(Click fraud botnet hosted by

Resolved to (cname)
Resolved to

Gate file:  /feed/xml.php?uid=219  

More click fraud courtesy of french hecker h4r3. This time it looks a bit more sophisticated though. I’m assuming this is an affiliate program as while it’s using h4r3’s domain it points to another site. If you search for a url containing %/feed/xml.php?uid=% on clean-mx you’ll find numerous other domains, many of which seem advertising related. Those that are still alive also point to

The C&C seems to work similarly to the other click fraud bot posted, with urls to be clicked contained in a script on the page. Some of the urls are contained in redirects that expire minutes later, presumably after a certain number of clicks have gone through.

Initial redirects

The same redirect a few minutes later

The bot appears to use the same Firefox 16 useragent for all of the clicks.

More information about the site can be found at it`s phpinfo page, located here: hxxp://
A way to get in touch with the owner of the affiliate program is located here: hxxp://
A pastebin showing the C&C page is located here

Hosting infos:

Categories: Uncategorized

1 Comment

Anonymous - January 3, 2013 at 8:05 pm

another url linking there:

hxxp:// -> hxxp://

The rDNS points to the same host.

Comments are closed