Author Topic: 94.100.25.58 - New Koobface C&C?  (Read 2203 times)

December 11, 2010, 06:00:53 pm
foks

This week I found some hacked FTP accounts where Koobface pages were uploaded. 2 PHP scripts were only used to connect to a server and check for an answer. You can see the contents of one of the files on http://foks.se/wp-content/uploads/2010/12/mytest.png.

As you can see, the script connects to 94.100.25.58. This IP number is also used to retrieve stats from the Koobface pages. The IP range is blocked by Spamhaus, http://www.spamhaus.org/sbl//sbl.lasso?query=SBL95764.

Has anyone else seen activity from this IP number? If you are interested in the uploaded files, please PM me.

While investigating I found some more Koobface pages:
http://www.espositofotografi.it/v7dx7xlar/
http://odtugv.org.tr/07hsbck/
http://radiosrt.com/9r4l8y/
http://techmastersofct.com/gdws9/
http://www.amirlotan.com/dzwsnmhfq2/