TA15-314A: Compromised Web Servers and Web Shells – Threat Awareness and Guidance

Web Shell Description

A web shell is a script that can be uploaded to a web server to enable remote administration of the machine. Infected web servers can be either Internet-facing or internal to the network, where the web shell is used to pivot further to internal hosts.

A web shell can be written in any language that the target web server supports. The most commonly observed web shells are written in languages that are widely supported, such as PHP and ASP. Perl, Ruby, Python, and Unix shell scripts are also used.

Using network reconnaissance tools, an adversary can identify vulnerabilities that can be exploited and result in the installation of a web shell. For example, these vulnerabilities can exist in content management systems (CMS) or web server software.

Once successfully uploaded, an adversary can use the web shell to leverage other exploitation techniques to escalate privileges and to issue commands remotely. These commands are directly linked to the privilege and functionality available to the web server and may include the ability to add, delete, and execute files as well as the ability to run shell commands, further executables, or scripts.

How and why are they used by malicious adversaries?

Web shells are frequently used in compromises due to the combination of remote access and functionality. Even simple web shells can have a considerable impact and often maintain minimal presence.

Web shells are utilized for the following purposes:

  1. To harvest and exfiltrate sensitive data and credentials;
  2. To upload additional malware for the potential of creating, for example, a watering hole for infection and scanning of further victims;
  3. To use as a relay point to issue commands to hosts inside the network without direct Internet access;
  4. To use as command-and-control infrastructure, potentially in the form of a bot in a botnet or in support of compromises to additional external networks. This could occur if the adversary intends to maintain long-term persistence.

While a web shell itself would not normally be used for denial of service (DoS) attacks, it can act as a platform for uploading further tools, including DoS capability.

Examples

Web shells such as China Chopper, WSO, C99 and B374K are frequently chosen by adversaries; however these are just a small number of known used web shells. (Further information linking to IOCs and SNORT rules can be found in the Additional Resources section).

  • China Chopper A small web shell packed with features. Has several command and control features including a password brute force capability.
  • WSO Stands for “web shell by orb” and has the ability to masquerade as an error page containing a hidden login form.
  • C99 A version of the WSO shell with additional functionality. Can display the server’s security measures and contains a self-delete function.
  • B374K PHP based web shell with common functionality such as viewing processes and executing commands.

Delivery Tactics

Web shells can be delivered through a number of web application exploits or configuration weaknesses including:

  • Cross-Site Scripting;
  • SQL Injection;
  • Vulnerabilities in applications/services  (e.g., WordPress or other CMS applications);
  • File processing vulnerabilities (e.g., upload filtering or assigned permissions);
  • Remote File Include (RFI) and Local File Include (LFI) vulnerabilities;
  • Exposed Admin Interfaces (possible areas to find vulnerabilities mentioned above).

The above tactics can be and are combined regularly. For example, an exposed admin interface also requires a file upload option, or another exploit method mentioned above, to deliver successfully.