Resolved google-analytics.pw to 18.104.22.168 Yet another WordPress brute-forcing botnet. This one is different from the previously posted one as it uses HTTP for its C&C server. It gets a bit tricky, as it tries to hide its gate by sending Host: google-analytics.pw in the request. Here is a correct request
Resolved boofer-villa.com to 22.214.171.124 Server: boofer-villa.com Gate file: /secret/order.php Another Betabot from our friend in the comments. Hosting info: http://whois.domaintools.com/126.96.36.199
Resolved seattleschools.co to 188.8.131.52 Server: seattleschools.co Gate file: /beta/order.php Another Betabot from this commenter. There is an Umbra Loader panel at hxxp://seattleschools.co/panel/Panel/ No sample again. Hosting info: http://whois.domaintools.com/184.108.40.206
Resolved h4xinc.com to 220.127.116.11 Server: h4xinc.com Gate file: /matrix/order.php Thanks to this commenter for the report. No sample for this one; if anyone sees something connecting to it, post a comment. Hosting info: http://whois.domaintools.com/18.104.22.168
Resolved winblowservice.hopto.org to 22.214.171.124 Server: winblowservice.hopto.org Gate file: /service/order.php Alternate domains: imafaggot.pw imtheop.redirectme.net Thanks to this commenter for the report. Hosting info: http://whois.domaintools.com/126.96.36.199 Related MD5s (search on malwr.com to download samples) Betabot: c994461c69b02a63d0f1bbcd2a56ba54
Resolved liveinsurance.org to 188.8.131.52 Server: liveinsurance.org Gate file: /loverboy/order.php freegamebox.us, a domain from a previous Betabot, is hosted on the same IP, so both are probably owned by the same person. Hosting info: http://whois.domaintools.com/184.108.40.206 Related MD5s (search on malwr.com to download samples) Betabot: 655b1833bfe7dc80391287ae6d568318
This is a guest post written by mongoose Server: 220.127.116.11 Port: 6667 Channel: #nirjhar Current local users: 47 Max: 472 Current global users: 47 Max: 472 This file was downloaded from this botnet. Whois on host IP: http://whois.domaintools.com/18.104.22.168
Server: 22.214.171.124 Port: 6667 Current global users 104, max 387 Channel: #razbot #razbot 102 Oper: [n[ARE|U|L|WIN7|x64|2c]loruybe] (firstname.lastname@example.org): … [n[ARE|U|L|WIN7|x64|2c]loruybe] #strike #razbot [n[ARE|U|L|WIN7|x64|2c]loruybe] irc.foonet.com :FooNet Server [n[ARE|U|L|WIN7|x64|2c]loruybe] is a Network Administrator [n[ARE|U|L|WIN7|x64|2c]loruybe] is available for help. [n[ARE|U|L|WIN7|x64|2c]loruybe] idle 00:09:52, signon: Tue Sep 03 11:45:07 [n[ARE|U|L|WIN7|x64|2c]loruybe] End of WHOIS list. This is the same authhost as another posted Athena botnet. Hosting info:
Resolved predhost.in to 126.96.36.199 Server: predhost.in Gate file: /sm/index.php Logging into hxxp://predhost.in/sm/guest.php with guest:guest works. Anyone want to test if the SQLi got fixed? Hosting info: http://whois.domaintools.com/188.8.131.52 Related MD5s (search on malwr.com to download samples) Smokeloader: 4c438005e17b968813f3df1fb2e15f4a
Resolved main-firewalls.com to 184.108.40.206 Server: main-firewalls.com Gate file: /gate.php Downloaded FakeAV and ZeroAccess. Hosting info: http://whois.domaintools.com/220.127.116.11 Related MD5s (search on malwr.com to download samples) Pony: a3243c1f6fe92db72af7b5c1f9b207ea