Web Shells: Types, Mitigation & Removal
Sucuri blog details web shell threats, types, and mitigation strategies for compromised web servers.
Summary
Web shells are malicious scripts deployed on compromised web servers to provide attackers persistent remote access and command execution capabilities. They exploit vulnerabilities such as SQL injection, XSS, RFI, and file upload flaws to gain entry, and serve as backdoors for data theft, defacement, and lateral movement. Sucuri's 2024 scans detected publicly accessible web shell interfaces 16,978 times, highlighting the prevalence and critical need for detection and removal strategies.
Full text
Web shells are malicious scripts that give attackers persistent access to compromised web servers, enabling them to execute commands and control the server remotely. These scripts exploit vulnerabilities like SQL injection, remote file inclusion (RFI), and cross-site scripting (XSS) to gain entry.

Once deployed, web shells allow attackers to manipulate the server, leading to data theft, website defacement, or serving as a launchpad for further attacks. They are especially dangerous because they are also a post-compromise access mechanism (backdoor) rather than a standalone infection. In other words, when you find a web shell, you should assume the attacker may already have established persistence, tampered with legitimate files, or harvested credentials from the environment. Given their stealth and versatility across various programming languages (PHP, Python, Ruby, ASP, Perl, Bash), web shells pose a significant threat to a website’s security.

In fact, in 2024, our scans identified the publicly accessible interfaces of known web shells on 16,978 occasions. This data clearly demonstrates how understanding and mitigating the risks associated with web shells is critical for website owners and administrators.

This article aims to provide a comprehensive overview of web shells, highlighting how they operate, the risks they introduce, and best practices for detection and prevention. By familiarizing yourself with web shells, you can better protect your website and visitors against this complex threat.

What is a web shell?

A web shell is a piece of malicious code or script that is uploaded to a compromised web server to enable remote administration by an attacker. It acts as a backdoor, giving attackers the ability to execute server commands, manipulate files, and access databases — essentially providing unauthorized access to the underlying system.

How does a web shell get on my website or server?

Although many people picture a web shell as a suspicious standalone file, defenders should also watch for malicious code appended to otherwise legitimate application files, tampered plugins or themes, malicious server modules, and altered configuration files that reload the attacker’s access after a restart.

Web shells are often planted within a server after an attacker has gained unauthorized access. Some common methods that attackers use to infiltrate web servers include:

- Cross-Site Scripting (XSS): Vulnerable websites are tricked into delivering malicious scripts to users. When executed, these scripts can hijack the interaction between the user and the site, leading to breaches.
- SQL Injections: This technique involves injecting malicious SQL statements into a database to manipulate it, execute arbitrary commands on the underlying server, and potentially access sensitive data.
- Server Misconfigurations: Attackers exploit incorrect configurations in server management tools and features to gain unauthorized access.
- File Processing and Upload Vulnerabilities: These allow attackers to upload files containing web shells to a server, where they can be executed to gain control.
- Remote Code Execution Vulnerabilities: Flaws that let attackers run arbitrary malicious code on the server.
- File Inclusion Vulnerabilities (Local and Remote – LFI, RFI): These occur when a web application improperly allows file uploads, enabling attackers to execute malicious files locally (LFI) or from a remote location (RFI).
- Exploited Services and Application Vulnerabilities: Flaws in applications and third-party services attached to the website can also serve as entry points for web shells.
- Stolen or reused credentials and exposed admin interfaces: Attackers don’t always need an exploit. In some cases they simply log in through a CMS admin panel, hosting control panel, VPN web management interface, or file manager and upload the shell directly.
- Insecure deserialization and SSRF chains: Modern intrusions often involve chained flaws rather than a single bug. Unsafe deserialization can lead to remote code execution, and SSRF can sometimes be combined with other weaknesses to reach internal services or privileged paths that help attackers gain server-side execution.

Once embedded, web shells might possess sophisticated features like encryption for evasion or user-friendly interfaces for easier execution of malicious activities.

How do web shells work?

Once a web shell is successfully uploaded to a server, it resides there as a seemingly benign file. This file, however, is a masked gateway; when accessed by the attacker through a web browser, it activates a user interface or a simple command line tool that allows the execution of commands directly on the server.

This setup allows attackers to perform a wide range of actions from the relative safety of their remote location: they can steal sensitive data, create new administrator accounts for continued access, modify server configurations, launch denial of service attacks, or use the server as a stepping stone for further attacks.

Here’s an example workflow for attacks against vulnerable, compromised websites:

- The attacker compromises a misconfigured server or exploits a known software vulnerability to gain unauthorized access.
- The attacker installs a web shell within the compromised environment.
- The attacker uses the web shell to carry out actions like stealing stored account information and customer data.
- The backdoor is used to infect other files with other kinds of malware, including credit card skimmers, SEO spam, or remote access trojans.
- The web shell attempts to move laterally to infect other websites that are within its reach.
- The web shell remains in the website environment to be used as a persistent backdoor and maintain unauthorized access.

Because the shell typically runs in the context of the web service, its initial privileges are often tied to the web server process. Attackers can then try to expand that access by reading secrets, abusing weak permissions, spawning system utilities, or moving laterally to other systems.

Web shells can sometimes be difficult to detect, as they often mimic legitimate files and employ various obfuscation techniques to evade security measures. Their capability for full server control makes them an especially dangerous tool in the attacker’s arsenal.

Types of web shells

Web shells vary in complexity and functionality, ranging from rudimentary interfaces for executing basic commands to sophisticated systems that allow full remote control over a compromised server. Understanding the differences among these types can help in identifying and neutralizing threats more effectively.

To make this malware easier to understand, we’ve broken them down into three main categories:

- Simple
- Complex
- Persistent

These categories can overlap. A minimal one-line shell can still be used for long-term access, while a feature-rich shell may only be deployed briefly during a specific phase of an attack. To better understand how attackers operate and how to detect them, web shells can be broadly grouped based on their functionality, level of complexity, and role within a compromised environment.

Simple web shells

Simple web shells are essentially minimalist interfaces that provide attackers with the capability to execute shell commands on the server. These web shells are typically small, easy to upload, and hard to detect. They lack advanced features but can be just as dangerous, allowing attackers to escalate privileges, manipulate files, or launch scripts. Given their basic nature, simple web shells are often used for initial reconnaissance or as a quick way to gain a foothold on a server.

For example, the following script is a simple web shell that may be found on compromised websites. The script is designed to be run from the compromised environment. Any commands sent to it are executed directly, effectively serving as a backdoor and allowing the attacker to run arbitrary commands in the environment.

Although small, these scripts are usually easier to detect as they rely on functions
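One defensive check that follows from the two placement patterns described above (code appended to a legitimate file, and a script dropped into an upload directory): this is an added example, not Sucuri's own code, that baselines a web root by SHA-256 and reports drift, and it assumes a PHP site whose uploads live under wp-content/uploads, with all sample files constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption for this example: a PHP site whose user uploads live under
# wp-content/uploads, where no server-executable file should ever appear.
EXECUTABLE_EXT = {".php", ".phtml", ".php5", ".phar"}
UPLOAD_DIRS = ("wp-content/uploads",)

def baseline(webroot):
    """Snapshot every file under webroot as {relative posix path: sha256}."""
    root = Path(webroot)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def scan(webroot, known):
    """Diff the live tree against a trusted baseline; also flag executable
    files inside upload directories, which are suspicious even if unchanged."""
    current = baseline(webroot)
    return {
        "added": sorted(p for p in current if p not in known),
        "modified": sorted(p for p in current if p in known and current[p] != known[p]),
        "removed": sorted(p for p in known if p not in current),
        "exec_in_uploads": sorted(
            p for p in current
            if Path(p).suffix.lower() in EXECUTABLE_EXT
            and any(p.startswith(d + "/") for d in UPLOAD_DIRS)
        ),
    }

def demo():
    """Constructed scenario: baseline a clean site, then simulate tampering."""
    root = Path(tempfile.mkdtemp())

    def write(rel, text):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)

    write("index.php", "<?php echo 'site'; ?>\n")
    write("wp-content/plugins/demo/demo.php", "<?php // constructed plugin ?>\n")
    write("wp-content/uploads/2024/photo.jpg", "constructed image placeholder\n")
    known = baseline(root)  # trusted snapshot taken while the site is clean
    # Simulate appended code in a legitimate plugin and a new script in uploads.
    write("wp-content/plugins/demo/demo.php", "<?php // constructed plugin ?>\n// appended\n")
    write("wp-content/uploads/2024/img.php", "<?php // constructed: unexpected script ?>\n")
    return scan(root, known)
```

Run the baseline while the site is known clean and store it off-host; a scheduled scan then surfaces exactly the file-level changes a shell leaves behind, before any signature-based review of the flagged files.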
Indicators of Compromise
- mitre_attack — T1190
- mitre_attack — T1505.003
- mitre_attack — T1505.004
- mitre_attack — T1652
- mitre_attack — T1592