Resolved trik.su to 174.127.123.4
Server: trik.su
Port: 5050
Channel: #trk
#trk :.j #upd .u trk2 /120/126/99/107/25/61/37/112/72/120/110/67/113/123/122/115/35/64/118/114/35/123/85/74/78/111/125/83/8/55/46/39/32/63/42/55/63/35/44/11/42/38/32/37/120/110/121/
Channel: #upd
#upd :.u trk2 /120/126/99/107/25/61/37/103/86/99/120/83/100/118/123/98/98/13/108/108/35/123/85/74/15/107/97/69/
Hosting info: http://whois.domaintools.com/174.127.123.4
Related md5s (Download samples from Malwr.com)
Aspermod: 1f876d3830527f22f84205069695d3d2
vvvhhhccc.com (Betabot http botnet hosted by dacentec.com)
Resolved vvvhhhccc.com to 192.111.153.98
Server: vvvhhhccc.com
Gate file: /8/8/8/be/order.php
Alternate domains: virusprotect.su, virus-protector.net, latinodancewears.com.vn
He also has a Plasma HTTP botnet on the same domain, which he is using to mine Dogecoin.
Gate file: /8/8/plasma/login.php
Hosting info: http://whois.domaintools.com/192.111.153.98
Related md5s (Download samples from Malwr.com)
Betabot: a58ddb7a7a3b823ff0ddd541f136d9f4
Plasma: 401459ef275cf0639a855a4dff234bf5
Mining info: stratum+tcp://pool.dogechain.info:3333 -u latinodresses.plasmahttp -p x
videotr.in (Facebook spreading browser extension proxied by cloudflare)
This one is aimed at Turkish Facebook users. The scripts used by the extension are hosted across several domains. The infection starts at hxxp://www.videotr.in, which plays a short video clip. The video is then interrupted and the user is urged to run a downloaded exe to "fix" the issue. The exe creates a...
Fbcentral.net (Betabot http botnet hosted by ixam-hosting.com)
Resolved fbcentral.net to 109.163.228.196
Server: fbcentral.net
Gate file: /orders/order.php
Related md5s (Download samples from Malwr.com)
Betabot: ffb8efe74954a348a3ec397c132cce96
Hosting info: http://whois.domaintools.com/109.163.228.196
199.187.121.82 (pBots hosted by databasebydesignllc.com)
Server: 199.187.121.82
Port: 7802
* There are 1 users and 3702 invisible on 1 servers
* 127 :unknown connection(s)
* 2 :channels formed
* I have 3703 clients and 0 servers
* Current Local Users: 3703 Max: 3785
* Current Global Users: 3703 Max: 3785
Channel: #bom#
Channel   Users   Topic
#sick#    341     [+smntMu]
#bom#     3385
googleisearch.com (ferret DDOS botnet hosted by sigmait.dk)
Resolved googleisearch.com to 195.20.141.115
Server: googleisearch.com
Gate file: /tmp/search.php
The panel is version 2.2, indicating continued development since its discovery.
Hosting info: http://whois.domaintools.com/195.20.141.115
Related md5s (Download samples from Malwr.com)
Ferret: bcf167ad78a41f695b766531ed3a6fea
iappleblog.net (Betabot http botnet hosted by ubris-hosting.com)
Resolved iappleblog.net to 37.9.55.98
Server: iappleblog.net
Gate file: /img/beta/order.php
Alternate domains: iapplegeek.com, androidistore.net
This is the first Betabot 1.7 I have seen in the wild. Thanks to Xylitol for the C&C info. Looks like the network signatures need to be updated.
Hosting info: http://whois.domaintools.com/37.9.55.98
Related md5s (Download sample from Malwr.com)
Betabot: 5f3b16af36bfa193a222222035c7321c
93.174.94.158 (Linux Perl bots hosted by Ecatel.net)
Server: 93.174.94.158
Port: 6667
* There are 1 users and 3854 invisible on 1 servers
* 24 :unknown connection(s)
* 45 :channels formed
* I have 3855 clients and 0 servers
* 3855 15196 :Current local users 3855, max 15196
* 3855 5212 :Current global users 3855, max 5212
Channel: #X (Perl bots)
Bot Source
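The server statistics quoted in the two IRC entries above (199.187.121.82 and 93.174.94.158) are the RPL_LUSER* numerics (251, 253, 254, 255, 265, 266) and RPL_LIST (322) that an ircd sends on connect and in reply to /LIST. The following is an added example, not the blog author's code, that parses those numerics from a raw IRC banner and derives a bot-population figure from them. The banner is constructed from the figures in the 199.187.121.82 entry; the server name "irc.example" and the nick "probe" are placeholders, and the #bom# topic is left empty because it is cut off on this page.

```python
"""Parse RPL_LUSER*/RPL_LIST numerics from a captured IRC C&C banner.

Added example; not code from this page's author. SAMPLE_BANNER is
constructed from the 199.187.121.82 entry above, in raw IRC wire format
(":<server> <numeric> <nick> <params> :<trailing>"). Server name and nick
are placeholders.
"""
import re

SAMPLE_BANNER = """\
:irc.example 251 probe :There are 1 users and 3702 invisible on 1 servers
:irc.example 253 probe 127 :unknown connection(s)
:irc.example 254 probe 2 :channels formed
:irc.example 255 probe :I have 3703 clients and 0 servers
:irc.example 265 probe 3703 3785 :Current local users 3703, max 3785
:irc.example 266 probe 3703 3785 :Current global users 3703, max 3785
:irc.example 321 probe Channel :Users  Name
:irc.example 322 probe #sick# 341 :[+smntMu]
:irc.example 322 probe #bom# 3385 :
:irc.example 323 probe :End of /LIST
"""

RE_251 = re.compile(r"There are (\d+) users and (\d+) invisible on (\d+) servers")
RE_255 = re.compile(r"I have (\d+) clients and (\d+) servers")
RE_MAX = re.compile(r"(\d+), max (\d+)")


def parse_irc_line(line):
    """Split one raw IRC line into (prefix, command, params).

    The trailing parameter (after the first " :") may contain spaces, so
    it is split off before the remaining params are whitespace-split.
    """
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return prefix, params[0], params[1:]


def parse_banner(text):
    """Extract user/channel counts from the numerics in a banner."""
    info = {"channels": []}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        _, cmd, params = parse_irc_line(raw)
        trailing = params[-1] if params else ""
        if cmd == "251":
            m = RE_251.search(trailing)
            if m:
                info["users"], info["invisible"], info["servers"] = map(int, m.groups())
        elif cmd == "253":
            info["unknown"] = int(params[1])
        elif cmd == "254":
            info["channel_count"] = int(params[1])
        elif cmd == "255":
            m = RE_255.search(trailing)
            if m:
                info["clients"], info["linked_servers"] = map(int, m.groups())
        elif cmd in ("265", "266"):
            # Most ircds put the counts in numeric params before the text;
            # older ones only state them in the trailing text.
            key = "local" if cmd == "265" else "global"
            nums = [p for p in params[1:-1] if p.isdigit()]
            if len(nums) >= 2:
                info[key], info[key + "_max"] = int(nums[0]), int(nums[1])
            else:
                m = RE_MAX.search(trailing)
                if m:
                    info[key], info[key + "_max"] = map(int, m.groups())
        elif cmd == "322":
            # RPL_LIST: <channel> <user count> :<topic>
            info["channels"].append((params[1], int(params[2]), trailing))
    return info


def bot_estimate(info):
    """Heuristic: on a C&C server every connected client except the
    visible observer(s) is a bot, so clients minus visible users (which
    here equals the 'invisible' figure) approximates the bot count."""
    return info["clients"] - info["users"]


if __name__ == "__main__":
    banner = parse_banner(SAMPLE_BANNER)
    print(banner)
    print("estimated bots:", bot_estimate(banner))
```

Feed it the banner you captured with a plain IRC client or a raw socket connection; the channel user counts from 322 replies tell you which channel the bots sit in, which is where the command topic will be.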
uploadwith.me (Betabot http botnet hosted by datashack.net)
Resolved uploadwith.me to 63.141.233.107
Server: uploadwith.me
Gate file: /ashg653/order.php
Alternate domain: strike-file-hosting.us
Hosting info: http://whois.domaintools.com/63.141.233.107
Notice anything interesting about this IP?
CustName: Chris Gravenstein
Address: 201 E. 16th st
City: North Kansas City
StateProv: MO
PostalCode: 64116
Country: US
RegDate: 2013-10-21
Updated: 2013-10-21
Ref: http://whois.arin.net/rest/customer/C04738525
That's right, Chris Gravenstein, aka digital, has managed to top...
illuminati.sx (Plasma http botnet hosted by worldstream.nl)
Resolved illuminati.sx to 109.236.80.74
Server: illuminati.sx
Gate file: /http/gate.php
This is the first time I have seen the HTTP version of Plasma, and it sucks hard. It appears to be a slightly upgraded version of the old Barracuda HTTP bot with few of its problems fixed.
Hosting info: http://whois.domaintools.com/109.236.80.74
Bitcoin mining info: miner.start http://109.236.80.74/miner/CPUMiner.files *-a...
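Every HTTP-botnet entry on this page (vvvhhhccc.com, fbcentral.net, googleisearch.com, iappleblog.net, uploadwith.me, illuminati.sx) gives the same two indicators: the C&C host and the gate file the bots POST to. The following is an added example, not the blog author's code, that turns those indicators into a matcher over web-proxy log lines. The hosts and gate paths are transcribed from the entries above; the log format (timestamp, client IP, method, URL, status) and the sample log are constructed for the example, so the parser regex will need adapting to your proxy's actual format.

```python
"""Match proxy log lines against the HTTP-botnet C&C indicators on this page.

Added example; not code from this page's author. C2_HOSTS and GATE_PATHS
are transcribed from the entries above. The log format and SAMPLE_LOG are
constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Domain / IP -> family, as listed in the entries above.
C2_HOSTS = {
    "vvvhhhccc.com": "Betabot", "192.111.153.98": "Betabot",
    "virusprotect.su": "Betabot", "virus-protector.net": "Betabot",
    "latinodancewears.com.vn": "Betabot",
    "fbcentral.net": "Betabot", "109.163.228.196": "Betabot",
    "googleisearch.com": "Ferret", "195.20.141.115": "Ferret",
    "iappleblog.net": "Betabot", "iapplegeek.com": "Betabot",
    "androidistore.net": "Betabot", "37.9.55.98": "Betabot",
    "uploadwith.me": "Betabot", "strike-file-hosting.us": "Betabot",
    "63.141.233.107": "Betabot",
    "illuminati.sx": "Plasma", "109.236.80.74": "Plasma",
}

# Gate files as listed above. An exact gate path on a known host is a
# strong hit; the same path on an unlisted host is worth a look (panels
# get moved between domains) but is only a medium-confidence signal.
GATE_PATHS = {
    "/8/8/8/be/order.php": "Betabot", "/8/8/plasma/login.php": "Plasma",
    "/orders/order.php": "Betabot", "/tmp/search.php": "Ferret",
    "/img/beta/order.php": "Betabot", "/ashg653/order.php": "Betabot",
    "/http/gate.php": "Plasma",
}

# Constructed log format: <timestamp> <client> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample: one known-host hit, one benign line, one gate path on
# an unlisted host, one fetch of the Plasma miner payload, one malformed line.
SAMPLE_LOG = """\
2014-02-03T10:01:02Z 10.0.0.17 POST http://vvvhhhccc.com/8/8/8/be/order.php 200
2014-02-03T10:01:05Z 10.0.0.17 GET http://www.example.com/index.html 200
2014-02-03T10:02:11Z 10.0.0.23 POST http://cdn.example.net/orders/order.php 200
2014-02-03T10:03:40Z 10.0.0.9 GET http://109.236.80.74/miner/CPUMiner.files 200
this line is not in the expected format
"""


def classify(url):
    """Return (confidence, family, reason) for a URL, or None if clean."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # .hostname is already lowercased
    path = parts.path or "/"
    if host in C2_HOSTS:
        family = C2_HOSTS[host]
        if path in GATE_PATHS:
            return ("high", family, f"known C2 host {host} and gate path {path}")
        return ("high", family, f"known C2 host {host}")
    if path in GATE_PATHS:
        return ("medium", GATE_PATHS[path], f"known gate path {path} on unlisted host {host}")
    return None


def scan(log_text):
    """Run classify() over every well-formed line; return the hits."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or foreign-format line: skip, do not crash
        verdict = classify(m["url"])
        if verdict:
            confidence, family, reason = verdict
            hits.append({"line": n, "client": m["client"], "method": m["method"],
                         "family": family, "confidence": confidence, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The medium-confidence branch exists because gate file names like order.php are generic; it flags the path for review rather than asserting an infection. Resolve the listed domains at alert time as well, since the IPs above are only what they resolved to when the entries were written.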