[vc_row][vc_column][vc_column_text]In our previous tutorial, we saw how easily a simple yet powerful web shell can be written in PHP. And you may be surprised to learn that many web servers are configured so loosely that even a simple web shell can do significant damage. The following are indicators that a web shell may be present on a server:
- Abnormal periods of high site usage (potentially caused by uploading and downloading activity);
- Files with an unusual timestamp (e.g., more recent than the last update of the installed web applications);
- Suspicious files in Internet-accessible locations (the web root);
- Files containing references to suspicious keywords such as cmd.exe or eval;
- Unexpected connections in logs, for example:
  - a file type generating unexpected or anomalous network traffic (e.g., a JPG file receiving POST requests with parameters);
  - suspicious logins from internal subnets to DMZ servers and vice versa;
- Any evidence of suspicious shell commands, such as directory traversal, executed by the web-server process.
Detection
Method 1: Web Shell Detector is a PHP script that helps you find and identify PHP, CGI (Perl), ASP and ASPX shells. Its creators claim that its signature database identifies web shells with up to 99% accuracy; as of this writing it holds about 603 web-shell signatures.
As the README.MD instructs, I have placed the shelldetect.db and shelldetect.php files in the web root, which in my case is /var/www/html.
Now I am adding the simple web shell that we created together in the previous tutorial.
Now I will check whether Web Shell Detector can find the web shell I placed there under the name simple-web-shell.php. To do so, I browse to my-domain-name.com/shelldetect.php and log in with the default username and password, which are admin and protect respectively. (If you use this tool on a production server, change the default password, which you can do by editing shelldetect.php, and remove the script from the web root once the scan is finished: a scanner with default credentials that is reachable from the Internet is itself a liability.)
The report gives plenty of information about the web shell we created. Remember that this script does not remove the web shell automatically; once a file has been identified, you have to review and remove it yourself.
Method 2: Search the files (and filenames) under the web-server root for strings commonly used by web shells, for example:
grep -RPn "(passthru|exec|eval|shell_exec|assert|str_rot13|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /var/www/html
Many of these functions also appear in legitimate code, so treat the hits as a list to review rather than proof of compromise, and cross-check them against file timestamps and the web-server access logs. Also keep an eye on network traffic from the web server: unexpected outbound connections are often the first hint that something has gone wrong.
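Combining the indicators listed at the top of this page with the Method 2 grep, the following script is an added example written for this page (not part of Web Shell Detector or of the tutorial's own code). It builds a throwaway web root from constructed files (a clean index.php, the simple-web-shell.php from the previous tutorial, and a logo.jpg that hides PHP), scores every file on the indicators (modified after the last release, PHP behind a static-asset extension, a request parameter flowing into an execution call, a long base64 blob) and checks constructed access-log lines for POST requests to image files and for directory traversal. The file names, the one-hour-old deployment timestamp and the log lines are all assumptions made for the demo.

```python
"""Triage a PHP web root for the indicators listed on this page and scan access-log
lines for anomalous requests. Added example for this page, not part of Web Shell
Detector or the tutorial's code; files, log lines and timestamps are constructed."""
import base64
import os
import re
import tempfile
import time
from urllib.parse import unquote

# The Method 2 grep list, plus proc_open/popen/pcntl_exec/show_source.
DANGEROUS_CALL = re.compile(
    r"\b(passthru|exec|eval|shell_exec|assert|str_rot13|system|phpinfo|base64_decode|"
    r"chmod|mkdir|fopen|fclose|readfile|proc_open|popen|pcntl_exec|show_source)\s*\(", re.I)
# A request parameter flowing straight into an execution call, optionally through
# decoding wrappers: system($_GET['cmd']), eval(base64_decode($_POST['p'])), ...
TAINTED_CALL = re.compile(
    r"\b(passthru|exec|eval|shell_exec|assert|system|proc_open|popen|pcntl_exec)\s*\("
    r"\s*(?:(?:base64_decode|str_rot13|gzinflate|gzuncompress|urldecode)\s*\(\s*)*"
    r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b", re.I)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")  # obfuscated payloads
PHP_OPEN_TAG = re.compile(r"<\?(?:php|=)", re.I)
# Extensions that should never contain PHP and never receive POST bodies.
STATIC_EXT = {".jpg", ".jpeg", ".png", ".gif", ".css", ".ico", ".txt"}

def scan_file(path, deployed_at):
    """Score one file; deployed_at is the Unix time of the last legitimate release."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    is_static = os.path.splitext(path)[1].lower() in STATIC_EXT
    checks = [
        (1, "modified after the last deployment", os.path.getmtime(path) > deployed_at),
        (3, "PHP code behind a static-asset extension", is_static and PHP_OPEN_TAG.search(text)),
        (5, "request parameter flows into an execution call", TAINTED_CALL.search(text)),
        (2, "long base64 blob", BASE64_BLOB.search(text)),
    ]
    # A bare dangerous-function hit (what the Method 2 grep finds) is low weight on its own.
    if not checks[2][2] and DANGEROUS_CALL.search(text):
        checks.append((1, "calls a dangerous function (grep-level hit only)", True))
    hits = [(weight, why) for weight, why, cond in checks if cond]
    return sum(w for w, _ in hits), [why for _, why in hits]

def scan_webroot(root, deployed_at, threshold=3):
    """Return {relative path: (score, reasons)} for files scoring at or above threshold."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            score, reasons = scan_file(path, deployed_at)
            if score >= threshold:
                hits[os.path.relpath(path, root)] = (score, reasons)
    return hits

LOG_LINE = re.compile(  # Apache/nginx combined log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

def suspicious_requests(log_lines):
    """Flag POSTs to static assets and requests carrying directory traversal."""
    flagged = []
    for m in filter(None, map(LOG_LINE.match, log_lines)):  # skip lines that do not parse
        ip, target = m.group("ip"), m.group("target")
        path = target.split("?", 1)[0]
        if m.group("method") == "POST" and os.path.splitext(path)[1].lower() in STATIC_EXT:
            flagged.append((ip, path, "POST to a static asset"))
        if "../" in unquote(target).replace("\\", "/"):
            flagged.append((ip, path, "directory traversal in request"))
    return flagged

SAMPLE_LOG = [  # constructed lines using RFC 5737 documentation addresses
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /images/logo.jpg HTTP/1.1" 200 233 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /simple-web-shell.php?cmd=cat+../../etc/passwd HTTP/1.1" 200 1888 "-" "curl/8.0"',
]

def build_sample_webroot():
    """Create a throwaway web root: one clean file and two planted shells (all constructed)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, "images"))
    blob = base64.b64encode(b"constructed payload " * 8)
    files = {
        # Legitimate page that calls readfile(): the Method 2 grep flags it too.
        "index.php": b"<?php echo 'Hello'; readfile('news.txt'); ?>",
        # The simple shell from the previous tutorial.
        "simple-web-shell.php": b"<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); } ?>",
        # PHP behind an image extension, with a base64 blob and a POST-driven eval().
        "images/logo.jpg": b"\xff\xd8\xff\xe0<?php $k='" + blob + b"'; eval(base64_decode($_POST['p'])); ?>",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    deployed_at = time.time() - 3600  # assumed: last release one hour ago
    old = deployed_at - 86400         # index.php predates that release
    os.utime(os.path.join(root, "index.php"), (old, old))
    return root, deployed_at

if __name__ == "__main__":
    root, deployed_at = build_sample_webroot()
    print(scan_webroot(root, deployed_at), suspicious_requests(SAMPLE_LOG))
```

Scoring is the point of the example: index.php calls readfile() and therefore shows up in the Method 2 grep output, but stays below the threshold, while both planted files score well above it. On a real server, point scan_webroot() at the actual web root together with the time of the last release, and feed suspicious_requests() the real access log.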
Prevention
- Never trust user input.
- Avoid dropping code snippets or files found on the web into your application without understanding exactly what they do; web shells are also distributed inside plugins, themes and other shared code files.
- As discussed in the first tutorial, disable the dangerous functions you do not use, such as exec(), shell_exec(), passthru(), system(), show_source(), proc_open() and pcntl_exec(), through the disable_functions directive in php.ini. Note that eval() is a language construct rather than a function, so disable_functions cannot switch it off; for assert(), set zend.assertions = -1 in production so that assertions are not compiled at all (and PHP 8 no longer evaluates string arguments to assert() in any case).
- Deploy a web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.
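A php.ini drop-in that implements the disable_functions point above, as an added example rather than configuration taken from the page. The file path is an assumption; trim the list to whatever your application really does not need, since an application that legitimately calls one of these functions will break once it is disabled.

```ini
; /etc/php/8.2/fpm/conf.d/99-hardening.ini  (path is an assumption: use the php.ini or
; conf.d drop-in that your PHP-FPM or mod_php instance actually loads)

; Command-execution and source-disclosure functions named in the tutorial, plus
; popen() and highlight_file(). show_source() is only an alias of highlight_file(),
; so disabling one without the other leaves the other callable.
disable_functions = exec,shell_exec,passthru,system,proc_open,popen,pcntl_exec,show_source,highlight_file

; eval() and assert() are language constructs and ignore disable_functions.
; -1 means assert() expressions are not compiled at all, so assert('...') cannot
; serve as an eval() substitute on PHP 7 (PHP 8 no longer evaluates strings anyway).
zend.assertions = -1
```

After reloading PHP-FPM (or the web server for mod_php), confirm the settings are active for the web SAPI and not only the CLI, because the two read separate ini files: a one-off page that echoes ini_get('disable_functions') and ini_get('zend.assertions') will show what the web server is really running with, and must be deleted as soon as you have checked it.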
Further Reading
- Australian Cyber Security Centre – Securing Content Management Systems (CMS)
- FireEye China Chopper – The Little Malware That Could. Detecting and Defeating …
- MANDIANT – Old Web Shells New Tricks
- FireEye – Breaking Down the China Chopper Web Shell Part I
- FireEye – Breaking Down the China Chopper Web Shell Part II
- WSO Information
- Exploit-db – China Chopper
- C99
- INFOSEC Institute – Web Shell Detection
- Web Shell Detection and Prediction
[/vc_column_text][/vc_column][/vc_row]