c99shell Backdoor Detection

high Nessus Plugin ID 46349

Synopsis

The remote web server contains a PHP backdoor script.

Description

At least one instance of c99shell (or a derivative, such as c100 or Locus7Shell) is hosted on the remote web server. This is a PHP script that acts as a backdoor and provides a convenient set of tools for attacking the affected host.

Solution

Remove any instances of the c99shell script and conduct a forensic examination to determine how it was installed as well as whether other unauthorized changes were made.

See Also

http://vil.nai.com/vil/content/v_136948.htm

http://www.nessus.org/u?e4884d31

Plugin Details

Severity: High

ID: 46349

File Name: c99shell.nasl

Version: 1.9

Type: remote

Family: CGI abuses

Published: 5/14/2010

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning