18.104.22.168 - 22.214.171.124
These two IPs published by Kaspersky contained a lot of criminal stuff; you can view some screenshots here:
But they were just a small part of the server; obviously there was also Fragus:
But I think it's a bit useless to talk about this.
For the rest, Rickey Gevers has done a cool post, check it out!
Dorifel/Citadel samples: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1795
Closer view of the Dorifel code: http://translate.google.com/translate?hl=en&sl=nl&tl=en&u=http://webwereld.nl/analyse/111452/de-code-van-dorifel-nader-bekeken/1.html
I lacked the time to brute force everything; port 80 now seems filtered, but basic services like SSH still run on the IP.
Edit 11 Aug: No more communication to the C&C: