Web shell explained
A web shell is a shell-like interface that enables a web server to be remotely accessed, often for the purposes of cyberattacks.[1] A web shell is unique in that a web browser is used to interact with it.[2] [3]
A web shell could be programmed in any programming language that is supported on a server. Web shells are most commonly written in PHP due to the widespread usage of PHP for web applications. Though Active Server Pages, ASP.NET, Python, Perl, Ruby, and Unix shell scripts are also used.[1] [2] [3]
Using network monitoring tools, an attacker can find vulnerabilities that can potentially allow delivery of a web shell. These vulnerabilities are often present in applications that are run on a web server.[2]
An attacker can use a web shell to issue shell commands, perform privilege escalation on the web server, and the ability to upload, delete, download, and execute files to and from the web server.[2]
General usage
Web shells are used in attacks mostly because they are multi-purpose and difficult to detect.[4] They are commonly used for:
- Data theft[4]
- Infecting website visitors (watering hole attacks)[5]
- Website defacement by modifying files with a malicious intent
- Launch distributed denial-of-service (DDoS) attacks[2]
- To relay commands inside the network which is inaccessible over the Internet[2]
- To use as command and control base, for example as a bot in a botnet system or in way to compromise the security of additional external networks.[2]
Web shells give hackers the ability to steal information, corrupt data, and upload malwares that are more damaging to a system. The issue increasingly escalates when hackers employ compromised servers to infiltrate a system and jeopardize additional machines. Web shells are also a way that malicious individuals target a variety of industries, including government, financial, and defense through cyber espionage. One of the very well known web shells used in this manner is known as “China Chopper.”[6]
Delivery of web shells
Web shells are installed through vulnerabilities in web application or weak server security configuration including the following:[2] [4]
An attacker may also modify (spoof) the Content-Type
header to be sent by the attacker in a file upload to bypass improper file validation (validation using MIME type sent by the client), which will result in a successful upload of the attacker's shell.
Example
The following is a simple example of a web shell written in PHP that executes and outputs the result of a shell command:
=`$_GET[x]`?>
Assuming the filename is example.php
, an example that would output the contents of the [[Passwd#Password file|/etc/passwd]]
file is shown below:
https://example.com/example.php?x=cat%20%2Fetc%2Fpasswd
The above request will take the value of the x
parameter of the query string, sending the following shell command:
cat /etc/passwd
This could have been prevented if the shell functions of PHP were disabled so that arbitrary shell commands cannot be executed from PHP.
Prevention and mitigation
A web shell is usually installed by taking advantage of vulnerabilities present in the web server's software. That is why removal of these vulnerabilities is important to avoid the potential risk of a compromised web server.
The following are security measures for preventing the installation of a web shell:[2] [3]
Detection
Web shells can be easily modified, so it's not easy to detect web shells and antivirus software are often not able to detect web shells.[2] [9] The following are common indicators that a web shell is present on a web server:[2] [3]
- Abnormal high web server usage (due to heavy downloading and uploading by the attacker);[2] [9]
- Files with an abnormal timestamp (e.g. newer than the last modification date);[9]
- Unknown files in a web server;
- Files having dubious references, for example,
cmd.exe
or [[eval]]
;
- Unknown connections in the logs of web server
For example, a file generating suspicious traffic (e.g. a PNG file requesting with POST parameters).[10] [11] [12] Dubious logins from DMZ servers to internal sub-nets and vice versa.
Web shells may also contain a login form, which is often disguised as an error page.[2] [13] [14] [15]
Using web shells, adversaries can modify the .htaccess file (on servers running the Apache HTTP Server software) on web servers to redirect search engine requests to the web page with malware or spam. Often web shells detect the user-agent and the content presented to the search engine spider is different from that presented to the user's browser. To find a web shell a user-agent change of the crawler bot is usually required. Once the web shell is identified, it can be deleted easily.[2]
Analyzing the web server's log could specify the exact location of the web shell. Legitimate users/visitor usually have different user-agents and referers, on the other hand, a web shell is usually only visited by the attacker, therefore have very few variants of user-agent strings.[2]
See also
Notes and References
- Web site: How can web shells be used to exploit security tools and servers?. SearchSecurity. 2018-12-21. https://web.archive.org/web/20190328065900/https://searchsecurity.techtarget.com/answer/How-can-web-shells-be-used-to-exploit-security-tools-and-servers. 2019-03-28. live.
- Web site: Web Shells – Threat Awareness and Guidance. US Department of Homeland Security. www.us-cert.gov. 9 August 2017 . 20 December 2018. https://web.archive.org/web/20190113062745/https://www.us-cert.gov/ncas/alerts/TA15-314A. 13 January 2019. live.
- Web site: What is a Web shell?. admin. 3 August 2017. malware.expert. 20 December 2018. https://web.archive.org/web/20190113003907/https://malware.expert/general/what-is-a-web-shell/. 13 January 2019. live.
- Web site: Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors – US-CERT. www.us-cert.gov. 16 March 2018 . 20 December 2018. https://web.archive.org/web/20181220172706/https://www.us-cert.gov/ncas/alerts/TA18-074A. 20 December 2018. live.
- Web site: The Definitive Guide about Backdoor Attacks - What are WebShell BackDoors. Makis MourelatosWordPress Security Engineer at FixMyWPWC Athens 2016. co-organizer. W. P.. Support. Security. Aficionado. Wannabe. Kitesurfer. 16 October 2017. fixmywp.com. 20 December 2018. https://web.archive.org/web/20190113003929/https://fixmywp.com/security/what-are-web-shell-backdoors.php. 13 January 2019. live.
- Hannousse . Abdelhakim . Yahiouche . Salima . 2021-09-01 . Handling webshell attacks: A systematic mapping and survey . Computers & Security . 108 . 102366 . 10.1016/j.cose.2021.102366 . 0167-4048.
- Web site: Got WordPress? PHP C99 Webshell Attacks Increasing. 14 April 2016. 21 December 2018. https://web.archive.org/web/20181229190535/https://securityintelligence.com/got-wordpress-php-c99-webshell-attacks-increasing/. 29 December 2018. live.
- Web site: Equifax breach was 'entirely preventable' had it used basic security measures, says House report. 10 December 2018 . 21 December 2018. https://web.archive.org/web/20181220232937/https://techcrunch.com/2018/12/10/equifax-breach-preventable-house-oversight-report/. 20 December 2018. live.
- Web site: Breaking Down the China Chopper Web Shell - Part I « Breaking Down the China Chopper Web Shell - Part I. FireEye. 20 December 2018. https://web.archive.org/web/20190113182308/https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html. 13 January 2019. live.
- Web site: Intrusion Detection and Prevention Systems . 2018-12-22 . https://web.archive.org/web/20190113003930/https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=901146 . 2019-01-13 . live .
- Web site: Five signs an attacker is already in your network. Kasey Cross, Senior Product Manager. LightCyber. 16 June 2016. Network World. 22 December 2018. https://web.archive.org/web/20190113003925/https://www.networkworld.com/article/3085141/network-security/five-signs-an-attacker-is-already-in-your-network.html. 13 January 2019. live.
- Web site: Traffic Analysis for Network Security: Two Approaches for Going Beyond Network Flow Data . 15 September 2016 . 2018-12-22 . https://web.archive.org/web/20161114084537/https://insights.sei.cmu.edu/sei_blog/2016/09/traffic-analysis-for-network-security-two-approaches-for-going-beyond-network-flow-data.html . 2016-11-14 . live .
- Web site: Hackers Hiding Web Shell Logins in Fake HTTP Error Pages. BleepingComputer. 21 December 2018. https://web.archive.org/web/20180726011308/https://www.bleepingcomputer.com/news/security/hackers-hiding-web-shell-logins-in-fake-http-error-pages/. 26 July 2018. live.
- Web site: Hackers Hiding Web Shell Logins in Fake HTTP Error Pages. 24 July 2018. ThreatRavens. 17 February 2019. https://web.archive.org/web/20190113062731/https://threatravens.com/hackers-hiding-web-shell-logins-in-fake-http-error-pages/. 13 January 2019. live.
- Web site: Hackers Hiding Web Shell Logins in Fake HTTP Error Pages. cyware.com. 22 December 2018. https://web.archive.org/web/20190113003916/https://cyware.com/news/hackers-hiding-web-shell-logins-in-fake-http-error-pages-f9f1b47e. 13 January 2019. live.