[nsp-sec] PHP Botnets are fun. C&C's discovered
Dave Mitchell
davem at yahoo-inc.com
Tue Feb 5 16:16:24 EST 2008
Hey all,
We've found some nice PHP botnets out there roaming around and
providing UDP packet love (it is teh suck). We found the nice php bot files
hosted in a variety of places. I don't have timestamps for the few
dynamic IPs listed, but the majority of the info should be usable.
PHP script hosting
------------------
SHARKTECH INTERNET SERVICES - 64.32.13.169/ma.txt
FREEWEBS - freewebs.com/larry123/bot.txt
Ripside Interactive, Inc. - h1.ripway.com/tsk4/botlogin.txt
GOOGLE - joaobenner.googlepages.com/script2.txt
GOOGLE - ownsirc.googlepages.com/botnet.txt
GOOGLE - yahwek.dll.googlepages.com/phpbot1.txt
GOOGLE - seideiaslegais.googlepages.com/own.txt
EVERYDNS - kt.digital-poison.net/readme.txt
Inames Co. - namhaesusan.hs.kr/bbs/.hd/raw.txt
AFRAID.ORG NSes - pucorp.org/pbot.txt
www.californiasecession.org/discuss/images/themes/obb108/.jst/php.txt
PrivacyProtect.org - www.fxmsn.org/11.txt
PrivacyProtect.org - www.hackmsn.org/11.txt
www.santiagoonline.com.ar/readme.txt
These sites hosted variations of the following code to let them join
C&C's and to emulate a client with added fun functionality. For those C&C's
that are legit IRC servers or ICQ, we'll need to sort through all the
above php files to find out what channel and what key. I've attached the rest of
the php script to this email as php.txt.
class pBot
{
    var $config = array("server"=>"irc.mildnet.org",
                        "port"=>6667,
                        "pass"=>"",                  // server password
                        "prefix"=>"[THEOWNS]-",
                        "maxrand"=>4,
                        "chan"=>"#theowns",
                        "key"=>"666",                // channel key
                        "modes"=>"+p",
                        "password"=>"bnet",          // bot password
                        "trigger"=>".",
                        "hostauth"=>"theowns.com"    // * for any hostname
                        );
    // remainder of the class (the bot's methods) omitted here; see attached php.txt
}
C&C servers broken down by AS:
-------------------------------
174 | 216.152.66.45 | COGENT Cogent/PSI
174 | 216.152.66.54 | COGENT Cogent/PSI
174 | 216.152.67.49 | COGENT Cogent/PSI
812 | 72.138.178.248 | ROGERS-CABLE - Rogers Cable Communications Inc.
1668 | 64.12.165.56 | AOL-ATDN - AOL Transit Data Network
2044 | 198.145.112.210 | IINET-2044 - Infinity Internet, Inc.
5413 | 212.241.181.225 | AS5413 PIPEX Communications
7788 | 69.20.226.82 | MAGMA-COMM - Magma Communications Ltd.
8001 | 82.146.50.146 | NET-ACCESS-CORP - Net Access Corporation
8151 | 200.23.34.45 | Uninet S.A. de C.V.
10481 | 201.212.0.76 | Prima S.A.
13749 | 66.98.156.85 | EVERYONES-INTERNET - Everyones Internet
17048 | 69.42.211.121 | AWKNET - Awknet Communications, LLC
17048 | 69.42.215.24 | AWKNET - Awknet Communications, LLC
17048 | 69.42.219.55 | AWKNET - Awknet Communications, LLC
17464 | 202.9.108.44 | TMIDC-AP Hosting Services (MYLOCA),
20773 | 212.241.202.123 | HOSTEUROPE-AS AS of Hosteurope Germany / Cologne
20773 | 212.241.214.143 | HOSTEUROPE-AS AS of Hosteurope Germany / Cologne
20793 | 217.198.160.65 | CONCORD Concord Ltd Autonomous System
23522 | 66.252.1.112 | IPNAP-ES - GigeNET
23522 | 66.252.10.51 | IPNAP-ES - GigeNET
23522 | 66.252.24.172 | IPNAP-ES - GigeNET
25700 | 208.99.193.130 | 25700 - SWIFT VENTURES Inc
26347 | 208.113.156.111 | DREAMHOST-AS - New Dream Network, LLC
30058 | 208.98.32.131 | FDCSERVERS - FDC Servers.net, LLC
30058 | 64.32.10.177 | FDCSERVERS - FDC Servers.net, LLC
30058 | 64.32.13.143 | FDCSERVERS - FDC Servers.net, LLC
30058 | 64.32.13.145 | FDCSERVERS - FDC Servers.net, LLC
30058 | 64.32.13.161 | FDCSERVERS - FDC Servers.net, LLC
30058 | 64.32.13.169 | FDCSERVERS - FDC Servers.net, LLC
30496 | 72.249.24.98 | COLO4 - Colo4Dallas LP
32613 | 67.205.67.39 | IWEB-AS - Groupe iWeb Technologies inc.
36420 | 209.62.20.200 | EVERYONES-INTERNET3 - Everyones Internet
C&C servers by hostname/ip and port
-----------------------------------
198.145.112.210:2328
200.23.34.45:1729
201.212.0.76:2328
202.9.108.44:ircd
208.98.32.131:ircd
208.99.193.130:ircd
212.241.214.143:ircd
216.152.66.54:ircd
216.152.67.49:ircd
217.198.160.65:6698
64.12.165.56:ircd
64.32.10.177:ircd
64.32.13.143:ircd
64.32.13.145:4949
64.32.13.161:44441
64.32.13.169:ircd
66.252.1.112:ircd
66.252.24.172:ircd
69.42.215.24:ircd
69.42.219.55:ircd
72.138.178.248:ircd
72.249.24.98:ircd
CPE0050bacdd2da-CM000f9f7c1b0a.cpe.net.cable.rogers.com:ircd
apache2-rank.malt.dreamhost.com:http
fullserver.patan.com.ar:2328
hellmaker.info:5555
ip-67-205-67-39.static.privatedns.com:ircd
irc-m.icq.aol.com:ircd
ks1.adsl2-911qualitynet.net:ircd
listening.musicworld.ru:ircd
lvps212-241-214-143.vps.webfusion.co.uk:ircd
ottawa-hs-69-20-226-82.s-ip.magma.ca:ircd
pool.glass.webchat.org:ircd
serv1.alterecho.be:ircd
server4337.123-serv.co.uk:6665
smartass.dd05.us:ircd
support.tvku.tv:ircd
tukang.susu.be:ircd
wvps212-241-202-123.vps.webfusion.co.uk:6698
Thanks.
-dave
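Sorting through the hosted .txt files for server, channel and key, as the post says still needs doing, is mechanical once you notice they all share the pBot config-array shape quoted above. The Python below is an added example, not part of the original post and not code from any bot: it strips PHP comments without touching quoted strings (channel names start with "#"), pulls the "key"=>value pairs out of the $config array, and emits host:port indicators in the same notation as the C&C list. The two sample bot files are constructed for the example with made-up hosts, and the port-to-service-name mapping (6667 -> ircd, 80 -> http) is an assumption chosen to match the list's notation.

```python
import re

# Two bot files constructed for this example (not real hosted files); they
# imitate the pBot config shape quoted in the post, with made-up values.
SAMPLE_A = r'''<?php
class pBot
{
  var $config = array("server"=>"irc.example-a.invalid",
                      "port"=>6667,
                      "pass"=>"", // server password
                      "prefix"=>"[DEMO]-",
                      "maxrand"=>4,
                      "chan"=>"#demochan",
                      "key"=>"666", // channel key
                      "modes"=>"+p",
                      "password"=>"bnet", // bot password
                      "trigger"=>".",
                      "hostauth"=>"*" // * for any hostname
                      );
'''
# A variant: single quotes, hash comments, compact layout, non-standard port.
SAMPLE_B = r'''<?php
/* stripped-down variant */
class pBot {
  var $config = array('server'=>'c2.example-b.invalid', # server
    'port'=>2328, 'chan'=>'#priv', 'key'=>'s3cret',
    'password'=>'owned', 'hostauth'=>'*');
'''

def strip_php_comments(src: str) -> str:
    """Drop //, # and /* */ comments but leave quoted strings untouched,
    so a channel like "#chan" or a key containing // survives."""
    out, i, n, quote = [], 0, len(src), None
    while i < n:
        c = src[i]
        if quote:                        # inside a string literal
            out.append(c)
            if c == "\\" and i + 1 < n:  # keep escaped char verbatim
                out.append(src[i + 1])
                i += 2
                continue
            if c == quote:
                quote = None
            i += 1
        elif c in "\"'":
            quote = c
            out.append(c)
            i += 1
        elif src.startswith("/*", i):
            end = src.find("*/", i + 2)
            i = n if end < 0 else end + 2
        elif src.startswith("//", i) or c == "#":
            end = src.find("\n", i)
            i = n if end < 0 else end    # the newline itself is kept
        else:
            out.append(c)
            i += 1
    return "".join(out)

# $config = array( ... );  and the  "key" => "string" | number  pairs inside it
CONFIG_RE = re.compile(r"\$config\s*=\s*array\s*\((.*?)\)\s*;", re.S)
PAIR_RE = re.compile(r"""(["'])(\w+)\1\s*=>\s*(?:(["'])(.*?)\3|(-?\d+))""", re.S)

def parse_pbot_config(src: str):
    """Return the config array as a dict, or None if no $config array is found."""
    m = CONFIG_RE.search(strip_php_comments(src))
    if not m:
        return None
    cfg = {}
    for pm in PAIR_RE.finditer(m.group(1)):
        key, text, num = pm.group(2), pm.group(4), pm.group(5)
        cfg[key] = int(num) if num is not None else text
    return cfg

# Assumed mapping to the /etc/services names used in the C&C list above.
SERVICE_NAMES = {6667: "ircd", 80: "http"}

def cnc_indicator(cfg: dict) -> str:
    """host:port in the list's notation (pBot's stock default port is 6667)."""
    port = cfg.get("port", 6667)
    return f"{cfg['server']}:{SERVICE_NAMES.get(port, port)}"

def summarize(sources: dict) -> list:
    """One record per bot file that carried a parsable config with a server."""
    rows = []
    for name, text in sources.items():
        cfg = parse_pbot_config(text)
        if cfg and "server" in cfg:
            rows.append({"source": name, "cnc": cnc_indicator(cfg),
                         "chan": cfg.get("chan"), "key": cfg.get("key"),
                         "botpass": cfg.get("password")})
    return rows

if __name__ == "__main__":
    files = {"a.txt": SAMPLE_A, "b.txt": SAMPLE_B, "x.txt": "<?php echo 1;"}
    for row in summarize(files):
        print("{source:8} {cnc:28} {chan:12} key={key} botpass={botpass}".format(**row))
```

Point it at the fetched .txt files (read each into the `sources` dict) and the output is a join key against the host:port list: the "chan", "key" and "password" columns are what a takedown request or a sinkhole needs to actually sit in the channel.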