

"BotNet By AbduL" - shutdown

']['€AM€LiT€ Forum - News, Reports and Alerts

 
 Vektor

  2009-06-06
  10:14:55

 
Quote:
[10:45] <[H-€]-toRR>

  Download Virtualx Multi Tools Pack v1.0:

  http://ploiesti.no-ip.org/Vx_1.0_Tool_Pack.exe

  * Acest pack contine:

    • ApexDC++ v1.2 Pro
    • BSPlayer v2.4.1 Pro
    • Daemon Tools v4.30.4
    • MW TV Station v2.3 Pro
    • Ratio Master v1.7.4 Pro
    • TeamViewer v4.1.6 PRo
    • Winamp v5.55.2 PRo
    • Windows 7 Genuine Activation v1.2
    • Yahoo! Messenger 9.0.12
    • Youtube Downloader v.4.1 Pro

  * Pentru a instala softul dorit click buton si setup'ul va porni.

  http://ploiesti.no-ip.org/Vx_1.0_Tool_Pack.exe


The address ploiesti.no-ip.org is hosted by the spammer,

Quote:
ploiesti.no-ip.org = 89.35.204.227


Nicknames used by this spammer: [-1-]-Abdul, AbduL (IP=' 89.35.204.227 ' Host='  ' User=' AbduL '), C0v0raSh (C0v0raSh 89.35.204.227, connected: 2009-06-05 22:16:00 for 24 minutes 27 seconds), [H-€]-toRR (IP=' 89.35.204.227 ' Host='  ' User=' [H-€]-toRR ').

Of course, Vx_1.0_Tool_Pack.exe extracts RxBot.

Settings:
  • Server address: cuczor.zapto.org:3000 (89.43.99.67)
  • Channel: #pv
  • Prefix for bots: [n]*
  • Login password for bots: dd0s
  • Changed about information: BotNet By AbduL [  modded ]
  • Local path to his botnet project: C:\Documents and Settings\Administrator\Desktop\botsrc7[1].6rx\Rxbot 7.6\Debug\rBot.pdb


Quote:
[11:08] *** Connected
[11:08] *** Join/part showing on
[11:08] *** Looking up your hostname
[11:08] *** Checking Ident
[11:08] *** Got ident response
[11:08] *** Couldn't look up your hostname
[11:08] <my.server.name> MODE :Register first.
[11:08] <my.server.name> Welcome to the Internet Relay Network [n]758887
Your host is my.server.name, running version beware1.5.7
This server was created Tue Jul 13 2004 at 20:36:07 GMT
my.server.name beware1.5.7 dgikoswx biklmnoprstv
MAP SILENCE=15 WHOX WALLCHOPS WALLVOICES USERIP CPRIVMSG CNOTICE MODES=6 MAXCHANNELS=10 MAXBANS=45 :are supported by this server
[11:08] <my.server.name> NICKLEN=9 TOPICLEN=160 AWAYLEN=160 KICKLEN=160 CHANTYPES=#& PREFIX=(ov)@+ CHANMODES=b,k,l,rimnpst CASEMAPPING=rfc1459 :are supported by this server
There are 75 users and 0 invisible on 1 servers
1 :unknown connection(s)
1 :channels formed
I have 75 clients and 0 servers
[11:08] *** [n]758887 Highest connection count: 152 (152 clients)
[11:08] <my.server.name> MOTD File is missing
[11:08] *** [n]758887 on 2 ca 2(4) ft 10(10)
[11:08] *** Joins: [n]855782
[11:08] *** Joins: [n]157019
[11:08] *** Joins: [n]148256
[11:08] *** Joins: [n]277134
[11:08] *** Joins: [n]136429
[11:08] *** Joins: [n]578785
[11:08] *** Joins: [n]773130
[11:08] *** Joins: [n]132408
[11:08] *** Joins: [n]769201
[11:08] *** Joins: [n]669999
[11:08] *** Joins: [n]151607
[11:08] *** Joins: [n]456041
[11:08] *** Joins: [n]756115
[11:08] *** Joins: [n]798933
[11:08] *** Joins: [n]068642
[11:08] *** Joins: [n]434838
[11:08] *** Joins: [n]210566
[11:08] *** Joins: [n]060802
[11:08] *** Joins: [n]836781
[11:08] *** Joins: [n]263559
[11:08] *** Joins: [n]170133
[11:08] *** Joins: [n]453453
[11:08] *** Joins: [n]500333
[11:08] *** Joins: [n]524460
[11:08] *** Joins: [n]129256
[11:08] *** Joins: [n]825094
[11:08] *** Joins: [n]554298
[11:08] *** Joins: [n]665002
[11:08] *** Joins: [n]054261
[11:08] *** Joins: [n]780193
[11:08] *** Joins: [n]127767
[11:08] *** Joins: [n]316211
[11:08] *** Joins: [n]793308
[11:08] *** Joins: [n]323583
[11:08] *** Joins: [n]720552
[11:08] *** Joins: [n]580708
[11:08] *** Joins: [n]475559
[11:08] *** Joins: [n]576366
[11:08] *** Joins: [n]798803
[11:08] *** Joins: [n]386695
[11:08] *** Joins: [n]833493
[11:08] *** Joins: [n]872219
[11:08] *** Joins: [n]080424
[11:08] *** Joins: [n]444874
[11:08] *** Joins: [n]648023
[11:08] *** Joins: [n]393927
[11:08] *** Joins: [n]399823
[11:08] *** Joins: [n]035921
[11:08] *** Joins: [n]439487
[11:08] *** Joins: [n]123187
[11:08] *** Joins: [n]507452
[11:08] *** Joins: [n]785143
[11:08] *** Joins: [n]873944
[11:08] *** Joins: [n]400495
[11:08] *** Joins: [n]549321
[11:08] *** Joins: [n]830865
[11:08] *** Joins: [n]323567
[11:08] *** Joins: [n]672890
[11:08] *** Joins: [n]147971
[11:08] *** Joins: [n]145951
[11:08] *** Joins: [n]308633
[11:08] *** Joins: [n]459703
[11:08] *** Joins: [n]060671
[11:08] *** Joins: [n]435426
[11:08] *** Joins: [n]024177
[11:08] *** Joins: [n]514580
[11:08] *** Joins: [n]402483
[11:08] *** Joins: [n]514988
[11:08] *** Joins: [n]661356
[11:08] *** Joins: [n]665697
[11:08] *** Joins: [n]269430
[11:08] *** Joins: [n]111767
[11:08] *** Joins: [n]367861
[11:08] *** Joins: [n]923666
[11:08] *** Joins: [n]862409
[11:09] *** Parts: [n]500333
[11:11] *** Parts: [n]830865
[11:12] *** Parts: [n]872219
[11:12] *** Parts: [n]263559
[11:12] *** Joins: [n]149180
[11:13] *** Parts: [n]780193
[11:13] *** Parts: [n]785143
[11:13] *** Parts: [n]793308
[11:13] *** Parts: [n]798803
[11:13] *** Parts: [n]136429
[11:13] *** Parts: [n]769201
[11:13] *** Parts: [n]773130
[11:13] *** Parts: [n]798933
[11:13] *** Parts: [n]825094
[11:13] *** Parts: [n]833493
[11:14] <my.server.name> [n]665002 :Target change too fast. Please wait 112 seconds.
[11:14] Private message from [n]648023: <[n]648023> [MAIN]: Removing Bot.
[11:14] <my.server.name> [n]665002 :Target change too fast. Please wait 113 seconds.
[11:14] *** Parts: [n]648023
[11:14] Private message from [n]661356: <[n]661356> [MAIN]: Removing Bot.
[11:14] *** Parts: [n]661356
[11:14] <my.server.name> [n]665697 :Target change too fast. Please wait 113 seconds.
[11:14] <my.server.name> [n]665697 :Target change too fast. Please wait 113 seconds.
[11:14] <my.server.name> [n]669999 :Target change too fast. Please wait 113 seconds.
[11:14] <my.server.name> [n]669999 :Target change too fast. Please wait 113 seconds.
[11:14] *** Parts: [n]147971
[11:15] <Lithium> .login dd0s
[11:15] <Lithium> .remove
[11:15] <[n]665697> [MAIN]: Password accepted.
[11:15] <[n]514988> [MAIN]: Password accepted.
[11:15] <[n]111767> [MAIN]: Password accepted.
[11:15] <[n]308633> [MAIN]: Password accepted.
[11:15] <[n]435426> [MAIN]: Password accepted.
[11:15] <[n]402483> [MAIN]: Password accepted.
[11:15] <[n]060671> [MAIN]: Password accepted.
[11:15] <[n]323567> [MAIN]: Password accepted.
[11:15] <[n]672890> [MAIN]: Password accepted.
[11:15] <[n]367861> [MAIN]: Password accepted.
[11:15] <[n]386695> [MAIN]: Password accepted.
[11:15] <[n]444874> [MAIN]: Password accepted.
[11:15] <[n]439487> [MAIN]: Password accepted.
[11:15] <[n]514580> [MAIN]: Password accepted.
[11:15] <[n]507452> [MAIN]: Password accepted.
[11:15] <[n]923666> [MAIN]: Password accepted.
[11:15] <[n]145951> [MAIN]: Password accepted.
[11:15] <[n]080424> [MAIN]: Password accepted.
[11:15] <[n]524460> [MAIN]: Password accepted.
[11:15] <[n]459703> [MAIN]: Password accepted.
[11:15] <[n]393927> [MAIN]: Password accepted.
[11:15] <[n]269430> [MAIN]: Password accepted.
[11:15] <[n]054261> [MAIN]: Password accepted.
[11:15] <[n]316211> [MAIN]: Password accepted.
[11:15] <[n]127767> [MAIN]: Password accepted.
[11:15] <[n]720552> [MAIN]: Password accepted.
[11:15] <[n]855782> [MAIN]: Password accepted.
[11:15] <[n]323583> [MAIN]: Password accepted.
[11:15] <[n]151607> [MAIN]: Password accepted.
[11:15] <[n]554298> [MAIN]: Password accepted.
[11:15] <[n]453453> [MAIN]: Password accepted.
[11:15] <[n]836781> [MAIN]: Password accepted.
[11:15] <[n]035921> [MAIN]: Password accepted.
[11:15] <[n]170133> [MAIN]: Password accepted.
[11:15] <[n]475559> [MAIN]: Password accepted.
[11:15] <[n]873944> [MAIN]: Password accepted.
[11:15] <[n]576366> [MAIN]: Password accepted.
[11:15] <[n]549321> [MAIN]: Password accepted.
[11:15] <[n]669999> [MAIN]: Password accepted.
[11:15] <[n]756115> [MAIN]: Password accepted.
[11:15] <[n]400495> [MAIN]: Password accepted.
[11:15] <[n]149180> [MAIN]: Password accepted.
[11:15] <[n]578785> [MAIN]: Password accepted.
[11:15] <[n]456041> [MAIN]: Password accepted.
[11:15] <[n]148256> [MAIN]: Password accepted.
[11:15] <[n]862409> [MAIN]: Password accepted.
[11:15] <[n]665002> [MAIN]: Password accepted.
[11:15] <[n]399823> [MAIN]: Password accepted.
[11:15] <[n]277134> [MAIN]: Password accepted.
[11:15] <[n]434838> [MAIN]: Password accepted.
[11:15] <[n]129256> [MAIN]: Password accepted.
[11:15] <[n]068642> [MAIN]: Password accepted.
[11:15] <[n]060802> [MAIN]: Password accepted.
[11:15] <[n]157019> [MAIN]: Password accepted.
[11:15] <[n]132408> [MAIN]: Password accepted.
[11:15] <[n]210566> [MAIN]: Password accepted.
[11:15] <[n]024177> [MAIN]: Password accepted.
[11:15] <[n]024177> [MAIN]: Removing Bot.
[11:15] <[n]665697> [MAIN]: Removing Bot.
[11:15] <[n]367861> [MAIN]: Removing Bot.
[11:15] <[n]148256> [MAIN]: Removing Bot.
[11:15] <[n]308633> [MAIN]: Removing Bot.
[11:15] <[n]386695> [MAIN]: Removing Bot.
[11:15] <[n]060671> [MAIN]: Removing Bot.
[11:15] <[n]277134> [MAIN]: Removing Bot.
[11:15] <[n]855782> [MAIN]: Removing Bot.
[11:15] <[n]157019> [MAIN]: Removing Bot.
[11:15] *** Parts: [n]024177
[11:15] *** Parts: [n]665697
[11:15] *** Parts: [n]148256
[11:15] *** Parts: [n]308633
[11:15] *** Parts: [n]060671
[11:15] *** Parts: [n]386695
[11:15] *** Parts: [n]444874
[11:15] *** Parts: [n]475559
[11:15] *** Parts: [n]720552
[11:15] *** Parts: [n]054261
[11:15] *** Parts: [n]665002
[11:15] *** Parts: [n]554298
[11:15] *** Parts: [n]129256
[11:15] *** Parts: [n]524460
[11:15] *** Parts: [n]068642
[11:15] *** Parts: [n]672890
[11:15] *** Parts: [n]277134
[11:15] *** Parts: [n]269430
[11:15] *** Parts: [n]514988
[11:15] *** Parts: [n]923666
[11:15] *** Parts: [n]367861
[11:15] *** Parts: [n]855782
[11:15] *** Parts: [n]549321
[11:15] *** Parts: [n]459703
[11:15] *** Parts: [n]456041
[11:15] *** Parts: [n]157019
[11:15] *** Parts: [n]149180
[11:15] *** Parts: [n]435426
[11:15] *** Parts: [n]145951
[11:15] *** Parts: [n]507452
[11:15] *** Parts: [n]439487
[11:15] *** Parts: [n]393927
[11:15] *** Parts: [n]514580
[11:15] *** Parts: [n]400495
[11:15] *** Parts: [n]080424
[11:15] *** Parts: [n]576366
[11:15] <[n]060802> [MAIN]: Removing Bot.
[11:15] <[n]873944> [MAIN]: Removing Bot.
[11:15] <[n]210566> [MAIN]: Removing Bot.
[11:15] <[n]580708> [MAIN]: Password accepted.
[11:15] *** Parts: [n]316211
[11:15] *** Parts: [n]453453
[11:15] *** Parts: [n]170133
[11:15] *** Parts: [n]434838
[11:15] *** Parts: [n]151607
[11:15] *** Parts: [n]669999
[11:15] *** Parts: [n]132408
[11:15] *** Parts: [n]862409
[11:15] *** Parts: [n]399823
[11:15] *** Parts: [n]035921
[11:15] *** Parts: [n]323567
[11:15] *** Parts: [n]402483
[11:15] *** Parts: [n]111767
[11:15] *** Parts: [n]756115
[11:15] *** Parts: [n]323583
[11:15] *** Parts: [n]127767
[11:15] *** Parts: [n]836781
[11:15] *** Parts: [n]578785
[11:15] *** Parts: [n]060802
[11:15] *** Parts: [n]873944
[11:15] *** Parts: [n]210566
[11:15] <[n]580708> [MAIN]: Removing Bot.
[11:15] *** Parts: [n]580708
[11:15] *** Joins: [n]175659
[11:15] <my.server.name> [n]175659 :Target change too fast. Please wait 41 seconds.
- [n]175659 :Target change too fast. Please wait 43 seconds.
[11:16] *** Joins: [n]750709
[11:16] Private message from [n]750709: <[n]750709> [MAIN]: Password accepted.
[11:16] Private message from [n]750709: <[n]750709> [MAIN]: Removing Bot.
[11:16] *** Parts: [n]750709
[11:16] <my.server.name> [n]175659 :Target change too fast. Please wait 106 seconds.
- [n]175659 :Target change too fast. Please wait 108 seconds.
[11:16] *** Joins: [n]729443
[11:16] <Lithium> .login dd0s
[11:16] <Lithium> .remove
[11:17] *** Joins: [n]374383
[11:17] <[n]175659> [MAIN]: Password accepted.
[11:17] <[n]175659> [MAIN]: Removing Bot.
[11:17] *** Parts: [n]374383
[11:17] *** Parts: [n]175659
[11:17] *** Parts: [n]729443
[11:19] <my.server.name> Channel :Users  Name
#pv 2 :
End of /LIST

[11:19] *** Parts: [n]123187
[11:20] *** Joins: [n]157922
[11:21] Private message from [n]157922: <[n]157922> [MAIN]: Password accepted.
[11:21] Private message from [n]157922: <[n]157922> [MAIN]: Removing Bot.
[11:21] *** Parts: [n]157922
[11:22] *** Joins: [n]865109
[11:23] *** Joins: [n]636263
[11:23] Private message from [n]865109: <[n]865109> [MAIN]: Password accepted.
[11:23] Private message from [n]865109: <[n]865109> [MAIN]: Removing Bot.
[11:23] *** Parts: [n]865109
[11:23] Private message from [n]636263: <[n]636263> [MAIN]: Password accepted.
[11:23] *** Parts: [n]636263
[11:37] *** Disconnected

____________________
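An added example, not part of the original post: one way to reconcile a channel log in the format shown above after a cleanup, separating sessions that acknowledged removal from those that only authenticated, left, or stayed. The sample log, its nicknames and the category names are constructed for this example.

```python
import re

# Bot nicknames in this log are the configured prefix "[n]" followed by digits.
NICK = r"\[n\]\d+"
MEMBERSHIP = re.compile(rf"^\[\d\d:\d\d\] \*\*\* (Joins|Parts): ({NICK})$")
# Replies appear in-channel or wrapped as "Private message from <nick>:".
REPLY = re.compile(
    rf"^\[\d\d:\d\d\] (?:Private message from {NICK}: )?<({NICK})> \[MAIN\]: (.+)$"
)

# Constructed sample in the same client log format; the nicknames are made up.
SAMPLE_LOG = """\
[11:08] *** Joins: [n]100001
[11:08] *** Joins: [n]100002
[11:08] *** Joins: [n]100003
[11:08] *** Joins: [n]100004
[11:09] *** Parts: [n]100003
[11:14] <my.server.name> [n]100002 :Target change too fast. Please wait 112 seconds.
[11:15] <[n]100001> [MAIN]: Password accepted.
[11:15] <[n]100002> [MAIN]: Password accepted.
[11:15] <[n]100001> [MAIN]: Removing Bot.
[11:15] *** Parts: [n]100001
[11:15] *** Parts: [n]100002
[11:16] *** Joins: [n]100005
[11:16] Private message from [n]100005: <[n]100005> [MAIN]: Password accepted.
[11:16] Private message from [n]100005: <[n]100005> [MAIN]: Removing Bot.
[11:16] *** Parts: [n]100005
"""


def reconcile(log_text):
    """Group every bot nickname seen in the log by how its session ended.

    A nickname identifies one session in the log, not one machine.
    """
    seen = {}  # nick -> flags, kept in order of first appearance
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MEMBERSHIP.match(line)
        if m:
            state = seen.setdefault(m.group(2), dict(auth=False, removed=False, parted=False))
            state["parted"] = m.group(1) == "Parts"
            continue
        m = REPLY.match(line)
        if m:
            state = seen.setdefault(m.group(1), dict(auth=False, removed=False, parted=False))
            if m.group(2) == "Password accepted.":
                state["auth"] = True
            elif m.group(2) == "Removing Bot.":
                state["removed"] = True
    report = {"removed": [], "auth_only": [], "left_unconfirmed": [], "still_present": []}
    for nick, s in seen.items():
        key = ("removed" if s["removed"] else "auth_only" if s["auth"]
               else "left_unconfirmed" if s["parted"] else "still_present")
        report[key].append(nick)
    return report


if __name__ == "__main__":
    for category, nicks in reconcile(SAMPLE_LOG).items():
        print(f"{category:<17} {len(nicks):>3}  {' '.join(nicks)}")
```

Sessions outside the `removed` group are the ones to follow up on, since nothing in the log confirms the bot uninstalled itself there.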
 krypt

  2009-06-06
  12:33:45

 
What method do you use for decompiling bots, and what software?
 Vektor

  2009-06-06
  14:22:28

 
So you are bored of using supernova to DDoS hubs like "ElitteHUB" and now you want to use someone else's botnet. You should do better things with your time than DDoS-ing random hubs. Why not learn a programming language for start instead of assuming everyone uses programs made by someone else?
BTW AOL can hide your IP but cannot hide your stupidity.
 krypt

  2009-06-06
  15:10:24

 
Vektor, regarding the use of supernova to DDoS the ElitteHub hub, here you are badly mistaken. Why? Let me explain: that hub was created by pogo and I helped him. When everything was ready and it was switched from one piece of software to hexhub (I am not naming the other software that was used, so as not to advertise it), the guy said to run a test on that hub using the software (hexhub). pogo, being the host, told me to do the test so that there would be no problems, so I received a supernova and started the "ddos" test to see what results we would get.
As for my question, it was just simple curiosity; if you want to answer, fine, if not, we could go on living without knowing, right? :P
And oh yes, I never wanted and will never want (wish for) other people's botnets; to your surprise, I am against them too, and I have even reported several botnet servers.

P.S. Regarding AOL: at that moment I was logged into the account to check my e-mails, not at all to hide my IP. Why would I hide my IP, have I done something wrong?

"BTW AOL can hide your IP but cannot hide your stupidity." It is a pity that you judge a person without knowing them. I know you are Romanian and this is typically Romanian, but I honestly expected more maturity from you, because I really admire what you do, even if you do nothing under the RO emblem.

I wish you much continued success in the "white hat" work you do here; one could say the internet is safer with such people :P

I wrote this post in Romanian because I know you understand it, since you are Romanian, and out of laziness. If there is any problem I will rewrite it in English too.
 Vektor

  2009-06-06
  15:51:19

 
krypt wrote:
Vektor, regarding the use of supernova to DDoS the ElitteHub hub, here you are badly mistaken. Why? Let me explain: that hub was created by pogo and I helped him. When everything was ready and it was switched from one piece of software to hexhub (I am not naming the other software that was used, so as not to advertise it), the guy said to run a test on that hub using the software (hexhub). pogo, being the host, told me to do the test so that there would be no problems, so I received a supernova and started the "ddos" test to see what results we would get.


In supernova's hublist there are many hubs; most of them have updated / fixed their settings / changed their software. Some software (such as HeXHub) replaces the IP in $ConnectToMe with the IP of whoever sends the command. In your case, you put supernova on some hubs that replaced the address you were sending with your own IP, and on top of that they showed reports in OpChat.
You think that by using supernova you affect only the hub you want, when in fact you affect all the users who are being used (if "out of buffer space" has ever appeared in your client, it is almost certainly because it was being used by a bot or script to do "tests" somewhere).

Now the english part...
krypt wrote:
What method do you use for decompiling bots, and what software?


I don't decompile trojans. I disassemble them and sometimes I trace them with a debugger. In this case the trojan was encrypted with Armadillo v1.71, so the first thing that needs to be done is to decrypt it. Public unpackers for Armadillo are not good because they execute the trojan. The best thing you can do in this case is to unpack it yourself or write an unpacker.
Also, the fact that this is RxBot simplifies things because its source code is public. No need to disassemble the trojan unless the strings are encrypted, which is not the case here - these trojan spreaders have no idea of programming. With a hex editor like Hiew you can search for references of all interesting strings to see which is used for what.
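An added example, not part of the original post: the string search described above written as a script over an already unpacked image, reporting each hit's offset so its references can be looked up in a disassembler. The rule names and the sample bytes are constructed for this example; the strings placed in the sample are the ones quoted in this thread.

```python
import re

# Printable-ASCII runs of 3+ bytes, roughly what a hex-editor string search shows.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{3,}")

# Hypothetical triage rules for this example. The dynamic-DNS suffixes are the
# two that appear in this thread; extend the list for other samples.
RULES = [
    ("pdb_path", re.compile(r"^[A-Za-z]:\\.+\.pdb$", re.I)),
    ("dyndns_host", re.compile(r"^(?:[a-z0-9-]+\.)+(?:no-ip\.org|zapto\.org)$", re.I)),
    ("irc_channel", re.compile(r"^[#&][^\s,:]{1,49}$")),
    ("bot_reply", re.compile(r"^\[[A-Z]+\]: \S")),
]

# Constructed stand-in for an unpacked image: NUL-terminated strings between
# non-printable bytes. It is not a real executable.
SAMPLE = b"".join([
    b"MZ\x90\x00\x03\x00\x00\x00",
    b"kernel32.dll\x00",
    b"cuczor.zapto.org\x00",
    b"\xff\xfe#pv\x00",
    b"[MAIN]: Password accepted.\x00",
    rb"C:\Documents and Settings\Administrator\Desktop\botsrc7[1].6rx\Rxbot 7.6\Debug\rBot.pdb",
    b"\x00",
])


def triage(image):
    """Return (offset, category, text) for every string that matches a rule."""
    hits = []
    for m in ASCII_RUN.finditer(image):
        text = m.group().decode("ascii")
        for category, rule in RULES:
            if rule.match(text):
                hits.append((m.start(), category, text))
                break  # first matching rule wins
    return hits


if __name__ == "__main__":
    for offset, category, text in triage(SAMPLE):
        print(f"0x{offset:06x}  {category:<12} {text}")
```

On a packed file this finds little or nothing, which is why the unpacking step comes first.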
 krypt

  2009-06-06
  20:48:43

 
Thanks for the response, that was my curiosity, because I used Hex Workshop, Win32dasm and odbg200. Thanks once again for the answer.

I would also like to take this opportunity to apologize if I caused any problems.
 krypt

  2009-06-06
  20:53:26

 
Thanks for the response, that was my curiosity, because I used Hex Workshop, Win32dasm and odbg200. Sorry for the double post, but because of fatigue I wrote half Romanian and half English. Thanks once again for the answer.
 DrEinstein

  2009-06-09
  01:43:35

 
In addition to the closed server which was hosted on IP 89.43.99.67 a couple of days ago:

Quote:
[2009-06-08 13:34:48] <DrEinstein> So.. Who asked you to host the IRC server?
...
[2009-06-08 13:39:44] <Zamo®enna™> AbduL or Covorash its him nick
...
[2009-06-08 13:44:39] <Zamo®enna™> he asked me to help with this hostarea irc, unknown what it is
...
[2009-06-08 13:46:51] <DrEinstein> Do you know what this kind of server was?
[2009-06-08 13:47:49] <Zamo®enna™> no ,i do`n know

They asked her to host a server without telling her what it was.. Let me use an article from Wikipedia here:

Quote:
On May 9, 2006, Jeanson James Ancheta (born 1986 in Downey, California) became the first person to be charged for controlling large numbers of hijacked computers or botnets.

Jeanson James Ancheta

Born: 1986 (age 22–23)
Alias(es): Gobo
Conviction(s): Pleaded guilty to four felony charges
Penalty: 60 months in prison

Article source: http://en.wikipedia.org/wiki/Jeanson_James_Ancheta

For all you kids out there: watch out for the things you and the others are playing with, you can burn yourself.

I hope that Zamo®enna™ learned her lesson:

Quote:
[2009-06-08 13:53:08] <DrEinstein> Btw.. are we clean about one thing.. You never again host a server for Adbul, Ok?
[2009-06-08 13:53:27] <Zamo®enna™> ok
[2009-06-08 13:53:29] <DrEinstein> Good
...
[2009-06-08 13:53:54] <Zamo®enna™> anyway you can be sure that I learned mind ..
 Sir

  2009-06-16
  13:00:21

 
DrEinstein: you have again gone after max, dark, hkecstasy

goodbye, I piss on you all :)

____________________
Sir///
 Sir

  2009-06-16
  13:01:16

 
Sir wrote:
DrEinstein: you have again gone after max, dark, hkecstasy

goodbye, I piss on you all :)
Sir///

____________________
Sir///
 Vektor

  2009-06-16
  19:45:15

 
Sir wrote:
DrEinstein: you have again gone after max,


Why do you speak about yourself in 3rd person? I guess the most important of your personalities came to light. There is no place for so many personalities / accounts from same person on a forum like this.
Banned.