You'll get a TON of results, and odds are the first one you'll hit is this one: http://lectures.princeton.edu/?cat=17. So I'll give you a quick hint as to what you're looking at.
As people awake to find their web-servers hacked up, this little gem is repeatedly there and found to be running in place of the expected web pages... interesting! So you may ask - what exactly is c99madshell?
Apparently this gem is being used to hack into WordPress blogs and inject pages upon pages of SPAM which then becomes indexed or simply pointed to for mass-mail spam. Interesting!
Reading along, I found a post that a person wrote up which describes the attack in some detail, here. A great write-up - but it still doesn't quite explain the vulnerability which led to the injection of the trojan code. Digging a little deeper, I found a post on Derek Fountain's blog which very nicely details the attack, with some of the code behind c99MadShell analyzed. To quote Derek... "You have to remember as you read this that PHP is a full featured scripting language which provides access to files, sockets, databases and all other system level resources." Right on. So making use of this little gem requires 2 things: first, you have to be able to upload a file to where you can call it with a browser; second, your target has to have PHP installed and working. After that, you're relying on lax directory permissions and common poor configuration to make things fun.
Derek's write-up gives a resounding "configure your servers correctly" echo... much like we've all heard forever now - but with a slight twist. Let's outline some things that can protect you from attack scripts like this taking over your box and making nasties run all over your system:
- Don't allow arbitrary file uploads (hello, McFly?)
- Run your web-server process as "nobody" or some other unprivileged user
- Run PHP in SAFE MODE if using PHP version <6.0.0!
- Ensure proper file and directory permissions (rwx?)
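
To make the permissions point concrete, here is an added example (not from Derek's write-up or any of the linked posts) that audits a web root for the conditions described above: directories writable by group or other, and PHP files sitting inside them. The extension list, the function names and the sample tree are assumptions made for illustration.

```python
import os
import stat
import sys
import tempfile

# Extensions assumed to be mapped to the PHP handler; adjust to your server config.
PHP_EXTS = (".php", ".phtml", ".php5")

def audit_docroot(docroot):
    """Report directories writable by group/other, PHP files inside them,
    and world-writable files anywhere under docroot (paths relative to it)."""
    found = {"writable_dirs": [], "php_in_writable_dirs": [], "world_writable_files": []}
    for dirpath, _dirs, files in os.walk(docroot):
        dir_mode = os.lstat(dirpath).st_mode
        dir_writable = bool(dir_mode & (stat.S_IWGRP | stat.S_IWOTH))
        if dir_writable:
            found["writable_dirs"].append(os.path.relpath(dirpath, docroot))
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            rel = os.path.relpath(path, docroot)
            if st.st_mode & stat.S_IWOTH:
                found["world_writable_files"].append(rel)
            # A script in a directory others can write to may not be yours.
            if dir_writable and name.lower().endswith(PHP_EXTS):
                found["php_in_writable_dirs"].append(rel)
    return {key: sorted(val) for key, val in found.items()}

def build_sample_tree(root):
    """Constructed sample: index.php in a 0755 root plus a 0777 uploads/ directory."""
    os.chmod(root, 0o755)
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)
    samples = (("index.php", 0o644), ("uploads/photo.jpg", 0o644),
               ("uploads/dropped.php", 0o666))
    for rel, mode in samples:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample file\n")
        os.chmod(path, mode)

if __name__ == "__main__":
    # Audit the path given on the command line, or the constructed sample tree.
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        target = tempfile.mkdtemp()
        build_sample_tree(target)
    for kind, paths in audit_docroot(target).items():
        print(kind, paths)
```

Anything listed under `php_in_writable_dirs` deserves a manual look: either the script belongs elsewhere, or the directory should not be writable by the web-server user.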