Snort Forums Archive
BACKDOOR c99shell.php command request
Posted by fmonkey on October 22, 2007 15:23:18
Could someone explain these logs for me please? I know about the actual exploit, but I'm struggling to
see how it could be my end, as I have no server running at this end.
[**] [1:12077:2] BACKDOOR c99shell.php command request [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
10/22-23:53:48.238813 192.168.1.64:8409 -> WEBSITE:80
TCP TTL:64 TOS:0x0 ID:45763 IpLen:20 DgmLen:1469 DF
***AP*** Seq: 0x304F8806 Ack: 0x879B019B Win: 0x3EA TcpLen: 32
TCP Options (3) => NOP NOP TS: 4703580 245232720
[Xref => http://vil.nai.com/vil/content/v_136948.htm]
Now I've been in contact with the web site and as far as they're concerned it's my end, but I
struggle to see this, as it only gets flagged when I visit this site.
Now I can't find the official docs for the mentioned alert; please could someone point me to them
as well.
I've looked into this exploit and my understanding is I need PHP and a web server running, which I'm
not. I've seen some mentions of this working with attachments in the docs. But I'm running
Linux, text mail by default, and nothing unusual opened; plus the system is a relatively new install
minus all PHP bits and no Apache.
Does anyone know of any good documentation on the exploit or can explain what I'm seeing?
Why do I only see the exploit with one site, of which I know the src, yet it seems I'm doing the
attacking? Or is it that I'm requesting a command?
Posted by mwatchinski on October 23, 2007 10:41:26
If you aren't running a web server and this alert is happening when you browse somewhere, it's a false positive.
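As an added example (not code from the original thread), here is a small Python parser for the full-format Snort alert block quoted in the first post, with the triage rule that reply implies applied to it: record which end sent the matched packet, and check whether anything on the local host actually listens on the destination port before treating a "command request" signature as evidence of a local web shell. The sample alert is the one from the post, with WEBSITE left as the placeholder the poster used; the local network 192.168.1.0/24, the listener inventory, and the constructed inbound variant using 203.0.113.7 are assumptions made for the example. The payload size is derived from the alert's own DgmLen, IpLen and TcpLen fields.

```python
"""Parse a Snort 'full' format alert block and triage its direction."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the alert quoted in the post, with the site's
# address left as the WEBSITE placeholder the poster used.
SAMPLE_ALERT = """\
[**] [1:12077:2] BACKDOOR c99shell.php command request [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
10/22-23:53:48.238813 192.168.1.64:8409 -> WEBSITE:80
TCP TTL:64 TOS:0x0 ID:45763 IpLen:20 DgmLen:1469 DF
***AP*** Seq: 0x304F8806 Ack: 0x879B019B Win: 0x3EA TcpLen: 32
TCP Options (3) => NOP NOP TS: 4703580 245232720
[Xref => http://vil.nai.com/vil/content/v_136948.htm]
"""

# Constructed variant (assumption): the same signature, but the request is
# arriving at the local host from an outside address.
INBOUND_ALERT = SAMPLE_ALERT.replace(
    "192.168.1.64:8409 -> WEBSITE:80", "203.0.113.7:40221 -> 192.168.1.64:80")

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$", re.M)
IP_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:\d+ .*?IpLen:(\d+) DgmLen:(\d+)", re.M)
TCP_RE = re.compile(r"^([*A-Z12]{8}) Seq: .*?TcpLen: (\d+)", re.M)

WEB_PORTS = {80, 443, 8080}


@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str          # TCP flag string, e.g. ***AP*** (ACK+PSH: packet carried data)
    payload_bytes: int  # DgmLen - IpLen - TcpLen: application data in the matched packet


def parse_full_alert(text):
    """Extract the fields of one full-format alert block; raises on anything else."""
    h, c, f, ip = (r.search(text) for r in (HEADER_RE, CLASS_RE, FLOW_RE, IP_RE))
    if not (h and c and f and ip):
        raise ValueError("not a Snort full-format alert block")
    proto, iplen, dgmlen = ip.group(1), int(ip.group(2)), int(ip.group(3))
    flags, tcplen = "", 0
    if proto == "TCP":
        t = TCP_RE.search(text)
        if not t:
            raise ValueError("TCP alert without flags/TcpLen line")
        flags, tcplen = t.group(1), int(t.group(2))
    return SnortAlert(
        gid=int(h.group(1)), sid=int(h.group(2)), rev=int(h.group(3)), msg=h.group(4),
        classification=c.group(1), priority=int(c.group(2)),
        timestamp=f.group(1), src=f.group(2), sport=int(f.group(3)),
        dst=f.group(4), dport=int(f.group(5)),
        proto=proto, flags=flags, payload_bytes=dgmlen - iplen - tcplen,
    )


def is_local(host, local_nets):
    """True when host is an IP inside local_nets; hostnames/placeholders count as remote."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in local_nets)


def triage(alert, local_nets, local_listening_ports):
    """Apply the reply's reasoning: a web-shell *request* only points at a
    compromised local server when it reaches a port the local host serves."""
    src_local, dst_local = is_local(alert.src, local_nets), is_local(alert.dst, local_nets)
    if src_local and not dst_local:
        role = "local host sent the request (HTTP client)"
        if not (local_listening_ports & WEB_PORTS):
            return {"role": role, "verdict": "false_positive_candidate",
                    "reason": "match is in outbound browsing traffic and nothing local serves HTTP"}
        return {"role": role, "verdict": "review_outbound",
                "reason": "local host also serves HTTP; confirm the request came from a browser session"}
    if dst_local:
        role = "local host received the request (server side)"
        if alert.dport in local_listening_ports:
            return {"role": role, "verdict": "investigate_inbound",
                    "reason": "a web-shell command request reached a local listener"}
        return {"role": role, "verdict": "inbound_no_listener",
                "reason": "no local service on that port; check the listener inventory is current"}
    return {"role": "neither end is local", "verdict": "transit",
            "reason": "sensor saw third-party traffic"}


if __name__ == "__main__":
    for text in (SAMPLE_ALERT, INBOUND_ALERT):
        a = parse_full_alert(text)
        print(f"[{a.gid}:{a.sid}:{a.rev}] {a.src}:{a.sport} -> {a.dst}:{a.dport} "
              f"{a.flags} {a.payload_bytes}B payload")
        print("  ", triage(a, ["192.168.1.0/24"], set()))
```

The direction arrow in the third line of the alert is the fact that settles the question in the post: 192.168.1.64 is the source, so the matched bytes were in a request that host sent, and the ***AP*** flags plus the 1417-byte payload show it was an established connection carrying data, not a probe. With no web listener on the local host, the triage function returns the "false positive candidate" result the reply above gives; the same parser applied to the constructed inbound variant returns "investigate inbound" once port 80 is in the listener inventory.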
Posted by fmonkey on October 23, 2007 16:44:48
Thank you, mwatchinski.
I had considered it could be.
Do you know where I can find definitions of the alerts? Someone pointed them out to me but I
forgot to bookmark them. I've searched and seem to keep missing them.