Thursday, March 20, 2014

upgradetoserver.com - Botnets, Phishing, Mass Mailers

upgradetoserver.com
194.44.160.178
inetnum:        194.44.160.0 - 194.44.160.255
netname:        UARNET-LL-20060614
descr:          UARNet
descr:          Svientsitsky st.1
descr:          Lviv
remarks:        INFRA-AW
country:        UA

Whois Domain Information
Registrant Name: JONATHAN AFOLAYAN
Registrant Organization:
Registrant Street: JONATH4U@ROCKETMAILCOM
Registrant City: LAGOS
Registrant State/Province:
Registrant Postal Code: 23401
Registrant Country: NG
Registrant Phone: +1.2347013182809



Started out looking at a "rebranded" Citadel panel.

It's Citadel with a different background.
"World Carding Management System!"


Then I saw some crazy stuff.

Phishing?


This is a joke, right?


Some sort of four-in-one, lazy as hell, ghetto phishing page.

I'm shocked... do people actually fall for this and fill it out?

Looking at the PHP for the phishing forms.


b_hacker_1@yahoo.com


Using the same email on advertisements.


Google+
Hacking is not a Crime..Is an Art


Two mass mailers.

I shell on yer boxen too...

Broken "Bank of America ReZu1T (Thief)"


Notes

  • admin claims to be Russian in posted advertisements
  • unskilled, re-seller
  • server hosted in Ukraine
  • vps user: jonatha8
  • contact email: root@upgradetoserver.com


index.html Google Analytics

  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-5263515-4']);
  _gaq.push(['_setDomainName', '.3eeweb.com']);
  _gaq.push(['_trackPageview']);


Botnet MySQL configs

  $config['mysql_user']          = 'jonatha8_admin';
  $config['mysql_pass']          = 'Oluwanoni407@';
  $config['mysql_db']            = 'jonatha8_user1';

  $config['mysql_user']          = 'jonatha8_crome';
  $config['mysql_pass']          = 'computer12';
  $config['mysql_db']            = 'jonatha8_crome';
  http://upgradetoserver.com/crome/cp.php?m=login

  $config['mysql_user']          = 'jonatha8_unix2';
  $config['mysql_pass']          = 'Lorenna1984';
  $config['mysql_db']            = 'jonatha8_unix2';
  http://upgradetoserver.com/iamcoder/cp.php?m=home

  $config['mysql_user']          = 'jonatha8_keran';
  $config['mysql_pass']          = 'Lorenna1984';
  $config['mysql_db']            = 'jonatha8_keran';

  $config['mysql_user']          = 'jonatha8_unix';
  $config['mysql_pass']          = 'Lorenna1984';
  $config['mysql_db']            = 'jonatha8_unix';
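Added example, not from the post: a small triage helper of the kind an incident responder would run over a seized or mirrored panel's source tree to pull out the `$config['mysql_*']` database credentials and the Google Analytics account ID shown above, and to flag the same password being reused across panels (as it is here). The file paths and credential values are constructed placeholders, not the server's.

```python
import re
from collections import defaultdict

# Constructed sample files in the shape of the panel source quoted in the
# post: $config[...] lines from a Citadel-style config.php and the GA
# bootstrap from index.html. Paths and values are placeholders, not the server's.
SAMPLE_FILES = {
    "crome/system/config.php": """
$config['mysql_user'] = 'acct_crome';
$config['mysql_pass'] = 'ReUsedPass1';
$config['mysql_db']   = 'acct_crome';
""",
    "unix2/system/config.php": """
$config['mysql_user'] = 'acct_unix2';
$config['mysql_pass'] = 'ReUsedPass1';
$config['mysql_db']   = 'acct_unix2';
""",
    "index.html": """
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-0000000-1']);
_gaq.push(['_setDomainName', '.tracking.example']);
""",
}

CONFIG_RE = re.compile(r"\$config\['(\w+)'\]\s*=\s*'([^']*)'\s*;")
GA_ID_RE = re.compile(r"'_setAccount'\s*,\s*'(UA-\d+-\d+)'")
GA_DOMAIN_RE = re.compile(r"'_setDomainName'\s*,\s*'([^']+)'")

def parse_config(text):
    """Return {key: value} for every $config['key'] = 'value'; line."""
    return dict(CONFIG_RE.findall(text))

def find_ga(text):
    """Return (account_id, domain) pairs from a page's GA bootstrap code."""
    ids = GA_ID_RE.findall(text)
    domains = GA_DOMAIN_RE.findall(text) or [None]
    return [(i, d) for i in ids for d in domains]

def triage(files):
    """Summarise DB credentials per panel, GA IDs, and cross-panel password reuse."""
    creds, by_pass, ga = {}, defaultdict(list), []
    for path, text in files.items():
        cfg = parse_config(text)
        if "mysql_pass" in cfg:
            creds[path] = (cfg.get("mysql_user"), cfg.get("mysql_db"))
            by_pass[cfg["mysql_pass"]].append(path)
        ga.extend(find_ga(text))
    reused = {p: v for p, v in by_pass.items() if len(v) > 1}
    return {"creds": creds, "reused_passwords": reused, "ga": ga}
```

The GA account ID and the reused password are the pivots worth recording: the former ties other sites to the same operator, the latter shows which panels share an operator and are likely to fall together.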
