TeamSpeakCrack.com Botnet

Status
Not open for further replies.

L.

Well-Known Member
Sep 1, 2015
120
111
128
Hey Guys,
Some of you might know "TeamSpeakCrack.com"; they are selling cracked "Licensed hosting provider", so it looks like he is using you as a bot for DDoSing.
PHP:
=====
185.XX.XXX.XXX.20770 > 125.77.XX.XXX.websm: Flags [S], cksum 0x3e59 (correct), seq 736753997:736754967, win 63821, length 970
04:48:56.125306 IP (tos 0x0, ttl 250, id 64102, offset 0, flags [DF], proto TCP (6), length 1010)
185.XX.XXX.XXX.42861 > 125.77.XX.XXX.websm: Flags [S], cksum 0x8fac (correct), seq 540632826:540633796, win 61362, length 970
04:48:56.125316 IP (tos 0x0, ttl 251, id 10628, offset 0, flags [DF], proto TCP (6), length 1010)
185.XX.XXX.XXX.10220 > 125.77.XX.XXX.websm: Flags [S], cksum 0xb6b0 (correct), seq 1373668393:1373669363, win 63833, length 970
04:48:56.125324 IP (tos 0x0, ttl 253, id 23986, offset 0, flags [DF], proto TCP (6), length 1010)
185.XX.XXX.XXX.25616 > 125.77.XX.XXX.websm: Flags [S], cksum 0x51c4 (correct), seq 1490596445:1490597415, win 60661, length 970
04:48:56.125331 IP (tos 0x0, ttl 250, id 46144, offset 0, flags [DF], proto TCP (6), length 1010)
185.XX.XXX.XXX.47895 > 125.77.XX.XXX.websm: Flags [S], cksum 0x8486 (correct), seq 1026638004:1026638974, win 61564, length 970
04:48:56.125342 IP (tos 0x0, ttl 254, id 20271, offset 0, flags [DF], proto TCP (6), length 1010)
=====
[image: BBbmiY2.png]
"AccountingServerEmulator-Linux" is infected
Don't buy his shit, you can get it for free ;)

Regards

PS: I can upload "his" folder with the crack for you so you can take a look at it.
 

L.

Would be interesting to take a look at :)

Where did you get this information from?
I will PM you with the full Folder.
One of my friends bought it some months ago, and 2-3 days ago his TS started lagging, so I did take a look and saw that there is huge outgoing traffic.
Also asked the Server Support and they confirmed that it was the Emulator.

EDIT: *PMED*
 

L.

SYN Flood is strong
All are OVH IPs
[image: K6yVsdJ.png]

PHP:
185.XX.XXX.XXX.54241 > 192.XX.XXX.XX.http: Flags [S], cksum 0xda43 (correct), seq 935158886:935159842, win 60702, length 956
185.XX.XXX.XXX.58320 > 192.XX.XXX.XX.http: Flags [S], cksum 0x973b (correct), seq 609196849:609197805, win 64729, length 956
185.XX.XXX.XXX.23514 > 192.XX.XXX.XX.http: Flags [S], cksum 0x8d68 (correct), seq 32528377:32529333, win 62521, length 956
185.XX.XXX.XXX.17731 > 192.XX.XXX.XX.http: Flags [S], cksum 0xd503 (correct), seq 381622212:381623168, win 61084, length 956
185.XX.XXX.XXX.20006 > 192.XX.XXX.XX.http: Flags [S], cksum 0xd92d (correct), seq 1002624671:1002625627, win 64943, length 956
185.XX.XXX.XXX.57019 > 192.XX.XXX.XX.http: Flags [S], cksum 0x8db7 (correct), seq 252297384:252298340, win 64320, length 956
185.XX.XXX.XXX.ibm-diradm > 192.XX.XXX.XX.http: Flags [S], cksum 0x532e (correct), seq 824093587:824094543, win 63923, length 956
185.XX.XXX.XXX.61545 > 192.XX.XXX.XX.http: Flags [S], cksum 0xd731 (correct), seq 1833571796:1833572752, win 60588, length 956
185.XX.XXX.XXX.29414 > 192.XX.XXX.XX.http: Flags [S], cksum 0xbdfa (correct), seq 1685498359:1685499315, win 63511, length 956
185.XX.XXX.XXX.serialgateway > 192.XX.XXX.XX.http: Flags [S], cksum 0x6527 (correct), seq 774154384:774155340, win 63152, length 956

Different IPs

185.XX.XXX.XXX.53604 > 198.XX.XXX.XXX.http: Flags [S], cksum 0x4caf (correct), seq 1102532085:1102533041, win 64957, length 956
185.XX.XXX.XXX.6478 > 192.XX.XXX.XXX.http: Flags [S], cksum 0x2846 (correct), seq 339865801:339866757, win 61641, length 956
 
Last edited:
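
A detection sketch for the traffic pattern in the captures above, added here as an example (not part of the thread or any poster's code): it parses tcpdump text output and flags outbound bare SYN packets that carry a payload, grouped by destination. The function names, the threshold and the sample lines (documentation addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Address line of tcpdump text output, e.g.
# "192.0.2.10.20770 > 198.51.100.7.http: Flags [S], ..., length 970"
LINE = re.compile(
    r"^\s*(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\],"
    r".*\blength (?P<length>\d+)\s*$"
)

def split_endpoint(endpoint):
    """Split 'addr.port' on the last dot; the port may be a service name."""
    addr, _, port = endpoint.rpartition(".")
    return addr, port

def find_syn_floods(lines, local_addrs, min_packets=5):
    """Return {(src, dst, dport): stats} for outbound payload-bearing SYN bursts."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "sports": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # per-packet header lines and anything unparseable
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        length = int(m["length"])
        # Bare SYN only ("S." is a SYN-ACK). An ordinary client SYN has length 0.
        if m["flags"] != "S" or length == 0 or src not in local_addrs:
            continue
        entry = stats[(src, dst, dport)]
        entry["packets"] += 1
        entry["bytes"] += length
        entry["sports"].add(sport)
    return {k: v for k, v in stats.items() if v["packets"] >= min_packets}

# Constructed sample: six flood-shaped SYNs plus one ordinary handshake.
SAMPLE = [
    f"    192.0.2.10.{p} > 198.51.100.7.http: Flags [S], cksum 0x3e59 (correct), "
    f"seq 100:1070, win 63821, length 970"
    for p in (20770, 42861, 10220, 25616, 47895, "ibm-diradm")
] + [
    "04:48:56.125306 IP (tos 0x0, ttl 250, id 64102, offset 0, flags [DF], proto TCP (6), length 1010)",
    "    192.0.2.10.51514 > 203.0.113.5.https: Flags [S], seq 7, win 64240, options [mss 1460], length 0",
    "    203.0.113.5.https > 192.0.2.10.51514: Flags [S.], seq 9, ack 8, win 65535, length 0",
    "    192.0.2.10.51514 > 203.0.113.5.https: Flags [P.], seq 8:525, ack 10, win 502, length 517",
]

if __name__ == "__main__":
    for (src, dst, dport), s in find_syn_floods(SAMPLE, {"192.0.2.10"}).items():
        print(f"{src} -> {dst}:{dport} {s['packets']} SYNs, {s['bytes']} payload bytes, "
              f"{len(s['sports'])} source ports")
```

Feed it the lines of a saved `tcpdump -v` text capture together with the host's own addresses. TCP Fast Open SYNs also carry data, so a very low `min_packets` can flag legitimate clients.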

Supervisor

Administrator
Apr 27, 2015
1,863
2,546
335
I did a simple hash comparison between the Accounting servers. I guess your friend is having a different problem, as the hash values match:
teamspeakcrack.com acc-server (linux):
[image: b0f17ff100.png]

r4p3.net acc-server (linux):
[image: c4d12e27d7.png]

teamspeakcrack.com acc-server (windows):
[image: 9f6e46b1a6.png]

r4p3.net acc-server (windows):
[image: 751955cf5d.png]


As you can see, they match. So neither r4p3.net nor teamspeakcrack.com altered the crack from mesmerize.
 

L.

"Patryk" is one guy from the Support Team.

I know.
 

Supervisor

What support team are you talking about? The TeamSpeak support team? hahaha :) I'd be surprised if they'd tell you anything different than to uninstall the crack.
Even some VPS providers (if you have a managed server) will uninstall the crack, because it is "unwanted" software and, of course, it is a violation of the license agreement.
 

L.

Talking about the blazingfast Support Team :)
 

Bluscream

Retired Staff
Contributor
May 8, 2015
967
934
211
Code:
    printf("TeamSpeak 3 Accounting Server Emulator v0.1 - Windows");
    printf("\n(c) MESMERiZE 2011\n\n");
    printf("-? / --help\t\t- Print this\n");
    printf("-f <file>\t- define logfile\n");
    printf("-s\t\t- silent mode, no logging\n");
    printf("-p\t\t- define listening port (don't use this yet)\n");

Good to know. Never tried "--help", lol

Code:
"C:\\cr\\doc\\libs\\libtomcrypt\\src\\pk\\ecc\\ecc_import.c"
"c:\\cr\\doc\\libs\\libtomcrypt\\libtomcrypt-1.17\\src\\math\\ltm_desc.c"
https://github.com/libtom/libtomcrypt

Is also interesting...

+ Some example log with the mesmerize license key:
Code:
Tue Sep 29 17:12:20 2015
---begin client handler---
Tue Sep 29 17:12:20 2015
Server key data successfully initialized...
Tue Sep 29 17:12:20 2015
allocating memory for input buffer...
Tue Sep 29 17:12:20 2015
Awaiting packet from client...
Tue Sep 29 17:12:20 2015
Received client packet...
Tue Sep 29 17:12:20 2015
This must be the Hello-Packet from the client...
Tue Sep 29 17:12:20 2015
Received client packet...
Tue Sep 29 17:12:20 2015
This must be the encrypted key from the client...
Tue Sep 29 17:12:20 2015
Key from client successfully decrypted...
Tue Sep 29 17:12:20 2015
Setting up local key material...
Tue Sep 29 17:12:20 2015
Received client packet...
Tue Sep 29 17:12:20 2015
This must be the encrypted client license data header...
Tue Sep 29 17:12:21 2015
Received client packet...
Tue Sep 29 17:12:21 2015
This must be the encrypted client license data...
Tue Sep 29 17:12:21 2015
Sending server response to client
Tue Sep 29 17:12:21 2015
Received client packet...
Tue Sep 29 17:12:21 2015
This must be the last message the client sends to the accounting server...
Tue Sep 29 17:12:21 2015
---end client handler---
 

Bluscream

Well they use the same library as teamspeak :)

Are they only using this on the Server<->Accountingserver way or also on the Client<->Server way? If so we could build fake join packets 'n stuff :D
 