small rbldns Statistics of blocklist.de

We currently run 3 RBLDNS servers, which list attacker IPs for 48 hours after their last attack, in the following categories:

Name / URL                        Description / Content
apache.bl.blocklist.de            Apache, RFI, w00tw00t, SQL-Injection, Forum-Spam + http://honeystats.info/
bruteforcelogin.bl.blocklist.de   All IPs that attack Joomla, WordPress and other web logins with brute force
bl.blocklist.de                   All IP addresses (all services)
all.bl.blocklist.de               All IP addresses (all services)
ftp.bl.blocklist.de               FTP -> only IPs that run FTP brute-force attacks.
imap.bl.blocklist.de              imap, pop3, sasl, webmail logins…
mail.bl.blocklist.de              mail/postfix, 5xx errors (blacklist entries), relaying…
ssh.bl.blocklist.de               IPs that run SSH attacks.
sip.bl.blocklist.de               IPs that have tried SIP/Asterisk brute-force login attacks.

On the USA server we have the rbldns stats enabled. rbldns reports the count of queries, the count of matches, and the bytes received and sent.
Every 10 minutes the RBL server gets a summary of:
19 M queries
1 M matches
The value varies on weekends and during attack runs.

The RBL servers also return in the TXT record the service name, like "ssh", and the Unix timestamp of the last reported attack:
Infected System (Service: apacheddos, Last-Attack: 1370990468), see http://www.blocklist.de/en/view.html?ip=$ip
From time to time, over 20,000 IPs were listed in the complete list.
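
As an added example (not blocklist.de's own code), the Python below builds the DNSBL query name for an IPv4 address using the standard reversed-octet convention and parses the TXT text shown above into the service name and last-attack time, then checks it against the 48-hour listing period. The function names, the regular expression (derived from the one sample record on this page) and the documentation address 192.0.2.10 are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Pattern derived from the single sample TXT record on this page (assumption).
TXT_RE = re.compile(r"\(Service:\s*(?P<service>[^,]+),\s*Last-Attack:\s*(?P<ts>\d+)\)")
LISTING_WINDOW = timedelta(hours=48)  # listing period stated on this page


def rbl_query_name(ip: str, zone: str = "bl.blocklist.de") -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def parse_txt(txt: str):
    """Return (service, last attack as UTC datetime), or None if unparseable."""
    m = TXT_RE.search(txt)
    if m is None:
        return None
    last = datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc)
    return m.group("service").strip(), last


def still_in_window(last_attack: datetime, now: datetime) -> bool:
    """True while 'now' lies within 48 hours after the last reported attack."""
    return timedelta(0) <= now - last_attack <= LISTING_WINDOW


# Constructed sample: the TXT text from this page, with $ip filled in by a
# documentation address (192.0.2.10, RFC 5737).
SAMPLE_TXT = ("Infected System (Service: apacheddos, Last-Attack: 1370990468), "
              "see http://www.blocklist.de/en/view.html?ip=192.0.2.10")

if __name__ == "__main__":
    # Name a resolver would look up (A record for the hit, TXT for details).
    print(rbl_query_name("192.0.2.10", "ssh.bl.blocklist.de"))
    service, last = parse_txt(SAMPLE_TXT)
    print(service, last.isoformat())
    print(still_in_window(last, last + timedelta(hours=47)))
```

A mail or web front end would resolve the returned name itself; the parsing step lets it log which service reported the address and how recent the report is.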


Brute-force on WordPress wp-login.php. Bots currently use Firefox 19.0 as User-Agent

The brute-force login attacks on WordPress and Joomla have been running for a few weeks.


We currently have 16582 IP addresses listed on the bruteforcelogin list.

In the last few days, the attackers have used the User-Agent "Firefox/19.0" in most requests (we think over 90%):
- - [06/Jun/2013:17:51:46 +0200] "POST wp-login.php HTTP/1.0" 200 4555 "http://referer-domain.tld/" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

On one site we found a small piece of malware code, but it was not complete. If you have received a report from us and found the malware script, please send it to us.

Thank you!



Over 9,181 URLs from SEO spammers on blog.com (end site: clickbank.com)

At the time of the last "URL reporting", mostly *.pl domains were used, but now we have found over 9,181 URLs on *.blog.com that were abused by SEO spammers to pull traffic from good sites via blog.com to their "money sites".

On their money sites, they offer ways to make money via clickbank with affiliates.


[Images: avervurm.blog.com, avervurm.blog.com2, avervurm.blog.com3, avervurm.blog.com4]


Other blog.com URLs have the same or slightly different content, but all redirect to clickbank.com:

[Images: grinevaskij1970.blog.com, grinevaskij1970.blog.com2, pirevilka.blog.com]


Some links go to the "money site" of the SEO spammers via tinyurl.com: "hxxp://tinyurl.com/cszvyuf/go8.php?aHR0cDovL2p1bDRvbm9rODUuZWJheWNlcnQuaG9wLmNsaWNrYmFuay5uZXQ="

And then to: "http://www.jobreplacementformula.com/clickbank.php?hop=codelocker" or directly to clickbank.com



On that site, all links go to hxxp://www.lottomasterformula.com like this:


and then to clickbank.com:


From there, you get an order form to buy the book on how you can make money with clickbank.com for only "$67.00":








At the bottom there is text from a banner with "codelocker.blogcom" which was not replaced by JavaScript in the Chrome browser inside the virtual machine:








We have reported the URLs to blog.com via their ticket system and are waiting for a response. At this time, I don't think that blog.com uses clickbank.com to place ads on their site.

In most cases on sites with user-generated content, the URLs will be disabled/deleted.

Currently we have over 2,677,883 URLs in our database that were posted by spammers in our honeypot systems. In the near future we will look at how many new URLs come in daily and add an RBL list with these URLs.

If you are interested in these URLs, please contact us.

