PHP c99shell Backdoor Script Detection

Nessus Network Monitor Plugin ID 6925 (severity: high)

Synopsis

The remote web server may contain a PHP backdoor script.

Description

The remote web server may contain a PHP script that acts as a backdoor and provides a convenient set of tools for attacking the affected host. At least one instance of 'c99shell' (or a derivative, such as c100 or Locus7Shell) is hosted on the remote web server.

Solution

Remove any instances of the script and conduct a forensic examination to determine how it was installed as well as whether other unauthorized changes were made.

See Also

http://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html

http://vil.nai.com/vil/content/v_136948.htm

http://www.nessus.org/u?12540cda

Plugin Details

Severity: High

ID: 6925

Family: Backdoors

Published: 7/9/2013

Updated: 6/1/2015

Nessus ID: 46349

Vulnerability Information

CPE: cpe:/a:php:php