Andromeda
Server: 76.191.97.100
Gate file: /andro/image.php
Plugins
Rootkit: http://76.191.97.100/andro/r.pack
Socks: http://76.191.97.100/andro/s.pack
Formgrabber: http://76.191.97.100/andro/f.pack
Gate file: /andro/fg.php

Smoke loader
Server: 76.191.97.100
Gate file: /smoke/index.php

Pony
Server: 76.191.97.100
Gate file: /p/gate.php

POE stealer
Server: 76.191.97.100
Gate file: /poe/index.php

Login details are admin:admin
Hosting infos: http://whois.domaintools.com/76.191.97.100
EDIT: I see he's trying bitcoin mining
Mining infos:
adzu324nbasmdaoias.su (Smokeloader http botnet hosted by istanbuldc.com)
Resolved adzu324nbasmdaoias.su to 185.4.227.98
Server: adzu324nbasmdaoias.su
Gate file: /wp/index.php
Guest login: adzu324nbasmdaoias.su/wp/guest.php guest:guest
Hosting infos: http://whois.domaintools.com/185.4.227.98
beerpigfarm.ru (Installs crap hosted by Santex.net)
Resolved beerpigfarm.ru to 46.166.130.216
I found a file on h4r3's latest andromeda that downloaded a bunch of crap from this site.
hxxp://beerpigfarm.ru/smo is a Smoke loader, posted here.
hxxp://beerpigfarm.ru/min is a bitcoin miner, uses 50btc.
Mining info: http://169TpR47JVcLaQXdGYE6Lv4Ps9DbVqHhSi:x@pool.50btc.com:8332
Since he's using no account mode we can snoop on his mining by plugging in his address on the
blazehost.net (Andromeda and Smoke http botnets hosted by Seychelles Victoria Business Dialogue Ltd)
Resolved blazehost.net to 91.217.178.32

Andromeda
Server: Blazehost.net
Gate file: /andro/image.php
Plugins
Rootkit: blazehost.net/andro/r.pack
Socks: blazehost.net/andro/s.pack
Formgrabber: blazehost.net/andro/f.pack
Gate file: /andro/fg.php

Smoke
Server: Blazehost.net
Gate file: /index.php

Hosting infos: http://whois.domaintools.com/91.217.178.32
diablothreecracked.in (Smokeloader hosted by Luxembourg Luxembourg Root Sa)
Resolved diablothreecracked.in to 94.242.199.145
Zain got himself a new smokeloader.
Server: diablothreecracked.in
Gate file: /index.php
He left the zip containing the panel and original exe up on the host: hxxp://diablothreecracked.in/smoke.zip
Here it is if he notices and takes it down.
hxxp://diablothreecracked.in/install.php is still up as well.
Hosting infos: http://whois.domaintools.com/94.242.199.145
vvv.exp1oit.in (Andromeda http hosted by France Roubaix Ovh Sas)
Resolved vvv.exp1oit.in to 178.33.241.61
This is the new andromeda of the French guy. It is the full version with all of the plugins.
Server: vvv.exp1oit.in
Gate file: /google/image.php
Plugins:
Formgrabber: beautyoftheworld.ca/xs/f.pack
Gate file: /google/fg.php
Socks: beautyoftheworld.ca/xs/s.pack
Rootkit: beautyoftheworld.ca/xs/r.pack
Downloads files from hxxp://jamboproducciones.com/xs/ and hxxp://ez-cs.net/dk/
He also has a new smoke loader up
Server: smk.cheatgame.org
Gate
amazinghost.lt, yahgodz.com (Smoke and Andromeda loaders hosted by Netherlands Maasdijk Worldstream)
I happened to notice some people talking about one of Mystical's old domains, indicating that it had been sold. I decided to check out the domains I had listed in the blog post to see what was on them. I found something new on 307dice.com.
Smoke loader
Server: 307dice.com
Gate file: /cp/index.php
Check out 307dice.com/cp/guest.php
planetstat2324.su (smoke loader http bot hosted by Poland Artnet Spolka Z Ograniczona Odpowiedzialnoscia)
This is the http loader for the gold installs ppi program.
Resolved planetstat2324.su to 178.255.43.67
Server: planetstat2324.su
Gate file: /gamenew/index.php
Downloads files from ap2producoes.com/images/
minsabdedf.exe: bitcoin miner, pool info: http://hernyoooo@ymail.com:Bazdmeg1@pool.50btc.com:8332
ginamdasm.exe: the file botnet owners are given; it installs smoke from hxxp://oroihfdbbnennm.in/update/0pdat3.exe
Install statistics are then recorded by oroihfdbbnennm.in/activation.php using the format activation.php?productid=(userid)&serial=(long string)
Hosting infos:
Mystical Megapost (Botnets of all types) (Hosted by Ukraine Ukrainian Internet Names Center Ltd and Netherlands Maasdijk Worldstream)
As Mystical has now recently been banned from hackforums, I thought I would make an informative megapost of botnets he has used or is currently using.
Domains: Bighecker.co, 1212Mystic0801.info, Sonic4us.com, Sonic4me.com, img196-imageshack.us, rs-booter.com, modtech360.info, 307dice.com, powerbot24.com, img90-imageshack.com, imageshells.com, bighecks.net
Emails used for registration: hlolgame@aim.com, mikeydoc@hotmail.com (plug this into facebook to see his profile), highroller098765@hotmail.com, mikeshosting@yahoo.com, bram.fadzulani@mail.com