View Full Version : Creating a BotNet



x1mpr0x
03-27-2008, 11:06 PM
Hello all! :D


A month ago this website I use was down for a few days. The owner contacted us saying they were "DDoSed". I knew nothing about the term so I googled it and read, and read and read and read. I became very interested and wanted to try "DoSing" someone myself. Knowing one person can't do anything, I figured 'hey, what's the harm?' So I downloaded a port scanner, and udp/syn/http flooder. I was very sure one person can't do anything to a website without a botnet or a group of people DoSing at the same time, but I was interested nonetheless. I figured I wouldn't be able to down a website but maybe bring a friend offline - I told him what I was going to do and he gave me his IP and I took a shot at it, failed. I knew I needed more people. That was the end of it for me, I forgot all about this and moved on with my life.

On Monday, I was minding my own business on IRC and someone spoke of DoSing and I told him everything I knew because the guy was clueless lol, he had spoken of which port to attack with his SYN flooder to down a website and I told him it was wasting his time without a botnet. He obviously replied "HOW CAN I BOTNET LOL!" I told him a botnet was out of reach for him (I am sure they have to be created, not downloaded). So 20 minutes later someone I know and don't really like messaged me saying "botnets are possible faggot" and boom, I was offline. I netstat'd and I had a bunch of incoming SYN requests. I was being SYN flooded. So I got offline for a few hours. I was angrier than I'd ever been. I told some friends and they linked me this:

http://partyvan.info/index.php/Botnet

I did EVERYTHING that guide asked, and at the VERY end, TsunamiOverHost.exe wouldn't work. Scratch what I said earlier about being the angriest, NOW I was angry.


I saw a year+ old post on here where someone had a guide to a botnet with a bunch of dead links, so I decided to make my own thread.


I am interested in creating a Botnet. I need some help, I am not lazy and I'm willing to be patient, learn, and read. I will look myself if you provide me with a name of a program or something that will help me. I will work as hard as I can, I NEED to do this.


And before I start over on creating a botnet, is there any way to carry on with what I've done? All I'm missing is TsunamiOverHost and it's like NOWHERE on the internet besides that website.


I am willing to paypal someone a few dollars if they'd like, for helping me of course.

I hope I put this in the right forum >.<



Thank you all, for helping a fellow human out ^.^

Moonbat
03-28-2008, 05:19 PM
Where are you hosting off of? If you are using a free host to run TsunamiOverhost, it's most likely not gonna work. Free hosts disable many of the functions needed for it to work, like fsockopen(). Also, a widespread botnet tool like TsunamiOverhost can probably be detected by the webserver and your account will be terminated. This is evident even more so on a paid host.

If I were you, I'd either use RFI to get on another site's server and go from there, or install WAMP on your own PC and run it off of there.

x1mpr0x
03-28-2008, 05:51 PM
Well, let me show you what I get when I try to open TsunamiOverHost.exe

http://img*56.imageshack.us/img*56/*557/2***6246*7252kv8.png



Also, the host I am using is drivehq, and I am having problems giving "777" permission to Update.txt to begin with lol..


DriveHQ is like the only free host that supports ftp ><

Moonbat
03-28-2008, 06:16 PM
Like I said, you have two choices really. A free host won't work for a botnet **% of the time.

You can either host off your own PC using WAMP, or you can try to hack into a server and use it for yourself.

x1mpr0x
03-28-2008, 08:49 PM
Can you please elaborate a little bit? I'd LOVE to do that. Because DriveHQ is sorta pissing me off, not letting me edit this. I notice you said you used TsunamiOverHost in another thread, I let out a sigh in relief lol.. Do you use WAMP for your Tsunami? Also, looking for WAMP now, will it require me to use an FTP client to connect to it? Like flashfxp, filezilla, etc.


On top of that, how can I solve my TsunamiOverHost.exe problem?

Moonbat
03-28-2008, 09:34 PM
WAMP is just a collection of Apache webserver, PHP, and MySQL in one. It lets you easily start up a webserver on your computer. Find more details here.

http://www.wampserver.com/en/

And no, WAMP will be running on your own computer, so you don't need FTP, lol.

x1mpr0x
03-28-2008, 10:06 PM
I am the admin of my computer, why do I get that message when I open up Tsunami? You think my copy may be corrupt?

Moonbat
03-28-2008, 10:24 PM
What message are you getting? Can you post a screenshot?

x1mpr0x
03-28-2008, 10:59 PM
http://img*56.imageshack.us/img*56/*557/2***6246*7252kv8.png



does that link work for ya? I tried [IMG] tagging like I usually do but they were thrown off, dunno why.


Update: Yeah if I try to open TsunamiOverHost.exe or any DoS tool that I got from this (http://rapidshare.com/files/5*88**6*/**_DDoS_Tools_by_-_Player_-.rar) I get:

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

I can't copy it either I get this:

Cannot copy: filename

Make sure the file isn't write protected or in use etc etc

I know it isn't in use.. and I can edit its name so idk about write protected.. Can you help me with this? I'd really appreciate it.

I am administrator btw, I tried right clicking and selecting "run as" and going on administrator. I disabled all antiviruses/firewalls as well. Not helping.

Moonbat
03-29-2008, 10:51 AM
Well, I can't think of anything specific to help you, so let's just do a little checklist to make sure any obvious reasons are out of the way.

Do you have the latest version of the .NET Framework? Is the .exe file in the same directory as the other files?

x1mpr0x
03-29-2008, 12:29 PM
I've tried running the exe from different folders, from C:\ directly, and from the .rar it's in. Same message lol.. I basically can't run any file that has this icon:

http://img265.imageshack.us/img265/5**5/exeicontu*.png

I am using .NET Framework 2.0

gordo
03-29-2008, 12:43 PM
It looks like the standard warning when a security app disables an exe. Some free security apps are difficult to disable totally. Try booting in safe mode and go from there.

x1mpr0x
03-29-2008, 12:45 PM
Alright bro, I'll try that now then. Thanks.

x1mpr0x
03-29-2008, 12:59 PM
Okay, they worked in safe mode :D

It's most likely my antivirus, I'm using AVG Free Edition 7.5, what do you recommend I do?

Moonbat
03-29-2008, 03:39 PM
Uninstall AVG. :D If it still continues to operate even after you disable it, that's pretty much the company telling you that they think they know more about your security needs than you do. I'd trash such a program.

As far as antivirus goes, you shouldn't need it if you have some common sense, but if you are suspicious of a file, just scan it online with VirusTotal.

x1mpr0x
03-29-2008, 08:32 PM
Okay, so the only thing keeping me from my TsunamiOverHost Botnet, is not having a host, and not being able to change the CHMOD on update.txt to 777.


I downloaded WAMP, I don't know how to go about configuring this, I suppose I'll look online for a tutorial lol

Moonbat
03-29-2008, 09:25 PM
There's not much to 'configuring' WAMP. It's easy.

Also, you'll have to infect victims with the server.exe or whatever file was generated by TsunamiOverhost.exe. That's the harder part and requires you to find idiots dumb enough to open random .exe files.

x1mpr0x
03-29-2008, 09:45 PM
What exactly happens when the .exe is double clicked? It doesn't make it obvious at all does it? "DO YOU WISH TO BECOME PART OF THIS BOTNET?" Rofl xD! That was a joke of course. Okaayyyy I'm gonna follow this guide on setting up my WAMP: http://www.lunarforums.com/lunarpages_php_mysql/wamp_windowsapachemysqlphp_setup-t228*0.0.html . Do I need both Apache AND MySQL? They sorta seem like the same thing if I'm not mistaken

Moonbat
03-30-2008, 02:17 PM
To be honest, I've never clicked server.exe on myself before. I don't know what happens other than the clicker's system becomes part of the botnet. If they have a good AV or something maybe it'll catch it.

Apache and MySQL are two very different things. Apache is a web server, MySQL is a database manager.

x1mpr0x
03-30-2008, 03:19 PM
Ughhhh there are SO many downloads on apache website.



Could you possibly point me to what I'd have to download for WAMP to work? I don't have any options or anything for my WAMP, just says server offline in my taskbar. I can't open up any menus or anything, I'm guessing this is how it works, which means it has to be configured using something else? I'm guessing apache because I already have MySQL


Also for the "online.php" file, since I'm not using an FTP; what do I put in the $online_db_host field? This is what it looks like now.

// Set MySQL database variables
$online_db_host = "ftp.drivehq.com";
$online_db_name = "MYSQLDATABASENAME";
$online_db_user = "MYSQLNAME";
$online_db_pass = "MYSQLPASSWORD";

Moonbat
03-30-2008, 04:08 PM
WAMP comes with MySQL, Apache, and PHP already. There's no reason to download anything else.

Since you'll be hosting from your computer, you can set your db host to localhost.

To make sure WAMP is working properly, go to http://localhost and see if you get the WAMP start page. If you don't, that means something's wrong.

x1mpr0x
03-30-2008, 04:21 PM
Okay it's working properly, how can I upload my botnet folder to it


Taking an educated guess and saying it's c:\wamp

Now where in there, do I put my botnet folder? and how can I edit the CHMOD's after they are uploaded?




Also, I've already done this:


CREATE TABLE botnet (
date int NOT NULL,
ip varchar(40) NOT NULL,
b_id int unsigned primary key NOT NULL auto_increment
);


Into mysql 5.0 before I installed WAMP. Do I have to do this again for the WAMP version of mysql?

Moonbat
03-30-2008, 06:00 PM
I don't think you'll have to worry about CHMOD and all that.

Also, there should be a folder like wwwroot or something like that with an index page in it. Put your files in there.

x1mpr0x
03-30-2008, 06:47 PM
So I am safe to open up TsunamiOverHost now?


It says


Enter URL to your panel


do I just put http://localhost ?


I did that, it created server.exe, Now I gotta look for it.


I hope I am doing it right ><


I'll infect a few friends, see if it goes up :P




Update: Holy shit it's a mess in there, this is what "http://localhost/Xylophone" looks like.


http://img*00.imageshack.us/img*00/5*06/ffsfc2.png



ughh.. what did I do :(

Moonbat, since you also have Tsunami can I get your msn and I can go over what I have and match it to what you have? I can paypal you some ***** for all of this, you have helped out so much.

Moonbat
03-30-2008, 07:18 PM
I don't have Tsunami anymore. The server I had it on wised up on their security.

Also, for some reason I'm getting a 400 Bad Request for ImageShack. Can you host the pic somewhere else?

If you have a 2nd computer, you can try infecting yourself. I don't think your friends will appreciate it.

I barely get on MSN.

x1mpr0x
03-30-2008, 07:24 PM
K i'll host on tinypic:

http://tinypic.com/view.php?pic=2z57ib*&s=*


Do you still have any of the files when you had Tsunami? Do you know where you got yours from? >< Maybe this one I got off partyvan has messed up .txt's and .php's?



Sent it to GF who barely uses the computer, just to see if anything would change :P I'm gonna post some information

C:\wamp\www\Xylophone

index.php
online.php
update.php
update.txt

That's what's in there.

hmmm, here, lemme open up mysql;

show databases;

information_schema
mysql
test
xylophone



use xylophone;

database changed



show tables;

botnet


explain botnet;

http://tinypic.com/view.php?pic=2zekppe&s=*

Moonbat
03-30-2008, 07:34 PM
I got my copy of Tsunami off of h4cky0u. I don't have a link, and I think the thread is lost anyway because of the whole h4cky0u vs h4ck-y0u split.

Let's do another checklist before we start.

Are you able to login normally? It doesn't matter if the page looks messed up, as long as it works it's fine
Are you able to access your WAMP page from another computer using your computer's IP address? For example, if the computer w/ WAMP has IP 28.*04.54.2*0, type in http://28.*04.54.2*0 on another computer and see if it gets to your WAMP page.

x1mpr0x
03-30-2008, 07:39 PM
If you need any more information I can give it to you;

Here are the originals of the txts/phps and what they were after I edited them, maybe I screwed up here?

under index.php, original first, then my copy

<?
// SETTINGS FOR ADMIN ACCESS
$login = "admin"; // your login

//You must set it!
$password = ""; // your password


and mine:

<?
// SETTINGS FOR ADMIN ACCESS
$login = "x*mpr0x"; // your login

//You must set it!
$password = "thisismypwlol"; // your password



And now to look at online.php:

// Set MySQL database variables
$online_db_host = "";
$online_db_name = "";
$online_db_user = "";
$online_db_pass = "";

and my copy:

// Set MySQL database variables
$online_db_host = "http://localhost/";
$online_db_name = "Xylophone";
$online_db_user = "x*mpr0x";
$online_db_pass = "thisismypwlol";

Moonbat
03-30-2008, 07:41 PM
Ah, wait, hold on. Find the line:

$online_db_host = "http://localhost/";
And put in your computer's IP address:

$online_db_host = "http://YOURIPHERE/";
Sorry for my mistake telling you to put localhost, but I just realized that it won't work unless you put your own IP. Like I said, I've never used WAMP to host Tsunami.

So yeah, replace localhost with your IP. Then wait for someone to open up the server.exe or whatever. Then see if you can attack a site with it.

EDIT: Make sure you keep WAMP online. Always, otherwise your botnet won't work :)

x1mpr0x
03-30-2008, 07:44 PM
Login? If I go to http://localhost/ I'm automatically in. There are no logins.



if someone goes on they get this:

Forbidden

You don't have permission to access / on this server.

x1mpr0x
03-30-2008, 07:50 PM
WAMP is offline :S how do I get it online.

Moonbat
03-30-2008, 07:50 PM
No, go to the directory that Tsunami is in. There should be a control panel of some sort. I think you might've already logged in.

Is your WAMP server online? Do you have an index page in the main directory?

x1mpr0x
03-30-2008, 07:55 PM
http://tinypic.com/view.php?pic=*6s*6w&s=*

That's what http://localhost/ is


and in my taskbar, when I highlight WAMPSERVER it says "WAMPSERVER - server Offline"


Lemme ask you, do TsunamiOverHost.exe and server.exe have to be in a certain place? They are nowhere near c:\wamp\... in fact they are on d:\ lol

Moonbat
03-30-2008, 07:57 PM
I think you have to right-click the taskbar icon and put it online.

All your files are in the wwwroot folder right? So go to http://localhost/WHATEVERDIRECTORYTSUNAMIISIN and post a screenshot.

x1mpr0x
03-30-2008, 08:01 PM
okay, http://localhost/Xylophone:


http://tinypic.com/view.php?pic=2z57ib*&s=*


and in c:\wamp\www\Xylophone:

index.php
online.php
update.php
update.txt

Moonbat
03-30-2008, 08:03 PM
Hm.. okay, do you have IRC? If so, come to:

IRC server
irc.web******.com

Channel
#all-net-tools

x1mpr0x
04-01-2008, 03:11 PM
Yep, the WAMP didn't work, me and moon tried.



I can't run it properly from any FTP either, I'd need a specific name.



Gotta look around I guess.

indiansword
07-11-2009, 06:54 PM
I have read ENTIRE THREAD.

After reading the issues that ur facing with the WAMP, I am pretty positive that even if u can get the botnet to work, the part to spread ur virus would be tougher. And if u try to go learn hexing to make ur virus undetectable I think u'd be in a big mess. As u said in ur first thread, u have patience and are willing to learn.

If you want to learn how to HEX.. then check THIS WEBSITE (http://www.techmafias.com) out. Video tutorials are there under "video tutorials"

anjalia
08-02-2009, 05:47 AM
The only reason botnets are so effective is they are distributed. When they come from all over the place, you have to do a ton of individual blocks. If they are all from the same IP space, ok just black hole China's space and that's it. Wouldn't take a block from very many top level providers and they'd be doing nothing at all.

kuilu
08-16-2009, 01:53 AM
People do this for many reasons. Maybe to tell others look I can hack your site or they want to take info, such as license keys from Kaspersky's site (which one Romanian hacker succeeded with ease I heard). But some just do it to prove that they can do it, or because they are angry and want revenge. This subject can be largely discussed but you can never know for sure.

lopez124
01-09-2010, 06:40 AM
A typical example is a web server log which maintains a history of page requests. The W*C maintains a standard format for web server log files, but other proprietary formats exist. More recent entries are typically appended to the end of the file. Information about the request, including client IP address, request date/time, page requested, HTTP code, bytes served, user agent, and referer are typically added. These data can be combined into a single file, or separated into distinct logs, such as an access log, error log, or referer log. However, server logs typically do not collect user-specific information. These files are usually not accessible to general Internet users, only to the web****** or other administrative person. A statistical analysis of the server log may be used to examine traffic patterns by time of day, day of week, referrer, or user agent. Efficient web site administration, adequate hosting resources and the fine tuning of sales efforts can be aided by analysis of the web server logs. Marketing departments of any organization that owns a website should be trained to understand these powerful tools.
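
Added example, not part of the thread or written by any poster: a defender-side check that combines the two posts above. It parses access-log lines with the fields lopez124 lists and measures anjalia's point, namely how many source-prefix blocks it would take to drop most of a flood. The Combined Log Format layout, the /16 prefix length, the 90% threshold and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def parse_line(line):  # fields of one log line as a dict, None if malformed
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def requests_per_prefix(records, prefix_len=16):  # requests per IPv4 source network
    counts = Counter()
    for rec in records:
        try:
            addr = ip_address(rec["ip"])
        except ValueError:
            continue  # logged as a hostname, not an address
        if addr.version == 4:
            counts[ip_network(f"{addr}/{prefix_len}", strict=False)] += 1
    return counts

def blocks_needed(counts, coverage=0.9):  # fewest prefixes, busiest first, covering the share
    total, covered, chosen = sum(counts.values()), 0, []
    for net, n in counts.most_common():
        if covered >= coverage * total:
            break
        chosen.append(net)
        covered += n
    return chosen

def summarize(lines, prefix_len=16, coverage=0.9):
    records = [r for r in map(parse_line, lines) if r]
    counts = requests_per_prefix(records, prefix_len)
    return len(records), len(counts), blocks_needed(counts, coverage)

def sample_line(ip):  # constructed log line, not real traffic
    return f'{ip} - - [09/Jan/2010:06:40:00 +0000] "GET / HTTP/1.1" 200 512 "-" "constructed-agent"'

# Constructed inputs: one flood from a single /16, one spread over 40 different /16s.
CONCENTRATED = [sample_line(f"198.51.100.{i}") for i in range(1, 41)] \
    + [sample_line("192.0.2.7")] * 2 + [sample_line("203.0.113.9")] * 2
DISTRIBUTED = [sample_line(f"10.{i}.0.{i}") for i in range(1, 41)]

if __name__ == "__main__":
    for name, lines in (("concentrated", CONCENTRATED), ("distributed", DISTRIBUTED)):
        print(name, summarize(lines)[:2], len(summarize(lines)[2]), "blocks for 90%")
```

On the concentrated sample a single /16 block covers 90% of requests; on the distributed sample the same coverage needs 36 separate blocks, which is the operational cost of a distributed source set.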