English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsBackdoor.PHP.C99Shell.w

Backdoor.PHP.C99Shell.w

Detected Sep 12 2007 10:24 GMT
Released Sep 12 2007 10:24 GMT
Published Jul 15 2008 08:24 GMT

Technical Details
Payload
Removal instructions

Technical Details

This Trojan provides a remote malicious user with access to the victim machine. It is a PHP script. It is 229051 bytes in size.

Installation

This backdoor can be installed on a web server by a remote malicious user by uploading it via FTP, using the administrator's log-in details which have already been stolen. It can also be used to exploit a range of web site vulnerabilities which make it possible to upload a random file to the directory which contains the site scripts. Once this has been done, a hidden page appears on the site. Opening this page makes it possible for the malicious user to launch the backdoor and make use of its malicious functionality.


Payload

This backdoor is designed to provide remote, unauthorised administration of web servers. When the backdoor is launched, the malicious user is shown the backdoor interface:

The backdoor is able to conduct the following actions on the remote server:

  1. provide full access to files on the hard disk
  2. Calculate a range of hashes for strings
  3. launch the command interpreter and bind its standard input/ output to a specific TCP port
  4. bind the standard input/ output of the command interpreter to data from the IRC server (datapipe)
  5. view a list of processes launched on the server
  6. execute random PHP code
  7. download/ upload files from/to the server
  8. search the server's hard disk for files with specific content
  9. manage mysql databases (view/ create/ edit databases/tables)
  10. run shell commands
  11. scan FTP server accounts for weak passwords (e.g. where the account name and password co-incide)
  12. delete the copy of itself from the server hard disk on command
  13. create a user account without password
  14. view active users in the system
  15. delete records of its own activity from Apache server logs
  16. exploit a range of Linux kernel and bash command interpreter vulnerabilies
  17. run via the proxy server shown below
    http://*****faced.org/proxy/index.php?q=

hiding the address of the remote malicious user.


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine).
  2. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).


Print
Bookmark and Share
Share
Trojans
Backdoor

Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.

These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.

The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.

There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.


Other versions
Backdoor.PHP.C99Shell.an

Aliases

Backdoor.PHP.C99Shell.w (Kaspersky Lab) is also known as:

  • Mal/PHPShell-A (Sophos)
  • Trojan.PHP.C99Shell (ClamAV)
  • PHP/C99Shell.E (FPROT)
  • Backdoor:PHP/C99shell.D (MS(OneCare))
  • PHP/C99Shell.W trojan (Nod32)
  • Trojan.Script.180903 (BitDef7)
  • PHP.ShellBot.K (VirusBuster)
  • PHP:C99Shell-A [Trj] (AVAST)
  • Backdoor.PHP.C99Shell.y (Ikarus)
  • PHP/BackDoor.C99Shell (AVG)
  • PHP/C99Shell.A (AVIRA)
  • PHP.Backdoor.Trojan (NAV)
  • PHP/C99Shell.L (Norman)
  • Backdoor.PHP.C99Shell.w [AVP] (FSecure)
  • Backdoor.HTML.PHPShell-Interface (v) (Sunbelt)
  • PHP.ShellBot.K (VirusBusterBeta)

© 1997-2010 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search