Thread: c99 shell is NOT part of cpanel

Funniest and scariest thing I've seen this week..

What can you do when you try to warn a webhost that their server has been hacked, and that the server has been compromised with a c99 shell script.

On top of that the hacked server is linked to active phishing sites you can plainly see in google results, and all they say to you is, no worries the c99 shell is just part of Cpanel.

Just run away as fast as you can.. ?

c99 Shell details :
Appendix B - c99.php utility | The Honeynet Project

The c99 PHP utility provides functionality for listing files, brute-forcing FTP passwords, updating itself, executing shell commands and PHP code.

It also provides for connecting to MySQL databases, and initiating a connect-back shell session. In many ways it can be considered the web equivalent of the rootkits that successful attackers often download. In other ways it is the malware equivalent of PHPShell itself.

c99 is often one of the utility programs that is either downloaded if a web server is vulnerable due to being misconfigured, or can be used in a remote file include attack to try and execute shell commands on a vulnerable server. Figure 6 provides a screenshot of the c99 PHP shell running on a web server.

For any webhosts reading this that don't know, c99 shell is NOT part of cpanel.

Originally Posted by Mike-XS

... and all they say to you is, no worries the c99 shell is just part of Cpanel.

Oh man... evolution is not working fast enough!

popular shells that are use by scriptkiddies are c99 and r57.

Oh man... evolution is not working fast enough!

It's crazy.

Originally Posted by geeknb

popular shells that are use by scriptkiddies are c99 and r57.

Yep and to protect yourself, disable some stuff in your php.ini and also install Mod Security with some rules and suPHP for extra protection.