Track web shell file

    Available in VPC

    Refer to the following when locating web shell files during a security incident caused by a web shell.

    If suspicious files can be found in the console
    The list of suspected web shell files is collected together with the detected web shell behavior and is built from the conditions present at the time the behavior occurred. Each file is weighted by comparing conditions such as its access history, creation time, and owner against the time of the web shell behavior. Files in this list are relatively likely to be web shells, so checking it first allows a quick response.

    If suspicious files can't be found in the console
    Depending on the server environment or situation, the list of suspicious files may not appear in the console. In that case, look for suspected web shell files in the WAS access log around the time the web shell behavior was detected, using the following conditions.

    • Files accessed at the time the web shell behavior was detected can be suspected as web shells.
    • If the accessed file has an extension that the WAS executes, but the access was not intended by the service, it could be a web shell.
    • If there is an access history for a file in a path where files can be uploaded, it may be a web shell.
    • If the command executed by the web shell remains in the URL query string, the file can be suspected as a web shell.
      Example: webshell.php?cmd=cat%20/etc/hosts
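
    The following is an added example, not part of this article: it applies the four conditions above to constructed sample lines in the combined access log format, flagging executable files hit near the detection time, executable files under an upload path, and requests carrying a command-like query parameter. The extension set, upload directories, parameter names, detection time and log lines are all assumptions for the example; adjust them to the server being investigated.

```python
import os
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Combined access log format as written by Apache httpd / Nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Extensions the WAS executes. Add anything the server config maps to a script handler
# (for example .ppp mapped to PHP with AddType, as described later on this page).
EXEC_EXT = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx"}
# Directories where the application accepts uploads (assumed layout for this example).
UPLOAD_PATHS = ("/upload/", "/uploads/", "/files/")
# Query parameter names commonly used to pass a command to a web shell (assumption).
CMD_PARAMS = {"cmd", "command", "c", "exec", "sh", "pass"}

# Constructed sample log lines; the detection time below falls in the middle of them.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:14:55 +0900] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:10:15:02 +0900] "POST /upload/avatar.php HTTP/1.1" 200 312
203.0.113.7 - - [12/Mar/2024:10:15:09 +0900] "GET /upload/avatar.php?cmd=cat%20/etc/hosts HTTP/1.1" 200 198
10.0.0.5 - - [12/Mar/2024:10:15:20 +0900] "GET /images/logo.png HTTP/1.1" 200 8810
198.51.100.9 - - [12/Mar/2024:16:40:00 +0900] "GET /admin/webshell.ppp?cmd=id HTTP/1.1" 200 77
"""
DETECTED_AT = datetime(2024, 3, 12, 10, 15, 5, tzinfo=timezone(timedelta(hours=9)))


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"], _, rec["query"] = rec["url"].partition("?")
    return rec


def triage(log_text, detected_at, window=timedelta(minutes=5), exec_ext=EXEC_EXT):
    """Map each suspicious request path to the list of conditions it matched."""
    suspects = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ext = os.path.splitext(rec["path"])[1].lower()
        params = {k.lower() for k in parse_qs(rec["query"], keep_blank_values=True)}
        reasons = []
        if ext in exec_ext and abs(rec["ts"] - detected_at) <= window:
            reasons.append("executable file accessed near detection time")
        if ext in exec_ext and rec["path"].startswith(UPLOAD_PATHS):
            reasons.append("executable extension in upload path")
        if params & CMD_PARAMS:
            reasons.append("command-like query parameter")
        for r in reasons:
            found = suspects.setdefault(rec["path"], [])
            if r not in found:
                found.append(r)
    return suspects


def run_sample():
    """Triage the constructed log against the constructed detection time."""
    return triage(SAMPLE_LOG, DETECTED_AT)


if __name__ == "__main__":
    for path, reasons in run_sample().items():
        print(path, "->", "; ".join(reasons))
```

    Note that /index.php is flagged only because it is an executable file hit close to the detection time; the remaining checks on this page (owner, dates, content) are what separate it from /upload/avatar.php, which matches all three conditions. The .ppp file is caught purely by its query string, which is why the query-string condition is worth keeping independent of the extension list.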

    Check if the file's extension can be executed in the server
    If a file has an extension that the WAS recognizes as executable (.php, .jsp, etc.), it can be a web shell file.

    However, depending on the service or the attacker, files with an extension that is not normally executed by the WAS may be made executable through a particular setting. Check the server settings to identify every extension the WAS will execute: in Apache httpd this means AddType, AddHandler and SetHandler directives that point at the PHP handler, and in Tomcat the url-pattern entries mapped to the jsp servlet in web.xml.

    Example of a setting that makes the WAS treat .ppp files as .php:

    AddType application/x-httpd-php .php .ppp
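
    As an added example (not from this article), the function below pulls every extension mapped to a PHP handler out of an Apache httpd configuration excerpt, covering AddType and AddHandler lines like the one above and a SetHandler inside a FilesMatch block. The configuration text is constructed for the example, and the FilesMatch handling only understands a simple \.(a|b)$ alternation; anything more complex should be reviewed by hand.

```python
import re

# Constructed httpd.conf excerpt for this example; not taken from any real server.
SAMPLE_HTTPD_CONF = """\
AddType application/x-httpd-php .php .ppp
AddHandler php7-script .phtml
<FilesMatch "\\.(inc|txt)$">
    SetHandler application/x-httpd-php
</FilesMatch>
AddType image/png .png
"""

PHP_HANDLER_RE = re.compile(r"php", re.IGNORECASE)
FILESMATCH_OPEN_RE = re.compile(r'<FilesMatch\s+"([^"]+)"', re.IGNORECASE)
# Extracts the literal extensions from patterns such as \.php$ or \.(inc|txt)$ .
SIMPLE_ALT_RE = re.compile(r"\\\.\(?([A-Za-z0-9|]+)\)?\$?")


def php_extensions(conf_text):
    """Return the set of extensions the configuration maps to a PHP handler."""
    exts = set()
    filesmatch_pattern = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FILESMATCH_OPEN_RE.match(line)
        if m:
            filesmatch_pattern = m.group(1)
            continue
        if line.lower().startswith("</filesmatch>"):
            filesmatch_pattern = None
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("addtype", "addhandler") and len(parts) >= 3 and PHP_HANDLER_RE.search(parts[1]):
            # Every remaining token is an extension bound to this handler.
            exts.update(p.lower() for p in parts[2:])
        elif directive == "sethandler" and len(parts) >= 2 and PHP_HANDLER_RE.search(parts[1]) and filesmatch_pattern:
            alt = SIMPLE_ALT_RE.search(filesmatch_pattern)
            if alt:
                exts.update("." + e.lower() for e in alt.group(1).split("|"))
    return exts


if __name__ == "__main__":
    print(sorted(php_extensions(SAMPLE_HTTPD_CONF)))
```

    The resulting set is what the extension check on this page should be run against, rather than the default .php list; on the sample excerpt it includes .ppp, .inc and .txt, none of which would look executable at first glance in a directory listing.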
    

    Check if the file was developed for the service
    Check the file's name, creation date, and similar attributes to judge whether it is a normal file developed for the service. If it is a file you did not create, it can be a web shell.

    Even if you created the file, if you find traces of tampering when checking its creation date, modification date, or content, it may still have been turned into a web shell.

    Check the file owner
    Web shells are generally uploaded or created through a vulnerability in the web service, so the owner of a web shell file often matches the user the web service process runs as.

    Note

    Web shell file owner and permission examples:

    • If the httpd process is executed as nobody, then the owner of the web shell file is nobody
    • If the WAS process is executed as apache, then the owner of the web shell file is apache
    • If the WAS process is executed as root, then the owner of the web shell file is root

    If the owner of a file matches the WAS process user, the file may have been created by the web service itself rather than deployed by you, which makes it more likely to be a web shell. This check is weaker when the service's own files are also deployed under that account, so combine it with the other checks on this page.

    Check the file creation date
    If the file was created close to the time the web shell behavior occurred, it may be a web shell. Files created long ago may still be web shells, so check files with the following situations in mind.

    • The web shell was uploaded a long time ago and has been attacking continuously, but was only recently detected
    • The file was uploaded by someone a long time ago, and a new attacker found it and accessed it to use it for attacking

    Keep in mind that an attacker can set a file's modification time to match neighboring files (for example with touch), but on Linux the inode change time (ctime, shown by stat) cannot be set from user space, so a modification time that is much older than the change time is itself a sign of tampering.

    Check if the file was created using server-side scripting
    If the file contains server-side script, it can be a web shell. This is more likely when the script is in a language that the WAS running on the server can execute.
    Inspect the file's content with a text editor or viewer so that the suspicious file is not executed while you examine it.

    If a file created by server-side scripting exists in an unintended path, such as an upload directory, then it may be a web shell.

    Check if the file content has a pattern generally used in web shell files
    Web shell files are typically built to receive the attacker's command through the web service and execute it as a system command, which requires functions that can execute system commands. If such functions exist in a file, it can be a web shell.

    Note

    Examples of functions that can execute system commands or that are used to execute and obfuscate code:

    Runtime.getRuntime().exec()
    shell_exec, passthru, system, exec, popen
    eval, assert, call_user_func, base64_decode, gzinflate, gzuncompress, gzdecode, str_rot13, ...
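
    The following is an added example, not part of this article. It turns the function list above into content patterns and combines them with the earlier checks on this page (executable extension, upload path, owner matching the WAS user, modification time near the detection, and a modification time that disagrees with the inode change time) into one score per file. The sample files, directory layout, window and patterns are constructed assumptions; the shell's modification time is deliberately backdated to show why the timestamp check needs ctime as well as mtime. Files are only read, never executed.

```python
import os
import re
import tempfile
import time

# Patterns built from the function list above plus common server-side script tags.
# They are assumptions for this example: tune them against the service's own code base.
SUSPICIOUS = {
    "java_exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    "php_exec": re.compile(r"\b(shell_exec|passthru|system|exec|popen|proc_open)\s*\(", re.I),
    "php_eval": re.compile(r"\b(eval|assert|call_user_func|create_function)\s*\(", re.I),
    "decode": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\(", re.I),
    "request_input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I),
}
SERVER_SIDE_TAG = re.compile(r"<\?php|<\?=|<%[@!=]?|<jsp:", re.I)

# Constructed sample files: an obfuscated one-line PHP shell in the upload directory,
# an ordinary image, and a benign application script.
SAMPLES = {
    os.path.join("upload", "avatar.php"): "<?php @eval(base64_decode($_POST['x'])); ?>\n",
    os.path.join("upload", "photo.jpg"): "JFIF fake image content (constructed)\n",
    os.path.join("app", "index.php"): "<?php echo 'hello'; ?>\n",
}


def scan_content(text):
    """Names of the suspicious patterns found in a file's text (read, never executed)."""
    hits = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
    if SERVER_SIDE_TAG.search(text):
        hits.append("server_side_script")
    return hits


def score_file(path, was_uid, detected_at, exec_ext=(".php", ".jsp", ".ppp"),
               upload_dirs=("upload",), window_s=3600):
    """Combine the page's checks (content, extension, path, owner, timestamps) into one verdict."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    reasons = scan_content(text)
    if os.path.splitext(path)[1].lower() in exec_ext:
        reasons.append("executable_extension")
    if any(part in upload_dirs for part in path.split(os.sep)):
        reasons.append("in_upload_path")
    if st.st_uid == was_uid:
        reasons.append("owned_by_was_user")
    if abs(st.st_mtime - detected_at) <= window_s:
        reasons.append("modified_near_detection")
    # mtime can be faked with touch, but that resets ctime: a large gap is a tampering sign.
    if abs(st.st_ctime - st.st_mtime) > window_s:
        reasons.append("ctime_mtime_mismatch")
    return {"path": path, "score": len(reasons), "reasons": reasons}


def build_samples(root):
    """Write the sample files; the shell's mtime is backdated as an attacker would with touch."""
    for rel, body in SAMPLES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(body)
    old = time.time() - 400 * 86400
    os.utime(os.path.join(root, "upload", "avatar.php"), (old, old))


def run_sample():
    """Score the constructed files as the WAS user and return them, most suspicious first."""
    root = tempfile.mkdtemp()
    build_samples(root)
    now = time.time()
    results = [score_file(os.path.join(d, n), os.getuid(), now)
               for d, _, names in os.walk(root) for n in names]
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in run_sample():
        print(r["score"], r["path"], ", ".join(r["reasons"]))
```

    The score is only a ranking aid: the benign index.php and the uploaded image still collect points for owner and timing, which is exactly why the article asks for several independent checks before a file is treated as a web shell. The backdated avatar.php loses the "modified near detection" point but gains "ctime_mtime_mismatch", so the tampering is still visible.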
    

    Functions that execute system commands may be absent when the web shell carries out malicious behavior such as ransomware on its own, without receiving the attacker's commands. In addition, attackers may obfuscate the file or encrypt its communication to make the web shell difficult to analyze.

    Such cases can be difficult to analyze directly. Request the help of specialists, or respond using the other methods described above.

    If you are sure that the file was not created intentionally to provide the web service, is not required for the service to operate, and there is enough evidence that it is a web shell, you can treat it as a web shell and respond accordingly.

    Caution

    You can also check whether a file is a web shell by accessing it through the web service. However, this requires caution, since there is no way of knowing what traps the attacker may have set. This method is not recommended.
    Example: a web shell that deletes itself, or the server's files and database, when accessed by anyone other than the attacker, making analysis and tracking difficult.

