indifer.websitedns.in Migration Information

[GatorPraveen]

We are excited to announce that we will be migrating your Reseller Hosting package hosted on indifer.websitedns.in to brand new Dell servers in a new datacenter in Mumbai called GPX. GPX is the first datacenter in India to be an Uptime Certified Tier-IV datacenter, which is the highest level of certification possible. You can find out more about our new datacenter here - http://goo.gl/wHFfBk and here - http://goo.gl/Nc82qd.

We are excited about this migration as we believe it will significantly improve the quality of our services, and will result in a much better experience for you.

Maintenance Window

Our maintenance window will be split into two parts:

1. No access to cPanel

Starting 12 Noon on Monday, December 8th, we will block all access to cPanel. You and your customers will still be able to access Webmail, and will be able to make changes to their websites via FTP. Your customers websites will continue to function normally. Blocking access to cPanel will allow us to reduce the downtime you face during the migration.

2. Migration

We will be using a maintenance window of 12 hours, during which you website will face a downtime of upto an hour. The maintenance window starts on Tuesday, December 9th at 8PM IST. During this migration, your website and your customers’ websites will face intermittent downtimes of up to an hour.

We will be contacting you shortly with more technical details on the migration process.

[GatorPraveen]

Dear Customer, we are still in the process of migrating indifer.hostgator.in. Our ETA is 6PM today (Dec-11th). Thank you for your patience.

[deepakm]

Dear Customer, we are still in the process of migrating indifer.hostgator.in. Our ETA is 6PM today (Dec-11th). Thank you for your patience.

Any update? is it got completed?

[deepakm]

Any update? is it got completed?

any one has time to update this forum about migration process update of indifer server

[Gatorswaroop]

Dear Customer,

The Indifer.websitedns.in IP was blacklisted due to one of the hosting packages containing malware. We have scanned the server and all malicious contents has been removed from the server now.
We are already in the process of getting the Ip white-listed.

We will update you shortly with more technical details on the migration process.

Thank you for your patience.

[GatorPraveen]

Dear Customer, the migration of indifer.websitedns.in has been completed. Thank you for your patience.

[deepakm]

Dear Customer, the migration of indifer.websitedns.in has been completed. Thank you for your patience.

should we go ahead and update name server of all domains?

[deepakm]

should we go ahead and update name server of all domains?

IP address of indifer server has been blacklisted if we try to remove from there it say bot net hosted "wonderfails.net".


IP Address 103.21.59.168 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2014-12-11 12:00 GMT (+/- 30 minutes), approximately 18 hours ago.

Due to how these infections are being delisted without being corrected, you cannot delist this IP address until there's been at least 48 hours of no-relisting.

The host at this IP address is infected with the CryptPHP PHP malware.

CryptoPHP is a threat that uses backdoored Joomla, WordPress andn Drupal themes and plug-ins to compromise webservers on a large scale. More information about this threat can be found on the referenced link below.

Fox-IT: CryptoPHP - Analysis of a hidden threat inside popular content management systems
Attackers Using Compromised Web Plug-Ins in CryptoPHP Blackhat SEO Campaign
This infection almost certainly means that the infected web site has used pirated plugins from the nulledstylez.com, dailynulled.com sites or some other site that specializes in providing "nulled" (pirated) software. Fox-IT's research has shown that every pirated theme or plug-in on these two sites has been infested with the cryptophp malware.

This was detected by a TCP connection from 103.21.59.168 on port 52852 going to IP address 192.42.116.41 (the sinkhole) on port 80.

The botnet command and control domain for this connection was "wonderfails.net".

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 192.42.116.41 or host name wonderfails.net on any port with a network sniffer such as wireshark or by configuring the router to block and log such connections. Equivalently, you can examine your DNS server or proxy server logs to references to 192.42.116.41 or wonderfails.net. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

This detection corresponds to a connection at 2014-12-11 11:41:43 (GMT - this timestamp is believed accurate to within one second).

Fox-IT has published a new blog item on this infection. Fox-IT has written two Python scripts that should be very good at finding these infections: check_url.py and check_filesystems.py. The first script scans a web site to find the infection, the second is used for scanning the web site's filesystem to find the infection. Please go to the above Fox-IT link to obtain these scripts and further instructions.

Fox-IT recommends that you should NOT try to "repair" the infection. The infected account should be reinstalled from scratch.

I shall repeat the previous paragraph: removing the "social.png" file DOES NOT remove the infection. "social.png" is only just one small piece of it. The infected account should be reinstalled from scratch.

This listing cannot be delisted until at least 48 hours (2 days) have elapsed from the last listing. In 2 days from the above listing timestamp, come back here and you'll be able to delist this IP.

[deepakm]

After migration to new datacenter at GPX, Mumbai your relay server IP 103.21.58.134 blocked by many ISP like redif and Net4India.

Also many corporates like Axisbank and Siemens are rejecting emails.

Refer to below rejection message

Recipient address rejected: 550 delivery from 103.21.58.134 is rejected. Check at http://www.commtouch.com/Site/Resour...Reputation.asp. Reference code:


We have informed over the phone and raised ticket for the same but till now NO RESPONSE has come, this very disaapointing.


If this IP is creating issue then why it is not getting replaced with new IP


Shifting to new data center for the betterment seems it creating lots of mail delivery problem to the recipient

Hope security will on TOP priority and sort out the matter permanently

IP address of indifer server has been blacklisted if we try to remove from there it say bot net hosted "wonderfails.net".


IP Address 103.21.59.168 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2014-12-11 12:00 GMT (+/- 30 minutes), approximately 18 hours ago.

Due to how these infections are being delisted without being corrected, you cannot delist this IP address until there's been at least 48 hours of no-relisting.

The host at this IP address is infected with the CryptPHP PHP malware.

CryptoPHP is a threat that uses backdoored Joomla, WordPress andn Drupal themes and plug-ins to compromise webservers on a large scale. More information about this threat can be found on the referenced link below.

Fox-IT: CryptoPHP - Analysis of a hidden threat inside popular content management systems
Attackers Using Compromised Web Plug-Ins in CryptoPHP Blackhat SEO Campaign
This infection almost certainly means that the infected web site has used pirated plugins from the nulledstylez.com, dailynulled.com sites or some other site that specializes in providing "nulled" (pirated) software. Fox-IT's research has shown that every pirated theme or plug-in on these two sites has been infested with the cryptophp malware.

This was detected by a TCP connection from 103.21.59.168 on port 52852 going to IP address 192.42.116.41 (the sinkhole) on port 80.

The botnet command and control domain for this connection was "wonderfails.net".

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 192.42.116.41 or host name wonderfails.net on any port with a network sniffer such as wireshark or by configuring the router to block and log such connections. Equivalently, you can examine your DNS server or proxy server logs to references to 192.42.116.41 or wonderfails.net. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

This detection corresponds to a connection at 2014-12-11 11:41:43 (GMT - this timestamp is believed accurate to within one second).

Fox-IT has published a new blog item on this infection. Fox-IT has written two Python scripts that should be very good at finding these infections: check_url.py and check_filesystems.py. The first script scans a web site to find the infection, the second is used for scanning the web site's filesystem to find the infection. Please go to the above Fox-IT link to obtain these scripts and further instructions.

Fox-IT recommends that you should NOT try to "repair" the infection. The infected account should be reinstalled from scratch.

I shall repeat the previous paragraph: removing the "social.png" file DOES NOT remove the infection. "social.png" is only just one small piece of it. The infected account should be reinstalled from scratch.

This listing cannot be delisted until at least 48 hours (2 days) have elapsed from the last listing. In 2 days from the above listing timestamp, come back here and you'll be able to delist this IP.