mailing list archives
Re: connect back PHP hack
From: Justin Rogosky <jrogosky () gmail com>
Date: Tue, 10 Feb 2009 22:01:34 -0500
Just as an FYI:
Webscarab and Paros (web application proxies) both have a good Base64
This is useful for any sniffed requested using basic authentication as
On Tue, 2009-02-10 at 14:34 -0500, sr. wrote:
i really appreciate all of the responses. this is what community is all about.
i'd seen the "==" in other encoding schemes, but just wasn't sure and
wanted a quick response...thanks to everyone who responded!
I'll post the rest of my findings on here asap. i'm looking into an
old compromised machine. this is nothing new..
whoever mentioned the r57 shell, you're probably right as the script
connects to a remote box @ port 11457. this is r57 behaviour.
i also found a copy of the same script i'm dissecting on someone
else's box, you can check it out here:
in my case, a bunch of php files were modified. i'll zip everything up
and host it so you can all analyze...
sr. aka "fabrizio siciliano"
On Tue, Feb 10, 2009 at 2:10 PM, Gustavo Castro <gcastrop () gmail com> wrote:
This is base64 encoded.
2009/2/10 sr. <staticrez () gmail com>:
can anyone tell me what encoding this is?
this has to do with old php 4.x.x version with magic quotes enabled.
i'm just trying to figure out what the connect back code does.
any input is much appreciated.
Gustavo Castro Puig.
E-Mail: gcastrop () gmail com
LPI Level-1 Certified (https://www.lpi.org/es/verify.html
LPID:LPI000042304 Verification Code: hp6re8w5qg )
-----BEGIN GEEK CODE BLOCK-----
GCS/CM/IT/ED dx s-:- a? C(+++)$ UL++++*$ P+ L++++(++)$ E--- W+++$ N+ o?
K- w O M V-- PS PE++(-) Y-(+) PGP+ t(++) 5+ X++ R tv+ b++(++++) DI+++
D++ G++ e++ h--- r y+++
------END GEEK CODE BLOCK------
Registered Linux User #69342
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/