Resolved google-analytics.pw to 89.45.14.74
Yet another WordPress brute-forcing botnet. This one is different from the previously posted one as it uses HTTP for its C&C server. It gets a bit tricky, as it tries to hide its gate by sending Host: google-analytics.pw. in the request instead of Host: google-analytics.pw
Here is a correct request
boofer-villa.com (Betabot http botnet hosted by hetzner.de)
Resolved boofer-villa.com to 88.198.59.89
Server: boofer-villa.com
Gate file: /secret/order.php
Another betabot from our friend in the comments.
Hosting info: http://whois.domaintools.com/88.198.59.89
seattleschools.co (Betabot http botnet hosted by myhosting.com)
Resolved seattleschools.co to 168.144.32.16
Server: seattleschools.co
Gate file: /beta/order.php
Another betabot from this commenter. There is an Umbra Loader panel at hxxp://seattleschools.co/panel/Panel/
No sample again.
Hosting info: http://whois.domaintools.com/168.144.32.16
h4xinc.com (Betabot http botnet hosted by blueangelhost.com)
Resolved h4xinc.com to 91.218.244.221
Server: h4xinc.com
Gate file: /matrix/order.php
Thanks to this commenter for the report. No sample for this one; if anyone sees something connecting to it, post a comment.
Hosting info: http://whois.domaintools.com/91.218.244.221
winblowservice.hopto.org (Betabot http botnet hosted by nyi.net)
Resolved winblowservice.hopto.org to 207.12.89.154
Server: winblowservice.hopto.org
Gate file: /service/order.php
Alternate domains: imafaggot.pw imtheop.redirectme.net
Thanks to this commenter for the report.
Hosting info: http://whois.domaintools.com/207.12.89.154
Related md5s (search on malwr.com to download samples)
Betabot: c994461c69b02a63d0f1bbcd2a56ba54
liveinsurance.org (Betabot http botnet hosted by worldstream.nl)
Resolved liveinsurance.org to 109.236.84.150
Server: liveinsurance.org
Gate file: /loverboy/order.php
freegamebox.us, a domain from a previous betabot, is hosted on the same IP, so both are probably owned by the same person.
Hosting info: http://whois.domaintools.com/109.236.84.150
Related md5s (search on malwr.com to download samples)
Betabot: 655b1833bfe7dc80391287ae6d568318
212.7.194.240 (Athena IRC Botnet Hosted By Dediserv [dediserv.eu])
This is a guest post written by mongoose
Server: 212.7.194.240
Port: 6667
Channel: #nirjhar
Current local users: 47 Max: 472
Current global users: 47 Max: 472
This file was downloaded from this botnet.
Whois on host IP: http://whois.domaintools.com/212.7.194.240
5.133.180.103 (Athena irc botnet hosted by bhost.co.uk)
Server: 5.133.180.103
Port: 6667
Current global users 104, max 387
Channel: #razbot
#razbot 102
Oper: [n[ARE|U|L|WIN7|x64|2c]loruybe] (rusho@i.hate.microsefrs.com): …
[n[ARE|U|L|WIN7|x64|2c]loruybe] #strike #razbot
[n[ARE|U|L|WIN7|x64|2c]loruybe] irc.foonet.com :FooNet Server
[n[ARE|U|L|WIN7|x64|2c]loruybe] is a Network Administrator
[n[ARE|U|L|WIN7|x64|2c]loruybe] is available for help.
[n[ARE|U|L|WIN7|x64|2c]loruybe] idle 00:09:52, signon: Tue Sep 03 11:45:07
[n[ARE|U|L|WIN7|x64|2c]loruybe] End of WHOIS list.
This is the same authhost as another posted Athena botnet.
Hosting info:
Predhost.in (Smokeloader hosted by Digitalocean.com)
Resolved predhost.in to 198.199.109.163
Server: Predhost.in
Gate file: /sm/index.php
Logging into hxxp://predhost.in/sm/guest.php with guest:guest works. Anyone want to test if the SQLi got fixed?
Hosting info: http://whois.domaintools.com/198.199.109.163
Related md5s (search on malwr.com to download samples)
Smokeloader: 4c438005e17b968813f3df1fb2e15f4a
main-firewalls.com (Pony stealer hosted by virtacore.com)
Resolved main-firewalls.com to 74.204.171.69
Server: main-firewalls.com
Gate file: /gate.php
Downloaded FakeAV and ZeroAccess.
Hosting info: http://whois.domaintools.com/74.204.171.69
Related md5s (search on malwr.com to download sample)
Pony: a3243c1f6fe92db72af7b5c1f9b207ea