Remote Host Port Number
128.204.202.111 6667 PASS nopw
NICK n{US|XPa}ubnrkxy
USER ubnrkxy 0 0 :ubnrkxy
PONG :92C7705D
JOIN #ngr# ngrBot
{NL|W7p}psvawzp) !v
Quits: {NL|W7p}psvawzp [net-217320@E4422491.8D3F578B.324BA75E.IP] (User has been permanently banned from Codeleak (gtfo.)) lol snifers allready in
The hecker runing this net
(boing7898@rox-F8ED71C3.ip61.fastwebnet.it): Boing
* ~#ngr# #codeleak
* irc.codeleak.com :Codeleak’s IRC
* is away (Playing TF2)
* is a Network Administrator
* idle 08:32:09, signon: Sun Apr 22 05:45:29
* End of WHOIS list.
hosting infos:
http://whois.domaintools.com/128.204.202.111
Anonymous - April 22, 2012 at 10:17 pm
boing is a hf kiddie
Anonymous - April 23, 2012 at 2:02 am
I found this, most likely an IRC bot or could be HTTP.
Here is link, see what you can do Pig.
http://sanduhhhbees.info/file2.exe
Pig - April 23, 2012 at 11:50 am
looks like sanduuh removed the file lol
if u still have it upload it somewhere and paste it here
Anonymous - April 23, 2012 at 2:53 pm
Yes, I use HF.
I had only 20 bots and an HTTP, but it wasn't completed.
The server is now offline, so the files are useless.
Boing.
Anonymous - April 24, 2012 at 5:19 am
http://www.2shared.com/file/yVRB5mlo/file2.html
Enjoy
Pig - April 24, 2012 at 6:31 pm
file2.exe is .NET no irc conections from this file
Anonymous - April 25, 2012 at 12:39 am
http://78.47.187.252/
Check it.
Anonymous - April 25, 2012 at 1:12 am
Are you sure you looked at it correctly Pig? I see irc connections going to our old friend we.be.thu.gs. And judging by the channel, #BV1, this is the owners bot. And even topic and connection encryption can't stop people from sniffing what the bot downloads. http://terror-squad.co/topic.txt
Nice selection of files on http://terror-squad.co/
http://pastebin.com/zD9Q5q90
Also, forgot to mention it in the paste, but if you block we.be.thu.gs, the bot attempts to connect to irc.bv1.co. I have also seen it try to connect to irc.bv1.us
Anonymous - April 25, 2012 at 4:57 am
Here is another net, sadly i don't have the exe.
* Connecting to 199.30.50.94 (6664)
–
-Mystical.gov- *** Looking up your hostname…
–
-Mystical.gov- *** Found your hostname (cached)
–
z Nickname is already in use.
–
Mystical.gov 001 g
M0dded by uNkn0wn Crew
Mystical.gov 003 g
–
http://www.uNkn0wn.eu – iD@uNkn0wn.eu
–
Message of the Day, Mystical.gov
Anonymous - April 25, 2012 at 4:43 pm
4chan's /g/ is taking a look at we.be.thu.gs due to all the spam. I'll link you to the archive as the thread will probably be down by the time you read this. https://archive.installgentoo.net/g/thread/24442662
Pig - April 25, 2012 at 5:49 pm
i saw it was .net file and i didnt spend much time on it yesterday lol
now i got all exe files from the terror thing
about mystical the hf hecker u can see his irc channels here http://www.exposedbotnets.com/search?q=Mystical
i m updating the we.be.thu.gs with your information again
and thank your for your contributions here
Pig - April 25, 2012 at 6:05 pm
http://78.47.187.252/ this one need user:passwd
Anonymous - April 26, 2012 at 1:42 pm
Put that http bot on the front page, someone might be able to crack it.
Pig - April 26, 2012 at 4:07 pm
if someone crack this shit dont wonder they will not post it to the public lol