Web Shells

Web shells are malicious scripts that attackers use as a point of entry into target systems. Threat actors use scanning tools, such as the publicly available shodan.io, to identify potential targets and attempt to exploit known vulnerabilities on systems. If successful, the threat actor can then upload web shells onto the network. It is important to note that while web shells cannot exploit vulnerabilities themselves, they provide a means for threat actors to compromise systems, maintain persistent backdoors, and escalate their privileges into targeted systems.

Use of web shells in cyberattacks has steadily increased in recent years. Attacks using web shells typically start by exploiting vulnerabilities in web servers via SQL injections, remote file inclusions, cross-site scripting, and similar web application attacks. These malicious scripts can be used to execute shell commands, probe the target server’s network, and add the compromised server to a botnet. Most importantly, attackers can enable persistent remote access, eliminating their need to exploit the same vulnerability each time they want to access the network. For example, Microsoft released a report last month disclosing how the CVE-2020-5902 vulnerability was exploited in order to install web shells onto servers. Additionally, threat actors used web shells to maintain access to compromised Microsoft Exchange servers in cyberattacks that exploited zero-day vulnerabilities.

Consider the above PHP web shell - this is a single line of code surrounded by the “<?php” and “?>” tags identifying the line as PHP code. In PHP, the “system()” function call accepts a shell command and prints out the output of this command. In this case, the input of this function is the value of the HTTP_ACCEPT_LANGUAGE field in the header of an HTTP request, which is sent by a client when trying to connect to a web page. If, for example, the attackers crafted the HTTP_ACCEPT_LANGUAGE field to have the command “cat /etc/passwd,” they would then be able to obtain the list of usernames and their privileges on the system.

 

Web shells are not executable files; therefore, anti-virus software often fails to detect these malicious scripts. While they are difficult to detect, system administrators can implement the following steps in order to harden their web servers against web shells:

• Ensure that all applications, as well as the operating system, are up to date.
• Disable functions that are commonly used in web shells, which are enabled by default in PHP. These include the exec(), shell_exec(), passthru(), and proc_open() function calls
• Enforce the Principle of Least Privilege, whereby users are granted only the minimum privileges to access the system.
• Ensure web servers are configured to block or disable unnecessary services and ports, and consider blocking external access to administrator panels.
• Utilize and configure a web application firewall (WAF) to perform regular virus signature checks, application fuzzing, and server network analysis.

 

Indicators of compromise include:

• Unusual periods of high site usage.
• Suspicious shell commands, such as directory traversal, by the web server process.
• Suspicious file activity, such as:
  • Files that include an unusual timestamp
  • Suspicious files found in internet-accessible locations
  • Contain reference to keywords such as cmd.exe
  • A file type generating unexpected or anomalous network traffic. For example, a JPG file making requests with POST parameters.

 

Additional resources:

Web Shell Attacks Continue to Rise - Microsoft

Compromised Web Servers and Web Shells - Threat Awareness and Guidance – CISA

Web Shells 101: Detection and Prevention – Rapid7

Detect and Prevent Web Shell Malware - NSA