Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
55 lines (36 sloc) 2.38 KB

Finding Web Shells

Purpose

Identify web shells (stand-alone|injected)

Data Required

Web server logs (apache, IIS, etc.)

Collection Considerations

Collect from all webservers, and ensure that parameters are collected.
POST data should be collected.

Analysis Techniques:

Stack counting
String matching

Description

  • Stack by page hits -- pages with few hits are a typical sign
    • Add more fidelity by combining views from below (none if the above is giving higher fidelity, one, two or all):
      • No referer from client
      • Stack by unique visits per IP -- most only visit the webshell (no other page hits, no js, no images, etc.)
        • this isn't true of injected webshells (where they are injected into an existing page)
      • Stack by UA uniqueness. This is not always rock solid, but good, because many webshells have client software that sets the UA and many don't change the default
  • Look for parameters passed to image files (e.g., /bad.png?zz=ls)
  • More specific to inject webshells that inject into an existing page:
    • Stack by parameter counts per page -- webshells that create new params on an existing page
      • Again, you can look if referer is missing, UA uniqueness

Other Notes
Endpoint detection strategies:

  • Look for creation of processes whose parent is the webserver (e.g., apache, w3wp.exe); these will come from functions like:
    • PHP functions like exec(), shell_exec(), etc.
    • asp(.net) functions like eval(), bind(), etc.)
  • Looking for file additions or file changes (if you have a change management process and schedule to easily differentiate 'known good') -- (using something like inotify on linux (or FileSystemWatcher in .NET), to monitor the webroot folder(s) recursively)

There are a few webshell hunt techniques located in other hunts:

It's important to realize that injected webshells may not be written to disk (e.g., SSJI, XSS, etc.)

More Info

None