[Tut] - Hunting Botnets

Hexboy

Member
Jul 16, 2015
So I noticed that this was bare and decided to do something about it and started to do some hunting.
This is what I did and I think I have found a few.

What you will need:
Linux
Masscan (https://github.com/robertdavidgraham/masscan)
My attached scripts (Python, for Windows)
An IRC client (mIRC)

Sterilizer:

Code:
import re

fname = "botnets.txt"
outputfile = "clean_botnets.txt"

# masscan -oX writes one <address addr="x.x.x.x" addrtype="ipv4"/> per host record;
# [^"]+ stops at the closing quote rather than running past it
ADDR_RE = re.compile(r'address addr="([^"]+)"')

def Main():
    # Sterilise the raw masscan XML log into a single IP per line
    # (output file opened once, appended to, instead of reopened per line)
    with open(fname) as f, open(outputfile, 'a') as cleanfile:
        for line in f:
            match = ADDR_RE.search(line)
            if match is None:
                continue
            cleanfile.write(match.group(1) + "\n")
    print("Done.")

Main()

Banner Grabber:

Code:
import socket
from threading import Thread, Semaphore, Lock

filename = "clean_botnets.txt"
resultFile = "results_botnets.txt"
port = 6667
max_connections = 100  # cap concurrent sockets so the OS does not run out of file handles

slots = Semaphore(max_connections)
write_lock = Lock()  # all threads append to the same result file

def grab_banner(currentIp):
    # Connect, read whatever the service says first, and append it to the results
    with slots:
        try:
            s = socket.create_connection((currentIp, port), timeout=1)
            try:
                banner = s.recv(1024).decode("utf-8", "replace")
            finally:
                s.close()
        except Exception:
            # Timeouts, refused connections and unreachable hosts are expected noise
            return
    with write_lock:
        with open(resultFile, 'a') as results:
            results.write(currentIp + ':' + banner + "\n")

def main():
    # Read the host list once, rather than once per thread, and start at line 0
    with open(filename) as f:
        hosts = [line.rstrip("\r\n") for line in f if line.strip()]
    threads = [Thread(target=grab_banner, args=[ip]) for ip in hosts]
    for t in threads:
        t.start()
    for t in threads:
        t.join()

main()



What to do:

1. Run masscan (check out the GitHub repo for more info on the commands).
Code:
masscan 103.42.224.42/16 -p6665-6667 --banners -oX botnets.txt

2. Once complete, run your file through the sterilizer; be sure to set the input and output files in the script.

3. Then set the port, input file and output file in the banner grabber and launch it.

I have been opening the result file in Notepad++, as it alerts when the file changes, so you can monitor it for updates, aka BOTNETS (maybe).

Here is an example of what I got when I ran 1/4 of the hosts from the above results:

203.28.168.228::whitecore-sim.org NOTICE AUTH :*** Looking up your hostname...

:whitecore-sim.org NOTICE AUTH :*** Checking Ident


203.28.168.228:ERROR :Trying to reconnect too fast.


203.198.75.129::irc.foonet.com NOTICE AUTH :*** Looking up your hostname...


203.144.4.132:
203.183.217.153::irc.prime100.com NOTICE * :*** Looking up your hostname...


203.198.75.129::irc.foonet.com NOTICE AUTH :*** Looking up your hostname...

:irc.foonet.com NOTICE AUTH :*** Found your hostname (cached)


203.183.217.153::irc.prime100.com NOTICE * :*** Looking up your hostname...


203.198.160.233::irc.foonet.com NOTICE AUTH :*** Looking up your hostname...


203.45.199.110:
203.126.147.121:
203.47.6.6:SSH-2.0-OpenSSH_3.9p1

203.144.4.132:
203.144.4.132:
203.198.185.118::irc.foonet.com NOTICE AUTH :*** Looking up your hostname...


203.180.170.190:SSH-1.5-Server

203.58.93.40:NOTICE AUTH :*** Processing connection to irc1.riverwillow.net.au


203.183.46.41::irc.prime100.com NOTICE * :*** Looking up your hostname...


203.80.251.70::irc.foonet.com NOTICE AUTH :*** Looking up your hostname...

It's pretty dirty; I did all this in maybe 30 minutes. I'll get around to doing it in C# maybe tonight or tomorrow and make a video.
When you find one, it's mostly a matter of connecting with your IRC client and attempting to sniff out the commands; you could also make/use a bot to do this and attempt to steal the zombies at some point.

Anyway hope this wasn't too scrappy and makes some sense :)
Peace!
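As an added example (not one of Hexboy's scripts), here are the same two steps done over the masscan XML directly: an ElementTree parser that pulls ip, port and banner out of the -oX output the sterilizer greps with a regex, and a classifier that sorts banners the way the results above get sorted by eye (IRC greeting, SSH, empty, other). The sample XML is constructed here, and masscan's <host>/<address>/<port>/<service banner> layout is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout masscan writes with -oX --banners (layout assumed):
# the open-port record and the banner record for one ip:port arrive as separate <host> elements
SAMPLE_XML = """<nmaprun scanner="masscan" start="1437000000" version="1.0-BETA" xmloutputversion="1.03">
<host endtime="1437000001"><address addr="203.0.113.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="6667"><state state="open" reason="syn-ack" reason_ttl="53"/></port></ports></host>
<host endtime="1437000002"><address addr="203.0.113.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="6667"><service name="banner" banner=":irc.example.net NOTICE AUTH :*** Looking up your hostname..."/></port></ports></host>
<host endtime="1437000003"><address addr="203.0.113.22" addrtype="ipv4"/><ports><port protocol="tcp" portid="6667"><service name="banner" banner="SSH-2.0-OpenSSH_3.9p1"/></port></ports></host>
<host endtime="1437000004"><address addr="203.0.113.33" addrtype="ipv4"/><ports><port protocol="tcp" portid="6666"><state state="open" reason="syn-ack" reason_ttl="48"/></port></ports></host>
</nmaprun>
"""

# IRC servers greet with NOTICE AUTH / NOTICE *, a numeric reply (":server 001 ...") or a PING
IRC_RE = re.compile(r'NOTICE (AUTH|\*) |^:\S+ \d{3} |^PING :', re.M)

def classify(banner):
    # Label the first bytes a service sent, as the results above were sorted by eye
    if not banner:
        return "none"
    if banner.startswith("SSH-"):
        return "ssh"
    if IRC_RE.search(banner):
        return "irc"
    return "other"

def parse_masscan_xml(text):
    # Return {(ip, port): banner}, banner "" when masscan only saw the port open
    hosts = {}
    for host in ET.fromstring(text).iter("host"):
        addr = host.find("address")
        if addr is None:
            continue
        for port in host.iter("port"):
            key = (addr.get("addr"), int(port.get("portid")))
            svc = port.find("service")
            banner = svc.get("banner", "") if svc is not None else ""
            if banner or key not in hosts:  # never let a later empty record erase a banner
                hosts[key] = banner
    return hosts

def triage(text):
    # Group ip:port by what the banner says it is, so only the "irc" bucket needs a closer look
    buckets = {}
    for (ip, port), banner in sorted(parse_masscan_xml(text).items()):
        buckets.setdefault(classify(banner), []).append("%s:%d" % (ip, port))
    return buckets
```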
 

Asphyxia

Owner
Administrator
Apr 25, 2015
Someone just used a shit load of WordPress pingback shit against the website. Here is a list of all of those WordPress sites. Feel free to hijack this fag's list:


Tags: XMLRPC WordPress Exploit DDOS List
Report the list or do whatever you want with them, but understand it is your responsibility whatever you do with this information, not the responsibility of the R4P3 forum nor staff. ;)

TexxhornTV

Member
Sep 23, 2015
Is it possible to use it for UnrealIRCd servers :D ?

Have found over 1K hosts ...

rate: 0.10-kpps, 38.67% done, 0:20:18 remaining, found=1249 ng, found=1172
Any Tips how to bind the hosts to my irc server are welcome in a private message :D

Code:
import time,re,sys,os,socket
import threading
import ctypes

from threading import Thread

filename = "clean_botnets.txt"
resultFile = "results_botnets.txt"
port = 6667

def main(x):
    with open(filename) as f:
        lines=f.readlines()
        newline = lines[x+1].rstrip("\r\n")
        grab_banner(newline)

def file_len():
    with open(filename) as f:
        for i, l in enumerate(f):
            pass
    return i + 1

def grab_banner(currentIp):
    try:
        s=socket.socket()
        s.settimeout(1)
        s.connect((currentIp,port))
        s.settimeout(1)
        banner = s.recv(1024)
        #print currentIp + ':' + banner
        with open(resultFile, 'a') as results:
            results.write(currentIp + ':' + banner + "\n")
            results.close()
    except:
        e = sys.exc_info()[0]
        #print currentIp + ":" + str(e) + "\n"

countOfLines = file_len()

for x in range(0, countOfLines):
    thread = Thread(target=main, args=[x])
    thread.start()

Error:
C:\Users\PC>C:\Users\PC\Desktop\Banner.py
Traceback (most recent call last):
  File "C:\Users\PC\Desktop\Banner.py", line 4, in <module>
    import ctypes
  File "C:\Python27\lib\ctypes\__init__.py", line 540, in <module>
    from ctypes._endian import BigEndianStructure, LittleEndianStructure
  File "C:\Python27\lib\ctypes\ctypes\__init__.py", line 20, in <module>
    raise Exception, ("Version number mismatch", __version__, _ctypes_version)
Exception: ('Version number mismatch', '1.0.2', '1.1.0')

Exception in thread Thread-3275:
Traceback (most recent call last):
  File "C:\Python27\lib\threading.py", line 810, in __bootstrap_inner
    self.run()
  File "C:\Python27\lib\threading.py", line 763, in run
    self.__target(*self.__args, **self.__kwargs)
  File "C:\Users\PC\Desktop\Banner.py", line 13, in main
    with open(filename) as f:
IOError: [Errno 24] Too many open files: 'clean_botnets.txt'

cela

Member
Aug 10, 2016
Can you send me the Python file for hunting botnets?? I want to try it on Windows.