Sunday, February 15, 2015

Blue Botnet - HTTP Botnet

Found a sample in the wild.



The sample was uncrypted (no crypter on it) as well, and it is coded in .NET C#.



Let's also take a look inside (.NET).



Traced the bot back and found the host, hacked it, got his panel.rar lol, so the following pictures are just a demo on my local net.



// index.php (from the captured panel; the original post cuts it off mid-function, so the closing braces are added here to make it parse)
<?php
error_reporting(E_ERROR | E_PARSE);
if (file_exists("phash") == false){
 // no password file yet: the first visitor is sent to create one
 header("Location: register.php");
} else {
 $filename = "phash";
 $fp = fopen($filename, "r");
 $content = fread($fp, filesize($filename));
 fclose($fp);
 $storedPassHash = $content;
 // the cookie carries a hash, not a password: whoever holds that cookie value is logged in
 $passHash = $_COOKIE['phash'];
 // hard-coded static salt, plain MD5, and a loose (!=) string comparison
 if (md5("randomsalt".$passHash) != $storedPassHash){
  header("Location: login.php");
 }
 // ... the rest of the panel code was cut off in the original post
}

Different DDoS methods are used: HTTP proxy flood, WordPress pingback (xmlrpc), TCP, etc.
Looks like HyperBeamEngine.



A demo of the TCP flood; to get its task the bot requests:
botserver/panel/target.ip
botserver/panel/target.method
botserver/panel/target.port





HTTP flood: the HTTP proxies from the settings are saved at "botserver/panel/proxy"; that is where the bot reads them from
if target.method is HTTPFLOOD.







WordPress pingback, or PRESS as he calls it, works the same as HTTPFLOOD, but here the file is saved under
botserver/panel/blog; that is the file the hosts are added to in the settings.
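The task-polling pattern described above (the bot fetching target.ip, target.method and target.port, and proxy or blog, from the panel as plain-text files) is easy to spot in web-proxy logs. The following Python is an added example and not code from the original post; the log line format and the 10.0.0.x clients are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log lines (not from the original post): one client
# polling the panel's task files, mixed with unrelated traffic and a 404.
SAMPLE_LOG = """\
2015-02-15T10:00:01 10.0.0.7 GET http://botserver/panel/target.ip 200
2015-02-15T10:00:01 10.0.0.7 GET http://botserver/panel/target.method 200
2015-02-15T10:00:02 10.0.0.7 GET http://botserver/panel/target.port 200
2015-02-15T10:00:02 10.0.0.7 GET http://botserver/panel/proxy 200
2015-02-15T10:00:05 10.0.0.9 GET http://example.org/index.html 200
2015-02-15T10:00:06 10.0.0.9 GET http://example.org/target.ip 404
2015-02-15T10:05:01 10.0.0.7 GET http://botserver/panel/target.ip 200
"""

# The three task files the post shows the bot requesting for every task.
TASK_FILES = ("target.ip", "target.method", "target.port")
LINE_RE = re.compile(
    r"^(\S+) (\S+) GET \S*/(target\.(?:ip|method|port)|proxy|blog) (\d{3})$")

def find_polling_clients(log_text, window_seconds=10):
    """Return {client: [iso_timestamp, ...]} for each client that fetched all
    three target.* files within window_seconds (the bot's polling signature)."""
    seen = defaultdict(list)  # client -> [(timestamp, filename), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, fname, status = m.groups()
        if status != "200":  # a 404 means no task file is actually served there
            continue
        seen[client].append((datetime.fromisoformat(ts), fname))
    hits = {}
    for client, events in seen.items():
        events.sort()
        for i, (t0, fname) in enumerate(events):
            if fname != TASK_FILES[0]:
                continue
            # files fetched by this client within the window starting at t0
            window = {f for t, f in events[i:]
                      if t - t0 <= timedelta(seconds=window_seconds)}
            if all(f in window for f in TASK_FILES):
                hits.setdefault(client, []).append(t0.isoformat())
    return hits

if __name__ == "__main__":
    for client, times in find_polling_clients(SAMPLE_LOG).items():
        print(f"{client}: polled panel task files at {', '.join(times)}")
```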



An online running botnet I found is here:
hxxp://burimche.net/help/login.php
// all online IPs of bots
hxxp://burimche.net/help/visitors.txt
hxxp://burimche.net/help/target.ip
hxxp://burimche.net/help/target.method
hxxp://burimche.net/help/target.port
// online bots
hxxp://burimche.net/help/botlogger.php
Want the sample and panel? Contact me by email, for research purposes only!!

4 comments:

  1. Can I get the sample and panel if you don't mind!

     Replies
     1. Sure, just send me a mail here: itsownzblog@gmail.com

  2. Can I get the sample and panel? Please? revo@doctor.com

  3. Great, but why upload to VirusTotal? And the blog list is how you launch the XMLRPC pingback attack, by using blogs with it active.