Figure 6. A screenshot of the c99 PHP shell
The c99 PHP utility provides functionality for listing files, brute-forcing FTP passwords, updating itself, executing shell commands and PHP code. It also provides for connecting to MySQL databases, and initiating a connect-back shell session. In many ways it can be considered the web equivalent of the rootkits that successful attackers often download. In other ways it is the malware equivalent of PHPShell itself. c99 is often one of the utility programs that is either downloaded if a web server is vulnerable due to being misconfigured, or can be used in a remote file include attack to try and execute shell commands on a vulnerable server. Figure 6 provides a screenshot of the c99 PHP shell running on a web server.
There are similar programs such the r57 shell which have equivalent functionality allowing the attacker to view files and directories, execute shell commands and some also have database integration. This allows an attacker to connect to MySQL, postgresql or other databases if they can guess a username and password which has access. Other 'helper' programs are very simple and only provide functionality to execute shell commands.