Author Topic: New Zeus server  (Read 346583 times)

0 Members and 1 Guest are viewing this topic.

January 19, 2010, 07:55:18 am
Reply #45

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Code: [Select]
hxxp://www.muchomucho.net

taken offline by provider.
Ruining the bad guy's day

January 19, 2010, 05:22:20 pm
Reply #46

jackberri

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1508
Code: [Select]
hxxp://www.muchomucho.net

taken offline by provider.

Great news  :)
Go ahead!

and now config file:
Code: [Select]
6alava.com
Code: [Select]
hxxp://6alava.com/0d020d0340003s10/.p00p/config.bin



January 20, 2010, 05:54:25 pm
Reply #47

jackberri

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1508
Code: [Select]
hxxp://littlednss.com
Config file
Code: [Select]
hxxp://littlednss.com/us/orders.xls
Binary file
Code: [Select]
hxxp://littlednss.com/us/directwin.exe
Drop zone
Code: [Select]
hxxp://littlednss.com/us/ie.php
IP 115.100.250.81
AS9811

Domain Admin (contact@privacyprotect.org)

January 20, 2010, 07:21:24 pm
Reply #48

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
littlednss.com doesn't seem to be resolving any longer :(
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

January 20, 2010, 07:22:38 pm
Reply #49

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
littlednss.com doesn't seem to be resolving any longer :(

taken down by registrar.
Ruining the bad guy's day

January 20, 2010, 07:42:15 pm
Reply #50

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
hehe my fault for not looking at the WhoIs status.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

January 21, 2010, 12:41:45 am
Reply #51

jackberri

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1508
littlednss.com doesn't seem to be resolving any longer :(

Now solves  115.100.250.81

Regards

January 21, 2010, 09:49:17 am
Reply #52

jackberri

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1508
Code: [Select]
hxxp:www.electromusicnow.cnIP 122.115.63.17
AS9803
Administrative Email: williamashley40@yahoo.com

config file
Code: [Select]
hxxp:www.electromusicnow.cn/drum/trance.jpg
drop zone
Code: [Select]
hxxp://www.electromusicnow.cn/drum/dance.php
droppers:
Code: [Select]
hxxp://www.maquinaslitograficas.com/img/mujeres.jpg
hxxp://www.maquinaslitograficas.com/img/mujeress.jpg

Code: [Select]
hxxp:maquinaslitograficas.com
IP      67.205.111.201
Reverse abril.colombiaredes.info
Registrar: EVERYONES INTERNET, LTD. DBA RESELLONE.NET
AS32613

January 21, 2010, 05:58:38 pm
Reply #53

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
littlednss.com doesn't seem to be resolving any longer :(

Now solves  115.100.250.81

Regards

Meant to mention the URL's still worked if you replaced the domain name with the old IP ;)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

January 21, 2010, 06:53:31 pm
Reply #54

jackberri

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1508
Found new config file for
Code: [Select]
dolbanov.net
Code: [Select]
hxxp://dolbanov.net/images/cfg/new231/azukde.bin

January 21, 2010, 07:23:02 pm
Reply #55

jackberri

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1508
Code: [Select]
hxxp://ubojnajasila.net
config file:
Code: [Select]
hxxp://ubojnajasila.net/zend/cfg.bin

trojan file
Code: [Select]
hxxp://ubojnajasila.net/zend/bot.exemd5sum e6cdf6691e224ef5c2158c63fa7ed4f0

dropzone
Code: [Select]
hxxp://ubojnajasila.net/zend/gate.php

IP 200.106.149.172
AS27990

Registrar: TUCOWS INC

Registration Service Provider:
Fasthosts Internet Limited, domains@fasthosts.co.uk

Administrative Contact:
contactprivacy.com, ubojnajasila.net@contactprivacy.com


January 21, 2010, 10:40:53 pm
Reply #56

jackberri

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1508
Code: [Select]
hxxp://googlefastanalytics.eu/IP 93.190.141.102
Reverse twilight.void.fi


AS49981

e-mail: info@worldstream.nl


url config:
Code: [Select]
hxxp://googlefastanalytics.eu/forum/gdvfhsv2.bin

January 22, 2010, 08:00:19 am
Reply #57

jackberri

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1508
Code: [Select]
hxxp://internazionale.vc/
IP 195.242.161.190
AS47434

Created On:13-Jan-2010 15:20:57 UTC

Registrant Name:charles fytche
Registrant Email:mihelonto@googlemail.com

url config:
Code: [Select]
hxxp://internazionale.vc/images/blend.jpg
hxxp://internazionale.vc/images/fly.gif




January 22, 2010, 08:10:53 am
Reply #58

jackberri

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1508
New config for

Code: [Select]
nekovo.ru
url config:
Code: [Select]
hxxp://nekovo.ru/cbd/nekovo.bri
IP 109.95.114.72
AS50369

registrar: REGRU-REG-RIPN
Aleksey V Kijanskiy kievsk@yandex.ru
Created: 2010-01-06
nekovo.ru point to 109.95.114.72. It is not listed in any blacklists.

January 22, 2010, 01:27:42 pm
Reply #59

jackberri

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1508
Downloads trojan Zbot and other malware.
The malware configure servers


Code: [Select]
http://klitar.cn/cp/l/28/088f1f3a888617973b88c21a23f907d5/f8fdf0601bcc3453b8b4d90fce622406
http://klitar.cn/cp/l/11/d38bb79c97509e07111c3dea6d92cb58/efc66d8f9d32309cfe56382f69c95e6e
hxxp://klitar.cn/cp/l/19/c95535db0ebc2d416bbefcacd3345420/f1a64914c01f584549056805acc61736
hxxp://klitar.cn/cp/l/20/299c49cc5225165610cd08227e9d5562/af73d9596a9a6363ffd5d968628f7a9c
hxxp://klitar.cn/cp/l/2/e99eb3a724872da6cff5f99b87ade5de/6ab84adb1bcb02622c89af526a2a2fe8
hxxp://klitar.cn/cp/l/12/e2b3be27fddbce37ba168e5bb9d7b484/47ce9e84a768603f9de7c1325386d39b
IP 193.104.110.89
AS50073
dministrative Email: gamegalenty@mail.ru
Registrant Name: googlegoogle