*FOR RESEARCH* How Easy is it to find Webshells and basically have Root/Admin or User Level Access without “Hacking” Anything – PART 2

Sure enough, webshells were just as easy to find as DoS scripts on hacked webservers. The most common webshell I found was the C99 (or C999 or R57; modified by everyone, but the code is the same). I located 54 of those, and 21 had full root access, meaning people are still running Apache as root….shame shame. These webshells give you full access to the system (most are Linux boxes): from there you can access databases, deface websites, spawn command line access, sniff the network to hack into other servers, and just about anything else one can think of. The second most common shell I found was the Egy Spider Shell, which is actually password protected, so they stay active far longer because hundreds of kiddies aren't on them playing around. I have left the host names in for the Egy Spider Shell ones, so if someone wants to be a rat and notify the webmaster, by all means, it is at your discretion, but personally I'm not the tattletale type. So here are some shots from less than an hour's work:

Saudi shells (the first one didn't fully install; it still has some features, and the webserver is still vulnerable to a replacement shell)

[screenshot: saudi_r57]

Saudi shell – gets so much traffic someone is advertising on it, LOL

[screenshot: saudi]

Straight-up PHP backdoor by Jerem – usually used for initial access until a shell like C99 can be put on

[screenshot: php_backdoor1]

Another Jerem shell (they weren't too common)

[screenshot: php_backdoor]

This might have been my favorite find, a "Lolipop" shell by KingDefacer, just for its unique appearance – these are rare; it was actually the only one I found.

[screenshot: lolipop_1]
[screenshot: lolipop_2]

Here is the infamous EgY_Sp1der shell – I found loads of them but can't really tell you much about the GUI. I have the source code, and it has similar capabilities to the C99 shell, so it is very powerful.

[screenshot: egy_shell3]
[screenshot: egy_shell]
[screenshot: egy_shell2]

Now this one…it is called the Dhe Irawan shell, and I had never even heard of it. I found it by searching for the string

"MySQL: ON | MSSQL: ON | Oracle: OFF | Perl: ON | cURL: ON | WGet: ON", which I have seen many shells check for, and boom.

Using the hacker calling card hidden at the bottom, I have since found close to 1000 more! Quick Google shot below, which I have obfuscated:

[screenshot: Dhe_Iraewan_shell]
[screenshot: injection_shell]
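The banner string above is exactly the kind of thing a defender can search for on their own servers. As an added example (not code from the original post), here is a small Python scanner that walks a web root for PHP files carrying that banner or the shell family names the post mentions (C99/C999, R57, EgY_Sp1der), plus a check of `ps -eo user,comm` style output for web server processes running as root, the "shame shame" case from earlier in the post. The eval-over-decoder heuristic is a generic obfuscation pattern added here, not something the post describes; the file extension list, the process names, and the sample file and process listing are constructed for the demo.

```python
#!/usr/bin/env python3
"""Defender-side checks for two findings in the post: webshell files that can be
spotted by the strings they print, and a web server whose processes run as root.

Added example, not code from the original post. The marker strings come from the
post (the capability banner and the shell family names); the eval/decoder heuristic
is a generic obfuscation pattern added here. Paths, extension list, process names
and sample data are assumptions made for the demo."""
import os
import re

# Signature name -> compiled regex. The banner is the string the author searched for;
# the family names are the shells the post says it found most often.
SIGNATURES = {
    "capability-banner": re.compile(
        r"MySQL:\s*(?:ON|OFF)\s*\|\s*MSSQL:\s*(?:ON|OFF)\s*\|\s*Oracle:", re.I),
    "c99-family": re.compile(r"\bc99{1,2}(?:shell)?\b", re.I),  # c99 and c999
    "r57-family": re.compile(r"\br57(?:shell)?\b", re.I),
    "egy-spider": re.compile(r"EgY_Sp1der", re.I),
    # Generic obfuscation heuristic (not from the post): eval() wrapped around a decoder.
    "eval-decoder": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I),
}

# Assumed list of extensions the web server would hand to the PHP interpreter.
PHP_EXTS = (".php", ".phtml", ".php3", ".php4", ".php5", ".phps", ".inc")


def scan_text(text):
    """Return the sorted names of every signature that matches the file contents."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def scan_tree(root):
    """Walk a web root and map each PHP-like file to the signatures it matched.
    Files with no hits are left out of the result."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(PHP_EXTS):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if found:
                hits[path] = found
    return hits


# Assumed process names for common web servers / PHP runners.
WEB_SERVER_NAMES = {"apache2", "httpd", "nginx", "php-fpm", "lighttpd"}


def root_web_processes(ps_lines):
    """Given lines shaped like `ps -eo user,comm` output, count the web server
    processes owned by root, keyed by command name. One root-owned master process
    is normal (it binds port 80/443); several root-owned workers mean requests,
    and therefore any webshell, run with full root access."""
    counts = {}
    for line in ps_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        user, comm = parts[0], parts[1]
        if user == "root" and comm in WEB_SERVER_NAMES:
            counts[comm] = counts.get(comm, 0) + 1
    return counts


# Constructed samples for the demo: not real shells, not a real process listing.
SAMPLE_BENIGN = "<?php echo 'Hello, world'; ?>"
SAMPLE_SUSPECT = (
    "<?php\n"
    "// constructed: carries only the banner text the post searched for, no shell logic\n"
    "echo 'MySQL: ON | MSSQL: ON | Oracle: OFF | Perl: ON | cURL: ON | WGet: ON';\n"
)
SAMPLE_PS = [
    "USER     COMMAND",
    "root     apache2",   # master process: expected
    "root     apache2",   # workers as root: the case the post complains about
    "root     apache2",
    "www-data php-fpm",
    "root     sshd",
]

if __name__ == "__main__":
    import sys
    web_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in scan_tree(web_root).items():
        print(f"{path}: {', '.join(found)}")
    print("root-owned web processes:", root_web_processes(SAMPLE_PS))
```

Treat hits as leads, not verdicts: the family-name patterns will flag any file that merely mentions c99 or r57 (a saved copy of a blog post like this one, for instance), so compare flagged files against a known-good checkout of the site before acting. For the process check, feed it real `ps -eo user,comm` output; a single root-owned apache2 or httpd entry is the normal master process, while a pile of them means the workers were never dropped to an unprivileged user.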

Here are your standard C99 shells – there are more than I could have ever imagined, with lots of variants, so I'll only post a few.

[screenshot: c994]
[screenshot: c993]
[screenshot: c992]
[screenshot: c99]

See the Part 3 post for Google dorking these things, for RESEARCH ONLY – http://www.computersecurity.org/cyber-security-training-learning-videos/web-application-attacks-website-app-attack/webshells/for-research-how-easy-is-it-to-find-webshells-and-basically-have-rootadmin-or-user-level-access-without-hacking-anything-part-3/
