Server: freegamebox.ru
Gate file: /hunter/123/order.php

The same gate directory has shown up before.

Related md5s (download samples from Malwr.com):
Betabot: e6e0b46fbb5741b058e3c9b84f601a7f

gemers9.ru (Betabot http botnet proxied by cloudflare.com)
Server: gemers9.ru
Gate file: /damm/5425/order.php

Looks like Hackforum skiddies even carry their love for Cloudflare to their botnets.

Related md5s (download samples from Malwr.com):
Betabot: 684eb10838071bda6f68c26838056f72

sloodam.in (Betabot http botnet proxied by cloudflare.com)
Server: sloodam.in
Gate file: /lolserver/james/order.php

Yet another script kiddie seems to think that cloudflare is the best place to host his botnet. Let's see how fast they shut this down.

Related md5s (search on Malwr.com to download samples):
Betabot: faf473886ef8775d6514ab898a550b3e

bicycletrainers.info (Betabot http botnet proxied by cloudflare to 100tb.com)
Server: bicycletrainers.info
Gate file: /wheellock/order.php
Alternate domains:
dirtybagmcgee.com
womenhealthbody.pw

It's been a while since I've seen someone trying to use cloudflare with malware. Let's see how long it takes them to block it this time.

Related md5s (search on malwr.com to download samples):
Betabot: ddb28ce54c501be046400ddaa474f257

EDIT: It's been blocked, and I got the hosting info:

blackhats.su (Betabot http botnet proxied by cloudflare)
Server: blackhats.su
Gate file: /bb/order.php
Alternate domains:
aeonhf.net
aeonhf.me

You may recognize one of the domains, as it has appeared on the blog before. They used cloudflare that time as well. Let's see if we can get cloudflare to block access to it again.

Related md5s (search on malwr.com to download the samples):
Betabot:

aeonhf.net (Smoke loader http botnet proxied by cloudflare)
Resolved aeonhf.net to 173.245.60.168, 173.245.61.168 (Cloudflare IPs)
Server: aeonhf.net
Alternate domain: aminserve.info (currently has non-responsive nameservers)
Gate file: /admin/index.php

This is the latest skid who uses cloudflare to help host his botnet. Maybe this time they'll do something about it?

Hosting info: ecatel.info

Edit: CloudFlare received your abuse report dated February 24, 2013 regarding: aeonhf.net

rat-forums.net (Ice 9 banking malware proxied by cloudflare)
Resolved rat-forums.net to 108.162.194.61, 108.162.194.161
Server: rat-forums.net
Gate file: /web/adm/gate.php
Config file: /web/config/index.php

This is the first time I've seen the Ice 9 Zeus mod in the wild. I guess all the skiddies are trying it out now that it's cracked. Hopefully cloudflare will put a stop to their experimenting.

starhf.com (Andromeda http botnet proxied by cloudflare)
Resolved starhf.com to 108.162.193.86, 108.162.193.186
Server: starhf.com
Gate file: /andro/image.php

This is the second Andromeda net I've seen hosted on cloudflare. They wouldn't take down the first one for want of evidence. I guess their bot detection technology has some trouble if it can't even detect when cloudflare is acting as a C&C proxy.

myinstalls.info (Andromeda and kbot http botnets hiding behind cloudflare)
Resolved myinstalls.info to 199.27.134.49, 173.245.60.132

Andromeda
Server: myinstalls.info
Gate file: /neuro/image.php

kbot
Server: myinstalls.info
Gate file: /kb/gate.php

I'm glad to see Khant has recovered from having some malicious individual run rm -rf / as root on his server. However, I'm not sure if having bots connect through cloudflare is such a good idea.