Author: I_Post_Ur_Info

www.yahgodz.com (Andromeda http botnet hosted by dataclub.biz)

Uncategorized

Resolved www.yahgodz.com to 46.183.217.148 Server:  www.yahgodz.com Gate file:  /http/image.php Additional domains: bighecks.net/http/image.php (Missing gate file, hosted at worldstream.nl 217.23.4.155) sonic4us.ru/http/image.php (Pointed at 127.0.0.1) imageshells.com/admin/image.php (Missing gate file, hosted at worldstream.nl 217.23.4.107) All of these are mystical’s domains, used for various nefarious purposes in the past. A quick google shows that he’s been loading onto thisRead more...

aeonhf.net (Smoke loader http botnet proxied by cloudflare)

Uncategorized

Resolved aeonhf.net to  173.245.60.168, 173.245.61.168 (Cloudflare ips) Server:  aeonhf.net, Alternate domain:  aminserve.info (Currently has non-responsive nameservers) Gate file:  /admin/index.php This is the latest skid who uses cloudflare to help host his botnet. Maybe this time they’ll do something about it? Hosting infos: ecatel.info Edit: CloudFlare received your abuse report dated February 24, 2013 regarding: aeonhf.netRead more...

mikimouse.net (ngrbot irc botnet hosted by yisp.nl)

Uncategorized

Resolved mikimouse.net to 46.182.107.35 Server:  mikimouse.net (Alternate domains mikimouse.org mikispace.org) Port:  1863 Server password:  jobs Channel:  #jobs Topic for #jobs is: Topic for #jobs set by h at Sat Feb 23 19:28:30 2013 This is the same bot, port and spreading method as a previously posted botnet. However that had been sinkholed so it appearsRead more...

616design.info (Pony loader and Zeus banking malware hosted by fastit.net)

Uncategorized

Resolved 616design.info to 80.82.222.106 Pony Server:  616design.info Gate file:  /forum/pony/gate.php This is by the same guy as this winlocker and andromeda bot. The server seems to be down at the moment, most likely due to zeus tracker posting the zeus bot I located on the same ip. Zeus Server:  oppspeedy.co.ua Gate file:  /forum/33/gate.php Config file: Read more...

5.199.167.219 (Citadel banking malware hosted by balticservers.com)

Uncategorized

Gate file:  5.199.167.219/mode.php Config droppers  (appear to be compromised sites) shadowsfromlight.com/wp-content/upgrade/file.php www.danainvestment.com/wp-content/upgrade/file.php gregsmission.org/wp-content/upgrade/file.php luna.pgnstudio.com/wp-content/upgrade/file.php On gregsmission.org WP-Sentinel seems to have failed to stop the initial compromise, but is now preventing the dropper from functioning. Sample is located here http://whois.domaintools.com/5.199.167.219