Tue Aug 29 21:42:34 2023
“We have begun a difficult and uncertain journey, and none of us can see its end, but our cause remains a just one. That truth honours and sanctifies our fallen comrades who have made the ultimate sacrifice so that we might carry on the work that is ahead of us. We are gathered here today to honour their memory and their names.”
“May God stand between you and harm in all the empty places where you must walk.”
(all are still regularly updated as of roughly the above date; I apologize for any organizational issues and the raw nature of this data: there’s a lot to manage and a lot coming in while I’m still trying to analyze it manually to a certain degree and monitoring services; I also have a disorganized mess of a mind)
https://bcable.net/analysis-ukr-prelim.html
https://bcable.net/analysis-ukr-graphs.html
https://bcable.net/analysis-ukr-indicators.html
https://bcable.net/analysis-ukr-ru_map_sessions.html
https://bcable.net/analysis-ukr-cn_map_sessions.html
https://bcable.net/analysis-ukr-miori_fail.html
https://bcable.net/analysis-ukr-botnet_perl.html
https://bcable.net/analysis-ukr-ddos_gh0st.html
https://bcable.net/analysis-ukr-indicators_2023.html
https://bcable.net/analysis-ukr-crew_001.html
https://bcable.net/analysis-ukr-inventory_attack.html
https://bcable.net/analysis-ukr-crew_002.html
inetnum: 81.161.229.0 - 81.161.229.255
netname: Serverion_BV-NET
org: ORG-DCB8-RIPE
abuse-c: SB27731-RIPE
country: NL
admin-c: SB27731-RIPE
mnt-lower: mnt-nl-descapital-1
mnt-routes: mnt-nl-descapital-1
mnt-domains: mnt-nl-descapital-1
tech-c: SB27731-RIPE
status: ASSIGNED PA
mnt-by: MNT-MCONSULTING
created: 2022-04-21T12:52:01Z
last-modified: 2022-09-26T14:11:36Z
source: RIPE
organisation: ORG-DCB8-RIPE
org-name: Des Capital B.V.
country: NL
org-type: LIR
address: Krammer 8
address: 3232HE
address: Brielle
address: NETHERLANDS
phone: +31851308338
phone: +13023803902
admin-c: AA35882-RIPE
tech-c: TA7409-RIPE
abuse-c: AR60082-RIPE
mnt-ref: mnt-nl-descapital-1
mnt-ref: RELCOMGROUP-EXT-MNT
mnt-ref: FREENET-MNT
mnt-ref: MNT-NETERRA
mnt-ref: MNT-MAYAK
mnt-ref: bg-mcreative-1-mnt
mnt-ref: mnt-bg-mconsulting15-1
mnt-ref: bg-mconsulting-1-mnt
mnt-ref: MNT-MCONSULTING
mnt-ref: mnt-bg-ccomp-1
mnt-by: RIPE-NCC-HM-MNT
mnt-by: mnt-nl-descapital-1
created: 2020-03-17T15:00:52Z
last-modified: 2022-09-26T13:22:34Z
source: RIPE # Filtered
mnt-ref: AZERONLINE-MNT
mnt-ref: interlir-mnt
real0days.mysellix.io. 300 IN A 104.18.4.210
real0days.mysellix.io. 300 IN A 104.18.5.210
$ curl -i 81.161.229.185
HTTP/1.1 200 OK
Date: Fri, 18 Aug 2023 23:49:16 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Wed, 16 Aug 2023 11:57:30 GMT
ETag: "46b-6030900028a2d"
Accept-Ranges: bytes
Content-Length: 1131
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html lang="en" >
<head>
<meta charset="UTF-8">
<title>HoneypotV3 - real0days.mysellix.io</title>
<link rel="stylesheet" href="./style.css">
</head>
<body>
<!-- partial:index.partial.html -->
<link href="https://fonts.googleapis.com/css2?family=Fira+Code:wght@500&family=Fira+Mono:wght@500&display=swap" rel="stylesheet">
<div class="TextGlitch" id="title">
<div class="TextGlitch-clip">
<div class="TextGlitch-word"></div>
<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendA"></div>
<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendB"></div>
</div>
<div class="TextGlitch-clip">
<div class="TextGlitch-word"></div>
<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendA"></div>
<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendB"></div>
</div>
<div class="TextGlitch-clip">
<div class="TextGlitch-word"></div>
<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendA"></div>
<div class="TextGlitch-word TextGlitch-blend TextGlitch-blendB"></div>
</div>
</div>
<!-- partial -->
<script src="./script.js"></script>
</body>
</html>
dpd.arc: ELF 32-bit LSB executable, Synopsys ARCompact ARC700 cores, version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, for GNU/Linux 4.8.0, stripped
dpd.arm: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
dpd.arm5: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
dpd.arm6: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
dpd.arm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
dpd.i686: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
dpd.m68k: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
dpd.mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
dpd.mpsl: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
dpd.ppc: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
dpd.sh4: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
dpd.spc: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
dpd.x86: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
gpon443: Bourne-Again shell script, ASCII text executable
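As an added example that is not part of the original notes: a small Python triage of the `file` output above, using a subset of those lines as constructed input. It pulls word size, byte order, machine, linking, interpreter and the "no section header" marker out of each line, then summarizes the shape of the drop: many 32-bit architectures (matching the "32bit systems only" claim in the bot's own README further down), statically linked, section header table removed, plus a shell-script loader. The heuristic in looks_like_iot_bot_drop and its thresholds are my assumptions, not something the page states.

```python
"""Triage `file` output for a multi-architecture bot drop (added example)."""
import re

# Constructed sample input: a subset of the `file` lines listed above for the
# dpd.* payloads and the gpon443 loader script.
FILE_OUTPUT = """\
dpd.arc: ELF 32-bit LSB executable, Synopsys ARCompact ARC700 cores, version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, for GNU/Linux 4.8.0, stripped
dpd.arm: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
dpd.m68k: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
dpd.mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
dpd.mpsl: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
dpd.x86: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
gpon443: Bourne-Again shell script, ASCII text executable
"""

# Leading fields of a `file` ELF description: name, word size, byte order, type, machine.
ELF_RE = re.compile(
    r"^(?P<name>[^:]+): ELF (?P<bits>\d+)-bit (?P<endian>LSB|MSB) "
    r"(?P<kind>executable|shared object|relocatable|pie executable), (?P<arch>[^,]+),"
)
INTERP_RE = re.compile(r"interpreter (?P<interp>\S+),")


def parse_file_output(text):
    """One dict per line: ELF lines get structured fields, anything else keeps its raw description."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ELF_RE.match(line)
        if not m:
            name, _, desc = line.partition(":")
            rows.append({"name": name.strip(), "elf": False, "desc": desc.strip()})
            continue
        interp = INTERP_RE.search(line)
        rows.append({
            "name": m["name"],
            "elf": True,
            "bits": int(m["bits"]),
            "endian": "little" if m["endian"] == "LSB" else "big",
            "arch": m["arch"].strip(),
            "static": "statically linked" in line,
            # `file` prints "no section header" when the section header table was
            # removed; that also defeats the symbol-table based "stripped" check.
            "no_section_header": "no section header" in line,
            "interpreter": interp["interp"] if interp else None,
        })
    return rows


def summarize(rows):
    """Counts that describe the shape of the drop."""
    elf = [r for r in rows if r["elf"]]
    return {
        "elf_count": len(elf),
        "architectures": sorted({r["arch"] for r in elf}),
        "word_sizes": sorted({r["bits"] for r in elf}),
        "big_endian": sum(r["endian"] == "big" for r in elf),
        "static": sum(r["static"] for r in elf),
        "no_section_header": sum(r["no_section_header"] for r in elf),
        "dynamic_interpreters": sorted({r["interpreter"] for r in elf if r["interpreter"]}),
        "non_elf": [r["name"] for r in rows if not r["elf"]],
    }


def looks_like_iot_bot_drop(rows, min_arches=4):
    """Assumed heuristic: several 32-bit architectures, mostly static, plus a loader script."""
    s = summarize(rows)
    return (
        len(s["architectures"]) >= min_arches
        and s["word_sizes"] == [32]
        and s["static"] >= s["elf_count"] // 2
        and bool(s["non_elf"])
    )


if __name__ == "__main__":
    rows = parse_file_output(FILE_OUTPUT)
    for k, v in summarize(rows).items():
        print(f"{k}: {v}")
    print("iot bot drop:", looks_like_iot_bot_drop(rows))
```

Run it against `file * ` output captured from a quarantined copy of the drop directory; the dynamically linked ARC build with its uClibc interpreter stands out because it is the one sample that will not run on a box whose loader path differs, which is worth knowing before trying to emulate it.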
Shadows CNC
- Simple CnC Design
- Stable DDOS Bot
- Stable CnC No Crashes
Portability
- 32bit systems only (always compatible with 64 bit...) apply general situational awareness, don't strain small systems
- Process Persistence (if our process gets killed for some reason we will restart)
Malware Killer
- bot starts copying itself and starts as a normal system process (so we can kill /bin/busybox and effectively lock the device)
- Scan Their Filenames And plus the files path
Attacks
- Attacks Will Be Ported To Be Slower For Saving More Resources For More Devices
Methods
- udpflood : Generic (UDP) Flood
- gameflood : Game (UDP) Flood
- udpplain : Custom (UDP) Flood With Plain Packets
- synflood : Basic (TCP) Flood With (SYN) Flags
- ackflood : Basic (TCP) Flood With (ACK) Flags
- icmpflood : Basic (TCP-SYN) Flood With Data Len
- tcpbypass : Advanced (TCP-SOCKET) Flood Overload CPU/SERVER With Rand Data & Open Connections
- tcpflood : Basic (TCP-ACK) Flood With Randomized Data/Payload
- hexflood : Complex (UDP) STDHEX Flood Bypass Mitigations
- tcplegit : Basic (TCP-ACK) Flood
- httpflood : Basic (HTTP) Flood
>> You Can Request More Methods If Needed
>> Contact https://t.me/no0days For Support You Will Get Lifetime Support
Malware infection message:
[ProjectYBot]_Initiating_Malware_Killer
Located malware C2 server: 217.32.184.17:23
$ nc 217.32.184.17 23
Ncat: Connection reset by peer.
inetnum: 217.32.184.0 - 217.32.184.255
netname: BT-ONEVOICE-GSIP
descr: BT-ONEVOICE-GSIP
country: GB
admin-c: BS1474-RIPE
tech-c: BS1474-RIPE
status: ASSIGNED PA
remarks: Please send abuse notification to abuse@bt.net
remarks: INFRA-AW
mnt-by: BTNET-MNT
mnt-lower: BTNET-MNT
mnt-routes: BTNET-MNT
created: 2018-10-18T08:50:22Z
last-modified: 2018-10-18T08:50:22Z
source: RIPE
role: BTnet Support
address: Adhara
address: Adastral Park
address: Martlesham Heath
address: Ipswich
address: SUFFLK IP5 3RE
address: GB
phone: +44 800 0858963 5
phone: +44 1473 336231
admin-c: FLS15-RIPE
tech-c: BS1474-RIPE
nic-hdl: BS1474-RIPE
remarks: For all queries contact as2856peering@bt.com
remarks: Please send delisting issues to btnetdns@bt.net
mnt-by: BTNET-MNT
created: 2002-04-30T07:54:10Z
last-modified: 2009-11-19T15:52:52Z
source: RIPE # Filtered
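As an added example that is not part of the original notes, and that covers both the Serverion / Des Capital records above and this BT record: a Python parser for RIPE-style whois text that turns each record into a dict (repeated attributes such as mnt-ref and remarks kept in order), expands the inetnum range to CIDR, follows the org: handle to the organisation record, and answers which netname, organisation and abuse contact an observed IP falls under. The embedded records are trimmed copies of the ones on this page, not a live query; the 104.18.4.210 address from the mysellix DNS answer is included to show the no-match case.

```python
"""Parse RIPE-style whois records and map observed IPs to them (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample input: the inetnum and organisation records quoted on this
# page, trimmed to the fields this check needs (not a live whois query).
RIPE_RECORDS = """\
inetnum: 81.161.229.0 - 81.161.229.255
netname: Serverion_BV-NET
org: ORG-DCB8-RIPE
abuse-c: SB27731-RIPE
country: NL
mnt-by: MNT-MCONSULTING
status: ASSIGNED PA
source: RIPE

organisation: ORG-DCB8-RIPE
org-name: Des Capital B.V.
country: NL
abuse-c: AR60082-RIPE
mnt-ref: mnt-nl-descapital-1
mnt-ref: MNT-MCONSULTING
source: RIPE # Filtered

inetnum: 217.32.184.0 - 217.32.184.255
netname: BT-ONEVOICE-GSIP
country: GB
remarks: Please send abuse notification to abuse@bt.net
remarks: INFRA-AW
mnt-by: BTNET-MNT
source: RIPE
"""


def parse_whois(text):
    """Split whois text on blank (or % comment) lines; each record is attr -> [values]."""
    records = []
    current = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%"):
            if current:
                records.append(dict(current))
                current = defaultdict(list)
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        current[key.strip().lower()].append(value.strip())
    if current:
        records.append(dict(current))
    return records


def inetnum_range(rec):
    """Turn 'a.b.c.d - e.f.g.h' into the CIDR blocks that cover it."""
    start, end = [s.strip() for s in rec["inetnum"][0].split("-")]
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def abuse_contact(rec):
    """Prefer abuse-c; fall back to an address mentioned in remarks (as BT does)."""
    if "abuse-c" in rec:
        return rec["abuse-c"][0]
    for remark in rec.get("remarks", []):
        for tok in remark.split():
            if "@" in tok:
                return tok
    return None


def resolve_org(rec, records):
    """Follow the inetnum's org: handle to its organisation record, if present."""
    handle = rec.get("org", [None])[0]
    for r in records:
        if handle and r.get("organisation", [None])[0] == handle:
            return r
    return None


def locate(ip, records):
    """Netname, abuse contact and org-name of the inetnum containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for rec in records:
        if "inetnum" not in rec:
            continue
        if any(addr in net for net in inetnum_range(rec)):
            org = resolve_org(rec, records)
            return {
                "netname": rec["netname"][0],
                "abuse": abuse_contact(rec),
                "org_name": org["org-name"][0] if org else None,
            }
    return None


if __name__ == "__main__":
    recs = parse_whois(RIPE_RECORDS)
    for ip in ("81.161.229.185", "217.32.184.17", "104.18.4.210"):
        print(ip, locate(ip, recs))
```

Feed it the raw text of a `whois -h whois.ripe.net` query for the same addresses and the output is the same pivot you would otherwise do by eye: which LIR, which maintainer, and where the abuse report goes. Ranges that are not /24-aligned come back as several CIDR blocks, which is why the containment test loops over the list.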