How Do Web Shell Attacks Affect Your Web Servers?

A web shell is a malicious script that an attacker places on an already compromised web application in order to keep persistent access to it. A web shell is always a second phase of an attack, because it cannot by itself exploit a remote vulnerability (this stage is also referred to as post-exploitation).

Web shell attacks occur when an attacker manages to write a file of their own into the web server's document directory; from then on they can run the commands the file contains simply by requesting it from a web browser.

A web shell can also act as a relay point for sending commands to machines inside the network that have no direct Internet connection. Web shells can take part in command-and-control networks; for instance, they can be used to breach a host and add it to a botnet. By spreading the web shell to other systems on the network, attackers can compromise further resources.

Hackers deploy web shells through a variety of web application flaws and exploits, such as SQL injection (SQLi) and cross-site scripting (XSS). They also use flaws in services and programs, flaws in file processing, exposed admin interfaces, and local file inclusion (LFI) and remote file inclusion (RFI) vulnerabilities.

Hackers employ web shells in a variety of situations, including −

  • Collecting and leaking personal data and credentials.

  • Uploading malware that serves as a springboard for further infection and for scanning for new victims.

  • Altering or including files on websites.

Web Shell Attack Examples

A few well-known web shell families are used by hackers, including China Chopper, WSO, C99, and B374K. Most web shells, however, are newly written, and only a small number of hackers are familiar with their patterns.

  • China Chopper − A small web shell that comprises numerous command-and-control capabilities and a password brute-force feature.

  • Web Shell by Orb (WSO) − It can disguise itself as an error page while containing concealed login forms.

  • C99 − A more advanced version of WSO with extra features. It can display the server's security settings and includes self-destruct options.

  • B374K − Written in PHP, with basic features for reading files and running commands.

How is the Web Shell Installed?

To install a web shell, the hacker first has to find a web server with a vulnerability. To identify vulnerable servers quickly, hackers use scanning services. They also use reports on recently discovered web server vulnerabilities to find exposed servers quickly, and install the web shell on the affected websites before patches are applied.

The web shell can be deployed by taking advantage of several web server flaws, including cross-site scripting (XSS), SQL injection, local file inclusion (LFI), and remote file inclusion (RFI).

  • Local File Inclusion (LFI) and Remote File Inclusion (RFI) − These vulnerabilities appear when a web application lets user-supplied input decide which files the server loads. They let the hacker read and use files on the victim's machine as well. With RFI, the hacker can run code hosted on their own computer, whereas with LFI only files already on the local system can be included.

  • Cross-Site Scripting (XSS) − It uses vulnerable websites to deliver malicious scripts to users' browsers; when the script runs, it compromises the connection between the user and the web application. The hacker then poses as the user to gain access to the user's account and obtain its data.

  • SQL Injection − It lets hackers read and tamper with the communication between applications and servers that carries sensitive data, including user information, application information, and more. The attacker may be able to change or remove data, which affects how the application functions.

How to Detect Web Shells?

Web shells can be concealed within seemingly innocent files, which makes them difficult to discover. For instance, a web shell script may be embedded inside a picture and uploaded to the target web server. Because the upload looks like a mere photo, analysis finds nothing suspicious. However, if the web server hands media files to a server-side interpreter, a browser request for the image is enough to run the embedded code.

Security measures must be put in place at the boundary between Internet-facing servers and the Internet, tracking every process execution and every script file written.

Another method with a high degree of accuracy is comparing suspicious files against a database of known web shell signatures. Shell Detector can help with this.
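The two detection ideas above, matching file contents against known web shell constructs and catching script code hidden inside files that claim to be images, can be combined into one scanner. The following is an added example written for this article, not code from the page or from Shell Detector; the indicator list, weights, threshold and the three sample files are constructed for the demonstration, and a real deployment would use a maintained signature database.

```python
"""Scan a web root for files that look like web shells (added example)."""
import os
import re
import tempfile

# Constructs that are common in PHP web shells and rare in ordinary
# application code. Each hit adds its weight to the file's score.
INDICATORS = [
    (re.compile(rb"\beval\s*\(", re.I), 3),
    (re.compile(rb"\b(system|shell_exec|passthru|popen|proc_open)\s*\(", re.I), 3),
    (re.compile(rb"\bbase64_decode\s*\(", re.I), 2),
    (re.compile(rb"\bstr_rot13\s*\(|\bgzinflate\s*\(", re.I), 2),
    (re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I), 1),
    (re.compile(rb"\bmove_uploaded_file\s*\(", re.I), 1),
]

# Magic bytes of the image formats an upload directory typically holds.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

PHP_TAG = re.compile(rb"<\?(php|=)", re.I)


def score_content(data: bytes) -> int:
    """Return the summed weight of the indicators found in the file contents."""
    return sum(weight for pattern, weight in INDICATORS if pattern.search(data))


def image_with_code(data: bytes) -> bool:
    """True when the file starts like an image but also carries a PHP open tag."""
    looks_like_image = any(data.startswith(magic) for magic in IMAGE_MAGIC)
    return looks_like_image and PHP_TAG.search(data) is not None


def scan_webroot(root: str, threshold: int = 4) -> dict:
    """Walk `root` and map each suspicious relative path to the reasons it was flagged."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            reasons = []
            score = score_content(data)
            if score >= threshold:
                reasons.append(f"indicator score {score}")
            if image_with_code(data):
                reasons.append("PHP tag inside image file")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def demo() -> dict:
    """Build a constructed web root: one benign page, one shell, one image polyglot."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.php": b"<?php echo 'hello ' . htmlspecialchars($_GET['name']); ?>",
        "uploads/cache.php": b"<?php @eval(base64_decode($_POST['c'])); ?>",
        "uploads/avatar.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16
        + b"<?php system($_GET['x']); ?>",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return scan_webroot(root)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

The benign `index.php` also reads `$_GET`, which is why a single indicator is weighted low and a threshold is applied: the point of the scoring is to flag the combination of request input, decoding and code execution rather than any one function. Files that pass the score test are still inspected for the image-polyglot case, since a disguised shell may contain only one dangerous call.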

How Does a Web Shell Work?

In this section, let's see how a Web Shell Works −

Persistent Remote Access

Web shell scripts provide a backdoor that lets attackers access a vulnerable server remotely. Persistent attackers do not need to exploit a new vulnerability for each malicious action. Some attackers go so far as to patch the flaw they used, both to avoid discovery and to stop others from using it. Many web shells employ measures such as password authentication to ensure that only the attacker can access them. Most web shells obfuscate their code to prevent search engines from blacklisting the website where the shell is installed.

Pivoting and Launching Attacks

Attackers can use web shells to pivot to other targets both inside and outside the network. Enumeration, which involves sniffing network traffic to find live hosts, firewalls, and routers, can take weeks. During this time attackers keep a low profile to avoid discovery. A persistent attacker on a network advances slowly and may use a compromised system to attack further targets. This helps the attacker stay anonymous, and hopping between multiple machines can make it nearly impossible to identify the origin of the attacks.

Privilege Escalation

Web shells typically run with the limited permissions of the web server user. Attackers can use the web shell to exploit system flaws, escalate privileges, and obtain root access. With root access, an attacker can do practically anything, including install software, modify permissions, add or remove users, read emails, steal passwords, and more.

Bot Herding

Web shells can be used to link servers to a botnet (a network of systems controlled by the attacker). The compromised servers carry out instructions that the attacker sends via a command-and-control server connected to the web shell. This is a typical strategy for bandwidth-intensive DDoS attacks. Rather than directly attacking the system where the web shell is installed, attackers use its resources to attack more valuable targets.

How to Protect Your Device from Web Shell?

You can take the following measures to protect your device from Web Shell attacks −

File Integrity Monitoring

File integrity monitoring (FIM) solutions are designed to catch file changes in folders accessible via the web. When a modification is detected, FIM tools notify administrators and security personnel. FIM can detect problems in real time, as soon as a file is saved to a monitored directory, so security personnel can find and remove web shells more quickly. Integrity monitoring programs can be configured to permit some file modifications while prohibiting others: if your web application only ever handles PDF files, for instance, the integrity monitoring system can block any upload that does not have the ".pdf" extension.
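A minimal version of the FIM workflow just described, as an added example that is not code from the page or from any FIM product: a baseline of SHA-256 hashes is taken, the directory is re-scanned later, and every added, modified or removed file is reported. Added files are also checked against an extension allowlist, mirroring the article's PDF-only application. The directory layout and the sample files are constructed for the demonstration.

```python
"""Baseline-and-diff file integrity check for a web-accessible directory (added example)."""
import hashlib
import os
import tempfile


def hash_tree(root: str) -> dict:
    """Map each relative path under `root` to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def diff_baseline(baseline: dict, current: dict, allowed_ext=(".pdf",)) -> dict:
    """Compare two snapshots and classify every change.

    Returns sorted relative paths under the keys "added", "modified",
    "removed" and "policy_violations"; the last lists added files whose
    extension is not in `allowed_ext`.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    violations = sorted(
        p for p in added if os.path.splitext(p)[1].lower() not in allowed_ext
    )
    return {"added": added, "modified": modified, "removed": removed,
            "policy_violations": violations}


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Constructed scenario: a PDF-only document directory gains a stray script."""
    root = tempfile.mkdtemp(prefix="docs_")
    _write(root, "reports/q1.pdf", b"%PDF-1.4 constructed sample")
    _write(root, "reports/q2.pdf", b"%PDF-1.4 second sample")
    baseline = hash_tree(root)
    # Simulate what happens between two scans: one legitimate upload, one
    # tampered report, one deleted report and a script dropped into the tree.
    _write(root, "reports/q3.pdf", b"%PDF-1.4 new quarterly report")
    _write(root, "reports/q1.pdf", b"%PDF-1.4 constructed sample (tampered)")
    _write(root, "reports/helper.php", b"<?php /* constructed: should never be here */ ?>")
    os.remove(os.path.join(root, "reports", "q2.pdf"))
    return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline is stored outside the web root (ideally on a separate host or signed), the scan runs on a timer or from an inotify-style watcher, and the "policy_violations" list is what gets paged on first, since a newly written non-PDF file in a PDF-only directory is the article's definition of an unauthorized change.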

Web Application Permissions

Permissions for web applications should be designed around the principle of least privilege. The fundamental idea is to grant users only those privileges necessary to carry out their assigned duties, so that no user has access to resources they should not have and compromised accounts are limited in what they can do.

Following the least privilege principle can stop threat actors from uploading a web shell to vulnerable applications. In practice this means denying the web application the ability to write to, or modify, code that is available on the web. With this approach, the server prevents the actor from writing into the web-accessible directory.
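One way to verify that the least-privilege layout just described actually holds on a server is to audit the document root. The script below is an added example, not code from the page: it reports (1) code files or directories that the web server account could write to, judged from Unix ownership and mode bits, and (2) server-side scripts sitting inside an upload directory, which by the article's reasoning should hold data only. The web server account, the `uploads` directory name, the script extension list and the sample tree are constructed assumptions.

```python
"""Audit a web root for least-privilege violations (added example)."""
import os
import stat
import tempfile

SCRIPT_EXTENSIONS = (".php", ".phtml", ".phar", ".php5")  # constructed list


def writable_by(st: os.stat_result, uid: int, gids: set) -> bool:
    """Decide from ownership and mode bits whether `uid` (a member of `gids`) can write."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_webroot(root: str, web_uid: int, web_gids: set,
                  upload_dirs=("uploads",)) -> list:
    """Return sorted (relative_path, problem) pairs for the tree under `root`."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            in_uploads = rel.split(os.sep)[0] in upload_dirs
            st = os.lstat(path)
            # Code directories must be read-only for the web server account;
            # the upload area is expected to be writable, so it is skipped here.
            if not in_uploads and writable_by(st, web_uid, web_gids):
                findings.append((rel, "writable by web server account"))
            # Nothing in the upload area should be an executable server-side script.
            if in_uploads and name.lower().endswith(SCRIPT_EXTENSIONS):
                findings.append((rel, "server-side script in upload directory"))
    return sorted(findings)


def _put(root: str, rel: str, data: bytes, mode: int) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo() -> list:
    """Constructed tree: hardened index.php, a still-writable config file, a script in uploads."""
    root = tempfile.mkdtemp(prefix="docroot_")
    _put(root, "index.php", b"<?php echo 'ok'; ?>", 0o444)
    _put(root, "config/app.php", b"<?php /* constructed */ ?>", 0o664)
    os.chmod(os.path.join(root, "config"), 0o555)
    _put(root, "uploads/photo.jpg", b"\xff\xd8\xff", 0o664)
    _put(root, "uploads/shell.php", b"<?php /* constructed */ ?>", 0o664)
    os.chmod(os.path.join(root, "uploads"), 0o775)
    # Treat the account running this script as the web server account so the
    # demo is self-contained; in production pass the real www-data uid and gids.
    return audit_webroot(root, os.getuid(), {os.getgid()})


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{rel}: {problem}")
```

The audit checks mode bits rather than calling `os.access`, so it can be run as an administrator on behalf of the web server account without switching users. Fixing the first class of finding means changing ownership or removing the write bit; fixing the second means both deleting the file and configuring the web server not to execute scripts from the upload directory at all.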

Intrusion Prevention and Web Application Firewalls

An intrusion prevention system (IPS) is a network security technology that guards against threats by monitoring network traffic. Web application firewalls (WAFs) defend against threats by filtering, monitoring, and restricting HTTP traffic going to and coming from web services. When implementing intrusion protection, organizations should use a combination of technologies. IPS and WAF systems can track traffic patterns and block known malicious uploads. Each security appliance added to the environment should ideally be tuned to the enterprise's specific requirements.

Endpoint Detection and Response (EDR)

Specific host logging and endpoint detection and response (EDR) solutions can help defend against web shell attacks. These tools track system calls and look for irregularities in process history and for malicious behaviour patterns in order to find web shells. EDR solutions with web shell protection features can see every process running on an endpoint, including the system calls it invokes, and detect when a web shell causes unusual activity in a web server process. For instance, a web server process does not normally start the "ipconfig" tool. Web shells frequently perform this kind of reconnaissance, which behavioural analysis can identify.
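The behavioural rule in the paragraph above (a web server process spawning a shell or a reconnaissance tool such as ipconfig) can be expressed as a parent/child check over process-creation records. The following is an added example, not code from the page or from any EDR product: the records are constructed, the field names `ParentImage`, `Image`, `CommandLine` and `User` borrow the Sysmon Event ID 1 naming, and the lists of web server parents and suspicious children are assumptions to be tuned per environment.

```python
"""Flag web server processes that spawn shells or reconnaissance tools (added example)."""
import re

# Process names that belong to common web servers and PHP runtimes (assumed list).
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm", "php-cgi", "tomcat"}
# Children a web server process should not normally launch (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "sh", "bash", "ipconfig.exe",
                       "whoami.exe", "whoami", "net.exe", "ifconfig", "id", "uname"}

# Constructed process-creation records in key=value form; values with spaces are quoted.
SAMPLE_LOG = """\
EventID=1 ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c ipconfig /all" User="IIS APPPOOL\\DefaultAppPool"
EventID=1 ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe Image=C:\\Windows\\System32\\ipconfig.exe CommandLine="ipconfig /all" User="IIS APPPOOL\\DefaultAppPool"
EventID=1 ParentImage=/usr/sbin/php-fpm Image=/bin/sh CommandLine="sh -c whoami" User="www-data"
EventID=1 ParentImage=/usr/sbin/apache2 Image=/usr/sbin/apache2 CommandLine="/usr/sbin/apache2 -k start" User="www-data"
EventID=1 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe" User="CORP\\alice"
"""

# key=value where the value is either a double-quoted string or a run of non-spaces.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> dict:
    """Turn one key=value record into a dict; quoted values keep their spaces."""
    record = {}
    for match in FIELD.finditer(line):
        key, quoted, bare = match.groups()
        record[key] = quoted if quoted is not None else bare
    return record


def basename(path: str) -> str:
    """Lower-cased final component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_children(log_text: str) -> list:
    """Return the process-creation records where a web server spawned a suspicious child."""
    hits = []
    for line in log_text.splitlines():
        record = parse_record(line)
        if record.get("EventID") != "1":
            continue  # only process-creation events carry parent/child lineage
        parent = basename(record.get("ParentImage", ""))
        child = basename(record.get("Image", ""))
        if parent in WEB_SERVER_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append({"parent": parent, "child": child,
                         "cmd": record.get("CommandLine", ""),
                         "user": record.get("User", "")})
    return hits


if __name__ == "__main__":
    for hit in suspicious_children(SAMPLE_LOG):
        print(f"{hit['user']}: {hit['parent']} -> {hit['child']} ({hit['cmd']})")
```

The fourth record (apache2 forking a worker) and the fifth (an interactive user opening cmd.exe from Explorer) are deliberately present so that the rule fires only on the lineage the article describes, not on every shell launch on the host. A real rule would also whitelist known legitimate children (for example a scheduled maintenance script) and key off the web server's service account rather than a name list.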

Network Segmentation

Network segmentation is a design style that divides the network into independent subnetworks; each subnetwork is regarded as a segment with its own security controls. A segmented architecture prevents connections between unrelated parts, which can halt the spread of web shells. There are several network segregation methods. For instance, isolating Internet-facing servers in a demilitarized zone (DMZ) subnet is a simple way to quarantine them. More sophisticated segmentation methods, including software-defined networking (SDN), can help implement a zero-trust architecture.