The C99Shell (and its derivatives) can be devastating. The reason I am posting this is because it is another great example of a Remote Access Trojan (RAT), one which I didn't mention in the CompTIA Security+ SYO-201 Cert Guide.

One of my associate's websites was hacked into. He contacted me to see if I knew anything about a Web Shell. He had found that name within the syntax of one of the "new" files on his web server.

What is it? These web shells are programs that an attacker installs on the web server and then uses to remotely access and reconfigure the server without the owner's consent. They are remote access Trojans, but are also referred to as backdoors, since they offer the attacker an alternative way of accessing the website.

How it got there: Most likely, the hacker stole my associate's FTP password. Once the hacker had the password, it was just a matter of uploading the shell. Then the hacker could log in through the new web shell and do just about anything they wanted to the web server.

Why the web hosting company didn't notice: Many of these web shells allow the operator to access them through a proxy, thus hiding the location of the operator. Also, the shell can be bound to specific ports, and its code is often obfuscated or encoded and its traffic encrypted, so casual inspection and simple signature scans miss it.

What were my recommendations to my associate? First, I told him to increase password security for all important FTP accounts. I recommended making the passwords as complex as the web server would allow. Then, I recommended removing any unnecessary FTP accounts. Next, I recommended deleting the original RAT files and running a full scan of the system, or restoring from an older backup. Finally, I recommended that my associate verify his web host's scanning techniques, or scan his web files himself. I insisted that the host (or he) should be checking for web shells of this nature. This can be done by scanning files for particular lines of code (for example, calls that execute shell commands or evaluate decoded payloads), or by simply scanning them for the names they often go by, which can be found within the first few lines of code. Comparing the web root against a known-good backup and looking for recently modified or unexpected files is a useful cross-check, since a shell that has been renamed or encoded can slip past a name-only scan.

Here's a link to some more information about one of these types of RATs, the C99 Shell:

This type of shell is usually written in PHP. Here's a link to an example of the code from a similar version called the Web Shell by Orb:
Copyright © 2012 David L. Prowse – Official Website - All Rights
Reserved