
PHP c99shell Backdoor Script Detection

High

Synopsis

The remote web server may contain a PHP backdoor script.

Description

The remote web server may contain a PHP script that acts as a backdoor and provides a convenient set of tools for attacking the affected host. At least one instance of 'c99shell' (or a derivative, such as c100 or Locus7Shell) is hosted on the remote web server.

Solution

Remove any instances of the script and conduct a forensic examination to determine how it was installed as well as whether other unauthorized changes were made.
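
A first-pass sweep for the steps in the Solution, given here as an added example and not the scanner's own detection logic: it looks for the three names from the Description in PHP files under a webroot, then lists other files modified close in time to each hit. The extension list, the one-hour window and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Names come from the advisory text. Matching on names is a triage heuristic:
# a renamed or obfuscated copy will not match.
MARKERS = re.compile(rb"c99shell|locus7shell|\bc100\b", re.IGNORECASE)
PHP_EXT = {".php", ".phtml", ".inc"}  # assumption: extensions this server runs as PHP

def files_under(root):
    return sorted(p for p in Path(root).rglob("*") if p.is_file())

def find_candidates(webroot):
    """Return (path, marker) pairs for PHP files containing a listed name."""
    hits = []
    for path in files_under(webroot):
        if path.suffix.lower() not in PHP_EXT:
            continue
        try:
            match = MARKERS.search(path.read_bytes())
        except OSError:
            continue  # unreadable file: keep sweeping
        if match:
            hits.append((path, match.group().decode().lower()))
    return hits

def changed_near(webroot, hit, window=3600):
    """Return other files modified within `window` seconds of the hit's mtime."""
    ref = hit.stat().st_mtime
    return [p for p in files_under(webroot)
            if p != hit and abs(p.stat().st_mtime - ref) <= window]

def build_sample(root):
    """Constructed sample webroot; the 'hit' holds only the name, no shell code."""
    files = {"index.php": (b"<?php echo 'home'; ?>", 1_000_000),
             "img/x.php": (b"<?php /* C99Shell (constructed) */ ?>", 2_000_000),
             ".htaccess": (b"# constructed: edited with the hit\n", 2_000_300)}
    for rel, (data, mtime) in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        os.utime(path, (mtime, mtime))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit, marker in find_candidates(build_sample(tmp)):
            print(marker, hit, [str(p) for p in changed_near(tmp, hit)])
```

Modification times can be reset by whoever placed the file, so treat the time-window list as a lead to corroborate against web server access logs and backups rather than as a complete record of changes.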