[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] r57shell "hidden" feature

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] r57shell "hidden" feature
From: full_disclosure full_disclosure <fulll_disclosure@xxxxxxxxx>
Date: Thu, 7 Sep 2006 11:11:02 -0700 (PDT)

Hello

Doing some forensics I found that R57shell(version 1.31) a widely used php 
shell by RST/GHC, has some "hidden features", it will log any usage to some 
russian stats counters. If those counters log the ip, and the script is not 
protected by a password, they cand 0wn everything you 0wned. 

Starting from line 1469 we have 2 base64 encoded variables $c1 and $c2, at line 
1592 the script will check if the variables are empty and die() if true, then 
they are decoded and appended to $f, which is echo-ed at line 2204. $f contains 
only the counters scripts. 

Trust no one(especialy commies), write your own tools.
                
---------------------------------
Yahoo! Messenger with Voice. Make PC-to-Phone Calls to the US (and 30+ 
countries) for 2¢/min or less.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Orkut URL Redirection Vulnerability
Next by Date: Re: [Full-disclosure] Orkut URL Redirection Vulnerability
Previous by thread: [Full-disclosure] release uhooker v1.2
Next by thread: [Full-disclosure] RSA SecurID SID800 Token vulnerable by design
Index(es):
- Date
- Thread