The US National Security Agency (NSA) and the Australian Signals Directorate (ASD) have published a security advisory this week warning companies to search web-facing and internal servers for common web shells.
Web shells are one of today’s most popular forms of malware. The term “web shell” refers to a malicious program or script that’s installed on a hacked server.
Web shells provide a visual interface that hackers can use to interact with the hacked server and its filesystem. Most web shells come with features to let hackers rename, copy, move, edit, or upload new files on a server. They can also be used to change file and directory permissions, or archive and download (steal) data from the server.
Hackers install web shells by exploiting vulnerabilities in internet-facing servers or web applications (such as CMS, CMS plugins, CMS themes, CRMs, intranets, or other enterprise apps, etc.).
Web shells can be written in any programming language, from Go to PHP. This allows hackers to hide web shells inside any website’s code under generic names (like index.asp or uploader.php), which makes detection by a human operator almost impossible without the aid of a web firewall or web malware scanner.
In a report published in February this year, Microsoft said it detects around 77,000 active web shells on a daily basis, making this web shells one of today’s most prevalent malware types.
Web shells can act as backdoors into internal networks
However, many companies don’t fully understand the danger of having a web shell installed on their systems. Web shells, basically, act as backdoors, and need to be treated with the utmost importance and urgency.
In a security advisory published this week, the NSA and ASD raised awareness towards this often ignored attack vector.
“Web shells can serve as persistent backdoors or as relay nodes to route attacker commands to other systems,” the two agencies said. “Attackers frequently chain together web shells on multiple compromised systems to route traffic across networks, such as from internet-facing systems to internal networks.”
The two agencies have now published a joint 17-page report [PDF] that contains tools to help system administrators detect and deal with these types of threats. The advisory includes:
- Scripts to compare a production website to a known-good image
- Splunk queries for detecting anomalous URLs in web traffic
- An Internet Information Services (IIS) log analysis tool
- Network traffic signatures for common web shells
- Instructions for identifying unexpected network flows
- Instructions for identifying abnormal process invocations in Sysmon data
- Instructions for identifying abnormal process invocations with Auditd
- HIPS rules for blocking changes to web-accessible directories
- A list of commonly exploited web application vulnerabilities
Some of the tools mentioned in the advisory are also available on the NSA’s GitHub profile.
While all the advice and free tools included in the joint advisory are great, it’s preferred and recommended that system administrators patch systems before moving to search already-compromised hosts. The NSA and ASD’s list of commonly exploited server software is a good place to start patching, as these systems have been heavily targeted in recent months.
The list includes vulnerabilities in popular tools like Microsoft SharePoint, Microsoft Exchange, Citrix, Atlassian Confluence, WordPress, the Zoho ManageEngine, and Adobe ColdFusion.
“This list is not intended to be exhaustive, but it provides insight on some frequently exploited cases,” the NSA and ASD said.
“Organizations are encouraged to patch both internet-facing and internal web applications rapidly to counter the risks from ‘n-day’ vulnerabilities.”