Hooking pBot

I’m working on analyzing remote file inclusion (RFI) code. For the pBot class, which uses an IRC server as its command and control (C&C), we are interested in getting the IP addresses of the C&C, the channel name, and the nickname used to connect to the IRC server.

Below is a sample of the output:

ok!
(host=irc.server_name.net, port=6667, , , 30)
( 1160 , “USER inul07429 127.0.0.1 localhost :Linux phpsBox 2.6.24-24-server #1 SMP Fri Sep 18 17:24:10 UTC 2009 i686 ” ,  )
( 1160 , “NICK [E]inul92112 ” ,  )
( 1160 , “MODE [E]inul92112 +ps” ,  )
( 1160 , “JOIN #knk !anime” ,  )
( 1160 , “PRIVMSG #trouxanime :[uname!]: Linux phpsBox 2.6.24-24-server #1 SMP Fri Sep 18 17:24:10 UTC 2009 i686 (safe: off)” ,  )
( 1160 , “PRIVMSG #trouxanime :[vuln!]: http://” ,  )
( 1160 , “NICK [E]inul97869” ,  )
( 1160 , “PONG :1508829909” ,  )
( 1160 , “PONG :1508829909” ,  )
( 1160 , “PONG :1508829909” ,  )
( 1160 , “PONG :1508829909” ,  )
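
One way to pull the C&C host, nicknames and channels out of hook output in this format, as an added example that is not code from the original post. The function name `extract_c2` and the result field names are assumptions, and the second `JOIN` parameter is read as the channel key, per standard IRC `JOIN` syntax.

```python
import re

# Hook output in the format shown above (lines taken from the sample, USER line shortened).
SAMPLE = """ok!
(host=irc.server_name.net, port=6667, , , 30)
( 1160 , “USER inul07429 127.0.0.1 localhost :Linux phpsBox 2.6.24-24-server” ,  )
( 1160 , “NICK [E]inul92112 ” ,  )
( 1160 , “MODE [E]inul92112 +ps” ,  )
( 1160 , “JOIN #knk !anime” ,  )
( 1160 , “PRIVMSG #trouxanime :[vuln!]: http://” ,  )
( 1160 , “NICK [E]inul97869” ,  )
( 1160 , “PONG :1508829909” ,  )
"""

# Hooked connect call: (host=..., port=..., ...)
CONNECT_RE = re.compile(r"host=([^,\s]+),\s*port=(\d+)")
# Hooked socket write: ( <resource id> , "<IRC line>" , ... ); straight or curly quotes
WRITE_RE = re.compile(r"^\(\s*\d+\s*,\s*[\"“](.*)[\"”]\s*,")

def extract_c2(log_text):
    """Return the C&C endpoints, nicknames, channels and message targets seen."""
    info = {"servers": [], "user": None, "nicks": [], "channels": {}, "targets": []}
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            info["servers"].append((m.group(1), int(m.group(2))))
            continue
        m = WRITE_RE.match(line.strip())
        if not m:
            continue  # status lines such as "ok!"
        parts = m.group(1).split()
        if len(parts) < 2:
            continue
        cmd, args = parts[0].upper(), parts[1:]
        if cmd == "NICK" and args[0] not in info["nicks"]:
            info["nicks"].append(args[0])  # bots often re-roll the nick, keep all
        elif cmd == "USER":
            info["user"] = args[0]
        elif cmd == "JOIN":
            # channel name -> channel key (None when no key was sent)
            info["channels"][args[0]] = args[1] if len(args) > 1 else None
        elif cmd == "PRIVMSG" and args[0] not in info["targets"]:
            info["targets"].append(args[0])  # reporting channel may differ from JOIN
    return info

if __name__ == "__main__":
    print(extract_c2(SAMPLE))
```

Resolving the extracted host name to IP addresses is a separate step and is best done at capture time, since C&C DNS records change.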
