c99 shell is NOT part of cpanel
Funniest and scariest thing I've seen this week..
What can you do when you try to warn a webhost that their server has been hacked, and that the server has been compromised with a c99 shell script.
On top of that the hacked server is linked to active phishing sites you can plainly see in google results, and all they say to you is, no worries the c99 shell is just part of Cpanel.
Just run away as fast as you can.. ? :D
c99 Shell details :
Appendix B - c99.php utility | The Honeynet Project
For any webhosts reading this that don't know, c99 shell is NOT part of cpanel.
The c99 PHP utility provides functionality for listing files, brute-forcing FTP passwords, updating itself, executing shell commands and PHP code.
It also provides for connecting to MySQL databases, and initiating a connect-back shell session. In many ways it can be considered the web equivalent of the rootkits that successful attackers often download. In other ways it is the malware equivalent of PHPShell itself.
c99 is often one of the utility programs that is either downloaded if a web server is vulnerable due to being misconfigured, or can be used in a remote file include attack to try and execute shell commands on a vulnerable server. Figure 6 provides a screenshot of the c99 PHP shell running on a web server.