Hosting Provided By

perl/php connect-back backdoor?

From: Victor Pereira <vpereira(at)modulo.com.br>
Date: Tue Jul 29 2003 - 15:33:13 EDT

Hi, you can use the reverse shell from THC ( http://www.thc.org/releases/rwwwshell-2.0.pl.gz)

<cut>

Well, a program is run on the internal host, which spawns a child every day at a special time. For the firewall, this child acts like a user, using his netscape client to surf on the internet. In reality, this child executes a local shell and connects to the www server owned by the hacker on the internet via a legitimate looking http request and sends it ready signal. The legitimate looking answer of the www server owned by the hacker are in reality the commands the child will execute on it's machine it the local shell. All traffic will be converted (I'll not call this "encrypted", I'm not Micro$oft) in a Base64 like structure and given as a value for a cgi-string to prevent caching.
</cut>

You can use netcat compiled with the execute option and run with a time option to connect to your machine either.

Reguards,

Victor Pereira - LPI, CCSA, CCSE - Security Analyst

http://www.modulo.com.br
http://getdata.codigolivre.org.br Received on Wed Jul 30 15:40:36 2003

This message: [ Message body ]
Next message: Victor Pereira: "is it even possible for a worm with dcom vuln?"
Previous message: Diode Trnasistor: "Re: perl/php connect-back backdoor?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT

Do you need help?