Server: 93.115.93.30
Gate file: /moneymaker/image.php
Plugins:
  Rootkit: hxxp://93.115.93.30/moneymaker/r.pack
  Socks: hxxp://93.115.93.30/moneymaker/s.pack
  Formgrabber: hxxp://93.115.93.30/moneymaker/f.pack
Gate file: /moneymaker/fg.php
Hosting info: http://whois.domaintools.com/93.115.93.30
stateqa.biz (Andromeda http botnet hosted by plusserver.de)
Resolved stateqa.biz to 188.138.88.81
Server: stateqa.biz
Gate file: /andrei/image.php
Cracked Andromeda seems to be making a comeback, after all the betabots posted recently.
Hosting info: http://whois.domaintools.com/188.138.88.81
fahfasd.pw (Andromeda http botnet hosted by xeneurope.com)
Resolved fahfasd.pw to 109.235.51.249
Server: fahfasd.pw
Gate file: /Panel/image.php
Plugins:
  Rootkit: hxxp://fahfasd.pw/Panel/plugins/r.pack
  Socks: hxxp://fahfasd.pw/Panel/plugins/s.pack
  Formgrabber: hxxp://fahfasd.pw/Panel/plugins/f.pack
Gate file: /Panel/fg.php
Hosting info: http://whois.domaintools.com/109.235.51.249
moneybooster.info (Andromeda http botnet hosted by leaseweb.com)
Resolved moneybooster.info to 95.211.211.90
Server: moneybooster.info
Gate file: /bc/image.php
I guess betabot isn't working for him anymore. What a waste of $320.
Hosting info: http://whois.domaintools.com/95.211.211.90
hardstunt.com (Andromeda http botnet proxied by cloudflare.com)
Resolved hardstunt.com to 108.162.198.113, 108.162.199.113
Server: hardstunt.com
Gate file: /blob/image.php
Hosting a botnet behind Cloudflare seems like a bad idea. Let's see if I can get this blocked.
EDIT: CloudFlare received your malware report dated April 28, 2013 regarding: hardstunt.com. Please be aware CloudFlare is a network provider offering a reverse proxy, pass-through security service. We
crispershf.hc0.me (Andromeda http botnet hosted by Ecatel.net)
Resolved crispershf.hc0.me to 80.82.69.144
Server: crispershf.hc0.me
Gate file: /panel/image.php
Hosting info: http://whois.domaintools.com/80.82.69.144
fearboot.com (Andromeda http botnet hosted by vmbox.co)
Resolved fearboot.com to 198.20.67.10
Server: fearboot.com
Gate file: /andro/image.php
Visit http://fearboot.com/p.php or http://fearboot.com/phpinfo.php for information about the server.
Hosting info: http://whois.domaintools.com/198.20.67.10
199.168.136.116 (Andromeda hosted in United States, Scranton, Volumedrive)
Panel: hxxp://199.168.136.116/andro/image.php
Plugins:
  hxxp://199.168.136.116/andro/r.pack
  hxxp://199.168.136.116/andro/s.pack
  hxxp://199.168.136.116/andro/f.pack
Andromeda panel path (requires username and login): hxxp://199.168.136.116/andro/
Other: http://199.168.136.116/andro/fg.php?id=1880376902
Sample: hxxp://199.168.136.116/andro/and.exe
Hosting info: http://whois.domaintools.com/199.168.136.116
kryptic.me (Andromeda http botnet hosted by alibabahost.com)
Resolved kryptic.me to 37.221.170.234
Server: kryptic.me
Gate file: /jackson/gate.php
Plugins:
  Rootkit: hxxp://krytical.me/jackson/plugins/rk_666604bd.mod
Alternate domain: krytical.me
Hosting info: http://whois.domaintools.com/37.221.170.234
a55555a.dontexist.com (Andromeda bot hosted in France, Roubaix, OVH Systems)
This is from the anonymous guy here.
Resolved a55555a.dontexist.com to 188.165.87.109
Panel: a55555a.dontexist.com/XMhXautVnLzlIC/image.php
Hosting info: http://whois.domaintools.com/188.165.87.109