Resolved dinosaur.no-ip.org to 37.0.123.119

I’ve been watching the Barracuda for a while, and when I saw it load the Andromeda I decided to post them both.

Andromeda
Server: dinosaur.no-ip.org
Gate file: /andr/image.php
Plugins:
Rootkit: dinosaur.no-ip.org/andr/r.pack
Socks: dinosaur.no-ip.org/andr/s.pack
Formgrabber: dinosaur.no-ip.org/andr/f.pack
Gate file: dinosaur.no-ip.org/andr/fg.php

Barracuda http
Server: dinosaur.no-ip.org
Gate file: dinosaur.no-ip.org/drgordon512/bot.php

Here are some…
37.221.163.175 (Andromeda http botnet hosted by Romania Voxility S.r.l.)
The laziest skids don’t even bother getting a domain at all. Why hello Nicolas Moses. What do you have for us today? It’s andromeda again, this time hosted on a windows vps. Server: 37.221.163.175 Gate file: /andro/image.php EDIT: Oh hey, bitcoin mining. Glad to see you’re still keeping the same old password. daily500:nigger123456@pool.bitclockers.com:8332 Also aRead more...
Multiple barracuda http bots hosted by Russian Federation Moscow Pallada Web Service Llc
This is the new IP of Tropical Paradise’s shared hosting for his shitty .NET http bot.

Domain: anet.h4ck.me
Gate file: /endless14/bot.php

Domain: deamonscentral.no-ip.info
Gate file: /phpadmin141/bot.php

Domain: fofogogo23http.no-ip.biz
Gate file: /liquified61/bot.php

Domain: barracudasecurity.tk
Gate file: bot.php

It looks like he’s finally figured out that leaving the panel in the root directory is a bad…
mirror.servehalflife.com (Barracuda http botnet hosted by Netherlands Haarlem Leaseweb B.v.)
Resolved mirror.servehalflife.com to 95.211.209.178

Server: mirror.servehalflife.com
Gate file: /barra/bot.php

You may remember this no-ip from a previous post. The same shit is still in /files/, the only changes being that Blackshades now connects to own3d-private.no-ip.org on port 55050, and it uses the no-ip host files.serveblog.net to download the other files.

More links found by Xylitol:
hxxp://mirror.servehalflife.com/torrent/ …
Multiple Barracuda http nets (hosted by Russian Federation Moscow Pallada Web Service Llc)
URLs are:
r00kiehttp.no-ip.info
rabbit801.no-ip.org
drhawks.no-ip.org
pooostealer.no-ip.org

To see what command is currently being sent, just add this to the end of the domain:
/bot.php?ip=0.0.0.0&os=Microsoft%20Windows%20xp&name=FBI-PC&id=Federal-Agent-1.3.3.7
The command will show up in plain text on the page.

Hosting info: http://whois.domaintools.com/37.0.123.113

One other on different hosting: watchshopper.no-ip.org/backup/
Hosting info: http://whois.domaintools.com/91.217.178.192
cdn.barracudasec.com (Barracuda http bot hosted by Seychelles Victoria Business Dialogue Ltd)
Resolved cdn.barracudasec.com to 91.217.178.192

Server: cdn.barracudasec.com
Gate file: /bot.php
http://cdn.barracudasec.com/images/logo.png

Bot GET requests look like this:
/bot.php?ip=0.0.0.0&os=Microsoft Windows xp&name=FBI-PC&id=Federal agent-barracuda version

Bots will get their IP from checkip.dyndns.com or api.wipmania.com.
Hint: $ip = $REMOTE_ADDR

Hosting info: http://whois.domaintools.com/91.217.178.192

Another panel is located at xn--y0h.co.cc. This one is on a different host.
http://xn--y0h.co.cc/images/logo.png
Hosting info: http://whois.domaintools.com/37.0.124.66
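The Barracuda check-in format quoted in the two posts above (a GET to the `bot.php` gate with `ip`, `os`, `name` and `id` parameters) is easy to match in proxy or egress logs, and the same query string is what the earlier post suggests appending to a panel's domain to read the current command. The following is an added example written for this page, not code from the blog or from the bot: it parses Common Log Format lines (the sample lines, hostnames and client IPs below are constructed), flags requests to a `bot.php` path that carry all four parameters, and builds the probe URL. Detection keys on the parameter structure, not on values like `FBI-PC`, because every one of those values is chosen by the bot and trivially changed per build.

```python
"""Spot Barracuda http-bot check-ins in web logs and build the command-probe URL.

Added example for this page; not the bot's code and not the blog author's.
Per the posts, a bot reports in with a GET like:
    /bot.php?ip=<external ip>&os=<os string>&name=<hostname>&id=<bot id>
The ip value comes from checkip.dyndns.com / api.wipmania.com, so it is
bot-controlled and should not be trusted over the TCP source address.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Every parameter the bot sends on check-in (from the posts above).
REQUIRED_PARAMS = {"ip", "os", "name", "id"}

# Common Log Format lines, constructed for this example. Line 5 carries the
# unencoded spaces seen in the post's quoted request; line 4 is a partial hit
# that must not match.
SAMPLE_LOG = """\
10.1.2.3 - - [12/Apr/2013:10:01:02 +0000] "GET /bot.php?ip=0.0.0.0&os=Microsoft%20Windows%20xp&name=FBI-PC&id=Federal-Agent-1.3.3.7 HTTP/1.1" 200 17 "-" "Mozilla/4.0"
10.1.2.4 - - [12/Apr/2013:10:01:05 +0000] "GET /images/logo.png HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
10.1.2.5 - - [12/Apr/2013:10:01:09 +0000] "GET /liquified61/bot.php?ip=203.0.113.7&os=Microsoft%20Windows%207&name=DESKTOP-1&id=victim-1.0 HTTP/1.1" 200 9 "-" "-"
10.1.2.6 - - [12/Apr/2013:10:01:11 +0000] "GET /bot.php?ip=0.0.0.0 HTTP/1.1" 404 0 "-" "-"
10.1.2.7 - - [12/Apr/2013:10:01:15 +0000] "GET /bot.php?ip=0.0.0.0&os=Microsoft Windows xp&name=FBI-PC&id=Federal agent-barracuda 1.0 HTTP/1.1" 200 12 "-" "-"
"""

# Lazy target match so a request line with raw spaces still parses.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.+?) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_checkin(target):
    """Return the decoded check-in fields if `target` looks like a Barracuda
    gate hit, otherwise None. Only the structure is checked: any path ending in
    /bot.php that carries all four parameters."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/bot.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if not REQUIRED_PARAMS.issubset(qs):
        return None
    return {k: qs[k][0] for k in REQUIRED_PARAMS}


def find_checkins(log_text):
    """Scan CLF log text and return one dict per suspected check-in, with the
    real source address (src) alongside the bot-reported ip."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        fields = parse_checkin(m.group("target"))
        if fields is None:
            continue
        hits.append({"src": m.group("src"),
                     "gate": urlsplit(m.group("target")).path,
                     **fields})
    return hits


def probe_url(domain, gate="/bot.php"):
    """Build the URL the earlier post suggests for reading the panel's current
    command in plain text. `gate` is a hypothetical parameter added so panels
    kept in a subdirectory (e.g. /liquified61/bot.php) can be probed too."""
    query = "ip=0.0.0.0&os=Microsoft%20Windows%20xp&name=FBI-PC&id=Federal-Agent-1.3.3.7"
    return "http://%s%s?%s" % (domain, gate, query)


if __name__ == "__main__":
    for hit in find_checkins(SAMPLE_LOG):
        print("%(src)s -> %(gate)s  reported ip=%(ip)s os=%(os)r name=%(name)r id=%(id)r" % hit)
    print(probe_url("r00kiehttp.no-ip.info"))
```

The `src` field is the address worth acting on; the `ip` parameter is whatever the bot fetched from checkip.dyndns.com, which is also why the post's hint that the panel could just use `$REMOTE_ADDR` applies equally to anyone parsing these logs.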