Discovering the Web Shell

Discovering and Mitigating Web Shells in Web Servers

Web shells are one of the most common post-exploitation tools attackers use to maintain backdoor access. They allow remote command execution, file manipulation, and other malicious activities. Here's how to effectively discover, analyze, and mitigate web shells.


1. Identifying Web Shells

Common Functions in PHP Web Shells

Web shells often utilize specific PHP functions to execute commands or manipulate the server environment. These include:

  • Command Execution: system(), shell_exec(), exec(), passthru(), popen()

  • Dynamic Code Execution: eval(), assert(), preg_replace() (with the /e modifier, removed in PHP 7), include(), require()

  • Encoding and Decoding: base64_decode(), str_rot13(), gzuncompress(), edoced_46esab (reverse of base64_decode)

  • File Manipulation: fopen(), fwrite(), fread(), unlink()

  • System Information: php_uname(), getenv()

Scanning for Web Shells Using grep

To scan for files containing suspicious functions:

grep -RPn "(system|shell_exec|eval|passthru|base64_decode|exec|assert|php_uname) *\(" /var/www

2. Shell Hiding Techniques and Detection

Attackers employ various techniques to hide their web shells.

a. Remote Summoning

The web shell fetches its malicious payload from a remote server.

  • Detection: Look for functions fetching remote content:

    grep -REn "(file_get_contents|curl_exec|include|require)" /var/www

b. Encrypted or Obfuscated Shells

Web shells may be encoded in base64 or use obfuscation techniques.

  • Detection:

    grep -Rn "base64_decode *(" /var/www
    grep -Rn "edoced_46esab" /var/www

c. Hidden in Images (EXIF Data)

Malicious code is stored in image metadata and executed by the server.

  • Example: The attacker adds a PHP shell in the Comment field of an image:

    exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg

  • Detection: The image itself is inert; it only becomes a shell when server-side code reads the metadata and evaluates it, so search for code that parses image metadata:

    grep -REn "(exif_read_data|preg_replace)" /var/www

3. Log Analysis for Web Shell Detection

Web shells often leave traces in access logs when accessed by the attacker.

Filter Log Entries for Suspicious Access

  • Search for web shell access:

    grep "cmd=" /var/log/apache2/access.log
    grep "shell.php" /var/log/nginx/access.log

  • Identify unusual file uploads or executions:

    grep "POST" /var/log/apache2/access.log

Example Log Entries:

192.168.1.10 - - [12/Nov/2024:12:34:56 +0000] "GET /shell.php?cmd=whoami HTTP/1.1" 200 452
192.168.1.10 - - [12/Nov/2024:12:35:02 +0000] "POST /upload.php HTTP/1.1" 200 512
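Grepping for a fixed string such as "cmd=" or "shell.php" only finds the shell you already guessed the name of. The following added log analyser (example code for this page, not from the original article) applies the indicators described above to Apache/nginx combined-format lines: a command-style query parameter on a .php request, a .php file that is not in a baseline of known application scripts, and PHP requested from an upload directory. The log lines, the baseline set KNOWN_PHP, the upload-directory list and the parameter names in SUSPICIOUS_PARAMS are all constructed for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the same format as the page's example log entries.
SAMPLE_LOG = """\
192.168.1.10 - - [12/Nov/2024:12:34:56 +0000] "GET /shell.php?cmd=whoami HTTP/1.1" 200 452
192.168.1.10 - - [12/Nov/2024:12:35:02 +0000] "POST /upload.php HTTP/1.1" 200 512
192.168.1.10 - - [12/Nov/2024:12:35:10 +0000] "GET /uploads/avatar.php?cmd=id HTTP/1.1" 200 77
203.0.113.5 - - [12/Nov/2024:12:36:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048
198.51.100.7 - - [12/Nov/2024:12:36:30 +0000] "GET /uploads/avatar.php HTTP/1.1" 200 77
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Assumed values: query parameter names typical of command-taking shells, the
# application's legitimate PHP entry points, and directories that must never serve PHP.
SUSPICIOUS_PARAMS = {"cmd", "command", "exec", "shell"}
KNOWN_PHP = {"/index.php", "/upload.php"}
UPLOAD_DIRS = ("/uploads/",)


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query)
    return rec


def find_webshell_indicators(log_text: str, known_php=KNOWN_PHP, upload_dirs=UPLOAD_DIRS) -> list:
    """Return (line_no, ip, path, reason) tuples for .php requests that match an indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(".php"):
            continue
        reasons = []
        if set(rec["params"]) & SUSPICIOUS_PARAMS:
            reasons.append("command_parameter")
        if rec["path"] not in known_php:
            reasons.append("unknown_php_file")
        if rec["path"].startswith(upload_dirs):
            reasons.append("php_in_upload_dir")
        for reason in reasons:
            hits.append((n, rec["ip"], rec["path"], reason))
    return hits


def suspicious_ips(hits: list) -> Counter:
    """Count indicator hits per client address, to see who is driving the shell."""
    return Counter(ip for _, ip, _, _ in hits)


if __name__ == "__main__":
    for hit in find_webshell_indicators(SAMPLE_LOG):
        print(hit)
    print(suspicious_ips(find_webshell_indicators(SAMPLE_LOG)).most_common())
```

The "unknown_php_file" rule is the most useful one in practice: build KNOWN_PHP from the deployed application's files (or the scanner baseline) and any .php path outside it deserves a look, whatever its name.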

4. Mitigation and Protection

Once a web shell is identified, it is critical to act swiftly to remove it and secure the server.

a. Eradication

  1. Delete the Web Shell (after preserving a copy of the file, with its timestamps, for analysis):

    rm /path/to/shell.php

  2. Restore from Backup (if available).

b. Secure Server Configuration

  1. Disable Dangerous Functions in php.ini:

    disable_functions = system,shell_exec,exec,passthru,eval,assert

    This prevents the execution of high-risk functions. Note that eval is a language construct rather than a function, so listing it here has no effect; it can only be removed by hardening the application code itself.

  2. Apply Permissions: Limit file upload directories to prevent PHP execution. File permissions alone do not stop the interpreter from running a file the web server can read, so also disable PHP handling for the upload path in the web server configuration (for example, Apache's php_admin_flag engine Off under mod_php, or an nginx location block that refuses .php requests below /uploads):

    chmod -R 750 /var/www/uploads

  3. Regular Updates: Keep web applications, libraries, and server software up to date to avoid vulnerabilities.

c. File Integrity Monitoring

  1. Use File Monitoring Tools: Tools like Tripwire or AIDE can detect unauthorized changes.

  2. Set Up Hash Checks: Maintain a list of file hashes and periodically compare. Note that -c only verifies the files already in the list, so a newly dropped file is not reported and the baseline must be regenerated and diffed to catch additions:

    sha256sum /var/www/*.php > baseline.txt
    sha256sum -c baseline.txt
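Because sha256sum -c only checks the files it already knows about, an added integrity check has to compare two complete snapshots. The following example (written for this page, not from the original article or from Tripwire/AIDE) recursively hashes the PHP files under a web root and reports added, removed and modified files between a saved baseline and the current state. The demo() function builds a throwaway directory tree and simulates an unexpected new file, a modified file and a deleted file; the file names and contents in it are constructed.

```python
import hashlib
import json
import os
import tempfile


def hash_tree(root: str, suffixes=(".php", ".phtml", ".inc")) -> dict:
    """Map each PHP-like file (relative path) under root to its SHA-256 hex digest."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            hashes[os.path.relpath(path, root)] = h.hexdigest()
    return hashes


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; unlike sha256sum -c, this also reports new files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def save_baseline(hashes: dict, path: str) -> None:
    with open(path, "w") as fh:
        json.dump(hashes, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then add, modify and delete files."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'home'; ?>")
        with open(os.path.join(root, "config.php"), "w") as f:
            f.write("<?php $db = 'constructed'; ?>")
        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(hash_tree(root), baseline_path)

        # Simulated changes after the baseline was taken.
        with open(os.path.join(root, "uploads", "avatar.php"), "w") as f:
            f.write("<?php /* constructed: file that should not exist here */ ?>")
        with open(os.path.join(root, "config.php"), "a") as f:
            f.write("\n// appended after baseline")
        os.remove(os.path.join(root, "index.php"))

        return diff_baseline(load_baseline(baseline_path), hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production, take the baseline from a known-good deployment, store it outside the web root where the web server's account cannot write, and run the comparison from a scheduled job; "added" entries under an upload directory are the highest-priority result.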

d. Web Application Firewall (WAF)

Deploy a WAF to block malicious requests, such as those targeting known web shell patterns.

e. Network Security

  • Monitor Outbound Traffic: Identify unusual communication from the server to external IPs. Note that -l lists only listening sockets, so the connection states must be shown instead:

    netstat -tunp | grep ESTABLISHED

5. Example Case: Real-World Detection

Scenario:

An e-commerce website's server is suspected of hosting a web shell.

  1. Initial Detection:

    • Analyze access logs:

      grep "shell.php" /var/log/apache2/access.log
    • Identify encoded requests:

      echo "ZWNobyAnc2hlbGwgc2NyaXB0IGxvZ2dlZCc=" | base64 --decode
  2. Remediation:

    • Remove the shell:

      rm /var/www/html/shell.php
    • Disable uploads in vulnerable directories:

      chmod -R 750 /var/www/uploads
  3. Hardening:

    • Enable strict Content Security Policies (CSP).

    • Implement a WAF and actively monitor all incoming traffic.


Key Points

Web shells are a serious threat that provide attackers with persistent access to compromised servers. By employing proactive scanning, log analysis, and secure configurations, organizations can detect and mitigate these backdoors effectively, minimizing the risk of further exploitation.
