A web shell or backdoor shell is a script written in the supported language of a target web server to be uploaded to enable remote access and administration of the machine. Shells are able to infect servers that may not necessarily be internet-facing, servers for hosting of internal resources are also subject to web shell attacks where script owners try to access information saved on these systems.
How do web shells work?
Most web shells are written in popular scripting languages known to be supported by most of the web servers, this may be PHP, Python, Ruby, Perl, ASP, and Unix Shell Script. Content Management Systems and other web server software are scanned using a network reconnaissance tool to identify vulnerabilities that can be exploited leading to installation of the shell script.
The shell gives the creator the ability to create, edit, delete, or download any file of choice, top of the list for infiltrators is using a web shell to gain root access to the server. It is also important to note that web and system administrators also use shells to perform routine tasks like the creation of users, and reading of logs among others.
Web shells are known not to need additional programs to run on the victim system since communications happen simply over HTTP on browsers. Uploads of webshells are usually accomplished through document/file upload pages and then a Local File Include (LFI) weakness is used to include a webshell in one of the pages of the application. Other forms through which webshells are installed include Cross-site scripting (XSS) and Exposed Admin Interface.
Most common web shells
There are many different web shells, and new ones emerge regularly. Some of the most common web shells include:
- PHP Shells:
- c99 Shell: This is one of the most widely used PHP web shells. It provides various functionalities for attackers, including file manipulation and execution of arbitrary commands on the server.
- r57 Shell: Another popular PHP web shell that allows attackers to execute commands, upload, and download files, and perform other malicious activities.
- Wso Shell (Web Shell by Orb): Known for its stealthy features, the Wso Shell can be challenging to detect. It provides a range of functionalities for attackers.
- b374k Shell: This PHP web shell offers a user-friendly interface, making it easier for attackers to navigate and control the compromised server.
- ASP/ASP.NET Shells:
- ASPXSpy: This is a common ASP.NET web shell that provides an interface for attackers to execute commands, manipulate files, and interact with the compromised server.
- China Chopper: A small and stealthy ASP shell, China Chopper is often used for initial access and reconnaissance by attackers.
- JSP Shells:
- JSP Reverse Shell: Attackers deploy JSP web shells on Java-based web servers to execute arbitrary code and maintain control over the server.
- Python Shells:
- Weevely: Weevely is a popular Python-based web shell that is used for maintaining access to compromised systems and executing commands.
- Perl Shells:
- WSO Perl Shell: This is a Perl version of the Wso Shell mentioned earlier. It provides similar functionalities for attackers but is written in Perl.
- ColdFusion Shells:
- CF Webshell: This is a ColdFusion web shell that attackers use to manipulate files, execute commands, and control servers running ColdFusion.
How to detect web shells
The ease of modification of web shell makes it considerably hard to detect by system administrators, it is equally not easy for programs developed with the aim of detecting viruses. In a case where an administrator suspects the presence of a shell on their system either by notice of unusual timestamps or the presence of suspicious files in internet-available locations, the administrator should inspect the suspected file for suspicious commands or better still consider using special problems with known ability to detect shell commands, some website offer users the ability to submit suspected files for analysis of known web shell syntax using their web shell database, Shell Detector is known to have this feature, boosting 99% accuracy in detecting webshell presence in a server by simply adding their shell signature database with to root directory of an application. Another method is using a ClamAV scanner or some kind of malware removal tool with proper php malware signatures.
How to block web shells
Since webshell exploits are undertaken only on servers with web application vulnerabilities or configuration weaknesses, identification and closure of such vulnerabilities is crucial in avoiding compromise. For servers supporting PHP, potentially dangerous functions such as exec (), shell_exec (), eval (), assert () , etc and should be disabled in php.ini when not in use. This makes it hard to execute the content of a webshell should it be eventually uploaded. Also sensitive directories such as images or upload should also be disabled or name modified from its default state. Web Applications with file upload features should be secured and allow uploads of only allowed file types. In case of CMS like WordPress, third-party plugins that are not needed should be disabled.
Web Application Firewall (ModSecurity)
A Web Application Firewall (WAF) protects Web servers from malicious traffic and blocks attempts to compromise the system. We recommend use Open Source ModSecurity Firewall and ModSecurity rules.