To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Hi again!
Hope you are doing well ;) Today I would like to point your attention to a spam-net, which I believe has been run by some Russian "kaker". First of all, below is a list of his bots (I'm sure it's not all!):

All these have their "brother" at the same host, and in most cases it will be in "/topimgbak/img1.php". These bots receive their commands via a POST request like this:

*********************.00080: POST /imgbak/imgbak.php HTTP/1.0
Host: victim.com
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 229

serverURI=http%3A%2F%2F74.54.99.194%2Fsp1%2Fb_control.php&query=newTask&chunkId=dcc765de87a808ca4570f0bb7a7c4c94&taskId=13840&dbPath=http%3A%2F%2F74.54.99.194%2Fsp1%2Ftask_db%2F13840%2F559.txt&bId=b8f78c49c9440da5c36cfb5c37c32d66

Currently this IP (74.54.99.194) is down, and you can't see that unpassworded C&C. Anyway, all writings there were in Russian ;) The source of these bots is base64 encoded, but you can decode it easily. Contact me if you need it.
Thanks,
Dan
_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
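As an added defender-side example (not part of Dan's post): a Python parser that recognises the task-dispatch POST described above by its path, content type and form fields, and extracts the controller and task-database URLs for blocking or alerting. The sample request is reconstructed from the capture in the post; the bot script paths and field names are the ones the post reports.

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Script paths and form fields reported in the post (second path is the "brother" copy).
BOT_PATHS = ("/imgbak/imgbak.php", "/topimgbak/img1.php")
TASK_FIELDS = {"serverURI", "query", "chunkId", "taskId", "dbPath", "bId"}

# Constructed sample: the captured request from the post, re-assembled with CRLF endings.
SAMPLE_REQUEST = (
    "POST /imgbak/imgbak.php HTTP/1.0\r\n"
    "Host: victim.com\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 229\r\n"
    "\r\n"
    "serverURI=http%3A%2F%2F74.54.99.194%2Fsp1%2Fb_control.php&query=newTask"
    "&chunkId=dcc765de87a808ca4570f0bb7a7c4c94&taskId=13840"
    "&dbPath=http%3A%2F%2F74.54.99.194%2Fsp1%2Ftask_db%2F13840%2F559.txt"
    "&bId=b8f78c49c9440da5c36cfb5c37c32d66"
)

def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": urlparse(target).path, "headers": headers, "body": body}

def detect_imgbak_task(raw: str) -> Optional[dict]:
    """Return C&C details when a request matches the imgbak task dispatch, else None."""
    req = parse_http_request(raw)
    if req["method"] != "POST" or not req["path"].endswith(BOT_PATHS):
        return None
    if not req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    form = {k: v[0] for k, v in parse_qs(req["body"]).items()}
    if not TASK_FIELDS.issubset(form):
        return None
    return {
        "victim_host": req["headers"].get("host"),
        "c2_host": urlparse(form["serverURI"]).hostname,
        "control_url": form["serverURI"],
        "task_db_url": form["dbPath"],
        "bot_id": form["bId"],
    }
```

The returned `c2_host` and `task_db_url` are the values to feed into a blocklist or proxy alert; a POST to one of the bot paths that lacks the task fields is left alone, so ordinary traffic to a coincidentally named script is not flagged.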
