Author Topic: Gozi Check-Ins  (Read 2510 times)

June 16, 2010, 07:56:16 pm

eoin.miller

Seeing infected clients POST to these URLs with the user-agent "IE":

http://27.131.32.20/cgi-bin/forms.cgi
http://91.213.174.40/cgi-bin/forms.cgi


Pulling down files:
http://91.213.174.40/cgi-bin/options.cgi?user_id=2527700603&version_id=18&passphrase=fkjvhsdvlksdhvlsd&socks=0&version=18&crc=78c6dbd2
http://27.131.32.20/cgi-bin/options.cgi?user_id=2527700603&version_id=18&passphrase=fkjvhsdvlksdhvlsd&socks=0&version=18&crc=78c6dbd2
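
A detection sketch for the two patterns reported above, added here as an example and not part of the original post. The proxy-log line format (client, method, URL, quoted user-agent), the `example.invalid` hostnames, and the names `classify` and `scan` are assumptions made for illustration; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters seen on the options.cgi download URLs in the post.
OPTIONS_PARAMS = {"user_id", "version_id", "passphrase", "socks", "version", "crc"}

# Constructed proxy-log lines (client, method, URL, user-agent); hosts are placeholders.
SAMPLE_LOG = '''\
10.0.0.5 POST http://c2.example.invalid/cgi-bin/forms.cgi "IE"
10.0.0.5 GET http://c2.example.invalid/cgi-bin/options.cgi?user_id=1&version_id=18&passphrase=x&socks=0&version=18&crc=0a0b0c0d "IE"
10.0.0.7 POST http://intranet.example.invalid/cgi-bin/forms.cgi "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
10.0.0.8 GET http://www.example.invalid/cgi-bin/options.cgi?lang=en "Mozilla/5.0"
10.0.0.9 GET http://www.example.invalid/index.html "IE"
'''

# Assumed log layout: client, method, URL, then the user-agent in double quotes.
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def classify(method, url, user_agent):
    """Return a label for traffic matching the post's patterns, else None."""
    parts = urlsplit(url)
    # Check-in: POST to forms.cgi with the user-agent exactly "IE".
    # A real Internet Explorer sends a long "Mozilla/4.0 (compatible; MSIE ...)" string.
    if method == "POST" and parts.path == "/cgi-bin/forms.cgi" and user_agent == "IE":
        return "checkin-post"
    # Download: options.cgi carrying the full parameter set from the post.
    # The post does not state the method or user-agent here, so neither is required.
    if parts.path == "/cgi-bin/options.cgi":
        if OPTIONS_PARAMS <= set(parse_qs(parts.query, keep_blank_values=True)):
            return "options-fetch"
    return None

def scan(log_text):
    """Return (client, label) for every log line that matches a pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        client, method, url, ua = m.groups()
        label = classify(method, url, ua)
        if label:
            hits.append((client, label))
    return hits

if __name__ == "__main__":
    for client, label in scan(SAMPLE_LOG):
        print(client, label)
```

Matching on the path, parameter set and user-agent rather than the two IP addresses keeps the check useful if the hosts change.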