{{Short description|Interface enabling remote access to a web server}}

A '''web shell''' is a shell-like interface that facilitates remote access to a web server, commonly exploited for cyberattacks.<ref name="techtarget.com">{{cite web|url=https://searchsecurity.techtarget.com/answer/How-can-web-shells-be-used-to-exploit-security-tools-and-servers|title=How can web shells be used to exploit security tools and servers?|website=SearchSecurity|access-date=2018-12-21|archive-url=https://web.archive.org/web/20190328065900/https://searchsecurity.techtarget.com/answer/How-can-web-shells-be-used-to-exploit-security-tools-and-servers|archive-date=2019-03-28|url-status=live}}</ref> Unlike traditional shells, it is accessed via a web browser, making it a versatile tool for malicious activities.<ref name="us-cert.gov">{{cite web|url=https://www.us-cert.gov/ncas/alerts/TA15-314A|title=Web Shells – Threat Awareness and Guidance|author=US Department of Homeland Security|website=www.us-cert.gov|date=9 August 2017|access-date=20 December 2018|archive-url=https://web.archive.org/web/20190113062745/https://www.us-cert.gov/ncas/alerts/TA15-314A|archive-date=13 January 2019|url-status=live}}{{PD-notice}}</ref><ref name="auto">{{cite web|url=https://malware.expert/general/what-is-a-web-shell/|title=What is a Web shell?|last=admin|date=3 August 2017|website=malware.expert|access-date=20 December 2018|archive-url=https://web.archive.org/web/20190113003907/https://malware.expert/general/what-is-a-web-shell/|archive-date=13 January 2019|url-status=live}}</ref>

Web shells can be coded in any programming language supported by a server, with PHP being the most prevalent due to its widespread use in web applications. Other languages, such as Active Server Pages, ASP.NET, Python, Perl, Ruby, and Unix shell scripts, are also employed.<ref name="techtarget.com"/><ref name="us-cert.gov"/><ref name="auto"/>

Attackers identify vulnerabilities often in web server application using network monitoring tools, which can be exploited to deploy a web shell.<ref name="us-cert.gov"/>

Once installed, a web shell allows attackers to execute shell commands, perform privilege escalation, and manage files by uploading, deleting, downloading, or executing them on the server.<ref name="us-cert.gov"/>

==General usage== Web shells are favored in cyberattacks for their versatility and elusiveness.<ref name="us-cert.gov1">{{cite web|url=https://www.us-cert.gov/ncas/alerts/TA18-074A|title=Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors – US-CERT|website=www.us-cert.gov|date=16 March 2018|access-date=20 December 2018|archive-url=https://web.archive.org/web/20181220172706/https://www.us-cert.gov/ncas/alerts/TA18-074A|archive-date=20 December 2018|url-status=live}}</ref> Common applications include: * Data theft<ref name="us-cert.gov1"/> * Infecting visitors through watering hole attacks<ref>{{cite web|url=https://fixmywp.com/security/what-are-web-shell-backdoors.php|title=The Definitive Guide about Backdoor Attacks - What are WebShell BackDoors|first1=Makis Mourelatos|last1=WordPress Security Engineer at FixMyWPWC Athens 2016|first2=W. P.|last2=Support|first3=Security|last3=Aficionado|first4=Wannabe|last4=Kitesurfer|date=16 October 2017|website=fixmywp.com|access-date=20 December 2018|archive-url=https://web.archive.org/web/20190113003929/https://fixmywp.com/security/what-are-web-shell-backdoors.php|archive-date=13 January 2019|url-status=live}}</ref> * Website defacement by altering files with malicious intent * Launching DDoS attacks<ref name="us-cert.gov"/> * Relaying commands to inaccessible network segments<ref name="us-cert.gov"/> * Serving as a command and control hub, such as in botnet systems or to compromise external networks<ref name="us-cert.gov"/>

Web shells enable hackers to extract data, corrupt systems, and deploy more damaging malware. The threat intensifies when compromised servers are used to infiltrate additional systems. They are also employed in cyber espionage targeting sectors like government, finance, and defense. A notable example is the "China Chopper" web shell.<ref>{{Cite journal|last1=Hannousse|first1=Abdelhakim|last2=Yahiouche|first2=Salima|date=2021-09-01|title=Handling webshell attacks: A systematic mapping and survey|url=https://www.sciencedirect.com/science/article/pii/S0167404821001905|journal=Computers & Security|volume=108|article-number=102366|doi=10.1016/j.cose.2021.102366|issn=0167-4048|url-access=subscription}}</ref>

==Delivery of web shells== Web shells are deployed by exploiting vulnerabilities in web applications or weak server configurations, including:<ref name="us-cert.gov"/><ref name="us-cert.gov1"/> * SQL injection * Flaws in applications and services (e.g., web server software like NGINX or content management systems like WordPress)<ref>{{cite web|url=https://securityintelligence.com/got-wordpress-php-c99-webshell-attacks-increasing/|title=Got WordPress? PHP C99 Webshell Attacks Increasing|date=14 April 2016|access-date=21 December 2018|archive-url=https://web.archive.org/web/20181229190535/https://securityintelligence.com/got-wordpress-php-c99-webshell-attacks-increasing/|archive-date=29 December 2018|url-status=live}}</ref><ref name="techcrunch.com">{{cite web|url=https://techcrunch.com/2018/12/10/equifax-breach-preventable-house-oversight-report/|title=Equifax breach was 'entirely preventable' had it used basic security measures, says House report|date=10 December 2018|access-date=21 December 2018|archive-url=https://web.archive.org/web/20181220232937/https://techcrunch.com/2018/12/10/equifax-breach-preventable-house-oversight-report/|archive-date=20 December 2018|url-status=live}}</ref> * File processing and upload vulnerabilities (mitigated by restricting file types)<ref name="techcrunch.com"/> * Remote file inclusion (RFI) and local file inclusion (LFI) vulnerabilities * Remote code execution * Exposed administration interfaces<ref name="us-cert.gov"/>

Attackers may also spoof the <code>Content-Type</code> header during file uploads to bypass weak file validation, enabling shell deployment.

==Example== The following is a basic PHP web shell that executes a shell command and displays the output:

<syntaxhighlight lang="php"><?=`$_GET[x]`?></syntaxhighlight>

With a filename of <code>example.php</code>, the command to display the <code>/etc/passwd</code> file could be:

<nowiki>https://example.com/example.php?x=cat%20%2Fetc%2Fpasswd</nowiki>

This executes the command <code>cat /etc/passwd</code>. Such risks can be mitigated by disabling PHP shell functions to prevent arbitrary command execution.

==Prevention and mitigation== Preventing web shell installation requires addressing server vulnerabilities. Key measures include:<ref name="us-cert.gov"/><ref name="auto"/> * Regularly updating applications and the host server's operating system to patch known bugs * Implementing a demilitarized zone (DMZ) between web-facing servers and internal networks * Securing web server configurations<ref name="us-cert.gov"/> * Closing unused ports and services<ref name="us-cert.gov"/> * Validating user input to limit local and remote file inclusion vulnerabilities<ref name="us-cert.gov"/> * Using a reverse proxy to restrict administrative URLs to legitimate sources<ref name="us-cert.gov"/> * Conducting frequent vulnerability scans (though ineffective against zero-day attacks)<ref name="us-cert.gov"/> * Deploying a firewall<ref name="us-cert.gov"/> * Disabling directory browsing{{Citation needed|date=April 2021}} * Avoiding default passwords<ref name="us-cert.gov"/>

==Detection== Web shells are challenging to detect due to their modifiability, often evading antivirus software.<ref name="us-cert.gov"/><ref name="fireeye.com">{{cite web|url=https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html|title=Breaking Down the China Chopper Web Shell - Part I|website=FireEye|access-date=20 December 2018|archive-url=https://web.archive.org/web/20190113182308/https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html|archive-date=13 January 2019|url-status=live}}</ref>

Indicators of a web shell include:<ref name="us-cert.gov"/><ref name="auto"/> * Unusually high web server activity from downloading/uploading<ref name="us-cert.gov"/><ref name="fireeye.com"/> * Files with abnormal timestamps (e.g., newer than last modification)<ref name="fireeye.com"/> * Unknown files on the server * Suspicious references (e.g., <code>cmd.exe</code> or <code>eval</code>) * Unusual connections in server logs

For instance, a PNG file with POST parameters or dubious logins between DMZ servers and internal subnets may signal a web shell.<ref name="us-cert.gov"/><ref>{{Cite web|url=https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=901146|title=Intrusion Detection and Prevention Systems|access-date=2018-12-22|archive-url=https://web.archive.org/web/20190113003930/https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=901146|archive-date=2019-01-13|url-status=live}}</ref><ref>{{cite web|url=https://www.networkworld.com/article/952495/five-signs-an-attacker-is-already-in-your-network.html|title=Five signs an attacker is already in your network|author=Kasey Cross|date=16 June 2016|website=Network World|access-date=22 December 2018|archive-url=https://web.archive.org/web/20190113003925/https://www.networkworld.com/article/3085141/network-security/five-signs-an-attacker-is-already-in-your-network.html|archive-date=13 January 2019|url-status=live}}</ref><ref>{{Cite web|url=https://insights.sei.cmu.edu/sei_blog/2016/09/traffic-analysis-for-network-security-two-approaches-for-going-beyond-network-flow-data.html|title=Traffic Analysis for Network Security: Two Approaches for Going Beyond Network Flow Data|date=15 September 2016|access-date=2018-12-22|archive-url=https://web.archive.org/web/20161114084537/https://insights.sei.cmu.edu/sei_blog/2016/09/traffic-analysis-for-network-security-two-approaches-for-going-beyond-network-flow-data.html|archive-date=2016-11-14|url-status=live}}</ref>

Web shells may include disguised login forms, such as fake error pages.<ref name="us-cert.gov"/><ref>{{cite web|url=https://www.bleepingcomputer.com/news/security/hackers-hiding-web-shell-logins-in-fake-http-error-pages/|title=Hackers Hiding Web Shell Logins in Fake HTTP Error Pages|website=BleepingComputer|access-date=21 December 2018|archive-url=https://web.archive.org/web/20180726011308/https://www.bleepingcomputer.com/news/security/hackers-hiding-web-shell-logins-in-fake-http-error-pages/|archive-date=26 July 2018|url-status=live}}</ref><ref>{{cite web|url=https://threatravens.com/hackers-hiding-web-shell-logins-in-fake-http-error-pages/|title=Hackers Hiding Web Shell Logins in Fake HTTP Error Pages|date=24 July 2018|website=ThreatRavens|access-date=17 February 2019|archive-url=https://web.archive.org/web/20190113062731/https://threatravens.com/hackers-hiding-web-shell-logins-in-fake-http-error-pages/|archive-date=13 January 2019|url-status=live}}</ref><ref>{{cite web|url=https://cyware.com/news/hackers-hiding-web-shell-logins-in-fake-http-error-pages-f9f1b47e|title=Hackers Hiding Web Shell Logins in Fake HTTP Error Pages|website=cyware.com|access-date=22 December 2018|archive-url=https://web.archive.org/web/20190113003916/https://cyware.com/news/hackers-hiding-web-shell-logins-in-fake-http-error-pages-f9f1b47e|archive-date=13 January 2019|url-status=live}}</ref>

Attackers can modify the .htaccess file (on Apache HTTP Server) to redirect search engine queries to malware or spam pages, often tailoring content based on user-agent detection. Identifying the shell may require altering the crawler's user-agent, after which it can be easily removed.<ref name="us-cert.gov"/>

Analyzing server logs can pinpoint the web shell's location, as legitimate users typically have diverse user-agents and referers, while attacker access is more uniform.<ref name="us-cert.gov"/>

==See also== * Backdoor (computing) * Cyberwarfare * Internet security * Network security * China Chopper * Privacy * Web-based SSH

==References== {{reflist}}

{{Information security}} {{Malware}} {{Authority control}}

Category:Web shells Category:Web security exploits Category:Hacking (computer security)