An Introduction to Web-Shells – Final Part (Detection and Prevention)
Detection
If an administrator suspects that a web-shell is present on their system (or during a routine check), the following are some things to examine.
Firstly, the server access and error logs must be filtered for common keywords used by web shells, including known filenames and/or parameter names. The example below looks for the string ‘file’ in request URLs in the Apache HTTP Server access log.
[email protected]:/var/www/html# cat /var/log/apache2/access.log | awk -F\" ' { print $1,$2 } ' | grep "file"
--> 192.168.5.26 - - [30/Apr/2016:08:30:53 +0100] GET /demo/shell.php?file=/etc/passwd
The filesystem (usually the web server root) must be searched for common strings in files or filenames.
[email protected]:/var/www/html/demo# grep -RPn "(passthru|exec|eval|shell_exec|assert|str_rot13|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\("
--> Shell.php:8: eval($string);
eval.php:1:<?php system($_SERVER['HTTP_USER_AGENT']); ?>
Ad.php:9: eval($string);
Search for very long lines, which may indicate encoded or obfuscated code. Some backdoors consist of thousands of lines of code packed into a single string.
[email protected]:/var/www/html/demo# awk 'length($0)>100' *.php
--> eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXefMcFUL5EXf/yqceii7e8n9JvOYE9t8sT8cs//cfWUXldLpKsQ2LCH7EcnuYdrqeqDHEDz+4uJYWH3YLflGUnDJ40DjU/AL1miwEJPpBWlsAxTrgB46jRW/00XpggW00yDI/H1kD7UqxI/3qjQZ4vz7HLsfNVW1BeQKiVH2VTrXtoiaKYdkT4o/p1E8W/n5eVhagV7GanBn0U7OCfD7zPbCQyO0N/QGtstthqJBia5QJsR6xCgkHpBo1kQMlLt6u++SBvtw5KSMwtG4R2yctd0mBNrlB3QQo4aQKGRgRjTa0xYFw1vVM9ySOMd44sSrPe…
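The three checks above (keyword in the request URL, dangerous PHP function calls, over-long lines) combined into one small triage script. This is an added example, not code from the original article; the regexes mirror the article's grep and awk commands, and the PHP snippets and log lines it scans are constructed sample data.

```python
import re

# Function names copied from the grep above; \b avoids matching e.g. myexec(
DANGEROUS_CALL = re.compile(
    r"\b(passthru|exec|eval|shell_exec|assert|str_rot13|system|phpinfo|"
    r"base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(")
LONG_LINE = 100  # same threshold as the awk 'length($0)>100' check
# Apache common/combined log prefix: ip ident user [time] "method url proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def scan_php_source(name, text):
    """Flag dangerous calls and suspiciously long lines in one PHP file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DANGEROUS_CALL.search(line)
        if m:
            findings.append((name, lineno, f"call to {m.group(1)}()"))
        if len(line) > LONG_LINE:
            findings.append((name, lineno, f"line over {LONG_LINE} chars (possible encoded payload)"))
    return findings

def scan_access_log(lines, keyword="file"):
    """Return (ip, method, url) for requests whose query string contains keyword.
    Only the query string is checked, which avoids false positives on paths like /profile.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and keyword in m.group(4).partition("?")[2]:
            hits.append((m.group(1), m.group(3), m.group(4)))
    return hits

# Constructed sample data (hypothetical, not taken from any real server)
SAMPLE_PHP = {
    "eval.php": "<?php system($_SERVER['HTTP_USER_AGENT']); ?>",
    "index.php": "<?php\necho 'hello';\n",
    "shell.php": "<?php\n$string = gzinflate(base64_decode('" + "H" * 120
                 + "'));\neval($string);\n",
}
SAMPLE_LOG = [
    '192.168.5.26 - - [30/Apr/2016:08:30:53 +0100] "GET /demo/shell.php?file=/etc/passwd HTTP/1.1" 200 512',
    '192.168.5.30 - - [30/Apr/2016:08:31:02 +0100] "GET /profile.php HTTP/1.1" 200 1024',
    '192.168.5.26 - - [30/Apr/2016:08:32:10 +0100] "POST /demo/eval.php HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for name, text in SAMPLE_PHP.items():
        for f in scan_php_source(name, text):
            print("%s:%d: %s" % f)
    for ip, method, url in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {method} {url}")
```

On a real host, replace SAMPLE_PHP with the contents of files found under the web root and SAMPLE_LOG with lines read from the access log.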
Search for files modified in the last X days. In the following example we searched for *.php files changed within the last day, but it is recommended to search for any file change, as a web-shell can also be embedded into an image or any other file.
[email protected]:/var/www/html/# find -name '*.php' -mtime -1 -ls
--> 2885788 4 drwxrwxr-x 2 secuser secuser 4096 Apr 30 06:59 /demo/shell.php
2886629 4 -rw-rw-r-- 1 secuser secuser 260 Apr 29 11:25 /demo/b.php
2897510 4 -rw-r--r-- 1 root root 35 Apr 29 13:46 /demo/source.php
2883635 4 -rw-r--r-- 1 www-data www-data 1332 Apr 29 12:09 ./ma.php
Monitor the network for unusual traffic and connections, for example outbound connections from the web server process or from tools such as nc.
[email protected]:/var/www/html/demo# netstat -nputw
--> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.5.25:37040 192.168.5.26:8181 ESTABLISHED 2150/nc
tcp 0 0 192.168.5.25:22 192.168.5.1:52455 ESTABLISHED 2001/sshd: secuser
tcp6 1 0 ::1:46672 ::1:631 CLOSE_WAIT 918/cups-browsed
tcp6 0 0 192.168.5.25:80 192.168.5.26:39470 ESTABLISHED 1766/apache2
tcp6 1 0 ::1:46674 ::1:631 CLOSE_WAIT 918/cups-browsed
Analyze .htaccess files for modifications. The following are examples of changes an attacker might make to .htaccess files.
# The AddType directive maps the given filename extensions onto the specified content type
AddType application/x-httpd-php .htaccess
AddType application/x-httpd-php .jpg
Prevention
The following is a non-exhaustive list of preventive measures to take in relation to web-shells.
- If not used, disable potentially dangerous PHP functions such as exec(), shell_exec(), passthru(), system(), show_source(), proc_open(), pcntl_exec(), eval() and assert().
- If it’s an absolute necessity to have those commands enabled, make sure that unauthorized users do not have access to these scripts. Additionally, use escapeshellarg() and escapeshellcmd() to ensure that user input cannot be injected into shell commands, resulting in command execution vulnerabilities.
- If your web application is using upload forms, make sure they are secure and that they only allow whitelisted file types to be uploaded.
- Never trust user input
- Do not blindly use code that you may find on online forums or websites.
- In the case of WordPress, try to avoid installing third-party plugins if you do not need them. If you need to make use of a plugin, ensure it is reputable and frequently updated.
- Disable PHP execution in sensitive directories such as images or uploads.
- Lock down the web server user’s permissions.