Over the past two decades, web applications as an alternative to traditional desktop application have been on to rise.
As their name suggests, they are installed on web servers and accessed via a web browser. This gives web apps a rather long list of advantages: multi-platform cross-compatibility, no installation required for the users, cheap and fast development, easier maintenance and support, universal access, and so on.
But what about their downsides? Well, in their biggest strength lies also their arguably most important disadvantage: vulnerability. Since they are being deployed online they are prone to hackers.
Among the many different threats, today we are going to talk about WEB SHELLS.
So, what exactly are web shells?
Simply put, they are pieces of code, uploaded to a web server which allow to access it remotely. They act as a command-line interface and can be written in any language supported by the server. The most usually observed web shells are written in widely supported languages, such as PHP and ASP. Perl, Python, Ruby, and Unix shell scripts are also used.
The most common way these malicious web shells are exploited by attackers is by creating backdoors - access points to a site or system. These opened “doors” allow hackers to bypass the usual authentication and can lead to wider network compromise. An attacker can use a web shell to issue commands, perform privilege escalation on the web server, and the ability to upload, delete, download and execute files on the web server.
Backdoors can be hard to find because they are usually hidden in files that are already part of the site or downloaded as new files with innocent names, most often placed in a directory with many files. Due to the potential simplicity and ease of modification of web shells, they can be difficult to detect. For example, anti-virus products sometimes produce poor results in detecting web shells.
So, how can we try to detect them?
There are a number of different indicators which we should be on the lookout:
1. Abnormal periods of high site usage (due to potential uploading and downloading activity);
2. Files with an unusual timestamps (more recent than the last update of the web applications installed);
3. Suspicious files in Internet-accessible locations (web root);
4. Files containing references to suspicious keywords such as cmd.exe or eval;
5. Unexpected connections in logs. For example: A file type generating unexpected or anomalous network traffic (e.g., a JPG file making requests with POST parameters);
And what measures can we take?
We could set up an automated system which checks all newly uploaded or changed files and see if they match a known web shell, similar to how an antivirus software does with other forms of malware.
Due to the fact that backdoors scripts often need to use non-legitimate PHP commands, we could look for these commands in the files on your server. Search programs which search for text in files could be helpful.
Another possibility is comparing the different app versions to see if there are any differences which could be a sign of unusual activity. Moreover, by using web traffic monitoring tools, we can check for any eventual anomalies.
But the ultimate question is - how to prevent attacks in the first place?
Installation of a web shell is commonly accomplished through server configuration weaknesses or web application vulnerabilities.
Let’s focus on the latter:
Most web apps have permission to make modifications directly to an accessible web directory. As a result, the systems themselves open the door seamlessly for attackers. It is therefore recommended that modification permissions be blocked. However, if this is not possible, there are other more sophisticated options:
Using Intrusion Detection System (IDS) and/or Intrusion Protection System (IPS)
Both these systems operate at the network layer, watching network traffic and are a step up from a firewall. An IDS matches data within packets against a signature database while simultaneously searching for and detecting anomalies against a pre-defined "normal" traffic profile. An Intrusion Protection System (IPS) goes even further by reacting or responding to what it detects. Both technologies are complementary but share the same inherent shortcoming, as they operate on known signatures and therefore have trouble with newer attacks and unknown signatures.
Using Web Application Firewall (WAF)
WAF can be described as “reverse proxy”. They too, similar to IPS, sit in-line, but operate at the application layer. They job is to monitor network traffic to and from a specific web application or server. That implies that it is dealing with the data stream, not the network stream. This means they are applied after decryption, gaining them full access to the request and response header and body. And a WAF can generally be expected to focus on application-specific signatures, more so than an IDS/IPS. WAF is also more likely to look at things like JSON or XML format validation; looking for things that aren't right instead of just looking for things that are wrong.A WAF can provide protection against threats like Cross-Site-Scripting or SQL injection, but can only detect an attack when it looks like a pattern that the WAF is configured to expect.
The two technologies are intersecting sets - in an attack, some traffic will trigger both the WAF and the IDS/IPS; some will only trigger the WAF; some will only trigger the IDS/IPS. The recommended way is to use a multi-layered approach to data security, including all of the components listed above.
Confirming that web shells are indeed a formidable problem, The U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) have jointly released a Cybersecurity Information Sheet on mitigating web shell malware. The CSI provides techniques to detect—and recommendations to prevent—malicious web shells.
Moreover, NSA published a repository on Github where we can find a wide list of methods and tools that will help protect your system from web shell malware.
Web security is undoubtedly one of the most important aspects to keep in mind when developing web applications. Making sure to stay up-to-date when it comes to new threats as well as possibilities of their prevention is a task all developers should take seriously.
Iveta Karailievova
Originally coming from a marketing background, decided to turn her life around and immerse herself into the wonderful exciting and most importantly – never boring world of technology and web development. Proud employee at MA-NO . Easily loses track of time when enjoying working on code. Big fan of Placebo, cats and pizza.
Related Posts
How to trim a video without downloading programs
You recently experienced one of the most epic concerts in recent years and now you're in the process of showing the videos you recorded to friends and family who, unfortunately,…
The ultimate cybersecurity checklist for programmers
In today's digital age, cybersecurity has become an essential concern for programmers. With cyber threats on the rise, it is crucial for programmers to adopt robust security practices to protect…
Network attacks and how to avoid them
Nowadays it is impossible to list all the different types of attacks that can be carried out on a network, as in the world of security this varies continuously. We…
6 Best Alternative Privacy Focused Browsers in 2021
In today's article we take a look at free private browsers which are relevant in 2021. We will compare their advantages and disadvantages, specs, etc. Let's get into it. What are alternative…
How to hide the you are typing text in a WhatsApp group
With WhatsApp groups there is usually no middle ground: either you like them or you hate them from the first moment you are put -sometimes 'dragged' reflects better- into one. And…
Top Whatsapp alternatives in 2021
From the communication platform WhatsApp leaves more and more users for different reasons. If you're one of them, there are a lot of possibilities on how to replace it with…
Read comics online: best websites and apps to download and read digital comics
Comic book lovers (like us), today we're going to give you a special tribute: a small collection of websites and applications to download and read digital comics, both on your…
Install MacOS on PC - the Ultimate Guide (Hackintosh)
There has always been a belief that the Apple MacOS Operating System could only be installed on computers sold directly by Apple. But on the Internet there is a large…
Security of Internet providers: can we trust it?
This year has been a time of many changes. Now, more people are connected to the Internet through their home routers for teleworking, shopping, or leisure. This is where the…
Brief History of Biometric Authentication
These days, biometric authentication seems to be part of every little gadget or device we use. You’ve no doubt used it when logging onto your laptop, your tablet, or your…
A beginner’s guide to software vulnerabilities
What are software vulnerabilities The number of devices connected to the Internet is growing every day. And among those devices we find not only computers and smartphones, but also an ever-rising…
The BleedingTooth vulnerability and other Bluetooth security risks
Have you ever heard of BleedingTooth? And we do not mean the really disturbing looking mushroom which goes by this name and is totally real (we double checked) but one of…