2013
06.13

small rbldns Statistics of blocklist.de

We currently run 3 RBLDNS servers, which list attacker IPs for 48 hours after their last attack, split into several categories:
http://www.blocklist.de/en/rbldns.html

| Name / URL | Description / Content |
|---|---|
| apache.bl.blocklist.de | Apache, RFI, w00tw00t, SQL injection, forum spam + http://honeystats.info/ |
| bruteforcelogin.bl.blocklist.de | All IPs that attack Joomla, WordPress and other web logins with brute force |
| bl.blocklist.de | All IP addresses (all services) |
| all.bl.blocklist.de | All IP addresses (all services) |
| ftp.bl.blocklist.de | FTP: only IPs that run FTP brute-force attacks |
| imap.bl.blocklist.de | imap, pop3, sasl, webmail logins… |
| mail.bl.blocklist.de | mail/postfix, 5xx errors (blacklist entries), relaying… |
| ssh.bl.blocklist.de | IPs that run SSH attacks |
| sip.bl.blocklist.de | IPs that have tried SIP/Asterisk brute-force login attacks |

On the USA server we have enabled the rbldns statistics. rbldns reports the number of queries, the number of matches, and the bytes received and sent.
Every 10 minutes, the RBL server gets a summary of:
19 M queries
1 M matches
The values vary at weekends and during attack runs.

The RBL servers also return, in the TXT record, the service name (such as „ssh“) and the Unix timestamp of the last reported attack:
Infected System (Service: apacheddos, Last-Attack: 1370990468), see http://www.blocklist.de/en/view.html?ip=$ip
From time to time, more than 20,000 IPs have been listed in the complete list.
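
To consume these lists from a script, the following sketch builds the DNSBL query name and parses the TXT answer shown above into a service name, last-attack time and expected delisting time. It is an added example, not blocklist.de's own code; the function names and the sample IP (a documentation address) are assumptions, and the query name follows the standard DNSBL convention of reversed IPv4 octets.

```python
import ipaddress
import re
import socket
from datetime import datetime, timedelta, timezone

# From the post: IPs stay listed for 48 hours after the last attack.
LISTING_WINDOW = timedelta(hours=48)
TXT_RE = re.compile(r"\(Service:\s*(?P<service>[\w.-]+),\s*Last-Attack:\s*(?P<ts>\d+)\)")


def query_name(ip: str, zone: str = "bl.blocklist.de") -> str:
    """Build the DNSBL query name: reversed IPv4 octets prepended to the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything but valid IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip: str, zone: str = "bl.blocklist.de") -> bool:
    """Live check (needs network): a DNSBL answers with an A record only for listed IPs."""
    try:
        socket.gethostbyname(query_name(ip, zone))
        return True
    except socket.gaierror:
        # NXDOMAIN means "not listed"; resolver failures also land here (fails open).
        return False


def parse_txt(txt: str) -> dict:
    """Extract service name and last-attack time from a TXT answer in the format above."""
    m = TXT_RE.search(txt)
    if m is None:
        raise ValueError("unexpected TXT format: %r" % txt)
    last = datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc)
    return {"service": m.group("service"), "last_attack": last}


def expires_at(record: dict) -> datetime:
    """When the entry should drop off the list if no further attack is reported."""
    return record["last_attack"] + LISTING_WINDOW


# TXT text copied from the post; the IP in the URL is a constructed documentation address.
SAMPLE_TXT = ("Infected System (Service: apacheddos, Last-Attack: 1370990468), "
              "see http://www.blocklist.de/en/view.html?ip=192.0.2.10")

if __name__ == "__main__":
    rec = parse_txt(SAMPLE_TXT)
    print(query_name("192.0.2.10", "ssh.bl.blocklist.de"))
    print(rec["service"], rec["last_attack"].isoformat(), "expires", expires_at(rec).isoformat())
```

Fetching the TXT record itself needs a DNS library or a tool such as `dig`; `is_listed` only checks for the presence of an A record.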

2013
06.07

Brute-Force on WordPress wp-login.php. Bots currently use Firefox 19.0 as User-Agent

The brute-force login attacks on WordPress and Joomla have been running for a few weeks:

http://support.hostgator.com/articles/specialized-help/technical/wordpress/wordpress-login-brute-force-attack

We currently list 16582 IP addresses on the bruteforcelogin list.

In the last few days, the attackers have used the User-Agent „Firefox/19.0“ in most requests (we think over 90%):

189.143.62.117 - - [06/Jun/2013:17:51:46 +0200] "POST wp-login.php HTTP/1.0" 200 4555 "http://referer-domain.tld/" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

We found a small piece of malware code on one site, but it was not complete. If you received a report from us and found the malware script, please send it to us.

Thank you!

2013
06.02

over 9,181 URLs from SEO spammers on blog.com (end site: clickbank.com)

In the last „URL-Reporting“, mostly *.pl domains were used, but now we have found over 9,181 URLs on *.blog.com that were abused by SEO spammers to route traffic from good sites via blog.com to their „Money-Sites“.

On their money sites, they offer to make money via clickbank with affiliates.

[Images: avervurm.blog.com (four images)]

Other blog.com URLs have the same or slightly different content, but all redirect to clickbank.com:

[Images: grinevaskij1970.blog.com (two images), pirevilka.blog.com]

Some links go to the „Money-Site“ of the SEO spammer via tinyurl.com: „hxxp://tinyurl.com/cszvyuf/go8.php?aHR0cDovL2p1bDRvbm9rODUuZWJheWNlcnQuaG9wLmNsaWNrYmFuay5uZXQ=“

And then to: „http://www.jobreplacementformula.com/clickbank.php?hop=codelocker“ or directly to clickbank.com

[Images: jobreplacementformula.com (two images)]

On that site, all links go to hxxp://www.lottomasterformula.com like this:

hxxp://www.lottomasterformula.com/dlguard/dlg/sell.php?prodData=cb%2C6

and then to clickbank.com:

hxxps://ssl.clickbank.net/order/orderform.html?time=1370165174&vvvv=6562617963657274&item=1&detail=Job+Replacement+Formula+67&vvar=detail%3DJob+Replacement+Formula+67%26dlgp%3D6&oaref=01.09B9DCCD9E0E71A5790AC3235281919F0D991A7DEB89597DD4E6AA7D1731DA971A6BC929777E2ED95D5AF51F83B0AA90A0AF6050AB48256725481747D07F78E1ECBF3B2FC242EF671C76543A63F84442719A7B93

From there, you get an order form to buy the book on how to make money with clickbank.com for only „$67.00“:

[Image: clickbank.com]

At the bottom there is text from a banner with „codelocker.blogcom“, which was not replaced by JavaScript in the Chrome browser inside the virtual machine:

[Image: clickbank.com (second image)]

We have reported the URLs to blog.com via the ticket system and are waiting for a response. At this time, I don’t think that blog.com uses clickbank.com to place ads on their site….

In most cases, sites with user-generated content disable or delete such URLs.

We currently have over 2,677,883 URLs in our database that were posted by spammers to our honeypot systems. In the near future we will look at how many new URLs come in daily and add an RBL list with these URLs.

If you are interested in these URLs, please contact us.
