c99 Shell Trojan


The C99Shell (and its cousin web shells) can be devastating. This is an extension article that stems from Chapter 2 of the CompTIA Security+ SY0-301 Cert Guide (2nd Edition).

One of my associate’s websites was hacked into. He contacted me to see if I knew anything about a Web Shell. He had found that name within the syntax of one of the “new” files on his web server.

I told him that I had seen this before in several permutations: C99, C Shell, Web Shell, Web Shell by Orb, and others. He wasn’t too happy when I told him that the person who installed this has full access to his web server! However (luckily for him), once we fixed the problem, he restored from backup without a hitch. Other customers of mine in the past weren’t so lucky.

What is it? These web shells are programs that are installed on the web server by an attacker, and are used to remotely access and re-configure the server without the owner’s consent. They are remote access Trojans, but are also referred to as backdoors, since they offer an alternative way of accessing the website for the attacker.

How it got there: Most likely, the hacker stole my associate’s FTP password. Once the hacker had the password, it was just a matter of uploading the shell. Then the hacker could log in through the new web shell and do just about anything they wanted to the web server.

Why the web hosting company didn’t notice: Many of these web shells allow the operator to access them through a proxy, thus hiding the location of the operator. Also, the shell can be bound to specific ports, and the information can be encrypted and hashed.

What were my recommendations to my associate? First, I told him to increase password security for all important FTP accounts. I recommended making the passwords as complex as the web server would allow. Then, I recommended removing any unnecessary FTP accounts. Next, I recommended deleting the original RAT files and running a full scan of the system, or restoring from an older backup. Finally, I recommended that my associate verify his web host’s scanning techniques, or scan his web files himself. I insisted that the host (or he) should be checking for web shells of this nature. This can be done by scanning files for particular lines of code, or by simply scanning them for the names they often go by, which can be found within the first few lines of code.
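The kind of scan described above, as an added example that is not part of the original article: a small Python scanner that walks a web root, looks in the first few lines of every file for the shell names the article lists (C99/C99Shell, Web Shell, Web Shell by Orb), and looks through the whole file for one generic obfuscation pattern. The signature list, the ten-line header window and the fixture files it builds are all assumptions made here for illustration, not anything taken from a real hosting provider’s scanner.

```python
import re
import tempfile
from pathlib import Path

# How many leading lines count as the "header" in which these shells
# usually announce themselves. Assumed value, not from the article.
HEADER_LINES = 10

# Name-based signatures, checked only inside the header window.
# The names come from the article; the regexes are assumptions.
NAME_SIGNATURES = [
    ("c99 shell", re.compile(r"\bc99(?:shell)?\b", re.IGNORECASE)),
    ("generic web shell banner", re.compile(r"\bweb\s*shell\b", re.IGNORECASE)),
    ("Web Shell by Orb", re.compile(r"web\s*shell\s+by\s+orb", re.IGNORECASE)),
]

# Code-based signature, checked over the whole file. This pattern is a
# widely used obfuscation idiom and is an assumption added here, not
# something the article names.
CODE_SIGNATURES = [
    ("eval of base64 payload",
     re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)),
]


def scan_file(path):
    """Return a list of (label, line_number) hits for one file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, start=1):
            signatures = list(CODE_SIGNATURES)
            if line_no <= HEADER_LINES:
                signatures += NAME_SIGNATURES
            for label, pattern in signatures:
                if pattern.search(line):
                    hits.append((label, line_no))
    return hits


def scan_tree(root):
    """Walk a web root and return {relative_posix_path: hits} for flagged files.

    Every regular file is scanned regardless of extension, because a planted
    shell is not guaranteed to carry a telling file name.
    """
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_site(root):
    """Constructed fixture: one clean page and two planted files (not real shells)."""
    root = Path(root)
    (root / "images").mkdir(parents=True, exist_ok=True)
    (root / "index.php").write_text("<?php\necho 'Welcome to the site';\n")
    # Announces itself in its header comment, as the article describes.
    (root / "images" / "thumb.php").write_text(
        "<?php\n/* c99shell v.1.0 (constructed fixture) */\necho 'placeholder';\n"
    )
    # Banner buried below the header window, so only the code signature
    # will catch this one: a reminder that name scanning alone is not enough.
    (root / "upload.php").write_text(
        "<?php\n"
        + "// harmless comment\n" * 12
        + "// Web Shell by Orb (constructed fixture)\n"
        + "// eval(base64_decode($x)) -- pattern placed here for the fixture\n"
    )


def run_demo():
    """Build the fixture in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel_path, hits in run_demo().items():
        for label, line_no in hits:
            print(f"{rel_path}:{line_no}: {label}")
```

Run it against a real web root by calling `scan_tree("/path/to/htdocs")` instead of the fixture. The two planted files show why both checks matter: `images/thumb.php` is caught by its banner alone, while `upload.php` pushes its banner past the header window and is caught only by the code signature. A scan like this is a cheap first pass, not a substitute for comparing the live files against a known-good backup or a file-integrity baseline.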

In summary, be sure to scan your site often for malicious code. And make sure your FTP passwords are complex.