# Web shell

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Web_shell
> Markdown URL: https://mediated.wiki/source/Web_shell.md
> Source: https://en.wikipedia.org/wiki/Web_shell
> Source revision: 1315059835
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

Interface enabling remote access to a web server

A **web shell** is a [shell-like interface](/source/Shell_(computing)) that gives remote access to a [web server](/source/Web_server) and is commonly used in [cyberattacks](/source/Cyberattack).[1] Unlike a traditional shell, it is reached over HTTP, typically from a [web browser](/source/Web_browser) or a small client script, which makes it a versatile tool for malicious activity.[2][3]

Web shells can be coded in any [programming language](/source/Programming_language) supported by a server, with [PHP](/source/PHP) being the most prevalent due to its widespread use in [web applications](/source/Web_application). Other languages, such as [Active Server Pages](/source/Active_Server_Pages), [ASP.NET](/source/ASP.NET), [Python](/source/Python_(programming_language)), [Perl](/source/Perl), [Ruby](/source/Ruby_(programming_language)), and [Unix shell](/source/Unix_shell) scripts, are also employed.[1][2][3]

Attackers usually find an exploitable [vulnerability](/source/Vulnerability_(computing)) in the web application or server software, often with scanning and [network monitoring tools](/source/Network_monitoring#Notable_network_monitoring_tools), and use it to write the shell onto the server.[2]

Once installed, a web shell allows attackers to execute shell commands, perform [privilege escalation](/source/Privilege_escalation), and manage files by uploading, deleting, downloading, or executing them on the server.[2]

## General usage

Web shells are favored in cyberattacks because they are versatile and hard to detect.[4] Common applications include:

- [Data theft](/source/Data_theft)[4]

- Infecting visitors through [watering hole attacks](/source/Watering_hole_attack)[5]

- [Website defacement](/source/Website_defacement) by altering files with malicious intent

- Launching [DDoS](/source/Denial-of-service_attack#Distributed_attack) attacks[2]

- Relaying commands to inaccessible network segments[2]

- Serving as a [command and control](/source/Botnet#Command_and_control) hub, such as in [botnet](/source/Botnet) systems or to compromise external networks[2]

Web shells enable hackers to extract data, corrupt systems, and deploy more damaging [malware](/source/Malware). The threat intensifies when compromised servers are used to infiltrate additional systems. They are also employed in cyber espionage targeting sectors like government, finance, and defense. A notable example is the "[China Chopper](/source/China_Chopper)" web shell.[6]

## Delivery of web shells

Web shells are deployed by exploiting vulnerabilities in web applications or weak server configurations, including:[2][4]

- [SQL injection](/source/SQL_injection)

- Flaws in applications and services (e.g., [web server](/source/Web_server) software like [NGINX](/source/Nginx) or [content management systems](/source/Content_management_system) like [WordPress](/source/WordPress))[7][8]

- File processing and upload vulnerabilities (mitigated by restricting accepted file types with checks performed on the server rather than trusting what the client declares)[8]

- [Remote file inclusion](/source/File_inclusion_vulnerability) (RFI) and [local file inclusion](/source/File_inclusion_vulnerability#Local_File_Inclusion) (LFI) vulnerabilities

- [Remote code execution](/source/Arbitrary_code_execution)

- Exposed administration interfaces[2]

Attackers may also spoof the Content-Type header of an upload to bypass validation that trusts the client's declared type, and so get a shell onto the server.
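The following is an added example, not code from the original article or from any of its cited sources. It contrasts the weak upload check described above (trusting the client's Content-Type) with a server-side check, written in Python because the validation logic is independent of the language the shells themselves are written in. The accepted types, size limit and file names are assumptions chosen for illustration.

```python
import os
import secrets
from typing import NamedTuple

# Magic bytes for the only types this hypothetical image-upload endpoint accepts.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024
# Markers that have no business inside an image but would turn a polyglot
# file into a shell if the server ever interprets it as PHP/ASP.
FORBIDDEN_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


class Verdict(NamedTuple):
    accepted: bool
    reason: str
    stored_name: str = ""


def weak_accepts(filename: str, content_type: str) -> bool:
    """The pattern the article warns about: the only check is the client's
    Content-Type header, which the attacker controls."""
    return content_type.startswith("image/")


def hardened_accepts(filename: str, content_type: str, data: bytes) -> Verdict:
    """Server-side validation that never relies on the declared Content-Type."""
    if len(data) > MAX_BYTES:
        return Verdict(False, "too large")
    # Only the final extension counts: "shell.php" and "shell.png.php" both fail here.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in MAGIC:
        return Verdict(False, f"extension {ext or '(none)'} not allowed")
    magics = MAGIC[ext]
    if isinstance(magics, bytes):
        magics = (magics,)
    if not data.startswith(magics):
        return Verdict(False, "content does not match extension")
    if any(marker in data.lower() for marker in FORBIDDEN_MARKERS):
        return Verdict(False, "embedded script marker")
    # Neither the client's name nor its Content-Type reaches the filesystem:
    # a random name with the verified extension, to be written outside the web root.
    return Verdict(True, "ok", secrets.token_hex(16) + ext)


if __name__ == "__main__":
    # Constructed attacker upload: PHP source sent with a spoofed image Content-Type.
    shell = b"<?=`$_GET[x]`?>"
    print("weak:", weak_accepts("shell.php", "image/png"))  # True: the shell is accepted
    print("hardened:", hardened_accepts("shell.php", "image/png", shell))
    print("polyglot:", hardened_accepts("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + shell))
```

The extension check alone is not enough: a file that begins with a valid PNG header and carries PHP after it passes the magic-byte test, which is why the hardened check also refuses script markers and why uploads belong outside the directory the server executes scripts from.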

## Example

The following is a basic PHP web shell that executes a shell command and displays the output:

```php
<?=`$_GET[x]`?>
```

The backtick operator passes its contents to the system shell (it is equivalent to `shell_exec()`), and `<?= ... ?>` echoes whatever the command returns. With a filename of `example.php`, the URL to display the [/etc/passwd](/source/Passwd#Password_file) file could be:

```
https://example.com/example.php?x=cat%20%2Fetc%2Fpasswd
```

This executes the command `cat /etc/passwd` with the privileges of the web server process. The risk can be reduced by disabling PHP's shell-execution functions, for example by listing `shell_exec`, `exec`, `system`, `passthru`, `proc_open` and `popen` in the `disable_functions` directive of `php.ini` (the backtick operator is disabled together with `shell_exec()`). This blocks command execution only; a shell that reads and writes files through ordinary PHP functions is unaffected.

## Prevention and mitigation

Preventing web shell installation requires addressing server vulnerabilities. Key measures include:[2][3]

- Regularly updating applications and the host server's [operating system](/source/Operating_system) to patch known [bugs](/source/Software_bug)

- Implementing a [demilitarized zone](/source/DMZ_(computing)) (DMZ) between web-facing servers and internal networks

- Securing web server configurations[2]

- Closing unused [ports](/source/Port_(computer_networking)) and services[2]

- Validating user input to limit [local and remote file inclusion vulnerabilities](/source/File_inclusion_vulnerability)[2]

- Using a [reverse proxy](/source/Reverse_proxy) to restrict administrative URLs to legitimate sources[2]

- Conducting frequent vulnerability scans (though ineffective against [zero-day attacks](/source/Zero-day_(computing)))[2]

- Deploying a [firewall](/source/Firewall_(computing))[2]

- Disabling directory browsing [citation needed]

- Avoiding default passwords[2]

## Detection

Web shells are challenging to detect due to their modifiability, often evading [antivirus software](/source/Antivirus_software).[2][9]

Indicators of a web shell include:[2][3]

- Unusually high web server activity from downloading/uploading[2][9]

- Files with anomalous timestamps (e.g., modification times that do not match the rest of the deployment, or that have been back-dated to blend in with neighbouring files)[9]

- Unknown files on the server

- Suspicious references (e.g., cmd.exe or [eval](/source/Eval))

- Unusual connections in server logs

For instance, POST parameters sent to a file with an image extension such as [PNG](/source/Portable_Network_Graphics), or unexpected logins between DMZ servers and internal subnets, may signal a web shell.[2][10][11][12]

Web shells may include disguised login forms, such as fake [error pages](/source/HTTP_error).[2][13][14][15]
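An added example of the file-based indicators listed above, not code from the original article or its sources: a Python scanner that walks a web root and flags files containing the suspicious references mentioned (eval or a shell-execution function fed from request input, cmd.exe, a PHP tag inside a file with an image extension) as well as files modified after the last known deployment. The directory layout, the sample files and the deployment timestamp are constructed for the example; the pattern list is a starting point, not a complete signature set.

```python
import os
import re
import tempfile
import time

# Extensions that should never contain server-side code.
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".ico", ".css", ".txt")

# Each pattern alone can appear in legitimate code; a file that trips several,
# or one that sits where no code belongs, is what an analyst opens first.
SUSPICIOUS = {
    "eval of decoded or request-supplied data": re.compile(
        rb"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13|\$_(GET|POST|REQUEST|COOKIE))", re.I),
    "shell function fed from request input": re.compile(
        rb"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    "backtick execution of request input": re.compile(
        rb"`[^`]*\$_(GET|POST|REQUEST|COOKIE)[^`]*`"),
    "reference to cmd.exe": re.compile(rb"cmd\.exe", re.I),
}
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.I)


def scan_file(path, deployed_at, slack=60):
    """Return the reasons a file looks like a web shell (empty list if none)."""
    with open(path, "rb") as f:
        data = f.read()
    reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(data)]
    if path.lower().endswith(STATIC_EXT) and PHP_TAG.search(data):
        reasons.append("PHP tag inside a static-content file")
    # Timestamp check: anything written after the deployment (plus some slack)
    # was not put there by the deployment. A timestomped shell evades this
    # rule but still trips the content rules above.
    if os.path.getmtime(path) > deployed_at + slack:
        reasons.append("modified after the last deployment")
    return reasons


def scan_tree(root, deployed_at):
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            reasons = scan_file(full, deployed_at)
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings


def build_sample_webroot():
    """Constructed sample tree: a clean page from the deployment, a one-line
    shell dropped later, and a PNG polyglot carrying an eval-based shell."""
    root = tempfile.mkdtemp(prefix="webroot-")
    deployed_at = time.time() - 7 * 86400  # assumed: last deployment a week ago
    files = {
        "index.php": b"<?php echo 'hello'; ?>",
        "uploads/x.php": b"<?=`$_GET[x]`?>",
        "uploads/logo.png": b"\x89PNG\r\n\x1a\n<?php eval(base64_decode($_POST['p'])); ?>",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    # The legitimate file carries the deployment's timestamp; the two shells
    # keep the current time, as freshly written files would.
    os.utime(os.path.join(root, "index.php"), (deployed_at, deployed_at))
    return root, deployed_at


if __name__ == "__main__":
    root, deployed_at = build_sample_webroot()
    for rel, reasons in sorted(scan_tree(root, deployed_at).items()):
        print(rel, "->", "; ".join(reasons))
```

In a real investigation the deployment timestamp would come from the release pipeline or a clean checkout, and the tree would be compared against that checkout as well, so that files the deployment never shipped stand out regardless of their content.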

Attackers can modify the [.htaccess](/source/.htaccess) file (on [Apache HTTP Server](/source/Apache_HTTP_Server)) so that visitors arriving from [search engines](/source/Web_search_engine) are redirected to malware or [spam](/source/Spamming) pages, often serving the malicious content only when the [user-agent](/source/User_agent) matches a search-engine crawler. Finding such a redirect may require the investigator to present a crawler's user-agent; once found, the offending rules and the shell behind them can be removed.[2]

Analyzing server logs can pinpoint the web shell's location, as legitimate users typically have diverse [user-agents](/source/User_agent) and [referers](/source/HTTP_referer), while attacker access is more uniform.[2]
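An added example of the log analysis described above, not code from the original article or its sources: a Python script that parses access-log lines in the Apache/NGINX combined format and flags paths that receive POST requests despite a static-content extension, paths that were served (HTTP 200) although they are not in the known deployment, and paths reached by a single user-agent with no referer. The log lines, addresses and file manifest are constructed for the example; the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Apache/NGINX "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".ico", ".css", ".txt")

# Constructed sample: ordinary visitors, then one client driving a shell that
# was written as "uploads/logo.png" and a second one named "error.php".
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
192.0.2.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://example.org/" "Mozilla/5.0 (X11; Linux) Firefox/118.0"
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /images/logo.png HTTP/1.1" 200 900 "https://example.com/index.php" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /images/logo.png HTTP/1.1" 200 900 "https://example.com/index.php" "Mozilla/5.0 (Macintosh) Safari/605.1"
198.51.100.23 - - [10/Oct/2023:14:02:10 +0000] "POST /uploads/logo.png HTTP/1.1" 200 210 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:14:02:15 +0000] "POST /uploads/logo.png HTTP/1.1" 200 4096 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:14:03:00 +0000] "GET /error.php?x=id HTTP/1.1" 200 60 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:14:03:05 +0000] "GET /error.php?x=uname%20-a HTTP/1.1" 200 120 "-" "python-requests/2.31"
"""

# Files the deployment is known to ship (assumed to come from a package
# manifest or a clean checkout). Anything else that returns 200 deserves a look.
KNOWN_FILES = {"/index.php", "/images/logo.png"}


def parse(log_text):
    """Yield one dict per parseable combined-format line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_indicators(log_text, known_files=KNOWN_FILES, min_hits=2):
    """Group requests by path and return {path: [reasons]} for suspicious paths."""
    by_path = defaultdict(list)
    for r in parse(log_text):
        by_path[r["path"].split("?", 1)[0]].append(r)
    findings = {}
    for path, rows in by_path.items():
        reasons = []
        if path.lower().endswith(STATIC_EXT) and any(r["method"] == "POST" for r in rows):
            reasons.append("POST to static-content path")
        if path not in known_files and any(r["status"] == "200" for r in rows):
            reasons.append("served file not in deployment manifest")
        # Legitimate traffic shows varied user-agents and referers; an attacker's
        # client is uniform and usually arrives with no referer at all.
        user_agents = {r["ua"] for r in rows}
        referers = {r["referer"] for r in rows}
        if len(rows) >= min_hits and len(user_agents) == 1 and referers == {"-"}:
            reasons.append("single user-agent, no referer")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in sorted(find_indicators(SAMPLE_LOG).items()):
        print(path, "->", "; ".join(reasons))
```

On a real server the same grouping is worth running per source address as well, since the client address that first touches the unknown file is usually the one that uploaded it.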

## See also

- [Backdoor (computing)](/source/Backdoor_(computing))

- [Cyberwarfare](/source/Cyberwarfare)

- [Internet security](/source/Internet_security)

- [Network security](/source/Network_security)

- [China Chopper](/source/China_Chopper)

- [Privacy](/source/Privacy)

- [Web-based SSH](/source/Web-based_SSH)

## References

1. ["How can web shells be used to exploit security tools and servers?"](https://searchsecurity.techtarget.com/answer/How-can-web-shells-be-used-to-exploit-security-tools-and-servers). *SearchSecurity*. [Archived](https://web.archive.org/web/20190328065900/https://searchsecurity.techtarget.com/answer/How-can-web-shells-be-used-to-exploit-security-tools-and-servers) from the original on 2019-03-28. Retrieved 2018-12-21.

2. US Department of Homeland Security (9 August 2017). ["Web Shells – Threat Awareness and Guidance"](https://www.us-cert.gov/ncas/alerts/TA15-314A). *www.us-cert.gov*. [Archived](https://web.archive.org/web/20190113062745/https://www.us-cert.gov/ncas/alerts/TA15-314A) from the original on 13 January 2019. Retrieved 20 December 2018. This article incorporates text from this source, which is in the [public domain](/source/Public_domain).

3. admin (3 August 2017). ["What is a Web shell?"](https://malware.expert/general/what-is-a-web-shell/). *malware.expert*. [Archived](https://web.archive.org/web/20190113003907/https://malware.expert/general/what-is-a-web-shell/) from the original on 13 January 2019. Retrieved 20 December 2018.

4. ["Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors – US-CERT"](https://www.us-cert.gov/ncas/alerts/TA18-074A). *www.us-cert.gov*. 16 March 2018. [Archived](https://web.archive.org/web/20181220172706/https://www.us-cert.gov/ncas/alerts/TA18-074A) from the original on 20 December 2018. Retrieved 20 December 2018.

5. Mourelatos, Makis (16 October 2017). ["The Definitive Guide about Backdoor Attacks - What are WebShell BackDoors"](https://fixmywp.com/security/what-are-web-shell-backdoors.php). *fixmywp.com*. [Archived](https://web.archive.org/web/20190113003929/https://fixmywp.com/security/what-are-web-shell-backdoors.php) from the original on 13 January 2019. Retrieved 20 December 2018.

6. Hannousse, Abdelhakim; Yahiouche, Salima (2021-09-01). ["Handling webshell attacks: A systematic mapping and survey"](https://www.sciencedirect.com/science/article/pii/S0167404821001905). *Computers & Security*. **108** 102366. [doi](/source/Doi_(identifier)):[10.1016/j.cose.2021.102366](https://doi.org/10.1016%2Fj.cose.2021.102366). [ISSN](/source/ISSN_(identifier)) [0167-4048](https://search.worldcat.org/issn/0167-4048).

7. ["Got WordPress? PHP C99 Webshell Attacks Increasing"](https://securityintelligence.com/got-wordpress-php-c99-webshell-attacks-increasing/). 14 April 2016. [Archived](https://web.archive.org/web/20181229190535/https://securityintelligence.com/got-wordpress-php-c99-webshell-attacks-increasing/) from the original on 29 December 2018. Retrieved 21 December 2018.

8. ["Equifax breach was 'entirely preventable' had it used basic security measures, says House report"](https://techcrunch.com/2018/12/10/equifax-breach-preventable-house-oversight-report/). 10 December 2018. [Archived](https://web.archive.org/web/20181220232937/https://techcrunch.com/2018/12/10/equifax-breach-preventable-house-oversight-report/) from the original on 20 December 2018. Retrieved 21 December 2018.

9. ["Breaking Down the China Chopper Web Shell - Part I"](https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html). *FireEye*. [Archived](https://web.archive.org/web/20190113182308/https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html) from the original on 13 January 2019. Retrieved 20 December 2018.

10. ["Intrusion Detection and Prevention Systems"](https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=901146). [Archived](https://web.archive.org/web/20190113003930/https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=901146) from the original on 2019-01-13. Retrieved 2018-12-22.

11. Kasey Cross (16 June 2016). ["Five signs an attacker is already in your network"](https://www.networkworld.com/article/952495/five-signs-an-attacker-is-already-in-your-network.html). *Network World*. [Archived](https://web.archive.org/web/20190113003925/https://www.networkworld.com/article/3085141/network-security/five-signs-an-attacker-is-already-in-your-network.html) from the original on 13 January 2019. Retrieved 22 December 2018.

12. ["Traffic Analysis for Network Security: Two Approaches for Going Beyond Network Flow Data"](https://insights.sei.cmu.edu/sei_blog/2016/09/traffic-analysis-for-network-security-two-approaches-for-going-beyond-network-flow-data.html). 15 September 2016. [Archived](https://web.archive.org/web/20161114084537/https://insights.sei.cmu.edu/sei_blog/2016/09/traffic-analysis-for-network-security-two-approaches-for-going-beyond-network-flow-data.html) from the original on 2016-11-14. Retrieved 2018-12-22.

13. ["Hackers Hiding Web Shell Logins in Fake HTTP Error Pages"](https://www.bleepingcomputer.com/news/security/hackers-hiding-web-shell-logins-in-fake-http-error-pages/). *BleepingComputer*. [Archived](https://web.archive.org/web/20180726011308/https://www.bleepingcomputer.com/news/security/hackers-hiding-web-shell-logins-in-fake-http-error-pages/) from the original on 26 July 2018. Retrieved 21 December 2018.

14. ["Hackers Hiding Web Shell Logins in Fake HTTP Error Pages"](https://threatravens.com/hackers-hiding-web-shell-logins-in-fake-http-error-pages/). *ThreatRavens*. 24 July 2018. [Archived](https://web.archive.org/web/20190113062731/https://threatravens.com/hackers-hiding-web-shell-logins-in-fake-http-error-pages/) from the original on 13 January 2019. Retrieved 17 February 2019.

15. ["Hackers Hiding Web Shell Logins in Fake HTTP Error Pages"](https://cyware.com/news/hackers-hiding-web-shell-logins-in-fake-http-error-pages-f9f1b47e). *cyware.com*. [Archived](https://web.archive.org/web/20190113003916/https://cyware.com/news/hackers-hiding-web-shell-logins-in-fake-http-error-pages-f9f1b47e) from the original on 13 January 2019. Retrieved 22 December 2018.



---
Adapted from the Wikipedia article [Web shell](https://en.wikipedia.org/wiki/Web_shell) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Web_shell?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
