As we briefly mentioned in the previous article, a webshell is a command-based web page (script), that enables remote administration of a machine. It is called a webshell due to the fact that it is accessed using a URL and is written with a web script.
In this article we will discuss how websites get infected with such backdoors, as well as mention two real-world scenarios of such backdoors. Then, we will explain further about how webshell backdoors work. After that, we will go over the detection mechanisms you can use to identify such backdoors on your server. Finally, we will mention some protective measures that you can take which will help protect your site from such backdoors.
The websites which become infected by these types of backdoors generally have vulnerabilities within the websites themselves. Two of the most common types of vulnerabilities that could be used to get a webshell are unrestricted file uploads, and command injections.
Many web servers have a feature that allows you to upload files to the server. The files uploaded are usually pictures or pdf files. Failure to restrict the uploaded files to only the intended file types, could allow the attacker to upload an arbitrary code (ex, PHP script) to the web server.
Let’s see the following example. As you can see, this is a fairly simple web page with a file upload function.
The first step to exploiting this is to upload any image in order to see where the files get stored at.
As we can see, it is stored in : /uploads/ folder and we were successful in accessing the image directly.
Now, we will try to upload our webshell. The following is the code we used. (Note: the following code will be explained in the next section)
As we notice from the screenshot below, our cmd.php file got uploaded with no problems. That means there are no file restrictions on the types of files allowed to be upload.
Now, let’s access our webshell and execute the command, "whoami"
So, as you can notice, our shell takes a GET argument "cmd", executes it and displays it on the screen. So, let's try and execute the following two commands, "pwd" and "ls" in order to know the current directory and to list all the files in the directory.
Therefore, the hacker can come back anytime to the URL http://website.url/free/uploads/cmd.php and execute any command he wants.
The simplest fix which you can apply to this vulnerability is by validating the type of the file the user uploads before accepting it. Here is an example to start from: http://www.w3schools.com/php/php_file_upload.asp
All the code are available as following:
The second type of vulnerabilities that could lead to a webshell backdoor is a command injection. It's an attack which aims to execute a command on the host’s operating system through exploiting a vulnerable application (the web application in this case). This vulnerability can come in many different forms, so we will talk about one of them as an example.
Let’s assume there is an application that pings other systems based on your request. So in this case, you will give the application the IP address of a system, and the application will try to ping the system and display the ping result for you.
As we can see in the coming picture, the ping results are shown.
Now, since the application doesn't validate the input, we can manipulate the command. Using the semicolon ";", we can enter multiple Linux commands to be executed. You can try it out yourself. Open a shell on any Linux machine, and enter "ping -c 2 8.8.8.8 ; pwd ; ls ;" and see what you get:
As you can see, all the commands get executed one by one.
Now, let’s try the same concept on the ping field:
As we can see, the result was the ping, then the other commands’ results:
The hacker can now execute any number of commands on the system directly even though he didn’t upload any new files. This type of backdoor is difficult to detect, as it is the result of a system vulnerability and no malicious files were placed on the server’s files.
The best solution is input validation. That means, in this case, not allowing any type of input but an IP address. So, the web application should check the input first before executing the command.
All the code are available as following:
ping.html : https://paste.fixmywp.support/?b280053ab7d47572#Wpxrtd90kBWHXTtlOrF+SuQzaviSQD288sNQE96wAbA=
ping.php : https://paste.fixmywp.support/?e92a4a177d809eec#AN05rOBZgtpmUmTJXv0+j3Ss0+5/j7iGVLTiIyCf1uo=
As we have seen, the webshell that we used was fairly simple; it takes a command argument and returns back the result. Of course there are much more complicated webshells out there that contain more fancy features like uploading a file and establishing a reverse shell. But for now, let’s understand how a simple webshell works.
The code syntax is fairly simple:
$_GET["cmd"] : the cmd GET parameter. Ex, http://127.0.0.1/free/uploads/cmd.php?cmd=hi $_GET["cmd"] = "hi"
shell_exec() : a function that takes an argument and executes it in the local system. So, shell_exec("ls") will return the output of the ls command.
echo : this is to echo out (print) the output coming from the execution of the supplied command.
So, we used an existing PHP function shell_exec() to execute commands on the server. However, there are more complicated webshells that exist. As an example, the following github repository has a lot of php webshells. You may try out some of them.
https://github.com/JohnTroony/php-webshells
For shells in other languages too:
https://github.com/BlackArch/webshells
https://github.com/malwares/WebShell
NOTE: Please NEVER host a webshell in your server or any publicly accessible machine.
Discovering a webshell backdoor can be as simple as looking for a malicious file in your upload folders, or it can be as complicated as reviewing the source code for vulnerabilities and the logs for abnormal behavior. However, one free tool that can detect a majority of the webshells is called "webshell Detector" and it is easy to use.
For more information, you may visit their github page:
https://github.com/emposha/PHP-Shell-Detector
Another way to discover a webshell is by checking the logs. Here are some helpful tips:
You will often hear a lot of advises about how to keep your website safe. We’ll try to be as simple as possible by mentioning the most important steps needed to be taken, which are as following:
Finally, you are always welcome to contact us for help. Our professional security services at FixMyWP.com can help you protect your website.
In the upcoming blog post, we will talk more about another type of backdoor which is a network shell backdoor. In addition, we will show how a professional hacker can turn a simple webshell backdoor into a network shell, so stay tuned.
WordPress is a widely popular Content Management System (CMS) that powers over 40% of all…
WordPress is a popular platform that empowers more than 60 million websites worldwide. Millions of…
In this article, we will cover ten crucial WordPress site maintenance tasks that every website…
In this blog article, we will explore the various WordPress security solutions you can implement…
Plugins are an integral part of WordPress, as they offer countless benefits and features that…
In this article, we will explore various strategies that can help you enhance your WordPress…