Month: December 2009

leaf.rice.net

Uncategorized

| Remote Host | Port Number |
| --- | --- |
| 85.234.148.2 | 17402 |

Other details

* The following port was open in the system:

| Port | Protocol | Process |
| --- | --- | --- |
| 1050 | TCP | lsass.exe (%Windir%\system\lsass.exe) |

Registry Modifications

* The newly created Registry Value is:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + lsass = “lsass.exe”

  so that lsass.exe runs every time Windows starts

Memory Modifications

* There was a new process created in ...

love.blowingbabes.net

Uncategorized

* Unknown Connections
  o Host By Name:
    + Requested Host: love.blowingbabes.net
    + Resulting Address: 192.168.1.1
  o Connection Established: 0
  o Socket: 0
* UDP Connections
  o Send Datagram
    + Remote Address 192.168.1.1
    + Remote Port: 6061
    + Size: 7
  o Receive Datagram
    + Local Port: 0
    + Remote Address 192.168.1.1
    + Remote Port: 6061
    + ...

98.126.125.202(hub.us.com)

Uncategorized

| Remote Host | Port Number |
| --- | --- |
| 112.78.219.146 | 80 |
| 222.76.217.154 | 80 |
| 98.126.125.202 | 47221 |

* The data identified by the following URLs was then requested from the remote web server:
  o http://www.nippon.to/cgi-bin/prxjdg.cgi
  o http://www.cooleasy.com/cgi-bin/prxjdg.cgi

PRIVMSG [N00_USA_XP_3663@ :scan// Trying to get external IP.@ :scan// Random Port Scan started on 192.168.x.x:445 with a delay of 5 seconds for 0 minutes using 25 threads.@ :scan// ...

195.190.13.163(hub.us.com)

Uncategorized

| Remote Host | Port Number |
| --- | --- |
| 112.78.219.146 | 80 |
| 222.76.217.154 | 80 |
| 195.190.13.163 | 47221 |

* The data identified by the following URLs was then requested from the remote web server:
  o http://www.nippon.to/cgi-bin/prxjdg.cgi
  o http://www.cooleasy.com/cgi-bin/prxjdg.cgi

MODE [N00_USA_XP_2766612]@ -ix
PRIVMSG [N00_USA_XP_2766@ :scan// Trying to get external IP.@ :scan// Random Port Scan started on 192.x.x.x:445 with a delay of 5 seconds for 0 minutes using 25 ...

222.35.250.56

Uncategorized

| Remote Host | Port Number | Note |
| --- | --- | --- |
| 116.114.20.98 | 80 | |
| 119.42.233.243 | 80 | |
| 202.110.64.130 | 80 | |
| 202.110.64.140 | 80 | |
| 220.181.68.221 | 80 | |
| 221.204.231.66 | 80 | |
| 221.204.231.91 | 80 | |
| 221.9.252.248 | 80 | |
| 221.9.252.251 | 80 | |
| 221.9.252.252 | 80 | |
| 218.6.8.204 | 6688 | ircd here |
| 61.137.190.246 | 6688 | ircd here |
| 222.35.250.32 | 6060 | ircd here |
| 222.35.250.56 | 21 | |
| 222.35.250.56 | 23793 | |

USER FunshionSoftC PASS ZhiMaKaiMenC for the ftp on port 21

sniff.runescapetube.com

Uncategorized

| Host Name | IP Address |
| --- | --- |
| dell-d3e62f7e26 | 10.1.8.2 |
| sniff.runescapetube.com | 65.23.155.179 |

* C&C Server: 65.23.155.179:8164
* Server Password:
* Username: XP-6306
* Nickname: [00|DEU|293761]
* Channel: #test# (Password: )
* Channeltopic: :.msn.msg RIP :( http://inlakehouse.com/video002.php?=|.aim.msg this kid died from eating halloween candy he got.. look http://inlakehouse.com/video002.php?=|.triton.msg kid died from halloween candy he got http://inlakehouse.com/video002.php?=

Registry Changes by all processes

Create or ...

fgp.e2doo.com

Uncategorized

| Host Name | IP Address |
| --- | --- |
| dell-d3e62f7e26 | 10.1.10.2 |
| fgp.e2doo.com | 66.7.216.18 |

* C&C Server: 66.7.216.18:2345
* Server Password:
* Username: XP-8343
* Nickname: [DEU|00|P|83992]
* Channel: #imb (Password: test)
* Channeltopic: :.msn.stop|.msn.msg hahaha u foto http://freelook.fr.ohost.de/viewimg.php?=

Registry Changes by all processes

Create or Open

Changes

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce “wextract_cleanup0” = rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 “C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP”
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Firevall Administrating” = rndll.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run “Firevall Administrating” = rndll.exe
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ...

videos.sapo.pt

Uncategorized

| Host Name | IP Address |
| --- | --- |
| ftp.xtserverxt.com | 64.211.66.173 |

Outgoing connection to remote server: ftp.xtserverxt.com TCP port 21
Outgoing connection to remote server: ftp.xtserverxt.com TCP port 45685

USER xtserverxt
PASS xt#server#xt

Registry Changes by all processes

Create or Open

Changes

Reads

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared “CUAS”
* HKEY_CURRENT_USER\Keyboard Layout\Toggle “Language Hotkey”
* HKEY_CURRENT_USER\Keyboard Layout\Toggle “Layout Hotkey”
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF “EnableAnchorContext”
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM “Ime File”
* HKEY_CURRENT_USER\Software\Microsoft\CTF “Disable Thread Input Manager”
* HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter “Installed”
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “10”
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders “SecurityProviders”
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Name”
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Comment”
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Capabilities”
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll ...

Server : FBI.GoV [Crew]

Uncategorized

| Remote Host | Port Number |
| --- | --- |
| 82.146.52.236 | 6667 |

MODE [solo][USA|XP|LAN|71546] -ix
JOIN #nes# usb
PONG FBI.GoV

* The following port was open in the system:

| Port | Protocol | Process |
| --- | --- | --- |
| 1050 | TCP | winsvc32.exe (%Windir%\winsvc32.exe) |

Registry Modifications

* The newly created Registry Value is:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + winsvc32 = “winsvc32.exe”

  so that winsvc32.exe runs every time Windows starts

Memory Modifications

* There was a ...

67.43.226.242(big ruski botnet)

Uncategorized

| Remote Host | Port Number |
| --- | --- |
| 67.43.226.242 | 8080 |
| 67.43.232.37 | 1863 |
| 91.207.7.116 | 80 |

USER pmawga pmawga pmawga :ymfiwtkaatzcxdhr
NICK RGqbPVQe
MODE RGqbPVQe +xi
JOIN #las6
USERHOST RGqbPVQe
MODE #m +smntu
MODE #las6 +smntu
NICK gYZaluELE
MODE gYZaluELE +xi
JOIN #rrrrr
USERHOST gYZaluELE
MODE ##xddc +smntu
MODE #xddc1 +smntu
MODE #xddc2 +smntu
MODE #rrrrr +smntu
USER ixaexy ixaexy ixaexy :dpsqkauvusrtzeaz

Other details

* The following ports were open in the system:

| Port | Protocol | Process |
| --- | --- | --- |
| 1052 | TCP | spoolsvc.exe (%System%\spoolsvc.exe) |

2335 ...