Resolved myinstalls.info to 199.27.134.49, 173.245.60.132

Andromeda
Server: myinstalls.info
Gate file: /neuro/image.php

kbot
Server: myinstalls.info
Gate file: /kb/gate.php

I’m glad to see Khant has recovered from having some malicious individual run rm -rf / as root on his server. However, I’m not sure having bots connect through Cloudflare is such a good idea.
devbug.su (Andromeda http botnet hosted by United Kingdom Pintwire)
Resolved devbug.su to 176.31.208.106
Server: devbug.su
Gate file: /a/index.php

Another cracked andro. No plugins from it yet.

Hosting info: http://whois.domaintools.com/176.31.208.106
coco.3chp.tk (Andromeda http botnet hosted by United States Asheville Hostinger International Limited)
Resolved coco.3chp.tk to 31.170.167.159
Server: coco.3chp.tk
Gate file: /andro/image.php
Plugins: all of the plugins are in /andro/plugins/

This is the first of what I’m sure will be many cracked Andromeda nets, as every skid who can figure out how to install the panel tests it out.

Hosting info: http://whois.domaintools.com/31.170.167.159
134.255.234.22 (irc botnet hosted by Zap-Hosting.com)
Server: 134.255.234.22
Port: 6667
Channel: #HabboParty
Nick format: three different types
DatLykosaSmexy811637
Lykosa10559
LykosaTEST10559
Oper: zeeeeeeek1
[zeeeeeeek1] (chatzilla@Habbo-B9F45668.pools.arcor-ip.net): New Now Know How
[zeeeeeeek1] #HabboParty
[zeeeeeeek1] PiotreksHabboServer.net :PiotreksHabboServer
[zeeeeeeek1] idle 00:29:17, signon: Mon Nov 19 09:37:31
[zeeeeeeek1] End of WHOIS list.
Commands: the only ones I have seen are
<zeeeeeeek1> !isoffline
<DatLykosaSmexy811637> seems like site is back online
mostvideo2012.no-ip.info (AryaN and Barracuda irc botnets hosted by Russian Federation Beringovskiy Mediaserviceplus Ltd.)
Resolved mostvideo2012.no-ip.info to 192.162.102.212
Server: mostvideo2012.no-ip.info
Port: 4562
Server password: leroumain49

Channel    Users  Topic
#plouque   41     [+nt]
#mafia     2      [+nt]
#arisauve  66     [+nt]
#bio       3      [+nt]

AryaN bots
Channel: #arisauve
Channel password: leroumain49
Channel: #bio

Barracuda bots
Channel: #plouque
Channel: #mafia

Command nick is RutE94
RutE94 (~RutE94@User-CD7BBD3D.rev.numericable.fr) has joined #plouque
RutE94 !botkill
[CATALIN-PC]58632 Startup Cleaned,
mirror.servehalflife.com (Barracuda http botnet hosted by Netherlands Haarlem Leaseweb B.v.)
Resolved mirror.servehalflife.com to 95.211.209.178
Server: mirror.servehalflife.com
Gate file: /barra/bot.php

You may remember this no-ip from a previous post. The same shit is still in /files/, the only changes being that Blackshades now connects to own3d-private.no-ip.org on port 55050 and uses the no-ip files.serveblog.net to download the other files.

More links found by Xylitol:
hxxp://mirror.servehalflife.com/torrent/
control.av-update-server.net (Spyeye banking malware hosted by Latvia Riga Dedicated Servers)
Resolved control.av-update-server.net to 46.183.218.174
Server: control.av-update-server.net
Gate file: /~ciscoFirewall/nginx_config/gate.php
Login page: /~ciscoFirewall/
Collector port: 8080

Hosting info: http://whois.domaintools.com/46.183.218.174
j3a.no-ip.biz (Athena irc botnet hosted by Netherlands Maasdijk Worldstream)
Resolved j3a.no-ip.biz to 217.23.12.204
Server: j3a.no-ip.biz
Port: 6667
Channel: #Athena
* Topic for #Athena is: !botkill
* Topic for #Athena set by Cute at Sat Nov 17 19:32:19 2012

Only two bots in the channel, and one other in #3vBot.
* Current Global Users: 4 Max: 98

The owner is apparently a fan:
needlifechange.com (Andromeda http botnet hosted by Netherlands International Widespread Services Limited)
Resolved needlifechange.com to 91.223.82.153
Server: needlifechange.com
Gate file: image.php

Plugins:
Formgrabber: needlifechange.com/formgrabber.pack
Gate file: fg.php
Rootkit: needlifechange.com/rootkit.pack

Hosting info: http://whois.domaintools.com/91.223.82.153
178.18.19.105 (Aryan irc botnet hosted by United States United Fibermax Networks Bv)
Server: 178.18.19.105
Port: 8375
Channel: #Break#
#Break# 102 [+smnt]
Oper:
* [Break] (Break@pimp): Break
* [Break] ~#Break#
* [Break] irc.Break.gov :cia.gov
* [Break] is a Network Administrator
* [Break] is available for help.
* [Break] idle 00:08:52, signon: Fri Nov 16 00:22:20
* Break (Break@gov-E1CAB504.nycmny.fios.verizon.net) has joined #Break#
Nick format: Break{VN-XP-x86}2221143

Hosting info: http://whois.domaintools.com/178.18.19.105
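The entries above give four kinds of indicator a defender can act on: HTTP panel gate files and plugin URLs, IRC server:port endpoints, the bot nick formats seen in the channels (DatLykosaSmexy811637, Break{VN-XP-x86}2221143, [CATALIN-PC]58632), and the Cloudflare-fronted resolution in the first entry, where the resolved addresses are edge nodes rather than the panel host. The script below turns them into one detection pass over proxy and IRC logs. It is an added example, not code from this blog or from any tool it names: the indicator tables are transcribed from the entries on this page; the nick regexes generalise the one or two samples shown per net and are an inference, not a specification; the two Cloudflare prefixes are the ranges those addresses sat in when the post was written (an assumption, check the current published list before relying on them); the log line formats and the log lines themselves are constructed for the example.

```python
"""Match observed traffic against the C2 indicators listed on this page.

Added example, not the blog's own code. Indicator tables are transcribed
from the page; nick regexes are inferred from the samples shown; the
Cloudflare prefixes are an assumption (2012-era published ranges); the
log line formats and sample lines are constructed.
"""
import re
from ipaddress import ip_address, ip_network

# HTTP panel gate files and plugin downloads: (host, path) -> family.
HTTP_GATES = {
    ("myinstalls.info", "/neuro/image.php"): "Andromeda",
    ("myinstalls.info", "/kb/gate.php"): "kbot",
    ("devbug.su", "/a/index.php"): "Andromeda",
    ("coco.3chp.tk", "/andro/image.php"): "Andromeda",
    ("mirror.servehalflife.com", "/barra/bot.php"): "Barracuda",
    ("control.av-update-server.net", "/~ciscoFirewall/nginx_config/gate.php"): "Spyeye",
    ("needlifechange.com", "/image.php"): "Andromeda",
    ("needlifechange.com", "/fg.php"): "Andromeda formgrabber",
    ("needlifechange.com", "/formgrabber.pack"): "Andromeda plugin download",
    ("needlifechange.com", "/rootkit.pack"): "Andromeda plugin download",
}
# Plugin directories matched by prefix.
PLUGIN_DIRS = [("coco.3chp.tk", "/andro/plugins/", "Andromeda plugin download")]

# IRC C2 endpoints: (hostname or resolved IP, port) -> family.
IRC_C2 = {
    ("134.255.234.22", 6667): "irc botnet (#HabboParty)",
    ("mostvideo2012.no-ip.info", 4562): "AryaN/Barracuda",
    ("192.162.102.212", 4562): "AryaN/Barracuda",
    ("j3a.no-ip.biz", 6667): "Athena",
    ("217.23.12.204", 6667): "Athena",
    ("178.18.19.105", 8375): "Aryan",
}

# Bot nick formats seen in the channels, generalised to regexes. Each is
# inferred from one or two samples, so expect to tune them.
NICK_PATTERNS = [
    (re.compile(r"^DatLykosaSmexy\d+$"), "irc botnet (#HabboParty)"),
    (re.compile(r"^Lykosa(?:TEST)?\d+$"), "irc botnet (#HabboParty)"),
    (re.compile(r"^Break\{[A-Z]{2}-[^}]+\}\d+$"), "Aryan (#Break#)"),  # Break{VN-XP-x86}2221143
    (re.compile(r"^\[[A-Z0-9-]+\]\d+$"), "AryaN/Barracuda (#plouque)"),  # [CATALIN-PC]58632
]

# A C2 that resolves into these prefixes is fronted by Cloudflare: the IP is
# an edge node, not the panel host. Assumption: 2012-era published ranges.
CLOUDFLARE_V4 = [ip_network("173.245.48.0/20"), ip_network("199.27.128.0/21")]


def classify_http(host, path):
    """Family name for a known gate/plugin URL, else None."""
    host = host.lower()
    family = HTTP_GATES.get((host, path))
    if family:
        return family
    for dir_host, prefix, dir_family in PLUGIN_DIRS:
        if host == dir_host and path.startswith(prefix):
            return dir_family
    return None


def classify_irc_endpoint(host, port):
    return IRC_C2.get((host.lower(), int(port)))


def classify_nick(nick):
    """Family name when the nick matches a known bot nick format, else None."""
    for pattern, family in NICK_PATTERNS:
        if pattern.match(nick):
            return family
    return None


def behind_cloudflare(ip):
    addr = ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


# Constructed log shapes: proxy "<ts> <client> <method> http://<host><path>"
# and IRC capture "<ts> <client> IRC <server>:<port> <nick> JOIN <channel>".
HTTP_RE = re.compile(r"^(\S+) (\S+) (?:GET|POST) https?://([^/\s]+)(/\S*)")
IRC_RE = re.compile(r"^(\S+) (\S+) IRC (\S+):(\d+) (\S+) JOIN (\S+)")


def scan(lines):
    """Return (client, verdict) for each line that hits an indicator.

    An IRC line is flagged on the endpoint first; if the server is unknown,
    the nick format alone is enough, which catches nets not yet in the table.
    """
    hits = []
    for line in lines:
        m = HTTP_RE.match(line)
        if m:
            _ts, client, host, path = m.groups()
            family = classify_http(host, path)
            if family:
                hits.append((client, f"{family} gate {host}{path}"))
            continue
        m = IRC_RE.match(line)
        if m:
            _ts, client, server, port, nick, channel = m.groups()
            family = classify_irc_endpoint(server, port) or classify_nick(nick)
            if family:
                hits.append((client, f"{family} via {server}:{port} as {nick} in {channel}"))
    return hits


SAMPLE_LOG = [  # constructed for the example, not captured traffic
    "2012-11-19T10:01:02 10.0.0.12 POST http://myinstalls.info/neuro/image.php",
    "2012-11-19T10:01:05 10.0.0.12 GET http://needlifechange.com/formgrabber.pack",
    "2012-11-19T10:02:11 10.0.0.40 IRC 178.18.19.105:8375 Break{VN-XP-x86}2221143 JOIN #Break#",
    "2012-11-19T10:02:30 10.0.0.41 IRC irc.example.net:6667 Lykosa10559 JOIN #test",
    "2012-11-19T10:03:00 10.0.0.50 GET http://example.com/index.php",
]

if __name__ == "__main__":
    for client, verdict in scan(SAMPLE_LOG):
        print(client, verdict)
    for ip in ("199.27.134.49", "173.245.60.132", "176.31.208.106"):
        print(ip, "cloudflare edge" if behind_cloudflare(ip) else "direct")
```

The fourth sample line is the one worth noticing: the IRC server is not in the table, but the Lykosa nick format still flags the host, which is why nick patterns are kept separate from endpoints. The Cloudflare check explains the first entry: both addresses myinstalls.info resolves to fall inside Cloudflare prefixes, so blocking or geolocating them says nothing about where the panel really is.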