cureit.pw (WordPress bruting botnet hosted by firstvds.ru)

Resolved cureit.pw to 62.109.17.111

This is the same malware as in the previous post.

Correct gate request

GET /cmd.php HTTP/1.0
Host: cureit.pw.
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)



HTTP/1.1 200 OK
Date: Wed, 11 Sep 2013 19:17:35 GMT
Server: Apache/2.2.24 (FreeBSD) PHP/5.4.15 mod_ssl/2.2.24 OpenSSL/1.0.1e
X-Powered-By: PHP/5.4.15
Cache-Control: max-age=1
Expires: Wed, 11 Sep 2013 19:17:36 GMT
Vary: Accept-Encoding
Content-Length: 52
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

1
30
hxxp://cureit.pw/temp_brut/1011888.txt
wolf
480

Site list mirrored here. Both WordPress and Joomla sites are included in this list.

The username list has changed: the malware now also tries the target's own domain name as the login username.

GET /login.txt HTTP/1.0
Host: cureit.pw.
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

HTTP/1.1 200 OK
Date: Wed, 11 Sep 2013 19:17:38 GMT
Server: Apache/2.2.24 (FreeBSD) PHP/5.4.15 mod_ssl/2.2.24 OpenSSL/1.0.1e
Last-Modified: Tue, 10 Sep 2013 18:40:04 GMT
ETag: "42d1d3e-2f-4e60bd545e900"
Accept-Ranges: bytes
Content-Length: 47
Cache-Control: max-age=604800
Expires: Wed, 18 Sep 2013 19:17:38 GMT
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain

{domain}
{domain}.{zone}
admin
administrator
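
As an added example (not code from the original post or from the malware itself), the following Python script turns the page's observations into a defender-side check: it expands the four username templates served by the C2 for a given hostname, and it scans web-server access logs for POSTs to CMS login endpoints carrying the bot's "Synapse" User-Agent or exceeding a per-IP attempt threshold. The login paths, the interpretation of {domain}/{zone} as second-level label and TLD, and the sample log lines are all assumptions or constructed data, not taken from the page.

```python
import re
from collections import Counter

# Username templates exactly as served in login.txt (from the page)
USERNAME_TEMPLATES = ["{domain}", "{domain}.{zone}", "admin", "administrator"]

# User-Agent the bot sends to its gate (from the captured requests on the page)
BOT_USER_AGENT = "Mozilla/4.0 (compatible; Synapse)"

# Login endpoints for the two CMSes in the site list (assumed paths, not from the page)
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")

# Apache/nginx "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic): one noisy source using the
# bot UA against both CMS login pages, and one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Sep/2013:19:20:01 +0000] "POST /wp-login.php HTTP/1.0" 200 3421 "-" "Mozilla/4.0 (compatible; Synapse)"',
    '203.0.113.5 - - [11/Sep/2013:19:20:02 +0000] "POST /wp-login.php HTTP/1.0" 200 3421 "-" "Mozilla/4.0 (compatible; Synapse)"',
    '198.51.100.7 - - [11/Sep/2013:19:20:03 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (X11; Linux) Firefox/23.0"',
    '203.0.113.5 - - [11/Sep/2013:19:20:04 +0000] "POST /wp-login.php HTTP/1.0" 200 3421 "-" "Mozilla/4.0 (compatible; Synapse)"',
    '198.51.100.7 - - [11/Sep/2013:19:20:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux) Firefox/23.0"',
    '203.0.113.5 - - [11/Sep/2013:19:20:06 +0000] "POST /administrator/index.php HTTP/1.0" 200 5012 "-" "Mozilla/4.0 (compatible; Synapse)"',
]


def expand_usernames(hostname):
    """Return the usernames the bot would try against `hostname`.

    Assumption: {domain} is the second-level label and {zone} the TLD, so
    'blog.example.com' gives domain='example', zone='com'. Multi-part public
    suffixes such as 'co.uk' are not special-cased here.
    """
    labels = hostname.lower().strip(".").split(".")
    if len(labels) >= 2:
        domain, zone = labels[-2], labels[-1]
    else:
        domain, zone = labels[0], ""
    return [t.format(domain=domain, zone=zone) for t in USERNAME_TEMPLATES]


def analyze(log_lines, threshold=3):
    """Count login-endpoint POSTs per source IP.

    Returns a dict of suspicious IPs -> {"attempts": n, "bot_user_agent": bool}.
    A source is reported if it used the bot's User-Agent at least once or
    made `threshold` or more login POSTs.
    """
    attempts = Counter()
    bot_sources = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined log format; skip rather than crash
        if m["method"] != "POST" or not m["path"].startswith(LOGIN_PATHS):
            continue
        attempts[m["ip"]] += 1
        if m["ua"] == BOT_USER_AGENT:
            bot_sources.add(m["ip"])
    return {
        ip: {"attempts": n, "bot_user_agent": ip in bot_sources}
        for ip, n in attempts.items()
        if ip in bot_sources or n >= threshold
    }


if __name__ == "__main__":
    print("usernames to watch for example.com:", expand_usernames("example.com"))
    for ip, info in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} login POSTs, bot UA={info['bot_user_agent']}")
```

The User-Agent match is the cheap, high-confidence signal for this particular bot; the per-IP threshold catches the same behaviour if the operator changes the string, which is why the two conditions are OR'd rather than required together.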

Hosting info: http://whois.domaintools.com/62.109.17.111

Related MD5s (search on malwr.com to download samples)
WordPress bruteforcer: 820da59811ea536331b7189bd86f3c72
