Resolved www.yahgodz.com to 46.183.217.148
Server: www.yahgodz.com
Gate file: /http/image.php
Additional domains:
bighecks.net/http/image.php (missing gate file, hosted at worldstream.nl 217.23.4.155)
sonic4us.ru/http/image.php (pointed at 127.0.0.1)
imageshells.com/admin/image.php (missing gate file, hosted at worldstream.nl 217.23.4.107)
All of these are mystical's domains, used for various nefarious purposes in the past. A quick google shows that he's been loading onto this
privategallerie.info (Andromeda http botnet hosted by vmbox.co)
Resolved privategallerie.info to 198.20.67.66
Server: privategallerie.info
Gate file: /admin/hippo/image.php
Bitcoin mining info: http://pr3m1era_quio:mota@eu.triplemining.com:8344
A previously posted Andromeda botnet had a similar folder path to the gate file.
Hosting info: http://whois.domaintools.com/198.20.67.66
oppnetspeed.co.ua (Andromeda http botnet hosted by Panamaserver.com)
C&C discovered by Malekal Morte.
Resolved oppnetspeed.co.ua to 181.191.255.181
Server: oppnetspeed.co.ua
Gate file: /forum/images/image.php
Plugins:
Rootkit: /forum/r.pack
All the info you would ever need to know about his server can be found on these handy pages.
Hosting info: http://whois.domaintools.com/181.191.255.181
demoralize.biz (Andromeda hosted in Germany, Frankfurt am Main, Voxility S.r.l.)
Resolved demoralize.biz to 37.221.170.194
Panel: hxxp://37.221.170.194/panel/image.php
Module: hxxp://37.221.170.194/panel/r.pack
DirtJumper: demoralize.biz/dj/index.php
Other files: hxxp://demoralize.biz/f/
Hosting info: http://whois.domaintools.com/37.221.170.194
188.40.15.22 (Andromeda http botnet hosted by Up2vps.com)
This was loaded from snk's latest IRC net. The bot is pretty strange, as it tries to connect to five unregistered domains before connecting to the IP. Here they are:
amnsreiuojy.ru
amnsreiuojy.in
amnsreiuojy.biz
amnsreiuojy.com
amnsreiuojy.nl
Server: 188.40.15.22
Gate file: /sg.php
Plugin: http://188.40.15.22/uploads/is.s
It appears to be some sort of Facebook spreader.
Hosting info: http://whois.domaintools.com/188.40.15.22
zeonyx.info (Andromeda http botnet hosted by voxility.net)
Resolved zeonyx.info to 37.221.170.240
Server: zeonyx.info
Gate file: /Balls/Panel/Panel/image.php
Some bitcoin mining info:
http://Slinky:abc123@pool.bitclockers.com:8332
http://Zeroexe7_Zero8:nigger1@eu.triplemining.com:8344
http://Zeroexe7_Indian:nigger1@us2.eclipsemc.com:8337
Hosting info: http://whois.domaintools.com/37.221.170.240
index.myftp.org (Andromeda http botnet hosted by hostkey.com)
Note: Be careful if you visit this site, the index page redirects to a shitty Java exploit. http://urlquery.net/report.php?id=814566
Resolved index.myftp.org to 141.105.67.83
Server: index.myftp.org
Gate file: /andy/image.php
Hosting info: http://whois.domaintools.com/141.105.67.83
www.ultra-sales.com (Andromeda http botnet hosted by Vps6.net)
Resolved www.ultra-sales.com to 198.23.252.71
Server: www.ultra-sales.com
Gate file: /an/image.php
Updates and other malware hosted here: hxxp://www.ultra-sales.com/hosted/
Hosting info: http://whois.domaintools.com/198.23.252.71
mywebst0rage.info (Andromeda http botnet hosted by vhostlayer.com)
Resolved mywebst0rage.info to 37.221.163.131
Server: mywebst0rage.info
Gate file: /admin/hippo/image.php
Hosting info: http://whois.domaintools.com/37.221.163.131
voscomptesenligne.eu (Andromeda http botnet hosted by iws.co)
Resolved voscomptesenligne.eu to 91.223.82.179
Server: voscomptesenligne.eu
Gate file: /joomla/image.php
Plugins:
Rootkit: http://voscomptesenligne.eu/joomla/r.pack
Formgrabber: http://voscomptesenligne.eu/joomla/f.pack (gate file: /joomla/fg.php)
Hosting info: http://whois.domaintools.com/91.223.82.179