{"id":1115,"date":"2021-07-20T07:03:12","date_gmt":"2021-07-20T12:03:12","guid":{"rendered":"https:\/\/www.knownhost.com\/kb\/?p=1115"},"modified":"2026-01-23T06:16:53","modified_gmt":"2026-01-23T12:16:53","slug":"detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting","status":"publish","type":"post","link":"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/","title":{"rendered":"Detecting and Cleaning EITest Infections Following Spamhaus and CBL Blacklisting"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_2 ez-toc-wrap-right counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #212121;color:#212121\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #212121;color:#212121\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/#eitest_infections_and_blacklists\" >EITest Infections and Blacklists<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/#how_to_find_the_infection\" >How To Find the Infection<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/#removing_the_eitest_infections\" >Removing the EITest Infections<\/a><\/li><\/ul><\/nav><\/div>\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"eitest_infections_and_blacklists\"><\/span>EITest Infections and Blacklists<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>EITest is older malware dating back to at least 2011 that uses compromised websites to accomplish several different nefarious tasks, such as directing users to Exploit Kits landing pages which are responsible for distributing various types of malware. One of the latest was the payload being downloaded to victim&#8217;s computers to generate fraudulent traffic. This was disguised as a popup to notify the user of a &#8216;problem&#8217; stating that the user was missing the &#8220;Hoefler text&#8221; font, which was accompanied by the proposed solution to download the font via the &#8220;Chrome_Font.exe&#8221; file. The user would remain uninfected until they executed the downloaded file, which would then begin generating malicious traffic via background browsing on the victim&#8217;s computer.&nbsp;<a href=\"https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme\">EITest Nabbing Chrome Users with a \u201cChrome Font\u201d Social Engineering Scheme<\/a><\/p>\n\n\n\n<p>Many infections of Eitest were the result of WordPress exploitation via the MailPoet plugin vulnerability in 2014. Let me stress that WordPress is no less secure than other CMSs on average, it is just the most popular choice by far and thus an ideal target for generating malicious traffic. Nonetheless, this malware was also seen with other CMSs, but the proportion of affected WordPress sites outnumbers those of other CMSs primarily because the number of WordPress sites overall outnumbers that of other CMSs.<\/p>\n\n\n\n<p>You have probably found this article because your server&#8217;s IP is blacklisted via Spamhaus, which then states that the blacklisting is due to being listed on the CBL due to an EITest infection.<\/p>\n\n\n\n<p>If you were to visit Spamhaus, the&nbsp;URL&nbsp;and results would be as follows (where 108.xxx.xx.xxx) represents the mail server IP):<\/p>\n\n\n\n<p><a href=\"https:\/\/check.spamhaus.org\" rel=\"nofollow\">Spamhaus Blocklist Removal Center<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"666\" src=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/spamhaus-listed-via-cbl-1024x666.png\" alt=\"\" class=\"wp-image-1116\" srcset=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/spamhaus-listed-via-cbl-1024x666.png 1024w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/spamhaus-listed-via-cbl-300x195.png 300w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/spamhaus-listed-via-cbl-768x500.png 768w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/spamhaus-listed-via-cbl.png 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Once you click on the CBL link above, you are taken to a page similar to this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"872\" src=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/cbl-site-eitest_-1024x872.png\" alt=\"\" class=\"wp-image-1117\" srcset=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/cbl-site-eitest_-1024x872.png 1024w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/cbl-site-eitest_-300x256.png 300w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/cbl-site-eitest_-768x654.png 768w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/cbl-site-eitest_.png 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Scrolling down the page will then reveal details about the detection like so:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"800\" height=\"247\" src=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/cbl-eitest-detection-summary.png\" alt=\"\" class=\"wp-image-1118\" srcset=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/cbl-eitest-detection-summary.png 800w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/cbl-eitest-detection-summary-300x93.png 300w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/cbl-eitest-detection-summary-768x237.png 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>The CBL is quite trusting as it will allow you to self-remove your IP from the blacklist, however, if you do so without actually cleaning the EITest infection, it will detect this continuing EITest activity and stop allowing you to self-remove your IP. The CBL page will state something along the lines of the following:<\/p>\n\n\n\n<p><em>Self Removal:<br>Normally, you can remove the CBL listing yourself. If no removal link is given below, follow the instructions, and come back and do the lookup again, and the removal link will appear.<br>Too many relistings in the past 24 hours (22), we recommend you read and implement our suggestions, and try again in a day or so.<\/em><\/p>\n\n\n\n<p>That particular server had been re-listed 23 times in a single day. Obviously, EITest infections is a very active malware and monitoring the network activity to find what account is responsible shouldn&#8217;t take too long to yield results. It is certainly nothing that should be taken lightly. Allowing it to persist indicates that vulnerabilities exist in your site(s) that could all sensitive data such as your customer&#8217;s data to be stolen and\/or cause damage to your server&#8217;s, site&#8217;s or business&#8217;s reputation. Thus, it is imperative to actually clean the infection from your account(s) and then properly secure your account(s) to prevent further malware infections, even if Eitest has been completely sinkholed.<\/p>\n\n\n\n<p>EITest itself isn&#8217;t the major concern since it has been rendered essentially harmless due to the infection sinkhole operation by Proofpoint, abuse.ch, BrilliantIT, and Twitter user @Secu0133. on March 15, 2018.&nbsp;Though the blacklisting is a bit frustrating since it affects mail deliverability, the real concern is the vulnerabilities and possible backdoors that exist on those compromised sites and the potential adverse effects on those that visit the site.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"how_to_find_the_infection\"><\/span>How To Find the Infection<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The information provided via the CBL can be quite daunting, confusing, and overly technical for many site owners. Many don&#8217;t know how to monitor their traffic to determine the infected user, and may have many sites on their reseller servers which complicates pinpointing the infection.<\/p>\n\n\n\n<p>Proofpoint has provided the following list of C&amp;C domains and the Sinkhole IP to monitor for.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"900\" height=\"475\" src=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/ioceitestproofpoint.png\" alt=\"\" class=\"wp-image-1119\" srcset=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/ioceitestproofpoint.png 900w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/ioceitestproofpoint-300x158.png 300w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/ioceitestproofpoint-768x405.png 768w\" sizes=\"(max-width: 900px) 100vw, 900px\" \/><\/figure>\n\n\n\n<p>When digging one of the domain listed for its A record, you can see that the A record returned is a sinkholed IP belonging to abuse.ch:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"900\" height=\"113\" src=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/sinkholeaubseip.png\" alt=\"search Eitest infections\" class=\"wp-image-1120\" srcset=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/sinkholeaubseip.png 900w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/sinkholeaubseip-300x38.png 300w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/sinkholeaubseip-768x96.png 768w\" sizes=\"(max-width: 900px) 100vw, 900px\" \/><\/figure>\n\n\n\n<p>Abuse.ch has provided the&nbsp;<a href=\"https:\/\/www.abuseat.org\/shtracer.pl\">shtracer.pl script<\/a>&nbsp;to monitor network traffic to help in identifying where the infection is, and then LASKOWSKI-TECH went even further to expand on this method for other operating systems and to include custom yara signatures.&nbsp;<a href=\"https:\/\/www.abuseat.org\/shtracer.html\">FINDING BOTNETS ON SERVERS &#8211; INTRODUCING &#8220;SHTRACER&#8221;<\/a><\/p>\n\n\n\n<p>Here at KnownHost, we decided to combine parts 1 and 2 into one script and modify it so that it is cPanel server specific, so that finding and eliminating this infection can be as easy as possible for our customers.<\/p>\n\n\n\n<p>The purpose of this script is to help detect Eitest infections on cPanel servers and locate the malicious files. It does the following:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Uses netstat to monitor the network for connections to the sinkhole IP. If your cPanel server&#8217;s IP is blacklisted via CBL, it will ask you for the sinkhole IP. It will use the known sinkhole IP as the default if you simply press Enter when asked. This was done to allow the script to remain effective in case the sinkhole IP is changed in the future.<\/li><li>If and when a connection to the sinkhole IP is detected, it will then log the output of lsof -p PID to \/root\/support\/detect-eitest\/eitest-files-$PID.log and the output of netstat for that connection to \/root\/support\/detect-eitest\/eitest-connection-log.txt. It gets the infected user&#8217;s username from this detection.<\/li><li>It then asks if you want to run Clamscan on the infected account. If so, it checks to see if cPanel&#8217;s Clamscan RPMs are installed and installs them if not.<\/li><li>It will git clone the custom Yara rules used for Eitest infections PHP malware.<\/li><li>It will then initiate a Clamscan instance for the infected user using these rules.<\/li><li>It kills the screen session running the monitoring script.<\/li><li>It outputs the results of the Clamscan here: \/root\/support\/detect-eitest\/scanresults.txt<\/li><\/ol>\n\n\n\n<p>You can download the script by simply clicking the file link below. As always, it is recommended to review any scripts you download off of the internet before you run them.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/usr\/bin\/env bash\n \n# Eitest Script for cPanel Servers\n \n#Get Sinkhole IP\n \necho Enter Destination IP from the Detection Information Summary CBL report or press enter if the Destination IP is 192.42.116.41\nread input\n \nmkdir -p \/root\/support\/detect-eitest &amp;&amp; cd $_\nscript=eitest-monitor.sh\n(\ncat &lt;&lt;'EITESTSCRIPT'\n#!\/usr\/bin\/env bash\nsinkhole=${input:-\"192.42.116.41\"}\nwhile true; do\n connect=$(netstat -tpn | grep $sinkhole);\n if &#091;&#091; $connect ]]; then\n PID=$(echo $connect | awk '{print$7}' | cut -d '\/' -f1);\n (lsof -p $PID &gt; eitest-files-$PID.log &amp;)\n echo $connect &gt;&gt; eitest-connection-log.txt;\n fi\nsleep 0.01\ndone\nEITESTSCRIPT\n) &gt; $script\n \n \n# Start Process Detection Script \n \nchmod 755 eitest-monitor.sh\nscreen -S eitest-monitor -dm bash -c '.\/eitest-monitor.sh'\n \n \n# Wait Until a Eitest Connection is Logged to Get the Infected User\n \necho\necho\necho Monitoring the Network for Eitest Activity Now ... ... ... ... ...\necho ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ...\nuntil  &#091; -e eitest-connection-log.txt ]; do\n sleep 60\ndone\n \n \nsleep 15\nRED='\\033&#091;0;31m'\nNC='\\033&#091;0m' # No Color\nfile=$(ls -lah | grep eitest-files-&#091;0-9] | tail -1 | awk {'print $9'})\nuser=$(tail -1 $file | awk {'print $3'})\necho \necho -e \"${RED}Eitest Connection Detected for user ${user}! Initiating Clamscan using Yara Signatures on Account...${NC}\"\necho\n \necho \"Do you want to initiate a Clamscan on this account now? &#091;Y\/N] This will install clamscan and the necessary custom yara rules if not installed already.\"\nread input\nif &#091; $input == \"y\" ] || &#091; $input == \"Y\" ]; then\n echo Proceeding...\nelse\n echo Terminating Script now...\n screen=$(screen -ls | grep eitest-monitor | awk {'print $1'})\n screen -X -S $screen quit\n exit\nfi\n \n#Check for Clamscan and Install if Necessary\n \nif &#091; -f \/usr\/local\/cpanel\/3rdparty\/bin\/clamscan ]; then\n echo Clamscan is installed. Proceeding.\n echo\nelse\n echo Installing Clamscan...\n echo\n \/scripts\/update_local_rpm_versions --edit target_settings.clamav installed\n \/scripts\/check_cpanel_rpms --fix --targets=clamav\nfi\n \necho Git the Eitest Yara Signatures for Clamscan... \necho\n \nif &#091; -f \/root\/support\/detect-eitest\/lw-yara\/lw.hdb ]; then\n echo Custom Yara Rules are installed. Proceeding.\n echo\nelse\n echo Installing Custom Yara Rules...\n echo\n git clone https:\/\/github.com\/Hestat\/lw-yara.git\nfi\n \n# Start Clamscan With Eitest Yara Rules for the User\n \n\/usr\/local\/cpanel\/3rdparty\/bin\/clamscan -ir -l scanresults.txt -d lw-yara\/lw-rules_index.yar -d lw-yara\/lw.hdb \/home\/$user\n \n#Kill Screen\n \nscreen=$(screen -ls | grep eitest-monitor | awk {'print $1'})\nscreen -X -S $screen quit\n \n#Print Results\n \nwd=$(pwd)\necho Scan Complete! Results: $wd\/scanresults.txt<\/code><\/pre>\n\n\n\n<p>To use this script, download and then do the following:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  sh eitest.sh<\/code><\/pre>\n\n\n\n<p>Or:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  chmod +x eitest.sh\n  .\/eitest.sh<\/code><\/pre>\n\n\n\n<p>And then follow the prompts. The following shows output from running this script on an infected server.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"759\" src=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/expected-eitest.sh-output-1024x759.png\" alt=\"monitoring Eitest infections\" class=\"wp-image-1121\" srcset=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/expected-eitest.sh-output-1024x759.png 1024w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/expected-eitest.sh-output-300x223.png 300w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/expected-eitest.sh-output-768x570.png 768w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/expected-eitest.sh-output.png 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n<div class=\"kb-shortcode kb-shortcode_warning\">\n                    <div class=\"kb-shortcode-icon\">\n                        <i class=\"fa fa-exclamation-triangle fa-2x\"><\/i>\n                    <\/div>\n                    <div class=\"kb-shortcode-content_warning\">IMPORTANT!!! Just because this scan identifies one user and then quits does not mean that other users are not also infected! You need to clean the infected user&#8217;s account and rescan to determine whether the infection no longer exists on the server!<\/div>\n                <\/div>\n\n\n\n<p>This script was adapted to automate this process for cPanel servers and much attribution must be given to Mark David Scott Cunningham, Abuse.ch, LASKOWSKI-TECH, Twitter users @kafeine, @Secu0133, and those others listed in this article for their hard work to protect the internet and combat this malware. Much of the monitoring portion of the script above was adapted from the script eitest-connection-watch.sh written by Mr. Cunningham.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"removing_the_eitest_infections\"><\/span>Removing the EITest Infections<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Due to the highly customizable nature of websites, KnownHost is unable to provide a single solution for cleaning an infected site. We can, however, provide some direction. Once you have run the script and it has identified the infected user, you can then use the Clamscan results from the script&#8217;s output to help you and your developer get started with removing the malicious code. It isn&#8217;t enough to remove the malicious code alone. You&nbsp;must&nbsp;also secure the vulnerabilities in the site that allowed the initial compromise. You may choose to restore from a backup prior to any compromise if you have one older than the date that the compromise first occurred. Even if you choose to go this route, you must still make sure to secure the site. As with any compromise, you will want to check the databases to make sure that no extra users with administrator privileges had been added. WPScan&nbsp;is an excellent tool for discovering vulnerabilities in a site&#8217;s code, plugins, or themes if you are using WordPress. Similar tools exist online for other CMSs. EITest infections have been around long enough! Let&#8217;s end it once and for all!<\/p>\n\n\n\n<p><strong>Remember:<\/strong>&nbsp;that <a href=\"https:\/\/www.knownhost.com\/\">KnownHost<\/a> is here to help! If you would like for us to run the script for you since it requires SSH root access, then please open a support ticket. We can also run WPScan for your domain as well. Once you have cleared the malware infection, we would be glad to run the script for you again or to help with submitting a delisting request if necessary.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>EITest Infections and Blacklists EITest is older malware dating back to at least 2011 that uses compromised websites to accomplish several different nefarious tasks, such as directing users to Exploit Kits landing pages which are responsible for distributing various types of malware. One of the latest was the payload being downloaded to victim&#8217;s computers to [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[92],"tags":[161,162,164,123,165,163],"class_list":["post-1115","post","type-post","status-publish","format-standard","hentry","category-technical-support","tag-blacklist","tag-blacklisted","tag-compromise","tag-linux","tag-malware","tag-spamhaus"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Clean EITest Infections After Spamhaus\/CBL Blacklisting | KnownHost<\/title>\n<meta name=\"description\" content=\"Step-by-step guide to detect and remove EITest malware infections from your server. Fix Spamhaus and CBL blacklisting issues with proven cleanup methods.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Clean EITest Infections After Spamhaus\/CBL Blacklisting | KnownHost\" \/>\n<meta property=\"og:description\" content=\"Step-by-step guide to detect and remove EITest malware infections from your server. Fix Spamhaus and CBL blacklisting issues with proven cleanup methods.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/\" \/>\n<meta property=\"og:site_name\" content=\"KnownHost\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-20T12:03:12+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-01-23T12:16:53+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/spamhaus-listed-via-cbl.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"781\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jonathan K. W.\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jonathan K. W.\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\\\/\"},\"author\":{\"name\":\"Jonathan K. W.\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\"},\"headline\":\"Detecting and Cleaning EITest Infections Following Spamhaus and CBL Blacklisting\",\"datePublished\":\"2021-07-20T12:03:12+00:00\",\"dateModified\":\"2026-01-23T12:16:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\\\/\"},\"wordCount\":1461,\"image\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/spamhaus-listed-via-cbl-1024x666.png\",\"keywords\":[\"blacklist\",\"blacklisted\",\"compromise\",\"linux\",\"malware\",\"spamhaus\"],\"articleSection\":[\"Technical Support\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\\\/\",\"url\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\\\/\",\"name\":\"Clean EITest Infections After Spamhaus\\\/CBL Blacklisting | KnownHost\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/spamhaus-listed-via-cbl-1024x666.png\",\"datePublished\":\"2021-07-20T12:03:12+00:00\",\"dateModified\":\"2026-01-23T12:16:53+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\"},\"description\":\"Step-by-step guide to detect and remove EITest malware infections from your server. Fix Spamhaus and CBL blacklisting issues with proven cleanup methods.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/spamhaus-listed-via-cbl.png\",\"contentUrl\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/spamhaus-listed-via-cbl.png\",\"width\":1200,\"height\":781},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Detecting and Cleaning EITest Infections Following Spamhaus and CBL Blacklisting\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#website\",\"url\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/\",\"name\":\"KnownHost\",\"description\":\"KnownHost provides a comprehensive webhosting knowledge base to help answer many of your common webhosting and linux questions.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\",\"name\":\"Jonathan K. W.\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"caption\":\"Jonathan K. W.\"},\"sameAs\":[\"https:\\\/\\\/www.knownhost.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Clean EITest Infections After Spamhaus\/CBL Blacklisting | KnownHost","description":"Step-by-step guide to detect and remove EITest malware infections from your server. Fix Spamhaus and CBL blacklisting issues with proven cleanup methods.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/","og_locale":"en_US","og_type":"article","og_title":"Clean EITest Infections After Spamhaus\/CBL Blacklisting | KnownHost","og_description":"Step-by-step guide to detect and remove EITest malware infections from your server. Fix Spamhaus and CBL blacklisting issues with proven cleanup methods.","og_url":"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/","og_site_name":"KnownHost","article_published_time":"2021-07-20T12:03:12+00:00","article_modified_time":"2026-01-23T12:16:53+00:00","og_image":[{"width":1200,"height":781,"url":"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/spamhaus-listed-via-cbl.png","type":"image\/png"}],"author":"Jonathan K. W.","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jonathan K. W.","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/#article","isPartOf":{"@id":"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/"},"author":{"name":"Jonathan K. W.","@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b"},"headline":"Detecting and Cleaning EITest Infections Following Spamhaus and CBL Blacklisting","datePublished":"2021-07-20T12:03:12+00:00","dateModified":"2026-01-23T12:16:53+00:00","mainEntityOfPage":{"@id":"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/"},"wordCount":1461,"image":{"@id":"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/#primaryimage"},"thumbnailUrl":"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/spamhaus-listed-via-cbl-1024x666.png","keywords":["blacklist","blacklisted","compromise","linux","malware","spamhaus"],"articleSection":["Technical Support"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/","url":"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/","name":"Clean EITest Infections After Spamhaus\/CBL Blacklisting | KnownHost","isPartOf":{"@id":"https:\/\/www.knownhost.com\/kb\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/#primaryimage"},"image":{"@id":"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/#primaryimage"},"thumbnailUrl":"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/spamhaus-listed-via-cbl-1024x666.png","datePublished":"2021-07-20T12:03:12+00:00","dateModified":"2026-01-23T12:16:53+00:00","author":{"@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b"},"description":"Step-by-step guide to detect and remove EITest malware infections from your server. Fix Spamhaus and CBL blacklisting issues with proven cleanup methods.","breadcrumb":{"@id":"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/#primaryimage","url":"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/spamhaus-listed-via-cbl.png","contentUrl":"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/spamhaus-listed-via-cbl.png","width":1200,"height":781},{"@type":"BreadcrumbList","@id":"https:\/\/www.knownhost.com\/kb\/detecting-and-cleaning-eitest-infections-following-spamhaus-and-cbl-blacklisting\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.knownhost.com\/kb\/"},{"@type":"ListItem","position":2,"name":"Detecting and Cleaning EITest Infections Following Spamhaus and CBL Blacklisting"}]},{"@type":"WebSite","@id":"https:\/\/www.knownhost.com\/kb\/#website","url":"https:\/\/www.knownhost.com\/kb\/","name":"KnownHost","description":"KnownHost provides a comprehensive webhosting knowledge base to help answer many of your common webhosting and linux questions.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.knownhost.com\/kb\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b","name":"Jonathan K. W.","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","caption":"Jonathan K. W."},"sameAs":["https:\/\/www.knownhost.com"]}]}},"_links":{"self":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts\/1115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/comments?post=1115"}],"version-history":[{"count":1,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts\/1115\/revisions"}],"predecessor-version":[{"id":8015,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts\/1115\/revisions\/8015"}],"wp:attachment":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/media?parent=1115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/categories?post=1115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/tags?post=1115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}