WebShells on the Web Server

This blog post describes briefly what WebShells are, and how attackers can use WebShells to gain powerful shell-level/system-level access to a server. WebShells have been used in attacks for quite a long time now, but with changes in attack trends, cyber criminals are getting more sophisticated with deployment techniques and methods to circumvent detection. With the help of our Websense® ThreatSeeker® Intelligence Cloud, we came across a few examples in which attackers have used different techniques. These are elaborated on further in this blog post.

Many mass compromises are accomplished in an automated fashion: vulnerabilities are enumerated, and once one is found, exploits are automatically deployed. The takeover process usually involves downloading a remote administration tool for the compromised website. One common tool deployed by attackers once they compromise a website is a WebShell.

The above diagram shows an attack where the attacker finds a vulnerability in a hosted web application and manages to upload a malicious application backdoor in one of the server-supported languages. This gives him control over the entire web server.

What is a WebShell?

A WebShell is a script/code (written in scripting languages such as PHP, Perl, or Python) that runs on the system and can remotely administer a machine. Although WebShells are used as a Remote Administration Tool for many legitimate reasons, they can nevertheless be abused by malware authors to compromise websites. Once the attacker gets a web server to execute the script, he gains shell-level access to the host operating system, running with the same privileges as the web server. To avoid detection by firewalls or antivirus technologies, the attacker usually employs evasion techniques such as code obfuscation and encryption. To thwart this aspect of the WebShell's propagation, a full content inspection approach can reveal, and intercept, a wide variety of common obfuscation techniques and even decrypt the script to expose its real intent. Let's look at an example.

In the following example, we encounter a custom WebShell called “oRb”. The actual WebShell body is obfuscated to avoid detection, using a preg_replace function with the “e” modifier. Hex encoding has been used to conceal the eval(gzinflate(base64_decode(...))) call.

The URL that serves the WebShell further tries to confuse or mislead security tools by declaring in the header that the content type is an image file, as you can see below:

With its real-time scanning capability, Websense ACE™ (our Advanced Classification Engine) detects the obfuscation methods and techniques discussed above.
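The layered decoding a content inspector has to perform on a sample like oRb (hex escapes hiding a preg_replace /e call, which in turn evaluates gzinflate(base64_decode(...))) can be shown in a few lines. The following is an added example, not Websense code and not the oRb shell itself; the sample WebShell body it wraps is constructed here purely as detector input, and the indicator names and thresholds are assumptions.

```python
import re
import zlib
import base64

# Indicators of the obfuscation described above: preg_replace with the /e
# modifier, runs of \xNN hex escapes, and eval(gzinflate(base64_decode(...))).
PREG_E = re.compile(r'preg_replace\s*\(\s*["\'](.)(.*?)\1([a-zA-Z]*)["\']')
HEX_RUN = re.compile(r'(?:\\x[0-9a-fA-F]{2}){4,}')
B64_ARG = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
DANGEROUS = re.compile(r'\b(system|shell_exec|passthru|exec|proc_open|popen)\s*\(')

def decode_hex_runs(text):
    # Turn PHP-style \xNN escape runs back into the characters they hide.
    return HEX_RUN.sub(lambda m: bytes.fromhex(m.group(0).replace('\\x', '')).decode('latin-1'), text)

def peel_layers(text, max_depth=8):
    """Undo one wrapping per step (hex escapes, then base64 + raw DEFLATE as gzinflate() expects)."""
    layers = [text]
    for _ in range(max_depth):
        cur = layers[-1]
        nxt = decode_hex_runs(cur)
        if nxt == cur:
            m = B64_ARG.search(cur)
            if not m:
                break
            raw = base64.b64decode(m.group(1))
            try:
                nxt = zlib.decompress(raw, -15).decode('latin-1')
            except zlib.error:
                nxt = raw.decode('latin-1')  # base64 without compression
        layers.append(nxt)
    return layers

def analyze(source):
    """Report obfuscation indicators plus the calls visible once all layers are peeled."""
    layers = peel_layers(source)
    return {
        'preg_replace_e': any('e' in m.group(3) for m in PREG_E.finditer(source)),
        'hex_encoding': bool(HEX_RUN.search(source)),
        'eval_gzinflate': any('eval(gzinflate(base64_decode(' in l for l in layers),
        'dangerous_calls': sorted(set(DANGEROUS.findall(layers[-1]))),
        'layers': len(layers),
        'final': layers[-1],
    }

INNER = "<?php system($_REQUEST['c']); ?>"  # constructed inert sample body

def build_sample(inner=INNER):
    """Wrap a body the way the oRb sample above was wrapped (constructed test input)."""
    co = zlib.compressobj(wbits=-15)  # raw DEFLATE, the format gzinflate() consumes
    b64 = base64.b64encode(co.compress(inner.encode()) + co.flush()).decode()
    hexed = ''.join('\\x%02x' % b for b in ("eval(gzinflate(base64_decode('%s')))" % b64).encode())
    return '<?php preg_replace("/.*/e", "%s", ""); ?>' % hexed
```

Running analyze(build_sample()) peels three layers and reports the preg_replace /e, hex encoding and eval(gzinflate(base64_decode(...))) indicators together with the system() call the wrapping concealed.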

Let's now look at a second example to see the type of functionality that WebShells encompass. In this case we see a non-obfuscated version of “RC Crush v2.0”, which is similar to our previous example in that it also tries to hide as an image:

A working WebShell

Once the WebShell script is run, it provides a web interface for remote operations on the server, including, but not limited to:

  • Server Information
  • File manager (access to file system)
  • Access to execute commands
  • SQL manager
  • PHP code execution
  • Bruteforce FTP, MySQL, PgSQL
  • Search files, search text in files
  • Malicious content upload
  • Mass code injection

This animated image shows how it would look when run (click the image to open; the animation loops):

Websense ThreatSeeker Intelligence Cloud processes up to 5 billion web requests per day, and out of those requests, just yesterday we found 1400 unique examples of threats using WebShells in different countries. Here is an example of how one obfuscated WebShell is spread around the world.

How does Websense protect against WebShells?

The animated graphic above shows how powerful the access can be for an attacker.

ACE will block access to this malicious WebShell script/page if your end users locate such a script. In addition to preventing access to the malicious WebShell script/page, we monitor outbound content to prevent sensitive data from leaving an organization via shell commands even if the abused channel is SSL-encrypted – which is a common advanced malware technique. With the help of web telemetry we can generalize to the tune of 85,000,000+ compromised websites and thus learn from them, including what we have discussed here about WebShells. Have a read of our Threat Report to find out more.

Source: https://www.forcepoint.com/blog/x-labs/webshells-webshells-web-server
