TL:DR – I noticed someone attempt to use access a file called c99.php on one of my websites. It was blocked by the server, but I wanted to know more. ChatGPT explained that it was a hacking tool.
I was seeing some unusual activity in the logs for one of my websites, so I gave this prompt to ChatGPT, the language model, to see if it could offer an explanation:
You are to act as a web and programming expert with experience of PHP, WordPress, MySQL, and Apache. I noticed a visit to my site that was attempting to open a file called c99.php, is that file a hacking “backdoor” of some sort. It does not appear to exist on my server and if I try to open it, I get the following message in my web browser “This site can’t be reached, site unexpectedly closed the connection.”
Yes, c99.php is a commonly used backdoor file by hackers. It is usually uploaded to a vulnerable website to provide remote access and control to the hacker. The file name c99.php is derived from the popular web shell called “c99 shell”. This shell provides an easy-to-use interface for a hacker to access and manipulate files, databases, and other resources on the compromised server.
If you have noticed a request for c99.php on your website, it is likely that your website is being targeted by hackers. However, it’s good to note that this does not necessarily mean your site has already been compromised. It is possible that the hacker was simply scanning your site for vulnerabilities.
If the file does not exist on your server and you are unable to access it, it’s possible that your server’s security measures are preventing it from being uploaded or accessed. It is recommended that you take additional security measures to protect your website and server, such as regularly updating your software, using strong passwords, and implementing security plugins. It’s also a good idea to review your server logs to identify any suspicious activity and to report it to your hosting provider.
I then asked ChatGPT for advice on securing my site:
If you have identified any suspicious files on your server or if you suspect that your server has been compromised, it is important to take immediate action to secure your website and server. Here are some steps you can take to secure your server:
- Update your software: Make sure that your website software, including the CMS (e.g., WordPress), plugins, and themes, are up-to-date with the latest security patches. This will help to close any known vulnerabilities that could be exploited by hackers.
- Use strong passwords: Ensure that you and your users are using strong passwords that are not easy to guess. Use a mix of uppercase and lowercase letters, numbers, and symbols, and avoid using the same password across multiple accounts.
- Install security plugins: Install a security plugin such as Wordfence or Sucuri to monitor your website for suspicious activity, block malicious IPs, and detect and remove malware.
- Backup your data: Regularly backup your website files and databases so that you can restore your website quickly in case of a security breach or data loss.
- Limit user access: Only grant access to users who need it, and make sure that each user has the appropriate level of access. Use strong passwords, and consider implementing two-factor authentication for additional security.
- Use HTTPS: Enable HTTPS on your website to encrypt data transmitted between your website and users, preventing sensitive information from being intercepted by hackers.
- Contact your hosting provider: If you suspect that your server has been compromised, contact your hosting provider immediately. They may be able to help you identify and resolve the issue.
Given that all such security recommendations was already implemented on the WordPress side, I asked what might be done at teh server level via cPanel:
- Keep your cPanel account secure: Use strong passwords, and avoid using the same password across multiple accounts. Enable two-factor authentication if available. Also, make sure to log out of your cPanel account when you’re finished.
- Use an SSL certificate: Install an SSL certificate on your website to encrypt data transmitted between your website and users. This will help to prevent sensitive information from being intercepted by hackers.
- Monitor server logs: Check your server logs regularly to identify any suspicious activity. You can use tools such as AWStats or Webalizer to analyze your server logs and get insights into your website traffic.
- Enable ModSecurity: ModSecurity is a web application firewall that can help protect your website from common web-based attacks. It’s available in cPanel, and you can enable it under the “Security” section.
- Disable unused services: Disable any unused services in cPanel to reduce the attack surface of your server. For example, if you’re not using FTP, disable the FTP service.
- Install antivirus software: Install antivirus software on your server to scan for and remove any malware or viruses. There are several antivirus solutions available for cPanel, such as ClamAV.
- Backup your data: Regularly backup your website files and databases so that you can restore your website quickly in case of a security breach or data loss.
These are just a few suggestions for improving the security of your website and server. It’s important to note that some of these steps may require root access to the server, which may not be available on a shared hosting plan. However, your hosting provider may offer additional security features that you can take advantage of. It’s always a good idea to check with your hosting provider for specific recommendations on how to secure your server.