c99 shell scripts are one of the main headaches for almost all cPanel server administrators, even on servers that run mod_security.
The c99 PHP (Hypertext Preprocessor) shell is a remarkably polished piece of attack tooling. Its only limitation is that it needs an insecure file uploader on the target in order to get onto the server; once uploaded, executing it is trivial.
Once running, the c99 shell lets an attacker hijack the web server process: issue commands, run brute-force attempts and so on, all as the account under which PHP is running. Its interface is very user friendly, which is not something usually associated with attacker tooling. Such tools are known for either an ugly interface or no interface at all, but this piece of code is very different; it has clearly been built with a great deal of attention to aesthetics.
How do you find files planted by the c99 shell? Use the following shell script to scan the PHP files of every cPanel account on the server.
Create the file scanfiles.sh under /root (the name used in the run command below) and paste the following script into it.
#!/bin/sh
# Scan every cPanel account's PHP files for the c99 shell. Each file is run
# through the PHP CLI under a 10 second alarm (-q only suppresses HTTP headers;
# the file really is executed, as the user running this script) and its output
# is checked for the permission strings that the c99 directory listing prints.
cd /root
echo >> c99result.txt
for j in $(ls /var/cpanel/users)
do
  echo "Scanning user: $j"
  cd "/home/$j" || continue
  find "/home/$j" -iname '*.php' > /root/c99list
  # Read the list line by line so paths containing spaces are not split.
  while IFS= read -r i
  do
    if perl -e 'alarm shift @ARGV; exec @ARGV' 10 php -q "$i" 2>/dev/null \
       | grep -qEi -e '-rw-r--r--|drwxr-xr-x|drwxrwxrwx|-rw-r-xr-x|-rwxrwxrwx|-rw-rw-rw-|-rwx------'
    then
      echo "Possible Shell Script found on $i" >> /root/c99result.txt
    fi
  done < /root/c99list
  echo "Completed processing $j" >> /root/c99result.txt
done
Save and Exit.
Run the script to start the scan:
root@server1 [~]# ./scanfiles.sh
Once the scan has completed, check the report file /root/c99result.txt.
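As an added example (not from the original post), here is a static alternative to executing every PHP file with php -q: it greps each file for c99 indicator strings, so the suspect file is never run during the scan and paths with spaces are handled. The indicator list and the sample account tree are constructed here; the c99sh_ prefix is the variable prefix used throughout c99 shell source, and the eval() patterns are generic obfuscated-loader signatures.

```shell
#!/bin/sh
# Added example, not part of the original post: a static scan for c99-style
# webshell indicators that reads each .php file with grep instead of executing
# it with `php -q`, so a planted file is never run on the server while scanning.
# The indicator strings are ones found in c99 shell source ("c99sh_" is the
# variable prefix the shell uses throughout); the sample tree below is constructed.

# Extended-regex indicators, matched case-insensitively. The two eval() patterns
# catch obfuscated loaders that frequently wrap shells such as c99.
C99_PATTERNS='c99sh_|c99shell|eval\(base64_decode\(|eval\(gzinflate\('

# is_suspicious FILE: exit 0 if FILE contains an indicator, 1 otherwise.
# -I treats binary files as non-matching so image uploads are skipped quickly.
is_suspicious() {
    grep -qEiI "$C99_PATTERNS" "$1"
}

# scan_tree DIR: print the path of every *.php file under DIR that matches.
# find passes the paths as arguments, so names with spaces are not split.
scan_tree() {
    find "$1" -type f -iname '*.php' -exec grep -lEiI "$C99_PATTERNS" {} +
}

# make_samples: build a constructed account tree (one benign file, one file
# carrying a c99 variable name, one obfuscated loader) and print its path.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/public_html/images/user uploads"
    printf '<?php echo "hello"; ?>\n' > "$d/public_html/index.php"
    printf '<?php $c99sh_sourcesurl = "http://example.invalid/"; ?>\n' \
        > "$d/public_html/images/user uploads/thumb.php"
    printf '<?php eval(base64_decode("Li4u")); ?>\n' > "$d/public_html/x.php"
    echo "$d"
}

# Demonstration run: scan the constructed tree and write one report line per hit.
sample=$(make_samples)
report="$sample/c99result.txt"
scan_tree "$sample" | while IFS= read -r f; do
    echo "Possible Shell Script found on $f" >> "$report"
done
cat "$report"
rm -rf "$sample"
```

On a real server, point scan_tree at /home/<user>/public_html for each account and review every hit by hand; a static indicator match is a lead, not proof.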