220.127.116.11 - www.lbmedical.se/media/system/css/cp.php?m=login
18.104.22.168 - gaskotel.by/templates/system/css/cp.php?m=login
Usual Citadel panels and bots, but this time I found another C&C in the log files. It seems a PC was infected with two different Citadel bots, and one of them grabbed the POST traffic going to the gate.php of the other C&C. This kind of 'double infection' does happen, but this particular case was interesting.
This newly found server, taking.no-ip.biz, resolves to a network in Nigeria. More on this development later.
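The observation above, a second C&C surfacing because one bot's formgrabber captured another bot's POST to gate.php, can be turned into a defender's log check: look for the two URL patterns the post shows (bot check-ins POSTing to gate.php, operator logins to cp.php?m=login), group them by host, and flag any client that checks in to more than one gate. The script below is an added example, not code from the original post; the log format, client addresses and hostnames are constructed sample data.

```python
"""Find candidate Citadel C&C hosts in a web/proxy log and spot clients that
check in to more than one gate (the 'double infection' case).

Added example, not part of the original post. The log format and all hosts
and addresses below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log, simplified proxy format:
#   <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
10.0.0.5 POST http://panel-one.example.net/media/system/css/gate.php 200
10.0.0.5 POST http://panel-two.example.org/templates/system/css/gate.php 200
10.0.0.7 GET http://www.example.com/index.html 200
10.0.0.9 GET http://panel-two.example.org/templates/system/css/cp.php?m=login 200
10.0.0.5 POST http://panel-one.example.net/media/system/css/gate.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def classify(method, url):
    """Return 'gate' for a bot check-in (POST to gate.php), 'panel' for a
    panel login (cp.php?m=login, any method), or None otherwise."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script == "gate.php" and method.upper() == "POST":
        return "gate"
    if script == "cp.php" and parse_qs(parts.query).get("m") == ["login"]:
        return "panel"
    return None


def _records(log_text):
    """Yield (client, kind, host) for every line matching a C&C pattern."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        client, method, url, _status = m.groups()
        kind = classify(method, url)
        if kind is not None:
            yield client, kind, urlsplit(url).hostname


def find_c2_candidates(log_text):
    """Map each candidate C&C host to its gate POST count, panel login
    count and the set of clients that touched it."""
    hosts = defaultdict(lambda: {"gate_posts": 0, "panel_logins": 0, "clients": set()})
    for client, kind, host in _records(log_text):
        entry = hosts[host]
        if kind == "gate":
            entry["gate_posts"] += 1
        else:
            entry["panel_logins"] += 1
        entry["clients"].add(client)
    return dict(hosts)


def double_infected_clients(log_text):
    """Clients that POST to gate.php on two or more distinct hosts, i.e. the
    same machine reporting to more than one C&C."""
    gates = defaultdict(set)
    for client, kind, host in _records(log_text):
        if kind == "gate":
            gates[client].add(host)
    return {c: sorted(h) for c, h in gates.items() if len(h) > 1}


if __name__ == "__main__":
    for host, info in sorted(find_c2_candidates(SAMPLE_LOG).items()):
        print(host, info["gate_posts"], info["panel_logins"], sorted(info["clients"]))
    print("multiple gates:", double_infected_clients(SAMPLE_LOG))
```

Run against the constructed sample, both example hosts are reported as candidates (the panel host with one login and one check-in, the other with two check-ins) and client 10.0.0.5 is flagged for checking in to both gates. Matching on the script name alone is deliberately loose; in practice the result is a triage list to confirm, not a verdict.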
Found another Citadel in the logs
Let's have a look:
Yep, it looks like Citadel.
Interesting note on the index.
"We recently survived a server shutdown due to high load on our servers. We have now relocated our servers to keep providing the best City service. Please send your username and link to firstname.lastname@example.org to setup your new info."
Are you sure it was due to high load? It couldn't have been someone that maybe deleted your panels, dropped your databases and shut the servers down?
Found malware sample.