec and blacklisted by Spamhaus and CBL... This is not because of SPAM!!!
    Further investigation indicated that CryptoPHP / PHP malware may be present...
    Of course I immediately had all website(s) scanned by Sucuri/Symantec/AVG/McAfee... All websites are clean!

    But where could it be hiding, then? I'm starting to get a bit desperate!
    The message I get from CBL is as follows:

    IP Address 85.214.96.235 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

    It was last detected at 2014-11-24 00:00 GMT (+/- 30 minutes), approximately 16 hours ago.

    It has been relisted following a previous removal at 2014-11-21 14:39 GMT (3 days, 1 hour, 56 minutes ago)

    The host at this IP address is infected with the CryptPHP PHP malware.

    CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. More information about this threat can be found on the referenced link below.

    Fox-IT: CryptoPHP - Analysis of a hidden threat inside popular content management systems
    Attackers Using Compromised Web Plug-Ins in CryptoPHP Blackhat SEO Campaign

    This infection almost certainly means that the infected web site has used pirated plugins from the nulledstylez.com, dailynulled.com sites or some other site that specializes in providing "nulled" (pirated) software. Fox-IT's research has shown that every pirated theme or plug-in on these two sites has been infested with the cryptophp malware.

    This was detected by a TCP connection from 85.214.96.235 on port 40683 going to IP address 173.193.197.194 (the sinkhole) on port 80.

    The botnet command and control domain for this connection was "outletginess.net".

    Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 173.193.197.194 or host name outletginess.net on any port with a network sniffer such as wireshark or by configuring the router to block and log such connections. Equivalently, you can examine your DNS server or proxy server logs for references to 173.193.197.194 or outletginess.net. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

    This detection corresponds to a connection at 2014-11-24 00:24:49 (GMT - this timestamp is believed accurate to within one second).

    Fox-IT has a blog item on finding and fixing CryptoPHP infections here. Based on suggestions found there, we recommend one of the following two *NIX command lines to find the current version of CryptoPHP. The first command is usually very fast, but will not find copies of CryptoPHP installed after the last time "updatedb" has run (usually once per day). The second command will find all existing copies, but may take hours to run.

    find -L / -type f -name 'social.png' | xargs file
    locate -b '\social.png' | xargs file

    If either script returns something like "../images/social.png: PHP script, ASCII text", then you have found one infection - there may be more than one.

    Note that the "locate" subsystem or "file" command are not always installed by default. On Debian or Ubuntu, you can install these two commands by "sudo apt-get install locate" and "sudo apt-get install file" respectively. If you have to install locate, it won't locate anything until "updatedb" (part of locate package) has run at least once. You can run it manually via "sudo update". Update takes a long time to run the first time.

    Fox-IT recommends that you should NOT try to "repair" the infection. The infected account should be reinstalled from scratch.

    I shall repeat the previous paragraph: removing the "social.png" file DOES NOT remove the infection. "social.png" is only just one small piece of it. The infected account should be reinstalled from scratch.

    NEW! There's a new version of findbot that should find CryptoPHP faster and simpler - try the -c option.

    There are a number of scanners that can be used on web servers to try to find malicious PHP and Perl scripts, such as rkhunter etc.

    With the assistance of others, we've written a simple perl script called findbot.pl that searches for such things as r57shell, cryptphp etc. It will search your system and find potentially dangerous scripts.

    As it's very simple-minded you will have to carefully inspect the files it finds to verify whether what it finds is malicious or not. Be aware of the file types - finding executable code fragments within ".png" or ".jpg" files clearly demonstrates that the file is malicious.

    In order to use findbot.pl, you will need Perl installed.

    Install perl if necessary
    Download findbot.pl
    Follow the instructions at the beginning of the findbot.pl file

    What can I do??
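
    Two defender-side checks that follow from the CBL notice above, written as an added example that is not part of this thread or of CBL's own findbot: a content scan for image-named files that are really PHP scripts (the "social.png" pattern the notice describes), and a log grep for the sinkhole IP and C2 host name it quotes. It assumes a POSIX shell with find, head, grep and mktemp; the sample tree and log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread or of CBL's findbot: two defender-side checks
# built from the CBL notice. Assumes a POSIX shell with find, head, grep and mktemp.

# 1. Content check for image-named PHP scripts (the CryptoPHP "social.png" pattern).
#    Walks $1 and prints every .png/.jpg/.gif whose first bytes are a PHP open tag.
#    Reads the bytes directly, so it also works where `file` is not installed.
find_php_in_images() {
    find -L "$1" -type f \( -name '*.png' -o -name '*.jpg' -o -name '*.gif' \) -print 2>/dev/null |
    while IFS= read -r f; do
        # A genuine PNG, JPEG or GIF starts with a binary magic number, never with "<?".
        if head -c 5 "$f" | grep -q '^<?'; then
            printf '%s: PHP script under an image name\n' "$f"
        fi
    done
}

# 2. Log check for the sinkhole indicators quoted in the notice. Run it over DNS,
#    proxy or firewall logs to see which internal host behind the NAT made the
#    connection. Fixed-string matching keeps the dots in the IP literal.
SINKHOLE_IP='173.193.197.194'
C2_HOST='outletginess.net'
find_sinkhole_hits() {
    grep -F -e "$SINKHOLE_IP" -e "$C2_HOST" "$1"
}

# Constructed demo data: a harmless PNG header, a PHP stub saved as social.png,
# and three made-up DNS log lines of which one names the C2 host. Prints the dir.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/nulled/images"
    printf '\211PNG\r\n\032\n' > "$d/wp-content/themes/nulled/images/logo.png"
    printf '<?php /* constructed stand-in, not the real backdoor */ ?>\n' > "$d/wp-content/themes/nulled/images/social.png"
    {
        printf '2014-11-24 00:24:49 client 10.0.0.7 query www.example.org A\n'
        printf '2014-11-24 00:24:49 client 10.0.0.7 query outletginess.net A\n'
        printf '2014-11-24 00:25:01 client 10.0.0.9 query www.example.net A\n'
    } > "$d/dns.log"
    printf '%s\n' "$d"
}

# Run with "demo" as the first argument to see both checks on the constructed data.
if [ "${1:-}" = demo ]; then
    d=$(make_demo_tree)
    find_php_in_images "$d"
    find_sinkhole_hits "$d/dns.log"
    rm -rf "$d"
fi
```

    Point the first check at the web root of each hosted site; a hit only tells you where one piece of the infection sits, which is why the notice insists on a reinstall rather than deleting the file.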

  2. #2
    CryptoPHP found
    Registered user, 219 posts, joined 09/06/08, location Utrecht
    Name: Sander

    There is already a topic about this (started by someone else) in which a number of solutions are suggested. Have you looked at it yet?



  3. #3
    CryptoPHP found
    Programmer / hoster, 3,952 posts, joined 20/06/06, location Wijlre
    Name: John Timmer
    Company: SystemDeveloper.NL
    Position: Owner
    URL: www.systemdeveloper.nl

    Doesn't that mail already tell you what to do and how?

  4. #4
    CryptoPHP found
    Registered user, 1,626 posts, joined 18/06/04, location Maastricht

    Have a look at this topic, it also lists solutions:
    http://www.webhostingtalk.nl/showthread.php?p=1294608



Webhostingtalk.nl
