请输入您要查询的百科知识:

 

词条 Web shell
释义

  1. General usage

  2. Delivery tactics

  3. Examples of web shells

  4. Prevention and mitigation

  5. Detection

  6. Usage by malicious adversaries

  7. See also

  8. References

  9. External links

{{Short description|Web security exploit that enables remote access to a web server}}{{Information security}}

A web shell (classified as a remote access trojan[1]) is a web security threat that is a web-based implementation of the shell concept.[2] A web shell is able to be uploaded to a web server to allow remote access to the web server, such as the web server's file system.[3] A web shell is unique in that it enables users to access a web server by way of a web browser that acts like a command-line interface.[4][5]
A user can access a remote computer via the World Wide Web using a web browser on any type of system, whether it's a desktop computer or a mobile phone with a web browser, and perform tasks on the remote system. No command-line environment is required on either the host or the client.[4][5]

A web shell could be programmed in any language that the target server supports. Web shells are most commonly written in PHP, Active Server Pages, or ASP.NET, but Python, Perl, Ruby and Unix shell scripts are also used, although not as common because it is not very common for web servers to support these languages.[3][4][5]

Using network monitoring tools such as Wireshark, an attacker can find vulnerabilities which are exploited resulting in a web shell installation. These vulnerabilities may be present in content management system applications (abbreviated CMS) or the web server's software.[4]

An attacker can use a web shell to issue commands, perform privilege escalation on the web server, and the ability to upload, delete, download and run scripts and files on the web server.[4]

General usage

Web shells are used in attacks mostly because they are multi-purpose and are difficult to detect.[6]

Web shells are commonly used for:

  • Data theft[6]
  • Infecting website visitors (watering hole attacks)[7]
  • Website defacement by modifying files with a malicious intent
  • Launch distributed denial of service (DDoS) attacks[4]
  • To relay commands inside the network which is inaccessible over the Internet[4]
  • To use as command and control base, for example as a bot in a botnet system or in way to compromise the security of additional external networks.[4]

Delivery tactics

Web shells are installed through vulnerabilities in web application or weak server security configuration including the following:[4][6]

  • SQL injection;
  • Vulnerabilities in applications and services (e.g. web server software such as NGINX or content management system applications such as WordPress);[8][9]
  • File processing and uploading vulnerabilities (e.g. limiting the file types that can be uploaded);[9]
  • Remote file inclusion (RFI) and local file inclusion (LFI) vulnerabilities;
  • Exposed administration interfaces;[4]
  • Cross-site scripting

Examples of web shells

  • b374k – A web shell written in PHP with abilities such as monitoring processes & command execution.[4][10][11]
  • C99 – A special type of the WSO web shell which is capable to show the web server's security standards and has a self-destruction option.[4][12]
  • China Chopper – A web shell which is only 4 kilobytes in size, which was first discovered in 2012. This web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely access web servers. This web shell has two parts, the client interface (an executable file) and the receiver host file on the compromised web server. Has many commands and control features such as a password brute-force attack option.[13][14][15]
  • R57 – The R57 web shell has tools to scan the infected web server for other web shell installations, with the option to remove or overwrite them.[16]
  • WSO (web shell by orb) – Has the ability to pretend as an HTML error page with a hidden form to login to the web shell.[4][17][18]

Web shells can be as short as just one line of code. The following example PHP script is 15 bytes in size:

If an attacker inserts this line of code into a malicious file with a PHP filename extension (such as .php) on a web server that is running PHP, the attacker can issue commands, for example reading the /etc/passwd file, through a web browser using the following Uniform Resource Locator if the web shell was located at uploads/webshell.php (regardless if the page is encrypted with TLS or SSL):

The above request will take the value of the x URL parameter, decode the URL and send the following Bash command:

cat /etc/passwd

If the permissions of the /etc/passwd file allow viewing the file, the web server will send the contents of /etc/passwd to the web browser and the browser will then display the contents of the /etc/passwd file or any other file the attacker wishes to view.

This attack could have been prevented if the file permissions did not allow viewing the file or if the shell functions of PHP were disabled so that arbitrary shell commands cannot be executed from PHP.

Other malicious actions are able to be executed by attackers with that web shell, such as replacing the contents of a file on the web server. For example, consider the following Bash command:

echo Hijacked page contents > index.php

The above command could be used to replace the contents of the index.php file with the text "Hijacked page contents", which is one way a web page could be defaced, or create the index.php file with the contents if the file does not exist. Attackers can also use the Bash command rm to delete files on the web server and mv to move files.

Prevention and mitigation

A web shell is usually installed by taking advantage of vulnerabilities present in the web server's software. That is why removal of these vulnerabilities are important to avoid the potential risk of a compromised web server.

The following are security measures for preventing the installation of a web shell:[4][5]

  • Regularly update the applications and the host server's operating system to ensure immunity from known bugs
  • Deploy a demilitarized zone (DMZ) between the web facing servers and the internal networks
  • Secure configuration of the web server[4]
  • Ports and services which are not used should be closed or blocked[4]
  • Using user input data validation to limit local and remote file inclusion vulnerabilities[4]
  • Use a reverse proxy service to restrict the administrative URL's to known legitimate ones [4]
  • Frequent vulnerability scan to detect areas of risk and conduct regular scans using web security software (this does not prevent zero day attacks[4])
  • Deploy a firewall[4]
  • Disable directory browsing
  • Not using default passwords[4]

Detection

Web shells can be easily modified so it's not easy to detect web shells and antivirus software are often not able to detect these web shells.[4][19]

The following are common indicators that a web shell is present on a web server:[4][5]

  • Abnormal high web server usage (due to heavy downloading and uploading by the attacker);[4][19]
  • Files with an abnormal timestamp (e.g. newer than the last modification date);[19]
  • Unknown files in server;
  • Files having dubious references, for example, cmd.exe or eval;
  • Unknown connections in the logs of web server

For example, a file generating suspicious traffic (e.g. a PNG file requesting with POST parameters);[4][20][21][22]

Dubious logins from DMZ servers to internal sub-nets and vice versa.[4]

Web shells may also contain a login form, which can be hidden in fake error pages.[4][23][24][25]

Using web shells, adversaries can modify the .htaccess file (on servers running the Apache HTTP Server software) on web servers to redirect search engine requests to the web page with malware or spam. Often web shells detect the user-agent and the content presented to the search engine spider is different from that presented to the user's browser. To find a web shell a user-agent change of the crawler bot is usually required. Once the web shell is identified, it can be deleted easily.[4]

Analyzing the web server's log could specify the exact location of the web shell. Legitimate users/visitor usually have different user-agents and referers (referrers), on the other hand, a web shell is usually only visited by the attacker, therefore have very few variants of user-agent strings.[4]

Usage by malicious adversaries

{{Clean|section|reason=Needs fixing|date=March 2019}}

On February 19, 2019, a sophisticated state actor used web shells to hack into the Australian Parliament House computer network and attacked some political parties such as Liberal, Labor and the Nationals.[26][27][28] In the 2016 Democratic National Committee email leak incident, the P.A.S. web shell (author Profexer, a pseudonym) was used by Guccifer 2.0.[29][30]

China Chopper was used in attacks against eight Australian web hosting providers, they were compromised due to usage of a vulnerable operating system, which was Windows Server 2008. Hackers connected the web servers to a Monero mining pool (a way by which cryptocurrency miners pool their resources), by which they mined about AU$3868 worth of Monero.[31]

Web shells were used to attack Verticalscope, a Canadian web forums manager that manages hundreds of popular web forums with more than 45 million user accounts.[32] Web forums affected included Toyota Nation Forum, Jeep Forum and watchuseek.[33][34]

Sea pirates hacked a shipping company's vulnerable content management system using a web shell to sort targets based on cost of the cargo.[35][36][37]

Security researchers at Flashpoint discovered that over 3,000 backdoor-ed websites' details were sold on MagBO (a Russian website for selling access to servers) with price ranging from $0.50 to $1,000 per site.[38] Price was based on the traffic, hosting parameters and access on the backdoor-ed server.[39]

According to MagBO's search filters, a customer could buy access to[40]:

  • PHP shell access
  • Hosting control access
  • Domain control access
  • File Transfer Protocol (FTP) access
  • Secure Shell (SSH) access
  • Admin panel access
  • Database or Structured Query Language (SQL) access

There are also some trojan WordPress plugins, such as WooComerce and Aksimet (not to be confused with WooCommerce and Akismet) which uploads a web shell to the web server with the WordPress installation. The web shells use the add_action('init',") function to self-activate and then take commands from an attacker.[41]

A JBoss (now known as WildFly) vulnerability was used by hackers to expose the HTTP Invoker service by which web shell was installed on the web servers of over 200 sites , including servers belonging to governments and universities .[42]

From December 31, 2012 to January 1, 2013, an Indonesian website defacer known as "Hmei7" defaced 5,000 websites with WordPress installations in two days.[43] Hmei7 used web shells with a file uploading feature and changed web server files, such as index.php. Hmei7 has defaced more than 154,000 sites which are notified on Zone-H.[44][45]

See also

  • Backdoor (computing)
  • Cyberwarfare
  • Internet security
  • Network security
  • China Chopper

References

1. ^{{cite book|chapter-url=https://ieeexplore.ieee.org/abstract/document/7335066|chapter=Towards a PHP webshell taxonomy using deobfuscation-assisted similarity analysis|first1=P. M.|title=2015 Information Security for South Africa (ISSA)|last1=Wrench|first2=B. V. W.|last2=Irwin|date=1 August 2015|pages=1–8|accessdate=17 February 2019|via=IEEE Xplore|doi=10.1109/ISSA.2015.7335066|isbn=978-1-4799-7755-0}}
2. ^{{Cite web|url=https://www.acunetix.com/websitesecurity/introduction-web-shells/|title=An Introduction to Web-shells|website=www.acunetix.com}}
3. ^{{cite web|url=https://searchsecurity.techtarget.com/answer/How-can-web-shells-be-used-to-exploit-security-tools-and-servers|title=How can web shells be used to exploit security tools and servers?|website=SearchSecurity}}
4. ^10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 {{cite web|url=https://www.us-cert.gov/ncas/alerts/TA15-314A|title=Web Shells – Threat Awareness and Guidance|author=US Department of Homeland Security|date=|website=www.us-cert.gov|accessdate=20 December 2018}} {{PD-notice}}
5. ^{{cite web|url=https://malware.expert/general/what-is-a-web-shell/|title=What is a Web shell?|last=admin|date=3 August 2017|website=malware.expert|accessdate=20 December 2018}}
6. ^{{cite web|url=https://www.us-cert.gov/ncas/alerts/TA18-074A|title=Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors - US-CERT|author=|date=|website=www.us-cert.gov|accessdate=20 December 2018}}
7. ^{{cite web|url=https://fixmywp.com/security/what-are-web-shell-backdoors.php|title=The Definitive Guide about Backdoor Attacks - What are WebShell BackDoors|first1=Makis MourelatosWordPress Security Engineer at FixMyWPWC Athens 2016|last1=co-organizer|first2=W. P.|last2=Support|first3=Security|last3=Aficionado|first4=Wannabe|last4=Kitesurfer|date=16 October 2017|website=fixmywp.com|accessdate=20 December 2018}}
8. ^{{cite web|url=https://securityintelligence.com/got-wordpress-php-c99-webshell-attacks-increasing/|title=Got WordPress? PHP C99 Webshell Attacks Increasing|date=14 April 2016}}
9. ^{{cite web|url=https://techcrunch.com/2018/12/10/equifax-breach-preventable-house-oversight-report/|title=Equifax breach was 'entirely preventable' had it used basic security measures, says House report|accessdate=21 December 2018}}
10. ^{{cite web|url=https://code.google.com/archive/p/b374k-shell/|title=Google Code Archive - Long-term storage for Google Code Project Hosting.|website=code.google.com|accessdate=22 December 2018}}
11. ^{{cite web|url=https://securityintelligence.com/the-webshell-game-continues/|title=The Webshell Game Continues|date=8 July 2016|accessdate=22 December 2018}}
12. ^{{cite web|url=https://securityintelligence.com/got-wordpress-php-c99-webshell-attacks-increasing/|title=Got WordPress? PHP C99 Webshell Attacks Increasing|date=14 April 2016|accessdate=22 December 2018}}
13. ^{{cite web|url=https://www.cyber.nj.gov/threat-profiles/trojan-variants/china-chopper|title=China Chopper|website=NJCCIC|accessdate=22 December 2018}}
14. ^{{cite web|url=https://www.andreafortuna.org/cybersecurity/what-is-the-china-chopper-webshell-and-how-to-find-it-on-a-compromized-system/|title=What is the China Chopper Webshell, and how to find it on a compromised system?|date=28 March 2018|accessdate=22 December 2018}}
15. ^{{cite web|url=https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html|title=Breaking Down the China Chopper Web Shell - Part I « Breaking Down the China Chopper Web Shell - Part I|website=FireEye|accessdate=22 December 2018}}
16. ^{{Cite web|url=https://news.netcraft.com/archives/2017/05/18/web-shells-the-criminals-control-panel.html|title=Web Shells: The Criminal's Control Panel {{!}} Netcraft|website=news.netcraft.com|access-date=2019-02-22}}
17. ^{{cite web|url=https://www.wordfence.com/blog/2017/06/wso-shell/|title=WSO Shell: The Hack Is Coming From Inside The House!|date=22 June 2017|accessdate=22 December 2018}}
18. ^{{cite web|url=https://news.netcraft.com/archives/2017/05/18/web-shells-the-criminals-control-panel.html|title=Web Shells: The Criminal's Control Panel - Netcraft|website=news.netcraft.com|accessdate=22 December 2018}}
19. ^{{cite web|url=https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html|title=Breaking Down the China Chopper Web Shell - Part I « Breaking Down the China Chopper Web Shell - Part I|author=|date=|website=FireEye|accessdate=20 December 2018}}
20. ^{{Cite web | url=https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=901146 | title=Intrusion Detection and Prevention Systems}}
21. ^{{cite web|url=https://www.networkworld.com/article/3085141/network-security/five-signs-an-attacker-is-already-in-your-network.html|title=Five signs an attacker is already in your network|first=Kasey Cross, Senior Product Manager|last=LightCyber|date=16 June 2016|website=Network World|accessdate=22 December 2018}}
22. ^{{Cite web | url=https://insights.sei.cmu.edu/sei_blog/2016/09/traffic-analysis-for-network-security-two-approaches-for-going-beyond-network-flow-data.html | title=Traffic Analysis for Network Security: Two Approaches for Going Beyond Network Flow Data}}
23. ^{{cite web|url=https://www.bleepingcomputer.com/news/security/hackers-hiding-web-shell-logins-in-fake-http-error-pages/|title=Hackers Hiding Web Shell Logins in Fake HTTP Error Pages|website=BleepingComputer|accessdate=21 December 2018}}
24. ^{{cite web|url=https://threatravens.com/hackers-hiding-web-shell-logins-in-fake-http-error-pages/|title=Hackers Hiding Web Shell Logins in Fake HTTP Error Pages|date=24 July 2018|website=ThreatRavens|accessdate=17 February 2019}}
25. ^{{cite web|url=https://cyware.com/news/hackers-hiding-web-shell-logins-in-fake-http-error-pages-f9f1b47e|title=Hackers Hiding Web Shell Logins in Fake HTTP Error Pages|website=cyware.com|accessdate=22 December 2018}}
26. ^{{cite web|url=https://newsroom.unsw.edu.au/news/science-tech/state-actor-has-targeted-australian-politics-%E2%80%93-shouldnt-surprise-us|title=A state actor has targeted Australian politics – but that shouldn't surprise us|last=z3525182|date=19 February 2019|website=UNSW Newsroom}}
27. ^{{cite web|url=http://theconversation.com/state-actor-makes-cyber-attack-on-australian-political-parties-111993|title='State actor' makes cyber attack on Australian political parties|first=Michelle|last=Grattan|website=The Conversation}}
28. ^{{Cite web|url=https://edition.cnn.com/2019/02/07/australia/australia-parliament-hack-intl/index.html|title=Australian parliament's computer network targeted by unknown hacker|last=CNN|first=Ben Westcott|website=CNN|access-date=2019-03-17}}
29. ^{{Cite web|url=https://krebsonsecurity.com/tag/dnc-hack/|title=DNC hack — Krebs on Security|language=en-US|access-date=2019-02-25}}
30. ^{{Cite news|url=https://www.nytimes.com/2017/08/16/world/europe/russia-ukraine-malware-hacking-witness.html|title=In Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking|last=Kramer|first=Andrew E.|date=2017-08-16|work=The New York Times|access-date=2019-02-25|last2=Higgins|first2=Andrew|language=en-US|issn=0362-4331}}
31. ^{{cite web|url=https://www.zdnet.com/article/australian-web-hosts-hit-with-a-manic-menagerie-of-malware/|title=Australian web hosts hit with a Manic Menagerie of malware|last=Stilgherrian|website=ZDNet}}
32. ^{{Cite web|url=https://www.itworldcanada.com/article/canada-third-in-reported-data-breaches-so-far-this-year/395132|title=Canada third in reported data breaches so far this year|last=Solomon|first=Howard|website=IT World Canada|language=en-US|access-date=2019-03-17}}
33. ^{{Cite web|url=https://krebsonsecurity.com/2017/11/2nd-breach-at-verticalscope-impacts/|title=2nd Breach at Verticalscope Impacts Millions — Krebs on Security|language=en-US|access-date=2019-02-25}}
34. ^{{Cite web|url=https://www.zdnet.com/article/ubuntu-forums-hack-exposes-two-million-users/|title=Ubuntu Forums hack exposes 2 million users|last=Whittaker|first=Zack|website=ZDNet|language=en|access-date=2019-03-17}}
35. ^{{Cite web|url=https://www.businessinsider.com/pirates-hacked-vessels-2016-3|title=High-tech pirates hacked a shipping company to figure out the perfect vessels to plunder|last=Insider|first=pzdupe2, Tech|website=Business Insider|access-date=2019-03-17}}
36. ^{{Cite web|url=https://boingboing.net/2016/03/03/pirates-hacked-shipping-compan.html|title=Pirates hacked shipping company, cherry-picking targets based on cargo|website=Boing Boing|language=en-US|access-date=2019-02-25}}
37. ^{{Cite web|url=https://www.foxnews.com/tech/from-high-seas-to-high-tech-pirates-hack-shipping-company|title=From high seas to high tech: Pirates hack shipping company|last=Rogers|first=James|date=2016-03-02|website=Fox News|language=en-US|access-date=2019-03-17}}
38. ^{{Cite web|url=https://threatpost.com/thousands-of-breached-websites-turn-up-magbo-black-market/137564/|title=Thousands of Breached Websites Turn Up On MagBo Black Market|website=threatpost.com|language=en|access-date=2019-02-25}}
39. ^{{Cite web|url=https://www.zdnet.com/article/access-to-over-3000-backdoored-sites-sold-on-russian-hacking-forum/|title=Access to over 3,000 backdoored sites sold on Russian hacking forum|last=Cimpanu|first=Catalin|website=ZDNet|language=en|access-date=2019-02-25}}
40. ^{{Cite web|url=https://hackercombat.com/magbo-black-market-hacking-site-caught-selling-3000-website-login-credentials/|title=MagBO Black Market Hacking Site, Caught Selling 3,000 Website Login|language=en-US|access-date=2019-03-21}}
41. ^{{Cite web|url=https://malware.expert/backdoor/malware-plugins-to-wordpress-woocomerce-aksimet/|title=Malware plugin's to WordPress (woocomerce & aksimet)|last=admin|date=2019-01-15|website=Malware Expert|language=en-US|access-date=2019-02-25}}
42. ^{{Cite web|url=https://www.pcworld.com/article/2064580/hackers-actively-exploiting-jboss-vulnerability-to-compromise-servers-researchers-say.html|title=Hackers actively exploiting JBoss vulnerability to compromise servers|date=2013-11-18|website=PCWorld|language=en|access-date=2019-02-25}}
43. ^{{Cite web|url=http://www.ehackingnews.com/2013/01/Indonesian-top-defacer-hmei7.html|title=5,000+ sites hacked in 2 days by Indonesian Top Hacker Hmei7|last=News|first=E. Hacking|date=|website=E Hacking News - Latest Hacker News and IT Security News|archive-url=|archive-date=|dead-url=|access-date=2019-03-17}}
44. ^{{Cite web|url=https://securityintelligence.com/got-wordpress-php-c99-webshell-attacks-increasing/|title=Got WordPress? PHP C99 Webshell Attacks Increasing|date=2016-04-14|website=Security Intelligence|language=en-US|access-date=2019-02-25}}
45. ^{{Cite web|url=https://www.securityweek.com/c99-webshell-increasingly-used-wordpress-attacks|title=C99 Webshell Increasingly Used in WordPress Attacks {{!}} SecurityWeek.Com|website=www.securityweek.com|access-date=2019-03-21}}

External links

{{Malware}}{{Authority control}}

4 : Web security exploits|Hacking (computer security)|Command shells|Computer security exploits
随便看

 

开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。

 

Copyright © 2023 OENC.NET All Rights Reserved
京ICP备2021023879号 更新时间:2024/11/17 21:15:08