Resolved goodfluxetcwow1.com to 146.255.195.104
Server: goodfluxetcwow1.com
Gate file: /forum/7f4765027f274bbc95328d79fa668b75.php
Alternate domains:
goodfluxetcwow2.com
b437571f9061b10e5d33c66c83df359e.ru
This is the malware component of a fast-flux hosting setup. Once installed on a computer, it opens a web server on port 80 and a DNS server on port 53, turning the infected host into a front-end node for the backend described below.
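As an added example (not part of the original analysis), two defender-side checks built on the behaviour described above: flagging endpoints that listen on both tcp/80 and udp/53, and flagging domains whose DNS answers churn between successive lookups. The hostnames, IPs and domains in the sample data are constructed placeholders, not real indicators.

```python
from collections import defaultdict

# Ports the analysis says the malware component opens on an infected host.
FLUX_NODE_PORTS = {("tcp", 80), ("udp", 53)}

def find_flux_nodes(listeners, known_servers=()):
    """listeners: iterable of (host, proto, port) listening sockets collected from
    endpoints. Returns hosts exposing BOTH tcp/80 and udp/53 that are not on the
    allow-list of legitimate servers; a workstation doing both is a flux-node sign."""
    by_host = defaultdict(set)
    for host, proto, port in listeners:
        by_host[host].add((proto.lower(), int(port)))
    return sorted(h for h, ports in by_host.items()
                  if FLUX_NODE_PORTS <= ports and h not in set(known_servers))

def flux_domains(answers, min_distinct=5, max_overlap=0.5):
    """answers: list of (domain, [ip, ...]) from successive lookups of each domain.
    Flags a domain whose lookups returned many distinct IPs and whose consecutive
    answer sets mostly differ (the churn a fast-flux front end produces)."""
    seen = defaultdict(list)
    for domain, ips in answers:
        seen[domain].append(frozenset(ips))
    flagged = []
    for domain, sets in seen.items():
        distinct = set().union(*sets)
        if len(distinct) < min_distinct or len(sets) < 2:
            continue
        # Jaccard overlap between each pair of consecutive answers (guard empty answers).
        overlaps = [len(a & b) / max(len(a | b), 1) for a, b in zip(sets, sets[1:])]
        if sum(overlaps) / len(overlaps) <= max_overlap:
            flagged.append(domain)
    return sorted(flagged)

# Constructed sample data (hostnames and IPs are placeholders, not real indicators).
SAMPLE_LISTENERS = [
    ("ws-017", "tcp", 80), ("ws-017", "udp", 53), ("ws-017", "tcp", 445),
    ("ws-042", "tcp", 445),
    ("dc-01", "udp", 53), ("dc-01", "tcp", 80),  # legitimate DC, allow-listed below
]
SAMPLE_ANSWERS = [
    ("flux.example", ["198.51.100.1", "198.51.100.2", "198.51.100.3"]),
    ("flux.example", ["198.51.100.4", "198.51.100.5", "198.51.100.3"]),
    ("flux.example", ["198.51.100.6", "198.51.100.7", "198.51.100.8"]),
    ("static.example", ["203.0.113.10", "203.0.113.11"]),
    ("static.example", ["203.0.113.10", "203.0.113.11"]),
]

if __name__ == "__main__":
    print(find_flux_nodes(SAMPLE_LISTENERS, known_servers=["dc-01"]))  # ['ws-017']
    print(flux_domains(SAMPLE_ANSWERS))  # ['flux.example']
```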
Current IPs used by the setup: hxxp://goodfluxetcwow1.com/system/http.php
Page showing example forwarding: hxxp://goodfluxetcwow1.com/system/test.php
We can learn a little about the server from the environment test.php dumps. The backend is Apache/2.2.3 on CentOS, listening on 127.0.0.1:8080 with the request arriving from 127.0.0.1 (i.e. it is reached through a local proxy rather than exposed directly), and its document root sits on a mounted TrueCrypt volume, /media/truecrypt1/www. The REQUEST_TIME of 1385086046 dates this capture to 22 November 2013.
[SERVER_SOFTWARE] => Apache/2.2.3 (CentOS)
[SERVER_NAME] => 127.0.0.1
[SERVER_ADDR] => 127.0.0.1
[SERVER_PORT] => 8080
[REMOTE_ADDR] => 127.0.0.1
[DOCUMENT_ROOT] => /media/truecrypt1/www
[SERVER_ADMIN] => root@localhost
[SCRIPT_FILENAME] => /media/truecrypt1/www/system/test.php
[REMOTE_PORT] => 46342
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.0
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_URI] => /system/test.php
[SCRIPT_NAME] => /system/test.php
[PHP_SELF] => /system/test.php
[REQUEST_TIME] => 1385086046
Hosting info: http://whois.domaintools.com/146.255.195.104
Related MD5s (download the sample from Malwr.com)
Fast-flux component:
ed6ebc6c1ea3a3aa4139993e2d5a90d0