2020-04-23

The U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) have released a security advisory this week warning companies to scan their internal and internet-facing servers for web shells.

Web shells are one of the most popular forms of malware today. The term “web shell” refers to a malicious program or script installed on a hacked server.

Web shells provide a visual interface that hackers can use to interact with the hacked server and its file system. Most web shells have features that allow hackers to rename, copy, move, edit, or upload new files to a server. They can also be used to change file and directory permissions, or to archive and download (steal) data from the server.

Hackers install web shells by exploiting vulnerabilities in servers or internet-facing web applications (such as CMSs, CMS plugins, CMS themes, CRMs, intranets, or other enterprise applications).

Web shells can be written in any programming language, from Go to PHP. This allows hackers to hide web shells inside the code of any website under generic file names (such as index.asp or uploader.php), which makes detection by a human operator almost impossible without the help of a web application firewall or a web malware scanner.

In a report released in February this year, Microsoft said it detects about 77,000 active web shells daily, making them one of the most prevalent types of malware today.

Web shells can act as backdoors into internal networks

However, many companies do not fully understand the danger of having a web shell installed on their systems. Web shells effectively act as backdoors and should be treated with the utmost importance and urgency.

In a security advisory released this week, the NSA and ASD raised awareness about this often ignored attack vector.

“Web shells can serve as persistent backdoors or as relay nodes to direct attack commands to other systems,” the two agencies said. “Attackers often chain web shells across various compromised systems to route traffic across networks, such as from internet-facing systems to internal networks.”

The two agencies have now released a joint 17-page report (PDF) containing tools to help system administrators detect and deal with such threats. The advisory includes:

Scripts to compare a production website with a known image

Complex queries to detect abnormal URLs in web traffic

An Internet Information Services (IIS) Log Analysis Tool

Network traffic signatures for common web shells

Instructions for identifying unexpected network flows

Instructions for identifying abnormal process invocations in Sysmon data

Instructions for identifying abnormal process invocations with Auditd

HIPS rules to block changes to web-accessible directories

List of commonly used web application vulnerabilities
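As an added illustration of the first item in that list (this is example code, not one of the advisory's own scripts), the Python below hashes a known-good image of a site and the production web root and reports files that were added, modified or removed; the directory trees and file names it builds are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            digests[p.relative_to(root).as_posix()] = sha256_file(p)
    return digests


def compare_to_known_good(known_good: Path, production: Path) -> dict:
    """Files only in production (added), changed in place (modified), or gone (missing).
    Any 'added' or 'modified' entry in a web root deserves a manual look."""
    ref, live = hash_tree(known_good), hash_tree(production)
    return {
        "added": sorted(set(live) - set(ref)),
        "modified": sorted(p for p in ref if p in live and ref[p] != live[p]),
        "missing": sorted(set(ref) - set(live)),
    }


def demo() -> dict:
    """Constructed sample: a clean image and a production copy with one extra,
    generically named file and one edited include. Returns the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        good, prod = Path(tmp) / "image", Path(tmp) / "prod"
        for root in (good, prod):
            (root / "inc").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
            (root / "inc" / "config.php").write_text("<?php $db = 'app'; ?>\n")
        # Simulated tampering of the production copy (constructed, not real malware)
        (prod / "inc" / "uploader.php").write_text("<?php /* unexpected file */ ?>\n")
        (prod / "inc" / "config.php").write_text("<?php $db = 'app'; /* edited */ ?>\n")
        return compare_to_known_good(good, prod)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the known-good image should come from version control or a deployment artifact stored off the web server, so an attacker who edits the live site cannot also edit the baseline.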

Some of the tools mentioned in the advisory are also available on the NSA’s GitHub profile.

While all the free tips and tools included in the joint advisory are excellent, it is preferable and recommended that system administrators patch their systems first, before moving on to hunting for already compromised hosts. The list of commonly exploited server software published by the NSA and ASD is a good place to start patching, as these systems have been heavily targeted in recent months.

The list includes vulnerabilities in popular tools such as Microsoft SharePoint, Microsoft Exchange, Citrix, Atlassian Confluence, WordPress, Zoho ManageEngine, and Adobe ColdFusion.

“This list is not intended to be exhaustive, but it does provide information on some often exploited cases,” the NSA and ASD noted.

“It is recommended that organizations patch internal and internet-facing web applications rapidly to mitigate the risk of ‘n-day’ vulnerabilities.”

