[bitfolk] Odd issue when re-numbering - new IP only routable…

Author: Ewan Leith
Date:  
Subject: [bitfolk] Odd issue when re-numbering - new IP only routable from some IPs.


Date: Wed, 09 May 2012 19:48:59 +0100
From: Mike Zanker <mike@???>
Subject: Re: [bitfolk] PHP-CGI exploit probes seen - please make sure your
 VPS is secured against this


On 09/05/2012 18:18, Ian wrote:

> An update for PHP in Squeeze became available in the last hour, I
> presume it covers this. There are also a few more packages being
> updated.


There are PHP updates for CentOS 5 and 6, too - just run "yum update".

Regards,

Mike


Date: Thu, 10 May 2012 11:14:35 +1000
From: Duane <duane@???>
Subject: Re: [bitfolk] PHP-CGI exploit probes seen - please make sure your
 VPS is secured against this


On 05/10/12 00:22, Andy Smith wrote:
> Hi,
>
> As you may be aware a major security problem was recently found in PHP when
> run in CGI mode. A customer has recently had their VPS compromised
> and has discovered probes for this vulnerability as described here:
>
>      http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
>
> So, if you are running PHP in CGI mode you absolutely must secure it
> against this.


A friend of mine thinks php5-suhosin prevents the attack from working.


From kai.hendry@??? Thu May 10 07:40:55 2012