Hello again,
Just because I was curious, I decoded the remaining variables.
That provided 1 .c program and 3 .pl programs.
The C code binds to a shell and allows incoming connections dropped to /bin/bash.
The first .pl program does the same.
The second .pl program connects via lynx to a port/host you specify.
The third .pl program spawns child processes to push data to a host/port.
Interesting ...
You can view the code here: http://www.projectskyline.com/phplist/test.php
- Ben
Ben Sgro, Chief Engineer
ProjectSkyLine - Defining New Horizons
+1 718.487.9368 (N.Y. Office)
Our company: www.projectskyline.com
Our products: www.project-contact.com
This e-mail is confidential information intended only for the use of the
individual to whom it is addressed.
----- Original Message -----
From: "Ben Sgro (ProjectSkyline)" <[EMAIL PROTECTED]>
To: "NYPHP Talk" <[email protected]>
Sent: Friday, June 29, 2007 10:21 AM
Subject: Re: [nyphp-talk] [OT] XSS, Joomla & Remote Shells
Hello,
It's funny you mentioned this because I kinda assumed it might behave that way.
I've seen shellcode in the past that did things you didn't know about...
Great link, thanks!
I decided to see what was encoded in the $c1, $c2 variables,
which were base64 encoded strings. This is what they held:
<script language="javascript">hotlog_js="1.0";hotlog_r=""+Math.random()+"&s=81606&im=1&r="+escape(document.referrer)+"&pg="+escape(window.location.href);document.cookie="hotlog=1; path=/"; hotlog_r+="&c="+(document.cookie?"Y":"N");</script>
<script language="javascript1.1">hotlog_js="1.1";hotlog_r+="&j="+(navigator.javaEnabled()?"Y":"N")</script>
<script language="javascript1.2">hotlog_js="1.2";hotlog_r+="&wh="+screen.width+'x'+screen.height+"&px="+(((navigator.appName.substring(0,3)=="Mic"))?screen.colorDepth:screen.pixelDepth)</script>
<script language="javascript1.3">hotlog_js="1.3"</script>
<script language="javascript">hotlog_r+="&js="+hotlog_js;document.write("<a href='http://click.hotlog.ru/?81606' target='_top'><img "+" src='http://hit4.hotlog.ru/cgi-bin/hotlog/count?"+hotlog_r+"&' border=0 width=1 height=1 alt=1></a>")</script>
<noscript><a href=http://click.hotlog.ru/?81606 target=_top><img src="http://hit4.hotlog.ru/cgi-bin/hotlog/count?s=81606&im=1" border=0 width="1" height="1" alt="HotLog"></a></noscript><Br><br>
<!--LiveInternet counter--><script language="JavaScript"><!--
document.write('<a href="http://www.liveinternet.ru/click" '+
'target=_blank><img src="http://counter.yadro.ru/hit?t52.6;r'+
escape(document.referrer)+((typeof(screen)=='undefined')?'':
';s'+screen.width+'*'+screen.height+'*'+(screen.colorDepth?
screen.colorDepth:screen.pixelDepth))+';'+Math.random()+
'" alt="liveinternet.ru: показано число просмотров и посетителей за 24 часа" '+
'border=0 width=0 height=0></a>')//--></script><!--/LiveInternet-->
- Ben
Ben Sgro, Chief Engineer
ProjectSkyLine - Defining New Horizons
Our company: www.projectskyline.com
Our products: www.project-contact.com
This e-mail is confidential information intended only for the use of the
individual to whom it is addressed.
----- Original Message -----
From: "inforequest" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, June 29, 2007 3:18 AM
Subject: Re: [nyphp-talk] [OT] XSS, Joomla & Remote Shells
Ben Sgro (ProjectSkyline) ben-at-projectskyline.com |nyphp dev/internal group use| wrote:
Hello again,
I've always had an interest in security. Not too long ago a friend was looking
into deploying joomla for a client. He's a pentester/researcher for a very well
educated and influential firm = ] , so he had to make sure it was going to be secure.
He started researching and found that many joomla installs had/have been compromised
via XSS attacks.
Today, he posted the link of a site that had been owned by XSS and the crackers
installed this web based backdoor script.
I grabbed the script and included it here
http://www.projectskyline.com/phplist/r57shell.txt to show PHP
developers AGAIN how important security is and give us an inside look at
some of the tools our enemies are armed with.
For those that deploy joomla, this is especially something to watch for.
For everyone else, just something to checkout.
You'll notice this script enables:
- Mail to be sent out (w/or w/out files attached)
- Commands to be run.
- Search for SUID, writable directories, files, tmp files., .(files) ...
- Outgoing connections to be established
- Some kind of IRC implementation
- SQL to be run
- Files can be downloaded and uploaded
- and much, much more.
- Ben
Perhaps most interesting about that r57shell is that it quietly remotely
logs its own use. So in addition to the use as a backdoor shell script,
it becomes a beacon for compromised systems - the tool maker gets a
notice of every IP compromised by the tool when used by others.
To quote full disclosure, "they [the script authors] can 0wn everything
you 0wned...Trust no one... write your own tools."
http://seclists.org/fulldisclosure/2006/Sep/0083.html
--
-------------------------------------------------------------
Your web server traffic log file is the most important source of web
business information available. Do you know where your logs are right
now? Do you know who else has access to your log files? When they were
last archived? Where those archives are? --John Andrews Competitive
Webmaster and SEO Blogging at http://www.johnon.com
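Both of Ben's decodings (the base64 $c1/$c2 variables that turned out to hold tracker/beacon HTML, and the later ones that held a bind shell and Perl connect-back programs) and inforequest's point about the shell phoning home come down to one defensive task: pull every base64-looking literal out of a suspicious PHP file, decode it, and flag what it contains and where it reaches out to. The script below is an added example written for this thread; it is not code from any poster, not the r57shell source, and the PHP sample and payload strings it scans are constructed here purely to exercise it. Indicator names and the 16-character threshold are my own assumptions.

```python
import base64
import binascii
import re

# Constructed sample inputs (not taken from the real r57shell): a tracker snippet
# that beacons to an external host, and a note in the style of a bind-shell program.
TRACKER_HTML = '<script src="http://counter.example.net/hit?s=1"></script>'
BIND_NOTE = "use IO::Socket::INET; # listens, then hands the socket to /bin/bash"

# A tiny PHP fragment in the web-shell style of stashing payloads in base64 variables.
SAMPLE_PHP = (
    "<?php\n"
    '$c1 = "' + base64.b64encode(TRACKER_HTML.encode()).decode() + '";\n'
    '$c2 = "' + base64.b64encode(BIND_NOTE.encode()).decode() + '";\n'
    '$greeting = "hello";\n'
    "echo base64_decode($c1);\n"
)

# PHP string literals that look like base64: base64 alphabet only, at least 16 chars
# (assumed threshold to skip short ordinary strings), optional '=' padding.
LITERAL_RE = re.compile(r'\$(\w+)\s*=\s*["\']([A-Za-z0-9+/]{16,}={0,2})["\']')

# Keyword indicators a defender would flag in decoded content (assumed names).
INDICATORS = {
    "html_script": re.compile(r"<script\b", re.I),
    "external_url": re.compile(r"https?://[\w.-]+", re.I),
    "socket_api": re.compile(r"\bIO::Socket\b|\bsocket\s*\(", re.I),
    "shell_binary": re.compile(r"/bin/(ba)?sh\b"),
}


def decode_candidates(php_source):
    """Return {variable: decoded_text} for each base64-looking literal that
    decodes cleanly to mostly printable text (binary blobs are skipped)."""
    found = {}
    for name, blob in LITERAL_RE.findall(php_source):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not really base64, e.g. a long hex or random token
        text = raw.decode("utf-8", errors="replace")
        printable = sum(ch.isprintable() or ch in "\n\t" for ch in text)
        if printable < 0.9 * len(text):
            continue
        found[name] = text
    return found


def classify(decoded):
    """Map each decoded variable to the sorted list of indicator names it triggers."""
    return {
        var: sorted(k for k, rx in INDICATORS.items() if rx.search(text))
        for var, text in decoded.items()
    }


def external_hosts(decoded):
    """Hostnames the decoded payloads reach out to: the beacon/tracker endpoints
    to block at the egress proxy and to hunt for in the web server logs."""
    hosts = set()
    for text in decoded.values():
        for m in re.finditer(r"https?://([\w.-]+)", text, re.I):
            hosts.add(m.group(1).lower())
    return sorted(hosts)


if __name__ == "__main__":
    decoded = decode_candidates(SAMPLE_PHP)
    for var, tags in classify(decoded).items():
        print(f"${var}: {', '.join(tags) or 'no indicators'}")
    print("contacts:", ", ".join(external_hosts(decoded)))
```

Run it against a real suspect file by reading the file into decode_candidates(); the host list is what you grep the server's access and outbound-proxy logs for, since a hit there is the "beacon" inforequest describes firing from your box.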
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php