Server: 37.9.53.121
Gate file: //xSZ64Wiax/WiOzJe3G7u7ok3gOYqHdv2xk.php
According to VirusTotal this is an affiliate program, with the Pony file downloaded from the same site.
Hosting infos: http://whois.domaintools.com/37.9.53.121
Related md5s (search on malwr.com to download the sample)
Pony: 37ae22ba2799ed146c47085268dd481b
fackestructur.be (Warbot http botnet hosted by firstvds.ru)
Resolved fackestructur.be to 82.146.42.62
Server: fackestructur.be
Gate file: /bymedstar_01/index.php
One of the files downloaded by this Andromeda. I don’t know why anyone would waste their time setting up this old piece of crap, let alone spreading it.
Hosting infos: http://whois.domaintools.com/82.146.42.62
Related md5s (search on malwr.com to download samples)
Warbot: a0ef373644caec98e666048a581a4cf0
towi4-place.com (Andromeda http botnet hosted by core-vps.lv)
Resolved towi4-place.com to 193.105.240.20
Server: towi4-place.com
Gate file: /1800/image.php
Downloads Cutwail as well as other malware. The owner has left a message on the index page (in Russian; translated here):
"What we call evil is merely an inevitability in our endless development." F. Kafka
> Questions and offers of cooperation (JID): ToWi4@cryptovpn.com
Google translated: What we call evil is simply inevitable
Read more...
bicycletrainers.info (betabot http botnet proxied by cloudflare to 100tb.com)
Server: bicycletrainers.info
Gate file: /wheellock/order.php
Alternate domains: dirtybagmcgee.com womenhealthbody.pw
It’s been a while since I’ve seen someone trying to use Cloudflare with malware. Let’s see how long it takes them to block it this time.
Related md5s (search on malwr.com to download samples)
Betabot: ddb28ce54c501be046400ddaa474f257
EDIT: It’s been blocked, and I got the hosting info:
Read more...
navega.pw (Betabot http botnet hosted by OVH.net)
Resolved navega.pw to 198.245.51.109
Server: navega.pw
Gate file: /b7891/b986/bnav123/mar/360/vid5852/order.php
This is on the same IP as the previously posted Athena IRC botnet, and is one of three Betabot botnets hosted on the server, with smalltoys and strike-file-hosting being the other two.
Hosting infos: http://whois.domaintools.com/198.245.51.109
Related md5s (search on malwr.com to download the samples)
Betabot: a422f5aabc160f5a8dbde033ea9e6d0b
Read more...
hosting-bros.me (Athena irc botnet hosted by OVH.net)
Resolved hosting-bros.me to 198.245.51.109
Server: hosting-bros.me
Port: 2300
Channel: #athena
Hosting infos: http://whois.domaintools.com/198.245.51.109
Related md5s (search on malwr.com to download samples)
Athena: c6c1355e7af32c584a4959878bd2640a
irc.tskiller.com (Athena irc botnet hosted by scopehosts.com)
Resolved irc.tskiller.com to 91.109.17.227
Server: irc.tskiller.com
Port: 6667
Server banner: There are 1 users and 207 invisible on 1 servers
Channels (name, user count):
#kurdish 5
#ddos 13
asf123
#deus 8
#eser 4
#DyntaiLegion 12
#kebab 6
#stud 6
#Kavin 3 [+sntVCT]
#opers 1
#deneme 12
#hack0si 7
#LoL 2
#USA 1
#TizenX 2
#unwrittenlaw 4
#winyle 5
#nirjhar 54
Read more...
74.121.150.39 (WordPress brute forcing botnet hosted by it7.net)
Server: 74.121.150.39
Port: 22503 (note: this is not IRC based)
This is one of the various botnets attempting to brute-force WordPress blogs. It works pretty fast: during a short run on the malwr.com sandbox it attempted to log in to 981 different blogs, all with domains starting with exp. Since malwr.com only allows the sample uploader
Read more...
ns1.androha.com (Andromeda http botnet hosted by namecheap.com)
Resolved ns1.androha.com to 162.213.250.141
Server: ns1.androha.com
Gate file: /cgi/image.php
Plugins:
Rootkit: hxxp://ns1.androha.com/cgi/r.pack
Socks: hxxp://ns1.androha.com/cgi/s.pack
Formgrabber: hxxp://ns1.androha.com/cgi/f.pack
Formgrabber gate file: /cgi/fg.php
First cracked Andromeda I’ve seen in a while.
Hosting infos: http://whois.domaintools.com/162.213.250.141
Related md5s (search on malwr.com to download the sample)
Andromeda: c5598dd742b5504084779ccfda0b207c
allrounders.cc (Athena http botnet hosted by hostkey.com)
Resolved allrounders.cc to 146.0.73.201
Server: allrounders.cc
Gate file: /1ds2541svc/gate.php
This domain was previously used as a backup domain for a now defunct Betabot. I guess the owner is trying all the L33T hackforums bots.
Hosting infos: http://whois.domaintools.com/146.0.73.201
Related md5s (search on malwr.com to see the sample in action. You can’t download it as someone hates
Read more...
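The posts above give, for each HTTP botnet, a C2 host (and usually its resolved IP) plus the gate file path the bots POST to. That pair is the indicator worth alerting on: a host match alone is weaker (the betabot behind Cloudflare shares its fronting IPs with legitimate sites, and 198.245.51.109 hosts several unrelated C2s), while a gate path alone (`/wheellock/order.php`, `/cgi/image.php`) is generic enough to collide with benign sites. The following is an added example, not code from the blog, that transcribes a subset of the indicators listed on this page, runs them over a few constructed proxy log lines, and emits Suricata rules keyed on both the `http.host` and `http.uri` buffers. The log line format, the `scan_log`/`suricata_rules` function names and the SID range are assumptions for the example.

```python
"""Added example (not part of the original blog posts): match the C2 indicators
listed on this page against HTTP proxy log lines and emit Suricata rules.
Indicator values are transcribed from the posts above; the log lines and the
log format (timestamp src method url status) are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple, List
from urllib.parse import urlsplit


@dataclass(frozen=True)
class C2Indicator:
    family: str
    host: str                      # C2 domain exactly as listed in the post
    ip: Optional[str]              # resolved IP from the post, None if unknown/proxied
    gate_paths: Tuple[str, ...]    # gate file(s) and plugin download paths
    md5s: Tuple[str, ...] = ()     # related sample hashes from the post


# Subset of the indicators published in the posts above.
INDICATORS: List[C2Indicator] = [
    C2Indicator("Warbot", "fackestructur.be", "82.146.42.62",
                ("/bymedstar_01/index.php",), ("a0ef373644caec98e666048a581a4cf0",)),
    C2Indicator("Andromeda", "towi4-place.com", "193.105.240.20", ("/1800/image.php",)),
    C2Indicator("Betabot", "bicycletrainers.info", None,            # fronted by Cloudflare
                ("/wheellock/order.php",), ("ddb28ce54c501be046400ddaa474f257",)),
    C2Indicator("Betabot", "navega.pw", "198.245.51.109",
                ("/b7891/b986/bnav123/mar/360/vid5852/order.php",),
                ("a422f5aabc160f5a8dbde033ea9e6d0b",)),
    C2Indicator("Andromeda", "ns1.androha.com", "162.213.250.141",
                ("/cgi/image.php", "/cgi/fg.php", "/cgi/r.pack", "/cgi/s.pack", "/cgi/f.pack"),
                ("c5598dd742b5504084779ccfda0b207c",)),
    C2Indicator("Athena", "allrounders.cc", "146.0.73.201", ("/1ds2541svc/gate.php",)),
]

# Constructed log lines (assumed format: timestamp src method url status).
SAMPLE_LOG = """\
2014-02-11T09:12:03Z 10.0.0.7 POST http://ns1.androha.com/cgi/image.php 200
2014-02-11T09:12:04Z 10.0.0.7 GET http://ns1.androha.com/cgi/s.pack 200
2014-02-11T09:13:10Z 10.0.0.9 GET http://bicycletrainers.info/ 200
2014-02-11T09:14:00Z 10.0.0.9 POST http://navega.pw/b7891/b986/bnav123/mar/360/vid5852/order.php 200
2014-02-11T09:15:00Z 10.0.0.3 GET http://example.com/wheellock/order.php 404
2014-02-11T09:16:00Z 10.0.0.4 POST http://146.0.73.201/1ds2541svc/gate.php 200
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def build_index(indicators):
    """Map both the domain and the resolved IP to the indicator, so a bot that
    talks to the raw IP (or a resolver-less sample) is still caught."""
    index = {}
    for ind in indicators:
        index[ind.host.lower()] = ind
        if ind.ip:
            index[ind.ip] = ind
    return index


def match_request(host, path, index):
    """Return (indicator, confidence) or None. Path alone never matches:
    gate file names are too generic to alert on without the host."""
    ind = index.get(host.lower())
    if ind is None:
        return None
    confidence = "gate" if path in ind.gate_paths else "host-only"
    return ind, confidence


def scan_log(text, indicators=INDICATORS):
    """Return (src, family, host, path, confidence) for every hit in the log."""
    index = build_index(indicators)
    hits = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue                      # skip lines that do not fit the assumed format
        parts = urlsplit(m["url"])
        if not parts.hostname:
            continue
        found = match_request(parts.hostname, parts.path, index)
        if found:
            ind, confidence = found
            hits.append((m["src"], ind.family, parts.hostname, parts.path, confidence))
    return hits


def suricata_rules(indicators=INDICATORS, base_sid=9000000):
    """One rule per (host, gate path) pair. base_sid is an assumed local SID range;
    the indicator strings contain no ';', '"' or '\\' so no content escaping is needed."""
    rules, sid = [], base_sid
    for ind in indicators:
        for path in ind.gate_paths:
            rules.append(
                'alert http $HOME_NET any -> $EXTERNAL_NET any '
                f'(msg:"{ind.family} C2 gate {ind.host}{path}"; flow:established,to_server; '
                f'http.host; content:"{ind.host}"; http.uri; content:"{path}"; '
                f'classtype:trojan-activity; sid:{sid}; rev:1;)')
            sid += 1
    return rules


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("\n".join(suricata_rules()))
```

The `example.com/wheellock/order.php` line deliberately produces no hit, and the bare `bicycletrainers.info/` request is reported as `host-only`, which is the right place to draw the line for an alert that is going to be paged on.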