Re: What does this haxker code do?

2013-05-04 Thread Benny Pedersen

Marc Perkel skrev den 2013-05-04 07:38:

Here's some code I extracted from a hacked web site. I don't know
what it does but I think it might spread viruses. I'd like to see if
anyone understands it. It was added at the beginning of a wordpress
site in the wp-config.php file. I noticed that it pulled data and
redirected to various hacker sites. Maybe we could use it to get a
list and blacklist the hackers' domains?


wordpress it is, and it is dropped by security on gentoo, but one of
my webhosters says if users want it let them have it even if it contains
security bugs like hell


want to help? create clamav signatures for the url in this javascript
url, and scan email with it


--
senders that put my email into body content will deliver it to my own
trashcan, so if you like to get a reply, don't do it


Fwd: [SURBL-Announce] MW malware sublist added to multi, replaces OB

2013-05-04 Thread Jeff Chan


http://lists.surbl.org/pipermail/announce/2013-May/000209.html


Date: Wed, 1 May 2013 05:54:48 -0700
To: SURBL Announce annou...@lists.surbl.org
Subject: [SURBL-Announce] MW malware sublist added to multi, replaces OB


As announced last October, malware data has been moved from PH
to a new list MW, taking the bit of OB, which was deprecated last year.
Along with the malware data, a limited set of cracked hosts has also been
moved from PH to MW, in part because cracked sites often have or
can have malware on them.

The bitmask bit 16 therefore is no longer used by OB, but is used by
MW now.  Please update configurations appropriately.  For example in
SpamAssassin, change:

urirhssub   URIBL_OB_SURBL  multi.surbl.org.A   16
body        URIBL_OB_SURBL  eval:check_uridnsbl('URIBL_OB_SURBL')
describe    URIBL_OB_SURBL  Contains an URL listed in the OB SURBL blocklist
tflags      URIBL_OB_SURBL  net
reuse       URIBL_OB_SURBL

score URIBL_OB_SURBL 0 0.785 0 0.122

to:

urirhssub   URIBL_MW_SURBL  multi.surbl.org.A   16
body        URIBL_MW_SURBL  eval:check_uridnsbl('URIBL_MW_SURBL')
describe    URIBL_MW_SURBL  Contains an URL listed in the MW SURBL blocklist
tflags      URIBL_MW_SURBL  net
reuse       URIBL_MW_SURBL

score URIBL_MW_SURBL 0 0.001 0 0.610


Please direct followup discussion to the SURBL Discussion list.
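The announcement says bit 16 of the multi.surbl.org A-record bitmask now means MW rather than OB. The following is an added example (not part of the announcement or of SpamAssassin) that mimics what a urirhssub rule does: pull hostnames out of a message body, resolve them against a constructed, offline stand-in for multi.surbl.org, and fire a rule when the returned bitmask overlaps the rule's mask. Only bit 16's meaning is taken from the announcement; other bits are reported generically, and all hostnames and A records are invented.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Bit 16 meaning before and after the May 2013 change (from the announcement).
# Other bits are deliberately not named here; they show up as "bit<n>".
BIT_NAMES_BEFORE = {16: "OB"}
BIT_NAMES_AFTER = {16: "MW"}

# Constructed stand-in for multi.surbl.org: host -> A record; absent = not listed.
FAKE_MULTI_ZONE = {
    "listed-example.test": "127.0.0.16",  # bit 16 only
    "mixed-example.test": "127.0.0.24",   # bits 8 and 16
}

# The two rules from the announcement as (rule name -> urirhssub bitmask).
# Both use mask 16, so a stale OB rule keeps matching after the bit was reassigned.
RULES = {"URIBL_OB_SURBL": 16, "URIBL_MW_SURBL": 16}

URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

def extract_hosts(body: str) -> List[str]:
    """Hostnames from http(s) URLs in a message body, lower-cased and de-duplicated."""
    return sorted({m.group(1).lower().rstrip(".") for m in URL_HOST_RE.finditer(body)})

def query_multi(host: str, zone: Dict[str, str] = FAKE_MULTI_ZONE) -> Optional[int]:
    """Bitmask (last octet of the A record) for <host>.multi.surbl.org, or None if unlisted."""
    a = zone.get(host)
    return int(ipaddress.IPv4Address(a)) & 0xFF if a else None

def decode_bitmask(mask: int, bit_names: Dict[int, str]) -> List[str]:
    """Sublist name for each set bit; bits not in bit_names are shown as 'bit<n>'."""
    return [bit_names.get(b, f"bit{b}") for b in (1, 2, 4, 8, 16, 32, 64, 128) if mask & b]

def check_uridnsbl(body: str, rule: str, zone: Dict[str, str] = FAKE_MULTI_ZONE) -> List[str]:
    """Hosts in body whose multi.surbl.org bitmask overlaps the rule's mask (rule fires if non-empty)."""
    want = RULES[rule]
    return [h for h in extract_hosts(body) if (query_multi(h, zone) or 0) & want]

# Constructed sample message body.
SAMPLE_BODY = """Visit http://listed-example.test/offer and http://Mixed-Example.test/x
or http://unlisted-example.test/ for details."""

if __name__ == "__main__":
    for rule in RULES:
        print(rule, "hits:", check_uridnsbl(SAMPLE_BODY, rule))
    for host in extract_hosts(SAMPLE_BODY):
        mask = query_multi(host)
        if mask is not None:
            print(host, decode_bitmask(mask, BIT_NAMES_BEFORE), "->", decode_bitmask(mask, BIT_NAMES_AFTER))
```

Because the mask is unchanged, the old URIBL_OB_SURBL rule produces the same hits as URIBL_MW_SURBL but with the OB description and score, which is why the configuration update matters.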



Re: .pw / Palau URL domains in spam

2013-05-04 Thread Dave Funk

On Wed, 1 May 2013, doneshlaher wrote:


Hello Axb,

Thank you for providing us with the domain names. We will be suspending all
these reported domain names.

However, in the meantime may I know what kind of spam has been received?
Also, can you please forward us the email headers of a few of the reported
domain names.

This would help us to analyse the headers and understand whether the
account is compromised or not.

Regards

Donesh Laher
Cyber Security Analyst
.PW Registry


Donesh,
How many dozen spams a day would you like to receive?
Should I send them to your personal address or is there some
other reporting address I should use?

We are not a large site (only a few thousand users) but in the past few
weeks have been receiving hundreds of spams a day advertising .pw domains.
Here's a partial list of some of the past 3 days' worth:
(this list would be much larger except that I've been black-listing the
IP addresses of their hosting providers as fast as I can identify them)


--
Dave Funk                               University of Iowa
dbfunk (at) engineering.uiowa.edu       College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{