
Shell C99 Php For May 2026

Finding a C99 shell is only the first step. Proper remediation is essential to ensure the attacker hasn’t left multiple backdoors.

| What is c99? | A PHP-based backdoor that gives an attacker a GUI control panel for your server. |
| --- | --- |
| How does it get in? | Via vulnerable file uploads, SQL injection writing files, or outdated plugins. |
| What can it do? | Execute system commands, browse files, edit databases, send spam, launch DDoS attacks. |
| How to find it? | Search for c99, SafeMode, or eval(base64_decode( in PHP files. |
| How to stop it? | Disable dangerous PHP functions (exec, shell_exec, system, passthru). Store uploads outside web root. Use a Web Application Firewall (WAF). |

C99 is a notorious PHP-based web shell used to remotely manage web servers through a browser interface. Originally designed for administrative tasks, it is frequently used by attackers to maintain persistence on compromised systems.

🛡️ What is a C99 Shell?

It is a "backdoor" script written in PHP that, once uploaded to a server, provides a visual dashboard for various unauthorized actions:

File Management: Browse, edit, delete, or download any file on the server.

Command Execution: Run system-level terminal commands (like ls, cat, or whoami) directly from the web.

Database Access: Connect to and manipulate MySQL databases.

Information Gathering: View server OS details, IP addresses, and user permissions.

⚠️ Security Risks

Using or having a C99 shell on your server is a critical security risk:

Embedded Backdoors: Many versions of C99 found online are "backdoored" themselves, meaning the person who created the script can also access your server.

Detection: Most modern antivirus and web application firewalls (WAFs) easily detect C99 due to its well-known code patterns.

Legal/Ethical: Using these tools on systems you do not own or have explicit permission to test is illegal and unethical.

🔎 Detection and Removal

If you find a file named c99.php or similar on your server:

Isolate the Server: Take the site offline to prevent further damage.

Delete the File: Remove the script immediately.

Check for Persistence: Look for other uploaded scripts (like r57 or b374k) in subdirectories.

Audit Logs: Check access logs to find how the attacker uploaded the file (often through vulnerable plugins or file upload forms).
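
The indicators this page lists (the strings c99, SafeMode and eval(base64_decode(, plus file names such as c99, r57 and b374k) can be swept for across a web root during the persistence check. The following is an added example, not code from the original page; the function names, regexes, extension list and sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Content indicators named on this page; the regexes are this example's own choice.
CONTENT_PATTERNS = {
    "c99": re.compile(rb"c99", re.I),
    "SafeMode": re.compile(rb"SafeMode", re.I),
    "eval(base64_decode(": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
}
# File names of the shells the page mentions (c99, r57, b374k).
NAME_PATTERN = re.compile(r"(c99|r57|b374k)", re.I)
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")  # assumed PHP-handled extensions

def scan_webroot(root):
    """Return {relative_path: sorted indicator labels} for suspicious PHP files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            # A shell-like file name is an indicator on its own.
            hits = {"filename"} if NAME_PATTERN.search(name) else set()
            with open(path, "rb") as fh:
                data = fh.read()
            hits.update(label for label, rx in CONTENT_PATTERNS.items() if rx.search(data))
            if hits:
                findings[os.path.relpath(path, root)] = sorted(hits)
    return findings

def build_sample_tree(root):
    """Constructed sample web root: one benign file, two carrying only marker strings."""
    samples = {
        "index.php": b"<?php echo 'hello'; ?>",
        "uploads/avatar.php": b"<?php // constructed sample: eval( base64_decode( marker only ?>",
        "wp-content/cache/r57.php": b"<?php // constructed sample: SafeMode banner text ?>",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_webroot(tmp))
```

Hits are triage leads, not verdicts: a short string like c99 also matches benign content, and a shell that avoids these strings will not be flagged.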

If you are looking for legitimate ways to manage your server remotely, consider using SSH or a reputable control panel like cPanel or Plesk.


Maya had to act fast. The attacker was likely asleep (the traffic came from a timezone 7 hours ahead). She followed the Incident Response Playbook for c99 Shells:

PHP can interact with the shell through functions like exec(), shell_exec(), and system(). These allow PHP scripts to execute shell commands.
