Resolved painadiction.biz to 91.231.85.228
I found this bot running as an update on a few of the barracuda http nets that I had already posted. I would imagine someone has found a vulnerability in the panel.
Server: painadiction.biz
Gate file: /moneymaker/image.php
There are a few other domains with the same registration email (soyperlman@live.com) on the...
genhagroup.com (Andromeda http botnet hosted by United States Provo Unified Layer)
Resolved genhagroup.com to 74.220.199.26
This looks like it's hosted on a hacked server.
Server: genhagroup.com
Gate file: /andro/image.php
Plugins:
Rootkit: genhagroup.com/andro/r.pack
Socks: genhagroup.com/andro/s.pack
Formgrabber: genhagroup.com/andro/f.pack
Gate file: genhagroup.com/andro/fg.php
Hosting infos: http://whois.domaintools.com/74.220.199.26
dinosaur.no-ip.org (Andromeda and barracuda http botnets hosted by Russian Federation Moscow Pallada Web Service Llc)
Resolved dinosaur.no-ip.org to 37.0.123.119
I've been watching the barracuda for a while, and when I saw it load the andromeda I decided to post them both.
Andromeda
Server: dinosaur.no-ip.org
Gate file: /andr/image.php
Plugins:
Rootkit: dinosaur.no-ip.org/andr/r.pack
Socks: dinosaur.no-ip.org/andr/s.pack
Formgrabber: dinosaur.no-ip.org/andr/f.pack
Gate file: dinosaur.no-ip.org/andr/fg.php
Barracuda http
Server: dinosaur.no-ip.org
Gate file: dinosaur.no-ip.org/drgordon512/bot.php
Here are some...
freshairhosting.nl (Andromeda http botnet hosted by Thailand Bangkok Metrabyte Th)
Resolved freshairhosting.nl to 119.59.99.200
When will these skids finally get tired of andromeda?
Server: freshairhosting.nl
Gate file: image.php
Hosting infos: http://whois.domaintools.com/119.59.99.200
37.221.163.175 (Andromeda http botnet hosted by Romania Voxility S.r.l.)
The laziest skids don't even bother getting a domain at all. Why hello Nicolas Moses. What do you have for us today? It's andromeda again, this time hosted on a windows vps.
Server: 37.221.163.175
Gate file: /andro/image.php
EDIT: Oh hey, bitcoin mining. Glad to see you're still keeping the same old password.
daily500:nigger123456@pool.bitclockers.com:8332
Also a...
uberchat.no-ip.biz (Andromeda http botnet hosted by Romania Voxility S.r.l.)
Resolved uberchat.no-ip.biz to 37.221.160.124
Yet another cracked andromeda. Skids don't even bother to get a real domain for it.
Server: uberchat.no-ip.biz
Gate file: /chat/image.php
Clicking on adf.ly links, someone's clearly trying to make some big bucks.

    public void adfly()
    {
        this.WebBrowser1.Navigate("http://adf.ly/FHZcZ");
    }

Hosting infos: http://whois.domaintools.com/37.221.160.124
46.166.139.177 (Andromeda http botnet hosted by Italy Florence Santrex Internet Services Ltd.)
Server: 46.166.139.177
Gate file: /Panel/image.php
Plugins:
Rootkit: 46.166.139.177/Panel/r.pack
Formgrabber: 46.166.139.177/Panel/f.pack
Gate file: fg.php
Hosting infos: http://whois.domaintools.com/46.166.139.177
z.7z.lt (Andromeda http malware hosted by United States Fremont Hurricane Electric Inc.)
Resolved z.7z.lt to 216.66.72.159
Server: z.7z.lt
Gate file: /ad/image.php
Plugins (currently 404):
Formgrabber: crap.leet.la/ad/f.task
Rootkit: crap.leet.la/ad/r.task
Socks: crap.leet.la/ad/s.task
Hosting infos: http://whois.domaintools.com/216.66.72.159
mal-labs.asia (Andromeda http botnet hosted by United States Denver Fdcservers.net)
Resolved mal-labs.asia to 37.221.170.238
Server: mal-labs.asia
Gate file: image.php
Plugins:
Rootkit: mal-labs.asia/plugins/r.pack
Formgrabber: mal-labs.asia/plugins/f.pack
Gate file: fg.php
This is the file Paradoxun was running on his bots (cachke.exe).
Hosting infos: http://whois.domaintools.com/37.221.170.238
apocsvr.info (Andromeda http malware hosted by vHostLayer.com)
Server: apocsvr.info
Gate file: /andro/image.php
This is just the standard cracked andro, but I noticed something interesting about it. The domain is whoisguard protected, which is often used by skids who don't want to spend 30 seconds making up fake info for the whois. However I noticed something in the assembly info of the...