[Chris]

They will be good for practice, the only one thing is that FBI hostname freaks me out, im sure its fake but it still scares me lol :ph34r:

EDIT: Sat there using a SOCKS proxy atm, see if I can get a password then type $remove, should be funny!

I have enclosed an nmap log in case my idea dont work, seems they are using the BNCs to hide their IP, does anyone want to tell them it shuld be on a different server with no ties to them whatsoever or shall I?

EDIT EDIT:

They are changing the server, maybe we have pissed them off, new one is at:

WARNING THIS IS A VIRUS! POSTED FOR RESEARCH ONLY

hxxp://www.freewebtown.com/sexygirl1/sexy.exe

Not detected by AVG, can't see what its packed with (if its packed, maybe its not). I will have to fire up my test box tommorow to find data).

WARNING THIS IS A VIRUS! POSTED FOR RESEARCH ONLY

Will tell you the new server / channel / password asap



The zip file attached is the log not the virus.

http://65.110.55.15%20:10000/ webmin

Attached File(s)

•  log.zip (1.58K)
  Number of downloads: 21

[ash^]

chris105, on Mar 16 2005, 06:38 PM, said:

EDIT: Sat there using a SOCKS proxy atm, see if I can get a password then type $remove, should be funny!

Problem:
the bot has probs got a hostauth set so only the bot owner can login to the bots and do commands

the chans modes are +u so you not be able to see other bots in the channels.

sexy.exe
Is a self extracting file so right click and choose extract to /sexy ( if you have winrar )


:ph34r:

[tibbar]

it's still alive:

:23�40�51:. *** Looking up your hostname...
.:23�41�10:. *** Found your hostname
[%] ?��Connected��?
.:23�41�10:. (%) ?��Connected to CASH.NICK.FBI.GOV��?
.:23�41�10:. (%) Welcome to the FBI IRC Network Hax0r!tibret@serifos.eecs.harvard.edu
.:23�41�10:. (%) Your host is CASH.NICK.FBI.GOV, running version Unreal3.2.2
.:23�41�10:. (%) This server was created Sun Dec 19 2004 at 11:35:47 EST
.:23�41�10:. (%) CASH.NICK.FBI.GOV Unreal3.2.2 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzNT
.:23�41�10:. (%) CMDS=KNOCK,MAP,DCCALLOW,USERIP SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 WALLCHOPS are supported by this server
.:23�41�10:. (%) WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beqa,kfL,l,psmntirRcOAQKVGCuzNSMT NETWORK=FBI CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=@%+ EXCEPTS are supported by this server
.:23�41�10:. There are 1 users and 478 invisible on 1 servers
.:23�41�10:. 2 operator(s) online
.:23�41�10:. 14 channels formed
.:23�41�10:. I have 479 clients and 0 servers
.:23�41�10:. Current Local Users: 479 Max: 952
.:23�41�10:. Current Global Users: 479 Max: 952
.:23�41�10:. [%] - CASH.NICK.FBI.GOV Message of the Day -
.:23�41�10:. - 3/11/2004 9:35

There are two channels i can see:

%] Now talking in [#rx-mp]
[%] Topic is '.advscan dcom135 100 3 999 217.83.x.x -r'
(pwd 6677)

and:

[%] Now talking in [#rx-talal]
[%] Topic is '$advscan lsass_445 100 5 0 -b -r'
[%] Set by [TaLaL`] on Wednesday, March 16th, 2005 at 9:24pm

I'm guessing TaLal` is the other op on the botnet

Hehe: .:23�52�47:. Closing Link: TaLaL`[serifos.eecs.harvard.edu] (User has been permanently banned from FBI (no reason))

[ash^]

Ive just connected to the server again tried having a play around the default chan modes are +mnstu so i dont think any of us are going to get very far.