Internet threat level: 1
Home→Descriptions→Backdoor.PHP.C99Shell.an
Backdoor.PHP.C99Shell.an
| Detected | Jul 18 2008 09:17 GMT |
| Released | Dec 08 2009 17:42 GMT |
| Published | Jul 18 2008 09:17 GMT |
Payload
Patches
Technical Details
This Trojan provides a remote malicious user with access to the victim machine. It is a PHP script. It is 149170 bytes in size.
Installation
This backdoor can be installed on a web server by a remote malicious user by uploading it via FTP, using the administrator's log-in details which have already been stolen. It can also be used to exploit a range of web site vulnerabilities which make it possible to upload a random file to the directory which contains the site scripts. Once this has been done, a hidden page appears on the site. Opening this page makes it possible for the malicious user to launch the backdoor and make use of its malicious functionality.
Payload
This backdoor is designed to provide remote, unauthorised administration of web servers. When the backdoor is launched, the malicious user is shown the backdoor interface:
The backdoor is able to conduct the following actions on the remote server:
- provide full access to files on the hard disk
- calculate a range of hashes for strings
- launch the command interpreter and bind its standard input/ output to a specific TCP port
- bind the standard input/ output of the command interpreter to data from the IRC server (datapipe)
- View the list of processes launched on the server
- execute random PHP code
- download/ upload files from/to the server
- search the server's hard disk for files with specific content
- manage mysql databases (view/ create/ edit databases/ tables)
- run shell commands
- scan FTP server accounts for weak passwords (e.g. where the account name and password co-incide)
- delete the copy of itself from the server hard disk on command
- create a user account without password
- view active users in the system
- delete records of its own activity from Apache server logs
Patches
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine).
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.
These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.
The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.
There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.
Backdoor.
- PHP/C99Shell-A (Sophos)
- Trojan.
PHP. C99Shell (ClamAV) - PHP/C99Shell.
A (FPROT) - Backdoor:
PHP/C99shell. D (MS(OneCare)) - a variant of PHP/C99Shell.
C trojan (Nod32) - Virtool.
PHP. C99Shell. B (BitDef7) - PHP.
ShellBot. K (VirusBuster) - PHP:
C99Shell-A [Trj] (AVAST) - PHP/BackDoor.
C99Shell (AVG) - BDS/PHP.
C99Shell. AN (AVIRA) - PHP/C99Shell.
B (Norman) - Backdoor.
PHP. C99Shell. an [AVP] (FSecure)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.