Resolved dreiansc.ws to 31.131.28.121
Server: dreiansc.ws
Gate file: /adm/gate.php
Config file: /config/index.php
The owner forgot to remove the panel installation file: hxxp://dreiansc.ws/adm/install/index.php
Hosting info: http://whois.domaintools.com/31.131.28.121
Related md5s (search on malwr.com to download the samples):
Ice9: edb77957d11c9add8d8bcc615ba3d392
runawaswarm.ru (Ice 9 banking malware hosted by hc.ru)
Resolved runawaswarm.ru to 79.174.65.19
Server: runawaswarm.ru
Config file: /xml/config.php
Gate file: /xml/redir.php
Hosting info: http://whois.domaintools.com/79.174.65.19
Related md5s (search on malwr.com to download the samples): a9ca2d05060008f988ed72db5eebe67f
florasister.com (Ice 9 banking malware hosted by neoweb.ru)
Resolved florasister.com to 81.176.232.201
Server: florasister.com
Gate file: gigling.php (backup: hxxp://forandroid.tk/yandex.php, suspended)
Sites the sample checks for configs (none of the config droppers appear to be live):
hxxp://www.jcurve.com/templates/beez/params.php
hxxp://www.ivemon.es/templates/beez/params.php
hxxp://www.justicecameroun.com/templates/beez/params.php
hxxp://www.jackwalshcarpets.com/Joomla/templates/beez/params.php
hxxp://www.kocaelidho.org.tr/templates/beez/params.php
hxxp://www.moraditrade.com/en/templates/beez/params.php
hxxp://www.mm-nn.com/main/templates/beez/params.php
hxxp://www.jakmurowane.pl/templates/beez/params.php
The sample also attempted to connect to bigdealworked.com on port 9702.
Hosting info: http://whois.domaintools.com/81.176.232.201
bootcamp4wealth.com (Ice 9 banking malware hosted by wiredtree.com)
Resolved bootcamp4wealth.com to 173.199.181.60
Server: bootcamp4wealth.com
Gate file: bootcamp4wealth.com/wp-directory/images/config/adm/gate.php
Config file: bootcamp4wealth.com/wp-directory/images/config/config/index.php
Login page: bootcamp4wealth.com/wp-directory/images/config/adm/index.php?m=login
Anyone infected with this is safe for now: the bot and the config dropper have to be built with the same key for the bot to use the config, and the owner hasn't figured that out yet.
Hosting info: http://whois.domaintools.com/173.199.181.60
rat-forums.net (Ice 9 banking malware proxied by cloudflare)
Resolved rat-forums.net to 108.162.194.61, 108.162.194.161
Server: rat-forums.net
Gate file: /web/adm/gate.php
Config file: /web/config/index.php
This is the first time I've seen the Ice 9 Zeus mod in the wild. I guess all the skiddies are trying it out now that it's cracked. Hopefully Cloudflare will put a stop to their experimenting.
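The entries above are indicators, not detections. The following script, an added example that is not part of the original post, turns them into a matcher that runs over HTTP proxy log lines and labels each hit by what it is (gate, config, panel, Joomla config-drop site, or the port 9702 beacon). The log format is a constructed, simplified one, not any real proxy's format; the leading slash on florasister.com's gigling.php is an assumption; and the two 108.162.194.x addresses are left out of the IP list on purpose, because they are Cloudflare edge IPs shared with many unrelated sites.

```python
"""Match proxy log lines against the Ice IX (Ice 9) C&C indicators listed above.
Added example, not the post's own code. Log format below is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators copied from the entries above: host -> {path: role}.
# florasister.com lists only "gigling.php"; the leading "/" is an assumption.
CNC_PATHS = {
    "dreiansc.ws": {"/adm/gate.php": "gate", "/config/index.php": "config",
                    "/adm/install/index.php": "panel-installer"},
    "runawaswarm.ru": {"/xml/redir.php": "gate", "/xml/config.php": "config"},
    "florasister.com": {"/gigling.php": "gate"},
    "forandroid.tk": {"/yandex.php": "gate-backup"},
    "bootcamp4wealth.com": {
        "/wp-directory/images/config/adm/gate.php": "gate",
        "/wp-directory/images/config/config/index.php": "config",
        "/wp-directory/images/config/adm/index.php": "panel-login"},
    "rat-forums.net": {"/web/adm/gate.php": "gate", "/web/config/index.php": "config"},
}
# Direct-to-IP hits. rat-forums.net's 108.162.194.x addresses are Cloudflare
# edge IPs shared with many sites, so they are deliberately not listed here.
CNC_IPS = {"31.131.28.121", "79.174.65.19", "81.176.232.201", "173.199.181.60"}
# Compromised Joomla sites the florasister.com sample polls for configs.
JOOMLA_DROP_HOSTS = {"www.jcurve.com", "www.ivemon.es", "www.justicecameroun.com",
                     "www.jackwalshcarpets.com", "www.kocaelidho.org.tr",
                     "www.moraditrade.com", "www.mm-nn.com", "www.jakmurowane.pl"}
JOOMLA_DROP_RE = re.compile(r"/templates/beez/params\.php$")
# Non-HTTP beacon from the florasister.com sample; appears as CONNECT in a proxy log.
TCP_BEACONS = {("bigdealworked.com", 9702)}

# Constructed, simplified log format: "<ts> <client_ip> <method> <target> <status>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


@dataclass(frozen=True)
class Hit:
    client: str
    host: str
    role: str
    target: str


def classify(method: str, target: str) -> Optional[Tuple[str, str]]:
    """Return (host, role) if the request matches an indicator, else None."""
    if method.upper() == "CONNECT":
        host, _, port = target.rpartition(":")
        if not host:                       # bare "host" with no port given
            host, port = port, "443"
        if (host.lower(), int(port)) in TCP_BEACONS:
            return host.lower(), "tcp-beacon"
        return (host.lower(), "cnc-host") if host.lower() in CNC_PATHS or host in CNC_IPS else None
    u = urlsplit(target)
    host, path = (u.hostname or "").lower(), u.path or "/"
    role = CNC_PATHS.get(host, {}).get(path)
    if role:
        return host, role
    if host in CNC_PATHS or host in CNC_IPS:
        return host, "cnc-host"            # known C&C, path not in the list
    if JOOMLA_DROP_RE.search(path):
        # A listed host is a confirmed drop site; any other host is only a
        # suspect, since the path alone is too generic to alert on hard.
        return host, ("joomla-config-drop" if host in JOOMLA_DROP_HOSTS
                      else "joomla-config-drop-suspect")
    return None


def scan(lines) -> List[Hit]:
    """Parse each log line and collect the indicator hits in order."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # unparseable line, skip it
        _, client, method, target, _ = m.groups()
        res = classify(method, target)
        if res:
            hits.append(Hit(client, res[0], res[1], target))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "1330000001 10.0.0.5 POST http://dreiansc.ws/adm/gate.php 200",
    "1330000002 10.0.0.5 GET http://dreiansc.ws/config/index.php 200",
    "1330000003 10.0.0.9 GET http://www.jcurve.com/templates/beez/params.php 404",
    "1330000004 10.0.0.9 CONNECT bigdealworked.com:9702 200",
    "1330000005 10.0.0.7 GET http://rat-forums.net/web/adm/gate.php 200",
    "1330000006 10.0.0.7 GET http://example.com/index.html 200",
    "1330000007 10.0.0.3 GET http://173.199.181.60/some/other.php 200",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.client} -> {h.host} [{h.role}] {h.target}")
```

Two design points worth keeping when adapting this: match on host plus path rather than on IP where the C&C sits behind a shared proxy or CDN, and treat the generic `templates/beez/params.php` path as a low-confidence signal on unlisted hosts rather than a hard alert, since the listed hosts are ordinary compromised Joomla sites and the same path could be requested for benign reasons.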