Found on a server that hosted Dorifel (http://www.securelist.com/en/blog?weblogid=208193776)
4 different Citadel kits targeting the Netherlands; here is one of them:
8 397 976 reports, 48 033 bots.. not bad.
Search in database:
Search in files:
The second panel (hosted on the same server) is bigger, with 64 596 bots and 17 887 287 reports. This one has the interface in Russian.
Malware execute task:
I say "server" in quotes because it's very probable that these IPs are just used as proxies.
If the police take that server, they won't have the data, only nginx/apache logs, and the server is probably not saving these logs; imho the backend server is elsewhere.
And surprise... yeah, you guessed it, it's another Citadel:
And... yes, it's a 4th Citadel hosted on the same shit!
So for the moment: 113k bots and 26351k reports on one IP... does anyone have better?
Also, for those who sent me their Citadel builders and asked for cracks, let's make things clear:
The builder takes some information about your machine (some specific params) and uses these params to make a hash; this hash is used to decode the bot template inside the builder binary.
So I need a valid hash from a customer, because every builder has the bot template encrypted with a different hash value.
It's impossible (for me) to crack it without having a good hash key.