Index of c99.php


  • C99 shell : The infamous web shell
  • Got WordPress? PHP C99 Webshell Attacks Increasing
    IBM Security is always looking for high-volume anomalies that might signify a new attack trend. An attacker can use a webshell to gain remote command execution on a vulnerable server, with whatever privileges the web server account holds. Although we see many attempts to push malicious PHP code on a daily basis, the increased volume of this particular webshell is startling compared to other types of webshell activity IBM MSS tracks: a 45 percent increase from February through March.

    According to VirusTotal, relatively few antivirus vendors are catching this variant.

    Webshells in a Nutshell

    Webshells can be used legitimately by a system administrator to perform actions on the server, such as creating a user, reading system logs and restarting a service.

    They are basically backdoors that run from the browser. Webshells are considered post-exploitation tools: before one can be used in an attack, the attacker needs a vulnerability in the target Web application through which to plant the file. One common way to accomplish this is to upload the webshell through a file upload page that does not validate what it receives.

    Attackers purposely hide their malicious code to evade detection and to slip past a Web application firewall (WAF) that may be protecting the website. The text file pagat.txt carries obfuscated PHP code that is passed to eval() only after it has been unwrapped with one or more of three functions:

    gzinflate inflates a deflated string: it takes data compressed by gzdeflate and returns the original uncompressed data. str_rot13 applies ROT13, a simple letter-substitution cipher that replaces each letter with the one 13 positions further along the alphabet, so applying it twice restores the original. base64_decode reverses Base64, a binary-to-text encoding that represents binary data as an ASCII string using a radix-64 alphabet. None of these is encryption: code wrapped with any of them can be recovered by running the inverse functions in reverse order, with an offline PHP decoding tool or a few lines of script. Avoid pasting samples from a live incident into online decoders, since that hands the sample to a third party.

    The Mechanism

    The PHP interpreter on the victim server decodes the obfuscated strings and executes the result.
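As an added example (not from the IBM write-up and not code from any shell), the following Python script reproduces the three PHP transforms named above and peels nested eval() layers statically, without ever executing the PHP. The sample it unwraps is constructed inline with those same transforms; the real pagat.txt payload is not reproduced here. The function names and the stub payload are assumptions for the example.

```python
import base64
import codecs
import re
import zlib

# Constructed sample payload for the example. It is NOT the pagat.txt shell:
# a one-line stub wrapped in the same eval()/gzinflate/base64/rot13 layers
# the article describes, so the unwrapper has something to peel.
INNER_PHP = 'echo shell_exec($_GET["cmd"]);'


def php_gzdeflate(data: bytes) -> bytes:
    """PHP gzdeflate(): raw DEFLATE stream, no zlib or gzip header."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def php_gzinflate(data: bytes) -> bytes:
    """PHP gzinflate(): inverse of gzdeflate (wbits=-15 selects raw DEFLATE)."""
    return zlib.decompress(data, -15)


def php_str_rot13(text: str) -> str:
    """PHP str_rot13(): shifts letters by 13; it is its own inverse."""
    return codecs.encode(text, "rot_13")


def build_sample() -> str:
    """Wrap INNER_PHP in two layers, the way the obfuscators do it."""
    layer1 = base64.b64encode(php_gzdeflate(INNER_PHP.encode())).decode()
    code1 = f'eval(gzinflate(base64_decode("{layer1}")));'
    layer2 = base64.b64encode(php_str_rot13(code1).encode()).decode()
    return f'<?php eval(str_rot13(base64_decode("{layer2}"))); ?>'


# Decoders keyed by PHP function name; data is kept as bytes throughout.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": php_gzinflate,
    "gzuncompress": zlib.decompress,  # zlib-wrapped, unlike gzinflate
    "str_rot13": lambda b: php_str_rot13(b.decode("latin-1")).encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# Matches eval( f1( f2( ... "literal" ) ) ); group 1 holds the function
# chain, outermost first; group 3 holds the quoted literal.
EVAL_RE = re.compile(r'eval\s*\(\s*((?:\w+\s*\(\s*)+)(["\'])(.*?)\2\s*\)+\s*;?', re.S)


def unwrap_once(php: str):
    """Statically undo one eval() layer. Returns (inner_code, chain) or None."""
    m = EVAL_RE.search(php)
    if not m:
        return None
    chain = re.findall(r"\w+", m.group(1))   # e.g. ['gzinflate', 'base64_decode']
    data = m.group(3).encode("latin-1")
    for fn in reversed(chain):                # the innermost function runs first
        if fn not in DECODERS:
            raise ValueError(f"unsupported wrapper function: {fn}")
        data = DECODERS[fn](data)
    return data.decode("latin-1"), chain


def deobfuscate(php: str, max_layers: int = 20):
    """Peel eval() layers until none match; the PHP is never executed."""
    layers = []
    for _ in range(max_layers):
        result = unwrap_once(php)
        if result is None:
            break
        php, chain = result
        layers.append(chain)
    return php, layers


if __name__ == "__main__":
    sample = build_sample()
    code, layers = deobfuscate(sample)
    print("layers peeled:", layers)
    print("decoded code :", code)
```

Running it prints the two peeled chains and the decoded stub. On a real sample, stop at the first unsupported wrapper and read the decoded layer by hand rather than extending DECODERS blindly; shell authors also hide eval() behind variable functions and string concatenation, which this regex deliberately does not chase.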

    Once decoded, the script shows its intent (the decoded examples in the original analysis are deliberately truncated): it lets the attacker execute shell commands on the server and push additional files for further malicious actions. Our data showed a distinct upward trend in alert volume tied specifically to this C99 variant. This specific variant is one of many used by a mass Web defacer known as Hmei7, who reportedly defaced more than 5,000 WordPress websites over a two-day period.

    Hmei7 uses backdoors with a file-upload feature and replaces critical site files such as the site's index page. Hmei7 is known to have defaced websites on a mass scale and is currently being tracked by Zone-H. Read the research report: Understanding the risks of content management systems.

    Identification

    As of April 12, a Google search for the file name pagat.txt ... Only nine of 68 antivirus products identify this malicious PHP script, according to VirusTotal. Below is more information about the script: MD5: 6bd69de0fcae1d9c5b5.

    Sometimes the upload is rejected as-is; when that happens, the usual trick is simply to rename the shell file so that it passes whatever filename check is in place. An excellent example of a web shell is the c99 variant, a PHP script often uploaded to a vulnerable web application to give the attacker a browser-based interface. The c99 shell lets the attacker issue commands on the server as the account the web server process runs under, and through it control whatever that account can reach.
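The renaming trick works because many upload handlers only blocklist one extension. As an added example (not code from the page or from any application it mentions), the Python below contrasts that weak check with an allowlist that also inspects content; the candidate names and the magic-byte table are assumptions chosen for the example, and the check generalises beyond the .php case the text describes.

```python
import re
import secrets

# Constructed names an attacker might try once a plain "c99.php" upload is
# rejected. Each one defeats a naive "does it end in .php" check on at least
# one common stack (case-insensitive filesystems, alternative PHP handlers,
# double extensions, null-byte truncation in older PHP).
BYPASS_NAMES = [
    "c99.PHP", "c99.phtml", "c99.php5", "c99.php.jpg", "c99.php%00.jpg",
]

# Extension allowlist plus the magic bytes each type must start with.
ALLOWED_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAG_RE = re.compile(rb"<\?(php|=)", re.I)


def blocklist_allows(filename: str) -> bool:
    """The weak check many upload forms ship with: block one extension."""
    return not filename.endswith(".php")


def allowlist_allows(filename: str, content: bytes) -> bool:
    """Hardened check: exactly one lowercase extension from an allowlist,
    matching magic bytes, and no PHP open tag anywhere in the body."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path part
    if "\x00" in base or "%00" in base:
        return False
    parts = base.lower().split(".")
    if len(parts) != 2:                                      # no double extensions
        return False
    stem, ext = parts
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", stem) or ext not in ALLOWED_MAGIC:
        return False
    if not content.startswith(ALLOWED_MAGIC[ext]):
        return False
    # A GIF header followed by PHP is still a valid GIF; refuse polyglots too.
    return PHP_TAG_RE.search(content) is None


def stored_name(filename: str) -> str:
    """Never store under the client's name: keep only the validated extension."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def evaluate(names, content):
    """Return {name: (blocklist_verdict, allowlist_verdict)} for sample names."""
    return {n: (blocklist_allows(n), allowlist_allows(n, content)) for n in names}


if __name__ == "__main__":
    body = b"<?php eval(base64_decode($_POST['x'])); ?>"
    for name, (weak, strong) in evaluate(BYPASS_NAMES, body).items():
        print(f"{name:18} blocklist={weak!s:5} allowlist={strong!s:5}")
```

Even the allowlist only decides what is written to disk; it must be paired with serving the upload directory from a location where the web server will not execute scripts, otherwise a future bypass of the name check becomes code execution again.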

    Compromised web servers with malicious web shells installed

    Overview

    This alert describes the frequent use of web shells as an exploitation vector. Web shells can be used to obtain unauthorized access and can lead to wider network compromise.

    This alert outlines the threat and provides prevention, detection, and mitigation strategies. Consistent use of web shells by Advanced Persistent Threat (APT) and criminal groups has led to significant cyber incidents. The detection and mitigation measures outlined in this document represent the shared judgement of all participating agencies.

    Description

    A web shell is a script that can be uploaded to a web server to enable remote administration of the machine.

    Infected web servers can be either Internet-facing or internal to the network, where the web shell is used to pivot further to internal hosts.

    A web shell can be written in any language that the target web server supports; the most commonly seen are written in PHP and ASP, and Perl, Ruby, Python, and Unix shell scripts are also used. Using network reconnaissance tools, an adversary can identify vulnerabilities that can be exploited to install a web shell.

    For example, these vulnerabilities can exist in content management systems (CMS) or in the web server software itself. Once the shell is uploaded, the adversary can use it as a foothold for further exploitation, escalating privileges and issuing commands remotely. What those commands can do is bounded by the privileges and functionality of the web server account, and may include adding, deleting, and executing files as well as running shell commands, further executables, or scripts.

    How and why are they used by malicious adversaries? Web shells are frequently used in compromises because they combine remote access with rich functionality. Even simple web shells can have a considerable impact while leaving a minimal footprint.

    Web shells are used for the following purposes:

      • To harvest and exfiltrate sensitive data and credentials;
      • To upload additional malware, for example to create a watering hole for infecting and scanning further victims;
      • To serve as a relay point for issuing commands to hosts inside the network that have no direct Internet access;
      • To serve as command-and-control infrastructure, potentially as a bot in a botnet or in support of compromises of additional external networks. This can occur when the adversary intends to maintain long-term persistence.

    While a web shell itself would not normally be used for denial of service (DoS) attacks, it can act as a platform for uploading further tools, including DoS capability.

    Commonly encountered web shells include:

      • China Chopper: a small web shell packed with features, with several command-and-control capabilities including a password brute-force function.
      • C99: described in the alert as a version of the WSO shell with additional functionality.
      • BK: a PHP-based web shell with common functionality such as viewing processes and executing commands.

    Delivery tactics (exploiting a file upload, a file inclusion flaw, an exposed admin interface, and so on) can be, and regularly are, combined. For example, an exposed admin interface on its own is not enough: it still needs a file upload option, or one of the other exploitation methods, to get the shell onto the server.

    Impact

    A successfully uploaded shell script may allow a remote attacker to bypass security restrictions and gain unauthorized system access.

    Prevention and Mitigation

    Installation of a web shell is commonly accomplished through web application vulnerabilities or configuration weaknesses. Identifying and closing those vulnerabilities is therefore the first line of defence.

    The following suggestions cover good general security practice and web-shell-specific measures:

      • Apply regular updates to applications and the host operating system to ensure protection against known vulnerabilities.
      • Control the creation and execution of files in particular directories. In particular, disable script execution in directories that accept uploads, so that a file an attacker manages to write there cannot be run as a script, and keep the web root read-only for the web server account wherever the application allows it.
      • If not already present, consider deploying a demilitarized zone (DMZ) between your web-facing systems and the corporate network. Limiting the interaction between the two, and logging the traffic that does cross, provides a way to identify possible malicious activity.
      • Ensure a secure configuration of web servers. All unnecessary services and ports should be disabled or blocked, and necessary ones restricted where feasible. This includes whitelisting or blocking external access to administration panels and never keeping default login credentials.
      • Validate user input to close local and remote file inclusion vulnerabilities.
      • Conduct regular system and application vulnerability scans to establish areas of risk. Scanning does not protect against zero-day attacks, but it highlights possible areas of concern.
      • Deploy a web application firewall and conduct regular virus signature checks, application fuzzing, code reviews and server network analysis.

    Detection

    Because web shells are simple and easy to modify, they can be difficult to detect; anti-virus products, for example, often perform poorly against them.

    The following may be indicators that a system has been infected by a web shell. Note that a number of these indicators are also common to legitimate files; any suspected malicious file should be considered in the context of the other indicators and triaged to decide whether further inspection or validation is required.

      • Abnormal periods of high site usage (due to potential uploading and downloading activity);
      • Files with an unusual timestamp;
      • A file type generating unexpected or anomalous network traffic;
      • Any evidence of suspicious shell commands, such as directory traversal, issued by the web server process.

    For investigating many types of shells, a search engine can be very helpful: web shells are often used to spread malware from a server, and search engines are able to see it. But many web shells check the User-Agent and will display differently to a search engine spider (a program that crawls through links on the Internet, grabbing content from sites and adding it to search engine indexes) than to a regular user. To find a shell, you may need to change your User-Agent to that of one of the search engine bots; some browsers have plugins that make switching the User-Agent easy. Once a shell is found, delete the file from the server, but do not stop there: the shell is post-exploitation tooling, so treat the host as compromised, look for other backdoors and persistence the attacker may have left, and identify and close the vulnerability that was used to plant it.

    Client characteristics can also indicate possible web shell activity. Most legitimate URIs are visited with a variety of user-agents, whereas a web shell is generally visited only by its operator, resulting in very few user-agent variants. Frequency analysis of the web access logs, counting distinct user-agents (and client addresses) per URI, can therefore point to the location of a web shell.
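The frequency analysis just described, as an added example that is not part of the alert. The script below parses Apache combined-format access log lines, counts distinct user-agents and client addresses per path, and flags paths that combine low client diversity with shell-like use. The log lines are constructed for the example (RFC 5737 documentation addresses, invented paths); the scoring thresholds and the directory list are assumptions, and a single weak signal such as "mostly POST" is deliberately not enough on its own, since login forms look the same.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" log lines. Ordinary traffic hits /index.php
# from several clients and browsers; one script under /uploads/ is hit only
# by a single client with a single user-agent, mostly via POST.
ACCESS_LOG = """
192.0.2.10 - - [12/Apr/2016:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/45.0"
192.0.2.11 - - [12/Apr/2016:10:01:09 +0000] "GET /index.php?p=2 HTTP/1.1" 200 4988 "-" "Mozilla/5.0 (Macintosh) Safari/601.5"
192.0.2.12 - - [12/Apr/2016:10:02:31 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux) Chrome/49.0"
192.0.2.13 - - [12/Apr/2016:10:03:15 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.7 - - [12/Apr/2016:10:05:40 +0000] "GET /uploads/c99.php HTTP/1.1" 200 14001 "-" "curl/7.47.0"
203.0.113.7 - - [12/Apr/2016:10:05:52 +0000] "POST /uploads/c99.php HTTP/1.1" 200 14230 "-" "curl/7.47.0"
203.0.113.7 - - [12/Apr/2016:10:06:03 +0000] "POST /uploads/c99.php HTTP/1.1" 200 14411 "-" "curl/7.47.0"
203.0.113.7 - - [12/Apr/2016:10:06:20 +0000] "POST /uploads/c99.php HTTP/1.1" 200 15002 "-" "curl/7.47.0"
192.0.2.14 - - [12/Apr/2016:10:07:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/49.0"
192.0.2.15 - - [12/Apr/2016:10:07:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux) Firefox/45.0"
192.0.2.16 - - [12/Apr/2016:10:08:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh) Safari/601.5"
""".strip().splitlines()

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Scripts living where only static content belongs are a classic shell location.
SCRIPT_IN_STATIC_DIR = re.compile(r"/(uploads?|images?|img|media|tmp|cache)/.*\.(php\d?|phtml)$", re.I)


def profile(lines):
    """Per-path counters: hits, distinct client IPs, distinct user-agents, POSTs."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "uas": set(), "posts": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip lines that are not combined format
        path = m.group("uri").split("?", 1)[0]
        s = stats[path]
        s["hits"] += 1
        s["ips"].add(m.group("ip"))
        s["uas"].add(m.group("ua"))
        s["posts"] += m.group("method") == "POST"
    return stats


def suspicious_paths(lines, min_hits=3):
    """Paths that look like a shell: low client diversity plus shell-like use."""
    findings = []
    for path, s in profile(lines).items():
        if s["hits"] < min_hits:
            continue
        reasons = []
        if len(s["uas"]) == 1:
            reasons.append("single user-agent")
        if len(s["ips"]) == 1:
            reasons.append("single client IP")
        if s["posts"] * 2 > s["hits"]:
            reasons.append("mostly POST")
        if SCRIPT_IN_STATIC_DIR.search(path):
            reasons.append("script in upload/static directory")
        if len(reasons) >= 2:              # one weak signal alone is too noisy
            findings.append((path, reasons))
    return sorted(findings)


if __name__ == "__main__":
    for path, reasons in suspicious_paths(ACCESS_LOG):
        print(path, "->", ", ".join(reasons))
```

On a real log, run it per day or per hour as well as over the whole file: an operator who rotates user-agents or source addresses still tends to be the only visitor of that path within any short window.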


    C99 shell : The infamous web shell


    In this article we will learn about the infamous C99 shell. In our previous tutorial, RFI hacking for beginners, we learnt what a remote file inclusion vulnerability is and how hackers use it to get files onto the web server. In that tutorial we uploaded a C99 PHP shell, which is the most popular shell used in RFI hacking. Today we will see how hackers go on from an uploaded shell to hacking the website.

    We have successfully uploaded a shell in the above post. Browse to the path where we uploaded our shell, as shown below, and you should see something like the screenshot below: this is our PHP shell. As you can see, it already reveals a lot about the target system, such as the OS and the web server software and version. It also lists all the files in the directory where we uploaded the shell, as shown below.

    Let us see some of the features of the shell.

    The first, second and third tabs are the Home, back and forward buttons and need no explanation; they are useful for navigating the web server. I have gone one directory back, as shown below. We can search for a specific file using the search function, as shown below.

    Using the Tools option, we can open a listening port on the target server and bind a shell to it. This can be useful for making remote connections with netcat or any similar program, provided the server's firewall lets the port through.

    We can also see the processes running on the web server using the proc function, but this depends on the privileges we have acquired on the target. Many web servers also have an FTP server installed. We can download the WinNT passwords and crack them with any cracking software; once again, this depends on the privileges we are running as.


    The SQL option gives us access to the all-important database. Once a connection is established, we can see all the databases present on the server: click on Databases to list them. Remember that we can view every database on the server, not just this website's. As can be seen, this one has two tables.

    You can select any table and delete or edit it. Hackers can even create new databases or delete existing ones entirely. After doing whatever he wants, the hacker can remove the shell from the web server to cover his tracks.

    Command Execute

    Now let us look at some more tricks of this shell. As the name implies, Command Execute is used to run commands on the target OS.

    We can see the result as shown below.

