Resolved axhost.info to 46.183.217.148
Server: axhost.info
Gate file: /m/admin.php?1=HAX&v=0&q=0&b=
Config file: /m/config.php
Hosting infos: http://whois.domaintools.com/46.183.217.148
www.yahgodz.com (Andromeda http botnet hosted by dataclub.biz)
Resolved www.yahgodz.com to 46.183.217.148
Server: www.yahgodz.com
Gate file: /http/image.php
Additional domains:
bighecks.net/http/image.php (Missing gate file, hosted at worldstream.nl 217.23.4.155)
sonic4us.ru/http/image.php (Pointed at 127.0.0.1)
imageshells.com/admin/image.php (Missing gate file, hosted at worldstream.nl 217.23.4.107)
All of these are mystical’s domains, used for various nefarious purposes in the past. A quick Google shows that he’s been loading onto this...
assler.hfgfr56745fg.com (Betabot http botnet hosted by ecatel.net)
Resolved assler.hfgfr56745fg.com to 80.82.66.205
Server: assler.hfgfr56745fg.com
Gate file: /cakes/sale.php
The bot has been updated, so it no longer crashes Skype. However, it still seems to have some issues with it.
Sample
Hosting infos: http://whois.domaintools.com/80.82.66.205
hfgfr56745fg.com (Betabot http botnet hosted by ecatel.net)
Resolved hfgfr56745fg.com to 80.82.66.204
Server: hfgfr56745fg.com
Gate file: /rem/order.php
Brian Krebs on the login page
It still crashes Skype.
Sample here
A previous version of the bot was posted here.
Hosting infos: http://whois.domaintools.com/80.82.66.204
filestorage.ws (37.221.170.221) (Athena irc botnet hosted by voxility.net)
Resolved filestorage.ws to 157.101.50.101 => Athena l33t ip decryption => 37.221.170.221
Athena now comes with a tool to crypt the server IP so that the address the domain points to is not the correct one. A disgruntled customer has already released the crypting program, so anyone who doesn’t have access to a binary can try...
androhosting.info (Athena irc botnet hosted by voxility.net)
Resolved androhosting.info to 37.221.170.211
Mystical is right back into the IRC game, with a different server and domain. This is on the same IP as _Stoner’s Athena test server, which was previously posted. Google indicates that the domain once hosted a Blackhole exploit kit panel.
Server: androhosting.info
Port: 44
Current global users 119, max 910...
webhostingprotection.info (Betabot http botnet hosted by Santrex.net)
Resolved webhostingprotection.info to 46.166.163.131
Server: webhostingprotection.info
Gate file: /icool/order.php
This was from the closed beta of the Betabot http bot. The server files have been taken down now, so not much point visiting the site. There wasn’t much to see except evidence of the coder’s man crush on the steely gaze of Brian Krebs. For...
xtremehosting.info, sexwithme.info (Athena irc botnet hosted by voxility.net)
Resolved xtremehosting.info, sexwithme.info to 37.221.170.221
Server: xtremehosting.info
Port: 6667
Channel: #boss
Channel password: mystical
Topic for #boss is: !stop
Topic for #boss set by samiam at Fri Jan 25 10:31:21 2013
Nick format: [U|WIN7|x64|L]txzrks
Server: sexwithme.info
Port: 6667
Channel: #210
Nick format: _[USA|U|L|WIN7|x32|4c]rflbxwws
Current Local Users: 823 Max: 1585
#boss 243 [+sntVCTk] !stop
#210 402 ...
sharesend.info (smoke loader http botnet hosted by voxility.net)
Resolved sharesend.info to 37.221.170.8
Server: sharesend.info
Gate file: /admin/index.php
A pity the guest.php credentials have been changed from the default, or fun could have been had.
Download the panel from here if you want it: hxxp://sharesend.info/admin/admin.zip
Hosting infos: http://whois.domaintools.com/37.221.170.8
amazinghost.lt, yahgodz.com (Smoke and Andromeda loaders hosted by Netherlands Maasdijk Worldstream)
I happened to notice some people talking about one of mystical’s old domains, indicating that it had been sold. I decided to check out the domains I had listed in the blog post to see what was on them. I found something new on 307dice.com.
Smoke loader
Server: 307dice.com
Gate file: /cp/index.php
Check out 307dice.com/cp/guest.php...