A web shell is a piece of code that essentially takes over your web server: a simple web-executable file (e.g. an aspx or php file) that contains code allowing remote administration.

It enables the ‘command center’ (typically, a hacker with a browser client) to remotely administer the machine. Infected web servers can be either Internet-facing or internal to the network, where the web shell is used to pivot further to internal hosts.

1. Lateral Propagation – If ANY folder under the web root carries corporate domain user privileges, the EXE gains access to those credentials. Once it has a domain credential, it keeps trying lateral hosts that will let that domain user in, and infects them in the same way when it finds one.

2. DMZ Vulnerabilities – Having a DMZ that is not completely isolated makes the problem worse, since the shell can easily get onto a DMZ server and then find its way to the corporate network.

3. Dormancy Period – The web shell is typically dormant for an extended period of time before someone decides to upload the .exe that does the real damage. The shell is simply used as an upload mechanism for the exe. From then on, it can execute whatever commands the IIS (or web server) process has privileges to execute. This may include system-level commands run from the web root folder itself.

Challenges in controlling it

1. Why not just kill the host? Any host-based mitigation is likely to fail if the attacker already has admin privileges.

2. Why not ‘burn the box’? It is easy to re-compromise a “remediated” environment.

3. Why not trace all activity from the malware? It is difficult to trace all lateral movement: no trace in log files, no trace in event logs.

4. Why not put its signature into a virus definition and let the anti-virus catch it? There are lots of variants, which makes it difficult to nail down a specific signature.

Detection of Web Shells

Because web shells can be very simple and are easy to modify, they can be difficult to detect. Anti-virus products, for example, sometimes produce poor results in detecting them.

Option A – Run your own detection software – A powerful and free (python) utility that diagnoses files and analyzes them for obfuscated web shells is NEOPI. Simply install Python on your Windows system and execute the neopi.py file as follows.

python neopi.py -a c:\inetpub\wwwroot\ "php|txt|aspx|asp|asax"
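To make concrete what a run like the one above is measuring, here is an added example (it is not NeoPI's own code and was not part of the original post) that reimplements three of the statistical tests NeoPI is built on: Shannon entropy, longest word, and index of coincidence. It builds a small fake web root in a temporary directory, scans it with the same extension regex shown in the command above, and ranks the files so the encoded-looking one floats to the top. The directory layout, file names and file contents are constructed for the example; the "suspect" file holds only a random base64-alphabet token that decodes to nothing.

```python
"""Statistical scoring of web-root files in the style of NeoPI's tests.

Added example, not NeoPI's own code. The sample tree, file names and file
contents below are constructed for this demonstration.
"""
import math
import os
import random
import re
import string
import tempfile
from collections import Counter


def shannon_entropy(data: str) -> float:
    """Bits per character. Base64-looking blobs approach the 6-bit ceiling
    of a 64-symbol alphabet; ordinary source code sits well below that."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def longest_word(data: str) -> int:
    """Length of the longest whitespace-delimited token. Encoded payloads
    are usually one enormous token; real code rarely goes past ~100."""
    return max((len(w) for w in data.split()), default=0)


def index_of_coincidence(data: str) -> float:
    """Probability that two characters drawn at random are equal. Text and
    code score comparatively high; uniform 64-symbol data is near 1/64."""
    n = len(data)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(data).values()) / (n * (n - 1))


def score_file(path: str) -> dict:
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        data = fh.read()
    return {"path": path, "entropy": shannon_entropy(data),
            "longest_word": longest_word(data), "ic": index_of_coincidence(data)}


def scan(root: str, ext_regex: str) -> list:
    """Walk root and score files whose extension matches ext_regex
    (same shape as NeoPI's "php|txt|aspx|asp|asax" argument)."""
    pat = re.compile(rf"\.({ext_regex})$", re.IGNORECASE)
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if pat.search(name):
                results.append(score_file(os.path.join(dirpath, name)))
    return results


def rank(results: list, key: str) -> list:
    """Most suspicious first: high entropy / long word, or LOW index of
    coincidence, so the sort direction flips for "ic"."""
    return sorted(results, key=lambda r: r[key], reverse=(key != "ic"))


# --- constructed samples -------------------------------------------------
BENIGN_PHP = """<?php
// Constructed sample: an ordinary page that greets the visitor by name.
$name = htmlspecialchars($_GET['name'] ?? 'visitor', ENT_QUOTES, 'UTF-8');
$items = ['home', 'about', 'contact'];
echo '<h1>Hello, ' . $name . '</h1>';
foreach ($items as $item) {
    echo '<a href="/' . $item . '">' . ucfirst($item) . '</a>';
}
?>
"""


def constructed_blob(seed: int = 1, length: int = 2000) -> str:
    """Deterministic random base64-alphabet token. It encodes nothing; it
    only imitates the statistics of an encoded payload."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits + "+/"
    return "".join(rng.choice(alphabet) for _ in range(length))


SUSPECT_PHP = ("<?php\n// Constructed sample: a single long encoded-looking token.\n"
               "$blob = '" + constructed_blob() + "';\n?>\n")


def build_sample_tree(root: str) -> None:
    """Write the constructed files under a fake wwwroot."""
    os.makedirs(os.path.join(root, "uploads"), exist_ok=True)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(BENIGN_PHP)
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("Constructed sample: deployment notes for the site.\n" * 8)
    with open(os.path.join(root, "uploads", "cache.php"), "w") as fh:
        fh.write(SUSPECT_PHP)
    with open(os.path.join(root, "uploads", "photo.jpg"), "wb") as fh:
        fh.write(bytes(range(256)))  # not matched by the extension filter


def run_demo(key: str = "entropy") -> list:
    """Build the tree in a temp dir, scan it with the post's extension
    list, and return the results ranked by `key`."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return rank(scan(root, "php|txt|aspx|asp|asax"), key)


if __name__ == "__main__":
    for r in run_demo():
        print(f"{r['entropy']:.2f}  {r['longest_word']:5d}  {r['ic']:.3f}  {r['path']}")
```

Each test on its own produces false positives (minified JavaScript and legitimate embedded base64 images also score high), which is why a tool like NeoPI prints several rankings side by side and leaves the final call to the reviewer; a file that tops more than one list is the one worth opening first.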

Option B – Online Submission – If you suspect a malicious web shell in your web app, you can upload it to shelldetector.com to have them analyze it.

ShellDetector.com has a php/python script that helps you find and identify php/cgi(perl)/asp/aspx shells.

Summary

Web shells can be difficult to detect, and they can cause unlimited damage to your system and even to laterally connected systems.

http://resources.infosecinstitute.com/web-shell-detection/

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.


Anuj Varma, Hands-On Technology Architect, Clean Air Activist.