Prior to the Thanksgiving break, Check Point Software posted this blog alerting security professionals to the dangers of something called “web shells”. While web shells have been around for a few years, awareness of what they are and how they operate still seems relatively low, so I thought I would take the time to explain what the threat is.

Web shells are scripts or executable software that can be uploaded to an unprotected server and then opened from a browser to give cyber criminals a web-based interface for running system commands. A web shell can be thought of as a backdoor into the system that is operated from a browser. For any particular web server, the web shell script must be written in a language the server can execute. Examples are PHP, ASP, JSP, Perl, Ruby, Python or Unix shell. So if a server is running Python, the web shell must also be in Python.

Unlike reverse shells, which connect back over a raw socket, web shells run purely over the web, so they are quick to execute and lightning fast for hackers to use. They do require some degree of sophistication, since the interface is basically a web-based command line tool.

Web shells are most commonly planted by exploiting vulnerabilities such as arbitrary file upload and remote file inclusion. If a web server has any such vulnerability, a web shell can easily be uploaded by a hacker and then opened in a browser. Once it is successfully uploaded, a cyber criminal can use the web interface to exploit the server further and escalate privileges to issue commands remotely. These commands are limited only by the privileges and functionality available to the web server process and may include the ability to add, delete, and execute files as well as the ability to run shell commands, further executables, or scripts.
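As an added defensive example (not code from the original post or from Check Point), the following Python triage script flags the indicators described above in files sitting in an upload directory: a server-side script extension where only images belong, request parameters reaching command-execution functions, and eval over a decoded payload. The sample files and the `uploads/` prefix are constructed assumptions.

```python
"""Triage files for web-shell indicators: script extensions in an upload
directory, request input reaching exec sinks, eval over decoded payloads."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# PHP superglobals that carry attacker-controlled request data.
REQUEST_SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# Functions that hand a string to the OS shell or the PHP interpreter.
EXEC_SINKS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(", re.I)
# Typical obfuscation wrapper: eval(base64_decode(...)), eval(gzinflate(...)).
OBFUSCATION = re.compile(
    r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# .php, .php5, .phtml, .phar anywhere in the name, so "x.php.jpg" is caught too.
SCRIPT_EXT = re.compile(r"\.ph(p\d?|tml|ar)(\.|$)", re.I)


@dataclass
class Finding:
    path: str
    reasons: list[str] = field(default_factory=list)


def triage_file(path: str, source: str, upload_prefix: str = "uploads/") -> Finding | None:
    """Return a Finding when the file shows web-shell indicators, else None."""
    reasons = []
    if path.startswith(upload_prefix) and SCRIPT_EXT.search(path.rsplit("/", 1)[-1]):
        reasons.append("server-side script extension inside the upload directory")
    sinks = sorted({m.group(1).lower() for m in EXEC_SINKS.finditer(source)})
    if sinks and REQUEST_SOURCES.search(source):
        reasons.append(f"request input alongside exec sink(s): {sinks}")
    if OBFUSCATION.search(source):
        reasons.append("eval/assert over a decoded payload")
    return Finding(path, reasons) if reasons else None


def triage_files(files: dict[str, str]) -> list[Finding]:
    """Scan a path -> contents mapping (e.g. read from disk) and collect findings."""
    return [f for p, s in sorted(files.items()) if (f := triage_file(p, s))]


# Constructed sample tree: a legitimate image, a legitimate page, two shells.
SAMPLE_FILES = {
    "uploads/avatar.jpg": "JFIF placeholder image bytes",
    "index.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
    "uploads/cmd.php": "<?php $c = $_REQUEST['cmd']; system($c); ?>",
    "uploads/theme.php.jpg": "<?php eval(base64_decode('UEFZTE9BRA==')); ?>",  # placeholder payload
}

if __name__ == "__main__":
    for finding in triage_files(SAMPLE_FILES):
        print(finding.path, "->", "; ".join(finding.reasons))
```

The checks are heuristics: a match is a triage lead for review, not proof of compromise, and a file containing no recognised sink can still be a shell.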

Protecting against web shells can be done with intrusion prevention features specifically designed for these threats. This includes protecting against the following:

  • Web server file uploads
  • PHP print remote shell command execution
  • PHP GLOBALS remote file inclusion
  • OpenX Ad Server Backdoor PHP Code Execution
  • Web server CryptoPHP backdoor
  • FTP file uploads
Zeus Kerravala

Zeus Kerravala is the founder and principal analyst with ZK Research. Kerravala provides a mix of tactical advice to help his clients in the current business climate and long term strategic advice.