
The sample was uncrypted as well, and it is also coded in .NET C#.

Let's also take a look inside (.NET).

Traced the bot back and found the host, hacked it, got his panel.rar lol, so the following pictures are just a demo
on my local net.

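// index.php
<?php
error_reporting(E_ERROR | E_PARSE);
// No stored password hash yet: send the visitor to the registration page
if (file_exists("phash") == false){
 header("Location: register.php");
} else {
 // Read the stored hash from the "phash" file
 $filename = "phash";
 $fp = fopen($filename, "r");
 $content = fread($fp, filesize($filename));
 fclose($fp);
 $storedPassHash = $content;
 // The cookie value is hashed as md5(fixed salt + cookie) and compared with the stored hash
 $passHash = $_COOKIE['phash'];
 if (md5("randomsalt".$passHash) != $storedPassHash){
  header("Location: login.php");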

It uses different DDoS methods: HTTP proxy flood, WordPress Pingback (xmlrpc), TCP, etc.
It looks like HyperBeamEngine.


A demo of the TCP flood. It requests:
botserver/panel/target.ip
botserver/panel/target.method
botserver/panel/target.port


HTTP flood: the HTTP proxies from the settings are saved at "botserver/panel/proxy"; that is how the bot reads them
if the target.method is HTTPFLOOD.



WordPress Pingback, or PRESS as he calls it: same as with HTTPFLOOD, but here the file is saved under
botserver/panel/blog; that is the file we add hosts to in the settings.
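
A defensive use of the file layout described above, as an added example that is not part of the original post or the bot's code: a Python check that scans outbound proxy logs for internal clients fetching all three task files (target.ip, target.method, target.port) from the same directory. The log format, host names and function name are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Task files the bot polls, as named in the post.
TASK_FILES = {"target.ip", "target.method", "target.port"}
# Extra list files the post says are read for the HTTPFLOOD and PRESS methods.
LIST_FILES = {"proxy", "blog"}

# Constructed sample proxy log, one request per line:
# "<client_ip> <method> <url>" (this format is an assumption).
SAMPLE_LOG = """\
10.0.0.21 GET http://botserver.example/panel/target.ip
10.0.0.21 GET http://botserver.example/panel/target.method
10.0.0.21 GET http://botserver.example/panel/target.port
10.0.0.21 GET http://botserver.example/panel/proxy
10.0.0.35 GET http://intranet.example/docs/target.port
10.0.0.35 GET http://news.example/blog
10.0.0.40 GET http://cdn.example/static/app.js
"""

def find_polling_clients(log_text):
    """Return {(client, host + directory): [list files fetched]} for every
    client that fetched all three task files from one directory on one host."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "GET":
            continue  # skip malformed lines and non-GET requests
        client, _, url = parts
        u = urlsplit(url)
        base, _, name = u.path.rpartition("/")
        if name in TASK_FILES | LIST_FILES:
            seen[(client, u.netloc + base)].add(name)
    # A single matching file name is common and benign; require the full trio.
    return {key: sorted(names & LIST_FILES)
            for key, names in seen.items() if TASK_FILES <= names}

if __name__ == "__main__":
    for (client, base), extra in find_polling_clients(SAMPLE_LOG).items():
        print(f"{client} polls {base} (list files fetched: {extra or 'none'})")
```

Requiring all three file names from the same directory keeps unrelated hits, such as a site with a /blog path, out of the results.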

A live botnet I found is here:
hxxp://burimche.net/help/login.php
// all online IPs of bots
hxxp://burimche.net/help/visitors.txt
hxxp://burimche.net/help/target.ip
hxxp://burimche.net/help/target.method
hxxp://burimche.net/help/target.port
// online bots
hxx://burimche.net/help/botlogger.php

Want the sample and panel? Contact me by email, for research purposes only!
 
Can I get the sample and panel, if you don't mind?

Sure, just send me a mail here: itsownzblog@gmail.com

Can I get the sample and panel? Please? revo@doctor.com

Great, but why upload to VirusTotal? And the blog list is how you launch the XMLRPC pingback attack, by using blogs with it active.