Everhart, Glenn

From: Stout, Bill [StoutB@pios.com]
Sent: Tuesday, November 17, 1998 8:14 PM
To: ntsecurity@iss.net
Subject: RE: [NTSEC] Trojans & NT

TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net
Contact ntsecurity-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

Oooh, I like! Well, not really, but it underscores that to defeat a firewall, you go for the weakest proxy or port number. For someone to develop a reverse http shell was simply a matter of time, given our abuse of the http port via java/script/active-x/cookies, etc.

OBtrojans: Any O.S. that allows mere users to install programs is insecure.

Bill Stout

P.S. 'Fun with numbers' - For those who haven't figured out yet, a URL like http://3230989350/ (l0pht) or http://3475931663/ (microsoft) is the binary of the IP octets converted to decimal.

Ex: one www at MS = 207.46.130.15,
= 1100 1111 0010 1110 1000 0010 0000 1111,
= 34759316634.

Network stacks convert decimal numbers to IP octet numbers, but not all proxies. Trip out your network admins!

> ----- Original Message -----
> From: Weld Pond [SMTP:weld@l0pht.com]
>
> You can bypass a HTTP proxy with something called a Reverse WWW Shell.
> The backdoored machine makes HTTP requests through an application layer
> HTTP proxy to its master. The master then gives it a shell command to
> execute. The backdoored machine then returns the output of the command as
> an HTTP get request, and so on...
>
> There is a paper on the subject and sample code at:
> http://www.genocide2600.com/~tattooman/thc/fw-backd.htm
>
> I hear the same techniques may be built into the next version of Back
> Orifice.
>
>
>
> -weld
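The P.S. points out that a proxy which matches hosts as strings will not recognise http://3475931663/ as 207.46.130.15 even though the client's network stack will. An added example, not from the thread: a normaliser a proxy or URL filter could run before consulting its allow/deny list. It goes beyond the decimal form in the message to the other shapes inet_aton accepts (hex and octal parts, and the 2- and 3-part forms where the last part fills the remaining bits); `canonical_ipv4` and `normalize_url_host` are names chosen here.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# One host part as inet_aton reads it: 0x.. hex, leading-0 octal, else decimal.
_PART = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)


def _part_value(part: str) -> int:
    if not _PART.match(part):
        raise ValueError(f"not a numeric host part: {part!r}")
    if part.lower().startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host: str) -> Optional[str]:
    """Dotted-quad form of a numeric IPv4 host, or None if the host is not numeric.
    Accepted shapes (inet_aton rules): 'A' (32 bits), 'A.B' (8+24), 'A.B.C' (8+8+16),
    'A.B.C.D' (8+8+8+8). A value too large for its field is rejected."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_part_value(p) for p in parts]
    except ValueError:
        return None
    *head, last = values
    if any(v > 255 for v in head):          # leading parts are single octets
        return None
    last_bits = 8 * (4 - len(head))         # the last part fills what remains
    if last >= 1 << last_bits:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << last_bits) | last
    return str(ipaddress.IPv4Address(n))


def normalize_url_host(url: str) -> str:
    """Host of url rewritten to dotted-quad form when it is numeric, so a proxy
    allow/deny list sees one canonical form; non-numeric hosts are returned unchanged."""
    host = urlsplit(url).hostname or ""
    canon = canonical_ipv4(host)
    return canon if canon else host
```

The value in the message, 3475931663, is 207 * 2^24 + 46 * 2^16 + 130 * 2^8 + 15, which is what the function recovers.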