Resolved webhostingprotection.info to 46.166.163.131
Server: webhostingprotection.info
Gate file: /icool/order.php
This was from the closed beta of the Betabot HTTP bot. The server files have been taken down now, so there is not much point visiting the site. There wasn’t much to see except evidence of the coder’s man crush on the steely gaze of Brian Krebs.
For something that apparently took so long to code, the bot seems to be pretty shitty. It injects into Skype to bypass the Windows firewall, and for some reason this makes it kill Skype as soon as you attempt to log in. I’m assuming this will negatively affect the Skype spreader that is apparently included.
Anyone who wants to check out the “userkit” or formgrabbers or any other supposed feature can examine one of the binaries below.
Hosting info: http://whois.domaintools.com/46.166.163.131
EDIT: apparently this post caused some drama
<Mystical> ddosing linkbucks
<BV1> ok
<Mystical> next is exposedbotnets to get ddosed
<Illuminatus> lol'd
<Illuminatus> Even though they're hosted on Google's servers.
<BV1> arent they on google server?
<Mystical> not if i have the real ip for it lol.
<Mystical> and they are hosted on a small box
<Illuminatus> Umm...
<BV1> mystical its not like that
<BV1> its a blogger acc with a paid domain
<Illuminatus> Thought it was hosted on blogger...
<BV1> blogger is all google
<Illuminatus> Which is hosted on Google's servers...
<Illuminatus> ^
<Mystical> fuck it.
<BV1> it's literally on googles server
<Mystical> I report to abuse.ch
<Illuminatus> lol
<Mystical> ughghghghhghghghghghghhghghghgh fuckkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
<Illuminatus> Google doesn't care about reports.
<Illuminatus> Unless it's like OMFG EXPLOIT PACK status.
<BV1> I think google is giving Skidlist some heat unless I misunderstood him
<R3TR0_TBYH> drive by bitch....
<Illuminatus> Why would Google be giving them heat?
<bake> Mystical you could probably blacklist the domain
<bake> just throw the domain in a few banking bot bins and then distribute it over fuckall
<Mystical> bake
<Mystical> He removed file
<Mystical> So allis good.
<bake> ahh very nice :)
<Mystical> or not.
<bake> http://gyazo.com/7b44bd184b08e0250f6e712e535b84b6
<Mystical> fuck it mind as well kill linkbucks till they stop
<bake> he'll probably re upload
<bake> wasnt taken off on purpose
<Mystical> yeah
<Illuminatus> http://www.hackforums.net/showthread.php?tid=3196344&pid=30139510#pid30139510
<Mystical> w/e ill see how many of the largest sites i can drop.
<Illuminatus> Didn't fall for it.
<Illuminatus> or did he...
<Illuminatus> Categorized as trolled?
<Illuminatus> What is he trying to upload?
<Illuminatus> I got ya.
<Illuminatus> I'm slow.
<Illuminatus> http://www.exposedbotnets.com/2013/01/webhostingprotectioninfo-betabot-http.html
<Illuminatus> Mand crush?
<Illuminatus> man*
<cr0ss> the fuck
<cr0ss> lol
<Illuminatus> cr0ss
<Illuminatus> The vm kid didn't get what I was saying.
<Illuminatus> :
<cr0ss> lol
<cr0ss> ...
<TouchMe> http://www.youtube.com/watch?v=LkKKTsJZ5kU
<TouchMe> lolol
<gaymonkey> For something that apparently took so long to code, they bot seems pretty shit.
<gaymonkey> lol betamonkey
<R3TR0_TBYH> wtf did i just watch
<R3TR0_TBYH> :'(
<Illuminatus> I read that and was like... wow.
<Illuminatus> Why does he have to crush dreams?
<betamonkey> gaymonkey: well
<betamonkey> he doesn't reverse things now does he
<betamonkey> lol
<TouchMe> now i know how people at the fb datacenter feel
<snooze> "the coder's man crush on the steely gaze of Brian Krebs."
<snooze> what was that about?
<betamonkey> lol
<betamonkey> the login page displays a krebs face
<betamonkey> if you enter wrong info
<cr0ss> thA fucK
Anonymous - January 29, 2013 at 3:44 am
Please re upload file!
Anonymous - January 29, 2013 at 3:50 am
Can you re upload the sample!? I'd love to reverse and crack this, I have been waiting for this for a while
Pig - January 29, 2013 at 2:12 pm
links are working fine check the mirror
Anonymous - April 2, 2013 at 6:51 pm
Download from here http://trojanforge.com/attachment.php?attachmentid=420&d=1359435717
pass:-infected
you need acc to download
check md5 hash its same
so here is i uploaded .panel is too there on that site but am lazy.
http://uppit.com/2cqj9zweudl6/Beta_bot.rar
mirrors:- http://www.mirrorcreator.com/files/0VENWLSK/Beta_bot.rar_links
pass is same