Web shells can be used to obtain unauthorized access and can lead to wider network compromise. Consistent use of web shells by Advanced Persistent Threat (APT) and criminal groups has led to a significant number of cyber incidents. This alert describes the frequent use of web shells as an exploitation vector and Check Point’s IPS guidance and relevant IPS protections addressing these threats.
A web shell is a script that can be uploaded to a web server to enable remote administration of the machine. It can be written in any language that the target web server supports. The most commonly observed web shells are written in languages that are widely supported, such as PHP and ASP. Perl, Ruby, Python, and Unix shell scripts are also used. Using network reconnaissance tools, an adversary can identify vulnerabilities that can be exploited and result in the installation of a web shell. For example, these vulnerabilities can exist in content management systems (CMS) or web server software. Once successfully uploaded, an adversary can use the web shell to leverage other exploitation techniques to escalate privileges and to issue commands remotely. These commands are directly linked to the privilege and functionality available to the web server and may include the ability to add, delete, and execute files as well as the ability to run shell commands, further executables, or scripts.
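One defender-side check that follows from this description: a script dropped through a file-upload feature only becomes a web shell once the server executes it, so requests that run server-side code out of a directory meant for static uploads are a strong signal. The example below is added here and is not code from Check Point's advisory; it parses constructed access-log lines (combined log format) and flags successful requests for script files under assumed upload directories.

```python
import re
from urllib.parse import urlsplit

# Combined log format (Apache/nginx); the regex captures only the fields we need.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed site layout: these paths should only ever serve static content.
UPLOAD_DIRS = ("/uploads/", "/images/", "/files/", "/wp-content/uploads/")
# Extensions the web server would hand to an interpreter (PHP/ASP/JSP per the advisory).
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp")

# Constructed sample log lines, not real traffic (addresses are documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2015:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/Nov/2015:10:01:09 +0000] "GET /uploads/avatar.png HTTP/1.1" 200 3421
203.0.113.9 - - [10/Nov/2015:10:02:15 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 87
203.0.113.9 - - [10/Nov/2015:10:02:40 +0000] "GET /uploads/avatar.php?x=1 HTTP/1.1" 200 91
198.51.100.4 - - [10/Nov/2015:10:03:01 +0000] "GET /images/logo.php HTTP/1.1" 404 210
"""

def parse_line(line):
    """Return the captured fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_script_in_upload_dir(target):
    """True when the request path points at an interpreter-handled file under an upload directory."""
    path = urlsplit(target).path.lower()   # drop the query string, normalise case
    return any(path.startswith(d) for d in UPLOAD_DIRS) and path.endswith(SCRIPT_EXTS)

def find_suspicious(log_text):
    """Return (ip, path, method, status) for each successful (2xx) request that
    executed a script from an upload directory; 404s are noise, not execution."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_script_in_upload_dir(rec["target"]) and rec["status"].startswith("2"):
            hits.append((rec["ip"], urlsplit(rec["target"]).path, rec["method"], rec["status"]))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("possible web shell execution:", hit)
```

Feed it the real access log of a CMS host and treat each hit as a file to inspect and a source IP to pivot on; the directory list must match the deployment's actual static paths.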
CHECK POINT IPS PROTECTIONS
Check Point protects its customers from various Web Shells with the following IPS protections:
- Web Servers Suspicious File Upload
- A remote attacker can upload a malicious file to a web server. Successful exploitation could result in the execution of arbitrary code in the security context of the web server.
- PHP Web Shell Generic Backdoor
- An attacker might upload a web shell backdoor to a PHP server. A successful exploitation might allow the attacker to run arbitrary code, or use the server as a bot for further attacks.
- PHP print Remote Shell Command Execution
- A remote command execution vulnerability has been reported in PHP. A remote attacker can exploit this issue by sending a specially crafted HTTP request to an affected server.
- PHP GLOBALS Remote File Inclusion
- A remote File Inclusion vulnerability has been reported in chumpsoft phpQuestionnaire. The vulnerability is due to lack of sanitization for user-supplied data. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system. This protection was previously known as PHP Remote File Inclusion.
- OpenX Ad Server Backdoor PHP Code Execution
- A Code Execution vulnerability has been reported in OpenX Ad Server. The vulnerability is due to the existence of a backdoor within the flowplayer-3.1.1.min.js library. A remote attacker could exploit this vulnerability by sending a malicious request to the server. Successful exploitation could result in code execution on the server.
- PhpMyAdmin SESSION Superglobal Remote Variable Manipulation
- PhpMyAdmin SERVER Superglobal Remote Variable Manipulation
- PhpMyAdmin REQUEST Superglobal Remote Variable Manipulation
- PhpMyAdmin ENV Superglobal Remote Variable Manipulation
- PhpMyAdmin GLOBALS Superglobal Remote Variable Manipulation
- A remote variable manipulation vulnerability has been reported in PhpMyAdmin. The vulnerability is due to insufficient validation of request parameters. A remote attacker could exploit this vulnerability by sending a malicious request to the server. Successful exploitation could result in modification of superglobal variables.
- PHP Web Shells Malicious Known Variables
- Known variables indicate an attempt to upload a web shell backdoor to a PHP server. A successful exploitation might allow the attacker to run arbitrary code, or use the server as a bot for further attacks.
- Multiple PHP Servers WeevelyShell Backdoor Command Execution
- Multiple PHP Servers B374kshell Backdoor Command Execution
- Multiple PHP Servers R57shell Backdoor Command Execution
- Multiple PHP Servers C99shell Backdoor Command Execution
- Multiple PHP Servers DQ99shell Backdoor Command Execution
- Multiple PHP Servers C100shell Backdoor Command Execution
- Multiple PHP Servers SyrianShell Backdoor Command Execution
- A command execution vulnerability has been reported in multiple PHP servers. The vulnerability is due to the existence of a backdoor file on the PHP server within a specific library. A remote attacker can exploit this vulnerability by sending a request to the malicious backdoor file.
- FTP ftpchk3.php File Upload
- A file upload vulnerability has been reported in FTP servers. The uploaded file is ftpchk3.php, which contains a virus. This virus modifies all web files (PHP, HTML, JavaScript and TPL files) in CMS systems to inject a malicious script into the site. Successful exploitation of this vulnerability could allow a remote attacker to execute PHP code on a website if the infected PHP code is running on the affected system.
- Horde FTP Server Backdoor Arbitrary PHP Code Execution
- An arbitrary PHP code execution vulnerability has been reported in Horde FTP server. The vulnerability is due to a backdoor in Horde 3.3.12 and Horde Groupware. A remote attacker can exploit this vulnerability via a specially crafted HTTP request. Successful exploitation would allow an attacker to execute arbitrary PHP code on the target.
- Web Servers CryptoPHP Backdoor
- Some free themes for Joomla, WordPress and Drupal CMS include a backdoor to the service. By installing these themes the system administrator installs the CryptoPHP backdoor.
CHECK POINT GUIDANCE
- Check Point recommends activating high confidence protections in Prevent mode.
- The protection “PHP Web Shells Malicious Known Variables” (Medium confidence) detects many web shells as well and should also be in prevent mode.
- In order to find additional protections which can detect Web Shell upload (per product), search the IPS Protections in SDB for:
- “File Upload”
- “File Inclusion”
- “Shell Upload”
Reference: https://www.us-cert.gov/ncas/alerts/TA15-314A