Hacked with c999 shell

Posted by amax

Hi All, I was wondering, does anyone have any info on how to remove the c999 shell from a hacked Drupal install? The hacker was able to upload a file through an old Drupal 6 website which installed this shell in some way. The script that did this was uploaded from the /files/images/ directory. We have upgraded the whole website (core and third party modules) and have it running on a local system now again. However, when browsing some pages, e.g. http://localhost/mysite/?q=content/my-page-2011, it still seems to present the shell interface on the local copy (only loads, doesn't seem active). This c999 seems like a serious hackers' tool and there appears to be barely any info on the web about it. Has anyone ever come across this before?

Comments

I'm sorry that I haven't

Posted by msathesh

I'm sorry that I haven't faced a similar situation before. How did you go with that cleaning? Please share it here so that others can also know.

The hacker was able to upload

Posted by greggles

"The hacker was able to upload a file through an old Drupal 6 website which installed this shell in some way"

Are you sure about that? Do you have apache logs that show it or something?

My experience is that file uploads are caused by viruses on a computer of someone who administers the site, a vulnerability in a different site on the server, or a compromised account on the server.

C99 is a powerful hacker tool. It's even more dangerous on a typical shared hosting environment where a user with it can easily alter all files in your site.
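greggles asks whether the Apache logs actually show the upload. One concrete way to answer that is to scan the access log for requests to executable files under the site's public files directory, where only static uploads belong. The script below is an added example for this thread, not code from either poster: it parses Apache combined-format log lines, strips query strings, flags any request whose path lies under /files/ and ends in a server-executable extension, and summarises which client addresses reached the file and when. The sample log lines, the /mysite/ and /files/ prefixes and the file name c999.php are constructed for the example.

```python
"""Scan Apache combined-format access logs for requests to script files
under a Drupal site's public files directory. Added example for this
thread; the log lines and paths below are constructed, not real data."""
import re
from urllib.parse import urlsplit

# Apache "combined" log format, e.g.
# 1.2.3.4 - - [12/Mar/2011:10:14:02 +0000] "GET /path HTTP/1.1" 200 512 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions the web server may execute; none of them belong in files/.
SCRIPT_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar", ".pl", ".cgi")

# Constructed sample log (hypothetical client addresses and file name).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2011:10:14:02 +0000] "GET /mysite/?q=content/my-page-2011 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2011:10:15:47 +0000] "GET /mysite/files/images/logo.png HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2011:10:15:50 +0000] "GET /mysite/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2011:10:16:31 +0000] "GET /mysite/files/images/c999.php?p=1 HTTP/1.1" 200 40123 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2011:10:17:02 +0000] "POST /mysite/files/images/c999.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string so "shell.php?p=1" is judged on its path alone.
    rec["path"] = urlsplit(rec["target"]).path
    rec["status"] = int(rec["status"])
    return rec


def is_script_under_files(path, files_dir="/files/"):
    """True if path lies under the files directory and has a script extension."""
    lower = path.lower()
    return files_dir in lower and lower.endswith(SCRIPT_EXTS)


def find_script_hits(log_text, files_dir="/files/"):
    """All parsed requests for executable files inside the upload directory."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_script_under_files(rec["path"], files_dir):
            # A 200 means the server served (and, for PHP, executed) the file.
            rec["served"] = rec["status"] == 200
            hits.append(rec)
    return hits


def summarize(hits):
    """Per-IP request count and first timestamp: who reached the file, and when."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["ip"], {"count": 0, "first_seen": h["ts"]})
        entry["count"] += 1
    return summary


if __name__ == "__main__":
    found = find_script_hits(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["method"], h["path"], "served" if h["served"] else h["status"])
    print(summarize(found))
```

Run it against a real log with `find_script_hits(open("access.log").read())`; the first timestamp per address gives the earliest point at which the file was reachable, which is the place to start looking backwards for the request that created it (and, as greggles notes, for an upload path that may not be Drupal at all).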