A web shell is a piece of code that, when executed on a web server, gives access to its file system and/or terminal, with the ability to execute commands remotely.
What is a Web Shell?
Web shells are malicious scripts that allow cybercriminals to maintain persistent access to compromised web servers and to execute terminal commands, brute-force passwords, access the file system, and more. Most often, attackers exploit vulnerabilities in the website code or use brute force to deliver the malicious script.
A web shell can be written in any programming language that the server supports. The most common languages, however, are PHP, Python, Ruby, ASP, Perl, and Bash.
How are Web Shells installed?
A wide range of vulnerabilities are exploited to deliver web shells. The most common ways to infect web servers are:
- SQL injections: an attack vector that uses malicious SQL code for backend database manipulation to access confidential information.
- Exploiting misconfigurations in server administration and control features
- Cross-Site Scripting (XSS): manipulates vulnerable websites into serving malicious scripts to their users. When these scripts run in the browser, they can compromise communication between the user and the web application.
- File processing and uploading vulnerabilities: attackers can upload a malicious file that includes a web shell, which can be executed on the server.
- Remote code execution vulnerabilities
- Local and Remote File Inclusion (LFI, RFI) vulnerabilities: arise when a web application lets user-supplied input decide which file the server loads. In LFI, the included file already exists on the local machine, whereas RFI lets the attacker pull in and execute code hosted on a remote server.
- Vulnerabilities in applications and services
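The file-upload and file-inclusion items above are the two delivery paths a developer can close directly in application code. The following Python is an added example written for this page (it is not Group-IB's code and does not come from the original article): a naive upload handler that writes a client-chosen filename into the web root, beside a hardened handler that allow-lists extensions, checks magic bytes, stores the file under a random server-chosen name outside the web root, and a `resolve_include` helper that maps a user-supplied page name onto a fixed directory so that `../` or a remote URL can never reach an `include`. The allow-list, size limit and directory names are assumptions chosen for the demonstration.

```python
import re
import secrets
import tempfile
from pathlib import Path

# Allow-listed extensions and the magic bytes each type must start with.
# Constructed for this example; extend it to the types your application really needs.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed naming rule for includable pages


def save_upload_vulnerable(web_dir, client_filename, data):
    """Naive handler: trusts the client-supplied name and writes it straight into a
    web-served directory. A name like 'shell.php' becomes a file the server will execute."""
    path = Path(web_dir) / client_filename  # no normalisation, no extension or content check
    path.write_bytes(data)
    return path


def validate_upload(client_filename, data):
    """Return (ok, reason). Accept only allow-listed images whose content matches the extension."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    name = Path(client_filename).name  # drop directory components such as ../
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "missing or multiple extensions"  # rejects shell.php.png, .htaccess, 'shell'
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    if b"<?php" in data or b"<script" in data.lower():
        return False, "script markers inside file"  # polyglot image carrying PHP
    return True, ext


def save_upload_hardened(storage_dir, client_filename, data):
    """Validate, then store under a random server-chosen name. storage_dir should sit
    outside the web root so nothing uploaded can ever be requested as a script."""
    ok, info = validate_upload(client_filename, data)
    if not ok:
        raise ValueError(f"rejected {client_filename!r}: {info}")
    stored_name = f"{secrets.token_hex(16)}.{info}"
    (Path(storage_dir) / stored_name).write_bytes(data)
    return stored_name


def resolve_include(template_dir, requested):
    """Map a user-supplied page name to a file under template_dir, or return None.
    Guards against LFI/RFI: plain names only, fixed extension, and the resolved path
    must stay inside the directory, so '../' and 'http://' never reach an include."""
    if not PAGE_NAME.fullmatch(requested):
        return None
    base = Path(template_dir).resolve()
    candidate = (base / f"{requested}.html").resolve()
    if candidate.parent != base or not candidate.is_file():
        return None
    return candidate


def demo():
    """Exercise both handlers in a throwaway directory; returns the observed outcomes."""
    png = ALLOWED_TYPES["png"][0] + b"\x00" * 16  # constructed minimal PNG header
    with tempfile.TemporaryDirectory() as tmp:
        web_dir = Path(tmp) / "htdocs"
        store = Path(tmp) / "private_uploads"
        templates = Path(tmp) / "templates"
        for d in (web_dir, store, templates):
            d.mkdir()
        (templates / "about.html").write_text("<h1>About</h1>")

        # The naive handler happily writes a .php file into the web root.
        naive = save_upload_vulnerable(web_dir, "shell.php", b"<?php echo 1; ?>")
        stored = save_upload_hardened(store, "../../avatar.png", png)
        return {
            "naive_wrote_php": naive.suffix == ".php" and naive.exists(),
            "hardened_name_is_random": stored != "avatar.png" and stored.endswith(".png"),
            "about_resolves": resolve_include(templates, "about") is not None,
            "traversal_blocked": resolve_include(templates, "../../etc/passwd") is None,
        }


if __name__ == "__main__":
    print(demo())
```

The two properties that matter most are that the stored name is never derived from the client and that the storage directory is not served by the web server; the extension and magic-byte checks are defence in depth on top of that, not a substitute for it.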
Web shells can also be more elaborate, adding features such as detection evasion (encoding or encryption), a user-friendly interface, and so on. Once a web shell is installed on a web server, it can be used for malicious activities such as stealing sensitive data, launching secondary attacks, and maintaining persistent access to the server.
How often are web shells used in cyber attacks?
Web shells are one of the most efficient ways to carry out a cyber attack, which is why they are so commonly used. In recent years, web shells have been among the most frequently detected types of malware.
Cybercriminals do not need supplementary programs to execute a web shell attack.
To deploy an attack, the threat actor needs to find a target system that contains vulnerabilities. Once a web shell is installed, attackers can use it to perform a variety of malicious activities, escalate their privileges on the target system, and maintain persistent access to the server even if the initial vulnerability that allowed them to install the web shell is patched.
Web shells are often used in conjunction with other attack techniques, such as phishing, to gain initial access to a target system. Once access is gained, the web shell can serve as a pivot point from which to issue commands to hosts inside the network. It can also be used as a command-and-control server for botnets or other networks.
Cybercriminals use web shells for various attack scenarios:
- Exfiltrating and collecting sensitive data and credentials
- Installing malware that could create a path for further infection
- Defacing websites
- Redirecting traffic to advertising materials
- Placing links to third-party resources on compromised websites for profit for SEO and other purposes
- Using scripts for crypto mining on the devices of users visiting the website or crypto mining on the hosting server
- Redirecting users to special exploit kits in order to infect their computer
- Injecting JavaScript sniffers (JS sniffers) into a payment gateway in order to collect any payment information that the user enters
The main supplier of web shells on the dark web is a market called MagBo. Between July 1, 2021, and June 30, 2022, more than 284,000 web shells were detected on this market according to the Hi-Tech Crime Trends Report by Group-IB.
How are web shells detected?
Web shells are difficult to detect because they can be hidden within otherwise normal files, such as images, video or audio files, which only become malicious once they are executed in response to a request from a web browser. Finding a web shell after the attack is easier than preventing it beforehand, and is mainly done through:
- File and network analysis: web shells are typically uploaded to the server as files. By monitoring file uploads and changes on the server, security teams can detect the presence of web shells. Similarly, network monitoring can detect web shell activity by analyzing network traffic for anomalous behavior, such as suspicious external connections and frequent requests.
- Log analysis: web server logs can provide information about web shell activity to help detect and take down network intrusions. Web server logs can help identify IP addresses used to access the server and the commands executed by the attacker, and provide trails about the attacker’s TTPs and motivations.
- Automated content analysis: an automated system inspects the contents of newly uploaded or changed files and checks whether they match a known web shell. This works for known web shells but not for custom ones.
- Pattern matching: this technique scans for code fragments that match patterns familiar from known web shells. However, it is not very effective on its own, as attackers are aware of it and can evade it by obfuscating their code.
- Endpoint Detection and Response: web shells cause the web server to show behavioral anomalies. Endpoint detection and response can help detect web shells based on system call and process lineage anomalies.
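The "file analysis", "automated content analysis" and "pattern matching" items above combine naturally into one pipeline: keep a hash baseline of the web root, and only run content scoring against files that are new or modified since that baseline. The Python below is an added example written for this page (not Group-IB's tooling): `snapshot` and `diff_snapshots` implement the baseline, `score_content` applies a small set of weighted indicators (eval/assert, command-execution functions, decoders, direct use of request superglobals, dynamically named calls), and `scan_changes` ties them together. The indicator list, weights and threshold are assumptions for the demonstration, and the two PHP samples are constructed purely to exercise the scanner.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Weighted indicators typical of PHP web shells. Constructed for this example and
# deliberately coarse: tune the patterns and threshold against your own code base.
INDICATORS = {
    "eval_or_assert": (re.compile(r"\b(?:eval|assert)\s*\("), 3),
    "command_exec": (re.compile(r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\("), 3),
    "decoder": (re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), 2),
    "request_input": (re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\s*\["), 1),
    "dynamic_call": (re.compile(r"\$\w+\s*\(\s*\$"), 2),  # $f($x): function chosen at runtime
}
SCAN_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}


def snapshot(root):
    """SHA-256 of every file under root, keyed by path relative to root (the baseline)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(before, after):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(k for k in after if k not in before)
    modified = sorted(k for k in after if k in before and before[k] != after[k])
    removed = sorted(k for k in before if k not in after)
    return added, modified, removed


def score_content(text):
    """Return (score, matched indicator names) for one file's contents."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    return sum(INDICATORS[name][1] for name in hits), hits


def scan_changes(root, baseline, threshold=4):
    """Re-snapshot root, then score only script files that are new or changed since baseline.
    Returns (findings, new_snapshot); findings are (path, score, hits) at or above threshold."""
    current = snapshot(root)
    added, modified, _ = diff_snapshots(baseline, current)
    findings = []
    for rel in added + modified:
        path = Path(root) / rel
        if path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        score, hits = score_content(path.read_text(errors="replace"))
        if score >= threshold:
            findings.append((rel, score, hits))
    return findings, current


# Constructed samples: a harmless page and a minimal eval-of-input pattern of the kind
# a scanner is expected to flag.
BENIGN_PHP = '<?php\n// static landing page\necho "<h1>Welcome</h1>";\n'
SUSPICIOUS_PHP = "<?php @eval(base64_decode($_REQUEST['c'])); ?>\n"


def demo():
    """Take a baseline, simulate a routine edit plus a dropped file, and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_text(BENIGN_PHP)
        (root / "uploads" / "pic.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        baseline = snapshot(root)

        (root / "index.php").write_text(BENIGN_PHP + 'echo date("Y");\n')  # legitimate change
        (root / "uploads" / "avatar.php").write_text(SUSPICIOUS_PHP)        # dropped file
        findings, current = scan_changes(root, baseline)
        added, modified, _ = diff_snapshots(baseline, current)
        return findings, added, modified


if __name__ == "__main__":
    for rel, score, hits in demo()[0]:
        print(f"{rel}: score {score}, indicators {hits}")
```

Scoring only the changed set keeps false positives manageable on a large code base where legitimate frameworks also call `base64_decode` or `exec`; the baseline should be taken from a known-good deployment, and a modified file that scores below threshold still deserves a look if it sits in a directory that should never contain scripts.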
How to defend against web shell attacks?
Here are a few concrete mitigation recommendations by our cybersecurity experts:
- regularly update the applications and the host server's operating system to close known vulnerabilities
- deploy a demilitarized zone (DMZ) between the web-facing servers and the internal networks
- configure the web server securely
- close or block ports and services that are not used
- validate user input to limit local and remote file inclusion vulnerabilities
- use a reverse proxy service to restrict the administrative URLs to known legitimate ones
- run frequent vulnerability scans to detect areas of risk and conduct regular scans using web security software (this does not prevent zero-day attacks)
- deploy a firewall
- disable directory browsing
- avoid the use of default passwords
Overall, detecting and mitigating web shell attacks requires a comprehensive approach that includes network monitoring, behavioral analysis, and threat intelligence. Cyber threat intelligence gives organizations information on previously known web shells and their characteristics, which helps teams track web shells and curb damage.
Group-IB's Threat Intelligence solution is able to track and hunt for hundreds of different web shells, including popular public ones and highly sophisticated private ones belonging to Advanced Persistent Threat (APT) groups. Once a web shell is discovered in the client's network, the system immediately informs the client and provides all the information required to mitigate, remove and respond to the threat. Learn how you can enable Group-IB's proprietary Threat Intelligence to protect your business against web shell attacks.
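The "log analysis" item in the detection section above is the cheapest place to start, because the web server already records every request the shell receives. The Python below is an added example written for this page (not Group-IB's tooling): it parses combined-format access log lines and flags three patterns a defender would want surfaced, namely a script extension requested from a directory that should only hold uploads, a query parameter named like a command channel, and a POST to an endpoint that is not on the application's known list. The directory names, parameter names, endpoint list and the log lines themselves are constructed for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Site-specific knowledge the analyst supplies (constructed values for this example).
UPLOAD_DIRS = ("/uploads/", "/media/", "/files/")
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx")
COMMAND_PARAMS = {"cmd", "exec", "command", "shell", "run"}
KNOWN_POST_ENDPOINTS = {"/login.php", "/upload.php", "/contact.php"}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = set(parse_qs(parts.query, keep_blank_values=True))
    return rec


def classify(rec):
    """Return the list of reasons a request looks like web shell traffic (empty if none)."""
    reasons = []
    path = rec["path"].lower()
    if path.startswith(UPLOAD_DIRS) and path.endswith(SCRIPT_EXTS):
        reasons.append("script in upload directory")
    if rec["params"] & COMMAND_PARAMS:
        reasons.append("command-style parameter")
    if rec["method"] == "POST" and rec["path"] not in KNOWN_POST_ENDPOINTS:
        reasons.append("POST to unknown endpoint")
    return reasons


def analyze(lines):
    """Run classify over every parseable line; unparseable or blank lines are skipped."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                             "target": rec["target"], "ua": rec["ua"], "reasons": reasons})
    return findings


def by_ip(findings):
    """Count flagged requests per source address, a quick way to rank what to triage first."""
    return Counter(f["ip"] for f in findings)


# Constructed access-log excerpt: a normal visit, a legitimate upload, then requests to the
# uploaded script, followed by an unrelated image fetch from another address.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2023:10:01:09 +0000] "POST /upload.php HTTP/1.1" 200 88 "http://example.test/profile" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2023:10:01:15 +0000] "GET /uploads/avatar.php?cmd=whoami HTTP/1.1" 200 40 "-" "python-requests/2.28"',
    '203.0.113.7 - - [10/Mar/2023:10:01:20 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 1320 "-" "python-requests/2.28"',
    '198.51.100.4 - - [10/Mar/2023:10:02:00 +0000] "GET /uploads/pic.png HTTP/1.1" 200 20480 "http://example.test/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {", ".join(h["reasons"])}')
    print(by_ip(hits))
```

On real logs the "POST to unknown endpoint" rule needs a complete endpoint list or it will be noisy, while the first rule is almost always worth an alert on its own: a web server should never be asked to execute anything out of a directory that exists to hold user uploads.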