Malware Domain List

Malware Related => Malicious Domains => Topic started by: foks on December 11, 2010, 06:00:53 pm

Title: 94.100.25.58 - New Koobface C&C?
Post by: foks on December 11, 2010, 06:00:53 pm
This week I found some hacked FTP accounts where Koobface pages were uploaded. 2 PHP scripts were only used to connect to a server and check for an answer. You can see the contents of one of the files at http://foks.se/wp-content/uploads/2010/12/mytest.png.

As you can see, the script connects to 94.100.25.58. This IP number is also used to retrieve stats from the Koobface pages. The IP range is blocked by Spamhaus, http://www.spamhaus.org/sbl//sbl.lasso?query=SBL95764.

Has anyone else seen activity from this IP number? If you are interested in the uploaded files, please PM me.

While investigating I found some more Koobface pages:
http://www.espositofotografi.it/v7dx7xlar/
http://odtugv.org.tr/07hsbck/
http://radiosrt.com/9r4l8y/
http://techmastersofct.com/gdws9/
http://www.amirlotan.com/dzwsnmhfq2/