Web Shell: What it is, How it Works and How to Protect Your Systems

Web applications are booming. Millions of users rely on them every day to entertain themselves, study and work. Traditional (desktop) applications are still in use and many people still prefer them, but the shift toward web versions continues: they are lightweight, efficient and generally consume far fewer resources. The question is whether we are protecting the servers behind them adequately. This guide explains one of the major threats to those servers: web shells.

What is a web shell?

A web shell is a malicious script planted on an attacked system; in most cases, the target is a web server. Once the web shell is in place, the cybercriminal can control the system remotely: the attacker gains persistent access and can manage the system at will. In other words, web shells give attackers a backdoor into compromised systems, yielding anything from partial to full control.


Web shells also have a much wider reach: they can be used to compromise the management interfaces of network devices as well. Good practice in secure network management is therefore essential, above all in organizations with hundreds or thousands of devices connecting every day. The rise of teleworking brings security risks that, although already well known, deserve special attention, because working inside a company's “secure” network environment is obviously not the same as working from home. You might think that using a VPN service, so that we connect to our organization's resources securely, is enough; in reality that is only part of what a network administrator must do.

Detection of a web shell

The main difficulty in detecting this type of malware is that attackers can apply encryption methods to hide their malicious activity, and this follows directly from how easily scripts can be placed on a server. As we know, there are endless possibilities for cyber attacks, and the protective shield around our networks must be reinforced more and more. Some effective detection methods are the following:

  • Compare a known-good version of the web application with the one in production (the version available to users). The differences between them point to files that were added or changed without authorization, which is the first sign of unusual activity.
  • Look for anomalies in the web application's traffic using monitoring tools.
  • Apply signature-based detection, that is, check files against signatures of known web shells, including variants that have been modified, even if only minimally.
  • Look for traffic flows on the network with unusual characteristics.
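As an added example (not code from the original article), here is a small Python script that applies the two traffic-based methods above to web server access logs: it parses constructed sample lines in the combined log format and scores each requested server-side script against indicators commonly associated with web shells (the script is missing from the application's known inventory, it sits in a data/upload directory, it is only ever reached via POST, and it never has a referring page). The log lines in `SAMPLE_LOG`, the `DATA_DIRS` layout and the inventory passed in are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Apache/Nginx "combined" log format; this is
# not real traffic and the hosts and paths are invented for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:01:05 +0000] "GET /about.php?lang=en HTTP/1.1" 200 2048 "https://example.test/index.php" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:10:02:11 +0000] "POST /uploads/img_0042.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.9 - - [10/May/2024:10:02:13 +0000] "POST /uploads/img_0042.php HTTP/1.1" 200 298 "-" "python-requests/2.31"
198.51.100.9 - - [10/May/2024:10:02:20 +0000] "POST /uploads/img_0042.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
203.0.113.8 - - [10/May/2024:10:03:00 +0000] "GET /contact.php HTTP/1.1" 200 1800 "https://example.test/" "Mozilla/5.0"
203.0.113.8 - - [10/May/2024:10:03:04 +0000] "GET /images/logo.png HTTP/1.1" 200 9000 "https://example.test/contact.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Server-side script extensions a web shell would normally need in order to execute.
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx")
# Directories that should only ever hold data, never executable code (assumed layout).
DATA_DIRS = ("/uploads/", "/images/", "/media/", "/tmp/")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_suspicious_scripts(entries, known_scripts):
    """Score every requested server-side script against simple web-shell indicators.

    known_scripts: set of script paths belonging to the deployed application, i.e.
    an inventory taken from the release (the "known good" version).
    Returns a list of findings sorted by score, highest first.
    """
    stats = defaultdict(lambda: {"hits": 0, "posts": 0, "no_referer": 0, "ips": set()})
    for e in entries:
        path = e["target"].split("?", 1)[0]          # drop the query string
        if not path.lower().endswith(SCRIPT_EXT):
            continue
        s = stats[path]
        s["hits"] += 1
        if e["method"] == "POST":
            s["posts"] += 1
        if e["referer"] in ("-", ""):
            s["no_referer"] += 1
        s["ips"].add(e["ip"])

    findings = []
    for path, s in stats.items():
        reasons = []
        if path not in known_scripts:
            reasons.append("script is not part of the known application inventory")
        if any(d in path for d in DATA_DIRS):
            reasons.append("executable script served from a data/upload directory")
        if s["posts"] == s["hits"]:
            reasons.append("reached only via POST (command-channel pattern)")
        if s["no_referer"] == s["hits"]:
            reasons.append("never reached from a referring page of the application")
        if reasons:
            findings.append({"path": path, "score": len(reasons), "hits": s["hits"],
                             "sources": sorted(s["ips"]), "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    inventory = {"/index.php", "/about.php", "/contact.php"}   # assumed release inventory
    for f in find_suspicious_scripts(parse_log(SAMPLE_LOG), inventory):
        print(f"{f['path']} score={f['score']} hits={f['hits']} from={','.join(f['sources'])}")
        for r in f["reasons"]:
            print("  -", r)
```

On the constructed sample the three application pages score zero and only `/uploads/img_0042.php` is reported, with all four indicators. In practice the inventory would come from the deployed release, and a single indicator is not proof: a legitimate API endpoint is also POST-only and referer-less, which is why the script ranks paths by how many indicators they accumulate rather than alerting on any one of them.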

What tools and what procedures should I apply for the detection process of these malicious scripts? Below, we share key recommendations to protect you effectively.

How to protect your systems and networks from web shells

This type of malware is introduced through vulnerabilities present in:

  • Web applications
  • Insecurely configured servers (bad security-configuration practices)

As noted earlier, web shells are also introduced directly into the victim's systems and networks. This happens mainly because the web applications (most of them) and their vulnerable infrastructure have permission to modify a web-accessible directory, or pieces of web code, directly. This kind of permission should not be granted.

Consequently, the systems themselves open the door for cybercriminals to carry out the attacks. It is therefore recommended to block modification permissions. If that is not possible, there is an alternative.
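As an added illustration of the permission point, and not code from the original article, the following Python script audits a web root and reports every file or directory that the web server account could modify, which is exactly the permission the text says should not be granted. The function name `audit_web_root` and the way the service account is identified (by uid and gid) are assumptions made here; on a real server you would pass the uid and gid of the account the web server runs as.

```python
import os
import stat
import sys


def audit_web_root(root, service_uid, service_gid):
    """Walk `root` and report every file or directory the web-server account could modify.

    service_uid / service_gid: uid and gid the web server (e.g. www-data) runs as.
    Returns a sorted list of (relative_path, reason) tuples; an empty list means the
    deployed code is read-only for the service account.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # The root itself is checked once; subdirectories are covered via `dirnames`.
        targets = [dirpath] if dirpath == root else []
        targets += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for full in targets:
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are meaningless; its target is checked if inside root
            mode = st.st_mode
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif st.st_uid == service_uid and mode & stat.S_IWUSR:
                findings.append((rel, "owned and writable by the service account"))
            elif st.st_gid == service_gid and mode & stat.S_IWGRP:
                findings.append((rel, "group-writable by the service account's group"))
    return sorted(findings)


if __name__ == "__main__":
    # usage: python audit.py /var/www/html <service_uid> <service_gid>
    root, uid, gid = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    for rel, reason in audit_web_root(root, uid, gid):
        print(f"{reason}: {rel}")
```

A writable directory is as important as a writable file: if the service account can create files in a web-accessible directory, it does not matter that the existing code is read-only. Directories that genuinely must be writable (upload folders) belong outside the document root, or under a server configuration that never executes scripts from them. The check only looks at classic mode bits; ACLs and a web server running as root need separate review.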

IDS / IPS systems and web application firewall

The alternative is to implement integrity monitoring for the files hosted in the application infrastructure. This gives administrators the visibility they need into any change that may occur in web directories and pieces of code.

In addition, there are firewalls designed specifically for web applications, aimed at HTTP-based applications: they apply a set of rules to each HTTP conversation as it happens. A very notable additional benefit is that these firewall rules can also protect against other, more damaging attacks such as Cross-Site Scripting and SQL injection, among others. According to OWASP, this type of firewall is oriented towards protecting the server, just as proxies protect hosts (users); in fact, Web Application Firewalls are also considered a type of reverse proxy.

NSA Resources

This well-known US agency has made a complete repository available on GitHub. In it we can find a wide range of methods and tools that help protect systems from web shell malware. An interesting point is that no major investment in security solutions is required.

Take Microsoft PowerShell as an example. In the shared repository you will find support for detecting web shells using a “Known Good” comparison scheme. In addition, you can detect suspicious requests in web server logs.
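The “Known Good” comparison and the file integrity monitoring described in the previous section are the same underlying idea: hash a clean copy of the deployed application and compare it with what is actually on the server. The following Python script is an added example of that scheme written for this page; it is not the NSA repository's code and does not reproduce its PowerShell. The function names (`hash_tree`, `compare`, `save_baseline`, `load_baseline`) and the JSON baseline format are assumptions made here.

```python
import hashlib
import json
import os
import sys


def hash_tree(root):
    """Map every regular file under root (relative path -> SHA-256 hex digest)."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hash real content only; a symlink would hide where it points
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def save_baseline(digests, path):
    """Persist the known-good digests; keep this file off the web server itself."""
    with open(path, "w") as f:
        json.dump(digests, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Classify differences between the known-good baseline and what is deployed.

    'added' is the class to look at first: a web shell is almost always a new file,
    while 'modified' catches shells appended to legitimate scripts.
    """
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


if __name__ == "__main__":
    # usage: baseline <clean_dir> <baseline.json>   |   check <prod_dir> <baseline.json>
    cmd, tree, store = sys.argv[1:4]
    if cmd == "baseline":
        save_baseline(hash_tree(tree), store)
    else:
        diff = compare(load_baseline(store), hash_tree(tree))
        for kind in ("added", "modified", "removed"):
            for p in diff[kind]:
                print(f"{kind}: {p}")
```

Two practical points: build the baseline from the release artifact (the package you deploy from), not from the production directory after the fact, or you bake any existing web shell into the “known good” set; and store the baseline and run the check from a host the web server account cannot write to, since an attacker who can edit the application can just as easily edit a baseline kept beside it.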

As we have seen, it is important to be aware of the main vulnerabilities affecting not only web application servers but also traditional applications and even the data networks themselves. As for cyber attacks, there are endless possibilities and the protective shield must be as robust as possible. Fortunately, highly accessible online resources and tools can help us, as administrators, to prevent more than one tragedy.