Resolved craftvps.com to 109.163.233.60
Server: craftvps.com
Gate file: /admin2/gate.php
Collector port: 8080
Login page: craftvps.com/users/client/index.php
Hosting infos: http://whois.domaintools.com/109.163.233.60
genhagroup.com (Zeus banking malware hosted by United States Provo Unified Layer)
Resolved genhagroup.com to 74.220.199.26
When this site first got posted I thought it was hacked, but now that I’ve taken a closer look it’s actually a lame spreading attempt.
Zeus
Server: genhagroup.com
Gate file: /data/gate.php
Config file: /data/cf.bin
The zeus binary was hosted at utmeg.com, as a “resume creator”. The download page warns that it...
208.98.52.179 (Multiple irc bots hosted by United States Independence Sharktech)
Server: 208.98.52.179
Port: 6969
Channel: #KaRmA##
#KaRmA## 24 [+smntu]
Nick format: [USA|XP|kikwxww]
Channel: #AryaN#
#AryaN# 6 [+smntu]
Nick format: AryaN{US-XP-x86}1352555
Channel: #pBot#
#pBot# 8 [+smntMu]
Nick format: KaRmA{VN-XP-x86}0123624
Channel: ##Nix##
##Nix## 4 [+smntMu]
Nick format: Linux||296703
Channel: ##ngr
##ngr 6 [+smntu]
Nick format: {VN|XPa}sqgblol
Weed motd
* - With Great Power, Comes Great Responsibility. *
...
techmanagement.info (Aryan irc botnet hosted by vpzzo.com)
Resolved techmanagement.info to 176.31.208.105
Server: techmanagement.info
Port: 6969
Channel: #carb#
Topic for #carb# is: no botkilling!
Topic for #carb# set by Yoshi at Mon Dec 03 23:46:42 2012
Hmm, same domain as a previously posted andromeda net. Googling the ip also brings up insomnia.incorporatedhosting.info, a domain that has graced this blog before.
Hosting infos: http://whois.domaintools.com/176.31.208.105
painadiction.biz (Andromeda http botnet hosted by Ukraine Ukrainian Internet Names Center Ltd)
Resolved painadiction.biz to 91.231.85.228
I found this bot running as an update on a few of the barracuda http nets that I had already posted. I would imagine someone has found a vulnerability in the panel.
Server: painadiction.biz
Gate file: /moneymaker/image.php
There are a few other domains with the same registration email (soyperlman@live.com) on the...
genhagroup.com (Andromeda http botnet hosted by United States Provo Unified Layer)
Resolved genhagroup.com to 74.220.199.26
This looks like it’s hosted on a hacked server.
Server: genhagroup.com
Gate file: /andro/image.php
Plugins
Rootkit: genhagroup.com/andro/r.pack
Socks: genhagroup.com/andro/s.pack
Formgrabber: genhagroup.com/andro/f.pack
Gate file: genhagroup.com/andro/fg.php
Hosting infos: http://whois.domaintools.com/74.220.199.26
i.greenleafyplants.info (Athena irc botnet hosted by Germany Frankfurt Am Main Voxility S.r.l.)
Resolved i.greenleafyplants.info to 37.221.170.211
Server: i.greenleafyplants.info
Port: 15001
Server password: 69
Channel: #A
Channel password: t
Nick format: _[USA|U|L|WIN7|x64|4c]alcaiwfs
Oper: _
[_] (u@v.Host): …
[_] @#A
[_] irc.server.net :IRC server
[_] is a Bot on IRC server
[_] idle 01:22:14, signon: Sun Dec 02 05:45:11
[_] End of WHOIS list.
His debug bot: n[USA|U|D|WIN7|x64|4c]xqftcbqi...
w4hw5wg3488h.net (snk asper mod irc botnet hosted by Germany Karlsruhe 1&1 Internet Ag)
Resolved w4hw5wg3488h.net to 213.165.89.117
Server: w4hw5wg3488h.net
Port: 5050
Channel: #oh
Topic for #oh is: .d /100/97/111/124/120/46/47/39/99/103/96/69/126/115/101/62/113/111/115/62/100/124/57/61/39/57/60/23/40/61/47/33/12/63/52/35/42/41/17/103/8/85/63/104/127/118/39/98/107/73/77/
Topic for #oh set by s at Sat Dec 01 18:36:05 2012
Oper: s!x@x
Talking with snk
<Userbased> hey
<s> sup
<Userbased> cool ircd mod
<s> yea
<Userbased> I like the link encryption as well
<Userbased> is this an...
new.najd.us (irc botnet hosted by Finland Espoo Csc – Tieteen Tietotekniikan Keskus Oy)
Resolved new.najd.us to 193.166.255.170
Server: new.najd.us
Port: 7000
Server password: hipass
Nick format: yhrhjz
I don’t know the channels as I don’t have the binary.
Hosting infos: http://whois.domaintools.com/193.166.255.170
dinosaur.no-ip.org (Andromeda and barracuda http botnets hosted by Russian Federation Moscow Pallada Web Service Llc)
Resolved dinosaur.no-ip.org to 37.0.123.119
I’ve been watching the barracuda for a while, and when I saw it load the andromeda I decided to post them both.
Andromeda
Server: dinosaur.no-ip.org
Gate file: /andr/image.php
Plugins
Rootkit: dinosaur.no-ip.org/andr/r.pack
Socks: dinosaur.no-ip.org/andr/s.pack
Formgrabber: dinosaur.no-ip.org/andr/f.pack
Gate file: dinosaur.no-ip.org/andr/fg.php
Barracuda http
Server: dinosaur.no-ip.org
Gate file: dinosaur.no-ip.org/drgordon512/bot.php
Here are some...