Finding Web Shells

Purpose

Identify web shells (stand-alone or injected)

Data Required

Web server logs (apache, IIS, etc.)

Collection Considerations

Collect from all web servers, and ensure that request parameters are collected.
POST data should be collected as well.

Analysis Techniques

Stack counting
String matching

Description

  • Stack by page hits -- pages with very few hits are a typical sign of a webshell
    • Add more fidelity by combining this with the views below (none if the stack above is already giving enough fidelity, or one, two or all of them):
      • No Referer header from the client
      • Stack by unique page visits per IP -- most visitors to a webshell request only the webshell (no other page hits, no JS, no images, etc.)
        • This isn't true of injected webshells (where the shell is injected into an existing page)
      • Stack by UA uniqueness. This is not always rock solid, but useful, because many webshells have client software that sets its own UA, and many operators don't change the default
  • Look for parameters passed to image files (e.g., /bad.png?zz=ls)
  • More specific to injected webshells that live inside an existing page:
    • Stack by parameter counts per page -- injected webshells create new parameters on an existing page
      • Again, you can also check whether the Referer is missing and stack by UA uniqueness
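The stacks above, combined over Apache combined-format access logs, as an added example that is not part of the original hunt; the log lines are constructed, and /img/bad.png stands in for a planted shell (the name is an assumption, echoing the /bad.png?zz=ls example above).

```python
"""Stack counting over Apache combined-format logs for the webshell indicators
above. Added example, not the hunt's own code; SAMPLE_LOG is constructed."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".ico")
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /js/app.js HTTP/1.1" 200 90 "http://site/index.php" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:10:00:04 +0000] "GET /js/app.js HTTP/1.1" 200 90 "http://site/index.php" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /img/bad.png?zz=ls HTTP/1.1" 200 40 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jan/2024:10:05:09 +0000] "POST /img/bad.png HTTP/1.1" 200 40 "-" "python-requests/2.31"
"""

def stack(log_text):
    """Build the stacks the hunt describes: hits and no-Referer hits per page,
    client IPs and query parameter names per page, pages per IP, UA counts,
    and image requests that carry query parameters."""
    s = {"hits": Counter(), "no_referer": Counter(), "ips": defaultdict(set),
         "params": defaultdict(set), "pages_per_ip": defaultdict(set),
         "ua": Counter(), "image_with_params": []}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; count such lines separately in a real hunt
        r = m.groupdict()
        parts = urlsplit(r["url"])
        page, qs = parts.path, parse_qs(parts.query)
        s["hits"][page] += 1
        s["no_referer"][page] += int(r["referer"] == "-")
        s["ips"][page].add(r["ip"])
        s["params"][page].update(qs)          # new parameter names on a page
        s["pages_per_ip"][r["ip"]].add(page)
        s["ua"][r["ua"]] += 1
        if page.lower().endswith(IMAGE_EXT) and qs:
            s["image_with_params"].append((r["ip"], r["url"]))
    return s

def suspects(log_text, max_hits=5):
    """Rare pages requested only without a Referer, by clients that fetch
    nothing else: the combined view of the first three stacks."""
    s = stack(log_text)
    return sorted(p for p, n in s["hits"].items() if n <= max_hits
                  and s["no_referer"][p] == n
                  and all(s["pages_per_ip"][ip] == {p} for ip in s["ips"][p]))
```

Run `suspects(open("access.log").read())` against a real log and review the remaining stacks (UA counts, parameters per page) for the survivors rather than treating the list as a verdict.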

Other Notes

Endpoint detection strategies:

  • Look for creation of processes whose parent is the web server process (e.g., apache, w3wp.exe); these will come from functions like:
    • PHP functions like exec(), shell_exec(), etc.
    • ASP(.NET) functions like eval(), bind(), etc.
  • Look for file additions or file changes (if you have a change management process and schedule, it is easy to differentiate 'known good') -- using something like inotify on Linux (or FileSystemWatcher in .NET) to monitor the webroot folder(s) recursively

There are a few webshell hunt techniques located in other hunts:

It's important to realize that injected webshells may not be written to disk (e.g., SSJI, XSS, etc.). It is not common to find obfuscated code: if one conducts periodic analysis to determine the randomness of deployed software, obfuscated code will be easily apparent. It is also not common to find code which executes OS commands, so searching for popular programming languages' OS command functions leads to a high signal ratio; for instance, OS.exec or import pty, pty.spawn ....

More Info

None