How to find c99 shell script hacked files

c99 Shell Scripts are one of the main headache for almost all cPanel server administrators even though they use mod_security and all.

The c99 php (Hypertext Preprocessor) shell script is an awesome piece of hacking script. The only limitation of it being that it needs an unsecured uploader in order to get it uploaded and then the execution part is a piece of cake.

This c99 shell allows an attacker to hijack the web server process, allowing the attacker to issue commands, force brute etc on the server as the account under which PHP is running. The interface of this shell script is very user friendly, something not so much associated with hackers. Hackers are known to write either ugly looking interface codes or none interface at all, but this piece of code is very different, it may be called something which as been done very aesthetically.

How to find c99 shell script hacked files?  Use the following shell script to scan hacked php files in cpanel.


and paste the following script.

cd /root
echo >> c99result.txt
for j in `ls /var/cpanel/users`
echo "Scanning user: $j"
cd /home/$j
find /home/$j -iname '*.php' > /root/c99list
for i in `cat /root/c99list`
result=$( perl -e 'alarm shift @ARGV; exec @ARGV' 10 php -q $i | grep -Eie '-rw-r--r--|drwxr-xr-x|drwxrwxrwx|-rw-r-xr-x|-rwxrwxrwx|-rw-rw-rw-|-rwx------')
if [ $? -eq 0 ]; then
echo "Possible Shell Script found on $i" >> /root/c99result.txt

echo "Completed processing $j" >> /root/c99result.txt

Save and Exit.

Run this shell script to scan hacked files.

root@server1 [~]# ./


Once scanning process completed, check report file /root/c99result.txt.

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

Heartbleed vulnerability in OpenSSL

This Heartbleed vulnerability allows an attacker to read 64 kilobyte chunks of...

Enable NAT behind the cpanel

How to enable NAT behind the cpanel ? Most of webhosting providers currently used NAT service...

How to prevent user creating certain domains

How to prevent user creating certain domains You can use cPanel & WHM to prevent users...

Enable SSH and WHM login Alert emails

We can enable SSH and WHM login alerts to your email accounts. For security reason, it is...

Email server troubleshooting

Email / Exim server troubleshooting techniques. You can use the following email server...