A web shell or backdoor shell is a script written in the supported language of a target web server to be uploaded to enable remote access and administration of the machine. Shells are able to infect servers that may not necessary be internet-facing, servers for hosting of internal resources are also subject to web shell attacks where script owners try to access information saved on this systems.
Most web-shells are written in popular scripting languages known to be supported by most of the web servers, this may be PHP, Python, Ruby, Perl, ASP and Unix Shell Script. Content Management Systems and other web server software are scanned using network reconnaissance tool to identify vulnerabilities that can be exploited leading to installation of the shell script.
The shell gives the creator the ability to create, edit, delete or download any file of choice, top of the list for infiltrators is using a web shell to gain root access to server. It is also important to note that web and system administrators also use shells to perform routine tasks like creation of users, reading of logs among others.
Webshells are known not to need additional programs to run on victims system since communications happens simply over HTTP on browsers. Uploads of webshells are usually accomplished through document/file upload pages and then a Local File Include (LFI) weakness is used to include webshell in one of the pages of the application. Other forms through which webshells are installed include Cross-site scripting (XSS) and Exposed Admin Interface.
How to detect Web Shells
The ease of modification of web shell makes it considerably hard to detect by system administrators, it is equally not easy for programs developed with the aim of detecting viruses. In a case where an administrator suspects the presence of shell on their system either by notice of unusual timestamps or presence of suspicious files in internet available locations, the administrator should inspect the suspected file for suspicious commands or better still consider using special problems with known ability to detect shell commands, some website offer users the ability to submit suspected files for analysis of known webshell syntax using their webshell database, Shell Detector is known to have this feature, boosting 99% accuracy in detecting webshell presence in a server by simply adding their shell signature database with to root directory of an application. Another method is using ClamAV scanner or some kind malware removal tools with prober php malware signatures.
How to block Webshells
Since webshell exploits are undertaken only on servers with web application vulnerabilities or configuration weaknesses, identification and closure of such vulnerabilities is crucial in avoiding compromise. For servers supporting PHP, potentially dangerous functions such as exec (), shell_exec (), eval (), assert () , etc and should be disabled in php.ini when not in use. This makes it hard to execute the content of a webshell should it be eventually uploaded. Also sensitive directories such as images or upload should also be disabled or name modified from its default state. Web Applications with file upload features should be secured and allow uploads of only allowed file types. In case of CMS like WordPress, third-party plugins that are not needed should be disabled.
Web Application Firewall (ModSecurity)
A Web Application Firewall (WAF) protects Web servers from malicious traffic and blocks attempts to compromise the system. We recommend use Open Source ModSecurity Firewall and ModSecurity rules.