Joomla, XSS and Obfuscated Code
Hello again,
Yesterday, our chief engineer Ben came across an interesting backdoor PHP script that a friend on IRC was talking about. He was studying the Joomla source prior to implementation and found that tons of Joomla sites had been owned via an XSS used to load the r57shell PHP script.
We've included a copy of the script here for educational purposes: http://www.projectskyline.com/phplist/r57shell.txt
Ben went and posted this information to the NYPHPlist to give fellow developers insight into the tools crackers are using against us.
A member of the PHPList pointed out that the script has some backdoor, author-alerting features: http://seclists.org/fulldisclosure/2006/Sep/0083.html
Ben decided to base64_decode( ) the obfuscated variables to see what kinds of programs the shell script was building and executing.
The first section of code is that of the author alert: it provides the author with the IP of the owned machine.
Ben then went ahead and decoded the programs; a link to them is here:
http://www.projectskyline.com/phplist/test.php
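The decoding step Ben did by hand can be scripted for triage. The following is an added example, not code from this post or from r57shell: it pulls base64 literals out of a PHP file (both `$var = "..."` assignments and inline `base64_decode("...")` calls), decodes them, and sorts each one into PHP code, plain text, or binary so an analyst sees at a glance which variables hide executable code. The `SAMPLE_PHP` input is constructed here with harmless stand-in payloads; the function and variable names are the example's own.

```python
"""Triage helper: extract base64 literals from PHP source, decode them and
classify what they decode to. Added example; not the r57shell code."""
import base64
import binascii
import re

# Hints that a decoded buffer is PHP code rather than a plain message.
PHP_CODE_HINTS = re.compile(
    r'<\?php|\$_(?:SERVER|GET|POST|REQUEST|COOKIE)\b|'
    r'\b(?:eval|system|exec|shell_exec|passthru|mail|fsockopen)\s*\('
)

# "$name = 'base64...';" assignments and inline base64_decode("...") calls.
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*["\']([A-Za-z0-9+/]{16,}={0,2})["\']')
INLINE_RE = re.compile(
    r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/]{16,}={0,2})["\']\s*\)'
)


def classify(raw: bytes) -> str:
    """Return 'php-code', 'text' or 'binary' for a decoded buffer."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    # Control characters other than whitespace mean this is not a message.
    if any(ord(c) < 32 and c not in "\r\n\t" for c in text):
        return "binary"
    return "php-code" if PHP_CODE_HINTS.search(text) else "text"


def scan_php_source(source: str) -> list[dict]:
    """Decode every base64 literal found in PHP source and classify it."""
    candidates = [(m.group(1), m.group(2)) for m in ASSIGN_RE.finditer(source)]
    candidates += [("(inline base64_decode)", m.group(1))
                   for m in INLINE_RE.finditer(source)]
    findings = []
    for name, literal in candidates:
        try:
            raw = base64.b64decode(literal, validate=True)
        except binascii.Error:
            continue  # looks base64-ish but is not; leave it alone
        kind = classify(raw)
        # Show decoded text for readable blobs, a hex prefix for binary ones.
        preview = raw[:16].hex() if kind == "binary" else raw[:60].decode("utf-8", "replace")
        findings.append({"name": name, "kind": kind, "decoded": preview})
    return findings


def _b64(data) -> str:
    """Encode a str or bytes as base64 text (used only to build the sample)."""
    if isinstance(data, str):
        data = data.encode()
    return base64.b64encode(data).decode()


# Constructed sample PHP in the style the post describes. The decoded
# contents are harmless stand-ins, not the real shell's payloads.
SAMPLE_PHP = "\n".join([
    "<?php",
    '$alert = "' + _b64('echo "host: " . $_SERVER["REMOTE_ADDR"];') + '";',
    '$banner = "' + _b64("constructed banner text, version 1.0") + '";',
    '$blob = "' + _b64(b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0d") + '";',
    '$title = "hello";',
    'eval(base64_decode("' + _b64('echo $_SERVER["SERVER_NAME"];') + '"));',
])

if __name__ == "__main__":
    for f in scan_php_source(SAMPLE_PHP):
        print(f"{f['name']:<24} {f['kind']:<9} {f['decoded']}")
```

Run against a suspect file by reading it into `scan_php_source`; anything reported as `php-code` is the first thing to read in full, since that is where a shell's callback or payload builder usually lives.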
Can't trust those russians!
- psl
Labels: ben sgro, crackers, ny php list, php, ProjectSkyLine
