mystical

www.yahgodz.com (Andromeda http botnet hosted by dataclub.biz)

Resolved www.yahgodz.com to 46.183.217.148
Server: www.yahgodz.com
Gate file: /http/image.php
Additional domains:
bighecks.net/http/image.php (missing gate file, hosted at worldstream.nl 217.23.4.155)
sonic4us.ru/http/image.php (pointed at 127.0.0.1)
imageshells.com/admin/image.php (missing gate file, hosted at worldstream.nl 217.23.4.107)
All of these are mystical’s domains, used for various nefarious purposes in the past. A quick Google search shows that he’s been loading onto this

hfgfr56745fg.com (Betabot http botnet hosted by ecatel.net)

Resolved hfgfr56745fg.com to 80.82.66.204
Server: hfgfr56745fg.com
Gate file: /rem/order.php
Brian Krebs on the login page. It still crashes Skype. Sample here. A previous version of the bot was posted here.
Hosting info: http://whois.domaintools.com/80.82.66.204

androhosting.info (Athena irc botnet hosted by voxility.net)

Resolved androhosting.info to 37.221.170.211
Mystical is right back into the irc game, with a different server and domain. This is on the same ip as _Stoner’s Athena test server which was previously posted. Google indicates that the domain once hosted a blackhole exploit kit panel.
Server: androhosting.info
Port: 44
Current global users: 119, max 910

webhostingprotection.info (Betabot http botnet hosted by Santrex.net)

Resolved webhostingprotection.info to 46.166.163.131
Server: webhostingprotection.info
Gate file: /icool/order.php
This was from the closed beta of the betabot http bot. The server files have been taken down now so not much point visiting the site. There wasn’t much to see except evidence of the coder’s man crush on the steely gaze of Brian Krebs. For

xtremehosting.info, sexwithme.info (Athena irc botnet hosted by voxility.net)

Resolved xtremehosting.info, sexwithme.info to 37.221.170.221
Server: xtremehosting.info
Port: 6667
Channel: #boss
Channel password: mystical
Topic for #boss is: !stop
Topic for #boss set by samiam at Fri Jan 25 10:31:21 2013
Nick format: [U|WIN7|x64|L]txzrks
Server: sexwithme.info
Port: 6667
Channel: #210
Nick format: _[USA|U|L|WIN7|x32|4c]rflbxwws
Current Local Users: 823  Max: 1585
#boss   243   [+sntVCTk] !stop
#210    402

sharesend.info (smoke loader http botnet hosted by voxility.net)

Resolved sharesend.info to 37.221.170.8
Server: sharesend.info
Gate file: /admin/index.php
A pity the guest.php credentials have been changed from the default or fun could have been had. Download the panel from here if you want it: hxxp://sharesend.info/admin/admin.zip
Hosting info: http://whois.domaintools.com/37.221.170.8