To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
On Mon, 5 Nov 2007, Interspace System Department wrote:

> Hi again!
>
> Hope you're doing well ;)

Thanks again for posting. :) When obfuscating links, www should be made into w ww.

> Today I would like to point your attention to some spam-net, which I
> believe has been run by some Russian "kaker".
> First of all, below is a list of his bots (I'm sure it's not all!):
>
> All of these have their "brother" on the same host, and in most cases it will
> be in "/topimgbak/img1.php"
>
> These bots receive their cmds via a POST request such as this:
>
> *********************.00080: POST /imgbak/imgbak.php HTTP/1.0
> Host: victim.com
> User-Agent: Mozilla/4.0
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 229
>
> serverURI=http%3A%2F%2F74.54.99.194%2Fsp1%2Fb_control.php&query=newTask&chunkId=dcc765de87a808ca4570f0bb7a7c4c94&taskId=13840&dbPath=http%3A%2F%2F74.54.99.194%2Fsp1%2Ftask_db%2F13840%2F559.txt&bId=b8f78c49c9440da5c36cfb5c37c32d66
>
> Currently this IP (74.54.99.194) is down, and you can't see that unpassworded
> C&C.
> Anyway, all the writing there was in Russian ;)
>
> The source of these bots is base64 encoded, but you can decode it easily. Contact
> me if you need it.
>
> Thanks,
> Dan
>
> _______________________________________________
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> All list and server information are public and available to law enforcement
> upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
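
Added example (not part of the original posts): a Python check that flags the task-push POST described in the report, using the script paths and form-field names from the quoted request. The sample request is constructed, with a documentation address and placeholder IDs, and the function names are this example's own.

```python
from urllib.parse import parse_qs, urlsplit

# Path and form-field names as given in the report above.
BOT_PATHS = ("/imgbak/imgbak.php", "/topimgbak/img1.php")
TASK_FIELDS = {"serverURI", "query", "chunkId", "taskId", "dbPath", "bId"}

# Constructed sample: documentation address and placeholder IDs.
SAMPLE = (
    "POST /imgbak/imgbak.php HTTP/1.0\r\n"
    "Host: victim.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "serverURI=http%3A%2F%2F192.0.2.10%2Fsp1%2Fb_control.php&query=newTask"
    "&chunkId=c1&taskId=1&bId=b1"
    "&dbPath=http%3A%2F%2F192.0.2.10%2Fsp1%2Ftask_db%2F1%2F1.txt"
)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, urlsplit(target).path, headers, body.strip()


def inspect_request(raw):
    """Return a finding dict if the request looks like a task push, else None."""
    try:
        method, path, headers, body = parse_request(raw)
    except ValueError:
        return None
    if method != "POST":
        return None
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    matched = TASK_FIELDS & set(fields)
    known_path = path.lower() in BOT_PATHS
    # Flag the known paths, or the full field set anywhere (renamed script).
    if not known_path and matched != TASK_FIELDS:
        return None
    hosts = {urlsplit(fields[k]).hostname for k in ("serverURI", "dbPath") if k in fields}
    return {"host": headers.get("host"), "path": path, "known_path": known_path,
            "fields": sorted(matched), "task_id": fields.get("taskId"),
            "controllers": sorted(h for h in hosts if h)}
```

The `controllers` value gives the hosts the compromised site was told to contact, which is what an egress blocklist or a log search would be built from.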
