To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Hi,

Denzel was op in chan, and also when he rejoined, xeQt did say: "He is the owner", yes I know, it's only a sentence. Aslpls- did play an active role in the talk with xeQt, also I know that it's not point to be botnet herder, my mistake, but I think he cooperates with these herders.

From eu.undernet.org they moved to 72.20.41.242:6667, it's some Turkish IRC.

Bot source
http://globizgroup.com/.img/weed.txt
http://www.honeynet.cz//bots/be122b32f47b56101c156b5f38b55526.txt

Log from yesterday's session..
http://www.honeynet.cz/trash/72.24.41.242.log

Cheers
David Vorel

On Wed, Mar 21, 2007 at 08:50:01PM -0400, PinkFreud wrote:
> What makes you think Denzel and aslpls- are running the bots? I saw
> one line where aslpls- changed his nick (he was obviously friendly with
> xeQt), but I saw nothing in the log about Denzel.
>
> Also, as far as the bot script, toyo.txt, goes:
>
> $vhost = "e8ea21c62fc9b75647054059b815d350";
> $vhost2 = "7886906c819599697c97aa15d8e37f62";
> $vhost3 = 'xeQt.users.undernet.org';
>
> ...
>
> if ( md5(md5($hostname[1])) == $vhost || md5(md5($hostname[1])) == $vhost2
>      || $hostname[1] == $vhost3 ) {
>
> The md5 of xeQt.users.undernet.org is e8ea21c62fc9b75647054059b815d350
> - however, I don't think that first match will ever work, as it passes
> the result of the first md5 to a second call of md5() - which should
> effectively generate an md5 of an md5.
>
> I'm not sure what the host in $vhost2 is yet - if I can find more
> information on the drone herders in the channel, it may be possible to
> figure that out.
>
> Also, on a side note, xeQt appears to be coming from 217.116.179.150
> (either ns.host4u.at or ns2.host4u.at, depending on whether you believe
> the A or the PTR).
>
>
> On Wed, Mar 21, 2007 at 07:03:16PM +0100, David Vorel babbled thus:
> > zombie based botnet spreads through various bugs in PHP. Undernet
> > admins please take a look at it. Description follows. Botnet herders are
> > Denzel, xeQt, aslpls-.
>
> --
> PinkFreud
> Chief of Security, Nightstar IRC network
> irc.nightstar.net | www.nightstar.net
> Server Administrator - Blargh.CA.US.Nightstar.Net
> Unsolicited advertisements sent to this address are NOT welcome.
_______________________________________________
All list and server information are public and available to
law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
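
Added example, not part of the original thread or of the bot script: a small Python helper for the hash question raised in the quoted reply. It tests candidate hostnames (for instance ones seen in channel logs) against the two stored hashes and reports whether a hash is the single MD5 of the hostname, which the script's md5(md5(...)) comparison would not accept, or the double MD5. The function names and the placeholder hostname are assumptions made for this example.

```python
import hashlib

# Hashes quoted from toyo.txt in the message above.
VHOST = "e8ea21c62fc9b75647054059b815d350"
VHOST2 = "7886906c819599697c97aa15d8e37f62"


def php_md5(text):
    """Mirror PHP md5(): lowercase hex digest of the string's bytes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def bot_accepts(hostname, targets=(VHOST, VHOST2)):
    """The script's test, modelled as plain string equality (assumption):
    md5(md5($hostname[1])) equal to one of the stored hashes."""
    return php_md5(php_md5(hostname)) in targets


def classify(hostname, targets=(VHOST, VHOST2)):
    """Return [(stored_hash, form)] for each stored hash the hostname explains.

    form is "double" when the script's check would match, and "single" when
    the stored value is only md5(hostname), which the double-md5 check
    never matches.
    """
    single = php_md5(hostname)
    double = php_md5(single)
    hits = []
    for target in targets:
        if target.lower() == double:
            hits.append((target, "double"))
        elif target.lower() == single:
            hits.append((target, "single"))
    return hits


def triage(candidates, targets=(VHOST, VHOST2)):
    """Map each candidate hostname that explains a stored hash to its hits."""
    results = {}
    for host in candidates:
        hits = classify(host, targets)
        if hits:
            results[host] = hits
    return results


if __name__ == "__main__":
    # The hostname the script itself contains, plus a constructed placeholder.
    seen = ["xeQt.users.undernet.org", "constructed.users.example.net"]
    for host, hits in triage(seen).items():
        print(host, hits)
```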
