Let's start with IceIX:
• dns: 1 ›› ip: 78.131.222.67 - adresse: POWIAT-LANCUT.COM.PL
Login:
Summary statistics:
OS:
Bots:
Scripts:
Search in database:
Search in files:
Jabber notifier:
Information:
Options:
'Zeus red':
Summary statistics:
OS:
Dynamic config (webinjects)
Options:
That was the black theme; with the other themes it looks like this:
Red:
Blue:
Green:
Matrix:
I noticed also a Multi Locker on the hijacked server:
A 4-character root password; not sure if it's a joke or human stupidity.
Fake Cloudflare:
Decoded:
Lame multiple Zeus:
• dns: 1 ›› ip: 5.135.179.88 - adresse: JAVADOWNLOAD.SYTES.NET
• dns: 1 ›› ip: 5.135.179.88 - adresse: CONNECTTOME1.SYTES.NET
• dns: 1 ›› ip: 5.135.179.88 - adresse: TESTPANEL.SYTES.NET
Login:
Summary statistics:
OS:
Scripts:
Summary2:
Summary3:
Jabber:
access.log:
87.177.174.133 - - [09/Jan/2013:15:19:41 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.175.210 - - [10/Jan/2013:05:44:08 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
No logs file available from 10/Jan/2013:16:13:51 to 13/Jan/2013:03:46:31
87.177.162.192 - - [13/Jan/2013:09:53:42 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.189.240 - - [14/Jan/2013:09:59:07 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.185.200 - - [15/Jan/2013:05:43:01 +0100] "GET /new/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.169.81 - - [16/Jan/2013:13:37:18 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.161.20 - - [17/Jan/2013:08:25:56 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.187.177 - - [18/Jan/2013:14:37:36 +0100] "GET /new/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.172.7 - - [19/Jan/2013:09:33:44 +0100] "GET /new/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.183.21 - - [20/Jan/2013:12:34:49 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
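As an added example (not part of the original post), this Python sketch groups access.log lines like the ones above by client /16, query string, protocol and user agent, so that recurring `reports_db` requests from changing addresses in one range stand out. The function names and the `min_days` threshold are assumptions; the sample is a subset of the lines quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the access.log lines quoted above, plus the gap note.
SAMPLE = """\
87.177.174.133 - - [09/Jan/2013:15:19:41 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.175.210 - - [10/Jan/2013:05:44:08 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
No logs file available from 10/Jan/2013:16:13:51 to 13/Jan/2013:03:46:31
87.177.162.192 - - [13/Jan/2013:09:53:42 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.185.200 - - [15/Jan/2013:05:43:01 +0100] "GET /new/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.187.177 - - [18/Jan/2013:14:37:36 +0100] "GET /new/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
87.177.183.21 - - [20/Jan/2013:12:34:49 +0100] "GET /zpanel/cp.php?m=reports_db HTTP/1.0" 302 - "-" "Mozilla/5.0"
"""

# Apache combined log format; lines that do not match (such as the gap note) are skipped.
LINE = re.compile(
    r'(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"')

def parse(text):
    """Yield one dict per well-formed log line, with day, query and /16 added."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["day"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
        rec["path"], _, rec["query"] = rec["target"].partition("?")
        rec["net16"] = ".".join(rec["ip"].split(".")[:2]) + ".0.0/16"
        yield rec

def recurring_clients(text, min_days=3):
    """Keep (net16, query, proto, ua) groups seen on at least min_days distinct days."""
    groups = defaultdict(lambda: {"days": set(), "ips": set(), "paths": set(), "statuses": set()})
    for r in parse(text):
        g = groups[(r["net16"], r["query"], r["proto"], r["ua"])]
        g["days"].add(r["day"])
        g["ips"].add(r["ip"])
        g["paths"].add(r["path"])
        g["statuses"].add(r["status"])
    return {k: v for k, v in groups.items() if len(v["days"]) >= min_days}

if __name__ == "__main__":
    for key, g in recurring_clients(SAMPLE).items():
        print(key, len(g["days"]), "days,", len(g["ips"]), "IPs,", sorted(g["paths"]))
```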
Heavy snow in France.. I'm sick, a little thought for those who get up early.
Why is that named Zeus Red?
I don't know if it's the right name, but I found that on the installer
define('APP_TITLE', 'Zeus Red');
Can I ask you (via email) where you found Zeus Red?
matrix zeus amazing lol they changed the theme of the ghost panel lol.