A web shell is a command shell (a program or script for controlling a device through commands) that allows remote control of a web server. A web shell can be used for legitimate tasks, but is most often deployed in cyberattacks. One of the best-known and widely used web shells is China Chopper.
A web shell can be written in any of the programming languages that the target server supports. These are usually common languages, such as PHP.
How and why cybercriminals use web shells
Typically, attackers deliver a web shell to the target server through vulnerabilities in the server itself, or in the sites or web applications linked to it. Once launched, the shell works like a backdoor: it provides the attackers with access to the server’s file system and databases, and allows them to sniff traffic and execute commands remotely.
Cybercriminals use web shells for various purposes, including the following:
- Data theft
- Building botnets and carrying out DDoS attacks
- Further penetration into the victim’s network, in particular onto devices that are inaccessible from the internet but accessible from the infected server
- Infecting devices of visitors to the compromised web resource (the watering-hole strategy)
Types of web shells
There are several types of web shells, which differ in terms of how the attackers’ device connects with the compromised server:
- Bind shell. The attackers initiate a connection with the attacked server from their own device. To connect and run a bind shell, the attackers must know the IP address of the server.
- Reverse shell (or connect-back shell). The target server itself connects to the attackers’ device. The target’s IP address is not required for a successful connection.
- Double reverse shell. Like with a single reverse shell, the infected server initiates the connection. However, unlike a single reverse shell, incoming and outgoing traffic is split into two channels, creating two parallel connections with the attackers’ device instead of just one.
Detecting web shells
Indicators of a malicious web shell in the system can be the following:
- Unknown files on the server — especially in directories accessible from the internet
- Files with unusual creation or download times (for example, more recent than the latest updates of installed applications)
- Suspicious log entries (for example, regarding an image sending requests to the server)
- Long periods of heavy server load
- Suspicious commands from a web-server process
Note that legitimate activity on the server may also cause some of these indicators to appear.