Resolved cureit.pw to 62.109.17.111. This is the same malware as this previous post. Correct gate request:

GET /cmd.php HTTP/1.0
Host: cureit.pw.
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

HTTP/1.1 200 OK
Date: Wed, 11 Sep 2013 19:17:35 GMT
Server: Apache/2.2.24 (FreeBSD) PHP/5.4.15 mod_ssl/2.2.24 OpenSSL/1.0.1e
X-Powered-By: PHP/5.4.15
Cache-Control: max-age=1
Expires: Wed, 11 Sep 2013 19:17:36
google-analytics.pw (WordPress bruting botnet hosted by intermedia.md)
Resolved google-analytics.pw to 89.45.14.74. Yet another WordPress brute-forcing botnet. This one is different from the previously posted one as it uses HTTP for its C&C server. It gets a bit tricky, as it tries to hide its gate by sending "Host: google-analytics.pw." (note the trailing dot) in the request instead of "Host: google-analytics.pw". Here is a correct request
74.121.150.39 (WordPress brute forcing botnet hosted by it7.net)
Server: 74.121.150.39
Port: 22503 (note, this is not IRC-based)

This is one of the various botnets attempting to brute-force WordPress blogs. It works pretty fast: during a short run on the malwr.com sandbox it attempted to log in to 981 different blogs, all with domains starting with "exp". Since malwr.com only allows the sample uploader