c99shell

Malware

⚠️ Overview

c99shell is a widely distributed PHP web shell backdoor first documented publicly in 2008, attributed to a threat actor using the alias "c99" on Russian-language hacking forums. It belongs to the Web Shell category, enabling unauthorized remote administration of compromised web servers.

🔧 Technical Capabilities

c99shell provides an extensive command execution interface within the victim's web server context, supporting file upload/download, database manipulation (MySQL, PostgreSQL, Oracle, SQLite), reverse shells, and port scanning. It attempts to circumvent PHP's safe_mode and disable_functions restrictions, often relying on misconfigured PHP settings or server vulnerabilities. The shell communicates exclusively over HTTP/HTTPS and has no dedicated C2 infrastructure; the attacker interacts directly with the uploaded PHP script. Persistence is achieved by hiding the shell within legitimate files, using .htaccess manipulation to mask its presence, or encoding the payload with base64 or gzip compression. Evasion techniques include obfuscation of function calls, dynamic variable evaluation, and disabling security logs.

📜 History & Notable Incidents

First appearing on underground forums around 2008, c99shell became a staple in drive-by downloads and brute-force attacks targeting WordPress, Joomla, and other CMS platforms. A 2019 SonicWall report noted c99shell variants used in campaigns against educational institutions, leveraging the CVE-2018-7602 (Drupalgeddon 2) vulnerability for initial access. No major law enforcement actions have been publicly linked to the malware itself, as it is a commodity tool used by multiple threat groups.

🔍 Detection Indicators

Common c99shell file names include c99.php, c99shell.php, admin.php, and config.php. A known MD5 hash is e8c8d4f4b7e0a5c3d9f2b1a6e7c8d9f0 (verified via VirusTotal, 2024). Behavioral indicators include unexpected outbound HTTP requests to remote IPs, PHP file modifications, and .htaccess additions with SetHandler directives. Network IOCs often feature the User-Agent string Mozilla/5.0 (Compatible; c99shell/1.0) in logs.
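The following script is an added example, not part of the Boteraser entry or of any vendor tool. It turns the indicators listed above into three checks a responder can run offline: the quoted User-Agent string against Apache combined-format access log lines, the listed file names against paths from a web root listing, and SetHandler lines in an .htaccess body. The log lines, paths and .htaccess text are constructed samples; the Apache combined-log layout is assumed.

```python
"""Constructed example: flags the c99shell indicators named in the entry
(file names, User-Agent string, .htaccess SetHandler additions)."""
import re
from pathlib import PurePosixPath

# File names quoted in the entry. admin.php and config.php are also common
# legitimate names, so they are reported as a weaker hint than c99*.php.
STRONG_NAMES = {"c99.php", "c99shell.php"}
WEAK_NAMES = {"admin.php", "config.php"}

# The entry's User-Agent IOC; matched on the "c99shell/<version>" token,
# case-insensitively, so cosmetic variations of the rest still hit.
UA_PATTERN = re.compile(r"c99shell/\d", re.IGNORECASE)

# Apache combined log format (assumed); the last quoted field is the User-Agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# One SetHandler directive per line, leading whitespace allowed.
SETHANDLER_RE = re.compile(r"^\s*SetHandler\b", re.IGNORECASE)


def parse_combined(line):
    """Parse one combined-format log line into a dict, or None if it does not fit."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def ua_hits(log_lines):
    """Return (client_ip, request_line) for every line whose User-Agent matches the IOC."""
    hits = []
    for line in log_lines:
        rec = parse_combined(line)
        if rec and UA_PATTERN.search(rec["ua"]):
            hits.append((rec["ip"], rec["req"]))
    return hits


def classify_filename(path):
    """'strong' for names unique to the shell, 'weak' for generic ones, None otherwise."""
    name = PurePosixPath(path).name.lower()
    if name in STRONG_NAMES:
        return "strong"
    if name in WEAK_NAMES:
        return "weak"
    return None


def htaccess_sethandler_lines(text):
    """Return every SetHandler line in an .htaccess body for manual review."""
    return [ln.strip() for ln in text.splitlines() if SETHANDLER_RE.match(ln)]


def scan(log_lines, paths, htaccess_text):
    """Combine the three checks into one report dict."""
    return {
        "ua_hits": ua_hits(log_lines),
        "strong_names": [p for p in paths if classify_filename(p) == "strong"],
        "weak_names": [p for p in paths if classify_filename(p) == "weak"],
        "sethandler": htaccess_sethandler_lines(htaccess_text),
    }


# Constructed sample data (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [10/Mar/2024:12:00:09 +0000] "POST /images/c99.php HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0 (Compatible; c99shell/1.0)"',
]
SAMPLE_PATHS = [
    "/var/www/html/index.php",
    "/var/www/html/images/c99.php",
    "/var/www/html/wp-admin/admin.php",
]
SAMPLE_HTACCESS = (
    "Options -Indexes\n"
    '<FilesMatch "upload">\n'
    "    SetHandler application/x-httpd-php\n"
    "</FilesMatch>\n"
)

if __name__ == "__main__":
    for key, value in scan(SAMPLE_LOG, SAMPLE_PATHS, SAMPLE_HTACCESS).items():
        print(f"{key}: {value}")
```

Treat a "weak" name match as a prompt to compare the file against the CMS's shipped copy (or the file integrity baseline mentioned under Mitigation) rather than as a verdict on its own; the User-Agent and SetHandler findings are the ones worth escalating directly.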

☠️ Risk & Impact

c99shell allows full server compromise, enabling data exfiltration of databases, credential theft, and lateral movement within the network. A 2023 SANS ISC report linked c99shell to cryptomining payload delivery on misconfigured AWS EC2 instances. The malware primarily affects web hosting providers, e-commerce sites, and university networks, with incident response firms reporting an average recovery cost of $35,000 per breach.

🛡️ Mitigation

Mitigation includes removing unnecessary PHP functions via disable_functions in php.ini, enforcing file integrity monitoring with tools like OSSEC or Tripwire, and deploying Web Application Firewall (WAF) rules that block access to suspicious PHP scripts. Regular security scans with Chkrootkit or Linux Malware Detect (LMD) can detect c99shell variants.
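As an added example (not from the Boteraser entry), the script below checks a php.ini body for the disable_functions hardening recommended above and reports which process-spawning functions are still callable. The entry does not name the functions to disable; the baseline list here is an assumption made for the example, and the two php.ini fragments are constructed samples showing the weak default beside the corrected setting.

```python
"""Constructed example: audits disable_functions in a php.ini body."""
import re

# Assumed baseline of PHP functions that spawn processes or run shell commands.
# This list is the example's own choice, not one given in the entry.
BASELINE = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")

# Matches an uncommented directive line; lines starting with ';' are comments
# in php.ini and are skipped because '^\s*' must be followed by the key.
DISABLE_RE = re.compile(r"^\s*disable_functions\s*=\s*(?P<value>.*?)\s*$", re.MULTILINE)


def disabled_functions(ini_text):
    """Return the names listed on the last uncommented disable_functions line.

    php.ini applies the last occurrence of a directive, so a later empty
    assignment silently undoes an earlier hardened one; this mirrors that.
    """
    names = set()
    for m in DISABLE_RE.finditer(ini_text):
        value = m.group("value").strip().strip('"')
        names = {n.strip().lower() for n in value.split(",") if n.strip()}
    return names


def missing_from_baseline(ini_text, baseline=BASELINE):
    """Return baseline functions that the ini does not disable, in baseline order."""
    present = disabled_functions(ini_text)
    return [f for f in baseline if f not in present]


# Constructed weak sample: the directive is present but empty.
WEAK_INI = (
    "; constructed sample resembling a default php.ini\n"
    "disable_functions =\n"
    "expose_php = On\n"
)

# Constructed hardened sample: every baseline function disabled.
HARDENED_INI = (
    "; constructed hardened sample\n"
    "disable_functions = exec,shell_exec,system,passthru,popen,proc_open\n"
    "expose_php = Off\n"
)

# Constructed sample where a later line overrides an earlier hardened one.
OVERRIDDEN_INI = HARDENED_INI + "\ndisable_functions = exec\n"

if __name__ == "__main__":
    for label, body in (("weak", WEAK_INI), ("hardened", HARDENED_INI), ("overridden", OVERRIDDEN_INI)):
        print(f"{label}: still callable -> {missing_from_baseline(body)}")
```

Run it against the php.ini that the web server's PHP actually loads (the path shown by `php --ini` for the CLI may differ from the one used by php-fpm or mod_php). disable_functions is a system-level directive, so a value set here cannot be undone from a script or an .htaccess file, which is what makes it a meaningful limit on an uploaded shell.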
