Tries to steal FTP credentials details “WAREsmartftpclient 2.0settingsbackup” (Indicator: “smartftp”)
Sample here.
Server: 188.138.40.39:18892
Hosting infos: http://whois.domaintools.com/188.138.40.39
919computech.com (Andromeda http botnet and stealer hosted by main-hosting.com)
Resolved 919computech.com to 31.170.162.85
Andromeda
Server: 919computech.com
Gate file: /Panel/image.php
Stealer
Server: 919computech.com
Gate file: /stealer/index.php
There is also a VertexNet panel at /web/, but I don’t think anyone uses that crap anymore.
Hosting infos: http://whois.domaintools.com/31.170.162.85
76.191.97.100 (Multiple http botnets hosted by sentris.com)
Andromeda
Server: 76.191.97.100
Gate file: /andro/image.php
Plugins
Rootkit: http://76.191.97.100/andro/r.pack
Socks: http://76.191.97.100/andro/s.pack
Formgrabber: http://76.191.97.100/andro/f.pack
Gate file: /andro/fg.php
Smoke Loader
Server: 76.191.97.100
Gate file: /smoke/index.php
Pony
Server: 76.191.97.100
Gate file: /p/gate.php
POE stealer
Server: 76.191.97.100
Gate file: /poe/index.php
Login details are admin:admin
Hosting infos: http://whois.domaintools.com/76.191.97.100
EDIT: I see he’s trying bitcoin mining.
Mining infos:
painadiction.biz (Andromeda http botnet hosted by Ukraine Ukrainian Internet Names Center Ltd)
Resolved painadiction.biz to 91.231.85.228
I found this bot running as an update on a few of the Barracuda http nets that I had already posted. I would imagine someone has found a vulnerability in the panel.
Server: painadiction.biz
Gate file: /moneymaker/image.php
There are a few other domains with the same registration email (soyperlman@live.com) on the