Author Topic: PHP/C99Shell-A on Windows 2003 Server


pananza

  • Guest
PHP/C99Shell-A on Windows 2003 Server
« on: August 07, 2009, 09:13:45 PM »
I have Avast family pack with the server edition running on my Windows Home Server (Windows 2003 server) and the professional edition on my PC's. For three nights in a row Avast detects PHP/C99Shell-A in a temp file on the server. The file is detected and moved to the Chest presumably before it can do any damage.

This is from the Avast log:

05.08.2009 01:35:53   Sign of "PHP:C99Shell-A [Trj]" has been found in "C:\Documents and Settings\Administrator\Local Settings\Temp\Temp_{1F019F8F-5169-4018-9371-2972F7C1B064}.bin" file. 

06.08.2009 00:20:09   Sign of "PHP:C99Shell-A [Trj]" has been found in "C:\Documents and Settings\Administrator\Local Settings\Temp\Temp_{2E220728-EF7E-40CB-996E-204CBD09E616}.bin" file. 

07.08.2009 00:20:30   Sign of "PHP:C99Shell-A [Trj]" has been found in "C:\Documents and Settings\Administrator\Local Settings\Temp\Temp_{995E3DD3-82F6-4A0B-B4DA-5D159F4EB71B}.bin" file.

I've run several full scans, but no other signs of trouble are found. So the question is, who or what is downloading this file in the middle of the night? I'm the administrator and I'm asleep :)

Only open port in the router is 22 (SSH) since I always access the server via RDP over SSH when I'm out of the house. So this trojan is presumably being downloaded via some program I've inadvertently installed myself, or it's using some flaw in windows that has not yet been fixed by Microsoft (server is fully patched via windows update). The family's three laptops are also scanned without any trace of badware.

I don't like this at all. Any tips on how I can find the source is appreciated.

Jtaylor83

  • Guest
Re: PHP/C99Shell-A on Windows 2003 Server
« Reply #1 on: August 08, 2009, 04:02:53 AM »
C99Shell is a backdoor trojan. You don't have a third-party firewall.

I suggest PCTools Firewall Plus (ThreatFire is optional at installation), Comodo Internet Security (without antivirus), and Online-Armor Firewall Free.

pananza

  • Guest
Re: PHP/C99Shell-A on Windows 2003 Server
« Reply #2 on: August 08, 2009, 08:01:01 AM »
I have a firewall in the broadband router that blocks all incoming internet traffic but port 22. Also I have the Windows Firewall enabled.

What will installing a third party firewall do to help? Also, this is a "head-less" Windows Home Server. This means I don't have any screen connected. So I'm not tempted at installing anything that might disrupt my RDP session.

(Another entry in the log this night as well: at 00:21 PHP/C99Shell was found in a temp file.) So it seems to be quite constant at around 00:20.
« Last Edit: August 08, 2009, 08:15:33 AM by pananza »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89118
  • No support PMs thanks
Re: PHP/C99Shell-A on Windows 2003 Server
« Reply #3 on: August 08, 2009, 05:00:02 PM »
Your router firewall doesn't provide outbound protection, that is what a third party firewall brings to the table.

Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Now a server system has to be protected in much the same way as a stand-alone system: if it can be infected, it can be made to download more of the same, etc. and infect the whole network.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

pananza

  • Guest
Re: PHP/C99Shell-A on Windows 2003 Server
« Reply #4 on: August 09, 2009, 07:46:59 AM »
Ok, I see the point about a third-party firewall. Since my server does not have a screen (and not even a graphics card to connect one to) I'm really anxious about installing such software. My experience from installing them on a PC is that they by default block everything and you'll need to click "Allow" on a lot of dialog boxes after installation.

Since I'll be installing via RDP that connection cannot be broken, or else I'm not able to access the server again. I've read horror stories of other WHS users having to reinstall the OS or yank out the system disk, insert it into another machine, delete the firewall files from Program Files, reinsert the HD in the server and boot.

Anyways: I sat up yesterday with Process Monitor and at 00:20 a piece of software I use for backing up an external web site via FTP was running. It seems the program (ftpsync) is writing to temp first and then moving the files to their destination afterwards. So it's not my server that's hacked, but the external web site. Or rather, someone has tried to hack it. The external server does not support PHP, so even if they managed to upload the PHP file there is no way for them to execute it.
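A scripted version of the correlation pananza did by hand (noticing that the detections cluster around 00:20 each night, then watching Process Monitor at that time), as an added example that is not part of this thread or of any Avast tool: it parses the Avast log lines quoted in the first post, groups detections by time of day, and reports whether they recur on a fixed daily schedule and whether the flagged files all follow the Temp_{GUID}.bin staging pattern. The fourth log line, with its all-zero GUID, is constructed to stand in for the "00:21 this night" entry mentioned in Reply #2 (no seconds are given there, so 00:21:00 is an assumption).

```python
import re
from datetime import datetime

# Three detections quoted in the first post, plus one constructed line
# (all-zero GUID) standing in for the 00:21 entry mentioned in Reply #2.
AVAST_LOG = r'''
05.08.2009 01:35:53   Sign of "PHP:C99Shell-A [Trj]" has been found in "C:\Documents and Settings\Administrator\Local Settings\Temp\Temp_{1F019F8F-5169-4018-9371-2972F7C1B064}.bin" file.
06.08.2009 00:20:09   Sign of "PHP:C99Shell-A [Trj]" has been found in "C:\Documents and Settings\Administrator\Local Settings\Temp\Temp_{2E220728-EF7E-40CB-996E-204CBD09E616}.bin" file.
07.08.2009 00:20:30   Sign of "PHP:C99Shell-A [Trj]" has been found in "C:\Documents and Settings\Administrator\Local Settings\Temp\Temp_{995E3DD3-82F6-4A0B-B4DA-5D159F4EB71B}.bin" file.
08.08.2009 00:21:00   Sign of "PHP:C99Shell-A [Trj]" has been found in "C:\Documents and Settings\Administrator\Local Settings\Temp\Temp_{00000000-0000-0000-0000-000000000000}.bin" file.
'''

# Shape of the Avast log lines above: "DD.MM.YYYY HH:MM:SS   Sign of "<sig>" has been found in "<path>" file."
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.'
)
# Files named Temp_{GUID}.bin inside a Temp folder: a download staged by some
# program before being moved to its final destination.
STAGED_TEMP_RE = re.compile(r'\\Temp\\Temp_\{[0-9A-Fa-f-]{36}\}\.bin$')

SECONDS_PER_DAY = 24 * 3600


def parse_avast_log(text):
    """Turn raw Avast log text into a list of detection records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%d.%m.%Y %H:%M:%S"),
            "signature": m.group("sig"),
            "path": m.group("path"),
        })
    return events


def tod_seconds(dt):
    """Seconds since midnight, ignoring the date."""
    return dt.hour * 3600 + dt.minute * 60 + dt.second


def signed_tod_offset(anchor, other):
    """Time-of-day difference other - anchor in seconds, wrapped into [-12h, +12h) so
    23:58 and 00:02 count as four minutes apart rather than nearly a day."""
    d = tod_seconds(other) - tod_seconds(anchor)
    return (d + SECONDS_PER_DAY // 2) % SECONDS_PER_DAY - SECONDS_PER_DAY // 2


def find_daily_cluster(events, window_seconds=15 * 60):
    """Largest group of detections whose times of day fall within `window_seconds`
    of one member; returned only if the group spans at least two distinct dates,
    since a single day's burst says nothing about a daily schedule."""
    best = []
    for anchor in events:
        group = [e for e in events
                 if abs(signed_tod_offset(anchor["time"], e["time"])) <= window_seconds]
        if len(group) > len(best):
            best = group
    days = {e["time"].date() for e in best}
    return best if len(days) >= 2 else []


def summarize(events, window_seconds=15 * 60):
    """Report what a defender wants to know first: is there a recurring time, and
    do all hits look like staged downloads in one directory."""
    cluster = find_daily_cluster(events, window_seconds)
    typical = None
    if cluster:
        anchor = cluster[0]["time"]
        mean_offset = sum(signed_tod_offset(anchor, e["time"]) for e in cluster) // len(cluster)
        avg = (tod_seconds(anchor) + mean_offset) % SECONDS_PER_DAY
        typical = "%02d:%02d:%02d" % (avg // 3600, avg % 3600 // 60, avg % 60)
    return {
        "detections": len(events),
        "signatures": sorted({e["signature"] for e in events}),
        "cluster_size": len(cluster),
        "typical_time": typical,
        "staged_temp_files": sum(1 for e in events if STAGED_TEMP_RE.search(e["path"])),
        "directories": sorted({e["path"].rsplit("\\", 1)[0] for e in events}),
    }


if __name__ == "__main__":
    report = summarize(parse_avast_log(AVAST_LOG))
    for key, value in report.items():
        print("%-18s %s" % (key, value))
```

With the four lines above, three of the four detections sit within a minute of 00:20:33 on three different dates while the 01:35 hit falls outside the window, so the report says "recurring around 00:20, staged temp files, one directory". That profile points at a scheduled job rather than an interactive intruder, which is exactly what watching Process Monitor at that time confirmed in this thread (the ftpsync backup pulling a tampered file from the remote site). Running the script over a longer log window would also show whether the 01:35 outlier is a one-off or a second schedule worth checking.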

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89118
  • No support PMs thanks
Re: PHP/C99Shell-A on Windows 2003 Server
« Reply #5 on: August 09, 2009, 04:52:08 PM »
Well I don't know what to suggest to you as I don't use a server, but if that location given is for your server then if it can be infected, that infection could just as easily gain internet access to download more malware and probably infect the rest of the network.

Now that being the case you need to do something to stop that from happening. Yes, avast has caught this so it shouldn't get established, but there is no AV solution that will give 100% protection.

The other area of concern is this appears in the Administrator area, so that indicates that something is running under the administrator account to be able to put files in the administrator area.