A web shell attack is a more advanced form of cybercrime in which the attackers attempt to plant a malicious file into the recipients’ server directory and execute that file from their web browser. If they are successful in doing this it opens up the door for all kinds of additional maneuvers through which the attacker can exploit the system in different ways.
What is a Web Shell?
A web shell is a bit of code that is written in one of the mainstream web application languages such as JSP or PHP and it is installed on a web server operating system so that it can be controlled remotely.
Web shells can be used to exploit servers of all kinds, both those that are linked to the internet and those that are just used for locally hosting resources. The way in which the attack unfolds depends entirely on how the web shell has been loaded and what it has been designed for.
What makes this a popular choice for criminals is that it doesn't require any additional software that can be operated through a traditional HTTP protocol that is commonly found in web browsers.
How It Works
The first step is to find either a server or an end-user that is exposed and can serve as targets to host the malicious. This is don't through a different program such as Shodan.io that will scan all kinds of devices.
Once a suitable candidate is found the next step is to immediately deploy a web shell before that exposure is patched. As companies and even server admins are constantly working to improve the security of their systems, this can be a very small window of time for the attacker. The first aim with the web shells is to compromise the outermost layer of the system. This is usually done by pumping a supply of corrupted web shells through web pages that allow file uploads.
Once the system shows signs of wear and tear the attacker will use a Local File Include (LFI) vulnerability to connect that malicious web shell with a web application page. Other than LFI an attacker can also use SQL injection, XSS, and many other strategies to achieve this result.
The web shell automatically creates a backdoor when it has been successfully installed and this gives the attacker direct access. The main reason for using web shells is the efficiency with which these kinds of attacks create back doors for the attacker. In most cases a web shell attack will not be followed through with any additional attacks such as data theft or ransomware, rather the entire purpose of the attack is to create that backdoor. Through is entry point the attacker can monitor the network and use this for a different attack in the future or it could be just used to facilitate a different attack altogether.
Defense
The best way to safeguard yourself from these attacks is to use a solution such as Shell Detector which will compare all suspected files against a database of known web shells. Similarly, the controls on the servers themselves can be modified to analyze all script file writes and also look into process executions to see if any file has a code that could potentially be harmful.
The real challenge is finding potentially harmful files as this kind of code could be hidden behind seemingly harmless files, such as an uploaded photo.
714-333-9620