C&C Discovered by Malekal Morte
Resolved oppnetspeed.co.ua to 181.191.255.181
Server: oppnetspeed.co.ua
Gate file: /forum/images/image.php
Plugins Rootkit: /forum/r.pack
All the info you would ever need to know about his server can be found on these handy pages.
Hosting infos: http://whois.domaintools.com/181.191.255.181
paradisetest.ru (Paradise ddos botnet hosted by hostnoc.net)
Resolved paradisetest.ru to 184.22.118.71
Server: paradisetest.ru
Gate file: /par/bfg.php
The installation directory is still up and includes an EULA. Someone should ask iserdo how well using a EULA worked out for him.
Hosting infos: http://whois.domaintools.com/184.22.118.71
armadva.ru (Armageddon ddos botnet hosted by hostnoc.net)
Resolved armadva.ru to 184.22.118.71
Server: armadva.ru
Gate file: /arm/gs.php
Other domains it tries to connect to if this one is down: armab.ru, armatri.ru
You can see a record of a previous attack in the virustotal sandbox records.
Hosting infos: http://whois.domaintools.com/184.22.118.71
serv16.3sli.us (ngrBot hosted in Romania Bucharest Voxility S.r.l.)
Thanks to anonymous guy here for the sample which u can download here: hxxp://sharesend.com/ola3pkmx for finding this botnet
Resolved: [serv16.3sli.us] to [109.163.233.44]
109.163.233.44:8939
Nick: n{US|XPa}uufzjxq
Username: uufzjxq
Server Pass: new
Joined Channel: ##new with Password new
Channel Topic for Channel ##new: “&mod usbi on &mod pdef on &mdns hxxp://109.163.233.44/dns.txt”
Hosting infos: http://whois.domaintools.com/109.163.233.44
zxvfircd.no-ip.biz (Athena irc botnet hosted by digitalocean.com)
Resolved zxvfircd.no-ip.biz to 192.34.58.99
Server: zxvfircd.no-ip.biz
Port: 6667
Current global users 213, max 506
Channel: #bots
Topic for #bot is: hxxp://192.34.58.99/WinDefender.exe
Topic for #bot set by FreeBSD at Fri Feb 01 17:56:41 2013
#bot 212 [+nt] hxxp://192.34.58.99/WinDefender.exe
Hosting infos: http://whois.domaintools.com/192.34.58.99
46.38.63.119 (reptile mod hosted in Russian Federation Moscow Jsc Tel Company)
From the nick format looks like reptile mod
Local users: 45 147 Current local users 45, max 147
Global users: 45 147 Current global users 45, max 147
Server: 46.38.63.119:6667
Username: 3
Nickname: [D|x86|DEU|XP|1020942]
Channel: #inet (Password: )
Channeltopic: :?bitcoin-24896128560982359857125906 gpu high
* Topic for #inet set by Dexter at Mon Jan 28 15:08:05 2013
monstercvv.cc (Multilocker 3 winlocker hosted by altushost.com)
Resolved monstercvv.cc to 37.46.125.111
Server: monstercvv.cc
Gate file: /mplock/Panel/lending/tds.php
Lots of interestingly named zips on the root of the domain.
Hosting infos: http://whois.domaintools.com/37.46.125.111
ads.pr4d.tk / teams.xsaudix.net / y.servicesql.info (ngrBot hosted in United States Scranton Network Operations Center Inc.)
This botnet was found from anonymous guy here, thanks to him for the submission
Resolved: [ads.pr4d.tk] to [64.120.186.229]
Resolved: [teams.xsaudix.net] to [64.120.186.230] arab heckers
Resolved: [y.servicesql.info] to [64.120.186.228]
Server: 64.120.186.229:1433
Username: zdbcuzs
Nickname: n{DE|XPa}zdbcuzs
Channel: #tmw5 (Password: ngrBot)
Channeltopic: :!u5 hxxp://bmc.linkpc.net/download/s1.exe 5b8fe0ee31617ee9596a5861a2192304 !u5 hxxp://bmc.linkpc.net/s1cr.exe cdfc01b434fc787d487ce088dd391e0b !u6 hxxp://bmc.linkpc.net/chat.exe 7140176e63651b027fd5f3b19252c4bf
Server: 64.120.186.228:1434
Username: mmgamzu
demoralize.biz (Andromeda hosted in Germany Frankfurt Am Main Voxility S.r.l.)
Resolved: [demoralize.biz] to [37.221.170.194]
Panel: hxxp://37.221.170.194/panel/image.php
Module: hxxp://37.221.170.194/panel/r.pack
DirtJumper: demoralize.biz/dj/index.php
Other files: hxxp://demoralize.biz/f/
Hosting infos: http://whois.domaintools.com/37.221.170.194
androhosting.info (Athena irc botnet hosted by voxility.net)
Resolved androhosting.info to 37.221.170.211
Mystical is right back into the irc game, with a different server and domain. This is on the same ip as _Stoner’s Athena test server which was previously posted. Google indicates that the domain once hosted a blackhole exploit kit panel.
Server: androhosting.info
Port: 44
Current global users 119, max 910