IRC botnet launching ddos attacks jul2018

a guest
Jun 21st, 2018
* Looking up skeu1.xyz
* Unknown host. Maybe you misspelled it?
* Disconnected (20)
* Looking up skeu2.xyz
* Connecting to skeu2.xyz (162.255.119.153:7778)
* Stopped previous connection attempt (2460)
* Looking up skeu2.xyz
* Connecting to skeu2.xyz (162.255.119.153:7778)
* Stopped previous connection attempt (5608)
* Looking up skeu2.xyz
* Connecting to skeu2.xyz (162.255.119.153:7778)
* Stopped previous connection attempt (20500)
* Looking up skeu2.xyz
* Connecting to skeu2.xyz (162.255.119.153:7778)
* Stopped previous connection attempt (22624)
* Looking up skeu2.xyz
* Connecting to skeu2.xyz (162.255.119.153:7778)
* Stopped previous connection attempt (24352)
* Looking up skeu2.xyz
* Connecting to skeu2.xyz (162.255.119.153:7778)
* Stopped previous connection attempt (5248)
* Looking up skeu2.xyz
* Connecting to skeu2.xyz (162.255.119.153:7778)
* Stopped previous connection attempt (18076)
* Looking up skeu2.xyz
* Connecting to skeu2.xyz (162.255.119.153:7778)
* Stopped previous connection attempt (22232)
* Looking up skeu2.xyz
* Connecting to skeu2.xyz (162.255.119.153:7778)
* Stopped previous connection attempt (23564)
* Looking up 185.61.138.151\7778
* Unknown host. Maybe you misspelled it?
* Disconnected (20)
* Looking up 185.61.138.151
* Connecting to 185.61.138.151:7778 (185.61.138.151:7778)
* Connected. Now logging in.
* *** Looking up your hostname...
* *** Couldn't resolve your hostname; using your IP address instead
* Capabilities supported: userhost-in-names multi-prefix away-notify account-notify tls
* Capabilities requested: userhost-in-names multi-prefix away-notify account-notify
* Capabilities acknowledged: userhost-in-names multi-prefix away-notify account-notify
* Welcome to the he IRC Network admin!890089@89.238.186.238
* Your host is wee.wee.wee, running version UnrealIRCd-4.0.1
* This server was created Tue May 15 2018 at 11:19:39 GMT
* wee.wee.wee UnrealIRCd-4.0.1 iowrsxzdHtIRqpWGTSB lvhopsmntikraqbeIzMQNRTOVKDdGLPZSCcf
* UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 MAXNICKLEN=30 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 :are supported by this server
* MAXTARGETS=20 WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kLf,l,psmntirzMQNRTOVKDdGPZSCc NETWORK=he CASEMAPPING=ascii EXTBAN=~,SOcaRrnqj ELIST=MNUCT :are supported by this server
* STATUSMSG=~&@%+ EXCEPTS INVEX CMDS=USERIP,STARTTLS,KNOCK,DCCALLOW,MAP :are supported by this server
* 1B0D66B9.999BD695.C5CE82FF.IP :is now your displayed host
* There are 1 users and 325 invisible on 1 servers
* 1 :operator(s) online
* 11 :unknown connection(s)
* 2 :channels formed
* I have 326 clients and 0 servers
* 326 959 :Current local users 326, max 959
* 326 355 :Current global users 326, max 355
* MOTD File is missing
* admin sets mode +i on admin
* admin sets mode +w on admin
* admin sets mode +x on admin

Linked binaries: https://www.hybrid-analysis.com/sample/644b64ec7261bace555c0f3b7b32c6a09c20217f11773dc5b0a96f0bc437069e
https://www.virustotal.com/#/file-analysis/OWIwZjk5ZDZkZjdmZTI0MzVmODgyZDEwOTUzNWI0OGY6MTUyOTU5MTg1OA==
Current direct-IP connection:
Connecting to 185.61.138.151:7778 (185.61.138.151:7778)
The domains mentioned above seem to be part of a fallback mechanism: as soon as the primary IP goes down, the botnet will use the domains:
"185.61.138.151",
"skeu1.xyz",
"skeu2.xyz",
"skeu3.xyz",
"skeu4.xyz",
"skeu5.xyz",
In order of priority.
The botnet is being used to launch attacks worldwide; a simple honeypot has recovered the following logs:
* [IN]shahrukh|12635 (~INshahru@CF392AB1.BCF7C58D.3919FC61.IP) has joined
* [FR]pc|37342 has quit (Read error)
* [user][41420]|F (~user414@6ED884A1.8BCD64B3.30AD9F70.IP) has joined
* [BR]NOTE|4447 (~BRNOTE4@he-BCDEEEA2.ondaagil.net.br) has joined
* [pericolu (~pericolu@DD6CBEC3.54EA1F29.567A64C2.IP) has joined
* [GH]Nagyeo|94730 (~GHNagyeo@DEE8028.8E5A799F.AB0D808F.IP) has joined
* [SD]awab|67426 (~SDawab6@AA2156F3.692FD7D5.26EEF2DC.IP) has joined
* [BR]User|94276 (~BRUser9@414AF2A8.B496FC66.CF9E86AF.IP) has joined
* [IN]Welcome|54872 (~INWelcom@1C11B708.BA42402A.255EECA8.IP) has joined
* [RO]Vali|42964 has quit (Read error)
* [IN]Welcome|98011 has quit (Read error)
* [PS]work-9|12391 has quit (Ping timeout: 380 seconds)
* [VN]TD105|59997 (~VNTD105@C61BFAB3.31B610E7.F28EB75A.IP) has joined
* [ID]Win7|88112 has quit (Read error)
* [IQ]asmar|76037 has quit (Read error)
* [IN]hp|9849 (~INhp984@he-38DFA587.rev.pcpli.net) has joined
* [PH]pisonet|74972 has quit (Read error)
* [Admin][53357]|F (~Admin53@8A8FBDAF.3FFA0445.D6720A6C.IP) has joined
* [FR]pc|13531 (~FRpc135@he-73A63BE1.abo.bbox.fr) has joined
<[Tudor][74470]|F> Running tasks: 12 >> Layer7 : Target https://mollerbil.se/ : Total time: 7200 : Elapsed time 5217 : Running method HTTPSTRONG | Layer7 : Target https://mollerbil.se/ : Total time: 7200 : Elapsed time 4792 : Running method HTTPNULL | Layer7 : Target https://mollerbil.se/ : Total time: 7200 : Elapsed time 4348 : Running method HTTP | Layer7 : Target https://mollerbil.se/ : Total time: 7200 : Elapsed time 4327 : Running method HTTP
* [GR]PC1|55063 (~GRPC155@he-66BD4403.access.hol.gr) has joined
* [MK]Shaban|2452 has quit (Read error)
<[Tudor][74470]|F> Running tasks: 11 >> Layer7 : Target https://mollerbil.se/ : Total time: 7200 : Elapsed time 5223 : Running method HTTPSTRONG | Layer7 : Target https://mollerbil.se/ : Total time: 7200 : Elapsed time 4798 : Running method HTTPNULL | Layer7 : Target https://mollerbil.se/ : Total time: 7200 : Elapsed time 4354 : Running method HTTP | Layer7 : Target https://mollerbil.se/ : Total time: 7200 : Elapsed time 4333 : Running method HTTP
* [JERAL][38494]|F (~JERAL38@E0AF18A0.59DD991B.13C645EB.IP) has joined
* [VN]TD105|59997 has quit (Read error)
* [Sandeep][76703]|F (~Sandeep@47F6066E.5AEFD61F.B527F152.IP) has joined
* [ID]OPERATOR|39311 has quit (Ping timeout: 380 seconds)
* [GAMER_ONE][51054]|F has quit (Read error)
* [BR]User|2730 has quit (Ping timeout: 380 seconds)
* [IN]windows|47797 (~INwindow@70593D1.B7AA9CAC.C5249ABA.IP) has joined
* [BG]Gokhii|5522 has quit (Ping timeout: 380 seconds)
<TOXICO> STOPALL
* [work-3][15561]|F has quit (Ping timeout: 380 seconds)
* [AR]user|77745 (~ARuser7@he-FA541017.telecom.net.ar) has joined
* [IN]RJ_DoI_AL_NS272235|8830 has quit (Read error)
* [EG]7|9538 (~EG79538@F00EDEE0.C6E1E800.BEF5D00A.IP) has joined
* [PH]ThisPC|28976 (~PHThisPC@469CF8D3.FBABB69E.B896DFC4.IP) has joined
* [E2][7266]|F (~E27266@381A3C87.C466A920.EBECB751.IP) has joined
* [RU]i|20640 (~RUi2064@D437A95.B0694387.36CD865D.IP) has joined
<TOXICO> INFORMATION
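
A parser for the honeypot channel log format shown above, as an added example that is not part of the original paste: it tallies joins and quits by the two-letter nick prefix (assumed here to be a country code) and splits bot status messages into per-task records with the time remaining. The sample lines, the host `victim.example` and the nick `OPER` are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the honeypot log above.
SAMPLE = """\
* [IN]host|12635 (~INhost1@AAAAAAAA.BBBBBBBB.CCCCCCCC.IP) has joined
* [FR]pc|37342 has quit (Read error)
* [lab][41420]|F (~lab4142@he-00000000.isp.example) has joined
* [BR]User|2730 has quit (Ping timeout: 380 seconds)
<[lab][41420]|F> Running tasks: 2 >> Layer7 : Target https://victim.example/ : Total time: 7200 : Elapsed time 5217 : Running method HTTPSTRONG | Layer7 : Target https://victim.example/ : Total time: 7200 : Elapsed time 4792 : Running method HTTP
<OPER> STOPALL
"""

# "* nick (user@host) has joined" / "* nick has quit (reason)"
EVENT = re.compile(r"^\* (?P<nick>\S+) (?:\((?P<host>[^)]*)\) )?"
                   r"has (?P<kind>joined|quit)(?: \((?P<reason>.*)\))?$")
MSG = re.compile(r"^<(?P<nick>[^>]+)> (?P<text>.*)$")
# Nick shape "[CC]name|id"; the CC prefix is assumed to be a country code.
CC_NICK = re.compile(r"^\[(?P<cc>[A-Z]{2})\][^|]*\|\d+$")
TASK = re.compile(r"(?P<layer>\w+) : Target (?P<target>\S+) : Total time: (?P<total>\d+)"
                  r" : Elapsed time (?P<elapsed>\d+) : Running method (?P<method>\w+)")

def parse(log):
    """Summarise a channel log: joins/quits per prefix, task records, other messages."""
    out = {"joins": Counter(), "quits": Counter(), "tasks": [], "commands": []}
    for line in log.splitlines():
        line = line.strip()
        if (m := EVENT.match(line)):
            cc = CC_NICK.match(m["nick"])
            key = cc["cc"] if cc else "??"   # "[name][id]|F" and truncated nicks
            out["joins" if m["kind"] == "joined" else "quits"][key] += 1
        elif (m := MSG.match(line)):
            tasks = [t.groupdict() for t in TASK.finditer(m["text"])]
            for t in tasks:                  # status report from a bot
                t["bot"] = m["nick"]
                t["remaining"] = int(t["total"]) - int(t["elapsed"])
            if tasks:
                out["tasks"].extend(tasks)
            else:                            # anything else, e.g. operator commands
                out["commands"].append((m["nick"], m["text"]))
    return out

if __name__ == "__main__":
    print(parse(SAMPLE))
```
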