Question

I am investigating a potential web shell attack on a web server and need guidance on how to analyze and detect malicious uploads. Specifically:

• What are the common web shell file signatures and obfuscation techniques?
• How can I manually inspect logs and file system changes to identify web shells?
• What automated tools (e.g., ClamAV, YARA) can assist in detecting web shells?
  Any best practices for preventing such attacks in PHP, Apache, or NGINX would also be helpful.

Answer 1

Analyzing potential web shell uploads on a web server involves understanding their characteristics, detection methods, and implementing preventive measures. Here's a comprehensive guide to assist you:

1. Common Web Shell File Signatures and Obfuscation Techniques

Web shells are malicious scripts that provide attackers with unauthorized remote access to a server. They can be written in various languages, including PHP, ASP, JSP, and others. Attackers often employ obfuscation techniques to conceal the malicious code:

• Minimalistic Code: Some web shells consist of a single line of code that executes commands received via HTTP requests.

  Example:

<?php system($_GET['cmd']); ?>

• String Obfuscation: Using functions like base64_encode and base64_decode to encode the payload, making the code less readable.

  Example:

<?php eval(base64_decode('c3lzdGVtKCRfR0VUWydjbWQnXSk7')); ?>

• Variable Function Names: Defining function names dynamically to evade signature-based detection.

  Example:

<?php $func = 'sys' . 'tem'; $func($_GET['cmd']); ?>

These techniques aim to bypass security filters and make manual analysis more challenging.

2. Manual Inspection: Logs and File System Changes

To identify potential web shells:

• File System Monitoring:

  • Check for Unusual Files: Look for files with uncommon names or extensions in web-accessible directories.

  • Analyze Timestamps: Identify files with creation or modification times that don't align with regular deployment schedules.

• Log Examination:

  • Web Server Logs: Review access logs for irregular HTTP requests, especially those accessing unexpected files or containing suspicious parameters.

  • Authentication Logs: Monitor for unauthorized login attempts or access from unfamiliar IP addresses.

Regularly auditing these logs can help in early detection of malicious activities.

3. Automated Tools for Web Shell Detection

Several tools can assist in identifying web shells:

• ClamAV: An open-source antivirus engine that can detect known web shells through signature-based scanning.

  • Usage:

    clamscan -r /var/www/html/

• YARA: A tool aimed at helping researchers identify and classify malware by creating descriptions of malware families based on textual or binary patterns.

  • Example Rule:

    rule WebShellDetection {
      strings:
        $php_tag = "<?php"
        $cmd_var = "_GET['cmd']"
      condition:
        $php_tag at 0 and $cmd_var
    }
    

  • Usage:

    yara -r WebShellDetection /var/www/html/

• ShellSweepPlus: An open-source web shell detection tool that employs advanced methods like entropy analysis and heuristic analysis to identify obfuscated web shells.

  • Usage:

    python shellsweepplus.py /var/www/html/

These tools can be integrated into regular security scans to automate the detection process.

4. Best Practices for Prevention in PHP, Apache, and NGINX

Preventing web shell attacks involves securing the server environment:

• Input Validation and File Upload Controls

  • Restrict File Types: Allow only necessary file types to be uploaded.

  • Set Secure Permissions: Ensure uploaded files do not have execute permissions.

  • Rename Files: Change uploaded file names to prevent execution of malicious scripts.

• Web Server Configuration

  • Disable Unnecessary Script Execution: Configure the server to prevent execution of scripts in directories intended for file storage.

    • Apache (.htaccess):

      <Directory "/var/www/uploads"> php_flag engine off </Directory>

    • NGINX:

      location /uploads/ { location ~ \.php$ { deny all; } }

  • Implement Web Application Firewalls (WAFs): Use tools like ModSecurity to filter and monitor HTTP traffic for malicious patterns.

• Regular Updates and Patching

  • Keep Software Updated: Regularly update the operating system, web server software, and applications to patch known vulnerabilities.

  • Remove Unused Applications and Plugins: Eliminate unnecessary software that could introduce vulnerabilities.

By combining vigilant monitoring with robust preventive measures, the risk of web shell attacks can be significantly reduced.