Config file: /hide/1355/file.php
Gate file: /hide/1355/enter.php
According to whois, this is a home cable internet IP (United States, Concord, Astound Broadband).
Also on the server: Smoke Loader and Pony.
Gate file: /smokeldr/index.php
Gate file: /js/gate.php
The moron running this has Pony downloading itself, creating a continuous chain of downloads.
Hosting info: http://whois.domaintools.com/18.104.22.168
Related MD5s (search on malwr.com to download the samples):
Smoke loader: 1581f296eff953d727d26753ddd93bd2
Pony loader: 40e688d7aa46c49bc8d6fb7a2dfcd2d9