In other respects it is the malware equivalent of PHPShell itself. C99 is often one of the utility programs that is either uploaded once a web server has been found vulnerable through misconfiguration, or used in a remote file include attack to try to execute shell commands on a vulnerable server.
Web shells are an overlooked aspect of cyber crime and do not attract the level of attention of either phishing or malware. Nevertheless, Netcraft found more than 6,000 web shells during April 2017, which works out at around 1 new shell installation every 5 minutes. When web shells first appeared, the limit of their functionality was to transfer files and execute arbitrary shell commands. However, the best engineered web shells now provide well presented, sophisticated toolkits for diverse crimes, with facilities for password cracking, privilege elevation, network reconnaissance, phishing, spamming and DDoS, not solely available through a web based user interface but also accepting commands as part of a botnet.
An example of the hugely popular and feature-rich WSO (Web Shell by Orb) shell.
A number of shells offer the creation of a botnet in as little as a click, launching standalone processes that either connect to a command and control server or listen for commands over an insecure TCP connection. Some allow performing port scans to find potentially exploitable services. Others enable fraudsters to schedule denial of service attacks. There are shells dedicated to sending bulk spam emails, testing stolen credentials against popular websites (such as PayPal or Amazon), cracking passwords, and automatically defacing websites. With such a wide array of powerful features, it is unsurprising how popular web shells are with cyber criminals.
WSO offers both bind shell and back connect options. Selecting one of these options will launch a standalone process that will connect to or listen for a connection from a remote command and control server - an easy method for the creation of a botnet.
The prevalence of these backdoors allows easy—and potentially persistent—access to thousands of compromised machines. If the web shell is missed during the webmaster's cleanup after an attack, removing the original phishing or malware content will be in vain, as the fraudster can use the web shell to upload new malicious material, or re-purpose the machine as an accessory to alternative forms of cyber crime.
This shell allows a fraudster to port scan arbitrary hosts anonymously.
A web shell dedicated to sending spam emails in bulk.
Shell Detection Statistics
Phishing sites and web shells often go hand-in-hand. During April 2017, we detected that approximately 10% of IP addresses hosting phishing attacks were also home to web shells. This pairing is unsurprising, as many web shells give fraudsters an easy to use, all-in-one solution to deploy and spread their attacks. Some brands commonly targeted by phishing sites have significantly higher exposure to web shells than average, such as:
| Organisation | Phishing Sites with Web Shells |
|---|---|
| SunTrust Bank | 41% |
| OurTime | 39% |
| Navy Federal Credit Union | 38% |
| USAA | 35% |
| NetEase | 33% |
| Alibaba | 31% |
| DHL | 31% |
| Bank of America | 30% |
| British Telecom | 30% |
| NatWest | 30% |
| Capital One | 29% |
| Bank of Montreal | 28% |
| Wells Fargo | 27% |
| Yahoo | 25% |
| Chase Bank | 25% |
| Average (Large Brands) | 18% |
The variation in web shell usage according to the targeted organisation highlights the diversity of fraudsters and their preferred targets and methods. Netcraft has seen a number of web shells bundled as part of phishing kits, meaning that certain phishing campaigns will automatically include a web shell hidden alongside the phishing content. These organisations with the highest exposure to web shells should be particularly worried, as any anti-phishing efforts could be rendered ineffectual by persistent reinfections enabled by web shells.
Geographically, the number of web shells tends to follow the size of the web hosting market in any given country. Looking at all the web shells found by Netcraft in April, 49% of infected servers were located in the USA, putting it firmly into first place. Trailing behind at a distant second is Germany, responsible for just under 5% of affected IP addresses.
Website owners should be wary of using hosting companies with web shell infestations on their networks. With web shells being used to send spam and participate in DoS attacks, service quality can be affected as shared infrastructure has to handle the additional load. Compromised servers distributing malware and spam can lead to IP addresses being blacklisted, preventing legitimate emails from being delivered even after the malicious activity has been stopped. Netcraft looked at the hosting companies most responsible for hosting web shells, by counting the number of unique IP addresses with at least one web shell detection in April as a percentage of the total infected IP addresses seen – the top 10 are listed in the table below:
| Rank | Hosting Company | Proportion of All Web Shell IPs |
|---|---|---|
| 1 | Endurance International Group | 6.50% |
| 2 | GoDaddy | 6.09% |
| 3 | OVH | 3.96% |
| 4 | Hostinger | 3.12% |
| 5 | Hetzner Online | 2.09% |
| 6 | Amazon | 1.86% |
| 7 | Athenix | 1.52% |
| 8 | DigitalOcean | 1.37% |
| 9 | InMotion Hosting | 1.33% |
| 10= | Host Europe Group | 1.18% |
| 10= | LiquidWeb | 1.18% |
Protecting Shells
The criminal must defend his web shell against both the webmaster and other fraudsters seeking to usurp his position on the compromised machine. To this end, many shells offer password protection. Passwords are usually hardcoded within the script, and are used without an accompanying username or email identifier.
The reality of this threat is evident when considering the existence of web shells offering ‘shell finders’ – these perform automated scans of websites, probing a long list of potential web shell file paths. The list of paths covers common shell names and directories, as well as paths used by commonly exploited web applications and plugins. Some shells perform this scan against a remote host, while others augment a search of the local filesystem with an overwrite option – allowing a fraudster to lock out others by overwriting their shells with a copy of their own.
The R57 Shell offers tools to probe the compromised server for other web shell installations, with the option to remove or overwrite them.
Unbeknownst to some fraudsters, these web shells sometimes contain backdoors of their own. Some allow bypass of access controls on the web interface, regardless of changes to the password. Others will automatically attempt to 'phone home', notifying the original shell authors of new installations, which are then absorbed into larger botnets. With the trend of remixing (or “recoding”) and rebranding web shells, there are many opportunities for web shell authors to introduce their own backdoors into entire families of related scripts.
Avoiding Detection
Web shell authors try a variety of tricks to avoid detection by other fraudsters, the webmaster himself, and by security companies like Netcraft. A particularly common ploy is that of fake error pages, used by some variants of the C99 web shell. These shells attempt to recreate the default Apache error pages, usually 404 Not Found or 403 Forbidden.
When viewed in a web browser, these fake pages can easily be mistaken for legitimate error messages. However, when compared side-by-side, discrepancies can be found by looking for incorrect or omitted version numbers, hostnames, URLs, and HTML titles. These fake error pages also contain hidden password fields, which provide access to the web shell: some variants simply set the background and border colours to match the page background, while others add JavaScript that reveals the password form when the port number is clicked.
Some shells disguise themselves as default Apache error pages. In this example, there is a password input centered on the page, made invisible by CSS. Typing characters into the input reveals its location.
Another notable method for avoiding detection is prefixing the web shell scripts with small excerpts of image file headers – most commonly those from the GIF89a specification. When processed by the PHP interpreter, these bytes are ignored and passed through to the web browser, displaying the text “GIF89a”. Automated tools such as the open-source utility `file` use these magic bytes as a fingerprint to identify the file type, mistaking the malicious PHP script for an image.
The source code of this web shell is prefixed with GIF image file headers, to mask its identity. The `file` utility mistakenly identifies the script as a GIF image. With purported dimensions of 16,129 by 16,129 pixels, this image would require 250GB of memory to open!
Fraudsters also attempt to disguise web shell scripts in directory listings by using filenames that could easily be mistaken for legitimate files. For example, Netcraft found a large number of shells masquerading as a WordPress configuration file, wp-config.php. Some shells use this filename verbatim, whilst others will make minor alterations (e.g. wp-configs.php) and hide themselves amongst legitimate WordPress files. By naming shells in this way, it is easy for webmasters to miss these files when examining their servers after compromise.
These countermeasures could mean that phishing or malware attacks may soon resurface, thus it is vital that organisations looking to remove such fraudulent content also seek to remove the web shells that enable it, and fix whatever vulnerabilities allowed the shells to be there in the first place.
How to Protect Yourself?
The onus is on hosting providers, system administrators, and webmasters to ensure that their servers are secured against vulnerabilities that may allow attackers to upload shells to their systems. They should also be on the lookout for unexpected modifications to their web root, paying close attention to popular software packages such as WordPress, where shell scripts are easily disguised amongst benign files.
Hosting providers can receive an alerting service from Netcraft which will notify them whenever phishing, malware, or web shells are detected on their infrastructure. Organisations targeted by high volume phishing administered via web shells may trial Netcraft's Countermeasures service.
Web Shell PHP Exploit
Table of Contents
- Web Shell PHP Exploit
- What is a PHP web shell?
- How Web Shell Exploits Are Used By Attackers?
- Web Shell Examples
- How to find a Web shell PHP backdoor on server?
WordPress is by far the most popular CMS (Content Management System). This popularity is due in particular to the great personalisation offered by themes and extensions. That same customisability is also a door left open for backdoors.
What is a Backdoor?
Backdoors are pieces of code or mechanisms specifically designed to provide a subsequent access point to a site (or system). When malicious code is executed on a system, it can open “doors” that ease the hacker's return and bypass the usual authentication. These open “doors” can take very different forms depending on the system or site targeted:
- It can be the opening of network ports on a server, to connect to it later.
- This may be authorized access only through a specific link.
- It can be a backdoor shell offering a variety of tools to take control of a remote machine.
- It can be a default password providing given privileges.
- It can be a hidden decryption key to decrypt normally confidential communications.
- etc.
In the case of a WordPress backdoor hack, it is possible for an attacker to log in as an administrator, and also to edit, delete or add articles on the fly, remotely of course.
What is a PHP web shell?
A web shell can be written in any language supported by the target web server. The most commonly observed web shells are written in widely supported languages, such as PHP and ASP. Perl, Python, Ruby, and Unix shell scripts are also used.
“A web shell itself cannot attack or exploit a remote vulnerability, so it is always the second step of an attack.” – [us-cert.gov alert TA15-314A]
Using network discovery tools, an adversary can identify vulnerabilities that can be exploited and result in the installation of a web shell. For example, these vulnerabilities may exist in content management systems (CMS) or Web server software.
Once the upload is successful, an adversary can use the web shell to run further post-exploitation techniques to escalate privileges and issue commands remotely.
These commands are limited by the privileges and features available to the web server and may include the ability to add, execute and delete files, as well as to run shell commands and additional executable scripts.
How Web Shell Exploits Are Used By Attackers?
Web shells are frequently used in compromises because of the combination of remote access and functionality they provide.
Even simple web shells can have a huge impact while maintaining a minimal footprint.
To Gain Persistent Remote Access To Control Server
A web shell exploit usually contains a backdoor that allows an attacker to remotely access and possibly control a server at any time. This would prevent the attacker from having to exploit a vulnerability whenever access to the compromised server is required.
An attacker can also choose to repair the vulnerability themselves, to ensure that no one else exploits this vulnerability. In this way, the attacker can keep a low profile and avoid any interaction with an administrator, while obtaining the same result.
It should also be noted that many popular Web shells use password authentication and other techniques to ensure that only the attacker downloading the web shell has access to it.
These techniques include locking the script on a custom HTTP header, specific IP addresses, specific cookie values, or a combination of these techniques.
Most web shells also contain code to identify and prevent search engines from listing the shell and, therefore, blacklisting the domain or server hosting the web application.
To Execute Privilege Escalation
Unless a server is misconfigured, the web shell will run under the Web server’s user permissions, which are (or at least should be) limited.
Using a web shell, an attacker can attempt to perform elevation of privilege attacks by exploiting local system vulnerabilities to assume root privileges, which under Linux and other UNIX-based operating systems is the “superuser”.
With access to the root account, the attacker can essentially do everything on the system, including changing WordPress file and folder permissions, installing software, adding and removing users, stealing passwords, reading e-mails, etc.
To Setup Zombie Botnet For DDOS attacks
Another use of web shells is to integrate servers into a botnet. A botnet is a network of compromised systems that an attacker controls, either for their own use or to rent out to other criminals. The web shell or backdoor connects to a command and control (C&C) server, from which it receives the commands to be executed.
This configuration is commonly used in distributed denial of service (DDoS) attacks, which require significant bandwidth. In this case, the attacker has no interest in harming or stealing anything from the system on which the web shell was deployed. Instead, they simply use its resources whenever necessary.
Although a web shell is not normally used to carry out a WordPress DDoS attack directly, it can serve as a platform for downloading other tools, including DoS tooling.
Common Tactics Used to Execute Web Shell PHP Exploit
Web shells can be delivered through a number of Web application exploits or configuration weaknesses, including:
- SQL injection;
- cross-site scripting (XSS);
- vulnerabilities in WordPress plugins, themes and related services;
- file handling vulnerabilities in WordPress (for example, weak upload filtering or overly permissive file permissions);
- remote file inclusion (RFI) and local file inclusion (LFI) vulnerabilities;
- exposed administration interfaces (likely places to find the vulnerabilities mentioned above).
The tactics above are regularly combined. For example, an exposed administration interface still requires a file upload option, or one of the other exploitation methods mentioned above, before a shell can be delivered successfully.
Web Shell Examples
Adversaries frequently choose web shells such as China Chopper, WSO, C99 and B374K. However, these are only a small sample of the web shells in use.
- China Chopper – A small web shell packed with features. Has several command and control features, including a password brute-force capability.
- WSO – Stands for “Web Shell by Orb” and can pose as an error page containing a hidden login form.
- C99 – A version of the WSO shell with additional features. Can display the server's security measures and contains a self-deletion feature.
- B374K – A PHP-based web shell with common features such as process viewing and command execution.
A longer list of web shells is available on GitHub: https://github.com/Wphackedhelp/php-webshells
A collection of PHP backdoor web shells: https://github.com/Wphackedhelp/PHP-backdoors
What is “special” about WSO?
WSO is a favorite hacker web shell because of its particularly powerful features.
- Password protection
- Server information disclosure
- File management features such as uploading, downloading or editing files, creating directories, browsing directories and searching for text in files
- Command Line Console
- Database Administration
- Running PHP code
- Encoding and decoding of text input
- Brute-force attacks against FTP or database servers
- Installing a Perl script to act as a more direct backdoor on the server
Once installed on a website, web shells are notoriously difficult to remove, largely because hackers often place multiple copies of a web shell on one site in an attempt to retain access even if some of their malicious files are removed.
A web shell is a type of malicious file that is uploaded to a web server. Potential infection methods include SQL injection or the inclusion of remote files through vulnerable Web applications. Web shells typically contain a Remote Access Tool (RAT), or backdoor functionality, which allows attackers to retrieve information about the infected host and forward commands to the primary server through HTTP requests.
STUNSHELL Web Shell
This module uses unauthenticated versions of the “STUNSHELL” web shell. This module works when safe mode is disabled on the Web server. This shell is widely used in automated RFI payloads.
Module name: exploit/multi/http/stunshell_exec
References: OSVDB-91842
Snapshot of a PHP web shell with the following capabilities [Source – secured.org, a-php-web-shell-sold-in-dark-forums]:
- Authorisation via cookies.
- Encryption of your password immediately upon downloading.
- File manager:
  - group deleting, moving, copying, jumping to, and downloading files and directories;
  - renaming and creating files and directories;
  - editing, viewing and changing file attributes;
  - searching for files and directories, and for text in files.
How to find a Web shell PHP backdoor on server?
To keep access to your web server, hackers sometimes install a backdoor (PHP web shell) designed to let them regain the same entry after you have cleaned the site and fixed the security hole that allowed the hack, and to circumvent any measures you put in place to lock out future attempts and improve the security of the site.
A backdoor script can be called from a browser just like any other web page. It gives the hacker a web interface to upload, download, view or modify files, create directories, and otherwise manage the site, using PHP's ability to read and write files and to run system commands through the operating system.
Backdoors can be hard to find because they are usually hidden in files that are already part of the site, or uploaded as new files with innocent names, most often placed in a directory with many files.
Ways To Detect Web Shell Exploits
There are a couple of ways of doing Web Shell Detection.
One approach is to have an automated system look at the contents of newly uploaded or changed files and see if they match a known web shell, just as antivirus software does with other forms of malware. You can use our WordPress security scanner here.
Another way is to use pattern matching to look for code fragments (down to the level of individual function calls) that are commonly malicious, such as calls out to the system to manipulate files or open connections.
Web Shell Detection by searching files with grep or findstr commands
Backdoor scripts usually need PHP functions that legitimate site code rarely uses, so you can search the files on your server for those function names. Search programs exist for this; the two named above, grep (Linux) and findstr (Windows), are run from a command line (prompt), and therefore without a GUI.
Tips To Prevent Web Shell Upload Vulnerabilities in PHP
To prevent web shell upload vulnerabilities, search your application code for calls to move_uploaded_file() and strengthen each piece of code that uses that function. I recommend creating a spreadsheet that enumerates all code that can be used to upload files in the application, to keep track of the application hardening process.
The following defences can be used to defend against web shell upload vulnerabilities:
- require authentication to upload files
- store uploaded files in a location not accessible from the web
- don’t eval or include uploaded data
- scramble uploaded file names and extensions,
- define valid types of files that the users should be allowed to upload.
Installing a web shell is typically done through web application vulnerabilities or configuration weaknesses, so identifying and closing these vulnerabilities is crucial to avoid a compromise. The following suggestions cover good general security and web shell-specific practices:
- Apply regular updates to applications and the host operating system to protect against known vulnerabilities.
- Reduce adversaries' ability to elevate their privileges.
- Control the creation and execution of files in particular directories.
- Use a reverse proxy or alternative service, such as mod_security, to limit the URL paths accessible to known legitimate addresses.
- Establish and keep offline a “known good” copy of the affected server, and a regular change management policy to monitor changes to server content.
- Use user input validation to limit local and remote file inclusion vulnerabilities.
- Perform regular vulnerability scans of systems and applications to determine areas of risk.
- Deploy a web application firewall and perform regular virus signature checks.
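The upload checklist above (authentication, a storage location outside the web root, no eval or include of uploaded data, scrambled names, an allowlist of file types) as working code, added here and not taken from the article; it is written in Python rather than PHP so it runs stand-alone, and the allowlist, PHP marker list and temporary upload directory are assumptions for the demo.

```python
"""Upload hardening that follows the checklist above (added example, not the
page's code; Python rather than PHP so it runs stand-alone). The allowlist,
the marker list and the temporary upload directory are assumptions."""
import os
import secrets
import tempfile

# Allowed extension -> magic bytes the content must really start with.
ALLOWED_TYPES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
# PHP open tags; an image that carries one is the polyglot trick described earlier.
PHP_MARKERS = (b"<?php", b"<?=", b"<script language=\"php\"")


class UploadRejected(ValueError):
    """Raised when an upload fails any check; the caller returns an error page."""


def store_upload(original_name: str, data: bytes, upload_dir: str, authenticated: bool) -> str:
    """Validate and store one upload; returns the stored path or raises UploadRejected.

    upload_dir must lie outside the document root and be served only through a
    download script, so nothing written here is ever included or executed.
    """
    if not authenticated:
        raise UploadRejected("uploads require an authenticated user")
    ext = os.path.splitext(original_name)[1].lstrip(".").lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not on the allowlist")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")
    if any(marker in data for marker in PHP_MARKERS):
        raise UploadRejected("upload contains PHP code")
    # Scrambled name: the client's filename never reaches the filesystem, and the
    # extension comes from the allowlist lookup, not from the request.
    path = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    with open(path, "xb") as fh:  # exclusive create: never overwrite an existing file
        fh.write(data)
    os.chmod(path, 0o640)  # readable data, never executable
    return path


def demo() -> dict[str, str]:
    """Run the checks over constructed inputs; returns the outcome per sample."""
    upload_dir = tempfile.mkdtemp()  # stands in for a directory outside the web root
    samples = {
        "avatar.gif": (b"GIF89a\x10\x00\x10\x00\x80\x00\x00", True),
        "shell.php": (b"<?php phpinfo(); ?>", True),
        "polyglot.gif": (b"GIF89a<?php phpinfo(); ?>", True),
        "mismatch.png": (b"GIF89a\x10\x00\x10\x00", True),
        "anon.gif": (b"GIF89a\x10\x00\x10\x00", False),
    }
    outcome = {}
    for name, (data, auth) in samples.items():
        try:
            store_upload(name, data, upload_dir, auth)
            outcome[name] = "stored"
        except UploadRejected as exc:
            outcome[name] = f"rejected: {exc}"
    return outcome
```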
Note: Manual removal requires a high level of skill, as it is a difficult and risky process. If you are not sure where the malicious files are hiding, an automated website scanner such as WP Hacked Help can save time and hassle.