[nsp-sec] ACK 5413/20773 Re: PHP Botnets are fun. C&C's discovered

Ian Dickinson iand at eng.pipex.net
Wed Feb 6 11:50:15 EST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ACK - getting these looked at...

5413    | 212.241.181.225  | AS5413 PIPEX Communications
5413    | 212.241.181.226  | AS5413 PIPEX Communications
20773   | 212.241.202.123  | HOSTEUROPE-AS Hosteurope Germany
20773   | 212.241.214.143  | HOSTEUROPE-AS Hosteurope Germany

Ian

Dave Mitchell wrote:
> ----------- nsp-security Confidential --------
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Hey all,
>    We've found some nice PHP botnets out there roaming around and
> providing UDP packet love (it is teh suck). We found the nice php bot files 
> hosted in a variety of places. I don't have timestamps for the few
> dynamic IPs listed, but the majority of the info should be usable.
> 
> PHP script hosting
> ------------------
> 
> SHARKTECH INTERNET SERVICES - 64.32.13.169/ma.txt
> FREEWEBS                    - freewebs.com/larry123/bot.txt
> Ripside Interactive, Inc.   - h1.ripway.com/tsk4/botlogin.txt
> GOOGLE                      - joaobenner.googlepages.com/script2.txt
> GOOGLE                      - ownsirc.googlepages.com/botnet.txt
> GOOGLE                      - yahwek.dll.googlepages.com/phpbot1.txt
> GOOGLE                      - seideiaslegais.googlepages.com/own.txt
> EVERYDNS                    - kt.digital-poison.net/readme.txt
> Inames Co.                  - namhaesusan.hs.kr/bbs/.hd/raw.txt
> AFRAID.ORG NSes             - pucorp.org/pbot.txt
> www.californiasecession.org/discuss/images/themes/obb108/.jst/php.txt
> PrivacyProtect.org          - www.fxmsn.org/11.txt
> PrivacyProtect.org          - www.hackmsn.org/11.txt
> www.santiagoonline.com.ar/readme.txt
> 
> 
> These sites hosted variations of the following code to let them join
> C&C's and to emulate a client with added fun functionality.  For those C&C's 
> that are legit IRC servers or ICQ, we'll need to sort through all the
> above php files to find out what channel and what key. I've attached the rest of 
> the php script to this email as php.txt.
> 
> class pBot
> {
> var $config = array("server"=>"irc.mildnet.org",
>                      "port"=>6667,
>                      "pass"=>"", // server password
>                      "prefix"=>"[THEOWNS]-",
>                      "maxrand"=>4,
>                      "chan"=>"#theowns",
>                      "key"=>"666", // channel key
>                      "modes"=>"+p",
>                      "password"=>"bnet",  // bot password
>                      "trigger"=>".",
>                      "hostauth"=>"theowns.com" // * for any hostname
>                      );
> 
> 
> C&C servers broken down by AS:
> -------------------------------
> 
> 174     | 216.152.66.45    | COGENT Cogent/PSI
> 174     | 216.152.66.54    | COGENT Cogent/PSI
> 174     | 216.152.67.49    | COGENT Cogent/PSI
> 812     | 72.138.178.248   | ROGERS-CABLE - Rogers Cable Communications Inc.
> 1668    | 64.12.165.56     | AOL-ATDN - AOL Transit Data Network
> 2044    | 198.145.112.210  | IINET-2044 - Infinity Internet, Inc.
> 5413    | 212.241.181.225  | AS5413 PIPEX Communications
> 7788    | 69.20.226.82     | MAGMA-COMM - Magma Communications Ltd.
> 8001    | 82.146.50.146    | NET-ACCESS-CORP - Net Access Corporation
> 8151    | 200.23.34.45     | Uninet S.A. de C.V.
> 10481   | 201.212.0.76     | Prima S.A.
> 13749   | 66.98.156.85     | EVERYONES-INTERNET - Everyones Internet
> 17048   | 69.42.211.121    | AWKNET - Awknet Communications, LLC
> 17048   | 69.42.215.24     | AWKNET - Awknet Communications, LLC
> 17048   | 69.42.219.55     | AWKNET - Awknet Communications, LLC
> 17464   | 202.9.108.44     | TMIDC-AP Hosting Services (MYLOCA),
> 20773   | 212.241.202.123  | HOSTEUROPE-AS AS of Hosteurope Germany / Cologne
> 20773   | 212.241.214.143  | HOSTEUROPE-AS AS of Hosteurope Germany / Cologne
> 20793   | 217.198.160.65   | CONCORD Concord Ltd Autonomous System
> 23522   | 66.252.1.112     | IPNAP-ES - GigeNET
> 23522   | 66.252.10.51     | IPNAP-ES - GigeNET
> 23522   | 66.252.24.172    | IPNAP-ES - GigeNET
> 25700   | 208.99.193.130   | 25700 - SWIFT VENTURES Inc
> 26347   | 208.113.156.111  | DREAMHOST-AS - New Dream Network, LLC
> 30058   | 208.98.32.131    | FDCSERVERS - FDC Servers.net, LLC
> 30058   | 64.32.10.177     | FDCSERVERS - FDC Servers.net, LLC
> 30058   | 64.32.13.143     | FDCSERVERS - FDC Servers.net, LLC
> 30058   | 64.32.13.145     | FDCSERVERS - FDC Servers.net, LLC
> 30058   | 64.32.13.161     | FDCSERVERS - FDC Servers.net, LLC
> 30058   | 64.32.13.169     | FDCSERVERS - FDC Servers.net, LLC
> 30496   | 72.249.24.98     | COLO4 - Colo4Dallas LP
> 32613   | 67.205.67.39     | IWEB-AS - Groupe iWeb Technologies inc.
> 36420   | 209.62.20.200    | EVERYONES-INTERNET3 - Everyones Internet
> 
> 
> C&C servers by hostname/ip and port
> -----------------------------------
> 
> 198.145.112.210:2328
> 200.23.34.45:1729
> 201.212.0.76:2328
> 202.9.108.44:ircd
> 208.98.32.131:ircd
> 208.99.193.130:ircd
> 212.241.214.143:ircd
> 216.152.66.54:ircd
> 216.152.67.49:ircd
> 217.198.160.65:6698
> 64.12.165.56:ircd
> 64.32.10.177:ircd
> 64.32.13.143:ircd
> 64.32.13.145:4949
> 64.32.13.161:44441
> 64.32.13.169:ircd
> 66.252.1.112:ircd
> 66.252.24.172:ircd
> 69.42.215.24:ircd
> 69.42.219.55:ircd
> 72.138.178.248:ircd
> 72.249.24.98:ircd
> CPE0050bacdd2da-CM000f9f7c1b0a.cpe.net.cable.rogers.com:ircd
> apache2-rank.malt.dreamhost.com:http
> fullserver.patan.com.ar:2328
> hellmaker.info:5555
> ip-67-205-67-39.static.privatedns.com:ircd
> irc-m.icq.aol.com:ircd
> ks1.adsl2-911qualitynet.net:ircd
> listening.musicworld.ru:ircd
> lvps212-241-214-143.vps.webfusion.co.uk:ircd
> ottawa-hs-69-20-226-82.s-ip.magma.ca:ircd
> pool.glass.webchat.org:ircd
> serv1.alterecho.be:ircd
> server4337.123-serv.co.uk:6665
> smartass.dd05.us:ircd
> support.tvku.tv:ircd
> tukang.susu.be:ircd
> wvps212-241-202-123.vps.webfusion.co.uk:6698
> 
> 
> Thanks.
> 
> -dave
> 
> 
> 
> ------------------------------------------------------------------------
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________


- --
Ian Dickinson                            INOC-DBA: 5413*426
Senior Network Development Engineer        Mobile: +44 7967 463023
Pipex Communications                       Direct: +44 1865 381522
iand at eng.pipex.net                            Fax: +44 1865 778160
ian.dickinson at pipex.net                      http://www.pipex.net
PGP Fingerprint: 1A5E 74B1 2BDD 214A 2131 69E9 C3B3 B72A DDF8 862A
This e-mail is subject to: http://www.pipex.net/disclaimer.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)

iD8DBQFHqeVFw7O3Kt34hioRAtXjAJ9rIyc+/Dl4hsM0QZjwZzcdK9p74wCg75aJ
OBedgQSF/BsbmASIlYRzrtk=
=Suq9
-----END PGP SIGNATURE-----
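Dave's note says the hosted php files still have to be gone through to find out which channel and key each variant joins. The Python below is added here as an example; it is not part of the thread and not pBot's own code. It pulls the $config array out of pBot-style files and turns each one into the server:port / channel / key rows that the C&C list above is built from. The sample files are constructed: the first reuses the config quoted above inside an assumed file wrapper, the second is a made-up single-quoted variant pointed at 64.32.13.145:4949 (one of the endpoints in the list), and the third is a decoy with no config. The nick pattern assumes pBot builds its nick from "prefix" followed by "maxrand" random digits.

```python
import re

# --- constructed samples (not files from the thread) ---------------------
# ma.txt wraps the config quoted in the thread in an assumed pBot skeleton;
# bot.txt is an invented single-quoted variant whose server:port is taken
# from the thread's C&C list; readme.txt carries no bot config at all.
SAMPLES = {
    "ma.txt": r'''<?php
set_time_limit(0);
error_reporting(0);
class pBot
{
var $config = array("server"=>"irc.mildnet.org",
                     "port"=>6667,
                     "pass"=>"", // server password
                     "prefix"=>"[THEOWNS]-",
                     "maxrand"=>4,
                     "chan"=>"#theowns",
                     "key"=>"666", // channel key
                     "modes"=>"+p",
                     "password"=>"bnet",  // bot password
                     "trigger"=>".",
                     "hostauth"=>"theowns.com" // * for any hostname
                     );
}
''',
    "bot.txt": r'''<?php
class pBot {
  var $config = array('server' => '64.32.13.145',
                      'port'   => 4949,
                      'pass'   => '',
                      'prefix' => 'xsl-',
                      'maxrand'=> 5,
                      'chan'   => '#xsl',
                      'key'    => '',
                      'hostauth' => '*' );
}
''',
    "readme.txt": "<?php echo 'nothing to see'; ?>",
}

# The $config = array( ... ); block, across lines.
CONFIG_RE = re.compile(r'\$config\s*=\s*array\s*\((.*?)\)\s*;', re.S)
# "key"=>"value" or 'key'=>123.  Key/value contents exclude quotes and
# newlines so a stray apostrophe inside a // comment cannot start a match.
PAIR_RE = re.compile(r'''(["'])([^"'\n]*)\1\s*=>\s*(?:(["'])([^"'\n]*)\3|(\d+))''')


def extract_config(php_source):
    """Return the pBot $config array as a dict, or {} if the file has none."""
    m = CONFIG_RE.search(php_source)
    if not m:
        return {}
    cfg = {}
    for _q1, key, _q2, sval, ival in PAIR_RE.findall(m.group(1)):
        cfg[key] = int(ival) if ival else sval
    return cfg


def indicators(cfg):
    """Reduce a config to what a NOC or IDS can act on: the C&C endpoint,
    the JOIN the bot will send, and a regex for the nicks it will use."""
    if "server" not in cfg:
        return {}
    chan = cfg.get("chan", "")
    key = cfg.get("key", "")
    # assumption: pBot's nick is prefix + maxrand random decimal digits
    prefix = cfg.get("prefix", "")
    digits = cfg.get("maxrand", 4)
    return {
        "cnc": "%s:%s" % (cfg["server"], cfg.get("port", 6667)),
        "chan": chan,
        "key": key,
        "join": ("JOIN %s %s" % (chan, key)).rstrip(),
        "nick_regex": "^%s[0-9]{%d}$" % (re.escape(prefix), digits),
        "hostauth": cfg.get("hostauth", "*"),  # '*' means anyone may command it
    }


def is_bot_nick(ind, nick):
    """True if an IRC nick matches the pattern derived from the config."""
    return re.match(ind["nick_regex"], nick) is not None


def triage(files):
    """Walk a name->source mapping and return one row per file that carries
    a bot config, sorted by C&C endpoint like the list in the thread."""
    rows = []
    for name, src in files.items():
        ind = indicators(extract_config(src))
        if ind:
            ind["file"] = name
            rows.append(ind)
    return sorted(rows, key=lambda r: r["cnc"])


if __name__ == "__main__":
    for row in triage(SAMPLES):
        print("%-12s %-22s %-9s key=%-5s %s" % (
            row["file"], row["cnc"], row["chan"], row["key"] or "-", row["join"]))
```

Point triage() at a dict built from the fetched .txt files and the output is the hostname/ip:port table directly; the "join" string and "nick_regex" are what to hand to whoever is watching the IRC servers that turn out to be legitimate.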