Tag Archives: bitcoin

142.252.249.27 is Scanning for Crypto Wallets and Backups

Found a log entry from 142.252.249.27 this morning:

142.252.249.27 - - [09/Sep/2019:07:59:18 -0700] "HEAD /backup.zip HTTP/1.1" 404 4128 "http://www.freefixer.com/backup.zip" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

The bot running at 142.252.249.27 is scanning freefixer.com for backups, databases, data, code, bitcoin wallets, bitcoin cash wallets, litecoin wallets, dogecoin wallets, etc. It tries each name with the extensions .zip, .rar, .dat, .7z, .sql, .mdb, .mdf, .tgz and .tar.gz, and it also tries archive names derived from the site's own hostname (freefixer.zip, freefixer.com.zip, www.freefixer.com.zip and so on). Several of the names are Pinyin: beifen (backup), shujuku (database), shuju (data), ziliao (material) and qianbao (wallet). Every probe is a HEAD request, so the bot only needs the status code to learn whether a file exists; a 200 instead of the 404 above would have meant the archive was there for the taking. Here's the complete list of requests that 142.252.249.27 made:

 HEAD /backup.zip
 HEAD /backup.rar
 HEAD /backup.dat
 HEAD /backup.7z
 HEAD /backup.sql
 HEAD /backup.mdb
 HEAD /backup.mdf
 HEAD /backup.tgz
 HEAD /backup.tar.gz
 HEAD /db.zip
 HEAD /db.rar
 HEAD /db.dat
 HEAD /db.7z
 HEAD /db.sql
 HEAD /db.mdb
 HEAD /db.mdf
 HEAD /db.tgz
 HEAD /db.tar.gz
 HEAD /web.zip
 HEAD /web.rar
 HEAD /web.dat
 HEAD /web.7z
 HEAD /web.sql
 HEAD /web.mdb
 HEAD /web.mdf
 HEAD /web.tgz
 HEAD /web.tar.gz
 HEAD /database.zip
 HEAD /database.rar
 HEAD /database.dat
 HEAD /database.7z
 HEAD /database.sql
 HEAD /database.mdb
 HEAD /database.mdf
 HEAD /database.tgz
 HEAD /database.tar.gz
 HEAD /data.zip
 HEAD /data.rar
 HEAD /data.dat
 HEAD /data.7z
 HEAD /data.sql
 HEAD /data.mdb
 HEAD /data.mdf
 HEAD /data.tgz
 HEAD /data.tar.gz
 HEAD /web.zip
 HEAD /web.rar
 HEAD /web.dat
 HEAD /web.7z
 HEAD /web.sql
 HEAD /web.mdb
 HEAD /web.mdf
 HEAD /web.tgz
 HEAD /web.tar.gz
 HEAD /wwwroot.zip
 HEAD /wwwroot.rar
 HEAD /wwwroot.dat
 HEAD /wwwroot.7z
 HEAD /wwwroot.sql
 HEAD /wwwroot.mdb
 HEAD /wwwroot.mdf
 HEAD /wwwroot.tgz
 HEAD /wwwroot.tar.gz
 HEAD /www.zip
 HEAD /www.rar
 HEAD /www.dat
 HEAD /www.7z
 HEAD /www.sql
 HEAD /www.mdb
 HEAD /www.mdf
 HEAD /www.tgz
 HEAD /www.tar.gz
 HEAD /code.zip
 HEAD /code.rar
 HEAD /code.dat
 HEAD /code.7z
 HEAD /code.sql
 HEAD /code.mdb
 HEAD /code.mdf
 HEAD /code.tgz
 HEAD /code.tar.gz
 HEAD /test.zip
 HEAD /test.rar
 HEAD /test.dat
 HEAD /test.7z
 HEAD /test.sql
 HEAD /test.mdb
 HEAD /test.mdf
 HEAD /test.tgz
 HEAD /test.tar.gz
 HEAD /admin.zip
 HEAD /admin.rar
 HEAD /admin.dat
 HEAD /admin.7z
 HEAD /admin.sql
 HEAD /admin.mdb
 HEAD /admin.mdf
 HEAD /admin.tgz
 HEAD /admin.tar.gz
 HEAD /user.zip
 HEAD /user.rar
 HEAD /user.dat
 HEAD /user.7z
 HEAD /user.sql
 HEAD /user.mdb
 HEAD /user.mdf
 HEAD /user.tgz
 HEAD /user.tar.gz
 HEAD /sql.zip
 HEAD /sql.rar
 HEAD /sql.dat
 HEAD /sql.7z
 HEAD /sql.sql
 HEAD /sql.mdb
 HEAD /sql.mdf
 HEAD /sql.tgz
 HEAD /sql.tar.gz
 HEAD /wallet.zip
 HEAD /wallet.rar
 HEAD /wallet.dat
 HEAD /wallet.7z
 HEAD /wallet.sql
 HEAD /wallet.mdb
 HEAD /wallet.mdf
 HEAD /wallet.tgz
 HEAD /wallet.tar.gz
 HEAD /wallet.backup.zip
 HEAD /wallet.backup.rar
 HEAD /wallet.backup.dat
 HEAD /wallet.backup.7z
 HEAD /wallet.backup.sql
 HEAD /wallet.backup.mdb
 HEAD /wallet.backup.mdf
 HEAD /wallet.backup.tgz
 HEAD /wallet.backup.tar.gz
 HEAD /litecoin.zip
 HEAD /litecoin.rar
 HEAD /litecoin.dat
 HEAD /litecoin.7z
 HEAD /litecoin.sql
 HEAD /litecoin.mdb
 HEAD /litecoin.mdf
 HEAD /litecoin.tgz
 HEAD /litecoin.tar.gz
 HEAD /Litecoin.zip
 HEAD /Litecoin.rar
 HEAD /Litecoin.dat
 HEAD /Litecoin.7z
 HEAD /Litecoin.sql
 HEAD /Litecoin.mdb
 HEAD /Litecoin.mdf
 HEAD /Litecoin.tgz
 HEAD /Litecoin.tar.gz
 HEAD /Bitcoin.zip
 HEAD /Bitcoin.rar
 HEAD /Bitcoin.dat
 HEAD /Bitcoin.7z
 HEAD /Bitcoin.sql
 HEAD /Bitcoin.mdb
 HEAD /Bitcoin.mdf
 HEAD /Bitcoin.tgz
 HEAD /Bitcoin.tar.gz
 HEAD /bitcoin.zip
 HEAD /bitcoin.rar
 HEAD /bitcoin.dat
 HEAD /bitcoin.7z
 HEAD /bitcoin.sql
 HEAD /bitcoin.mdb
 HEAD /bitcoin.mdf
 HEAD /bitcoin.tgz
 HEAD /bitcoin.tar.gz
 HEAD /HShare.zip
 HEAD /HShare.rar
 HEAD /HShare.dat
 HEAD /HShare.7z
 HEAD /HShare.sql
 HEAD /HShare.mdb
 HEAD /HShare.mdf
 HEAD /HShare.tgz
 HEAD /HShare.tar.gz
 HEAD /btc.zip
 HEAD /btc.rar
 HEAD /btc.dat
 HEAD /btc.7z
 HEAD /btc.sql
 HEAD /btc.mdb
 HEAD /btc.mdf
 HEAD /btc.tgz
 HEAD /btc.tar.gz
 HEAD /bch.zip
 HEAD /bch.rar
 HEAD /bch.dat
 HEAD /bch.7z
 HEAD /bch.sql
 HEAD /bch.mdb
 HEAD /bch.mdf
 HEAD /bch.tgz
 HEAD /bch.tar.gz
 HEAD /btm.zip
 HEAD /btm.rar
 HEAD /btm.dat
 HEAD /btm.mdb
 HEAD /btm.mdf
 HEAD /btm.tgz
 HEAD /btm.tar.gz
 HEAD /bcd.zip
 HEAD /bcd.rar
 HEAD /bcd.dat
 HEAD /bcd.7z
 HEAD /bcd.sql
 HEAD /bcd.mdb
 HEAD /bcd.mdf
 HEAD /bcd.tgz
 HEAD /bcd.tar.gz
 HEAD /bcx.zip
 HEAD /bcx.rar
 HEAD /bcx.dat
 HEAD /bcx.7z
 HEAD /bcx.sql
 HEAD /bcx.mdb
 HEAD /bcx.mdf
 HEAD /bcx.tgz
 HEAD /bcx.tar.gz
 HEAD /qianbao.zip
 HEAD /qianbao.rar
 HEAD /qianbao.dat
 HEAD /qianbao.7z
 HEAD /qianbao.sql
 HEAD /qianbao.mdb
 HEAD /qianbao.mdf
 HEAD /qianbao.tgz
 HEAD /qianbao.tar.gz
 HEAD /doge.zip
 HEAD /doge.rar
 HEAD /doge.dat
 HEAD /doge.7z
 HEAD /doge.sql
 HEAD /doge.mdb
 HEAD /doge.mdf
 HEAD /doge.tgz
 HEAD /doge.tar.gz
 HEAD /dogecoin.zip
 HEAD /dogecoin.rar
 HEAD /dogecoin.dat
 HEAD /dogecoin.7z
 HEAD /dogecoin.sql
 HEAD /dogecoin.mdb
 HEAD /dogecoin.mdf
 HEAD /dogecoin.tgz
 HEAD /dogecoin.tar.gz
 HEAD /backup.zip
 HEAD /backup.rar
 HEAD /backup.dat
 HEAD /backup.7z
 HEAD /backup.sql
 HEAD /backup.mdb
 HEAD /backup.mdf
 HEAD /backup.tgz
 HEAD /backup.tar.gz
 HEAD /db.zip
 HEAD /db.rar
 HEAD /db.dat
 HEAD /db.7z
 HEAD /db.sql
 HEAD /db.mdb
 HEAD /db.mdf
 HEAD /db.tgz
 HEAD /db.tar.gz
 HEAD /data.zip
 HEAD /data.rar
 HEAD /data.dat
 HEAD /data.7z
 HEAD /data.sql
 HEAD /data.mdb
 HEAD /data.mdf
 HEAD /data.tgz
 HEAD /data.tar.gz
 HEAD /web.zip
 HEAD /web.rar
 HEAD /web.dat
 HEAD /web.7z
 HEAD /web.sql
 HEAD /web.mdb
 HEAD /web.mdf
 HEAD /web.tgz
 HEAD /web.tar.gz
 HEAD /wwwroot.zip
 HEAD /wwwroot.rar
 HEAD /wwwroot.dat
 HEAD /wwwroot.7z
 HEAD /wwwroot.sql
 HEAD /wwwroot.mdb
 HEAD /wwwroot.mdf
 HEAD /wwwroot.tgz
 HEAD /wwwroot.tar.gz
 HEAD /database.zip
 HEAD /database.rar
 HEAD /database.dat
 HEAD /database.7z
 HEAD /database.sql
 HEAD /database.mdb
 HEAD /database.mdf
 HEAD /database.tgz
 HEAD /database.tar.gz
 HEAD /www.zip
 HEAD /www.rar
 HEAD /www.dat
 HEAD /www.7z
 HEAD /www.sql
 HEAD /www.mdb
 HEAD /www.mdf
 HEAD /www.tgz
 HEAD /www.tar.gz
 HEAD /code.zip
 HEAD /code.rar
 HEAD /code.dat
 HEAD /code.7z
 HEAD /code.sql
 HEAD /code.mdb
 HEAD /code.mdf
 HEAD /code.tgz
 HEAD /code.tar.gz
 HEAD /test.zip
 HEAD /test.rar
 HEAD /test.dat
 HEAD /test.7z
 HEAD /test.sql
 HEAD /test.mdb
 HEAD /test.mdf
 HEAD /test.tgz
 HEAD /test.tar.gz
 HEAD /admin.zip
 HEAD /admin.rar
 HEAD /admin.dat
 HEAD /admin.7z
 HEAD /admin.sql
 HEAD /admin.mdb
 HEAD /admin.mdf
 HEAD /admin.tgz
 HEAD /admin.tar.gz
 HEAD /user.zip
 HEAD /user.rar
 HEAD /user.dat
 HEAD /user.7z
 HEAD /user.sql
 HEAD /user.mdb
 HEAD /user.mdf
 HEAD /user.tgz
 HEAD /user.tar.gz
 HEAD /sql.zip
 HEAD /sql.rar
 HEAD /sql.dat
 HEAD /sql.7z
 HEAD /sql.sql
 HEAD /sql.mdb
 HEAD /sql.mdf
 HEAD /sql.tgz
 HEAD /sql.tar.gz
 HEAD /bf.zip
 HEAD /bf.rar
 HEAD /bf.dat
 HEAD /bf.7z
 HEAD /bf.sql
 HEAD /bf.mdb
 HEAD /bf.mdf
 HEAD /bf.tgz
 HEAD /bf.tar.gz
 HEAD /beifen.zip
 HEAD /beifen.rar
 HEAD /beifen.dat
 HEAD /beifen.7z
 HEAD /beifen.sql
 HEAD /beifen.mdb
 HEAD /beifen.mdf
 HEAD /beifen.tgz
 HEAD /beifen.tar.gz
 HEAD /shujuku.zip
 HEAD /shujuku.rar
 HEAD /shujuku.dat
 HEAD /shujuku.7z
 HEAD /shujuku.sql
 HEAD /shujuku.mdb
 HEAD /shujuku.mdf
 HEAD /shujuku.tgz
 HEAD /shujuku.tar.gz
 HEAD /shuju.zip
 HEAD /shuju.rar
 HEAD /shuju.dat
 HEAD /shuju.7z
 HEAD /shuju.sql
 HEAD /shuju.mdb
 HEAD /shuju.mdf
 HEAD /shuju.tgz
 HEAD /shuju.tar.gz
 HEAD /ziliao.zip
 HEAD /ziliao.rar
 HEAD /ziliao.dat
 HEAD /ziliao.7z
 HEAD /ziliao.sql
 HEAD /ziliao.mdb
 HEAD /ziliao.mdf
 HEAD /ziliao.tgz
 HEAD /ziliao.tar.gz
 HEAD /freefixer.zip
 HEAD /freefixer.com.zip
 HEAD /www.freefixer.com.zip
 HEAD /freefixer.rar
 HEAD /freefixer.com.rar
 HEAD /www.freefixer.com.rar
 HEAD /freefixer.dat
 HEAD /freefixer.com.dat
 HEAD /www.freefixer.com.dat
 HEAD /freefixer.7z
 HEAD /freefixer.com.7z
 HEAD /www.freefixer.com.7z
 HEAD /freefixer.sql
 HEAD /freefixer.com.sql
 HEAD /www.freefixer.com.sql
 HEAD /freefixer.mdb
 HEAD /freefixer.com.mdb
 HEAD /www.freefixer.com.mdb
 HEAD /freefixer.mdf
 HEAD /freefixer.com.mdf
 HEAD /www.freefixer.com.mdf
 HEAD /freefixer.tgz
 HEAD /freefixer.com.tgz
 HEAD /www.freefixer.com.tgz
 HEAD /freefixer.tar.gz
 HEAD /freefixer.com.tar.gz
 HEAD /www.freefixer.com.tar.gz

Vanta Telecommunications Limited and egihosting.com are the names that show up when I did a lookup in the ARIN registry, as shown in the screenshot below. I'm assuming one of their customers has been hacked.

If you've been following this blog for the last week, you know that I've been trying to weed out fake Bingbots, Yandexbots, Googlebots and other types of bad behaviour. Since 142.252.249.27 is currently trying to gain access to non-public information, I'm going to block it in Apache's .htaccess file.
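As an added example (it is not part of the original post and not FreeFixer's tooling), the Python script below applies the same idea to a whole Apache access log instead of one line: it parses combined-format entries, counts how many of the probed archive names each client asked for, reports any probe that was answered with a 2xx (which would mean the archive really is downloadable, and the fix is removing it from the web root rather than blocking the scanner), and prints an Apache 2.4 `Require not ip` block for the offenders. The sample log is constructed after the single entry shown above with the host changed to www.example.com; the one 200 response in it is invented to show what an exposure looks like, and the Apache 2.4 syntax is an assumption about the server version.

```python
"""Flag clients that probe for backup and wallet archives in Apache access logs.

Added example for this post; not the post's own tooling. Input is Apache
"combined" log format. SAMPLE_LOG is constructed after the single entry
shown in the post (host changed to www.example.com, one invented 200 hit).
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Base names the bot tried. The Pinyin ones are beifen (backup), shujuku
# (database), shuju (data), ziliao (material) and qianbao (wallet).
SENSITIVE_STEMS = {
    "backup", "db", "web", "database", "data", "wwwroot", "www", "code", "test",
    "admin", "user", "sql", "wallet", "wallet.backup", "litecoin", "bitcoin",
    "hshare", "btc", "bch", "btm", "bcd", "bcx", "qianbao", "doge", "dogecoin",
    "bf", "beifen", "shujuku", "shuju", "ziliao",
}
# Longest extension first so ".tar.gz" is recognised as one suffix.
ARCHIVE_EXTS = sorted(
    (".zip", ".rar", ".dat", ".7z", ".sql", ".mdb", ".mdf", ".tgz", ".tar.gz"),
    key=len, reverse=True,
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def probe_stem(path, host):
    """Return the sensitive base name a request targets, or None.

    Matches the generic names above and names derived from the site's own
    hostname (freefixer, freefixer.com, www.freefixer.com in the post).
    """
    name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    for ext in ARCHIVE_EXTS:
        if name.endswith(ext):
            stem = name[: -len(ext)]
            break
    else:
        return None
    host = host.lower()
    bare = host[4:] if host.startswith("www.") else host
    host_stems = {host, bare, bare.split(".", 1)[0]}
    return stem if stem in SENSITIVE_STEMS or stem in host_stems else None


def find_scanners(lines, host, threshold=5):
    """Group probes by client IP.

    Returns {ip: {"probes": n, "hits": [paths answered 2xx]}} for every client
    with at least `threshold` probes. A 2xx on any probe means the archive is
    really exposed and must be removed from the web root, not just blocked.
    """
    stats = defaultdict(lambda: {"probes": 0, "hits": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or probe_stem(rec["path"], host) is None:
            continue
        entry = stats[rec["ip"]]
        entry["probes"] += 1
        if rec["status"].startswith("2"):
            entry["hits"].append(rec["path"])
    return {ip: s for ip, s in stats.items() if s["probes"] >= threshold}


def htaccess_block(ips):
    """Apache 2.4 access-control snippet denying the given clients (assumes the 2.4 Require syntax)."""
    body = "\n".join(f"    Require not ip {ip}" for ip in sorted(ips))
    return f"<RequireAll>\n    Require all granted\n{body}\n</RequireAll>\n"


# Constructed sample: the scanner's HEAD sweep, one host-named probe that
# (hypothetically) succeeds, one legitimate visitor, and one stray single probe.
UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
SAMPLE_LOG = "\n".join(
    [f'142.252.249.27 - - [09/Sep/2019:07:59:18 -0700] "HEAD {p} HTTP/1.1" 404 4128 '
     f'"http://www.example.com{p}" "{UA}"'
     for p in ("/backup.zip", "/db.sql", "/wallet.dat", "/bitcoin.tar.gz", "/beifen.rar")]
    + [f'142.252.249.27 - - [09/Sep/2019:07:59:40 -0700] "HEAD /www.example.com.zip HTTP/1.1" 200 - '
       f'"http://www.example.com/www.example.com.zip" "{UA}"',
       '198.51.100.7 - - [09/Sep/2019:08:01:02 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
       '203.0.113.5 - - [09/Sep/2019:08:02:10 -0700] "GET /backup.zip HTTP/1.1" 404 4128 "-" "curl/7.64.1"']
)

if __name__ == "__main__":
    found = find_scanners(SAMPLE_LOG.splitlines(), "www.example.com")
    for ip, s in found.items():
        print(ip, s)
    print(htaccess_block(found))
```

Against a real log, call `find_scanners(open("access.log"), "www.yoursite.com")`. Blocking by address only stops this one client; the part worth keeping is the stems list, which tells you which file names should never exist in a web root in the first place.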

WiseManager’s CfjdkPfhrU.exe is a Bitcoin Miner – Removal Instructions

I found yet another Bitcoin miner this morning. You might have spotted it because of a new file called WiseManager.exe running at startup, or because of the high CPU usage by CfjdkPfhrU.exe, as shown in the screenshot of the Task Manager below:

[Screenshot: Task Manager showing CfjdkPfhrU.exe CPU usage]

The Wise Manager files are located in C:\Users\%USER%\AppData\Roaming\WiseManager\ and C:\Users\%USER%\AppData\Roaming\WiseManager\CGMInerDLLs.

[Screenshot: WiseManager and CGMInerDLLs folders]

Currently no anti-virus detects the two main files, WiseManager.exe and CfjdkPfhrU.exe, when I uploaded them to VirusTotal, but I assume the scanners will start picking them up sooner rather than later. WiseManager.exe is digitally signed by Moresta Holdings Limited. CfjdkPfhrU.exe is unsigned.

By the way, CfjdkPfhrU.exe sounds like it has been given a random file name. Does your computer show another file hogging the CPU?

Removing WiseManager.exe and CfjdkPfhrU.exe is easy with FreeFixer. Just check WiseManager.exe and CfjdkPfhrU.exe for removal and click the Fix button, and the problem is solved.

[Screenshots: WiseManager.exe startup entry in the Roaming folder; WiseManager.exe and CfjdkPfhrU.exe processes]

Now you can remove the C:\Users\%USER%\AppData\Roaming\WiseManager\ folder manually in Explorer.

I found the Wise Manager Bitcoin miner while testing a free download. WiseManager was bundled inside the download. How did you get Wise Manager and CfjdkPfhrU.exe on your computer?

DGen.exe 100% CPU Usage? – Bitcoin Miner Removal

Do you see a process named dgen.exe running at 99% or even 100% CPU usage? If that is the case someone is mining Bitcoins on your machine!

[Screenshot: dgen.exe high CPU usage in Task Manager]

The dgen.exe Bitcoin miner has been around for some time. I first spotted it about a month ago, but for some reason I chose not to blog about it at that time. However, today I found it again, bundled with another download, so I thought I should post about it after all. Many of the anti-virus programs detect it, as you can see in the scan result from VirusTotal:

[Screenshot: dgen.exe VirusTotal scan result]

How did you get dgen.exe on your machine? Please share by posting a comment.

To remove the dgen.exe bitcoin miner you can check the dgen.exe process and the starthelp.exe service for removal in FreeFixer. This will also fix the high CPU usage that you probably see on your machine.

[Screenshot: dgen.exe process]

The starthelp.exe service appears as “Protect Monitor”:

[Screenshot: starthelp.exe service, listed as "ProtectMonitor" or "Protect Monitor"]

Here’s a video where I show FreeFixer in action while removing dgen.exe and starthelp.exe:

Hope you found this useful. Thank you for watching!
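The WiseManager post above and this dgen.exe post describe the same pattern by hand: a file with a random-looking or generic name burning CPU, living next to its launcher in a user-writable folder or an unfamiliar Program Files subfolder, unsigned or signed by an unknown company, and kept alive by a startup entry or a service. The script below, an added example that is neither the posts' own method nor part of FreeFixer, turns those observations into a scoring rule over a process snapshot and goes a little beyond the posts by adding a crude random-name test and a "shares a directory with a flagged process" bonus. It runs on a constructed snapshot rather than a live machine; the CPU figures, the signature status of dgen.exe and starthelp.exe, and the persistence mechanism of WiseManager.exe are assumptions for the sample, not facts from the posts (the posts only state that WiseManager.exe is signed, CfjdkPfhrU.exe is unsigned, and starthelp.exe runs as the "Protect Monitor" service).

```python
"""Score a process snapshot for the coin-miner pattern these posts describe.

Added example; not FreeFixer's logic and not taken from the posts. Records are
plain dicts so the script runs without a Windows machine: file name, full
path, CPU percentage, whether the file carries a valid Authenticode signature,
and how it persists (None if it does not). Values in SAMPLE_SNAPSHOT that the
posts do not state are assumed for illustration.
"""
import re

# Path fragments that any user (and so any dropper) can write to.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\downloads\\")
VOWELS = set("aeiouy")


def looks_random(filename):
    """Crude test for generated names like CfjdkPfhrU.exe: a run of five or
    more consonants, or almost no vowels at all. It only adds weight; a real
    name with a four-consonant run such as svchost.exe must not trip it."""
    stem = re.sub(r"\.[^.]+$", "", filename).lower()
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5 or vowel_ratio < 0.1


def score(proc):
    """Points and reasons for one record. A signature is worth only one point:
    WiseManager.exe was signed and still part of the miner bundle."""
    path = proc["path"].lower()
    writable = any(marker in path for marker in USER_WRITABLE)
    pts, why = 0, []
    if writable:
        pts += 2
        why.append("runs from a user-writable directory")
    if proc["cpu"] >= 90:
        pts += 2
        why.append("sustained CPU near 100%")
    if not proc["signed"]:
        pts += 1
        why.append("unsigned")
    if looks_random(proc["name"]):
        pts += 1
        why.append("random-looking file name")
    if proc["persistence"] and (writable or not proc["signed"]):
        pts += 1
        why.append("persists via " + proc["persistence"])
    return pts, why


def triage(snapshot, threshold=3):
    """Score every record, then add two points to anything sharing a directory
    with another record already at or above the threshold (the miner and its
    launcher sat side by side in both posts). Returns flagged records, highest
    score first. Names are unique in the sample; key on PID on a real box."""
    base = {p["name"]: score(p) for p in snapshot}
    dirs = {p["name"]: p["path"].lower().rsplit("\\", 1)[0] for p in snapshot}
    flagged = []
    for p in snapshot:
        pts, why = base[p["name"]]
        hot_neighbour = any(
            dirs[q] == dirs[p["name"]] and base[q][0] >= threshold
            for q in base if q != p["name"]
        )
        if hot_neighbour:
            pts += 2
            why = why + ["shares a directory with a flagged process"]
        if pts >= threshold:
            flagged.append({"name": p["name"], "score": pts, "reasons": why})
    return sorted(flagged, key=lambda r: (-r["score"], r["name"]))


# Constructed snapshot modelled on the two posts plus two benign processes.
SAMPLE_SNAPSHOT = [
    {"name": "WiseManager.exe", "path": r"C:\Users\alice\AppData\Roaming\WiseManager\WiseManager.exe",
     "cpu": 1, "signed": True, "persistence": "startup entry"},          # mechanism assumed
    {"name": "CfjdkPfhrU.exe", "path": r"C:\Users\alice\AppData\Roaming\WiseManager\CfjdkPfhrU.exe",
     "cpu": 98, "signed": False, "persistence": None},
    {"name": "dgen.exe", "path": r"C:\Program Files\PCDapp\dgen.exe",
     "cpu": 100, "signed": False, "persistence": None},                  # signature assumed
    {"name": "starthelp.exe", "path": r"C:\Program Files\PCDapp\starthelp.exe",
     "cpu": 0, "signed": False, "persistence": "service 'Protect Monitor'"},  # signature assumed
    {"name": "chrome.exe", "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cpu": 12, "signed": True, "persistence": None},
    {"name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "cpu": 3, "signed": True, "persistence": "service"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_SNAPSHOT):
        print(f"{r['score']:>2}  {r['name']:<16} {'; '.join(r['reasons'])}")
```

The directory-sharing bonus is what pulls the quiet launcher (WiseManager.exe, starthelp.exe) up next to the noisy miner, which matches the removal advice in both posts: take out the launcher and the miner together. To feed real data, build the same records from Get-Process, Get-AuthenticodeSignature and the Run keys or service list.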

Update 2014-08-11: I've seen a few cases where other filenames appear in the “c:\Program Files\PCDapp” folder:

  • cudaminer.exe