Threat Watch

NSA Releases 17-Page Document on Web Shell Detection and Mitigation

Web shells are malicious files placed on compromised web servers that let an attacker run actions of their choosing, such as downloading files onto the server, listing directories, or serving the server's files back to the attacker for download. On April 22nd, the NSA tweeted out a link to a 17-page document on detecting and preventing web shells. Because web shells are often deployed as scripts in a language such as PHP, they can be difficult to detect: the script is easy to obfuscate and can be changed with every deployment. To help organizations put the document into practice, the NSA also maintains a GitHub repository dedicated to web shell detection and mitigation.

Binary Defense highly recommends following the advice given by the NSA to protect web servers. Both the PDF and the GitHub repository offer several ways of detecting web shells. While the GitHub repository is geared more towards detection, the PDF document is separated into categories for detection, prevention and mitigation. For a non-exhaustive list of recent and frequently exploited applications and CVEs used to install web shells, see Appendix H in the PDF document.
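As an added example, not code from the NSA document or its GitHub repository: a small Python scanner that pairs the two defensive ideas behind the detection advice above, a known-good baseline comparison (files that are new or changed since the last trusted snapshot) and a heuristic review of those files for request input reaching a code-execution sink. All file paths and contents are constructed in memory so the script runs offline; the sink, source and decoder lists are assumptions chosen for illustration, not a complete signature set.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample web roots (path -> file bytes), not from any real server.
KNOWN_GOOD = {
    "index.php": b"<?php echo 'hello'; ?>",
    "lib/db.php": b"<?php function q($s) { return $s; } ?>",
}
DEPLOYED = {
    "index.php": b"<?php echo 'hello'; ?>",
    "lib/db.php": b"<?php function q($s) { return $s; } ?>",
    # Unexpected new file that hands request data to eval(): the classic
    # web-shell shape, constructed here only so the scanner has a hit.
    "uploads/img.php": b"<?php if (isset($_POST['c'])) { eval($_POST['c']); } ?>",
}

# Assumed review lists: code-execution sinks, request sources, decoders.
SINKS = re.compile(rb"\b(eval|assert|system|exec|shell_exec|passthru|popen)\s*\(")
SOURCES = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\b")
DECODERS = re.compile(rb"\b(base64_decode|gzinflate|str_rot13)\s*\(")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_against_baseline(baseline: Dict[str, bytes],
                          current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Known-good comparison: report files that are new, changed, or gone."""
    base = {p: sha256(b) for p, b in baseline.items()}
    return {
        "added": sorted(p for p in current if p not in base),
        "modified": sorted(p for p, b in current.items()
                           if p in base and sha256(b) != base[p]),
        "missing": sorted(p for p in base if p not in current),
    }


def suspicious_php(content: bytes) -> List[str]:
    """Heuristic: a sink fed by request data, or a sink wrapped in a decoder."""
    reasons = []
    if SINKS.search(content) and SOURCES.search(content):
        reasons.append("request input reaches a code-execution sink")
    if SINKS.search(content) and DECODERS.search(content):
        reasons.append("code-execution sink combined with decoder")
    return reasons


def scan(baseline: Dict[str, bytes], current: Dict[str, bytes]) -> Tuple[dict, dict]:
    """Run the heuristic only on files outside the trusted baseline."""
    delta = diff_against_baseline(baseline, current)
    findings = {p: suspicious_php(current[p])
                for p in delta["added"] + delta["modified"] if suspicious_php(current[p])}
    return delta, findings
```

Files already in the baseline are deliberately skipped by the heuristic, so a trusted file that legitimately uses `system()` is not re-flagged on every run; the baseline itself should be regenerated only from a clean, reviewed deployment.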