Infosec Security News Tutorials

Web Shells in PHP – Detection and Prevention Part 2

In our previous tutorial, we saw how easily we could craft a simple yet powerful web shell in PHP. And, you may be surprised to know that many web servers are configured in such a way that even a simple web shell can cause significant damage to your system.

Impact: A successfully uploaded shell script may allow a remote attacker to bypass security restrictions and gain unauthorized system access.

 

In this tutorial, we shall see how we can detect and prevent such web shells. One thing to note is due to the potential simplicity and ease of modification of web shells, they can be difficult to detect by anti-virus products sometimes.

 

Before we can set out to detect web shells, I think it is important to understand the behaviors /indicators of your system that has been infected by a web shell. I have taken the excerpt from us-cert.gov.
  • Abnormal periods of high site usage (due to potential uploading and downloading activity);
  • Files with an unusual timestamp (e.g., more recent than the last update of the web applications installed);
  • Suspicious files in Internet-accessible locations (web root);
  • Files containing references to suspicious keywords such as cmd.exe or eval;
  • Unexpected connections in logs. For example:
    • A file type generating unexpected or anomalous network traffic (e.g., a JPG file making requests with POST parameters);
    • Suspicious logins originating from internal subnets to DMZ servers and vice versa.
  • Any evidence of suspicious shell commands, such as directory traversal, by the web-server process.

Detection

Method 1:  Web Shell Detector is a PHP script that helps you find and identify PHP/CGI(Perl)/asp/aspx shells. The creators of this tool claim that the web shell detector has a “web shell” signature database that helps to identify “web shell” up to 99%. It has a signature database of about 603 web shells as of today.

As they instruct in the README.MD, I have placed the shelldetect.db and shelldetect.php files in the root of the directory which in my case is /var/www/html.

Now I am adding a simple web shell that we created together in the previous tutorial.

Now I would check if the Web Shell Detector tool could detect the web-shell I have placed under the name –simple-web-shell.php. And, to do so, I shall go to my-domain-name.com/shelldetect.php and log in with the default username and password that is admin and protect respectively. (If you are using this tool in production, please keep a difficult password. You can easily edit shelldetect.php to change the password.)

As you can see above, you get a lot of information about the web shell we created. Remember, this script won’t remove the web shell automatically, you have to remove it yourself once it has been identified.

Method 2: You must always search for common strings in files or filenames inside the webserver root directory.

grep -RPn "(passthru|exec|eval|shell_exec|assert|str_rot13|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\("

Don’t forget to monitor the network traffic. It may give you a hint if anything has gone wrong.

Prevention

  • Never trust user input.
  • Avoid using code snippets/files you find on the web. It is important to have an in-depth understanding of the working of code. Web shell can be shared through online plugins, code files, etc.
  • As we have talked about some of the dangerous functions in the first tutorial, if you don’t use them, disable such as exec()shell_exec()passthru()system()show_source()proc_open()pcntl_exec()eval(), and assert()
  • Deploy a web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.

Further Reading

Leave a Comment

Your email address will not be published.

You may also like