# Discovering the Web Shell

## **Discovering and Mitigating Web Shells in Web Servers**

Web shells are one of the most common post-exploitation tools attackers use to maintain backdoor access. They allow remote command execution, file manipulation, and other malicious activities. Here's how to effectively discover, analyze, and mitigate web shells.

***

## **1. Identifying Web Shells**

**Common Functions in PHP Web Shells**

Web shells often utilize specific PHP functions to execute commands or manipulate the server environment. These include:

* **Command Execution**:\
  `system()`, `shell_exec()`, `exec()`, `passthru()`, `popen()`
* **Dynamic Code Execution**:\
  `eval()`, `assert()`, `preg_replace()` (with the `/e` modifier, removed in PHP 7), `include()`, `require()`
* **Encoding and Decoding**:\
  `base64_decode()`, `str_rot13()`, `gzuncompress()`, `edoced_46esab` (reverse of `base64_decode`)
* **File Manipulation**:\
  `fopen()`, `fwrite()`, `fread()`, `unlink()`
* **System Information**:\
  `php_uname()`, `getenv()`

**Scanning for Web Shells Using grep**

To scan for files containing suspicious functions:

```bash
grep -RPn "(system|shell_exec|eval|passthru|base64_decode|exec|assert|php_uname) *\(" /var/www
```

***

## **2. Shell Hiding Techniques and Detection**

Attackers employ various techniques to hide their web shells.

**a. Remote Summoning**

Only a small loader is stored on disk; at request time it fetches the actual payload from a remote server, so the file itself contains few of the telltale functions listed above.

* **Detection**: Look for functions fetching remote content. `-E` is required here, otherwise `(`, `|` and `)` are matched literally and the search finds nothing:

  ```bash
  grep -REn "(file_get_contents|curl_exec|include|require)" /var/www
  ```

**b. Encrypted or Obfuscated Shells**

Web shells may be encoded in base64 or use obfuscation techniques.

* **Detection**:

  ```bash
  grep -Rn "base64_decode *(" /var/www
  grep -Rn "edoced_46esab" /var/www
  ```

**c. Hidden in Images (EXIF Data)**

Malicious code is stored in image metadata, where it survives upload checks that only look at the file type, and is executed when server-side code reads the metadata and evaluates it, or when the image is included as PHP.

* **Example**:\
  The attacker adds a PHP shell in the `Comment` field of an image:

  ```bash
  exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg
  ```
* **Detection**: Search for image metadata parsing in the application code (again with `-E`, so the alternation is interpreted), and review the metadata of images in upload directories for `<?php`:

  ```bash
  grep -REn "(exif_read_data|preg_replace)" /var/www
  ```
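The greps in sections 1 and 2 each answer one question. As an added example (not code from the original page), the script below ranks the `.php` files under a directory by how many indicators from both sections they contain, deriving the reversed-name pattern from the same function list it uses for direct calls so the two cannot drift apart. The names `scan_webshells` and `reversed_funcs` are hypothetical; it assumes GNU grep plus `rev` and `paste`.

```shell
#!/bin/sh
# Added example, not code from the original page: rank PHP files under a
# directory by how many web-shell indicators they contain, covering both the
# plain suspicious calls of section 1 and the reversed-name / base64-blob
# obfuscation of section 2. Assumes GNU grep (-R, -E, -c, -w), rev and paste.

# Functions worth a second look when they appear in web content.
SUSPECT_FUNCS='system|shell_exec|exec|passthru|popen|eval|assert|base64_decode|str_rot13|gzuncompress|php_uname'

# Build the reversed spellings (edoced_46esab style) from the same list.
reversed_funcs() {
    printf '%s\n' "$SUSPECT_FUNCS" | tr '|' '\n' | rev | paste -s -d '|' -
}

# Print "hits<TAB>path" for every .php file with at least one indicator,
# highest count first. Counts are matching lines, so this is a triage
# ranking, not a verdict: long API keys or a legitimate strrev() also score.
scan_webshells() {
    dir="$1"
    rev_pat=$(reversed_funcs)
    find "$dir" -type f -name '*.php' | while IFS= read -r f; do
        # direct calls: name, optional spaces, opening parenthesis
        direct=$(grep -Ec "($SUSPECT_FUNCS) *\(" "$f" || true)
        # reversed names as whole words, or strrev() used to rebuild one
        rever=$(grep -Ewc "($rev_pat)|strrev *\(" "$f" || true)
        # quoted literals of 40+ base64-alphabet characters
        blob=$(grep -Ec "['\"][A-Za-z0-9+/]{40,}={0,2}['\"]" "$f" || true)
        hits=$((direct + rever + blob))
        if [ "$hits" -gt 0 ]; then
            printf '%s\t%s\n' "$hits" "$f"
        fi
    done | sort -rn
}

# Usage: scan_webshells /var/www
```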

***

## **3. Log Analysis for Web Shell Detection**

Web shells often leave traces in access logs when accessed by the attacker.

**Filter Log Entries for Suspicious Access**

* Search for web shell access:

  ```bash
  grep "cmd=" /var/log/apache2/access.log
  grep "shell.php" /var/log/nginx/access.log
  ```
* Identify unusual file uploads or executions:

  ```bash
  grep "POST" /var/log/apache2/access.log
  ```

**Example Log Entries:**

```plaintext
192.168.1.10 - - [12/Nov/2024:12:34:56 +0000] "GET /shell.php?cmd=whoami HTTP/1.1" 200 452
192.168.1.10 - - [12/Nov/2024:12:35:02 +0000] "POST /upload.php HTTP/1.1" 200 512
```
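The greps above look at one line at a time. As an added example (not from the original page), the function below correlates lines of the combined log format shown in the entries above: it flags command-style query parameters, and a client that sends a POST and is then the first in the whole log to request some `.php` path (upload, then call the dropped file). The name `flag_webshell_requests` is hypothetical; it assumes POSIX awk and the field layout of the example entries (client IP in field 1, method in field 6, request target in field 7).

```shell
#!/bin/sh
# Added example, not from the original page: correlate access-log lines for
# two web-shell signals a single grep cannot express. Assumes the combined
# log format shown above and POSIX awk.
flag_webshell_requests() {
    awk '
    {
        ip = $1; method = substr($6, 2); req = $7
        n = split(req, part, "[?]"); path = part[1]; qs = (n > 1) ? part[2] : ""
        # Signal 1: a command-style parameter in the query string
        if (qs ~ /(^|&)(cmd|exec|command|c|x)=/) {
            print "CMD-PARAM", ip, req
        }
        # Signal 2: a POST, then the same client is the first in the log to
        # request a .php path nobody asked for before
        if (method == "POST") { posted[ip] = NR }
        if (path ~ /\.php$/ && !(path in seen)) {
            seen[path] = NR
            if ((ip in posted) && posted[ip] < NR) {
                print "NEW-PHP-AFTER-POST", ip, path
            }
        }
    }' "$1"
}

# Usage: flag_webshell_requests /var/log/apache2/access.log
```

Because the second signal treats every path's first appearance as new, run it over a log that starts before the suspected compromise window, or pre-seed `seen` with the application's known paths.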

***

## **4. Mitigation and Protection**

Once a web shell is identified, it is critical to act swiftly to remove it and secure the server.

**a. Eradication**

1. **Delete the Web Shell** (after preserving a copy, its hash, and its timestamps for the investigation):

   ```bash
   rm /path/to/shell.php
   ```
2. **Restore from Backup** (if available, and only from a point known to predate the compromise).

**b. Secure Server Configuration**

1. **Disable Dangerous Functions in `php.ini`**:

   ```ini
   ; eval is a language construct, not a function, so it cannot be listed here
   disable_functions = system,shell_exec,exec,passthru,popen,proc_open,assert
   ```

   This prevents the execution of high-risk functions. `eval()` is not covered by `disable_functions`, so it still has to be found by scanning and code review.
2. **Apply Permissions**: Restrict permissions on upload directories, and make sure the web server never passes files stored there to the PHP interpreter; mode bits alone do not stop PHP from running a file it can read:

   ```bash
   chmod -R 750 /var/www/uploads
   ```
3. **Regular Updates**: Keep web applications, libraries, and server software up to date to avoid vulnerabilities.

**c. File Integrity Monitoring**

1. **Use File Monitoring Tools**: Tools like **Tripwire** or **AIDE** can detect unauthorized changes.
2. **Set Up Hash Checks**: Maintain a list of file hashes and periodically compare. Note that `sha256sum -c` only verifies files already in the list and the glob covers only the top-level directory, so a file dropped elsewhere, or added after the baseline was taken, is never reported:

   ```bash
   sha256sum /var/www/*.php > baseline.txt
   sha256sum -c baseline.txt
   ```
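A baseline that also catches new files, as an added example (not code from the original page): it hashes every regular file below the web root and, on verification, reports modified and missing files from `sha256sum -c` plus any file present on disk that the baseline never listed. The names `fim_baseline` and `fim_check` and the `/var/lib/fim` path are hypothetical; it assumes GNU coreutils (`sha256sum --quiet`, `find`, `sort`, `grep`, `sed`).

```shell
#!/bin/sh
# Added example, not code from the original page: baseline a web root and
# later report MODIFIED, MISSING and NEW files. sha256sum -c alone only
# checks files already listed, so a freshly dropped shell would never show
# up. Assumes GNU coreutils (sha256sum --quiet, find, sort, grep, sed).

# Hash every regular file below DIR (not only top-level *.php) into BASELINE.
fim_baseline() {
    dir="$1"; baseline="$2"
    find "$dir" -type f -exec sha256sum {} + | sort -k 2 > "$baseline"
}

# Compare DIR with BASELINE; print one "KIND path" line per finding.
fim_check() {
    dir="$1"; baseline="$2"
    # 1. Changed and deleted files: sha256sum -c prints "path: FAILED" or
    #    "path: FAILED open or read" (OK lines are suppressed by --quiet).
    sha256sum -c --quiet "$baseline" 2>/dev/null | while IFS= read -r line; do
        case "$line" in
            *': FAILED open or read') printf 'MISSING %s\n' "${line%: FAILED open or read}" ;;
            *': FAILED')              printf 'MODIFIED %s\n' "${line%: FAILED}" ;;
        esac
    done
    # 2. Files that exist now but were never hashed: the gap -c leaves open.
    known=$(mktemp)
    sed 's/^[0-9a-f]\{64\}  //' "$baseline" > "$known"
    find "$dir" -type f | grep -vxF -f "$known" | sed 's/^/NEW /'
    rm -f "$known"
}

# Usage: fim_baseline /var/www /var/lib/fim/baseline.txt   (after a clean deploy)
#        fim_check    /var/www /var/lib/fim/baseline.txt   (periodically, e.g. from cron)
```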

**d. Web Application Firewall (WAF)**

Deploy a WAF to block malicious requests, such as those targeting known web shell patterns.

**e. Network Security**

* **Monitor Outbound Traffic**: Identify unusual connections from the server to external IPs. Note that `-l` lists only listening sockets, so it must be left out to see established connections:

  ```bash
  netstat -tunp | grep ESTABLISHED
  ```

***

## **5. Example Case: Real-World Detection**

**Scenario:**

An e-commerce website's server is suspected of hosting a web shell.

1. **Initial Detection**:
   * Analyze access logs:

     ```bash
     grep "shell.php" /var/log/apache2/access.log
     ```
   * Identify encoded requests:

     ```bash
     echo "ZWNobyAnc2hlbGwgc2NyaXB0IGxvZ2dlZCc=" | base64 --decode
     ```
2. **Remediation**:
   * Remove the shell:

     ```bash
     rm /var/www/html/shell.php
     ```
   * Disable uploads in vulnerable directories:

     ```bash
     chmod -R 750 /var/www/uploads
     ```
3. **Hardening**:
   * Enable strict Content Security Policies (CSP).
   * Implement a WAF and actively monitor all incoming traffic.

***

## **Key Points**

Web shells are a serious threat: they give attackers persistent access to compromised servers. By combining proactive scanning, log analysis, and secure configuration, organizations can detect and remove these backdoors and limit the risk of further exploitation.
