Resolved sentryme.com to 94.102.51.123
Server: Sentryme.com
Gate file: /order.php
Alternate domain: stayattentive.com
Bitcoin mining info:
-a sha256 -o stratum+tcp://162.243.6.88:3333 -u Ghettoweed.R -p x -g no -t 4
-a sha256 -o stratum+tcp://162.243.6.88:3333 -u Ghettoweed.R -p x -t 0 -I 10
The username string in the binary is the sky daddy_v1$, which corresponds to this Hackforums account.
Betabot botnets linked to hackforums users
So if you have been following my posts on this blog, you may have noticed a large number of posts about the “betabot” malware. Betabot is a http bot which is sold on hackforums.net. Despite a number of complaints about serious stability issues, it has become popular with some of the more dedicated script kiddy
lpa4u.in (Betabot http botnet hosted by worldstream.nl)
Resolved lpa4u.in to 217.23.4.120
Server: lpa4u.in
Gate file: /radioserver/order.php
Downloaded by this andromeda. The domain was only registered yesterday.
Hosting infos: http://whois.domaintools.com/217.23.4.120
Related md5s (search on malwr.com to download samples)
Betabot: 4046fd4e5ddfc40548c2316d6cd289f4
boofer-villa.com (Betabot http botnet hosted by hetzner.de)
Resolved boofer-villa.com to 88.198.59.89
Server: boofer-villa.com
Gate file: /secret/order.php
Another betabot from our friend in the comments.
Hosting infos: http://whois.domaintools.com/88.198.59.89
seattleschools.co (Betabot http botnet hosted by myhosting.com)
Resolved seattleschools.co to 168.144.32.16
Server: seattleschools.co
Gate file: /beta/order.php
Another betabot from this commenter. There is an umbra loader panel at hxxp://seattleschools.co/panel/Panel/
No sample again.
Hosting infos: http://whois.domaintools.com/168.144.32.16
h4xinc.com (Betabot http botnet hosted by blueangelhost.com)
Resolved h4xinc.com to 91.218.244.221
Server: h4xinc.com
Gate file: /matrix/order.php
Thanks to this commenter for the report. No sample for this one; if anyone sees something connecting to it, post a comment.
Hosting infos: http://whois.domaintools.com/91.218.244.221
winblowservice.hopto.org (Betabot http botnet hosted by nyi.net)
Resolved winblowservice.hopto.org to 207.12.89.154
Server: winblowservice.hopto.org
Gate file: /service/order.php
Alternate domains: imafaggot.pw imtheop.redirectme.net
Thanks to this commenter for the report.
Hosting infos: http://whois.domaintools.com/207.12.89.154
Related md5s (search on malwr.com to download samples)
Betabot: c994461c69b02a63d0f1bbcd2a56ba54
liveinsurance.org (Betabot http botnet hosted by worldstream.nl)
Resolved liveinsurance.org to 109.236.84.150
Server: liveinsurance.org
Gate file: /loverboy/order.php
freegamebox.us, a domain from a previous betabot, is hosted on the same IP, so both are probably owned by the same person.
Hosting infos: http://whois.domaintools.com/109.236.84.150
Related md5s (search on malwr.com to download samples)
Betabot: 655b1833bfe7dc80391287ae6d568318
bicycletrainers.info (betabot http botnet proxied by cloudflare to 100tb.com)
Server: bicycletrainers.info
Gate file: /wheellock/order.php
Alternate domains: dirtybagmcgee.com womenhealthbody.pw
It’s been a while since I’ve seen someone trying to use cloudflare with malware. Let’s see how long it takes them to block it this time.
Related md5s (search on malwr.com to download samples)
Betabot: ddb28ce54c501be046400ddaa474f257
EDIT: It’s been blocked, and I got the hosting info:
navega.pw (Betabot http botnet hosted by OVH.net)
Resolved navega.pw to 198.245.51.109
Server: navega.pw
Gate file: /b7891/b986/bnav123/mar/360/vid5852/order.php
This is on the same IP as the previously posted Athena irc botnet, and is one of three betabot botnets hosted on the server, with smalltoys and strike-file-hosting being the other two.
Hosting infos: http://whois.domaintools.com/198.245.51.109
Related md5s (search on malwr.com to download the samples)
betabot: a422f5aabc160f5a8dbde033ea9e6d0b