When attacking web applications, attackers will usually attempt to find vulnerable accounts or identify vulnerabilities that can be exploited on a targeted web server. To protect themselves, security administrators will usually patch servers and attempt to remediate any identified vulnerabilities and accounts. When these vulnerabilities are resolved, attackers will usually change their targets, search for new vulnerabilities, or attempt to re-exploit vulnerable account information. For the attacker, this requires much time and effort. Because of this, attackers will often install backdoors called “webshells” in order to maintain their control of compromised servers. Once this backdoor is set up, attackers can steal information from these servers at any time, as well as use the servers as stepping-stones to attack other targets within the same environment. Webshells have been used for a long time, and companies have typically relied on signature-based anti-virus to defend themselves. However, in recent years webshells have used obfuscated code to evade signature-based detection, making them increasingly difficult to detect. Due to this trend, anti-virus vendors have prioritized protection against ransomware and other common malware over webshells.
Webshell detection software has typically been very resource intensive. This is problematic because performance is key on servers hosting critical web applications. Over the years there have also been countless variants of webshells, rendering signature-based detection ineffective. Regardless, once a webshell backdoor has been set up, the damage can be catastrophic: a compromised server could easily be infected with additional viruses, data and confidential information could be leaked, and compromised servers could be used as a stepping-stone to attack other servers. Thus, in order to protect companies from data leakage and to preserve confidence in the company brand, the developers of AntiShell have been trying to find a way to detect webshells without relying on conventional signature-based detection. AntiShell is a unique program that can detect webshells and generate real-time reports: it is the “Webshell hunter”.
AntiShell Web Shell Hunter
Webshells are shell programs that run on web servers and can be written in various languages (PHP, Perl, Python). Once installed, they function as backdoors, allowing arbitrary execution of OS commands and leading to leakage of information or shutdown of critical web services. These backdoors can also lead to the introduction of additional malware such as ransomware, distribution of viruses to end users, and use of the server as a stepping-stone to attack other servers. Recently, webshells have even evolved to hide themselves and are known to contain self-removal functionality along with other features.
| General functions of webshells | Summary |
|---|---|
| Collection of server information | Ability to collect server information (CPU type, installed memory size, hard disk capacity, OS type), installed software versions (Apache and PHP versions), running process information, etc. |
| File operations | Ability to upload, download, delete and change the contents of files. In some cases, webshells even feature the ability to modify files through a simple editing interface. |
| OS command execution | Webshells feature the ability to execute OS-level commands through a simple web management page, mimicking terminal console access. |
| Database connection | A web interface that connects to the database hosted on the infected server. Can also connect to databases hosted on other servers on the same network. |
| FTP connection | A web interface that connects to the FTP service hosted on the infected server, and to other FTP servers on the same network. |
| Brute-force attacks against other hosts | The ability to brute-force public services hosted on other servers (SSH, TELNET, etc.). |
| String manipulation tool | A function used for URL encoding/decoding, BASE64 encoding/decoding, and generation of MD5 and SHA1 hash strings, etc. |
| Self-removal functionality | Ability for the webshell to delete itself as required. |
Webshells typically feature the ability to manage sessions. When an unauthorized user tries to access the webshell, access to its main functions is generally restricted. The webshell may send harmless content to the requesting User-Agent (e.g. web crawlers) or present a "404 Not Found" to any unauthorized user. Webshells are typically designed to respond and execute commands only when specific request parameters are present, which increases the difficulty of webshell detection. Attackers may also design their own webshells, or existing webshells may be obfuscated to evade detection.
Webshell detection is difficult because webshells can be written in many languages and further obfuscated or modified by attackers. AntiShell is able to detect webshells regardless of language. It is designed to uncompress all files in a specified directory and examine them line by line. It supports numerous file types, such as php, asp, Perl, Python, java, txt, image files, etc. When AntiShell discovers dangerous code, it reports it to the AntiShell master server, ranks it by risk level, and notifies administrators on the AntiShell administration page.
Because the AntiShell scanning system uses “differential checking”, it will not scan the same file again as long as the file has not changed. This saves time and performance resources on the server side. When AntiShell detects an unknown webshell on a server, it immediately reports its detailed findings to the master server; the same happens when unknown webshells are detected on servers elsewhere. The information is automatically sent to the master server hosted in the cloud and is immediately shared with all AntiShell agents.
Since files are checked line by line, large files may take some time to complete scanning.
* Additional file scans will only be performed when files are changed. Administrators can additionally set a schedule to perform scans in advance through the AntiShell management interface. When scanning is complete, email notifications are automatically sent to administrators. Scans can be set daily, weekly, or monthly at specified times as required.
| Level | Manage server hosts | Manage administrators | Scan execution | Viewing reports | Support |
|---|---|---|---|---|---|
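To make the line-by-line, differential scan described above concrete, here is an added example written for this page; it is not AntiShell's code, and AntiShell's own judgement logic is not published. It assumes (none of this is stated on the page) that the differential check is a per-file SHA-256 digest kept between runs, that the indicator list and risk thresholds are a small hypothetical set, and that archives are read as plain files rather than unpacked. The sample tree it scans is constructed inside the script.

```python
"""Differential, line-by-line scan of a directory tree for webshell indicators.

Added example for this page, not AntiShell's code. Assumptions (not from the
page): the differential check is a per-file SHA-256 digest kept between runs,
the INDICATORS list and the risk thresholds are hypothetical, and archives are
read as plain files rather than unpacked.
"""
import hashlib
import os
import re
import tempfile

# Hypothetical indicators as (compiled pattern, weight). A production rule set
# is far larger; these only show how a line-by-line textual scan works.
INDICATORS = [
    (re.compile(r"\beval\s*\("), 3),
    (re.compile(r"\b(?:system|shell_exec|passthru|popen)\s*\("), 3),
    (re.compile(r"\bbase64_decode\s*\("), 2),
    (re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b"), 1),
]


def risk_level(score):
    """Map a summed indicator weight to a hypothetical risk level."""
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low" if score > 0 else "none"


def file_digest(path):
    """SHA-256 of the file content, read in chunks so large files stay cheap on memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path):
    """Read one file line by line; return (score, [(line_no, line_text), ...])."""
    score, hits = 0, []
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        for no, line in enumerate(f, 1):
            weight = sum(w for pat, w in INDICATORS if pat.search(line))
            if weight:
                score += weight
                hits.append((no, line.rstrip("\n")))
    return score, hits


def scan_tree(root, cache):
    """Scan every file under root, skipping files whose digest matches the cache.

    cache maps path -> digest from the previous run and is updated in place.
    Returns (findings, scanned): findings maps path -> (level, score, hits) for
    files with at least one hit; scanned counts files actually read line by line.
    """
    findings, scanned = {}, 0
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            digest = file_digest(path)
            if cache.get(path) == digest:
                continue  # unchanged since the last run: no line-by-line read
            cache[path] = digest
            scanned += 1
            score, hits = scan_file(path)
            if score:
                findings[path] = (risk_level(score), score, hits)
    return findings, scanned


def demo():
    """Constructed tree: one benign page and one suspicious file in an image folder.

    Runs three scans: the first reads both files, the second reads none
    (nothing changed), the third reads only the benign file after it is edited.
    Returns the per-run (findings, scanned) tuples.
    """
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "img"))
    benign = os.path.join(root, "index.php")
    suspect = os.path.join(root, "img", "cache.php")
    with open(benign, "w") as f:
        f.write("<?php\necho 'hello';\n")
    with open(suspect, "w") as f:  # constructed detection sample, not real malware
        f.write("<?php\neval(base64_decode($_POST['k']));\n")
    cache = {}
    run1 = scan_tree(root, cache)
    run2 = scan_tree(root, cache)
    with open(benign, "a") as f:
        f.write("echo 'footer';\n")
    run3 = scan_tree(root, cache)
    return run1, run2, run3


if __name__ == "__main__":
    for i, (findings, scanned) in enumerate(demo(), 1):
        print(f"run {i}: {scanned} file(s) read")
        for path, (level, score, hits) in findings.items():
            print(f"  {level} ({score}) {path}")
            for no, text in hits:
                print(f"    line {no}: {text}")
```

The cache is what makes the second run free: a digest compare costs one sequential read per file and no pattern matching, and only files whose digest changed are read line by line again. In a real deployment the cache would be persisted between runs, and a file that was flagged earlier should keep its earlier finding until it changes, since an unchanged file is deliberately not re-examined.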
Users and privileges can easily be managed on the administration page. Each user can be assigned access privileges on the console based on role. For example, Management level users would be able to view reports but unable to manage (add/remove) agent hosts. In any case, when a webshell is detected, we will provide support in handling the incident.
AntiShell is a specialized service for webshell detection and is the only product focusing exclusively on this space. Vendors may provide webshell detection as an “additional optional service” on top of existing antivirus software. However, these typically rely on signature-based detection, which is limited in effectiveness. These services may also provide detection only, with additional fees required for webshell removal.
On the other hand, AntiShell has the ability to detect and show the files hosting webshell code and provide important and precise information such as date/time of file creation, file ownership and privileges etc. At the same time, this information is reported to our customer center so we can provide full support in handling and investigating the incident.
1) Users with execute privileges on the target folders and files can initiate the scan. Scanning is possible in real time as well as through the scheduler. Scanning is typically executed on each server individually, and a schedule can be set for weekly or monthly scanning. Scans can be applied to entire folder hierarchies.
2) Run the scan on the selected server.
3) After successful completion of the scan, AntiShell uploads the scan results to the management server. Scan results and identified files can also be viewed through the management console. File exceptions can be applied to known good files.
4) While reviewing the scan results, identified files can additionally be submitted for sandbox analysis directly from the management console.
5) Submitted files are analysed in the sandbox. Recommended remediation actions may vary depending on the importance of the submitted file:
Apache configuration files: recommendation to remove the malicious source code from the file and attempt to preserve the file itself.
Highly dangerous files: recommendation to delete the file immediately. Recommended remediation actions and additional contextual information are also provided (paid service).
Because attack patterns and kinds of webshells vary so widely, a signature format cannot cover them.
"How to judge a webshell" is the core part of this system, and parts of it are top secret, so we cannot disclose the details.
Here are some explanations of what AntiShell does.