PHP_C99SHELL.E

This backdoor may be hosted on a website and run when a user accesses the said website.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This backdoor may be hosted on a website and run when a user accesses the said website.

This malware arrives via the following means:

• May be uploaded and installed on a web server by a remote malicious user after gaining access to the server

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Upload/dowload files to/from the web server
• Detect available drives on the system
• List files and folders
• Provide user full access to files and folders
• Search files with specific contents
• Create file and folder
• View file and folder information
• Execute shell commands
• View list of processes running on the system
• Bind standard input/output of the command interpreter to assigned TCP port
• Bind standard input/ output of the command interpreter to data from certain IRC server (Datapipe)
• Manage SQL databases
• Execute PHP code
• Remove itself from the server
• Scan FTP accounts for weak passwords using brute force and log them to file and e-mail

NOTES:

Once this PHP script is installed, the user may launch a backdoor on the affected system.

The malicious user is shown the following GUI upon opening the page: