{
	"id": "772a66e0-adad-40a7-af91-4c74dfd60e9d",
	"created_at": "2026-04-06T01:29:40.177246Z",
	"updated_at": "2026-04-10T13:11:32.733401Z",
	"deleted_at": null,
	"sha1_hash": "5070154cd716d192d1c61a8ca7dc4088440b5841",
	"title": "C99Shell not dead",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 173466,
	"plain_text": "C99Shell not dead\r\nArchived: 2026-04-06 00:47:43 UTC\r\nIn today's blog post, we'll talk about C99shell - a powerful PHP backdoor.\r\nIntroduction\r\nAnalysis\r\nDisinfection\r\nPrevention\r\nConclusion\r\nIntroduction\r\nI recently got contacted on Twitter regarding a hacked webpage:\r\nAfter I received the files, two things became apparent:\r\nthe webserver (and thus the website) was infected with C99shell;\r\nthe webserver was infected with other PHP backdoors.\r\nAnalysis\r\nPHP/c99shell or simply c99shell should be well known by now - it is a PHP backdoor that provides a lot of functionality, for example:\r\nrun shell commands;\r\ndownload/upload files from and to the server (FTP functionality);\r\nfull access to all files on the hard disk;\r\nself-delete functionality.\r\n...\r\nIn short, it can pretty much do everything you want, which results in end-users getting malware onto their systems and/or data getting stolen and/or personal information compromised.\r\nThere's an excellent blog post over at Malwaremustdie regarding C99shell, you can read it here:\r\nHow EVIL the PHP/C99Shell can be? From SQL Dumper, Hacktools, to Trojan Distributor Future?\r\nNow, here's one of the files gathered from the webserver:\r\nIt's heavily obfuscated, as one would expect; after some deobfuscating/decoding we get:\r\nhttps://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html\r\nPage 1 of 6\n\nIt also has a nice web interface:\r\nSeems like we are dealing with a slightly updated version of C99shell, version 2.1:\r\nAnd last but not least, some functionality:\r\nYou can find the decoded C99shell backdoor on Pastebin:\r\nDecoded PHP/c99shell\r\nDetections aren't too great for this PHP backdoor, but detection has surely improved since Malwaremustdie started blogging about it; some VirusTotal results: 0, 1, 2.\r\nAs I mentioned before, other PHP backdoors were present, for example:\r\nAfter some manual decoding, we end up with the following interesting line:\r\ngetenv(HTTP_X_UP_CALLING_LINE_ID);\r\nAnother example:\r\ngetenv(HTTP_X_NOKIA_ALIAS);\r\nThe \"x-headers\" HTTP_X_UP_CALLING_LINE_ID and HTTP_X_NOKIA_ALIAS are actually part of WML, the Wireless Markup Language.\r\nThus, this PHP backdoor seems specifically designed to target mobile users. I've put a copy of the script in the screenshot above on Pastebin as well:\r\nUnknown PHP backdoor\r\nDarryl from Kahu Security has written an excellent post on how to manually decode this kind of PHP obfuscation:\r\nDeobfuscating a Wicked-Looking Script\r\nIf you have any information on what kind of PHP backdoor this might be (if not generic), feel free to let me know.\r\nDisinfection\r\nWhat if your website's already been hacked and serving up malware to the unknowing visitor? Best practice is to simply take your website offline and restore from an earlier back-up. (Don't forget to verify that your back-up isn't infected as well!)\r\nIf that's not a possibility for whatever reason, you'll first need to find where any malicious code was injected (or created) on your website, or how it was infected in the first place.\r\nAn easy way would be to simply check all recently changed files on your web server. However, those dates can be altered. So what's a better alternative? You can comb over the files one by one, or you can use an online tool to check your website.\r\nA short overview:\r\nhttp://sitecheck.sucuri.net/\r\nYou can use Sucuri's SiteCheck to quickly spot if they detect any malware, see if you're blacklisted and, the most useful part in this case, check whether or not you have any outdated plugin or CMS running - as well as a list of links.\r\nhttp://aw-snap.info/file-viewer/\r\nUse Redleg's file viewer to easily see if any malicious iframes have been injected - you can even choose which Referrer and User Agent should be used (some malware requires you to visit the site via a specific Referrer or User Agent).\r\nhttp://www.rexswain.com/httpview.html\r\nUseful additional tool to Redleg's file viewer. Allows you to only fetch the headers of a website, or fetch both headers and content.\r\nhttp://jsunpack.jeek.org/\r\nExcellent tool in case any malicious JavaScript (iframe) is injected into any of your web server files. Less intuitive, but provides a great overview.\r\nhttp://urlquery.net/\r\nExcellent tool and more graphical as opposed to JSunpack - especially useful to see if any IDS was triggered, as well as JavaScript and HTTP transactions.\r\nhttps://www.virustotal.com/\r\nAs usual, VirusTotal is a great resource as well - it can pinpoint which antivirus (if any) is triggering an alert related to your website.\r\nhttps://hackertarget.com/wordpress-security-scan/\r\nOnline WordPress Security Scanner to test vulnerabilities of a WordPress installation. Checks include application security, WordPress plugins, hosting environment and web server.\r\nhttps://github.com/nbs-system/php-malware-finder\r\nNBS System's PHP Malware Finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malware/webshells.\r\nhttps://github.com/sullo/nikto\r\nNikto web server scanner.\r\nIf nothing is found using any of these tools, but you are still receiving reports from either blacklists (e.g. Google) or users, you'll have to manually go over all your files to see if any code was attached.\r\nIf you're hosting a web server yourself, you obviously know where you've installed it, so be sure to check in there. If you're not sure where it's installed, you may want to look in any of these default locations, if they exist:\r\nLinux:\r\n/var/www/\r\n/var/www/html\r\n/var/lib/tomcat7/webapps\r\nWindows:\r\nC:\\inetpub\r\nC:\\inetpub\\wwwroot\\\r\n...\r\nAnother method (and obviously not foolproof) is to copy over all your files to a Windows system and scan them with an antivirus. An example of such an antivirus, which works on both Linux and Windows, is ClamAV. I think you're starting to realize why back-ups are important.\r\nIf you had any outdated plugins running, chances are very high the backdoor or script was created/added in that specific directory. For example, for WordPress this is typically:\r\n/www/wp-content/plugins/\r\nYou can also install a plugin for your CMS which can scan your web server for any infected files. (Which is ironic, but might still do the trick should you not be able to find anything manually.)\r\nLast but not least: check your access logs! See any unauthorized (FTP) logins, for example? Take a look in any of these locations:\r\n/var/log/httpd\r\n/var/log/nginx\r\n/var/log/apache\r\n/var/log/apache2\r\nYou may also want to take a peek in:\r\n/var/log\r\nContact your hosting provider - they might be able to provide you with assistance.\r\nIf you're still stuck, feel free to shoot me an email or contact me on Twitter. Otherwise, contact one of X companies which can assist you in clean-up.\r\nDon't forget: after clean-up, reset all your passwords (and don't use the same for everything) and follow the prevention tips above, or you'll simply get infected again.\r\nAdditionally, always install relevant security patches or updates for your operating system if you are hosting the web server yourself.\r\nPrevention\r\nThis shouldn't need repeating, but I will repeat it just for good measure:\r\nCreate back-ups regularly! Yes, even for your website.\r\nKeep your CMS up-to-date; whether you use WordPress, Joomla, Drupal, ...\r\nKeep your installed plugins up-to-date. Remove any unnecessary plugins.\r\nUse strong passwords for your FTP account(s), as well as for your CMS/admin panel login.\r\nUse appropriate file permissions - meaning don't use 777 everywhere. (Seriously, don't.)\r\nDepending on how you manage your website - keep your operating system up-to-date and, if applicable, install and update antivirus software.\r\nConsider using a tool like Splunk to monitor your access logs.\r\nConsider installing a security plugin. For WordPress, you have a plugin called All In One WordPress Security which has a ton of options to better secure your website. Don't forget to keep this one up-to-date as well.\r\nMore (extended) tips can be found over at StopBadware:\r\nPreventing badware: Basics\r\nThere are also guides available on how to harden your specific CMS installation, for example:\r\nWordPress: Hardening WordPress\r\nJoomla: Security Checklist/Joomla! Setup\r\nDrupal: Writing secure code\r\nConclusion\r\nC99shell is obviously not dead and neither are other PHP backdoors - or any other malware for that matter.\r\nSecuring your website is not only beneficial for you, but also for your customers and other visitors. This blog post should have provided you with the essentials on securing your website and cleaning it up should it ever be infected.\r\nRepeating: best practice is to take your website offline and restore from a back-up.\r\nResources\r\nFor webmasters:\r\nStopBadware - My site has badware\r\nGoogle - If your site is infected\r\nRedleg - If you're having redirects (\"Google says my site is redirecting to a malicious or spam site.\")\r\nFor researchers:\r\nOnline JavaScript Beautifier - http://jsbeautifier.org/\r\nPHP Formatter - http://beta.phpformatter.com/\r\nKahu Security tools - http://www.kahusecurity.com/tools/\r\n(for this specific blog post, PHP Converter is a must-use and very effective tool)\r\nBase 64 Decoder - http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/\r\nThe above list is obviously my own personal flavor, feel free to leave a comment with your favorite tool.\r\nSource: https://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html"
	],
	"report_names": [
		"c99shell-not-dead.html"
	],
	"threat_actors": [
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438980,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5070154cd716d192d1c61a8ca7dc4088440b5841.pdf",
		"text": "https://archive.orkl.eu/5070154cd716d192d1c61a8ca7dc4088440b5841.txt",
		"img": "https://archive.orkl.eu/5070154cd716d192d1c61a8ca7dc4088440b5841.jpg"
	}
}