Exploitation of Web Servers Using Web Shells
Date: 24 February 2017
The purpose of this Information Note is to bring attention to the use of web shells in the exploitation of web servers.
A command shell is a user interface which allows users to input commands to an operating system. A web shell is a script (commonly written in PHP, ASP, ASP.NET or JSP) placed on a web server that allows whoever can reach it over HTTP to run operating system commands on that server through a web browser or any other HTTP client. Technically, web shells can be used to execute legitimate commands by authorized users; however, this is not typical or recommended, since it exposes command execution to anyone who can reach the script.
To install a web shell, a malicious actor typically scans the target web server for exploitable vulnerabilities. These vulnerabilities are commonly found in legitimate web applications, including web content management systems and their plugins and themes; unrestricted file upload, remote code execution and file inclusion flaws are frequent entry points, as are weak or stolen administrative credentials that permit uploading arbitrary files. Once installed, a web shell runs with the privileges of the web server process (for example www-data, apache or an IIS application pool identity), and everything that process can read, write or execute is available to the actor. A malicious actor could leverage this access for a variety of activities, including but not limited to:
- performing external attacks and other malicious activities (including denial-of-service attacks, host scanning and exploitation);
- stealing information and credentials;
- escalating privileges within the compromised host;
- compromising the integrity of the content offered by the web server, including installing exploit kits and other malware; and
- pivoting within the network to gain access to more resources.
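The installation path described above, as an added example that is not part of the CCIRC note: a file-upload handler with an unrestricted-upload flaw (one of the application vulnerabilities such a scan looks for) beside a hardened version. The directory layout, function names and the sample payload are assumptions for the illustration.

```python
"""Added example, not code from the CCIRC note: a file-upload handler that
lets a web shell through, beside a hardened version. The directory layout,
function names and the sample payload are assumptions for the illustration."""
import secrets
import tempfile
from pathlib import Path

# VULNERABLE: trusts the client-supplied name and writes into the served web
# root, so an upload named "avatar.php" becomes server-executable content.
def save_upload_unsafe(webroot: Path, filename: str, data: bytes) -> Path:
    dest = webroot / "uploads" / filename      # no extension or content check
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest

# HARDENED: allow-list the extension, verify the content matches the claimed
# type (magic bytes), pick a random server-side name so double extensions
# such as "x.php.jpg" cannot survive, and store outside the web root so the
# server never executes what was uploaded.
ALLOWED_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}

class UploadRejected(ValueError):
    pass

def save_upload_hardened(store_dir: Path, filename: str, data: bytes) -> Path:
    ext = Path(filename).suffix.lower()
    magic = ALLOWED_MAGIC.get(ext)
    if magic is None:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(magic):
        raise UploadRejected("content does not match claimed type")
    dest = store_dir / (secrets.token_hex(16) + ext)   # store_dir is NOT under webroot
    dest.write_bytes(data)
    return dest

def demo() -> dict:
    """Run both handlers on a constructed PHP shell and a minimal PNG header."""
    webroot, store = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    shell = b"<?php @eval($_POST['x']); ?>\n"          # constructed sample payload
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed image stub
    unsafe = save_upload_unsafe(webroot, "avatar.php", shell)
    results = {"unsafe_saved_php_in_webroot": unsafe.exists() and unsafe.suffix == ".php"}
    for name in ("avatar.php", "avatar.jpg", "avatar.php.jpg"):
        try:
            save_upload_hardened(store, name, shell)
            results[name] = "accepted"
        except UploadRejected as exc:
            results[name] = f"rejected: {exc}"
    saved = save_upload_hardened(store, "avatar.png", png)
    results["avatar.png"] = "accepted" if saved.parent == store and saved.suffix == ".png" else "misplaced"
    return results
```

The hardened handler still does not make uploaded images safe to execute (a PHP payload can be hidden after a valid PNG header); what protects the server is that the store directory is never served with script execution enabled, and files are returned to clients through a download handler that sets the Content-Type rather than by direct path.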
CCIRC recommends that organizations review the following mitigation suggestions and consider their implementation in the context of their network environment:
- Regular scanning and monitoring for non-standard or suspicious code/files/folders on hosts. Malicious code is often obfuscated, so signature matching alone will miss much of it. Rule/signature-based tools (e.g. YARA) and statistical tools that flag obfuscation (e.g. NeoPI, which scores files by entropy, longest word and index of coincidence) can assist with scanning, and comparing the deployed file tree against a known-good baseline (a hash manifest or a clean checkout of the application) catches files that no signature recognizes.
- Employ anti-malware and other security tools on your assets and/or infrastructure. Tools which can both detect/identify and remediate/remove infections should be sought. Anti-malware and other security tools should be maintained and kept up-to-date, and all executables downloaded to organizations’ infrastructure should be scanned before executing/opening.
- Review network and system logs for any suspicious activity or traffic that may indicate compromise. The behaviour surrounding the installation and use of web shells varies significantly, which makes them difficult to identify by any single indicator. CCIRC suggests investigating any non-typical network/system activity or usage metrics, including:
  - Extended periods of high load/traffic/usage.
  - Files with an unusual timestamp (e.g. a script whose modification time differs from the rest of its directory, or one whose timestamps appear to have been altered to blend in).
  - Presence of suspicious files/folders, particularly scripts in directories that should hold only static content (uploads, images, temp).
  - Files containing suspicious keywords such as cmd.exe, eval, base64_decode, system, shell_exec or passthru, or long encoded strings that decode to such calls.
  - Non-standard network connections (e.g. traffic outside of typical operating hours, use of unusual ports/protocols, or traffic to/from foreign countries/regions not typically associated with operations).
  - Any evidence of suspicious shell commands, including command interpreters (cmd.exe, powershell.exe, /bin/sh) spawned as child processes of the web server or application process.
- Developers/vendors of web applications often provide software-specific security documents (e.g. best practices, checklists, guides, manuals) which should be reviewed and actioned as required.
- Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Since network storage can also be affected, this data should be kept on a separate device, and backups should be stored offline.
- Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
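The file-scanning and log-review indicators listed above, as an added example that is not tooling from the CCIRC note: a small triage scanner that scores script files by suspicious keywords, entropy and line length, and flags access-log requests to scripts missing from the deployment inventory or carrying command-style parameters. The keyword list, thresholds, sample files and log lines are constructed assumptions; in production, YARA rules and a statistical tool such as NeoPI should take the place of these heuristics.

```python
"""Added example, not tooling from the CCIRC note: lightweight web-shell triage
over a web root and its access log. Keyword list, thresholds, the sample files
and the log lines are constructed assumptions for the demonstration."""
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

SCRIPT_EXTS = {".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp", ".cgi"}
# Functions and strings that legitimate application code rarely needs together.
KEYWORDS = ["eval(", "base64_decode(", "gzinflate(", "str_rot13(", "system(",
            "shell_exec(", "passthru(", "cmd.exe", "wscript.shell"]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encoded or packed payloads push this toward 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def score_content(data: bytes) -> dict:
    """Heuristic score: 2 per keyword hit, +2 for high entropy, +1 for a very
    long line (one-liner shells, packed payloads). Expect false positives on
    build artefacts; the output is a triage list, not a verdict."""
    text = data.decode("latin-1").lower()
    hits = [k for k in KEYWORDS if k in text]
    ent = shannon_entropy(data)
    longest = max((len(line) for line in data.splitlines()), default=0)
    score = 2 * len(hits) + (2 if ent > 5.5 else 0) + (1 if longest > 500 else 0)
    return {"keywords": hits, "entropy": round(ent, 2), "longest_line": longest, "score": score}

def scan_webroot(root: Path, min_score: int = 2) -> list:
    """Walk the web root and return flagged script files, highest score first."""
    findings = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTS:
            f = score_content(p.read_bytes())
            if f["score"] >= min_score:
                findings.append({"path": p.relative_to(root).as_posix(), **f})
    return sorted(findings, key=lambda f: -f["score"])

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
CMD_PARAM = re.compile(r"(?:^|&)(?:cmd|c|exec|command)=", re.I)

def suspicious_requests(log_lines, known_scripts: set) -> list:
    """Flag requests to script paths missing from the deployment inventory,
    requests carrying a command-style parameter, and POSTs from non-browser agents."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["uri"].partition("?")
        reasons = []
        if Path(path).suffix.lower() in SCRIPT_EXTS and path not in known_scripts:
            reasons.append("script not in inventory")
        if CMD_PARAM.search(query):
            reasons.append("command-style parameter")
        if m["method"] == "POST" and not m["ua"].startswith("Mozilla/"):
            reasons.append("POST from non-browser agent")
        if reasons:
            out.append({"ip": m["ip"], "uri": m["uri"], "reasons": reasons})
    return out

def demo() -> dict:
    """Constructed web root (one benign page, one shell) and constructed log lines."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_bytes(b"<?php echo 'Welcome'; include 'lib/db.php'; ?>\n")
    (root / "uploads").mkdir()
    (root / "uploads" / "img_2017.php").write_bytes(
        b"<?php @eval(base64_decode($_POST['p'])); ?>\n")
    logs = [  # constructed sample lines, RFC 5737 documentation addresses
        '203.0.113.9 - - [24/Feb/2017:10:02:01 +0000] "GET /index.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [24/Feb/2017:03:12:44 +0000] "GET /uploads/img_2017.php?cmd=whoami HTTP/1.1" 200 54 "-" "python-requests/2.13.0"',
        '198.51.100.7 - - [24/Feb/2017:03:13:02 +0000] "POST /uploads/img_2017.php HTTP/1.1" 200 20 "-" "python-requests/2.13.0"',
    ]
    return {"files": scan_webroot(root), "requests": suspicious_requests(logs, {"/index.php"})}
```

The inventory check is the strongest of the three request heuristics: a deployment that records the set of script paths it ships (or the hashes of every file under the web root) turns "is this script supposed to exist?" into a lookup rather than a judgment call, which is why the note's advice to compare against vendor baselines and keep tested backups matters for detection as much as for recovery.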
Organizations who detect activity related to this Information note are encouraged to contact CCIRC.
CCIRC TR11-002: Mitigation Guidelines for Advanced Persistent Threats
CCIRC TR13-001: Content Management Systems Security and Associated Risks
US-CERT: TA15-314A - Compromised Web Servers and Web Shells - Threat Awareness and Guidance
Australian Signals Directorate: Securing Content Management Systems
Drupal: Securing your site
Joomla! Security Checklist
WordPress – Hardening WordPress
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note that CCIRC's PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118