Web shell

A web shell is a malicious web-based shell-like interface that enables remote access and control to a web server by allowing execution of arbitrary commands.[1] A web shell is able to be uploaded to a web server to allow remote access to the web server, such as the web server's file system.[2] A web shell is unique in that it enables users to access a web server by way of a web browser that acts like a command-line interface.[3][4]

Part of a series on
Information security
Related security categories
Threats
Defenses

A user can access a remote computer via the World Wide Web using a web browser on any type of system, whether it's a desktop computer or a mobile phone with a web browser, and perform tasks on the remote system. No command-line environment is required on either the host or the client.[3][4] A web shell is often considered a remote access trojan.[5]

A web shell could be programmed in any language that the target server supports. Web shells are most commonly written in PHP due to the widespread use of PHP, however, Active Server Pages, ASP.NET, Python, Perl, Ruby, and Unix shell scripts are also used, although not as common because it is not very common for web servers to support these languages.[2][3][4]

Using network monitoring tools such as Wireshark, an attacker can find vulnerabilities which are exploited resulting in a web shell installation. These vulnerabilities may be present in content management system applications or the web server's software.[3]

An attacker can use a web shell to issue commands, perform privilege escalation on the web server, and the ability to upload, delete, download, and execute files on the web server.[3]

General usage

Web shells are used in attacks mostly because they are multi-purpose and difficult to detect.[6]

Web shells are commonly used for:

Delivery of web shells

Web shells are installed through vulnerabilities in web application or weak server security configuration including the following:[3][6]

An attacker may also modify (spoof) the Content-Type header to be sent by the attacker in a file upload to bypass improper file validation (validation using MIME type sent by the client), which will result in a successful upload of the attacker's shell.

Examples of notable web shells
A b374k shell running on a Windows 7 Ultimate Edition server.
An example of what a fake error page might look like in a WSO web shell.
  • b374k – A web shell written in PHP with abilities such as monitoring processes & command execution. The latest version of the b374k shell is 3.2.3.[3][10][11][12]
  • C99 – A web shell capable of showing the web server's security standards and has a self-destruction option.[3][13] The original version of C99Shell does not work with PHP 7 due to the usage of removed functions.
  • China Chopper – A web shell which is only 4 kilobytes in size, which was first discovered in 2012. This web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely access web servers. This web shell has two parts, the client interface (an executable file) and the receiver host file on the compromised web server. Has many commands and control features such as a password brute-force attack option.[14][15][16]
  • R57 – The R57 web shell has tools to scan the infected web server for other web shell installations, with the option to remove or overwrite them.[17]
  • WSO (web shell by oRb) – Has the ability to be password protected with a login form, some variants can disguise as a fake HTTP error page.[3][18][19]

Web shells can be as short as just one line of code. The following example PHP script is 15 bytes in size:

<?=`$_GET[x]`?>

If an attacker inserts this line of code into a malicious file with a PHP filename extension (such as .php) on a web server that is running PHP, the attacker can issue commands, for example reading the /etc/passwd file, through a web browser using the following Uniform Resource Locator if the web shell was located at uploads/webshell.php:

http://example.com/uploads/webshell.php?x=cat%20%2Fetc%2Fpasswd

The above request will take the value of the x URL parameter, decode the URL and send the following shell command:

cat /etc/passwd

If the permissions of the /etc/passwd file allow viewing the file, the web server will send the contents of /etc/passwd to the web browser and the browser will then display the contents of the /etc/passwd file or any other file the attacker wishes to view.

This attack could have been prevented if the file permissions did not allow viewing the file or if the shell functions of PHP were disabled so that arbitrary shell commands cannot be executed from PHP.

Other malicious actions are able to be executed by attackers with that web shell, such as replacing the contents of a file on the web server. For example, consider the following command:

echo x > index.php

The above command could be used to replace the contents of the index.php file with the text "x", which is one way a web page could be defaced, or create the index.php file with the contents if the file does not exist. Attackers can also use the Bash command rm to delete files on the web server and mv to move files.

Prevention and mitigation

A web shell is usually installed by taking advantage of vulnerabilities present in the web server's software. That is why removal of these vulnerabilities are important to avoid the potential risk of a compromised web server.

The following are security measures for preventing the installation of a web shell:[3][4]

Detection

Web shells can be easily modified, so it's not easy to detect web shells and antivirus software are often not able to detect web shells.[3][20]

The following are common indicators that a web shell is present on a web server:[3][4]

  • Abnormal high web server usage (due to heavy downloading and uploading by the attacker);[3][20]
  • Files with an abnormal timestamp (e.g. newer than the last modification date);[20]
  • Unknown files in a web server;
  • Files having dubious references, for example, cmd.exe or eval;
  • Unknown connections in the logs of web server

For example, a file generating suspicious traffic (e.g. a PNG file requesting with POST parameters);[3][21][22][23] Dubious logins from DMZ servers to internal sub-nets and vice versa.[3]

Web shells may also contain a login form, which is often disguised as an error page.[3][24][25][26]

Using web shells, adversaries can modify the .htaccess file (on servers running the Apache HTTP Server software) on web servers to redirect search engine requests to the web page with malware or spam. Often web shells detect the user-agent and the content presented to the search engine spider is different from that presented to the user's browser. To find a web shell a user-agent change of the crawler bot is usually required. Once the web shell is identified, it can be deleted easily.[3]

Analyzing the web server's log could specify the exact location of the web shell. Legitimate users/visitor usually have different user-agents and referers (referrers), on the other hand, a web shell is usually only visited by the attacker, therefore have very few variants of user-agent strings.[3]

See also

References
  1. "An Introduction to Web-shells". www.acunetix.com. Archived from the original on 2019-03-28. Retrieved 2019-03-28.
  2. "How can web shells be used to exploit security tools and servers?". SearchSecurity. Archived from the original on 2019-03-28. Retrieved 2018-12-21.
  3. US Department of Homeland Security. "Web Shells – Threat Awareness and Guidance". www.us-cert.gov. Archived from the original on 13 January 2019. Retrieved 20 December 2018. This article incorporates text from this source, which is in the public domain.
  4. admin (3 August 2017). "What is a Web shell?". malware.expert. Archived from the original on 13 January 2019. Retrieved 20 December 2018.
  5. Wrench, P. M.; Irwin, B. V. W. (1 August 2015). "Towards a PHP webshell taxonomy using deobfuscation-assisted similarity analysis". 2015 Information Security for South Africa (ISSA). pp. 1–8. doi:10.1109/ISSA.2015.7335066. ISBN 978-1-4799-7755-0 via IEEE Xplore.
  6. "Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors – US-CERT". www.us-cert.gov. Archived from the original on 20 December 2018. Retrieved 20 December 2018.
  7. co-organizer, Makis MourelatosWordPress Security Engineer at FixMyWPWC Athens 2016; Support, W. P.; Aficionado, Security; Kitesurfer, Wannabe (16 October 2017). "The Definitive Guide about Backdoor Attacks - What are WebShell BackDoors". fixmywp.com. Archived from the original on 13 January 2019. Retrieved 20 December 2018.
  8. "Got WordPress? PHP C99 Webshell Attacks Increasing". 14 April 2016. Archived from the original on 29 December 2018. Retrieved 21 December 2018.
  9. "Equifax breach was 'entirely preventable' had it used basic security measures, says House report". Archived from the original on 20 December 2018. Retrieved 21 December 2018.
  10. "Google Code Archive - Long-term storage for Google Code Project Hosting". code.google.com. Archived from the original on 23 January 2019. Retrieved 22 December 2018.
  11. "The Webshell Game Continues". 8 July 2016. Archived from the original on 29 December 2018. Retrieved 22 December 2018.
  12. "GitHub - b374k/b374k: PHP Webshell with handy features". Archived from the original on 2019-05-07. Retrieved 2019-04-19.
  13. "Got WordPress? PHP C99 Webshell Attacks Increasing". 14 April 2016. Archived from the original on 29 December 2018. Retrieved 22 December 2018.
  14. "China Chopper". NJCCIC. Archived from the original on 13 January 2019. Retrieved 22 December 2018.
  15. "What is the China Chopper Webshell, and how to find it on a compromised system?". 28 March 2018. Archived from the original on 13 January 2019. Retrieved 22 December 2018.
  16. "Breaking Down the China Chopper Web Shell - Part I « Breaking Down the China Chopper Web Shell - Part I". FireEye. Archived from the original on 13 January 2019. Retrieved 22 December 2018.
  17. "Web Shells: The Criminal's Control Panel | Netcraft". news.netcraft.com. Archived from the original on 2019-01-13. Retrieved 2019-02-22.
  18. "WSO Shell: The Hack Is Coming From Inside The House!". 22 June 2017. Archived from the original on 9 January 2019. Retrieved 22 December 2018.
  19. "Web Shells: The Criminal's Control Panel - Netcraft". news.netcraft.com. Archived from the original on 13 January 2019. Retrieved 22 December 2018.
  20. "Breaking Down the China Chopper Web Shell - Part I « Breaking Down the China Chopper Web Shell - Part I". FireEye. Archived from the original on 13 January 2019. Retrieved 20 December 2018.
  21. "Intrusion Detection and Prevention Systems". Archived from the original on 2019-01-13. Retrieved 2018-12-22.
  22. LightCyber, Kasey Cross, Senior Product Manager (16 June 2016). "Five signs an attacker is already in your network". Network World. Archived from the original on 13 January 2019. Retrieved 22 December 2018.
  23. "Traffic Analysis for Network Security: Two Approaches for Going Beyond Network Flow Data". Archived from the original on 2016-11-14. Retrieved 2018-12-22.
  24. "Hackers Hiding Web Shell Logins in Fake HTTP Error Pages". BleepingComputer. Archived from the original on 26 July 2018. Retrieved 21 December 2018.
  25. "Hackers Hiding Web Shell Logins in Fake HTTP Error Pages". ThreatRavens. 24 July 2018. Archived from the original on 13 January 2019. Retrieved 17 February 2019.
  26. "Hackers Hiding Web Shell Logins in Fake HTTP Error Pages". cyware.com. Archived from the original on 13 January 2019. Retrieved 22 December 2018.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.