Recently, the U.S. FBI was given court authorization to delete web shells from Microsoft Exchange servers. Web shells are a rising menace. They let attackers hide an entry point in your network that’s hard to get rid of. You don’t generally let the FBI go scanning for web shells if it’s an easy fix. Why all the angst? Here are five things to know about web shells.
- Their use is accelerating. According to Microsoft, the average number of web shells installed from August 2020 to January 2021 was 144,000—that’s almost double the same period from 2019 to 2020.
- You can write one in almost any web programming language. Web shells are written in PHP, JSP and ASP among others. They’re easy to slip in if there’s a vulnerability in any web app or internet-facing server, and an attacker can find such a vulnerability with a tool like Wireshark or by doing a Shodan search. One example was an image that, when requested by a web client, executed code server side to install the shell.
- They’re easy to use once installed. The command interfaces are instantly usable from any browser—even on a phone.
- They let an attacker do anything a legitimate administrator can do. You can use a web shell to run commands and execute code, from crypto mining to malware, and collect system information that can enable lateral movement within the network.
- They’re hard to detect. Because they use the language of the web, it’s easy to hide commands inside normal exchanges with a website. Patching a vulnerability doesn’t get rid of a web shell. If you don’t delete it, it remains as a persistent backdoor into your network.
How do you stop web shells? All the usual methods apply. Firewalls, log audits, credential hygiene, network segmentation and patch, patch, patch. The U.S. NSA offers tools for detection and removal on GitHub as well.
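One way to put the "log audits" advice into practice, as an added example that is not from the article or from the NSA's tools: compare access-log requests for script files against the list of scripts you actually deployed, since a web shell is a script that nobody deployed. It assumes the server writes Apache/nginx "combined" format logs, that a deployment manifest of legitimate script paths exists, and that the /uploads/ and /images/ directories never legitimately serve scripts; the log lines and manifest below are constructed.

```python
import re

# Apache/nginx "combined" access-log format (assumption about the server).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".jspx")
STATIC_ONLY_DIRS = ("/uploads/", "/images/")  # assumption: never host scripts


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines, deployed):
    """Flag requests to server-side scripts that a web shell would explain.

    deployed: set of script paths taken from the deployment manifest.
    Each finding lists every reason that fired, so an analyst can triage.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0].lower()  # drop query string
        if not path.endswith(SCRIPT_EXT):
            continue
        reasons = []
        if path not in deployed:
            reasons.append("script not in deployment manifest")
        if path.startswith(STATIC_ONLY_DIRS):
            reasons.append("script under static-only directory")
        if rec["method"] == "POST" and rec["referer"] == "-":
            reasons.append("POST without referer")  # typical of tool, not browser
        if reasons:
            findings.append({"ip": rec["ip"], "path": path, "reasons": reasons})
    return findings


# Constructed sample: three normal requests, then two to a file never deployed.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2021:10:01:03 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "https://example.test/index.php" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2021:10:07:44 +0000] "POST /login.php HTTP/1.1" 302 0 "https://example.test/index.php" "Mozilla/5.0"
198.51.100.77 - - [10/Apr/2021:11:15:09 +0000] "GET /uploads/avatar.php HTTP/1.1" 200 240 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Apr/2021:11:15:20 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 1932 "-" "Mozilla/5.0"
"""
DEPLOYED = {"/index.php", "/login.php"}  # constructed deployment manifest

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG.splitlines(), DEPLOYED):
        print(finding)
```

Because patching the vulnerability does not remove the dropped file, run this over logs from before the patch as well as after; the manifest comparison still fires as long as the file keeps being requested.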