Web shells can be used to obtain unauthorized access and can lead to wider network compromise. Consistent use of web shells by Advanced Persistent Threat (APT) and criminal groups has led to a significant number of cyber incidents. This alert describes the frequent use of web shells as an exploitation vector and Check Point’s IPS guidance and relevant IPS protections addressing these threats.

A web shell is a script that can be uploaded to a web server to enable remote administration of the machine. It can be written in any language that the target web server supports. The most commonly observed web shells are written in languages that are widely supported, such as PHP and ASP. Perl, Ruby, Python, and Unix shell scripts are also used. Using network reconnaissance tools, an adversary can identify vulnerabilities that can be exploited and result in the installation of a web shell. For example, these vulnerabilities can exist in content management systems (CMS) or web server software. Once successfully uploaded, an adversary can use the web shell to leverage other exploitation techniques to escalate privileges and to issue commands remotely. These commands are directly linked to the privilege and functionality available to the web server and may include the ability to add, delete, and execute files as well as the ability to run shell commands, further executables, or scripts.


Check Point protects its customers from various Web Shells with the following IPS protections:



  • Check Point recommends activating high confidence protections in Prevent mode.
  • The protection “PHP Web Shells Malicious Known Variables” (Medium confidence) detects many web shells as well and should also be in prevent mode.
  • In order to find additional protections which can detect Web Shell upload (per product), search the IPS Protections in SDB for:
    • “File Upload”
    • “File Inclusion”
    • “Shell Upload”


Reference: https://www.us-cert.gov/ncas/alerts/TA15-314A