Sure enough, webshells were just as easy to find as DoS scripts on hacked webservers. The most common webshell that I found was the C99 or C999 or R57 (modified by everyone), but the code is the same. I located 54 of those; 21 had full root access, meaning people are still running Apache as root… shame, shame. These webshells give you full access to the systems (most Linux boxes), from where you can access databases, deface websites, spawn command line access, sniff the network to hack into other servers and just about anything one can think of. The second most common shell I found was the Egy Spider Shell, which is actually password protected, so they stay active far longer as hundreds of kiddies aren’t on them playing around. I have left the host names in for the Egy Spider Shell ones, so if someone wants to be a rat and notify the webmaster, by all means, it is at your discretion, but personally I’m not the tattletale type. So here are some shots from less than an hour’s work:
Saudi Shells (First one didn’t fully install, still has some features and webserver still vulnerable for replacement shell)
Saudi Shell – Gets so much traffic someone is advertising on it LOL
Straight up PHP Backdoor by Jerem – usually used for initial access until a shell like C99 can be put on
Another Jerem Shell (they weren’t too common)
This might have been my favorite find, a “Lolipop” Shell by KingDefacer just for its unique appearance – these are rare, actually the only one I found.
Here is the infamous EgY_Sp1der Shell – I found loads of them but can’t really tell you much about the GUI. I have the source code and it has similar capabilities to the C99 shell, so it is very powerful.
Now this one… It is called Dhe Irawan Shell, which I had never even heard of. I found it by searching for the string
“MySQL: ON | MSSQL: ON | Oracle: OFF | Perl: ON | cURL: ON | WGet: ON”, which I have seen many shells check for, and boom.
Using the hacker calling card hidden in the bottom I have since found close to 1000 more! Quick Google shot below, which I have obfuscated:
Here are your standard C99 shells – there are more than I could have ever imagined, with lots of variants, so I’ll only post a few.
See post for Google dorking these things for RESEARCH ONLY – http://www.computersecurity.org/cyber-security-training-learning-videos/web-application-attacks-website-app-attack/webshells/for-research-how-easy-is-it-to-find-webshells-and-basically-have-rootadmin-or-user-level-access-without-hacking-anything-part-3/
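The same string search works from the defending side. The following is an added example, not code from the original post: it walks a document root you administer and flags PHP files that carry the capability-banner labels quoted above or the shell names mentioned in the post. The label threshold, extension list, name patterns and sample files are assumptions made for the example.

```python
import os
import re
import tempfile

# Labels from the banner quoted in the post. Assumption: a shell that prints
# this banner carries the labels as literals ("MySQL:") in its source.
BANNER_LABELS = ("MySQL", "MSSQL", "Oracle", "Perl", "cURL", "WGet")
# Shell names mentioned in the post, matched loosely (spacing/leet vary).
NAME_PATTERNS = {
    "c99": re.compile(r"c99+\s*shell", re.I),
    "r57": re.compile(r"r57\s*shell", re.I),
    "egy_spider": re.compile(r"egy[ _]?sp[i1]der", re.I),
    "dhe_irawan": re.compile(r"dhe\s*irawan", re.I),
}
SCRIPT_EXT = (".php", ".phtml", ".php5", ".inc")  # assumed handler extensions
MIN_LABELS = 4  # hypothetical threshold: one or two labels is normal app code

def scan_text(text):
    """Return the reasons a source text looks like one of these webshells."""
    labels = [lab for lab in BANNER_LABELS
              if re.search(r"\b%s\s*:" % re.escape(lab), text, re.I)]
    reasons = []
    if len(labels) >= MIN_LABELS:
        reasons.append("capability banner: " + ",".join(labels))
    return reasons + ["name: " + n for n, p in NAME_PATTERNS.items() if p.search(text)]

def scan_webroot(root):
    """Walk a document root and map relative path -> list of reasons."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(SCRIPT_EXT)):
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                reasons = scan_text(fh.read(2_000_000))  # cap bytes read per file
            if reasons:
                hits[os.path.relpath(path, root)] = reasons
    return hits

def demo():
    """Scan a constructed tree: one benign file, one banner-printing file."""
    samples = {"index.php": "<?php echo 'Powered by MySQL: fast'; ?>",
               "img/x.php": "<?php echo 'MySQL: ON | MSSQL: ON | Perl: ON | cURL: OFF'; ?>"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return scan_webroot(root)
```

Shells that are base64-packed or otherwise obfuscated will not match literal strings, so treat hits as leads for manual review and pair the scan with file-integrity monitoring of the web root.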