filestorage.ws (37.221.170.221) (Athena IRC botnet hosted by voxility.net)

Resolved filestorage.ws to 157.101.50.101 => Athena l33t IP decryption => 37.221.170.221

Athena now ships with a tool that encrypts the C2 server IP, so the address the domain resolves to is not the real one. A disgruntled customer has already leaked the encryption program, so anyone without access to a bot binary can reverse that instead to recover the method. I wouldn't run it outside of a VM, as it seems awfully large for such a simple program. Here it is.
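As an added example (not the author's code, and not the Athena tool itself), here is a small Python decoder for the per-octet scheme the post and the comment below describe. The rule is taken from the worked values on the page, 157.101.50.101 => 37.221.170.221: an octet below 123 has 120 added, and an octet at or above 123 has 120 subtracted (the subtraction branch is an assumption inferred from 157 => 37 and 221 <= 101; the comment's own wording says "adds" for both cases). The threshold and shift constants are assumptions, not values confirmed against the binary.

```python
import ipaddress

# Per-octet shift observed on the page: 157.101.50.101 -> 37.221.170.221.
# ASSUMPTION: octets below 123 gain 120, octets at or above 123 lose 120.
# Both branches keep the result inside 0..255, so the output is always a
# syntactically valid IPv4 address.
THRESHOLD = 123
SHIFT = 120


def transform_octet(octet: int) -> int:
    """Apply the shift rule to a single octet."""
    if not 0 <= octet <= 255:
        raise ValueError(f"octet out of range: {octet}")
    return octet + SHIFT if octet < THRESHOLD else octet - SHIFT


def decode_ip(decoy: str) -> str:
    """Turn the address a bot receives from DNS into the real C2 address."""
    addr = ipaddress.IPv4Address(decoy)  # rejects malformed input early
    real = [transform_octet(o) for o in addr.packed]  # .packed yields the four octets
    return ".".join(str(o) for o in real)


def round_trips(ip: str) -> bool:
    """The rule is its own inverse only for octets in 3..242; applying it twice
    to a candidate and comparing with the input is a cheap sanity check when
    you are not sure a DNS answer is an obfuscated one."""
    return decode_ip(decode_ip(ip)) == ip


if __name__ == "__main__":
    dns_answer = "157.101.50.101"  # value from the post
    print(dns_answer, "=>", decode_ip(dns_answer))
    print("self-inverse for this value:", round_trips(dns_answer))
```

Because the same operation maps 37.221.170.221 back to 157.101.50.101, the function serves both directions for the octet range the page's values fall in; the `round_trips` helper exposes the edge case where an octet of 0..2 or 243..255 would not survive the double application.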

Server:  37.221.170.221
Port:  90
Server password:  123
Channel:  #g1h11
Channel password:  g1h1

Opers:
[pig] (post@comodo): …
[pig] @#g1h11
[pig] irc.server.net :IRC server
[pig] is a Bot on IRC server
[pig] idle 04:15:54, signon: Mon Feb 04 01:48:42
[pig] End of WHOIS list.
[g1h1] (g1h1@comodo): …
[g1h1] @#g1h11
[g1h1] irc.server.net :IRC server
[g1h1] is a Bot on IRC server
[g1h1] idle 04:14:23, signon: Mon Feb 04 02:08:30
[g1h1] End of WHOIS list.

DDoS logs

Now talking on #g1h11
Topic for #g1h11 is: !ddos.http.rudy http://www.cchs.com/ 80 80000
Topic for #g1h11 set by g1h1 at Mon Feb 04 16:20:00 2013
g1h1:    !ddos.layer4.udp 84.110.36.236 3074 1000
g1h1:    !ddos.layer4.udp 84.110.36.236 3074 1000
g1h1:    !ddos.layer4.udp 84.110.36.236 3074 1000
g1h1 has changed the topic to:
g1h1 has changed the topic to: !ddos.layer4.udp 84.110.36.236 3074 1000
g1h1 has changed the topic to: !ddos.http.rudy http://www.cchs.com/ 80 80000
g1h1:    !ddos.stop
g1h1 has changed the topic to:
g1h1:    !ddos.http.rapidget http://www.ynet.co.il/home/0,7340,L-8,00.html 80 500
g1h1:    !ddos.stop
g1h1:    !ddos.http.rapidget http://www.ynet.co.il 80 500
g1h1:    !ddos.stop
g1h1:    !ddos.http.slowpost http://my.vmbox.co 8081 100
g1h1:    !ddos.stop
g1h1:    !ddos.http.rapidget http://m.vmbox.co 80 500
g1h1:    !ddos.stop
g1h1:    !ddos.http.slowpost http://vmbox.co 8081 100
g1h1:    !ddos.stop
pig:    !decrypt c,c|SVN5
g1h1:    !ddos.http.rudy http://www.cchs.com/ 80 80000
g1h1 has changed the topic to: !ddos.http.rudy http://www.cchs.com/ 80 80000
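The channel log above shows the operator's command syntax: `!ddos.<layer>.<method> <target> <port> <parameter>` to start an attack and `!ddos.stop` to end it. As an added example (not the author's code), the following Python parser pulls those commands out of a captured log into structured records so an analyst can list the victims and ports to notify. The sample log is constructed from lines shown in the post; the record field names are my own.

```python
import re
from urllib.parse import urlparse

# Command shapes seen in the captured channel (from the post):
#   !ddos.<layer>.<method> <target> <port> <parameter>
#   !ddos.stop
CMD_RE = re.compile(
    r"!ddos\.(?P<layer>\w+)\.(?P<method>\w+)\s+(?P<target>\S+)\s+(?P<port>\d+)\s+(?P<param>\d+)"
)
STOP_RE = re.compile(r"!ddos\.stop\b")

# Constructed sample: lines copied from the channel log in the post.
SAMPLE_LOG = """\
g1h1:    !ddos.layer4.udp 84.110.36.236 3074 1000
g1h1 has changed the topic to: !ddos.http.rudy http://www.cchs.com/ 80 80000
g1h1:    !ddos.stop
g1h1:    !ddos.http.rapidget http://www.ynet.co.il 80 500
pig:    !decrypt c,c|SVN5
g1h1:    !ddos.http.slowpost http://vmbox.co 8081 100
"""


def _host_of(target: str) -> str:
    """Reduce a URL or bare address to the host the attack is aimed at."""
    if "://" in target:
        return urlparse(target).hostname or target
    return target


def parse_line(line: str):
    """Return a record for a start/stop command on this line, or None."""
    issuer = line.split()[0].rstrip(":") if line.split() else ""
    if STOP_RE.search(line):
        return {"issuer": issuer, "action": "stop"}
    m = CMD_RE.search(line)
    if not m:
        return None  # chatter or unrelated commands (e.g. !decrypt)
    d = m.groupdict()
    return {
        "issuer": issuer,
        "action": "start",
        "layer": d["layer"],
        "method": d["method"],
        "target": d["target"],
        "host": _host_of(d["target"]),
        "port": int(d["port"]),
        "param": int(d["param"]),
    }


def attacks(log: str):
    """All attack-start records in the log, in order."""
    recs = (parse_line(l) for l in log.splitlines())
    return [r for r in recs if r and r["action"] == "start"]


def stop_count(log: str) -> int:
    return sum(1 for l in log.splitlines() if (r := parse_line(l)) and r["action"] == "stop")


def targets(log: str):
    """Sorted, de-duplicated list of victim hosts, e.g. for abuse notifications."""
    return sorted({r["host"] for r in attacks(log)})


if __name__ == "__main__":
    for r in attacks(SAMPLE_LOG):
        print(f'{r["issuer"]:6} {r["layer"]}/{r["method"]:9} {r["host"]}:{r["port"]} param={r["param"]}')
    print("stops:", stop_count(SAMPLE_LOG))
    print("hosts:", targets(SAMPLE_LOG))
```

Topic changes and direct messages both carry the command text, so the parser searches anywhere in the line rather than anchoring on the nickname prefix; the `!decrypt` line is correctly ignored.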

Hosting info: http://whois.domaintools.com/37.221.170.221


1 Comment

Admin - February 14, 2013 at 6:10 am

No need for RE to figure out the IP encryption. It adds 120 to each octet if the octet value is < 123, else it adds 120.
