Resolved a.loader.ws to 198.144.121.130
Andromeda
Server: a.loader.ws
Gate file: /ad/image.php
Plugins
Rootkit: http://a.loader.ws/ad/r.pack
Socks: http://a.loader.ws/ad/s.pack
Formgrabber: http://a.loader.ws/ad/f.pack
Gate file: /ad/fg.php
Multilocker
Server: a.loader.ws
Gate file: /l/lending/tds.php
UPDATE: New domain used by the hecker:
Resolved: [j87gyuh7uh.org] to [37.143.12.145]
The rest is the same (files, paths etc.) from the same guy. 2 domains not activated yet: j87gyuh7uh.org
runescape-livestream.tv (Andromeda http botnet hosted by vmbox.co)
Resolved runescape-livestream.tv to 198.20.67.66
Server: runescape-livestream.tv
Gate file: /andro/image.php
Plugins
Rootkit: http://runescape-livestream.tv/andro/r.pack
Formgrabber: http://runescape-livestream.tv/andro/f.pack
Gate file: /andro/fg.php
Hosting infos: http://whois.domaintools.com/198.20.67.66
group-gz.me (Andromeda http botnet hosted by Panamaserver.com)
Resolved group-gz.me to 190.123.47.198
Server: group-gz.me
Gate file: /.daci/perete.php
Plugins
Rootkit: group-gz.me/.daci/r.pack
Socks: group-gz.me/.daci/s.pack
Formgrabber: group-gz.me/.daci/f.pack
Gate file: group-gz.me/.daci/fg.php
This guy is installing the recently posted survey winlocker on his bots.
Hosting infos: http://whois.domaintools.com/190.123.47.198
honey.punked.us (Andromeda http botnet hosted by kimsufi.com)
Resolved honey.punked.us to 94.23.213.78
Server: honey.punked.us
Gate file: /sex/image.php
Plugins
Rootkit: http://doncarlosmayorista.com/.sec/r.pack
Socks: http://doncarlosmayorista.com/.sec/s.pack
Formgrabber: http://doncarlosmayorista.com/.sec/f.pack
Gate file: honey.punked.us/sex/fg.php
This is the new Andromeda of the french hecker h4r3. Now he's using cracked Andromeda with free domains.
Hosting infos: http://whois.domaintools.com/94.23.213.78
img197-imageshack.info (Andromeda http botnet and Spyeye banking malware hosted by ecatel.net)
Resolved img197-imageshack.info to 93.174.90.96
Server: img197-imageshack.info
Gate file: /panel/image.php
Spyeye
Server: img197-imageshack.info
Gate file: /gate.php
Login: /admin.php
Bonus silence winlocker crap: img197-imageshack.info/bl/eu.php
Hosting infos: http://whois.domaintools.com/93.174.90.96
zxz.consulting-info.eu (Multiple http botnets hosted by France Roubaix Ovh Sas)
Resolved zxz.consulting-info.eu to 5.39.71.80
This is the french hecker known as h4r3 who has been posted before.
Andromeda
This is the same Andromeda net that was posted before, just with the rest of the domains.
Previous/disabled domains:
vvv.exp1oit.in
xxx.be-shopping.net
Current domain: zxz.consulting-info.eu
Gate file: /service/image.php
Plugins:
Rootkit: tbontepaard.nl/gllr/r.pack
Socks: tbontepaard.nl/gllr/s.pack
kbot
Server: zxz.consulting-info.eu
Gate
starhf.com (Andromeda http botnet proxied by cloudflare)
Resolved starhf.com to 108.162.193.86, 108.162.193.186
Server: starhf.com
Gate file: /andro/image.php
This is the second Andromeda net I've seen hosted on cloudflare. They wouldn't take down the first one for want of evidence. I guess their bot detection technology has some trouble if it can't even detect when cloudflare is acting as a C&C proxy.
warzone3030.tk (Andromeda http botnet hosted by santrex.net)
Resolved warzone3030.tk to 46.105.100.182
Server: warzone3030.tk
Gate file: /Panel/image.php
Plugins
Rootkit: warzone3030.tk/Panel/plugins/r.pack
Socks: warzone3030.tk/Panel/plugins/s.pack
Formgrabber: warzone3030.tk/Panel/plugins/f.pack
Hosting infos: http://whois.domaintools.com/46.105.100.182
188.165.4.163 (Andromeda http botnet hosted by vpzzo.net)
Server: 188.165.4.163
Gate file: /and/image.php
Plugins
Rootkit: 188.165.4.163/and/external_plugins/r.pack
Socks: 188.165.4.163/and/external_plugins/s.pack
Formgrabber: 188.165.4.163/and/external_plugins/f.pack
Gate file: /and/fg.php
Hosting infos: http://whois.domaintools.com/188.165.4.163
blazehost.net (Andromeda and Smoke http botnets hosted by Seychelles Victoria Business Dialogue Ltd)
Resolved blazehost.net to 91.217.178.32
Andromeda
Server: Blazehost.net
Gate file: /andro/image.php
Plugins
Rootkit: blazehost.net/andro/r.pack
Socks: blazehost.net/andro/s.pack
Formgrabber: blazehost.net/andro/f.pack
Gate file: /andro/fg.php
Smoke
Server: Blazehost.net
Gate file: /index.php
Hosting infos: http://whois.domaintools.com/91.217.178.32