A web shell is a malicious program that is used to access a web server remotely during cyberattacks. It is a shell-like interface that is used by hackers to access an application that has been hacked via some predefined phishing methods. A web shell in itself isn’t capable of attacking the entire server, hence it is always used in conjunction with some other technique during the post-exploitation stage.

It can be written in any server-side programming language like PHP etc. Web shells are increasingly being used these days because they are difficult to trace and can be used for a lot of purposes.

Working

To access a remote server, the attacker finds a location for the delivery of the web shell. The attacker looks for the vulnerabilities in the system that can act as host sites and delivers the web shell at that location.

Once a web shell has been delivered successfully, it can be used to issue shell commands to perform the required tasks. The attacker might be able to upload, delete, download, and execute files.

Web shells are commonly used in:

• Infecting website users with malware using the watering hole approach, which is a computer attack strategy in which an attacker guesses or observes which websites an organization often visits and infects one or more of them.
• Brand defacement by modifying files inappropriately.
• Distributed denial of service (DDoS) attack.
• To transmit commands within the network that isn’t accessible via the Internet.
• Acting as a command and control base to be used for attacking other external networks.

Types of Web Shells

1. Bind Shell: Bind Shell is a type of shell that is installed on the target device. It gets binded to a certain port on the host and listens for incoming connections to the device. The hacker can then access this web shell remotely and use it to execute scripts on the target host. 
 

2. Reverse Shell: A reverse shell is also known as a ‘Connect-Back Shell’. The hackers are required to look for a remote command execution vulnerability and exploit it for the delivery of the web shell. Unlike bind shell, the target host connects back to the hacker’s device which it listens for an incoming connection.

3. Double Reverse Shell: A double reverse shell is a special case of the reverse shell. The target host connects back to the hacker’s device which was already listening for an incoming connection. However, in this case, there are two different ports that connect back to the hacker’s device. The input and output traffic is separated into two different channels.

How do hackers use web shells?

In order to use a web shell, the attacker first finds out a vulnerable point in the system where a web shell can be delivered. They are usually installed by exploiting the vulnerabilities of the server or server configurations. This may include:

• Vulnerabilities in applications, file systems, and services.
• Vulnerabilities in remote file inclusion (RFI) and local file inclusion (LFI).
• Remote code execution.
• Exposed administration interfaces.

Once a web shell is successfully installed, the attacker can use it to run scripts remotely on the target host which can provide him access to the sensitive information stored in the organization’s servers.

Detection

The following indicates that a web shell might be present in the system –  

• Very high server usage (happens because the hacker usually uploads and downloads a very large amount of data )
• The wrong timestamp on the files.
• Presence of alien files at the server.
• Files having suspicious names.
• Presence of unknown connections at the server-side logs.

Prevention and Mitigation

To avoid the installation of a web shell, the following precautions could be stepped out:

• Prompt patching of web server and plugin vulnerabilities: The idea is to fix the vulnerabilities of the system by patching it as soon as possible. This will reduce the attack surface for the hackers to exploit.
• Reduce the use of plug-ins:  This will reduce the vulnerabilities of the system. Reducing the number of plugins would reduce the number of potential attack surfaces present at the server.
• File Integrity Monitoring: This continuously monitors the files stored at the server-side and removes the ones that are unrecognized. Since, a web shell needs to reside in the code directory of the webserver, therefore, deleting the file would render it useless.
• Malware scanning/endpoint protection software: Scan the stored server-side files using malware detection software to discover malware stored. However, this method is not very reliable as a web shell script looks like a genuine script.
• Republish the Application from the source:  A thorough check of the application’s codebase is not possible at the server-side without developer aid. Hence, in order to detect unexpected files in the codebase, republish them after wiping them entirely from the development environment.
• Network segmentation prevents lateral movement: Avoid hackers from accessing the whole network by lateral traversal by segregating the network segments.
• Server configuration review and hardening: Identify and rectify vulnerabilities in both the application server and the operating systems by running a full server configuration check.
• Mitigate Remote file inclusion (RFI) and local file inclusion (LFI) vulnerabilities: Validate user input data before sending it to mitigate Remote file inclusion (RFI) and local file inclusion (LFI) vulnerabilities.
• Deploy a firewall: Use specialized firewalls like Web Application Firewall (WAF) that are designed specifically for the prevention of injection of web shells in the system.