Month: November 2012

(Barracuda irc botnet hosted by France Paris

Server:
Port: 6667
Channel: #Aryan
Oper:
[Paradoxun] (Paradoxun@rofl12345): …
[Paradoxun] ~#Aryan
[Paradoxun] :Lee’s
[Paradoxun] idle 00:03:03, signon: Sat Nov 24 13:31:20
[Paradoxun] End of WHOIS list.

You may remember Paradoxun from here or here. It looks like he may have some aryan bots in the channel as well.

Paradoxun .botkill -s Paradoxun

(ngrbot irc botnet hosted by United States Chicago Steadfast Networks)

Resolved to,
Server:
Port: 1887
Server password: leonis
Channel: #pool
Channel password: leonis
* Topic for #pool is: ~pu hxxp:// 3ea04ecdc19fad85fdf2eb15ba20cc9a ~s -o ~s
* Topic for #pool set by google at Fri Nov 23 10:26:12 2012
Channel: #XP
* Topic for #xp is: ~dw hxxp:// 55c6bf0eac7a786de324c7f34ef6db12 ~dw hxxp:// ee2dcac3f9f630c69dd750cc6abc5b8a
*

(Andromeda http malware hosted by

Server:
Gate file: /andro/image.php

This is just the standard cracked andro, but I noticed something interesting about it. The domain is WhoisGuard-protected, which is often used by skids who don’t want to spend 30 seconds making up fake info for the whois. However, I noticed something in the assembly info of the

(Zeus banking malware and other crap hosted by Germany Frankfurt Am Main Ovh Gmbh)

Resolved to

Zeus
Server:
Gate file:
Config file:

Hosting Zeus on a free host seems like a great idea.

Bonus “secure soft” bot from the same guy
Server:
Gate file: /Vote%20Gateway%20%20%20blabla%20%20%20Metin2%20P-Server%20Liste_files/Admin/acces/update/connect.php

He was using this to DDoS Israeli sites during the Gaza bombardment. Germany strikes again.

Stats panel

(ngr irc botnet hosted by Germany Frankfurt Am Main Voxility S.r.l.)

Server:
Port: 1234
Server password: secret
Channel: #nigg
Channel password: secret
Topic for #nigg is: .slow 80 .slow 80 .slow 80 .slow 80
Topic for #nigg set by pb at Wed Nov 21 14:38:45 2012
Oper: pb!abuse@boss

Checking out the IPs, it looks like he is attacking carding/dumps websites

Multiple barracuda http bots hosted by Russian Federation Moscow Pallada Web Service Llc

This is the new IP of Tropical Paradise’s shared hosting for his shitty .net http bot.

Domain:
Gate file: /endless14/bot.php
Domain:
Gate file: /phpadmin141/bot.php
Domain:
Gate file: /liquified61/bot.php
Domain:
Gate file: bot.php

It looks like he’s finally figured out that leaving the panel in the root directory is a bad