Resolved winblowservice.hopto.org to 207.12.89.154
Server: winblowservice.hopto.org
Gate file: /service/order.php
Alternate domains: imafaggot.pw imtheop.redirectme.net
Thanks to this commenter for the report.
Hosting infos: http://whois.domaintools.com/207.12.89.154
Related md5s (search on malwr.com to download samples)
Betabot: c994461c69b02a63d0f1bbcd2a56ba54
liveinsurance.org (Betabot http botnet hosted by worldstream.nl)
Resolved liveinsurance.org to 109.236.84.150
Server: liveinsurance.org
Gate file: /loverboy/order.php
freegamebox.us, a domain from a previous Betabot, is hosted on the same IP, so both are probably owned by the same person.
Hosting infos: http://whois.domaintools.com/109.236.84.150
Related md5s (search on malwr.com to download samples)
Betabot: 655b1833bfe7dc80391287ae6d568318
212.7.194.240 (Athena IRC Botnet Hosted By Dediserv [dediserv.eu])
This is a guest post written by mongoose.
Server: 212.7.194.240
Port: 6667
Channel: #nirjhar
Current local users: 47 Max: 472
Current global users: 47 Max: 472
This file was downloaded from this botnet.
Whois on host IP: http://whois.domaintools.com/212.7.194.240
5.133.180.103 (Athena irc botnet hosted by bhost.co.uk)
Server: 5.133.180.103
Port: 6667
Current global users: 104, max 387
Channel: #razbot
#razbot 102
Oper: [n[ARE|U|L|WIN7|x64|2c]loruybe] (rusho@i.hate.microsefrs.com): …
[n[ARE|U|L|WIN7|x64|2c]loruybe] #strike #razbot
[n[ARE|U|L|WIN7|x64|2c]loruybe] irc.foonet.com :FooNet Server
[n[ARE|U|L|WIN7|x64|2c]loruybe] is a Network Administrator
[n[ARE|U|L|WIN7|x64|2c]loruybe] is available for help.
[n[ARE|U|L|WIN7|x64|2c]loruybe] idle 00:09:52, signon: Tue Sep 03 11:45:07
[n[ARE|U|L|WIN7|x64|2c]loruybe] End of WHOIS list.
This is the same auth host as another posted Athena botnet.
Hosting infos:
Predhost.in (Smokeloader hosted by Digitalocean.com)
Resolved predhost.in to 198.199.109.163
Server: Predhost.in
Gate file: /sm/index.php
Logging into hxxp://predhost.in/sm/guest.php with guest:guest works. Anyone want to test if the SQLi got fixed?
Hosting infos: http://whois.domaintools.com/198.199.109.163
Related md5s (search on malwr.com to download samples)
Smokeloader: 4c438005e17b968813f3df1fb2e15f4a
main-firewalls.com (Pony stealer hosted by virtacore.com)
Resolved main-firewalls.com to 74.204.171.69
Server: main-firewalls.com
Gate file: /gate.php
Downloaded FakeAV and ZeroAccess.
Hosting infos: http://whois.domaintools.com/74.204.171.69
Related md5s (search on malwr.com to download the sample)
Pony: a3243c1f6fe92db72af7b5c1f9b207ea
37.9.53.121 (Pony Stealer hosted by pinspb.ru)
Server: 37.9.53.121
Gate file: //xSZ64Wiax/WiOzJe3G7u7ok3gOYqHdv2xk.php
According to VirusTotal this is an affiliate program, with the Pony file downloaded from the same site.
Hosting infos: http://whois.domaintools.com/37.9.53.121
Related md5s (search on malwr.com to download the sample)
Pony: 37ae22ba2799ed146c47085268dd481b
fackestructur.be (Warbot http botnet hosted by firstvds.ru)
Resolved fackestructur.be to 82.146.42.62
Server: fackestructur.be
Gate file: /bymedstar_01/index.php
One of the files downloaded by this Andromeda. I don't know why anyone would waste their time setting up this old piece of crap, let alone spreading it.
Hosting infos: http://whois.domaintools.com/82.146.42.62
Related md5s (search on malwr.com to download samples)
Warbot: a0ef373644caec98e666048a581a4cf0
towi4-place.com (Andromeda http botnet hosted by core-vps.lv)
Resolved towi4-place.com to 193.105.240.20
Server: towi4-place.com
Gate file: /1800/image.php
Downloads Cutwail as well as other malware. The owner has left a message on the index page (translated from Russian):
What we call evil is merely an inevitability in our endless development. F. Kafka
> Questions and proposals for cooperation (JID): ToWi4@cryptovpn.com
bicycletrainers.info (betabot http botnet proxied by cloudflare to 100tb.com)
Server: bicycletrainers.info
Gate file: /wheellock/order.php
Alternate domains: dirtybagmcgee.com womenhealthbody.pw
It's been a while since I've seen someone trying to use Cloudflare with malware. Let's see how long it takes them to block it this time.
Related md5s (search on malwr.com to download samples)
Betabot: ddb28ce54c501be046400ddaa474f257
EDIT: It's been blocked, and I got the hosting info:
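The entries above all follow one loose template (title with family and hoster, then "Resolved … to …", "Server:", "Gate file:" or "Port:"/"Channel:", whois link, md5s). Turning them into structured, defanged indicators is the first thing a blue team does with a tracker like this. The following is an added example, not the tracker's own code: it parses a few entries constructed here in the page's format, extracts domains, IPs, gate paths, IRC port/channel and md5s, and renders a defanged C2 indicator. The regexes and the "family is the first word in the parentheses" rule are assumptions about this page's format, not a general IOC grammar.

```python
"""Parse botnet-tracker entries (this page's format) into structured IOCs.

Added example; the parsing heuristics are assumptions about the entry format.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample, copied in the page's own entry layout (title line, then body).
SAMPLE_ENTRIES = """\
liveinsurance.org (Betabot http botnet hosted by worldstream.nl)
Resolved liveinsurance.org to 109.236.84.150 Server: liveinsurance.org Gate file: /loverboy/order.php Hosting infos: http://whois.domaintools.com/109.236.84.150 Related md5s (search on malwr.com to download samples) Betabot: 655b1833bfe7dc80391287ae6d568318
212.7.194.240 (Athena IRC Botnet Hosted By Dediserv [dediserv.eu])
Server: 212.7.194.240 Port: 6667 Channel: #nirjhar Current local users: 47 Max: 472
bicycletrainers.info (betabot http botnet proxied by cloudflare to 100tb.com)
Server: bicycletrainers.info Gate file: /wheellock/order.php Alternate domains: dirtybagmcgee.com womenhealthbody.pw Related md5s (Search on malwr.com to download samples) Betabot: ddb28ce54c501be046400ddaa474f257
"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IP_RE = re.compile(rf"\b{IPV4}\b")
TITLE_RE = re.compile(r"^(?P<host>\S+)\s+\((?P<inside>.*)\)\s*$")  # "host (family ... hosted by X)"
SPLIT_RE = re.compile(r"\s+(?:hosted by|proxied by)\s+", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
GATE_RE = re.compile(r"Gate file:\s*(\S+)")
PORT_RE = re.compile(r"Port:\s*(\d+)")
CHAN_RE = re.compile(r"Channel:\s*(#\S+)")
ALT_RE = re.compile(r"Alternate domains:\s*(.*)")


@dataclass
class Entry:
    host: str                      # domain or IP from the title line
    family: str                    # malware family named in the title, e.g. "Betabot"
    hoster: str                    # hosting provider named in the title
    domains: List[str] = field(default_factory=list)
    ips: List[str] = field(default_factory=list)
    md5s: List[str] = field(default_factory=list)
    gate: Optional[str] = None     # HTTP gate path for HTTP botnets
    port: Optional[int] = None     # IRC port for IRC botnets
    channel: Optional[str] = None  # IRC channel for IRC botnets


def _dedupe(items):
    """Order-preserving dedupe (the same IP appears in 'Resolved' and the whois URL)."""
    out: List[str] = []
    for i in items:
        if i not in out:
            out.append(i)
    return out


def parse_title(line: str) -> Optional[Entry]:
    m = TITLE_RE.match(line)
    if not m:
        return None
    parts = SPLIT_RE.split(m["inside"], maxsplit=1)
    if len(parts) != 2:
        return None
    family = parts[0].split()[0]                      # "Betabot http botnet" -> "Betabot"
    bracket = re.search(r"\[([^\]]+)\]", parts[1])    # "Dediserv [dediserv.eu]" -> "dediserv.eu"
    hoster = bracket.group(1) if bracket else parts[1].split()[-1]
    host = m["host"]
    domains = [] if IP_RE.fullmatch(host) else [host]
    return Entry(host=host, family=family, hoster=hoster, domains=domains)


def _alt_domains(body: str) -> List[str]:
    """Tokens after 'Alternate domains:' until the first one that is not a dotted name."""
    m = ALT_RE.search(body)
    doms: List[str] = []
    if m:
        for tok in m.group(1).split():
            if "." not in tok or tok.endswith(":"):
                break
            doms.append(tok)
    return doms


def parse_entries(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        title = parse_title(line)
        if title:
            entries.append(title)
            continue
        if not entries:
            continue                                  # body text before any title
        cur = entries[-1]
        cur.ips = _dedupe(cur.ips + IP_RE.findall(line))
        cur.md5s = _dedupe(cur.md5s + [h.lower() for h in MD5_RE.findall(line)])
        cur.domains = _dedupe(cur.domains + _alt_domains(line))
        for regex, attr, conv in ((GATE_RE, "gate", str), (PORT_RE, "port", int), (CHAN_RE, "channel", str)):
            found = regex.search(line)
            if found:
                setattr(cur, attr, conv(found.group(1)))
    return entries


def defang(url: str) -> str:
    """Defang only the host part so the path stays readable: http://a.b/x.php -> hxxp://a[.]b/x.php."""
    parts = urlsplit(url)
    if not parts.netloc:                              # bare domain or IP
        return url.replace(".", "[.]")
    return urlunsplit((parts.scheme.replace("http", "hxxp"), parts.netloc.replace(".", "[.]"),
                       parts.path, parts.query, parts.fragment))


def c2_indicator(e: Entry) -> str:
    """Primary C2 as one defanged string: HTTP gate URL, IRC server/channel, or bare host."""
    if e.gate:
        return defang(f"http://{e.host}{e.gate}")
    if e.port and e.channel:
        return defang(f"irc://{e.host}:{e.port}/{e.channel}")
    return defang(e.host)


if __name__ == "__main__":
    for entry in parse_entries(SAMPLE_ENTRIES):
        print(entry.family, entry.hoster, c2_indicator(entry), entry.ips, entry.md5s)
```

The per-line regexes mean the parser works equally on the flattened one-line bodies seen on this page and on bodies split across several lines; anything the heuristics miss (a gate path with spaces, a hoster named without a domain) simply stays `None` or falls back to the last word, so check the output rather than blindly feeding it to a blocklist.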