According to research published by Microsoft’s Detection and Response Team, the number of attacks that planted web shells is up to an average of 140,000 incidents per month between August 2020 and January 2021, which is almost double the average of 77,000 per month that Microsoft observed one year ago. A web shell is a small active web page, usually written in PHP, ASP, or JSP languages, that attackers upload to a victim web server in order to remotely control the server, steal files and passwords from the company that maintains the server, attack other internal systems from the web server, and upload malware files to distribute to other victims. Attackers typically implant web shells by taking advantage of security vulnerabilities in Internet-facing servers, often through out-of-date Content Management Systems (CMS) and plug-ins that allow uploading of arbitrary files without proper filtering.
It can be difficult for defenders to detect web shells because there are so many ways that code might be executed on a web server, and file uploads may be a frequent occurrence in normal operation. Complicating traffic analysis is the fact that web servers frequently have high traffic volume, and it is impractical to inspect every packet, so web shell traffic can blend in easily. One way that analysts can attempt to detect unusual activity is through anomaly analysis of web requests that were successful (server code 200). If the normal function of the web server provides a pattern of the paths from which resources are normally served, and if it is unusual to see successful requests for PHP, ASP, or JSP resources from a directory normally used for uploads, that pattern analysis may lead to the discovery of web shells. Another useful technique is to monitor the processes on the web server and note unusual parent-child relationships. For example, if the web server process does not normally spawn a command shell, it is useful to raise an alert whenever it does, and carefully inspect the commands that were executed. Web shells often run command shells (e.g. Bash on Linux, cmd.exe, or PowerShell on Windows). Whatever security alerts are in place must be monitored 24 hours a day by skilled security staff in order to be effective as a defense and allow a quick response. Binary Defense provides managed security monitoring services through our Security Operations Task Force and Threat Hunting team.