Webshell Attacks

What is a web shell?

A web shell is a script placed on a web server that gives whoever can reach it remote control of that server over ordinary HTTP requests. It is most often planted by an attacker as a foothold after a successful intrusion.

A web shell can be written in any language the server will interpret. PHP is the most common choice because of how widely PHP is deployed in web applications, but Active Server Pages (ASP), ASP.NET, Java (JSP), Python, Perl, Ruby and Unix shell scripts are all used by attackers for web shells.

What is a web shell attack?

An attacker uses a web shell to run operating-system commands on the web server, to upload, download, delete and execute files, and to attempt privilege escalation from the account the web server runs under.

A web shell is a malicious script an attacker deploys to escalate and keep persistent access to a web application or website. Typical functionality includes shell command execution (a remote command line), execution of arbitrary code in the application's language, database enumeration and file management.

A web shell does not by itself exploit a remote vulnerability; it has to be placed on the server by some other means first, so it is always a second step of an attack (this stage is also called post-exploitation).

Basics of a web shell attack

A client generates a request by typing a URL into the browser that points to code on the web server; the web server executes that server-side code, which is interpreted at run time, and the response is sent back to the client's browser.

For example, when the client's browser requests a URL such as "www.myapp.com/home", the web server runs the code behind "home" and returns the response that code produces to the browser.

In other words, every request for a URL can be read as an instruction to the web server to "execute this file".

A web shell attack happens when an attacker manages to place their own file inside a directory the web server interprets, so that later they can make the server execute it simply by requesting it from their browser.

How do web shell attacks occur?

Attackers locate exploitable weaknesses in web applications and websites with freely available vulnerability scanners. Such scans often go unnoticed, because a web application firewall tuned only for exploitation payloads will not flag reconnaissance traffic unless it is also configured to rate-limit or alert on scanner behaviour.

A web shell is usually uploaded by exploiting a vulnerability in the application, including but not limited to unrestricted file upload, SQL injection (for example by writing a file through a database account that has filesystem access), remote file inclusion (RFI), cross-site scripting used to make an administrator's browser perform the upload, or a vulnerability in a third-party component such as Log4Shell (CVE-2021-44228).

Once the web shell is on the server, the attacker simply requests the file from a browser and can take control of the web server. From there they can upload additional malware to stage further attacks: data exfiltration, cryptocurrency mining, or using the server's resources to attack other systems.

Why are web shells not easily detected?

Web shells are small scripts that call the same functions legitimate code calls: command execution, file access, database access. Because an attacker can rename variables, re-encode strings or wrap the script in another layer of encoding at will, signature-based antivirus rarely keeps up with them.

The vulnerability that let the shell in is patched at some point in the patching cycle, but once a web shell is on the server it keeps working with no dependency on that vulnerability.

An attacker might also choose to fix the vulnerability themselves so that nobody else can exploit it. This keeps their profile low and avoids any interaction with an administrator while they still obtain the same result.

Several popular web shells use password authentication and other techniques to make sure only the attacker who planted them can use them: the script responds only to a specific custom HTTP header, a specific cookie value, a specific source IP address, or a combination of these. Most also contain code to keep search engines from indexing the shell, since a listed shell could get the whole domain or server blacklisted.

Obfuscation and stealth are built into many web shells, and the code is often appended to or hidden inside an existing legitimate file on the server rather than dropped as a new file.

Web developers often update websites and applications by uploading code from their own machines, so a compromised developer workstation can also be the source of a web shell on the server.

Most web server administrators are not developers and have limited coding knowledge, so they do not recognise a new or modified script in the web directory.

What are the indicators of a web shell on the web server?

The following are common indicators that a web shell is present on a web server

1)  Abnormally high web server usage (cryptocurrency mining, heavy downloading and uploading by the attacker, and so on).

2)  Files with an abnormal timestamp: newer than the last deployment, or deliberately set older than neighbouring files to blend in (timestomping), so compare against a deployment manifest rather than trusting mtime alone.

3)  Unknown files in the web directory that the deployment did not put there.

4)  Files that reference command-execution or code-evaluation functions (system, exec, shell_exec, passthru, eval, base64_decode) where the application does not otherwise use them.

5)  Unusual requests in the web server logs: requests for scripts the deployment does not know about, POST requests to paths that should be static, or requests carrying command-style parameters.
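The indicators above can be checked mechanically. The following script is an added Python example, not SiteWALL's detection logic or code from this page: it scans a web root against a deployment manifest and deployment timestamp, flags files that call command or code-execution functions (looking through base64 layers, the obfuscation described earlier, and catching code injected into a legitimate file), and reviews web server log lines for requests to unknown scripts or command-style parameters. The manifest, sample files, function list and log lines are all constructed for the example, and the function list is a starting point rather than a complete signature set.

```python
"""Web-shell triage scanner (added example; not SiteWALL's detection logic).

Checks the indicators listed above against a web root: files the deployment
manifest does not know about, files modified after the last deployment (including
legitimate files that had code injected), and source that calls command or code
execution functions, looking through base64-encoded layers.  It also flags log
lines that request unknown scripts or carry command-style parameters.  The sample
files, manifest and log lines are constructed here so the script runs offline.
"""
import base64
import os
import re
import tempfile
import time

# Functions a web shell needs.  Their presence in a file that should be a
# template or static asset is the "dubious references" indicator.
SUSPICIOUS = re.compile(
    rb"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    rb"base64_decode|gzinflate|str_rot13|create_function)\s*\(", re.I)
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def decode_layers(data, max_layers=3):
    """Return data followed by every base64 blob that decodes cleanly, a few layers deep."""
    seen, frontier = [data], [data]
    for _ in range(max_layers):
        nxt = []
        for blob in frontier:
            for m in B64_BLOB.finditer(blob):
                try:
                    dec = base64.b64decode(m.group(0), validate=True)
                except ValueError:        # binascii.Error subclasses ValueError
                    continue
                if dec and dec not in seen:
                    seen.append(dec)
                    nxt.append(dec)
        frontier = nxt
    return seen


def scan_file(path, manifest, deployed_at):
    """Return the indicator strings that apply to one file."""
    findings = []
    if os.path.basename(path) not in manifest:
        findings.append("not in deployment manifest")
    if os.path.getmtime(path) > deployed_at:
        findings.append("modified after last deployment")
    with open(path, "rb") as f:
        data = f.read()
    for depth, layer in enumerate(decode_layers(data)):
        hits = sorted({m.group(1).lower().decode() for m in SUSPICIOUS.finditer(layer)})
        if hits:
            where = "source" if depth == 0 else f"decoded blob {depth}"
            findings.append(f"{where} calls {hits}")
    return findings


def scan_log(lines, manifest):
    """Flag requests for scripts the deployment does not know, or command-style parameters."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, _status, _size = m.groups()
        path, _, query = target.partition("?")
        name = os.path.basename(path)
        if name.endswith((".php", ".asp", ".aspx", ".jsp")) and name not in manifest:
            alerts.append(f"{ip} {method} {path}: script not in manifest")
        if re.search(r"(^|&)(cmd|c|exec|command)=", query):
            alerts.append(f"{ip} {method} {path}: command-style parameter")
    return alerts


def demo():
    """Build a constructed web root and log, scan both, return (file findings, log alerts)."""
    deployed_at = time.time() - 3600                  # last known-good deployment
    manifest = {"index.php", "config.php", "logo.png"}
    root = tempfile.mkdtemp(prefix="www_")
    payload = b"system($_POST['c']); @file_put_contents('/var/www/.x', $_POST['d']);"
    samples = {                                       # all constructed
        "index.php": b"<?php include 'config.php'; echo render_home(); ?>",
        "config.php": b"<?php $db = 'localhost';\n@eval($_POST['x']);\n",   # injected line
        "shell.php": b"<?php system($_GET['cmd']); ?>",
        "cache.php": b"<?php eval(base64_decode('" + base64.b64encode(payload) + b"')); ?>",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    old = deployed_at - 60
    os.utime(os.path.join(root, "index.php"), (old, old))   # untouched since deployment
    files = {n: scan_file(os.path.join(root, n), manifest, deployed_at) for n in samples}
    log_lines = [                                     # constructed, Apache combined format
        '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123',
        '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 211',
        '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /cache.php HTTP/1.1" 200 1502',
    ]
    return files, scan_log(log_lines, manifest)


if __name__ == "__main__":
    file_findings, log_alerts = demo()
    for name, found in file_findings.items():
        print(f"{name:12} {found or 'clean'}")
    for alert in log_alerts:
        print("LOG ", alert)
```

Run it as-is to see the four files triaged and the three log alerts. Against a real server, replace the constructed manifest with the file list from your deployment pipeline and feed it the access log; a single hit on a file in the manifest with an unchanged timestamp is usually noise, while an unknown script that is also referenced in the log with a command-style parameter is the pattern worth pulling the file for.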

 

How can I prevent web shell attacks on my web server?

A web shell is usually installed by exploiting a vulnerability in the web application, so addressing those vulnerabilities is the main way to avoid a compromised web server.

The following security best practices help prevent a web shell from being planted

1)  Regularly patch and update the application, its third-party dependencies and the host operating system for known vulnerabilities.

2)  Harden the server: close ports and disable services that are not in use, and run the web server and application under a low-privilege account.

3)  Never use default passwords; enforce a password change policy.

4)  Disable directory browsing on the web server.

5)  Validate user input in the application to limit local and remote file inclusion, and validate uploads: allow-list extensions and check content, give each file a server-generated name, store it outside the web root, and make sure no script interpreter is mapped to the upload directory.

6)  Run frequent vulnerability scans with web security tooling to find areas of risk (this does not protect against zero-day attacks).

7)  Deploy a web application firewall.
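Item 5 is where most web shells are stopped, so here is the weak upload handler beside the corrected one, as an added Python example that is not code from this page or from SiteWALL. It models the upload path described under "How do web shell attacks occur?": the vulnerable function writes a client-named file into the web root, which is exactly how shell.php becomes reachable at /uploads/shell.php?cmd=id, while the hardened function allow-lists extensions, checks the content header against the declared type, gives the file a random name and stores it outside the web root. The extension list, magic bytes, size limit and directory names are assumptions made for the example.

```python
"""Unrestricted upload handler beside a hardened one (added example, not SiteWALL code).

The vulnerable handler keeps the client-supplied file name and writes into the web
root, so an attacker who uploads shell.php can then request
/uploads/shell.php?cmd=id and the interpreter runs it.  The hardened handler
allow-lists extensions, checks that the file header matches the declared type,
gives the file a server-generated name and stores it outside the web root, where
no script interpreter is mapped.  Paths, limits and magic bytes are illustrative.
"""
import os
import secrets
import tempfile

# Extension -> leading bytes (magic) the content must start with.  Constructed list.
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "pdf": b"%PDF-"}
SCRIPT_TAGS = (b"<?php", b"<?=", b"<%", b"#!")   # defence in depth against polyglot files


class UploadRejected(ValueError):
    pass


def vulnerable_save(web_root, client_filename, data):
    """VULNERABLE: trusts the client name, so shell.php lands in the web root as-is."""
    path = os.path.join(web_root, "uploads", client_filename)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def hardened_save(storage_dir, client_filename, data, max_bytes=5 * 1024 * 1024):
    """Validate the upload and store it under a random name outside the web root."""
    if len(data) > max_bytes:
        raise UploadRejected("too large")
    # Strip any directory component, then take only the final extension:
    # "shell.php.png" yields "png" and is still caught by the content check below.
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match declared type")
    if any(tag in data for tag in SCRIPT_TAGS):
        raise UploadRejected("embedded script tag")
    name = f"{secrets.token_hex(16)}.{ext}"       # nothing from the client in the name
    os.makedirs(storage_dir, exist_ok=True)
    fd = os.open(os.path.join(storage_dir, name), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return name   # served later through a download endpoint with a fixed Content-Type


def demo():
    """Run both handlers against constructed uploads; returns a result summary."""
    web_root = tempfile.mkdtemp(prefix="webroot_")
    storage = tempfile.mkdtemp(prefix="storage_")
    shell = b"<?php system($_GET['cmd']); ?>"        # constructed minimal web shell
    png = ALLOWED["png"] + b"\x00" * 64               # constructed PNG-like content
    results = {"vulnerable_path": vulnerable_save(web_root, "shell.php", shell)}
    for name, data in (("shell.php", shell), ("shell.php.png", shell), ("avatar.png", png)):
        try:
            results[name] = hardened_save(storage, name, data)
        except UploadRejected as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} -> {value}")
```

The name returned by hardened_save is the only thing the application should keep; the web server never sees storage_dir, so even a file that slips past the content checks is just bytes served back with a fixed Content-Type, never code the interpreter runs. The double-extension case shows why the extension check alone is not enough and the magic-byte check alone is not enough either.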

 

Does a web application firewall (WAF) protect against web shell attacks?

Web shells target web servers and web applications, so every WAF should in principle detect and block them. In practice not all commercial WAFs ship with web shell detection. Some inspect request traffic for the patterns of a web shell being uploaded or operated, which catches the stages visible on the wire but not a shell that is already on disk and reached through traffic that looks legitimate.

Does SiteWALL detect web shell attacks?

SiteWALL, with its multi-layer protection capability, can detect and prevent web shell attacks on your websites and web applications.

The stages of a web shell attack are as follows:

1)  Scanning the website for vulnerabilities

2)  Exploiting a vulnerability and

a.  uploading a web shell, or injecting code into an existing file

b.  (a web shell can also be uploaded from a compromised web developer's machine)

3)  Executing the web shell and uploading further malware or exfiltrating data.

SiteWALL's multi-layer security modules can detect and prevent each stage of a web shell attack. Using artificial intelligence (AI) and machine learning (ML), SiteWALL detects and blocks vulnerability scans performed against the website. SiteWALL's vulnerability management module keeps you informed of the risk from open vulnerabilities in your web applications. Its virtual patching module protects your web applications against exploits targeting those open vulnerabilities until you patch the server. Its defacement module detects changes to your website and identifies code injected into existing files. Finally, the web shell module detects and blocks a web shell uploaded to your web server, whether by an attacker or by a compromised or malicious insider.

The analytics module joins all these dots and shows you the entire attack life cycle of a web shell attack.
