Web Shells - the Conference Exchange

8/31/2016


Web Shells:

Hidden Access to Your Network

Tim Slaybaugh

CyberBrink


What is a Web Shell?

» Shells can be written in any scriptable web language that the site supports: ASP, ASPX, PHP, JSP, CFM, PY, PL, etc.

» OS Platform Independent

» Add, delete, modify and execute files.

» Run shell commands and scripts.

» Establish persistence on a network



Web Shells are Freely Available!

Web Shell Usage

» Harvest and exfiltrate data

» Upload malware to create a Watering Hole

» Internet Relay

» Mass Mailer

» Network Reconnaissance

» Database Access

Are You Vulnerable?

» Cross site scripting

» SQL Injection

» Remote File, Local File inclusion vulnerabilities

» Open Admin interface

» Vulnerabilities in third party plugins and content management applications


Are You Vulnerable?

Are You Vulnerable?

www.infosecurity-magazine.com, 7 April 2016

Gaining Access

» Once a shell is established, additional tools will be uploaded.

» Larger tools may be echoed in line by line.

» Newly uploaded tools can be hidden anywhere, even in the Recycler.

» The first objective is PRIVILEGE ESCALATION; tools like WCE.exe or Mimikatz will be uploaded to steal credentials.


Webshell Capability

This shell will check for Antivirus and other security tools before installing all of its features. If any of the tools from the default list are found, the site is reported back to the controller as 'Dangerous'.

Webshell Capability

A GIF header was added to this shell to bypass file checking by the server.

Webshell Capability

This shell checks the User-agent string of the connecting IP address. If the string belongs to one of the listed web crawlers, the shell returns 'HTTP 404 Not Found'.


Detection Challenges

» No Beaconing Activity.

» No Autorun key, or unusual running services.

» Small Footprint.

» Code is often obfuscated.

» Designed to hide from Web Crawlers and scanning services.

» Connections can be initiated from any source IP.

Detection Challenges

This simple shell from Deep Panda will execute anything passed to it.

This could be found as its own file, or embedded in another Internet accessible file.

Identifying Suspicious Files

» Files with odd time stamps

» Suspicious files in Web root or other Internet accessible locations:

• Files that contain any of the keywords listed below.

• Files that are out of place, e.g. a PHP file in an image folder.


Common Paths

» /var/lib/tomcat7/webapps/files

» /var/cache/tomcat7/Catalina/localhost/files/org/apache/jsp

» /var/www/files/

» /webroot/

» /inetpub/wwwroot/

» /inetpub/logs/LogFiles/

» C:/Windows/System32/LogFiles

» /var/log/httpd/

» /var/log/apache

Network Activity

This shell looks for the string 'jexboss' as part of the user-agent before it allows a connection.

Network Activity

» High site usage during abnormal periods.

» Unexpected connections in the logs.

» Log entries missing a Referer.

» Log entries for newly accessed URIs.

» .htaccess in your HTTP logs.

» filemanager in your HTTP logs.

» Suspicious GETs or POSTs with odd parameter names.


Network Activity

• Suspicious .war file installation

• Deployment time is 2:32:55 AM.

Network Activity

• GET Request with an unusual URI

Network Activity

• Suspicious User-Agent string
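A log-review routine for the Network Activity indicators above (missing Referer, newly accessed URIs, .htaccess/filemanager/.war in the URI, the jexboss user-agent, a write request at 2:32 AM, odd parameter names). This is an added example, not code from the deck or from CyberBrink: it assumes the Apache/nginx combined log format, a constructed baseline of known URIs, and that 00:00-05:59 server time counts as an abnormal period; the sample log lines are constructed.

```python
import re
from datetime import datetime

LOG_RE = re.compile(  # Apache/nginx "combined" access log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Assumed baseline of URIs this site normally serves (constructed for the example).
KNOWN_URIS = {"/", "/index.php", "/images/logo.gif", "/login.php"}
URI_KEYWORDS = re.compile(r"\.htaccess|filemanager|\.war$", re.I)
UA_KEYWORDS = re.compile(r"jexboss", re.I)
QUIET_HOURS = range(0, 6)   # assumed: 00:00-05:59 server time is an abnormal period

def odd_param_names(uri):
    # Query parameter names that are very short or are not plain identifiers.
    query = uri.partition("?")[2]
    names = [p.split("=", 1)[0] for p in query.split("&") if p]
    return [n for n in names if len(n) <= 2 or not re.fullmatch(r"[A-Za-z_]\w*", n)]

def analyze_line(line):
    """Return the reasons (possibly none) a log line looks like web shell traffic."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    f = m.groupdict()
    path = f["uri"].partition("?")[0]
    hour = datetime.strptime(f["ts"], "%d/%b/%Y:%H:%M:%S %z").hour
    reasons = []
    if path not in KNOWN_URIS:
        reasons.append("newly accessed URI")
    if URI_KEYWORDS.search(path):
        reasons.append("URI keyword (.htaccess/filemanager/.war)")
    if UA_KEYWORDS.search(f["ua"]):
        reasons.append("suspicious user-agent")
    if f["method"] in ("POST", "PUT") and f["referer"] == "-":
        reasons.append(f["method"] + " without Referer")
    if f["method"] in ("POST", "PUT") and hour in QUIET_HOURS:
        reasons.append("write request during quiet hours")
    if odd := odd_param_names(f["uri"]):
        reasons.append("odd parameter names: " + ",".join(odd))
    return reasons

# Constructed sample lines; the second mirrors the deck's 2:32:55 AM .war deployment and jexboss user-agent.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Aug/2016:10:14:02 -0400] "GET /index.php HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Aug/2016:02:32:55 -0400] "PUT /files/app.war HTTP/1.1" 201 58 "-" "Mozilla/5.0 jexboss"',
    '198.51.100.7 - - [31/Aug/2016:02:33:10 -0400] "POST /images/x.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [31/Aug/2016:11:05:41 -0400] "GET /login.php?u=a&pw=b HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
]
```

Run `analyze_line` over each line of a real access log and review anything that returns more than one reason first; a single "newly accessed URI" hit on its own is usually just new content.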


Network Logs

Event Logs

Event Logs


Keywords

Keywords

Keywords

This shell used code pages for the Cyrillic and Ukrainian alphabet.


Pagefile.sys

On a busy server, multi-threaded processes are often pushed to the pagefile or swap.

Pagefile.sys

Regex Searching

» egrep -re '[<][?]php\s\@eval[(]\$_POST\[.+][)];[?][>]' *.php

» egrep -re '[<]\%\@\sPage\sLanguage=.Jscript.\%[>][<]\%eval.Request\.

» Regular expressions can be written to identify webshells based on the syntax of the scripting language.


Indicators of Compromise (IOCs)

» Unplanned deployment events, e.g. pushing out a .war file in a Java-based application.

» Modification of user accounts.

» Creation or editing of scheduled tasks or maintenance events.

» Unplanned configuration updates or backup operations.

» Failed or non-standard login events.

Mitigation

» Regular updates.

» Set up a DMZ between the Internet facing servers and the internal corporate network.

» Limit traffic to/from DMZ to internal network.

» Least Privilege Policy (for web server and application user context).

• Attacker cannot escalate privileges

• Attacker cannot create files and access certain directories

Mitigation

» Limit Trust Relationships between domains.

» Keep known good versions of the server.

» User Input Validation (to stop remote file inclusion vulnerability).

» Vulnerability scans.

» Monitor changes to web content; Tripwire, Samhain, etc.

» Ask your hosting provider for the logs.


Mitigation

» Update that legacy application.

» Keep good network logs.

» Secure configuration of Internet facing servers:

• Close ports

• Turn off services

• Use application whitelisting

Mitigation

» Hide server information by turning off ServerSignature in Apache, or server_tokens in Nginx.

» Change the default name for the Admin account.

» Disable unused PHP functions and HTTP verbs.

» Be sure that shell history and timestamps are enabled on *nix servers.

File Stacking

» Sort by common extensions such as asp, aspx, php, jsp, cfm, etc.

» Sort by accessible directories, %systemdrive, %Inetpub/www/root, %Program Files, etc.

» Sort by creation time

» Sort by unique paths or directories not common across the network


Detection Tools

» Online web shell analyzers

Online analyzers like www.shellray.com or www.shelldetector.com can be used to identify suspicious files. These tools may be limited to specific scripting languages.

NeoPI

» Originally developed by Ben Hagen and Scott Behrens at NeoHapsis.

» Open source (GitHub) so a user can customize their searches.

» Ranks files by predetermined characteristics.

» Very little development since NeoHapsis was acquired by Cisco in 2014.

NeoPI


MalSpider

» Web spidering framework developed by James Sheppard at Cisco.

» Searches a web site for any changes.

» Detects vbscript injection, email address disclosure and hidden iframes.

» Malspider can be run through a proxy.

» User agent strings can be customized.

Thank You

Tim Slaybaugh
