daily pastebin goal
71%
SHARE
TWEET

#MalwareMustDie! Kuluoz CnC list

MalwareMustDie Jul 8th, 2013 506 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. // #MalwareMustDie! Win32/Kuluoz.B CnC list..
  2. // FakeAV spreader, Spam campaign attachment (mostly zips)
  3. // Within a week we took three takes for grabbing these CnC
  4. // Usually used port 8080 is not written
  5. // block these IP's 8080 or 993 is a way on mitigation
  6. // For cleanup purpose, I will keep on adding these..
  7.  
  8. // Service signature (header)
  9. // ngnix proxies, i.e.:
  10.  
  11. Server: nginx/1.2.6
  12. Date: Mon, 08 Jul 2013 07:56:51 GMT
  13. Content-Type: text/html
  14. Content-Length: 20
  15. Connection: close
  16. X-Powered-By: PHP/5.4.4-7
  17. Vary: Accept-Encoding
  18. Content-Encoding: gzip
  19.  
  20. // take one..
  21.  
  22. 178.208.35.190
  23. 186.112.214.158   <---- old
  24. 95.140.42.27
  25. 203.146.208.180:
  26. 202.29.229.232
  27. 77.92.140.241
  28.  
  29. // take two..
  30.  
  31. 149.210.130.18 (993)
  32. 95.140.42.27
  33. 186.112.214.158   <----- old
  34. 77.92.140.241
  35. 202.29.229.232
  36. 178.208.35.190
  37. 62.113.200.95 (993)
  38.  
  39. // take three..
  40.  
  41. 149.210.130.18 (993)
  42. 186.112.214.158   <----- old
  43. 202.29.229.232
  44. 178.208.35.190
  45. 64.76.19.241
  46. 95.173.186.184
  47. 176.122.224.62
  48. 82.192.91.224
  49.  
  50. //CnC data from config(decrypted)
  51. // CnC data extracted from spam config:
  52. 188.138.23.51:8080
  53. 213.180.70.141:8080
  54. 46.45.170.13:8080
  55. 50.57.228.220:8080
  56. 68.169.55.248:8090
  57. 80.78.245.96:8080
  58. 59.147.251.35
  59.  
  60. // Unique historical:
  61. 178.208.35.190
  62. 186.112.214.158
  63. 95.140.42.27
  64. 203.146.208.180
  65. 202.29.229.232
  66. 77.92.140.241
  67. 149.210.130.18
  68. 62.113.200.95
  69. 64.76.19.241
  70. 95.173.186.184
  71. 176.122.224.62
  72. 82.192.91.224
  73. 188.138.23.51
  74. 213.180.70.141
  75. 46.45.170.13
  76. 50.57.228.220
  77. 68.169.55.248
  78. 80.78.245.96
  79. 59.147.251.35
  80.  
  81.  
  82. // up and alive PoC:
  83.  
  84. Nmap scan report for 178.208.35.190.static.hosted.by.combell.com (178.208.35.190)
  85. Host is up (0.27s latency).
  86. Nmap scan report for 186.112.214.158
  87. Host is up (0.25s latency).
  88. Nmap scan report for server01.liveport.hu (95.140.42.27)
  89. Host is up (0.30s latency).
  90. Nmap scan report for 203.146.208.180
  91. Host is up (0.13s latency).
  92. Nmap scan report for 202.29.229.232
  93. Host is up (0.12s latency).
  94. Nmap scan report for mail.nusozluk.com (77.92.140.241)
  95. Host is up (0.34s latency).
  96. Nmap scan report for 149-210-130-18.colo.transip.net (149.210.130.18)
  97. Host is up (0.28s latency).
  98. Nmap scan report for 62.113.200.95
  99. Host is up (0.28s latency).
  100. Nmap scan report for boromir.mauriciofrappa.com.ar (64.76.19.241)
  101. Host is up (0.33s latency).
  102. Nmap scan report for 1844604uw.ni.net.tr (95.173.186.184)
  103. Host is up (0.36s latency).
  104. Nmap scan report for 176.122.224.62
  105. Host is up (0.31s latency).
  106. Nmap scan report for voip6.brite-voice.com (82.192.91.224)
  107. Host is up (0.28s latency).
  108. Nmap scan report for static-ip-188-138-23-51.inaddr.ip-pool.com (188.138.23.51)
  109. Host is up (0.30s latency).
  110. Nmap scan report for 213.180.70.141
  111. Host is up (0.32s latency).
  112. Nmap scan report for 46-45-170-13.turkrdns.com (46.45.170.13)
  113. Host is up (0.32s latency).
  114. Nmap scan report for 50-57-228-220.static.cloud-ips.com (50.57.228.220)
  115. Host is up (0.20s latency).
  116. Nmap scan report for entrevistasdeunhada.com (68.169.55.248)
  117. Host is up (0.20s latency).
  118. Nmap scan report for vm3990.vps.agava.net (80.78.245.96)
  119. Host is up (0.34s latency).
  120. Nmap scan report for 59.147.251.35 [host down]
  121. Nmap done: 19 IP addresses (18 hosts up) scanned in 3.87 seconds
  122.  
  123. // Scan the proxies use in 8080:
  124.  
  125. Scanning 18 hosts [1 port/host]
  126. Discovered open port 8080/tcp on 202.29.229.232
  127. Discovered open port 8080/tcp on 186.112.214.158
  128. Discovered open port 8080/tcp on 64.76.19.241
  129. Discovered open port 8080/tcp on 46.45.170.13
  130. Discovered open port 8080/tcp on 80.78.245.96
  131. Discovered open port 8080/tcp on 178.208.35.190
  132. Discovered open port 8080/tcp on 213.180.70.141
  133. Discovered open port 8080/tcp on 188.138.23.51
  134. Discovered open port 8080/tcp on 68.169.55.248
  135. Discovered open port 8080/tcp on 50.57.228.220
  136. Discovered open port 8080/tcp on 95.173.186.184
  137.  
  138. // Scan ports 993...
  139.  
  140. Discovered open port 993/tcp on 77.92.140.241
  141. Discovered open port 993/tcp on 82.192.91.224
  142. Discovered open port 993/tcp on 64.76.19.241
  143. Discovered open port 993/tcp on 46.45.170.13
  144. Discovered open port 993/tcp on 62.113.200.95
  145. Discovered open port 993/tcp on 68.169.55.248
  146. Discovered open port 993/tcp on 149.210.130.18
  147. Discovered open port 993/tcp on 213.180.70.141
  148.  
  149. #MalwareMustDie!
  150. $ date
  151. Mon Jul  10 15:00:02 JST 2013
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top