// re-assemble url w/ IP...
h00p://42.121.116.38:8080/forum/links/column.php
h00p://202.180.221.186:8080/forum/links/column.php
h00p://203.80.16.81:8080/forum/links/column.php
h00p://208.87.243.131:8080/forum/links/column.php
h00p://219.255.134.110:8080/forum/links/column.php

//retry... 1st IP (42.121.116.38)
http://42.121.116.38:8080/forum/links/column.php
--14:16:37-- http://42.121.116.38:8080/forum/links/column.php
           => `./sample'
Connecting to 42.121.116.38:8080... seconds 0.00, connected.
Created socket 1916.
Releasing 0x003d5600 (new refcount 0).
Deleting unused 0x003d5600.
---request begin---
GET /forum/links/column.php HTTP/1.0
Referer: http://www.lincolnlutheran.org/mail.htm?BIX5MYP=X95RG45NH502A48920J6K&D5IS=IX2OLOH2BXWB4X&DM6=PCKKFX5TNF&0UPZJ4=ZX0L2OUF&OAJG8Q9=KAK0XV65C2F1G6W9I9PBV461O&I57G=R010XDKGQGJXDI&UI6=U6Z4ELZPRCW8FK0D15PUTV6&WPYXJ8=Y6C1G1BXWBE&
User-Agent: MalwareMustdie is Burping at your doors
Accept: */*
Host: 42.121.116.38:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Mon, 10 Dec 2012 05:16:36 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
---response end---
200 OK
Length: unspecified [text/html]
[ <=> ] 102,671 42.00K/s
Closed fd 1916
14:16:42 (41.89 KB/s) - `./sample' saved [102671]

//retry... 2nd IP (202.180.221.186)
http://202.180.221.186:8080/forum/links/column.php
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 502 Bad Gateway
Server: nginx/1.0.4
Date: Mon, 10 Dec 2012 05:19:00 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
Content-Length: 0
---response end---
502 Bad Gateway
Registered socket 1916 for persistent reuse.
Skipping 0 bytes of body: [] done.
14:21:09 ERROR 502: Bad Gateway.
// BHEK is UP in there but not accepting this request..(OVERDUE reference url)

// retry 3rd (203.80.16.81)
http://203.80.16.81:8080/forum/links/column.php
--14:25:14-- http://203.80.16.81:8080/forum/links/column.php
           => `./sample'
Connecting to 203.80.16.81:8080... seconds 0.00, Closed fd 1916
failed: Connection refused.
// BHEK is INACTIVE

// retry 4th
http://208.87.243.131:8080/forum/links/column.php
--14:26:44-- http://208.87.243.131:8080/forum/links/column.php
           => `./sample'
Connecting to 208.87.243.131:8080... seconds 0.00, Closed fd 1916
failed: Connection refused.
// BHEK is INACTIVE

// retry 5th
--14:28:00-- http://219.255.134.110:8080/forum/links/column.php
           => `./sample'
Connecting to 219.255.134.110:8080... seconds 0.00, (TIMEOUT)
// BHEK is DOWN/NONEXISTENT

---
#MalwareMustDie - @unixfreaxjp
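// added example (not part of the original post): a small parser that sorts a debug-mode wget transcript like the one above into the same four outcomes noted per IP (payload served, front end up but rejecting, connection refused, no response). The label names, the function name classify and the sample transcript are assumptions made for this example; the sample uses documentation-range IPs, not the hosts from the log.

```python
import re

# Constructed sample in the shape of the wget debug output above (not real hosts).
SAMPLE = """\
Connecting to 192.0.2.10:8080... seconds 0.00, connected.
---response begin---
HTTP/1.1 200 OK
---response end---
14:16:42 (41.89 KB/s) - `./sample' saved [102671]
Connecting to 192.0.2.11:8080... seconds 0.00, connected.
---response begin---
HTTP/1.1 502 Bad Gateway
---response end---
14:21:09 ERROR 502: Bad Gateway.
Connecting to 192.0.2.12:8080... seconds 0.00, Closed fd 1916
failed: Connection refused.
Connecting to 192.0.2.13:8080... seconds 0.00,
"""

CONNECT = re.compile(r"^Connecting to (\d{1,3}(?:\.\d{1,3}){3}):(\d+)\.\.\.", re.M)
STATUS = re.compile(r"^HTTP/1\.[01] (\d{3}) ", re.M)   # response status line only
SAVED = re.compile(r"saved \[(\d+)\]")

def classify(log):
    """Return {ip: (label, http_status, bytes_saved)} for each connection attempt."""
    results = {}
    hits = list(CONNECT.finditer(log))
    for i, m in enumerate(hits):
        # Everything up to the next "Connecting to" line belongs to this attempt.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(log)
        block = log[m.end():end]
        status = STATUS.search(block)
        saved = SAVED.search(block)
        code = int(status.group(1)) if status else None
        size = int(saved.group(1)) if saved else 0
        if "Connection refused" in block:
            label = "inactive"        # port closed, nothing listening
        elif code == 200 and size > 0:
            label = "serving"         # a response body was returned and saved
        elif code is not None:
            label = "up-rejecting"    # front end answers but hands out no body
        else:
            label = "no-response"     # timeout or host gone
        results[m.group(1)] = (label, code, size)
    return results

if __name__ == "__main__":
    for ip, info in classify(SAMPLE).items():
        print(ip, *info)
```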