Web shell

Last updated September 10, 2024

A web shell is a shell-like interface that enables a web server to be remotely accessed, often for the purposes of cyberattacks.^[1] A web shell is unique in that a web browser is used to interact with it.^[2]^[3]

General usage

Web shells are used in attacks mostly because they are multi-purpose and difficult to detect.^[4] They are commonly used for:

Data theft ^[4]
Infecting website visitors (watering hole attacks)^[5]
Website defacement by modifying files with a malicious intent
Launch distributed denial-of-service (DDoS) attacks^[2]
To relay commands inside the network which is inaccessible over the Internet^[2]
To use as command and control base, for example as a bot in a botnet system or in way to compromise the security of additional external networks.^[2]

Web shells give hackers the ability to steal information, corrupt data, and upload malwares that are more damaging to a system. The issue increasingly escalates when hackers employ compromised servers to infiltrate a system and jeopardize additional machines. Web shells are also a way that malicious individuals target a variety of industries, including government, financial, and defense through cyber espionage. One of the very well known web shells used in this manner is known as “China Chopper.”^[6]

Delivery of web shells

Web shells are installed through vulnerabilities in web application or weak server security configuration including the following:^[2]^[4]

SQL injection;
Vulnerabilities in applications and services (e.g. web server software such as NGINX or content management system applications such as WordPress);^[7]^[8]
File processing and uploading vulnerabilities, which can be mitigated by e.g. limiting the file types that can be uploaded;^[8]
Remote file inclusion (RFI) and local file inclusion (LFI) vulnerabilities;
Remote code execution;
Exposed administration interfaces;^[2]

An attacker may also modify (spoof) the Content-Type header to be sent by the attacker in a file upload to bypass improper file validation (validation using MIME type sent by the client), which will result in a successful upload of the attacker's shell.

Example

The following is a simple example of a web shell written in PHP that executes and outputs the result of a shell command:

<?=`$_GET[x]`?>

Assuming the filename is example.php, an example that would output the contents of the /etc/passwd file is shown below:

https://example.com/example.php?x=cat%20%2Fetc%2Fpasswd

The above request will take the value of the x parameter of the query string, sending the following shell command:

cat/etc/passwd

This could have been prevented if the shell functions of PHP were disabled so that arbitrary shell commands cannot be executed from PHP.

Prevention and mitigation

A web shell is usually installed by taking advantage of vulnerabilities present in the web server's software. That is why removal of these vulnerabilities is important to avoid the potential risk of a compromised web server.

The following are security measures for preventing the installation of a web shell:^[2]^[3]

Regularly update the applications and the host server's operating system to ensure immunity from known bugs
Deploying a demilitarized zone (DMZ) between the web facing servers and the internal networks
Secure configuration of the web server^[2]
Closing or blocking ports and services which are not used^[2]
Using user input data validation to limit local and remote file inclusion vulnerabilities ^[2]
Use a reverse proxy service to restrict the administrative URL's to known legitimate ones^[2]
Frequent vulnerability scan to detect areas of risk and conduct regular scans using web security software (this does not prevent zero day attacks ^[2])
Deploy a firewall ^[2]
Disable directory browsing^{[ citation needed ]}
Not using default passwords^[2]

Detection

Web shells can be easily modified, so it's not easy to detect web shells and antivirus software are often not able to detect web shells.^[2]^[9]

The following are common indicators that a web shell is present on a web server:^[2]^[3]

Abnormal high web server usage (due to heavy downloading and uploading by the attacker);^[2]^[9]
Files with an abnormal timestamp (e.g. newer than the last modification date);^[9]
Unknown files in a web server;
Files having dubious references, for example, cmd.exe or eval ;
Unknown connections in the logs of web server

For example, a file generating suspicious traffic (e.g. a PNG file requesting with POST parameters).^[2]^[10]^[11]^[12] Dubious logins from DMZ servers to internal sub-nets and vice versa.^[2]

Web shells may also contain a login form, which is often disguised as an error page.^[2]^[13]^[14]^[15]

Using web shells, adversaries can modify the .htaccess file (on servers running the Apache HTTP Server software) on web servers to redirect search engine requests to the web page with malware or spam. Often web shells detect the user-agent and the content presented to the search engine spider is different from that presented to the user's browser. To find a web shell a user-agent change of the crawler bot is usually required. Once the web shell is identified, it can be deleted easily.^[2]

Analyzing the web server's log could specify the exact location of the web shell. Legitimate users/visitor usually have different user-agents and referers, on the other hand, a web shell is usually only visited by the attacker, therefore have very few variants of user-agent strings.^[2]

Related Research Articles

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.

In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. The range of attacks varies widely, spanning from inundating a server with millions of requests to slow its performance, overwhelming a server with a substantial amount of invalid data, to submitting requests with an illegitimate IP address.

A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, embedded device, or its embodiment. Backdoors are most often used for securing remote access to a computer, or obtaining access to plaintext in cryptosystems. From there it may be used to gain access to privileged information like passwords, corrupt or delete data on hard drives, or transfer information within autoschediastic networks.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

The Berkeley r-commands are a suite of computer programs designed to enable users of one Unix system to log in or issue commands to another Unix computer via TCP/IP computer network. The r-commands were developed in 1982 by the Computer Systems Research Group at the University of California, Berkeley, based on an early implementation of TCP/IP.

Code injection is a class of computer security exploits in which a vulnerable computer program is tricked into misinterpreting external data as part of its code. An attacker thereby "injects" code into the program and changes the course of its execution. The result of successful code injection can be disastrous, for example, by allowing computer viruses or computer worms to propagate.

Crimeware is a class of malware designed specifically to automate cybercrime.

Session poisoning is a method to exploit insufficient input validation within a server application. Typically a server application that is vulnerable to this type of exploit will copy user input into session variables.

On Internet usage, an email bomb is a form of net abuse that sends large volumes of email to an address to overflow the mailbox, overwhelm the server where the email address is hosted in a denial-of-service attack or as a smoke screen to distract the attention from important email messages indicating a security breach.

A file inclusion vulnerability is a type of web vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time. A file include vulnerability is distinct from a generic directory traversal attack, in that directory traversal is a way of gaining unauthorized file system access, and a file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file inclusion vulnerability will result in remote code execution on the web server that runs the affected web application. An attacker can use remote code execution to create a web shell on the web server, which can be used for website defacement.

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites such as Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.

Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities that are commonly exploited in all browsers.

XcodeGhost are modified versions of Apple's Xcode development environment that are considered malware. The software first gained widespread attention in September 2015, when a number of apps originating from China harbored the malicious code. It was thought to be the "first large-scale attack on Apple's App Store", according to the BBC. The problems were first identified by researchers at Alibaba, a leading e-commerce firm in China. Over 4000 apps are infected, according to FireEye, far more than the 25 initially acknowledged by Apple, including apps from authors outside China.

Mirai is malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a white hat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs' website, an attack on French web host OVH, and the October 2016 DDoS attacks on Dyn. According to a chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki.

Numbered Panda is a cyber espionage group believed to be linked with the Chinese military. The group typically targets organizations in East Asia. These organizations include, but are not limited to, media outlets, high-tech companies, and governments. Numbered Panda is believed to have been operating since 2009. However, the group is also credited with a 2012 data breach at the New York Times. One of the group's typical techniques is to send PDF files loaded with malware via spear phishing campaigns. The decoy documents are typically written in traditional Chinese, which is widely used in Taiwan, and the targets are largely associated with Taiwanese interests. Numbered Panda appears to be actively seeking out cybersecurity research relating to the malware they use. After an Arbor Networks report on the group, FireEye noticed a change in the group's techniques to avoid future detection.

China Chopper is a web shell approximately 4 kilobytes in size, first discovered in 2012. This web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely control web servers. This web shell has two parts, the client interface and the receiver host file on the compromised web server.

A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).

References

1 2 "How can web shells be used to exploit security tools and servers?". SearchSecurity. Archived from the original on 2019-03-28. Retrieved 2018-12-21.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 US Department of Homeland Security (9 August 2017). "Web Shells – Threat Awareness and Guidance". www.us-cert.gov. Archived from the original on 13 January 2019. Retrieved 20 December 2018. This article incorporates text from this source, which is in the public domain .
1 2 3 4 admin (3 August 2017). "What is a Web shell?". malware.expert. Archived from the original on 13 January 2019. Retrieved 20 December 2018.
1 2 3 "Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors – US-CERT". www.us-cert.gov. 16 March 2018. Archived from the original on 20 December 2018. Retrieved 20 December 2018.
↑ co-organizer, Makis MourelatosWordPress Security Engineer at FixMyWPWC Athens 2016; Support, W. P.; Aficionado, Security; Kitesurfer, Wannabe (16 October 2017). "The Definitive Guide about Backdoor Attacks - What are WebShell BackDoors". fixmywp.com. Archived from the original on 13 January 2019. Retrieved 20 December 2018.{{cite web}}: CS1 maint: numeric names: authors list (link)
↑ Hannousse, Abdelhakim; Yahiouche, Salima (2021-09-01). "Handling webshell attacks: A systematic mapping and survey". Computers & Security. 108: 102366. doi:10.1016/j.cose.2021.102366. ISSN 0167-4048.
↑ "Got WordPress? PHP C99 Webshell Attacks Increasing". 14 April 2016. Archived from the original on 29 December 2018. Retrieved 21 December 2018.
1 2 "Equifax breach was 'entirely preventable' had it used basic security measures, says House report". 10 December 2018. Archived from the original on 20 December 2018. Retrieved 21 December 2018.
1 2 3 "Breaking Down the China Chopper Web Shell - Part I « Breaking Down the China Chopper Web Shell - Part I". FireEye. Archived from the original on 13 January 2019. Retrieved 20 December 2018.
↑ "Intrusion Detection and Prevention Systems". Archived from the original on 2019-01-13. Retrieved 2018-12-22.
↑ LightCyber, Kasey Cross, Senior Product Manager (16 June 2016). "Five signs an attacker is already in your network". Network World. Archived from the original on 13 January 2019. Retrieved 22 December 2018.{{cite web}}: CS1 maint: multiple names: authors list (link)
↑ "Traffic Analysis for Network Security: Two Approaches for Going Beyond Network Flow Data". 15 September 2016. Archived from the original on 2016-11-14. Retrieved 2018-12-22.
↑ "Hackers Hiding Web Shell Logins in Fake HTTP Error Pages". BleepingComputer. Archived from the original on 26 July 2018. Retrieved 21 December 2018.
↑ "Hackers Hiding Web Shell Logins in Fake HTTP Error Pages". ThreatRavens. 24 July 2018. Archived from the original on 13 January 2019. Retrieved 17 February 2019.
↑ "Hackers Hiding Web Shell Logins in Fake HTTP Error Pages". cyware.com. Archived from the original on 13 January 2019. Retrieved 22 December 2018.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[techtarget.com-1] 1 2 "How can web shells be used to exploit security tools and servers?". SearchSecurity. Archived from the original on 2019-03-28. Retrieved 2018-12-21.

[us-cert.gov-2] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 US Department of Homeland Security (9 August 2017). "Web Shells – Threat Awareness and Guidance". www.us-cert.gov. Archived from the original on 13 January 2019. Retrieved 20 December 2018. This article incorporates text from this source, which is in the public domain .

[auto-3] 1 2 3 4 admin (3 August 2017). "What is a Web shell?". malware.expert. Archived from the original on 13 January 2019. Retrieved 20 December 2018.

[us-cert.gov1-4] 1 2 3 "Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors – US-CERT". www.us-cert.gov. 16 March 2018. Archived from the original on 20 December 2018. Retrieved 20 December 2018.

[5] -organizer, Makis MourelatosWordPress Security Engineer at FixMyWPWC Athens 2016; Support, W. P.; Aficionado, Security; Kitesurfer, Wannabe (16 October 2017). "The Definitive Guide about Backdoor Attacks - What are WebShell BackDoors". fixmywp.com. Archived from the original on 13 January 2019. Retrieved 20 December 2018.{{cite web}}: CS1 maint: numeric names: authors list (link)

[6] Hannousse, Abdelhakim; Yahiouche, Salima (2021-09-01). "Handling webshell attacks: A systematic mapping and survey". Computers & Security. 108: 102366. doi:10.1016/j.cose.2021.102366. ISSN 0167-4048.

[7] "Got WordPress? PHP C99 Webshell Attacks Increasing". 14 April 2016. Archived from the original on 29 December 2018. Retrieved 21 December 2018.

[techcrunch.com-8] 1 2 "Equifax breach was 'entirely preventable' had it used basic security measures, says House report". 10 December 2018. Archived from the original on 20 December 2018. Retrieved 21 December 2018.

[fireeye.com-9] 1 2 3 "Breaking Down the China Chopper Web Shell - Part I « Breaking Down the China Chopper Web Shell - Part I". FireEye. Archived from the original on 13 January 2019. Retrieved 20 December 2018.

[10] "Intrusion Detection and Prevention Systems". Archived from the original on 2019-01-13. Retrieved 2018-12-22.

[11] LightCyber, Kasey Cross, Senior Product Manager (16 June 2016). "Five signs an attacker is already in your network". Network World. Archived from the original on 13 January 2019. Retrieved 22 December 2018.{{cite web}}: CS1 maint: multiple names: authors list (link)

[12] "Traffic Analysis for Network Security: Two Approaches for Going Beyond Network Flow Data". 15 September 2016. Archived from the original on 2016-11-14. Retrieved 2018-12-22.

[13] "Hackers Hiding Web Shell Logins in Fake HTTP Error Pages". BleepingComputer. Archived from the original on 26 July 2018. Retrieved 21 December 2018.

[14] "Hackers Hiding Web Shell Logins in Fake HTTP Error Pages". ThreatRavens. 24 July 2018. Archived from the original on 13 January 2019. Retrieved 17 February 2019.

[15] "Hackers Hiding Web Shell Logins in Fake HTTP Error Pages". cyware.com. Archived from the original on 13 January 2019. Retrieved 22 December 2018.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

v t e Information security
Related security categories	Computer security Automotive security Cybercrime Cybersex trafficking Computer fraud Cybergeddon Cyberterrorism Cyberwarfare Electromagnetic warfare Information warfare Internet security Mobile security Network security Copy protection Digital rights management	vectorial version
Threats	Adware Advanced persistent threat Arbitrary code execution Backdoors Bombs Fork Logic Time Zip Hardware backdoors Code injection Crimeware Cross-site scripting Cross-site leaks DOM clobbering History sniffing Cryptojacking Botnets Data breach Drive-by download Browser Helper Objects Viruses Data scraping Denial-of-service attack Eavesdropping Email fraud Email spoofing Exploits Fraudulent dialers Hacktivism Infostealer Insecure direct object reference Keystroke loggers Malware Payload Phishing Voice Polymorphic engine Privilege escalation Ransomware Rootkits Scareware Shellcode Spamming Social engineering Spyware Software bugs Trojan horses Hardware Trojans Remote access trojans Vulnerability Web shells Wiper Worms SQL injection Rogue security software Zombie
Defenses	Application security Secure coding Secure by default Secure by design Misuse case Computer access control Authentication Multi-factor authentication Authorization Computer security software Antivirus software Security-focused operating system Data-centric security Obfuscation (software) Data masking Encryption Firewall Intrusion detection system Host-based intrusion detection system (HIDS) Anomaly detection Information security management Information risk management Security information and event management (SIEM) Runtime application self-protection Site isolation

v t e Malware topics
Infectious malware	Comparison of computer viruses Computer virus Computer worm List of computer worms Timeline of computer viruses and worms
Concealment	Backdoor Clickjacking Man-in-the-browser Man-in-the-middle Rootkit Trojan horse Zombie computer
Malware for profit	Adware Botnet Crimeware Fleeceware Form grabbing Fraudulent dialer Infostealer Keystroke logging Malbot Privacy-invasive software Ransomware Rogue security software Scareware Spyware Web threats
By operating system	Android malware Classic Mac OS viruses iOS malware Linux malware MacOS malware Macro virus Mobile malware Palm OS viruses HyperCard viruses
Protection	Anti-keylogger Antivirus software Browser security Data loss prevention software Defensive computing Firewall Internet security Intrusion detection system Mobile security Network security
Countermeasures	Computer and network surveillance Honeypot Operation: Bot Roast