One insidious threat that has garnered attention from cybersecurity professionals worldwide is the web shell. In this comprehensive guide, we will explore what a web shell is, the various types that exist, how they are installed, and real-world examples of web shell attacks. We will also delve into how attackers leverage web shell exploits, the frequency of their use in cyber attacks, detection mechanisms, and, most importantly, strategies to defend against them.
What is a Web Shell?
Web shells are malicious scripts that allow cybercriminals to maintain persistent access to compromised web servers and to execute terminal commands, brute-force passwords, access the file system, and more. Most often, attackers exploit vulnerabilities in the website code or use brute force to deliver the malicious script.
Common types of Web Shells
There are several variations of web shells, written in different languages, each designed to exploit specific vulnerabilities and environments. The most common languages are PHP, Python, Ruby, Perl, ASP, and ASP.NET.
Understanding the types of web shells is key to developing strong detection and mitigation strategies.
PHP Web Shells
PHP is one of the most common scripting languages used in web development, making PHP-based web shells a prevalent threat. These scripts are often uploaded via vulnerable file upload forms and can be executed to perform various tasks such as file management, executing system commands, and modifying server configurations.
ASP and ASP.NET Web Shells
For servers running Microsoft’s Internet Information Services (IIS), web shells written in ASP or ASP.NET are common. Attackers take advantage of misconfigured servers or outdated software to upload these malicious scripts, which then enable them to control the server remotely.
Perl and Python Web Shells
Although less common than PHP or ASP-based shells, Perl and Python web shells can be used in environments where these scripting languages are active. Their presence is usually an indicator of a deeper compromise, as attackers often utilize them for advanced persistence and stealth operations.
Each type of web shell may be used in a web shell attack and can also be classified as web shell malware when bundled with other malicious code. Cybersecurity professionals must remain vigilant in monitoring and detecting any anomalies associated with these tools.
How are Web Shells installed?
A wide range of vulnerabilities are exploited to deliver web shells. The most common ways to infect web servers are:
- SQL injection: an attack vector that uses malicious SQL code to manipulate the backend database and access confidential information.
- Exploiting misconfigured server administration and control features
- Cross-Site Scripting (XSS): manipulates vulnerable websites into serving malicious scripts to their users. When these scripts are executed, they can compromise communication between the user and the web application.
- File processing and upload vulnerabilities: attackers can upload a malicious file that contains a web shell, which is then executed on the server.
- Remote code execution vulnerabilities
- Local and Remote File Inclusion (LFI, RFI) vulnerabilities: arise when a web application allows users to supply files to the server as input. In LFI, the included file is accessed on the local machine, whereas RFI lets the attacker execute malware hosted remotely.
- Vulnerabilities in applications and services
Web shells may also become more complex when they add features such as detection evasion (encryption), a user-friendly interface, and so on. Once a web shell is installed on a web server, it can be used for malicious activities such as stealing sensitive data, launching secondary attacks, and maintaining persistent access to the server.
Real-world example of Web Shell attacks
In early 2021, Microsoft observed a significant spike in web shell attacks targeting Exchange servers. Cyber adversaries exploited zero-day vulnerabilities to upload compact yet powerful malicious scripts, often written in PHP, ASP, or .NET, which provided them with persistent, remote access to the compromised servers. These web shells, sometimes referred to as “China Chopper” due to their lightweight nature, enabled attackers not only to execute system commands but also to install additional malware and pivot deeper into corporate networks.
The attackers leveraged these vulnerabilities to bypass traditional security measures, gaining the ability to read, write, and execute files on the servers through a simple web browser interface. This allowed them to harvest sensitive emails, access critical enterprise data, and maintain a long-term foothold even after initial detection. Microsoft’s blog post highlighted that the sheer ease of authoring and deploying these web shells was a major factor behind their rapid proliferation, emphasizing the urgent need for prompt patch management and continuous security monitoring. This incident served as a wake-up call for organizations to adopt layered defense strategies and robust intrusion detection systems to mitigate such threats effectively.
Web Shell exploits: how attackers leverage them
Once a web shell is successfully deployed, attackers have a powerful tool at their disposal. It enables threat actors to gain access to confidential data. In fact, according to Group-IB’s annual report, sales of corporate access increased by 15%. Here’s how these exploits are typically used:
Command Execution and File Manipulation
With a web shell, cyber attackers can execute arbitrary commands on the server. This capability enables them to create, modify, and delete files at will. It can also facilitate the installation of additional malware, turning the server into a launching pad for further attacks.
Data Exfiltration
Attackers can use a web shell to extract sensitive data from compromised systems. This process often involves compressing and encrypting data before transmitting it to external servers, making it difficult for defenders to detect the breach in progress.
Lateral Movement
A particularly dangerous aspect of web shell attack scenarios is lateral movement. Once inside a network, attackers can use the access gained via the web shell to pivot to other critical systems. This tactic is a hallmark of sophisticated adversaries who aim to compromise entire networks rather than a single endpoint.
Persistence and Backdoor Installation
Persistence is a key goal for attackers. A web shell often acts as a permanent backdoor, allowing attackers to re-enter the system even after the initial vulnerabilities are patched. This is why implementing an effective anti-web-shell strategy is critical to long-term network security.
For a broader perspective on these exploit strategies and related defensive tactics, see our article on cloud security solutions.
How often are web shells used in cyber attacks?
Web shells are one of the most efficient ways to mount a cyber attack, which is why they are so commonly used. In recent years, web shells have been among the most frequently detected types of malware.
Cybercriminals do not need supplementary programs to execute a web shell attack.
To deploy an attack, the threat actor needs to find a target system that contains vulnerabilities. Once a web shell is installed, attackers can use it to perform a variety of malicious activities, escalate their privileges on the target system, and maintain persistent access to the server even if the initial vulnerability that allowed them to install the web shell is patched.
Web shells are often used in conjunction with other attack techniques, such as phishing, to gain initial access to a target system. Once access is gained, the web shell can serve as a central point from which to issue commands to hosts located inside the network. It can also be used as a command-and-control server for botnets or other networks.
Cybercriminals use web shells for various attack scenarios:
- Exfiltrating and collecting sensitive data and credentials
- Installing malware that could create a path for further infection
- Defacing websites
- Redirecting traffic to advertising materials
- Placing links to third-party resources on compromised websites, for SEO or other purposes, in exchange for payment
- Using scripts for crypto mining on the devices of users visiting the website, or on the hosting server itself
- Redirecting users to exploit kits in order to infect their computers
- Injecting JavaScript sniffers (JS sniffers) into a payment gateway in order to collect any payment information that the user enters
How are web shells detected?
Web shells are difficult to detect because they can be hidden inside otherwise normal files (media files, videos, audio files, etc.) that become malicious only when executed on request from a web browser. Finding a web shell after an attack is easier than preventing one beforehand, and it is mainly done through:
- File and network analysis: web shells are typically uploaded to the server as files. By monitoring file uploads and changes on the server, security teams can detect the presence of web shells. Similarly, network monitoring can detect web shell activity by analyzing network traffic for anomalous behavior, such as suspicious external connections and frequent requests.
- Log analysis: web server logs can provide information about web shell activity that helps detect and shut down network intrusions. Web server logs can help identify the IP addresses used to access the server and the commands executed by the attacker, and provide trails about the attacker’s TTPs and motivations.
- Automated content analysis: an automated system looks at the contents of newly uploaded or changed files and checks whether they match known web shells. This works for known web shells but not for custom ones.
- Pattern matching: this technique scans for code fragments that match patterns familiar from known web shells. However, it is not very effective on its own, as cybercriminals are aware of the technique and can evade it by producing more complex or obfuscated code.
- Endpoint Detection and Response (EDR): web shells cause the web server to exhibit behavioral anomalies. EDR can help detect web shells based on anomalies in system calls and process lineage.
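As an added illustration of the log analysis point above (example code written for this article, not part of any Group-IB product), the following Python script parses combined-format web server log lines and flags requests that trip more than one web-shell heuristic: a server-side script served from an upload directory, a POST with no referer, and a non-browser user agent. The log lines, directory names and threshold are constructed assumptions.

```python
import re

# Constructed sample access-log lines (Apache/nginx combined format); not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:14:02:13 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:14:05:01 +0000] "POST /uploads/img_2291.php HTTP/1.1" 200 311 "-" "python-requests/2.25.1"
198.51.100.7 - - [10/Mar/2021:14:05:04 +0000] "POST /uploads/img_2291.php HTTP/1.1" 200 6144 "-" "python-requests/2.25.1"
198.51.100.7 - - [10/Mar/2021:14:05:09 +0000] "GET /uploads/img_2291.php HTTP/1.1" 200 60 "-" "python-requests/2.25.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp")
# Directories that should only ever hold static user content (assumed site layout).
UPLOAD_DIRS = ("/uploads/", "/images/", "/media/", "/files/")

def score_request(rec):
    """Return the list of heuristics a parsed request trips; more reasons = more suspicious."""
    path = rec["url"].split("?", 1)[0].lower()
    reasons = []
    if path.endswith(SCRIPT_EXT) and path.startswith(UPLOAD_DIRS):
        reasons.append("server-side script inside an upload/static directory")
    if rec["method"] == "POST" and rec["referer"] in ("", "-"):
        reasons.append("POST with no referer (not a form submission from the site)")
    if "Mozilla/" not in rec["ua"]:
        reasons.append("non-browser user agent")
    return reasons

def find_suspicious(log_text, threshold=2):
    """Parse combined-format log lines and return those tripping at least `threshold` heuristics."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = m.groupdict()
        reasons = score_request(rec)
        if len(reasons) >= threshold:
            hits.append({"ip": rec["ip"], "url": rec["url"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ip"], hit["url"], "->", "; ".join(hit["reasons"]))
```

Run against the constructed sample, the two browser requests pass and the three direct requests to the script in /uploads/ are flagged, each with the reasons that tripped; in practice the same heuristics are cheap to run as a scheduled job over rotated logs.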
How to defend against web shell attacks?
Here are a few concrete mitigation recommendations by our cybersecurity experts:
- Regularly update applications and the host server’s operating system so that known bugs are patched
- Deploy a demilitarized zone (DMZ) between web-facing servers and the internal network
- Securely configure the web server
- Close or block ports and services that are not used
- Validate user input to limit local and remote file inclusion vulnerabilities
- Use a reverse proxy service to restrict administrative URLs to known legitimate ones
- Run frequent vulnerability scans to identify areas of risk, and conduct regular scans with web security software (this does not prevent zero-day attacks)
- Deploy a firewall
- Disable directory browsing
- Avoid the use of default passwords
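As an added example (written for this article, not code from the original or from any Group-IB product), here is a Python upload handler that applies the input-validation advice above to the file upload vector described earlier: it validates the file independently of the client-supplied name and content type, rejects double extensions, and stores files under a random server-chosen name in a directory assumed to be outside the web root. The allowed types, size limit and directory layout are assumptions.

```python
import os
import pathlib
import secrets

# Allowed types, keyed by extension, with the magic bytes each file must start with
# (constructed policy for this example; widen only to what the application truly needs).
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message says why."""

def validate_upload(filename: str, data: bytes, max_bytes: int = 2_000_000) -> str:
    """Return the normalised extension of an acceptable upload, or raise UploadRejected.

    Every check works on the bytes and the basename only; the client-supplied
    Content-Type header is never consulted because the attacker controls it.
    """
    if not data or len(data) > max_bytes:
        raise UploadRejected("empty or oversized file")
    # Keep only the basename so '../' segments cannot point outside the store.
    base = os.path.basename(filename.replace("\\", "/"))
    # Exactly one dot and no NUL byte: rejects double extensions such as 'shell.php.png'
    # and truncation tricks, both of which some server configurations still hand to PHP.
    if base.count(".") != 1 or base.startswith(".") or base.endswith(".") or "\x00" in base:
        raise UploadRejected("exactly one plain file extension is required")
    ext = "." + base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("file content does not match its extension")
    return ext

def store_upload(filename: str, data: bytes, store_dir: str) -> str:
    """Validate, then write under a random server-chosen name; returns the stored path.

    store_dir is assumed to live outside the web root and to be served only through a
    download handler that sends files as attachments, never through the script engine.
    """
    ext = validate_upload(filename, data)
    target = pathlib.Path(store_dir) / (secrets.token_hex(16) + ext)
    target.write_bytes(data)
    return str(target)
```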
Overall, detecting and mitigating web shell attacks requires a comprehensive approach that includes network monitoring, behavioral analysis, and threat intelligence. Cyber threat intelligence helps organizations with information on previously-known web shells and their characteristics. This can guide the teams to track web shells and curb damage.
Group-IB’s Threat Intelligence solution is able to track and hunt for hundreds of web shells, including popular public ones and highly sophisticated private ones belonging to Advanced Persistent Threat (APT) groups. Once a web shell is discovered in the client’s network, the system immediately informs the client and provides all the required information on how to mitigate, remove and respond to the threat. Learn how you can enable Group-IB’s proprietary Threat Intelligence to protect your business against web shell attacks.
