> Usually the attacker, on their own computer, or some other server they have root on, will open a port and expose it to the internet and listen. The exploit payload will then make an outbound connection to that port. Once it's connected, the exploit will give the attacker's computer shell access. Search terms include 'reverse shell'.

Also "reverse tunnel" as a more general term: it can open any service, not just those giving shell access. There have been similar hacks where the implanted tunnel has access to databases that weren't properly secured (anyone remember back when SQL Server defaulted to having a blank password for "sa" and many didn't change that, thinking their firewall, which was really little more than a simple NAT setup, was sufficient protection?).

This is why there is the mantra "NAT is not a firewall": if something internal has no business making outgoing connections, it should be blocked as well as incoming connections being difficult (also because there are various other NAT-busting attacks too).
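
The egress point made in the comment above, as an added example that is not part of the original post: a Python audit that checks flow records against a default-deny outbound allowlist, so a host with no business connecting out is flagged even though NAT would let the connection through. The address ranges, the policy table and the flow record format (initiator first) are assumptions constructed for illustration.

```python
import ipaddress

# Assumed internal address space (hypothetical).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Hypothetical egress policy: internal host -> allowed (external network, port).
# A host with an empty list, or not listed at all, may not connect out.
EGRESS_POLICY = {
    "10.0.5.10": [("192.0.2.25/32", 443)],  # app server: one external API
    "10.0.5.20": [],                        # database server: nothing outbound
}

# Constructed sample flow records: "initiator_ip src_port dst_ip dst_port"
SAMPLE_FLOWS = """\
10.0.5.10 51514 10.0.0.53 53
10.0.5.10 51600 192.0.2.25 443
10.0.5.20 49822 203.0.113.7 8443
10.0.5.10 51700 198.51.100.9 443
198.51.100.4 40000 10.0.5.10 443
10.0.5.30 50000 203.0.113.7 80
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def allowed(src, dst, dport):
    # Default deny: unknown sources get an empty rule list.
    rules = EGRESS_POLICY.get(src, [])
    return any(ipaddress.ip_address(dst) in ipaddress.ip_network(net)
               and dport == port for net, port in rules)

def audit(flow_text):
    """Return (src, dst, dport) for outbound flows the policy does not allow."""
    violations = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        src, _sport, dst, dport = parts
        # Only internal -> external flows are egress; the rest is out of scope.
        if not is_internal(src) or is_internal(dst):
            continue
        if not allowed(src, dst, int(dport)):
            violations.append((src, dst, int(dport)))
    return violations

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("egress violation: %s -> %s:%d" % v)
```
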