Resolved dorblu99.net to 88.198.17.49
Server: dorblu99.net
Gate file: /cmd.php
Hosting info: http://whois.domaintools.com/88.198.17.49
Related md5s (Download sample from Malwr.com)
Malware: 1e8cd0f0f1702820c870302520bc0176
cureid.pw (pop3 bruteforcing botnet hosted by firstvds.ru)
Resolved cureid.pw to 62.109.17.111
Server: cureid.pw
Gate file: /cmd.php
The Fort Disco brute-forcing malware has been upgraded and is now brute-forcing POP3 accounts. The URL list to brute-force is now a list of domains paired with their MX servers. A list is mirrored here, you can see more
cureit.pw (WordPress bruting botnet hosted by firstvds.ru)
Resolved cureit.pw to 62.109.17.111
This is the same malware as this previous post. Correct gate request:
GET /cmd.php HTTP/1.0
Host: cureit.pw.
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

HTTP/1.1 200 OK
Date: Wed, 11 Sep 2013 19:17:35 GMT
Server: Apache/2.2.24 (FreeBSD) PHP/5.4.15 mod_ssl/2.2.24 OpenSSL/1.0.1e
X-Powered-By: PHP/5.4.15
Cache-Control: max-age=1
Expires: Wed, 11 Sep 2013 19:17:36
google-analytics.pw (WordPress bruting botnet hosted by intermedia.md)
Resolved google-analytics.pw to 89.45.14.74
Yet another WordPress brute-forcing botnet. This one differs from the previously posted one in that it uses HTTP for its C&C server. It gets a bit tricky, as it tries to hide its gate by sending Host: google-analytics.pw. (with a trailing dot) in the request instead of Host: google-analytics.pw
Here is a correct request