HR Geeks

Hampton Roads Geek community

give me back my botnet!

This morning oreo and I were looking into an SSH issue with one of our cPanel servers (yes, yes I know) when we discovered a hacked web hosting account running a Ventrilo server. When we went to kill the user’s other processes we noticed something else running that was a little more interesting…

/home/<removed>/public_html/drivers/CVC/src/ircd

Our hosting box was also running an IRC daemon optimized for controlling botnets. Neato!
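The thing that gave this away was a binary executing from inside a public_html tree, which no legitimate hosting service process should do. The script below is an added example, not code from the original post: it walks a Linux /proc tree and flags every process whose executable path contains /public_html/, printing its pid, executable, working directory and command line. It builds a small constructed /proc lookalike (a benign sshd and an ircd under a made-up /home/exampleuser/public_html path) so it can be run offline; the PROC_ROOT argument and the helper names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): flag running processes whose
# executable lives under a web-hosting document root.
# Assumptions: Linux-style /proc layout (PID/exe, PID/cwd, PID/cmdline).
# The PROC_ROOT argument lets the scanner run over a constructed tree.

# find_webroot_procs PROC_ROOT PATTERN
# Prints "pid<TAB>exe<TAB>cwd<TAB>cmdline" for each process whose
# executable symlink target contains PATTERN (default /public_html/).
find_webroot_procs() {
  proc_root="${1:-/proc}"
  pattern="${2:-/public_html/}"
  for d in "$proc_root"/[0-9]*; do
    [ -d "$d" ] || continue
    pid="${d##*/}"
    # /proc/PID/exe is a symlink to the running binary. readlink without -f
    # reports the link target even if the binary was deleted after launch
    # (a common trick). Entries we are not allowed to read are skipped.
    exe=$(readlink "$d/exe" 2>/dev/null) || continue
    case "$exe" in
      *"$pattern"*)
        cwd=$(readlink "$d/cwd" 2>/dev/null || echo '?')
        # cmdline is NUL-separated; turn it into a single printable line.
        cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null || echo '?')
        printf '%s\t%s\t%s\t%s\n' "$pid" "$exe" "$cwd" "$cmd"
        ;;
    esac
  done
}

# make_fake_proc DIR: constructed /proc lookalike with one benign process
# (sshd from /usr/sbin) and one binary running from a public_html tree.
# The user name and path are made up for this example.
make_fake_proc() {
  root="$1"
  mkdir -p "$root/101" "$root/202"
  ln -s /usr/sbin/sshd "$root/101/exe"
  ln -s / "$root/101/cwd"
  printf '/usr/sbin/sshd\0-D\0' > "$root/101/cmdline"
  ln -s /home/exampleuser/public_html/drivers/CVC/src/ircd "$root/202/exe"
  ln -s /home/exampleuser/public_html/drivers/CVC "$root/202/cwd"
  printf './src/ircd\0' > "$root/202/cmdline"
}

# count_hits PROC_ROOT: number of flagged processes (useful as a cron check
# that exits non-zero when anything is found).
count_hits() {
  find_webroot_procs "$1" | wc -l | tr -d ' '
}

# Demo: scan the constructed tree, then the live system if /proc exists.
if [ "${DEMO:-1}" = 1 ]; then
  tmp=$(mktemp -d)
  make_fake_proc "$tmp"
  echo "constructed tree:"
  find_webroot_procs "$tmp"
  rm -rf "$tmp"
  if [ -d /proc/self ]; then
    echo "live system:"
    find_webroot_procs /proc
  fi
fi
```

Run it as root so every /proc/PID/exe is readable; run as an unprivileged user it only sees that user's own processes, which is exactly the blind spot a cPanel reseller account would have. The pattern argument can be widened to cover other writable locations (/tmp/, /var/tmp/, /dev/shm/) that hosting malware also likes to execute from.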

After fiddling for a bit we now had the IRC connection password and the IRC OP login. When we logged in we were quite surprised to find 800 exploited computers happily connected and awaiting orders. We tried a few commands but couldn’t figure out exactly how to control the botnet.

That was until we discovered the brilliant botnet operator had turned on debug logging. All that work setting up a server designed to hide who was connected and what was going on, only to turn on debugging. Whoops!

Not only did we now have full logs of how to control the bots, we were able to lock the operator out of his network by changing all his passwords.

As you might expect, the botnet owner was pretty upset. We contacted him via IRC and received a friendly response…

if you do not give me back my bots I’ll destroy you
remember that
I got your computer and your box
and a lot more
I know you

I’m sure the stress of losing all the nodes he worked so hard to exploit had him a little upset ;)


  1. Now that’s just plain funny!

    Reminds me of the guy last week and an application called G-Archiver. It’s a tool to download all of your Google Email and archive it locally. Only issue… the guy that wrote the program used his own username and password in the code and forgot to remove it before distributing it.

    Whoops. Made it too easy.
