Advisory on Good Security Practices Against Web Shell Attacks

Published on 04 May 2020

Updated on 04 May 2020

Cyber attackers have increased their use of web shells to compromise computer networks. A web shell is a script implanted on a web server, typically by exploiting a web application vulnerability or a configuration weakness, that gives the attacker persistent remote access to the server and the ability to execute code on it. A web shell can be written in any language the server will interpret, such as PHP, ASP, Python or Unix shell script.


Once a web shell is in place, the attacker can issue commands remotely and upload, download, delete or execute arbitrary files on the web server, with the privileges of the web server process.


The following are some security measures to prevent the installation of a web shell:

  • Apply updates to web applications, their frameworks and plugins, and the host operating system regularly or automatically to close known vulnerabilities
  • Apply least privilege on the web server: the web server account should not be able to write to directories from which scripts are executed (particularly the web root), and directories it must write to (such as upload folders) should not allow script execution; this limits the attacker's ability to drop a shell, escalate privileges or pivot laterally to other hosts
  • Consider implementing a demilitarised zone (DMZ) between the external Internet-facing servers and the internal networks; this will limit interaction between the two networks and also provides traffic logs that can help to identify possible malicious activities
  • Configure the web servers securely:
    • Disable/block all unnecessary listener services and open ports
    • Disable directory listing
    • Block external access to the Administration panel
    • Change default credentials and use strong passwords
  • Perform strict validation of user input, particularly file names and paths taken from requests, to prevent local and remote file inclusion and unrestricted file upload vulnerabilities
  • Perform proper system and application vulnerability scans to detect areas of risk
  • Consider deploying a web application firewall or a reverse proxy to increase security, performance, and reliability
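The list above says what to prevent; the following is an added example (not code from this advisory or from the NSA/ASD guidance it links to) of how a practitioner checks for the outcome. It builds a known-good SHA-256 baseline of the web root, reports files that drifted from it, scans drifted server-side scripts for the request-input-to-execution shape that PHP and ASP web shells share, and flags scripts the web server account could rewrite (the least-privilege point above). The web root layout, indicator patterns and sample files are assumptions constructed for the demo.

```python
"""Web shell triage: hash baseline, drift detection, indicator scan, permission check.

Added example for this advisory; the indicator list and sample files are
assumptions for illustration, not a complete signature set.
"""
import hashlib
import os
import re
import stat
import tempfile

# Execution sinks plus the obfuscation helpers that usually accompany them
# in PHP/ASP shells (assumption: a heuristic list, tune it to your stack).
SINKS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    r"preg_replace\s*\(\s*['\"].*?/e|create_function|base64_decode|"
    r"Execute|ExecuteGlobal|WScript\.Shell)\b", re.IGNORECASE)
# Request-controlled input: the other half of the web shell shape.
REQUEST_SOURCES = re.compile(
    r"(\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|php://input|"
    r"Request\.(Form|QueryString|Item)\b)", re.IGNORECASE)
SCANNABLE = (".php", ".phtml", ".php5", ".asp", ".aspx", ".ashx", ".jsp")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(webroot):
    """Known-good baseline: relative path -> SHA-256. Take it from a clean deploy."""
    manifest = {}
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, webroot)] = sha256_of(full)
    return manifest


def find_drift(webroot, manifest):
    """Return (added, modified, removed) relative paths compared with the baseline."""
    current = build_manifest(webroot)
    added = sorted(p for p in current if p not in manifest)
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    removed = sorted(p for p in manifest if p not in current)
    return added, modified, removed


def indicator_hits(path):
    """True when a server-side script both reads request input and reaches a sink."""
    if not path.lower().endswith(SCANNABLE):
        return False
    with open(path, "r", errors="replace") as f:
        src = f.read()
    return bool(SINKS.search(src)) and bool(REQUEST_SOURCES.search(src))


def writable_scripts(webroot):
    """Least-privilege check: scripts that are group- or world-writable."""
    hits = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            mode = os.stat(full).st_mode
            if name.lower().endswith(SCANNABLE) and mode & (stat.S_IWGRP | stat.S_IWOTH):
                hits.append(os.path.relpath(full, webroot))
    return sorted(hits)


def triage(webroot, manifest):
    """Files that drifted from baseline AND carry indicators go to the top of the queue."""
    added, modified, _ = find_drift(webroot, manifest)
    return sorted(p for p in added + modified if indicator_hits(os.path.join(webroot, p)))


def demo():
    """Constructed scenario: a clean deploy, then a dropped shell and a benign edit."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uploads"))
    index = os.path.join(root, "index.php")
    with open(index, "w") as f:
        f.write("<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>")  # reads input, no sink
    os.chmod(index, 0o644)
    baseline = build_manifest(root)
    # Constructed sample shell, as if dropped through an upload flaw (not real traffic).
    shell = os.path.join(root, "uploads", "img.php")
    with open(shell, "w") as f:
        f.write("<?php @eval(base64_decode($_POST['x'])); ?>")
    os.chmod(shell, 0o666)  # also world-writable: fails the least-privilege check
    with open(index, "a") as f:
        f.write("\n<!-- footer -->")  # legitimate change: drift, but not a shell
    return {
        "drift": find_drift(root, baseline),
        "suspects": triage(root, baseline),
        "writable": writable_scripts(root),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the demo the edited index.php shows up as drift but not as a suspect, while the dropped uploads/img.php is both drifted and indicator-positive, and also fails the writable-script check. On a real host the baseline comes from a clean deployment artifact, not from the running server, and the indicator scan is a triage aid rather than proof: review every drifted file, since a shell that avoids the listed sinks still shows as unexplained drift.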

More information is available at:

https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2159419/detect-prevent-cyber-attackers-from-exploiting-web-servers-via-web-shell-malware/

https://media.defense.gov/2020/Apr/22/2002285959/-1/-1/0/DETECT%20AND%20PREVENT%20WEB%20SHELL%20MALWARE.PDF

https://nakedsecurity.sophos.com/2020/04/27/web-shell-warning-issued-by-us-and-australia/

https://www.zdnet.com/article/nsa-shares-list-of-vulnerabilities-commonly-exploited-to-plant-web-shells/