[nsp-sec] Attn gmail -- C99 PHP shell stuff
Ross, Jason
Jason.Ross at GlobalCrossing.com
Wed Oct 15 20:36:26 EDT 2008
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of jose nazario
> Sent: Wednesday, October 15, 2008 5:09 PM
> To: nsp-security
> Subject: [nsp-sec] Attn gmail -- C99 PHP shell stuff
>
> ----------- nsp-security Confidential --------
>
> Gmail
>
> Is the account "doscoder at gmail.com" still active? It's turned up in a
> couple of C99 PHP shells I've seen around, one I was just investigating.
>
> To the wider community, is this a default one or could this be specific
> to this attack?
It's not one that I've seen in the (few live) c99 shells I've run across, FWIW, and the generic defaults I've seen have almost always been:
$log_email = "user at host.tld"; //Default e-mail for sending logs
A quick netblitz of 'doscoder' I did shows some interesting hits in a few places, none of which may be related to the same person as the gmail account:
* a h4cky0u.org profile which has only a single post (a "thank you" on a thread that contains code for a gmail brute force script)
* The address doscoder at mail.ru shows up on what appears to be a defaced website.
* The site at hxxp://www.midnightplaytime.com refers to doscoder.t35.com
The latter one at first glance looks like it may be an interesting rabbit hole to start falling down[0], but so far what digging I've done all results in rather innocuous (at least, not malicious in the sense of loading malware) results, so it may be a red herring.
--
Jason
[0]:
$ grep doscoder index.html:
<a href='/index.php?q=http+++www+freewebs+com+daimonium+daimo+txt++++errors+php+error+http+++doscoder+t35+com+polmm+ssl+txt+'>Http Www Freewebs Com Daimonium Daimo Txt Errors Php Error Http Doscoder T35 Com Polmm Ssl Txt </a>
and after fetching that, there's this:
<script src='http://s.afnt.co.uk/df/dfjs.aspx?a=114503&q=http+++www+freewebs+com+daimonium+daimo+txt++++errors+php+error+http+++doscoder+t35+com+polmm+ssl+txt+&n=10&t=itpd2.xsl&r='>
That one loads up a page with a ton of products on it, seems similar in nature to a number of various "great deal on software" spam links I've seen.
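The thread turns on one artifact: a C99-style shell carries a $log_email line, and when that address is not the stock one it is worth pivoting on. The following is an added example (not code from the thread or from either poster) that sweeps a directory of PHP files for $log_email assignments, separates the stock "user@host.tld" default quoted above from customised addresses, and groups the customised ones by file so an operator can pivot on them. The list archive renders "@" as " at "; the example assumes the real shells use a plain "@". The sample files embedded in the block are constructed for the example and are not real shells; the doscoder@gmail.com address is reused from the thread only as the illustrative non-default value.

```python
"""Extract the configured $log_email address from suspected C99-style PHP shells.

Added example, not code from the thread.  It assumes only what the thread
states: that C99 shells carry a line of the form
    $log_email = "user@host.tld"; //Default e-mail for sending logs
and that a non-default address is worth pivoting on.
"""
import os
import re
import sys
from typing import Dict, Iterable, List, NamedTuple

# Stock default as quoted in the thread (the archive renders "@" as " at ").
DEFAULT_LOG_EMAIL = "user@host.tld"

# Matches  $log_email = "addr";  or  $log_email = 'addr';  with optional
# whitespace; the back-reference forces the closing quote to match the opener.
LOG_EMAIL_RE = re.compile(r"""\$log_email\s*=\s*(["'])(?P<addr>[^"']*)\1\s*;""")


class LogEmailHit(NamedTuple):
    path: str
    line: int          # 1-based line number in the file
    address: str
    is_default: bool   # True when the shell still carries the stock address


def find_log_email(path: str, text: str) -> List[LogEmailHit]:
    """Return every $log_email assignment found in `text` (the contents of `path`)."""
    hits: List[LogEmailHit] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in LOG_EMAIL_RE.finditer(line):
            addr = m.group("addr").strip()
            hits.append(LogEmailHit(path, lineno, addr,
                                    addr.lower() == DEFAULT_LOG_EMAIL))
    return hits


def custom_addresses(hits: Iterable[LogEmailHit]) -> Dict[str, List[str]]:
    """Map each non-default address to the files that carry it, for pivoting."""
    pivots: Dict[str, List[str]] = {}
    for h in hits:
        if not h.is_default and h.address:
            pivots.setdefault(h.address.lower(), []).append(h.path)
    return pivots


def scan_tree(root: str) -> List[LogEmailHit]:
    """Walk `root` (e.g. a webroot) and scan every .php file for $log_email."""
    hits: List[LogEmailHit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                try:
                    with open(full, "r", encoding="utf-8", errors="replace") as fh:
                        hits.extend(find_log_email(full, fh.read()))
                except OSError:
                    continue  # unreadable file: skip rather than abort the sweep
    return hits


# Constructed sample files standing in for a webroot; not real shells.
SAMPLE_FILES = {
    "uploads/img.php": '<?php\n$log_email = "user@host.tld"; //Default e-mail for sending logs\n',
    "tmp/c.php": "<?php\n$log_email = 'doscoder@gmail.com';  //Default e-mail for sending logs\n",
    "tmp/x.php": "<?php\n$log_email='doscoder@gmail.com';\n",
    "index.php": "<?php echo 'hello'; ?>\n",
}


def scan_samples() -> Dict[str, List[str]]:
    """Run the extractor over the constructed samples and return the pivot map."""
    hits: List[LogEmailHit] = []
    for path, text in SAMPLE_FILES.items():
        hits.extend(find_log_email(path, text))
    return custom_addresses(hits)


if __name__ == "__main__":
    # With a directory argument, sweep it; otherwise run over the samples.
    if len(sys.argv) > 1:
        found = scan_tree(sys.argv[1])
    else:
        found = [h for p, t in SAMPLE_FILES.items() for h in find_log_email(p, t)]
    for h in found:
        print(f"{h.path}:{h.line}: {h.address} [{'default' if h.is_default else 'CUSTOM'}]")
    for addr, paths in custom_addresses(found).items():
        print(f"pivot on {addr}: {len(paths)} file(s)")
```

Run it with a webroot path to sweep real files; without arguments it runs over the constructed samples and reports doscoder@gmail.com as the only pivot candidate. The regex is deliberately narrow (a single-line, plain-string assignment) so it does not fire on unrelated PHP that happens to mention "log_email"; an obfuscated shell that builds the address at runtime would not be caught by this check.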