Web Shell

A web shell is a web-based implementation of the shell concept that can be uploaded to a web server to enable remote administration of the web server.^[1] A web shell is unique in that it enables users to operate a remote computer by way of a web browser that acts like a command-line interface.^[2][3]
A user can log onto a remote computer using a web browser on any type of system, whether it’s a desktop computer or a web-enabled mobile phone, and perform tasks on the remote system. No command-line environment is required on either the host or the client. Web shells are used as backdoors that can run from the web browser.^[2][3] Infected web servers can be either connected to the Internet or internal to the network, where the web shell is used to infect further to internal hosts.^[2][3]

A web shell can be written in any language that the target web server supports. Web shells are most commonly written in PHP, Active Server Pages, or ASP.NET, but Perl, Ruby, Python, and Unix shell scripts are also used.^[1][2][3]

Using network monitoring tools such as Wireshark, an attacker can identify vulnerabilities that can be exploited and result in the installation of a web shell, these vulnerabilities can exist in content management system (CMS) or web server software.^[2]

An attacker can use a web shell to issue commands, increase privileges on the web server and include the ability to upload, delete, download and execute files as well as the ability to run shell commands, further executable, or scripts.^[2]

Usage[edit]

Web shells are used in attacks mostly because they are multi-purpose and are difficult to detect.^[4]

Web shells are commonly used for:

• Data theft^[4]
• Infecting website visitors (watering hole attacks)^[5]
• Website defacement
• Launch distributed denial of service (DDoS) attacks^[2]
• To use as a relay point to issue commands to hosts inside the network without direct Internet access^[2]
• To use as command-and-control infrastructure, potentially in the form of a bot in a botnet or in support of compromises to additional external networks. This could occur if the adversary intends to maintain long-term persistence^[2]

Delivery[edit]

Web shells can be delivered through a number of web application vulnerabilities or server configuration weaknesses including:^[2][4]

• Cross-site scripting;
• SQL injection;
• Vulnerabilities in applications and services (e.g., server software such as Apache HTTP Server or content management system applications);^[6][7]
• File processing vulnerabilities (e.g., upload filtering or assigned permissions);^[7]
• Remote file inclusion (RFI) and local file inclusion (LFI) vulnerabilities;
• Exposed administration interfaces^[2]

Examples of web shells[edit]

Attackers mostly use web shells such as "China Chopper", "WSO", "C99", and "b374k".^[2]

• China Chopper – A web shell with 4 kilobytes in size, which was first discovered in 2012. This web shell is widely used by Chinese and other malicious actors, including APT groups, to remotely access compromised web servers. This web shell consists of two parts, the client interface (an executable file) and the file on the compromised web server. Has several commands and control features including a password brute force capability.^[8][9][10]
• b374k – A PHP based web shell with common functionality such as viewing processes and executing commands.^[2][11][12]
• C99 – A version of the WSO shell which has the ability to display the server’s security measures and contains a self-delete function.^[2][13]
• WSO (web shell by orb) – Has the ability to pretend as an HTML error page containing a hidden login form.^[2][14][15]

Web shells can be as short as just one line of code, for example this PHP script which is 15 bytes long:

<?=`$_GET[x]`?>

If the attacker gets this line of code into a malicious file with a .php extension on the web server that is running PHP, the attacker can issue commands through a web browser using the following Uniform Resource Locator if the shell was located at /uploads/webshell.php:

https://example.com/uploads/webshell.php?x=cat%20%2Fetc%2Fpasswd

The above request will take the value of the x URL parameter, decode the URL it and send the following Bash command:

cat /etc/passwd

If the permissions of the /etc/passwd file allow viewing the file, the web server will send the contents of /etc/passwd to the browser and the browser will then display the contents of the /etc/passwd file or any other file the attacker wishes to view. This attack could have been prevented if the file permissions did not allow viewing or if the shell functions of PHP were disabled.

Prevention and mitigation[edit]

Installation of a web shell is commonly accomplished through web application vulnerabilities or configuration weaknesses. Therefore, removal of these vulnerabilities are important to avoid potential compromisation of a web server.
The following are security measures for preventing the installation of a web shell:^[2][3]

• Regularly update the applications and the host servers's operating system to ensure protection against known bugs.
• Deploy demilitarized zone (DMZ) between the web facing servers and the internal networks.
• Secure configuration of the web server.^[2]
• Unnecessary services and ports should be closed/blocked.^[2]
• Employ user input validation to restrict local and remote file inclusion vulnerabilities.^[2]
• Use a reverse proxy service to restrict the administrative URL's to known legitimate ones. ^[2]
• Frequent vulnerability scan to detect areas of risk and conduct regular virus signature checks. This method does not protect against zero day attacks.^[2]
• Deploy a web application firewall.^[2]
• Disable directory browsing.
• Not using default login credentials.^[2]

Detection[edit]

The ease of modification of a web shell makes it considerably hard to detect by system administrators, because it is equally not easy for programs developed with the aim of detecting viruses. For example, anti-virus products sometimes produce poor results in detecting web shells.^[2][16]

The following may be indicators that a web server has been infected by a web shell:^[2][3]

Abnormal high site usage (due to potential uploading and downloading activity by the attacker);^[2][16] Files with an unusual timestamp (e.g., more recent than the last time the files were modified.);^[16] Suspicious files in Internet-accessible locations (web root); Files containing references to suspicious keywords such as cmd.exe or eval; Unexpected connections in server logs

For example: A file type generating anomalous network traffic (e.g., a JPG file making requests with POST parameters);^{[2][17][18][19]} Suspicious logins originating from internal subnets to DMZ servers and vice versa.^[2]

Attackers can also hide web shell logins in fake error pages.^{[2][20][21][22]}

Often, web shells will be used to spread malware onto a server and the search engines are able to see it. Attackers are known to alter the .htaccess files on the server to redirect search engine requests to the webpage with malware or spam. Many web shells check the user-agent and the content presented to the search engine spider is different from that presented to the user's browser. To find a shell a user-agent change to one of the search engine bots is usually required. Once the shell is detected, it can be deleted easily.^[2]

Performing frequency analysis on the web server's access logs could indicate the location of a web shell. Most legitimate visits will have different user-agents and referrers (referers), whereas a web shell is only visited by the attacker, therefore have very few variants of user-agent strings.^[2]

See also[edit]

• Backdoor (computing)
• Cyberwarfare
• Internet security
• Network security

References[edit]

External links[edit]