1. Introduction
The c99shell vulnerability is a PHP backdoor script found on remote web servers. It provides attackers with tools for compromising affected hosts, allowing them to execute commands and potentially steal sensitive data. Web servers are typically affected, especially those running vulnerable or outdated software. This can lead to complete compromise of confidentiality, integrity, and availability of the server and any connected systems.
2. Technical Explanation
The c99shell backdoor is a PHP script that allows remote command execution on a web server. Attackers typically exploit this vulnerability by gaining access to a vulnerable web server and uploading or locating existing instances of the c99shell script. The script then provides a web interface for attackers to execute commands, upload files, and modify system settings.
- Root cause: Unrestricted file uploads or weak security configurations on the web server allow malicious PHP scripts like c99shell to be uploaded and executed.
- Exploit mechanism: An attacker uploads c99shell to a writable directory on the web server, then accesses it via a web browser to gain remote command execution capabilities. For example, an attacker could upload `c99shell.php` to `/var/www/html/uploads/` and access it through `http://example.com/uploads/c99shell.php`.
- Scope: Web servers running PHP are affected. Specific versions of PHP do not directly cause the vulnerability, but older or unpatched systems are more likely to be vulnerable due to outdated security practices.
3. Detection and Assessment
To confirm if a system is vulnerable, you can check for the presence of c99shell scripts on the web server. Start with a quick file search, then use a thorough scan for related files.
- Quick checks: Use the `find` command to locate c99shell scripts. For example:
find /var/www/html -name "c99shell*" - Scanning: Nessus plugin ID e4884d31 can detect instances of c99shell. This is an example only, and other scanners may provide similar functionality.
- Logs and evidence: Check web server access logs for suspicious requests to PHP files with names like “c99shell”, “c100”, or “Locus7Shell”. Look for unusual activity patterns in the logs.
find /var/www/html -name "c99shell*"4. Solution / Remediation Steps
Remove any instances of the c99shell script and conduct a forensic examination to determine how it was installed.
4.1 Preparation
- Ensure you have access to restore from backup in case of issues. A roll back plan involves restoring the backed-up files.
- A change window may be needed depending on your organization’s policies and the impact of stopping the web service. Approval from a security team might be required.
4.2 Implementation
- Step 1: Locate all instances of c99shell scripts using the `find` command (e.g.,
find /var/www/html -name "c99shell*"). - Step 2: Delete any found c99shell scripts using the `rm` command (e.g.,
rm /var/www/html/uploads/c99shell.php). - Step 3: Examine web server logs for evidence of other malicious files or activity.
- Step 4: Scan the entire web server file system with an updated antivirus scanner.
4.3 Config or Code Example
Before
After
// No code - file should be deleted.4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this vulnerability type. Least privilege limits the impact of exploitation, while input validation blocks unsafe data.
- Practice 1: Implement least privilege for web server processes and file system access to reduce the potential damage from a compromised script.
- Practice 2: Enforce strict input validation on all user-supplied data to prevent attackers from uploading malicious files or executing arbitrary code.
4.5 Automation (Optional)
A simple Bash script can automate the removal of c99shell scripts, but use with caution.
#!/bin/bash
find /var/www/html -name "c99shell*" -delete
echo "Removed c99shell files."5. Verification / Validation
Confirm the fix by re-running the file search and verifying that no c99shell scripts are present. Also, perform a smoke test to ensure core web server functionality remains intact.
- Post-fix check: Run
find /var/www/html -name "c99shell*". The expected output should be empty. - Re-test: Re-run the earlier detection method (e.g., `find /var/www/html -name "c99shell*"`). No files matching this pattern should be found.
- Smoke test: Verify that basic web server functionality, such as accessing a homepage or submitting a form, still works correctly.
- Monitoring: Monitor web server access logs for any suspicious activity related to PHP file uploads or execution. Look for unexpected errors or requests.
find /var/www/html -name "c99shell*"6. Preventive Measures and Monitoring
Update security baselines and implement checks in CI pipelines to prevent this issue from recurring. A sensible patch review cycle is also important.
- Baselines: Update your web server security baseline or policy to include restrictions on file uploads and execution of PHP scripts. Consider using a CIS control for guidance.
- Asset and patch process: Implement a regular patch review cycle for web server software and associated components.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 2: Stopping the web service may cause downtime for users. Mitigation: Schedule maintenance during off-peak hours and communicate the planned outage.
8. References and Resources
- Vendor advisory or bulletin: http://vil.nai.com/vil/content/v_136948.htm
- NVD or CVE entry: Not available in provided context.
- Product or platform documentation relevant to the fix: Not available in provided context.