Resolved cureid.pw to 62.109.17.111
Server: cureid.pw
Gate file: /cmd.php
The Fort Disco brute-forcing malware has been upgraded and is now brute-forcing POP3 accounts. The URL list to brute-force is now a list of domain:MX-server pairs:
motorisationplus.com:mx00.1and1.fr
instagift.com:aspmx.l.google.com
paddypartners.it:cluster2a.eu.messagelabs.com
nunofi.sk:mail3.itstudio.cz
realasianbabes.com:oxmail.registrar-servers.com
kvalitetskatalog.se:kvalitetskatalog.se
caissedesdepots.fr:mail1.caissedesdepots.fr
siat.ac.cn:mx.cstnet.cn
A list is mirrored here, you can see more
milfsdeasing.com (Paradise DDoS bot hosted by zevshost.net)
Resolved milfsdeasing.com to 192.102.6.130
Server: milfsdeasing.com
Gate file: /par/bfg.php
The bot is currently attacking a few websites related to stock and financial regulation. The beacon is a POST to the gate with the body "status=get" (Content-Length 10) and the User-Agent "PARADISE":
POST /par/bfg.php HTTP/1.1
Host: milfsdeasing.com
User-Agent: PARADISE
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 10

status=get

HTTP/1.1 200 OK
Date: Thu, 12 Sep 2013 00:25:55 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze14
Vary: Accept-Encoding
Content-Length:
cureit.pw (WordPress bruting botnet hosted by firstvds.ru)
Resolved cureit.pw to 62.109.17.111
This is the same malware as this previous post.
Correct gate request (note the trailing dot in the Host header, "cureit.pw." rather than "cureit.pw"; without it the request does not reach the gate):
GET /cmd.php HTTP/1.0
Host: cureit.pw.
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

HTTP/1.1 200 OK
Date: Wed, 11 Sep 2013 19:17:35 GMT
Server: Apache/2.2.24 (FreeBSD) PHP/5.4.15 mod_ssl/2.2.24 OpenSSL/1.0.1e
X-Powered-By: PHP/5.4.15
Cache-Control: max-age=1
Expires: Wed, 11 Sep 2013 19:17:36
jottedmaintains.net (Citadel banking malware hosted by linkup.ua)
Resolved jottedmaintains.net to 176.119.2.93
Server: jottedmaintains.net
Gate file: /xerox/file.php
Config file: /xerox/gate.php
Hosting info: http://whois.domaintools.com/176.119.2.93
Related md5s (search on malwr.com to download samples)
Citadel: 19d04a8e094f5fe2b171cf5eed677c30
lpa4u.in (Betabot HTTP botnet hosted by worldstream.nl)
Resolved lpa4u.in to 217.23.4.120
Server: lpa4u.in
Gate file: /radioserver/order.php
Downloaded by this Andromeda. The domain was only registered yesterday.
Hosting info: http://whois.domaintools.com/217.23.4.120
Related md5s (search on malwr.com to download samples)
Betabot: 4046fd4e5ddfc40548c2316d6cd289f4
dortnath.com (Andromeda HTTP botnet hosted by sunhoster.ru)
Resolved dortnath.com to 185.6.80.48
Server: dortnath.com
Gate file: /gate.php
Hosting info: http://whois.domaintools.com/185.6.80.48
Related md5s (search on malwr.com to download samples)
Andromeda: 8d7d4ea8a5ef18341d5534056d60e061
google-analytics.pw (WordPress bruting botnet hosted by intermedia.md)
Resolved google-analytics.pw to 89.45.14.74
Yet another WordPress brute-forcing botnet. This one differs from the previously posted one in that it uses HTTP for its C&C. It gets a bit tricky, as it tries to hide its gate by sending "Host: google-analytics.pw." (with a trailing dot) in the request instead of "Host: google-analytics.pw". A name-based virtual host configured for the dotted form does not match the plain name, so a request that sends the undotted Host value is served something other than the gate. Here is a correct request
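The trailing-dot Host trick used by cureit.pw and google-analytics.pw, and the PARADISE beacon from milfsdeasing.com, as an added example that is not code from the original posts: it builds the raw gate request in the shape shown above, parses captured requests, and flags the indicators these posts document. The sample requests and the benign control request are constructed here from the headers in the posts; `build_gate_request`, `parse_request`, `normalize_host` and `classify` are names chosen for this example.

```python
# Added example (not from the original posts): build the raw gate request
# the cureit.pw / google-analytics.pw bruters send, and scan captured HTTP
# requests for the indicators documented on this page.  All sample
# requests below are constructed from the headers shown in the posts.


def build_gate_request(host, path="/cmd.php",
                       user_agent="Mozilla/4.0 (compatible; Synapse)",
                       trailing_dot=True):
    """Raw HTTP/1.0 request in the shape shown for cureit.pw.

    The bot sends the Host value with a trailing dot ("cureit.pw.").  A
    name-based virtual host configured for the dotted form does not match
    the plain name, so replaying the request with "Host: cureit.pw" lands
    on the default site instead of the gate.
    """
    hostval = host.rstrip(".") + ("." if trailing_dot else "")
    lines = [
        f"GET {path} HTTP/1.0",
        f"Host: {hostval}",
        "Keep-Alive: 300",
        "Connection: keep-alive",
        f"User-Agent: {user_agent}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_request(raw):
    """Split a raw request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body.decode("latin-1")}


def normalize_host(value):
    """Canonical form for comparing Host headers: drop port, trailing dot, case.

    Use this on the detection side; the gate itself relies on the raw value
    being different.
    """
    return value.rsplit(":", 1)[0].rstrip(".").lower()


# User-Agent strings the posts above tie to specific bots.
UA_INDICATORS = {
    "PARADISE": "Paradise DDoS bot (milfsdeasing.com)",
    "Synapse": "cureit.pw gate request",
}


def classify(raw):
    """Return the indicators from this page that a captured request matches."""
    req = parse_request(raw)
    hits = []
    host = req["headers"].get("host", "")
    if host.endswith("."):
        hits.append("trailing-dot Host header: " + host)
    ua = req["headers"].get("user-agent", "")
    for needle, label in UA_INDICATORS.items():
        if needle in ua:
            hits.append(f"User-Agent {needle!r}: {label}")
    if (req["method"] == "POST" and req["path"].endswith("/bfg.php")
            and req["body"].strip() == "status=get"):
        hits.append("Paradise status=get beacon")
    return hits


# Constructed from the milfsdeasing.com post (Content-Length 10 == len("status=get")).
PARADISE_BEACON = (
    b"POST /par/bfg.php HTTP/1.1\r\n"
    b"Host: milfsdeasing.com\r\n"
    b"User-Agent: PARADISE\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 10\r\n"
    b"\r\n"
    b"status=get"
)

# Constructed benign request for comparison.
BENIGN = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for sample in (build_gate_request("cureit.pw"),
                   build_gate_request("google-analytics.pw"),
                   PARADISE_BEACON, BENIGN):
        req = parse_request(sample)
        print(req["method"], req["path"], req["headers"].get("host"),
              classify(sample))
```

A trailing dot in a Host header is rare in legitimate browser traffic, so it is a cheap thing to alert on in proxy or IDS logs; when replaying a gate request by hand (curl, a proxy), remember to send the dotted form exactly, since any normalization on the client side turns it back into the plain name and you get the decoy site.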
boofer-villa.com (Betabot HTTP botnet hosted by hetzner.de)
Resolved boofer-villa.com to 88.198.59.89
Server: boofer-villa.com
Gate file: /secret/order.php
Another Betabot from our friend in the comments.
Hosting info: http://whois.domaintools.com/88.198.59.89
seattleschools.co (Betabot HTTP botnet hosted by myhosting.com)
Resolved seattleschools.co to 168.144.32.16
Server: seattleschools.co
Gate file: /beta/order.php
Another Betabot from this commenter. There is an Umbra Loader panel at hxxp://seattleschools.co/panel/Panel/
No sample again.
Hosting info: http://whois.domaintools.com/168.144.32.16
h4xinc.com (Betabot HTTP botnet hosted by blueangelhost.com)
Resolved h4xinc.com to 91.218.244.221
Server: h4xinc.com
Gate file: /matrix/order.php
Thanks to this commenter for the report. No sample for this one; if anyone sees something connecting to it, post a comment.
Hosting info: http://whois.domaintools.com/91.218.244.221