PHP-Webshell #11
Comments
Hey @sebnerz Thanks for reporting this evidence. We'd like to ensure the scanner can identify this behavior. I think right now we don't inspect the Also, are you willing to share the webshell? If you're not comfortable uploading it here, then you can also email me. I understand if this isn't an option.
Hi @williballenthin, sorry, I tried to include the code of the webshell in the opening comment, but apparently it got filtered out. Trying again, otherwise I'll mail it to you.
Regarding further ideas for scanning - we tried to verify the creation/modification dates of PHP files and to search for PHP files diffed against a list of the PHP files in a clean installation. The problem with scanning specific locations is that writing PHP files would be possible in a variety of locations (e.g. /var/vpn/theme or in the default-theme folder). Thanks for the fast reply!
The original webshell posted above should be caught by the following pattern: As @sebnerz pointed out, the best way to handle this detection is via whitelist; unfortunately, we don't have access to a comprehensive list of expected files and their hashes across all versions. During initial development, we explored this option, but decided against it because we couldn't test against a large enough fleet of prod NetScalers. This remains the case :-(
Hello,
thanks for providing the scanner to the public.
In a customer project regarding exploited NetScalers, we found evidence of the creation of a PHP webshell. The webshell was located at /var/vpn/themes/admin.php and simply eval'd $_POST[1]:
The attacker could thus simply POST commands to https://[server]/vpn/themes/admin.php.
Best regards
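The detection ideas raised in this thread (a one-line shell at /var/vpn/themes/admin.php that eval's $_POST[1], a content pattern for that, a diff against the file list and hashes of a clean installation, and a check of modification times) combined into one added Python example. This is illustrative code written for this page, not the scanner's own code: the sample theme directory and its files are constructed, and the scan roots, function names, reason labels and allowlist format are assumptions.

```python
"""Added example (not the scanner project's code): flag PHP files under a
NetScaler theme directory that (a) pass request data into a code-execution
sink, (b) are not in an allowlist of known-good files, (c) differ from their
allowlisted hash, or (d) were modified after a baseline time."""
import hashlib
import os
import re
import tempfile
import time
from typing import Dict, List, Tuple

# Paths named in the issue as places an attacker could drop PHP into.
# Assumption: illustrative only, not the scanner's real configuration.
SCAN_ROOTS = ["/var/vpn/themes", "/var/vpn/theme"]

PHP_EXTENSIONS = (".php", ".phtml", ".php5")

# A code-execution sink fed directly (or via base64_decode) from a request
# superglobal, which covers eval($_POST[1]) as described in the opening post.
WEBSHELL_RE = re.compile(
    rb"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*"
    rb"(?:base64_decode\s*\(\s*)?\$_(?:POST|GET|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_php_tree(root: str, allowlist: Dict[str, str],
                  baseline_mtime: float) -> List[Tuple[str, List[str]]]:
    """Walk `root`; return (relative path, sorted reasons) for suspicious PHP files.

    `allowlist` maps relative path -> expected SHA-256 from a clean install;
    `baseline_mtime` is the epoch time of the last known-good deployment.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            with open(full, "rb") as f:
                if WEBSHELL_RE.search(f.read()):
                    reasons.append("webshell-pattern")
            expected = allowlist.get(rel)
            if expected is None:
                reasons.append("unexpected-file")       # not part of the clean install
            elif sha256_file(full) != expected:
                reasons.append("hash-mismatch")         # known file, altered content
            if os.path.getmtime(full) > baseline_mtime:
                reasons.append("modified-after-baseline")
            if reasons:
                findings.append((rel, sorted(reasons)))
    return sorted(findings)


def build_demo_tree() -> Tuple[str, Dict[str, str], float]:
    """Create a constructed sample theme directory (not real NetScaler data)."""
    root = tempfile.mkdtemp(prefix="vpn-themes-")
    now = time.time()
    baseline = now - 3600      # pretend the clean install was deployed an hour ago
    old = baseline - 86400     # untouched files predate the baseline

    def write(rel: str, data: bytes, mtime: float) -> str:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))
        return path

    clean_index = write("default/index.php", b"<?php echo 'theme'; ?>\n", old)
    # Allowlisted file whose on-disk content has since been altered.
    write("default/style.php", b"<?php header('X-Tampered: 1'); ?>\n", now)
    # Constructed stand-in for the dropped shell the issue describes.
    write("admin.php", b"<?php eval($_POST[1]); ?>\n", now)

    allowlist = {
        "default/index.php": sha256_file(clean_index),
        "default/style.php": hashlib.sha256(
            b"<?php /* original theme loader */ ?>\n").hexdigest(),
    }
    return root, allowlist, baseline


if __name__ == "__main__":
    demo_root, demo_allowlist, demo_baseline = build_demo_tree()
    for rel, reasons in scan_php_tree(demo_root, demo_allowlist, demo_baseline):
        print(f"{rel}: {', '.join(reasons)}")
```

The pattern check alone would miss a shell that stores the payload in a variable first or decodes it through another function, which is why the hash comparison against a clean install is the stronger signal; the mtime check is cheap but easy for an attacker to defeat with touch, so treat it as corroboration rather than evidence on its own.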