This blog describes briefly what WebShells are, and how attackers can use WebShells to gain powerful shell level/system level access to a server. WebShells have been used in attacks for quite a long time now, but with changes in attack trends, cyber criminals are getting more sophisticated with deployment techniques and methods to circumvent detection. With the help of our Websense® ThreatSeeker® Intelligence Cloud, we came across a few examples in which attackers have used different techniques. These are elaborated on further in this blog.
Many mass compromises are accomplished in an automated fashion: vulnerabilities are enumerated, and after one is found, exploits are automatically deployed. The takeover process usually involves downloading a remote administration tool for the compromised website. One common tool deployed by attackers once they compromise a website is a WebShell.
The above diagram shows an attack where the attacker finds a vulnerability in a hosted web application and manages to upload a malicious application backdoor in one of the server supported languages. This gives him control over the entire web server.
What is a WebShell?
A WebShell is a script/code (written in scripting languages such as PHP, Perl, or Python) that runs on the system and can remotely administer a machine. Although WebShells are used as a Remote Administration Tool for many legitimate reasons, they can still be abused by malware authors to compromise websites. Once the attacker gets a web server to execute the script, he gains shell-level access to the host operating system running with the same privileges as the web server. To avoid detection by firewalls or antivirus technologies, the attacker usually employs evasion techniques such as code obfuscation and encryption. To thwart this aspect of the WebShell's propagation, a full content inspection approach can reveal, and intercept, a wide variety of common obfuscation techniques and even decrypt the script to expose its real intent. Let's look at an example.
In the following example, we see a custom WebShell called "oRb". The actual WebShell body is obfuscated to avoid detection, using a preg_replace function with the "e" modifier. Hex encoding has been used to conceal eval(gzinflate(base64_decode( .
The URL that serves the WebShell further tries to confuse or mislead security tools by declaring in the header that thecontent type is animage file, as you can see below:
With its real-time scanning capability, Websense ACE™ (our Advanced Classification Engine) detects the obfuscation methods and techniques discussed above.
Let's now look at a second example to see the type of functionality that WebShells encompass. In this case we see a non-obfuscated version of "RC Shell v2.0", which is similar to our previous example in that it also tries to hide as an image:
A working WebShell
Once the WebShell script is run, it provides a web interface for remote operations on the server, including, but not limited to:
- Server Information
- File manager (access to file system)
- Access to execute commands
- SQL manager
- PHP code execution
- Bruteforce FTP, MySQL, PgSQL
- Search files, search text in files
- Malicious content upload
- Mass code injection
This animated image shows how it would look when run (click the image to open; the animation loops):
Websense ThreatSeeker Intelligence Cloud processes approximately up to 5 billion web requests per day, and out of those requests, just yesterday we found 1400 unique examples of threats using WebShells in different countries. Here is an example of how one obfuscated WebShell is spread around the globe.
How does Websense protect against WebShells?
The animated graphic above shows how powerful the access can be for an attacker.
ACE will block access to this malicious WebShell script/page if your end users locate such a script. In addition to preventing access to the malicious WebShell script/page, we monitor outbound content to prevent sensitive data from leaving an organization via shell commands even if the abused channel is SSL-encrypted - which is a common advanced malware technique. With the help of web telemetry we can generalize to the tune of 85,000,000+ compromised websites and thus learn from them, including what we have discussed here about WebShells.