Exploitation of Web Servers Using Web Shells

Number: IN17-001
Date: 24 February 2017

Purpose

The purpose of this Information Note is to bring attention to the use of web shells in the exploitation of web servers.

Assessment

A command shell is a user interface that allows users to input commands to an operating system. A web shell is a script designed to allow command shell access on a web server via a web browser. Technically, web shells can be used to execute legitimate commands by authorized users; however, this is neither typical nor recommended.

To install a web shell on a web server, a malicious actor could scan a web server for relevant exploitable vulnerabilities. These vulnerabilities are commonly found in legitimate web applications, including web content management systems. When discovered, a vulnerability could be exploited to upload a web shell. Once installed, a web shell will inherit the privileges of the web server which could be used to exploit the system. A malicious actor could leverage this access for a variety of activities, including but not limited to:

Suggested Action

CCIRC recommends that organizations review the following mitigation suggestions and consider their implementation in the context of their network environment:

Organizations that detect activity related to this Information Note are encouraged to contact CCIRC.
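The Assessment above describes the pattern defenders need to look for: a script that appears in the web root (often in a writable upload directory), executes code or commands, and takes its instructions from request input. The following Python script is an added example, not part of the CCIRC note or any referenced product; it assumes a PHP web root and an Apache or nginx combined-format access log, and every file and log line it checks is constructed inline. It flags scripts whose source combines a code/command execution function with request input or decoding, and flags requests for script paths that are not in the known deployed inventory.

```python
"""Added example: static web-shell indicators plus access-log correlation."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Indicator classes common in PHP web shells (assumption: PHP web root).
EXEC_FUNCS = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)
USER_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")
OBFUSCATION = re.compile(
    r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar", ".asp", ".aspx", ".jsp"}

# Constructed sample web root: a benign page, a benign form handler that reads
# request input without executing anything, and a minimal web shell.
SAMPLE_FILES = {
    "index.php": "<?php echo 'Hello'; include 'header.php'; ?>",
    "admin/login.php": "<?php $u = $_POST['user']; ?>",
    "uploads/avatar.php": "<?php @eval(base64_decode($_POST['c'])); ?>",
}

# Constructed combined-format access log lines; the scripts a deployment is
# known to serve form the inventory used to spot newly appeared scripts.
KNOWN_SCRIPTS = {"/index.php", "/admin/login.php"}
SAMPLE_LOG = """\
192.0.2.10 - - [24/Feb/2017:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Feb/2017:10:15:02 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Feb/2017:10:16:30 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 512 "-" "python-requests/2.13"
203.0.113.5 - - [24/Feb/2017:10:17:00 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)'
    r' [^"]*" (?P<status>\d{3}) (?P<size>\S+)')


def source_indicators(src: str) -> list[str]:
    """Return the indicator classes present in a script's source, in fixed order."""
    hits = []
    if EXEC_FUNCS.search(src):
        hits.append("exec")
    if USER_INPUT.search(src):
        hits.append("user_input")
    if OBFUSCATION.search(src):
        hits.append("obfuscation")
    return hits


def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Report scripts that execute code/commands AND read or decode request input."""
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.suffix.lower() not in SCRIPT_EXT or not path.is_file():
            continue
        hits = source_indicators(path.read_text(errors="ignore"))
        if "exec" in hits and ("user_input" in hits or "obfuscation" in hits):
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def parse_log_line(line: str) -> dict | None:
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_requests(lines, known_scripts: set[str]) -> list[dict]:
    """Flag requests for script paths absent from the deployed inventory."""
    flagged = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        path = rec["target"].split("?", 1)[0]
        if Path(path).suffix.lower() in SCRIPT_EXT and path not in known_scripts:
            rec["path"] = path
            rec["reason"] = "script not in deployed inventory"
            flagged.append(rec)
    return flagged


def build_sample_webroot() -> Path:
    """Write the constructed sample files into a temporary web root."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, hits in scan_webroot(root).items():
        print(f"[file] {rel}: {', '.join(hits)}")
    for req in suspicious_requests(SAMPLE_LOG.splitlines(), KNOWN_SCRIPTS):
        print(f"[log] {req['ip']} {req['method']} {req['path']} -> {req['reason']}")
```

The file scan deliberately requires two indicator classes: a form handler that merely reads `$_POST` is not reported, while a script that feeds decoded request input into `eval()` is. The log check depends on maintaining an inventory of the scripts a deployment legitimately serves, which is what makes a newly uploaded script stand out; a POST to such a path from an automated client is a strong signal and, as the note recommends, should be reported to CCIRC.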

References

CCIRC TR11-002: Mitigation Guidelines for Advanced Persistent Threats
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2011/tr11-002-eng.aspx

CCIRC TR13-001: Content Management Systems Security and Associated Risks
https://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2013/in13-001-en.aspx

US-CERT: TA15-314A - Compromised Web Servers and Web Shells - Threat Awareness and Guidance
https://www.us-cert.gov/ncas/alerts/TA15-314A

Australian Signals Directorate: Securing Content Management Systems
http://asd.gov.au/publications/protect/securing-cms.htm

Drupal: Securing your site
https://www.drupal.org/security/site-configuration

Joomla! Security Checklist
https://docs.joomla.org/Security_Checklist

WordPress: Hardening WordPress
https://codex.wordpress.org/Hardening_WordPress

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
