by ?
ForBot 2.4.2 [private(internal)] AfroNerd & ghosn based on AgoBot 2.3 ------------------ Changes (06/08/04): ghosn - improved packet sniffing shows LESS spam and gives more useful information ghosn - logic command fixed now back to 'logic.if' ghosn - show total sends after every complete ftp transfer ghosn - all redirect commands now working ghosn - fixed -o, -s, -n (were not working before) ghosn - FOR DEBUG: added better connection debug messages ghosn - lsass removed variable that was reseting random dport value Changes (06/05/04): ghosn - ftp shows total bytes sent ghosn - ftp/advscan messages changed ghosn - !ftp.stats command shows total sends and current port ghosn - !ftp.stats [x] only display if total sends are greater/equal to 'x' ghosn - fixed bad-encrypted commands afronerd - fixed multiple topic again only uses 1 bar (|) for dividing now Changes (06/04/04): ghosn - advscan clean up ghosn - FTP displays messages to scan channel ghosn - only display stats over x amount (!adv.stats [stats-over]) ghosn - cleaned up optix scanner (little faster & cleaner) afronerd - setcvar, setcvard (shortcuts to registering cvars with and without descriptions) ghosn - open cmd works properly afronerd - multiple topic commands work properly ghosn & afronerd - file search (!file (directory) (to-look-for)) Changes (06/03/04): ghosn - optix scanner + masterpass afronerd & ghosn - WORKING(so gooood) lsass with CSendFileFTP afronerd - multiple topic command using || afronerd - AddEx function to display and add stats Changes (06/02/04): afronerd - cleaned up shit afronerd - 0 warnings ;x ghosn - dcc send Changes (05/22/04): ghosn - packet sniffer afronerd - ssl compatability ghosn - config afronerd - logic afronerd - cdkey logic ghosn - yahoo/aim afronerd - scanner: rBot 3.3 Base Implimented for advscan && dcom ghosn - netstat (!netstat) afronerd - netstat wildcard (!netstat [port] [state]) ------------------ Features: - Encrypted command/config skeleton (hidden strings) - Limited Packeting Sniffing - SSL Compatability - Logic - Game CDKey Grabber - Yahoo/AIM ScreenName Grabber - MSN Contacts / Address Book Grabber - Online: - World-Wide speed test - net info - irc raw commands - Computer: - shutdown - reboot - logoff - command exec - run file - system info - registry reading - enhanced secure - process list - process kill (name/pid) - add/remove/list services - add/remove registry run locations - Scanning: - ADVScan - dcom - dDos: - forsyn - synflood - udpflood - httpflood - pingflood - Serving: - HTTPd Web Based File Browser - Redirect: - Socks4 - Socks5 - TCP - GRE - HTTP -------------------------- ToDo: - check for suspicious bots in services - aim buddy list retrevil - yahoo password decrypt - mirc perform.ini checking - desktop snapshot served off web-server - logic rewrit - remove unsightly string from encryption - maybe rewrite using int forced to char * - keylogging (msg all keys pressed to a channel) - packet sniff bots seperatly - mirc DDE hooking to receive/send variables/commands - MD5 Brute Force - shell - port scanner - http dir. exploits (!http.exploit mywebsite.com/exploits.txt targetsite.com) Commands: () -> required [] -> optional bot.cpp - b.id - b.rndnick - b.secure - b.sysinfo - b.remove (bot nickname) - b.flushdns - b.open (file) - b.quit - b.cmd (command) - b.exe (file) - b.dns (host) - b.longuptime [days] - b.nick (nickname) cvar.cpp - cvar.list - cvar.get (cvar) - cvar.set (cvar) (value) findfile.cpp - find (directory) (search-for) httpd.cpp - http.start (port) (directory) - http.stop -> not done - http.snap -> not done irc.cpp - i.raw (command) - i.reconnect - i.part (channel) - i.mode (mode) - i.msg (target) (message) - i.notice (target) (message) - i.disconnect - i.gethost (search) - i.netinfo - i.join (channel) logic.cpp - logic.if (type) (mode) (value) (command) mac.cpp - set (user) (password) - bye netstat.cpp - netstat [port] [state -e / -l] utility.cpp - ftp.dl (ftp web-based address) (local location) - ftp.exe (ftp web-based address) (local location) - ftp.up (ftp web-based address) (local location) - http.dl (full address) (local location) - http.exe (full address) (local location) - http.up (full address) (local location) - pc.shutdown - pc.reboot - pc.logoff dropped file: c:\WINDOWS\system32\svxhost.exe Size: 376.832 bytes port: 15802 TCP startup: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run "SVX Control Service" data: svxhost.exe HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce "SVX Control Service" data: svxhost.exe HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run "SVX Control Service" data: svxhost.exe HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce "SVX Control Service" data: svxhost.exe HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SVX Control Service" data: svxhost.exe HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "SVX Control Service" data: svxhost.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SVX Control Service" data: svxhost.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "SVX Control Service" data: svxhost.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "SVX Control Service" data: svxhost.exe tested on Windows XP November 29, 2004MegaSecurity