Jump to content

NDIS reports c99shell.php from SpamCop


Rapakiwi

Recommended Posts

Though my little computer doesn't serve web pages, every time I change pages in the SpamCop forums, 'snort' believes SpamCop is sending me the command-line program c99shell.php.

Because this has been used for nefarious purposes on computers with, presumably, vulnerable applications, it would be nice to know if it's a false report by snort, legitimately sent by SpamCop, or illegitimately sent by SpamCop or another computer on the net. My firewall reports associated stealth connection attempts by TCP & UDP over port 80 and various high ports, originating in Amsterdam and Beijing.

Thanks, knurdy people.

Rapakiwi

Link to comment
Share on other sites

Though my little computer doesn't serve web pages, every time I change pages in the SpamCop forums, 'snort' believes SpamCop is sending me the command-line program c99shell.php.

Don't be so sure: http://168.150.253.56/ gives me "Test Page for Apache Installation" including the Help pages for "Apache HTTP Server Version 1.3"

Link to comment
Share on other sites

Don't be so sure: http://168.150.253.56/ gives me "Test Page for Apache Installation" including the Help pages for "Apache HTTP Server Version 1.3"
Yeah, I'm seeing "HTTP:Apache/1.3.27 (Unix) PHP/4.3.1" through Robtex.com, the test page and bala.omsoft.com which resolves the same as the above url.
Link to comment
Share on other sites

Thank you both.

Indeed, that's my ISP sending me what snort thinks is this little php program. It's likely innocent, since it only sends it to me when turning SpamCop pages. (I'm years out of date with Apache.) I've already reported this to my local ISP, so anything nefarious will be removed.

Thanks again!

Rapakiwi

Link to comment
Share on other sites

Though my little computer doesn't serve web pages, every time I change pages in the SpamCop forums, 'snort' believes SpamCop is sending me the command-line program c99shell.php.

I can find no evidence to support that this Forum server is or would be sending out such data. I will do some more reseach, but having spent the last 20 minutes or so looking for things like changed files, added files, anything in the log files that look like anything beyond the typical (failed) hacking attempts, I just do not find anything 'here' to support the possibility.

When you change pages, there is a bit of a Redirect page sent, basically a notification of the last action requested. For the most part, only folks on a slow dial-up connection will see this page (which s why it's there, actually ... to let the user know that the last mouse-click was in fact seen and responded to)

For those wondering about the connection from the initial post and the first replies, the IP Address noted was the posting IP Address of the Topic Starter.

If in fact, that IP Address does in fact point to "my computer" then there's the thought that a router is not in place. Not such a good configuration these days. Of course, even worse would be the aspect that the owner of that computer doesn't know what services are in fact running on that system. Just noting that a lot of this is circumstantial, as 'we' actually don't know how the system in question really is connected to the net.

Just a general note: normally one would post their reply "under" the quoted material (with unecessary dialog edited out) .. such that one has the concept of what the Reply pertains to .... or remove the quoted material in total if the Reply is the next post after the comments being replied to in the Discussion (though sometimes hard to tell if this will be the case or not ... for example, there was another post made while I was still researching and collecting notes to be possibly included in the post I was typing up.)

Indeed, that's my ISP sending me what snort thinks is this little php program. It's likely innocent, since it only sends it to me when turning SpamCop pages. (I'm years out of date with Apache.) I've already reported this to my local ISP, so anything nefarious will be removed.

I'm not sure at all just how you came to these conclusions.

That there is in fact a web-server running at the IP Address in question should have absolutely no connection to you browsing other web-sites. Why your ISP would be injecting files into the data-stream between your browser and the requested web-site is very unclear to me.

I'm not sure I understand your description of "the command-line program c99shell.php" .... where did you come up with the "command-line" part of this scenario? If in fact, this command-line description turns out to be a crucial detail, then that would have to end up pointing back to your system. The web-page HTML / XML stream including such a command string / program file would/should not be considered as a command-line string, it should be evaluated as a part of the HTML data-stream.

You didn't mention just what browser is in use, though also having to assume that this factoid would have little to do with 'snort results' ....

Link to comment
Share on other sites

Thank you! There was confusion on my part about where the program was coming from, because 'snort' announced it (over my speaker), but didn't log it. This I found extremely suspicious. This, and the concurrent login attempts I found serious enough to ask about. I've written my ISP's network administrator and help desk.

The ip address appears somewhat random (on our subnet), so I've asked whether it's owned by the ISP. I can't quite follow the possibilities, but, the text messages seem to imply there may be an incorrect setting, and the server may be in the process of being upgraded or patched.

In any case, I've been running an NDIS for six years, and these were the most dire-appearing announcements it has even given me; so I greatly appreciate your offering explanations. It would appear that the attempted logins were spurious.

Thank you again.

Rapakiwi

I can find no evidence to support that this Forum server is or would be sending out such data. I will do some more reseach, but having spent the last 20 minutes or so looking for things like changed files, added files, anything in the log files that look like anything beyond the typical (failed) hacking attempts, I just do not find anything 'here' to support the possibility.

When you change pages, there is a bit of a Redirect page sent, basically a notification of the last action requested. For the most part, only folks on a slow dial-up connection will see this page (which s why it's there, actually ... to let the user know that the last mouse-click was in fact seen and responded to)

For those wondering about the connection from the initial post and the first replies, the IP Address noted was the posting IP Address of the Topic Starter.

If in fact, that IP Address does in fact point to "my computer" then there's the thought that a router is not in place. Not such a good configuration these days. Of course, even worse would be the aspect that the owner of that computer doesn't know what services are in fact running on that system. Just noting that a lot of this is circumstantial, as 'we' actually don't know how the system in question really is connected to the net.

Link to comment
Share on other sites

I'm not sure I understand your description of "the command-line program c99shell.php" .... where did you come up with the "command-line" part of this scenario? If in fact, this command-line description turns out to be a crucial detail, then that would have to end up pointing back to your system. The web-page HTML / XML stream including such a command string / program file would/should not be considered as a command-line string, it should be evaluated as a part of the HTML data-stream.

You didn't mention just what browser is in use, though also having to assume that this factoid would have little to do with 'snort results' ....

Thank you for your immediate attention to this issue. That phrase is most likely inaccurate, but I chose it purposefully. I believe I qualified my question sufficiently to cover the other facts accurately. I preferred to use the term "command line", because the snort warning began with 'BACKDOOR', and I thought 'command line' was less alarming than this. A backdoor implied to me that c99shell.php had been known to install a root kit, and I have no reason to believe this can be done entirely within Apache (computers aren't my life). No web server is running on my computer, but php is available by command line; and when confronted with a security issue, I always assume the worst. This doesn't excuse, but explains my likely inaccurate choice of words.

Thank you again for all your valuable help!

Rapakiwi

PS, my browser is Safari 3.1.1, and my system is fully patched. No backdoor was installed (checked with 'tripwire'): my concern was more for other people.

Link to comment
Share on other sites

Thanks for the follow-up (and the change in posting style <g>)

Thank you for your immediate attention to this issue.

The possibilty of hacking demands immediate attention <g>

After much more and deeper reseach, I am comfortable now in stating that there is no issue with this server. On the other hand, I came across a snort.org support Topic that chooses to use the words of "false-positive" ... There's a heck of a lot of data in the 'warning message" for me to understand that possibility. However, also noting that in the sample offered, it was a local network / IP Address offered up, although assuming the URL at the bottom of that message was the site being browsed ????

BACKDOOR c99shell.php command request

That phrase is most likely inaccurate, but I chose it purposefully. I believe I qualified my question sufficiently to cover the other facts accurately. I preferred to use the term "command line", because the snort warning began with 'BACKDOOR', and I thought 'command line' was less alarming than this. A backdoor implied to me that c99shell.php had been known to install a root kit, and I have no reason to believe this can be done entirely within Apache (computers aren't my life).

Ah, but to the geeky types, those word choice selections carry specific definitions. Choosing 'other' words to describe a specific situation gets a lot of folks going down the wrong road quickly. I see that in the above refernced example, the word 'command' exists in the message, which would be much closer to the truth, as compared to "command-line" as I conjectured.

Unfortunately, I would now also challenge your description of a "root kit" for this particular file (type) exploit. A "root kit" carries a much more detailed set of actions, also impacted by the Operating System involved. There are a number of differences between a Windows root-kit and a *NIX root-kit, primarily due to the differences in the 'kernals' amd 'security rings' of those OSs.

my concern was more for other people.

As was mine when you brought this up <g> Just noting that the exploit you described is more of a server hacking issue, as compared to other exploits that are pointed to screwing up 'visiting' computers.

Link to comment
Share on other sites

After much more and deeper reseach, I am comfortable now in stating that there is no issue with this server. On the other hand, I came across a snort.org support Topic that chooses to use the words of "false-positive" ...

I've searched the entire snort database here and could not find a single warning associated with your ip address, which I assume begins with 66.232. I did, however, find a remarkable number of warnings from 'doubleclick', which I did not expect.

Indeed, I read elsewhere a message that the backdoor warning on a computer other than a web-server is a false positive; and that's what I hoped to read here. Still, because many people have personal web pages, the meaning of this message was unclear. I was hoping to hear that c99shell.php has a legitimate use; but now I can't find it even coming from your site.

The problem is not yours. However, your computer is in Florida and mine in California, so there is plenty of opportunity for mischief along the route. (This I've encountered many times, but there appears no one to report such problems to.)

Unfortunately, I would now also challenge your description of a "root kit" for this particular file (type) exploit. A "root kit" carries a much more detailed set of actions, also impacted by the Operating System involved. There are a number of differences between a Windows root-kit and a *NIX root-kit, primarily due to the differences in the 'kernals' amd 'security rings' of those OSs.

Sorry, an Apache command can, I should have assumed, create some kind of backdoor (for this is a very broad term). However, people who received this 'command' reported having their blogs erased. This may not require an increase in privilege if there were a vulnerability in Apache, and it were owned by 'administrator'; so 'rootkit' would be inappropriate, and I stand corrected. The 'command line' came from 'backdoor', not 'command': it was still an error.

It would be interesting to know whether other users in Northern California are experiencing this warning each time a SpamCop page is turned. I shall investigate this further locally (and also find out how so many advertising companies crept past my firewall or browser) and conclude this thread with a final explanation, if I can find one.

Thank you very much for all your help.

Rapakiwi

Link to comment
Share on other sites

I did, however, find a remarkable number of warnings from 'doubleclick', which I did not expect.

No doubt. If you're not aware of it, Google bout doubleclick a while back for $3.1. billion U.S. Trust me, doubleclick is 'everywhere' these days.

I was hoping to hear that c99shell.php has a legitimate use;

Technically, that's hard to say, the reason being that a filename has no direct connection to that file's content. There may have been 'one' file at some point time that was an absolute must-have for some Admin somewhere. However, when word got out, hackers snagged that filename to apply to their versions of something .. it may have been a copy of the real thing with some 'extra stuff added' .. or it may have had no relationship at all to the original file beyond the filename.

The problem is not yours. However, your computer is in Florida and mine in California, so there is plenty of opportunity for mischief along the route. (This I've encountered many times, but there appears no one to report such problems to.)

You are suggesting something normally called a "man-in-the-middle" type of exploit/attack. Yet, that's a pretty hard thing to accomplish against web-site traffic, as data-packets can follow many different paths between your browser and the requested web-site. If it's a real data-usurping type connection, it would pretty much have to be at your ISP or the web-site cerver itself.

Sorry, an Apache command can, I should have assumed, create some kind of backdoor (for this is a very broad term). However, people who received this 'command' reported having their blogs erased. This may not require an increase in privilege if there were a vulnerability in Apache, and it were owned by 'administrator'; so 'rootkit' would be inappropriate, and I stand corrected. The 'command line' came from 'backdoor', not 'command': it was still an error.

This isn't really an "Apache command" ... as you note, you can run a command invoking a PHP file on your own system. The actual scenario is that the hacker somehow figured out how to upload the file (in this case cshell99.php) to the server involved and also managed to place into the file system such that it was available, invokable, and executable. Once that was accomplished, then the hacker actually ran that file to do the damage. The point being that it's the contents and the capabilites allowed for that particular file that set the conditions for further hacking.

It would be interesting to know whether other users in Northern California are experiencing this warning each time a SpamCop page is turned.

We have users from all around the world reading and posting here. I'd imagine those running snort would be a very few. This issue hasn't come up before in the years we've been here .. hopefully it won't come up again <g> (Back to it's just me against all the hackers around the world .... which according to articles like India faces cyber challenge from China is obviously getting harder and harder.)

Link to comment
Share on other sites

You are suggesting something normally called a "man-in-the-middle" type of exploit/attack. Yet, that's a pretty hard thing to accomplish against web-site traffic, as data-packets can follow many different paths between your browser and the requested web-site. If it's a real data-usurping type connection, it would pretty much have to be at your ISP or the web-site cerver itself.

India faces cyber challenge from China is obviously getting harder and harder.)

When this term was invented, there really was a 'man-in-the-middle', and he usually lived in Salt Lake City (through which all intercontinental traffic flowed). It still occurs however, and I registered only this evening to answer a question about how someone who uses an e-mail account only to report spam here could be receiving over 500 spams a day on it. May I propose, until I resolve it with my ISP, this to be one way.

Though the internet would now appear necessarily complex, MSN, Yahoo, and other services may throw a wrench into this. I mention this because my connection from California to Italy had a man-in-the-middle, one who tried to insert a windows trojan in the blink of an eye. He was there for at least a week, while I tried to blot him out. He wasn't local, because the offending site was in the US, but pretended to be Italian. The connection was to Google.it, and I suspected this may have travelled over fewer computers, owned by Google (which, as you write, likes to watch its users).

I bother this thread with the 'man-in-the-middle' subject only because its users are interested in identity theft (which I gave up on years ago). My ISP is a small, very good, independent one, so I anticipate a innocent solution to the problem proposed in this thread.

Rapakiwi

Link to comment
Share on other sites

No web server is running on my computer, but php is available by command line;

Is 168.150.253.56 your specific IP address or is it an address that has a whole network hidden behind it?

There is some sort of web server running on/behind that IP address. Whether it is directed (through NAT) to another computer on your network we can not say from here. It also could be a fairly old version. The most recent version shown on the docs page are from 1.3.4. Apache 2.2.8 is currently available, though it appears there is also a recent 1.3.41 release.

Have you tried http://localhost/ recently? If you are in charge of that network, I would find out why someone is running a default web page there.

Link to comment
Share on other sites

Is 168.150.253.56 your specific IP address or is it an address that has a whole network hidden behind it?

There is some sort of web server running on/behind that IP address. Whether it is directed (through NAT) to another computer on your network we can not say from here. It also could be a fairly old version. The most recent version shown on the docs page are from 1.3.4. Apache 2.2.8 is currently available, though it appears there is also a recent 1.3.41 release.

Have you tried http://localhost/ recently? If you are in charge of that network, I would find out why someone is running a default web page there.

The last network I was in charge of served Gopher. (Peripatetic scholars in unwanted subjects need a second profession.)

However, the local ISP's network administrator tells me that 168.150.253.56 is a cache server; so yes, it would likely also serve as one of the proxy servers for at least two professional websites, as well as a University community's subnet.

Because the php program was received by me even when I bounced back and forth between two cached pages, it was very likely bouncing back from 'bala'. This, in itself, would argue against a 'man in the middle' attack; and the local administrator wasn't surprised I was receiving this message, stating that has I switched from PPPoE to straight DHCP (as he has been subtly encouraging me to do for months), I would not have received this warning. This may mean something to you. (Gopher, remember)

Now I no longer receive any snort warnings when browsing SpamCop's forum. I'll press for some details when I next write him (for the snort forum didn't resolve this issue adequately), but that would appear to sufficiently solve the security aspect of the problem.

The default message I would imagine is common security: you would know more that I (Gopher :-).

Pneumonia has been keeping me from networking my house adequately, which eats radio signals like a black hole, but should I soon connect it to the internet, when I shall know more.

Thank you all for helping me quickly isolate and resolve this security issue. Informational detail (which is important in distinguishing genuine false positives from a security problem) I'll attempt to add soon.

Rapakiwi

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...