How Command Injection Webshell Attacks Are a Rising Threat to Networks
Understanding the webshell game How command injection webshell attacks are a rising threat to networks
IBM X-Force® Research
Click here to start ▶ ◀ Previous Next ▶ Contents Executive overview Our focus here is a recent development in the command injection attack arena. According to IBM Web servers and web applications are often a Executive overview Managed Security Services (MSS) data, one of weak point in an organization’s infrastructure, 1 • 2 • 3 the most prolific methods of command injection and malicious actors have always targeted them. exploitation this year has been facilitated by the They still do. The Open Web Application Security PHP webshells: flavor of injection of webshells.2 In fact, IBM MSS data the year Project’s most recent study of web application analyzed between January 1, 2016 and September security risks ranks “injection” at number one on 30, 2016 showed webshell attacks accounting for The many features and its top ten list.1 One such attack type, command more than 20 percent of the command injection varieties of webshells injection, allows attackers to inject shell commands attacks we detected (see Figure 1). into the host operating system running the Focused on content website. They might for instance figure out the management systems directory where an app is installed and run a script in that directory. Mitigation
Protect your enterprise while reducing cost and complexity
About IBM Security About X-Force The IBM X-Force research team studies and monitors the About the author latest threat trends including vulnerabilities, exploits, active attacks, viruses and other malware, spam, phishing, and Appendix A malicious web content. In addition to advising customers and the general public about emerging and critical threats, Appendix B IBM X-Force also delivers security content to help protect IBM customers from these threats. Threat intelligence References content is delivered directly via the IBM X-Force Exchange collaborative platform, available at xforce.ibmcloud.com
2 ◀ Previous Next ▶
Contents Webshell attacks as a percentage of There’s nothing inherently malicious about a command injection attacks webshell, which is a script that can be uploaded Executive overview to a web server to enable remote administration 1 • 2 • 3 Webshell 21% Command of the machine. They are useful for system or injection 79% web administrators who want to perform remote PHP webshells: flavor of management without having to employ an the year application such as cPanel or Plesk, two of the most popular commercial web administration The many features and 3 varieties of webshells tools. In the hands of an attacker, however, they become a cyber threat. Focused on content management systems Our analysis shows an increase in webshell attacks this year, most notably in Q2 and the beginning Mitigation of Q3 (see Figure 2), and we expect to see that Figure 1. Webshell attacks as a percentage of command trend continue in 2017. Almost all the attacks, Protect your enterprise injection attacks. Source: IBM Managed Security Services approximately 95 percent, were written in PHP, while reducing cost data (January 1, 2016 – September 30, 2016). a widely used open source scripting language. and complexity Although not readily apparent, the number of command injection attacks resulting from malicious About IBM Security PHP webshells is relatively significant. No other single command injection attack type was seen to About the author be as prevalent, or as persistent, for as long.
Appendix A
Appendix B Although they can be a useful tool for web References administrators, in the hands of a malicious actor webshells can be a very effective attack vector.
3 ◀ Previous Next ▶
Contents Webshell attacks
Executive overview 1,000 1 • 2 • 3
800 PHP webshells: flavor of the year 600 The many features and varieties of webshells 400
Focused on content management systems 200
Mitigation 0 15 15 15 16 16 16 16 16 16 v 2015 b 2016 y 2016 Jul 20 Protect your enterprise Sep 20 Oct 20 No Dec 20 Jan 2016 Fe Mar 20 Apr 20 Ma Jun 20 Aug 20 Sep 20 while reducing cost and complexity Figure 2. Webshell attacks September 2015 through September 2016. Source: IBM Managed Security Services data (September 1, 2015 – September 30, 2016). 1000 About IBM Security
800 About the author
Appendix A 600
Appendix B 400
References 200
0
4 ◀ Previous Next ▶ Contents PHP webshells: flavor of the year The many features and varieties Analysis of IBM MSS data from 2016 revealed over of webshells Executive overview 120 unique types of PHP webshell scripts (see Third-party webshell scripts are freely available on Appendix A). The great majority were observed in PHP webshells: flavor of the Internet and can be downloaded from many the year attack attempts to plant them in remote servers via openware distributors. command injection, in order to ultimately breach The many features and the servers and gain unauthorized access to the Administrators like ease of access, so performing varieties of webshells data they host. One nefarious PHP webshell, management tasks without having to add another 1 • 2 • 3 • 4 “C99Shell,” was the most common variety, application can often be a favored solution. With accounting for nearly nine percent of the attacks webshells, all management activities can take Focused on content recorded in 2016. place within a web browser by simply pushing the management systems core code to the web server’s HTML directory Webshells are one of the tools most consistently and then calling it in a URL. The problem is that Mitigation 4 used by Advanced Persistent Threat (APT) groups this convenience creates an attack vector. Using to breach organizations. The Emissary Panda webshells also means that anyone can modify Protect your enterprise APT group, for example, has reportedly used the while reducing cost the code and add extra features, malevolent and complexity ChinaChopper webshell to gain access to targeted features included. organizations.5 Another APT group, TG-3390, About IBM Security has been found using the OwaAuth webshell to System administrators can use webshells compromise systems.6 Security teams must legitimately to perform actions on the server: About the author take preventive steps to keep these groups out create a user, read system logs, restart a service. of their networks. Classic webshells do not require a communications Appendix A socket and are simply run over HTTP. Basically, they’re backdoors that run from the browser. This Appendix B does not apply to reverse shells, which require a secondary program, such as Netcat, to run on a References victim’s machine.
5 ◀ Previous Next ▶ Contents Feature-rich webshells essentially enable one- The ability of webshells to maintain long-term stop shopping for an attacker. Once a webshell is persistence in the organization is of even greater Executive overview planted, the attacker can virtually treat the victim concern. Once called on by the attacker, webshell host as if he owns it personally. Table 1 lists some scripts don’t usually make any network “noise” PHP webshells: flavor of of the features of most webshell applications and are considered to be an Advanced Persistent the year that an attacker can exploit to compromise a Threat tool. An APT is a network attack in which The many features and vulnerable system. an unauthorized person gains access to a network varieties of webshells and stays there, undetected, for a long time. One 1 • 2 • 3 • 4 All of the features described in Table 1 are included report indicates that APT attacks in 2015 managed in most malicious webshell scripts—all in only one to remain undetected for over 200 days before Focused on content file, no special installation requirements! Once being discovered by the targeted organization.7 The management systems attackers have access to the remote server they intention of an APT attack is to continually steal plan to breach, all they have to do is place the file data, not to damage the network or organization. Mitigation in a web-facing directory and call the script from the comfort of a web browser. Hence, relatively little Protect your enterprise skill is required to execute webshell attacks. There while reducing cost and complexity are also plenty of injection tools available to assist a motivated actor, making this attack vector more About IBM Security dangerous and potent.
About the author
Appendix A
Appendix B Attackers take advantage of existing References vulnerabilities in a web application to upload malicious webshells.
6 ◀ Previous Next ▶
Contents Feature Malicious use
Executive overview File management This feature allows the attacker to upload virtually any file type, including The file manager allows the user to copy, move, delete, malware that would cause the website to become a watering hole. search and rename files and directories in a home directory The attacker could also plant specific software known as reverse shell, such on the server. It may also be used to upload, download, PHP webshells: flavor of as Netcat, which allows the target machine to communicate back to the compress and decompress files, as well as preview them in attacking machine. The attacking machine has a listener port on which it the year the browser. receives the connection, allowing the attacker to achieve command execution. The many features and Connect to DBMS This makes it possible to access sensitive data, including personally varieties of webshells Webshells can provide access to database management identifiable information (PII) as well as financial data and credentials. systems (DBMS ) such as mysql, mssql, Oracle, sqlite, 1 • 2 • 3 • 4 postgresql and others using the Open Database Connectivity (ODBC) API or the PHP Data Objects (PDO) interface. Focused on content Server-side management A malicious intruder could create and launch a command and control (C&C) management systems Webshells allow access to server-side services and bot that runs as an additional process on the web server. The victim machine processes such as “start” and “stop.” can then be used as a central communication point for a large botnet. Proxy or relay An attacker can compromise other servers in a network once he gains full Mitigation Proxies or relays serve as a hub through which Internet access to a company’s website. Those hosts can be used as proxy or relay requests are processed. points that disguise his true origin when performing attacks within the parent victim network. Protect your enterprise Command execution This ability could allow an attacker to launch arbitrary commands on the while reducing cost Webshells allow the execution of shell commands. host operating system via a command shell environment. and complexity Script execution An attacker could run scripts using a variety of languages: PHP, ASP.NET, Webshells allow the execution of scripts. Perl, Python, Ruby, Java, Node.js, C). These scripts could contain malicious instructions capable of overtaking the host and in some cases contain built- About IBM Security in services that could, upon execution, allow further avenues of access via other protocols. About the author Packet crafter An attacker could find entry points into a targeted system or network, which A packet crafter allows network administrators to create may target the firewall, intrusion detection system (IDS), TCP/IP stack, router packets for the purpose of probing firewall rule-sets. or any other component of the network. Appendix A Process list or Task Manager access An attacker could harvest and exfiltrate data. Webshells allow access to system monitoring programs used to provide information about both the processes and Appendix B programs running on a computer and its general status. Some implementations can also be used to terminate processes References and programs as well as change the processes priority. Local email server access An attacker can gain access to the mail gateway, attach local files to an Webshells allow access to the local email server. email and send them via SMTP/POP3 from within the victim’s network. The attacker can also use these email resources to send phishing emails.
Table 1. The features of webshells and how attackers can exploit them.
7 ◀ Previous Next ▶ Contents Attack entry points There are many ways malicious webshells can be Web applications are often developed in-house installed on the enterprise’s web server. The United Executive overview using scripting languages such as PHP, Python, States Computer Emergency Readiness Team Ruby and Perl. Because these languages are (US-CERT) lists several8: PHP webshells: flavor of considered relatively complex, in-house developers the year who may not be as experienced in every • Cross-site scripting The many features and programming language, or in application security • SQL injection varieties of webshells for that matter, can unknowingly open security • Command injection 1 • 2 • 3 • 4 holes in their applications, possibly allowing the • Vulnerabilities in applications or services (e.g., execution of arbitrary scripting code. Furthermore, WordPress or other content management Focused on content web application code is often deployed, then system applications) management systems forgotten and unmaintained. This code naturally • File processing vulnerabilities (upload filtering or deteriorates over time due to lack of updating assigned permissions) Mitigation and patching, creating inevitable holes in the • Remote File Include (RFI) and Local File Include organization’s network and ultimately making it (LFI) vulnerabilities Protect your enterprise • Exposed administrative interfaces while reducing cost much more vulnerable to cyber attacks. and complexity When malicious attackers identify one of these Note that webshells are considered “post About IBM Security "holes," they may attempt to deploy harmful exploitation” tools. To carry out an attack, the webshell code in order to exploit it and gain access actor must first find a vulnerability on a target web About the author to the network. Using customized scripts, attackers application. One way to do this is by first uploading can further create “virtual” shells accessible via the webshell through a file upload page, for Appendix A the web server that, if successful, allow total control example a submission form on a company website, of the organization’s web environment—possibly and then using an LFI weakness in the application Appendix B leading to additional compromise. to include the webshell in one of the pages.
References
8 ◀ Previous Next ▶ Contents Focused on content Recommendations for mitigating risks to management systems CMS can be found in the IBM X-Force report Executive overview titled “Understanding the risks of content According to IBM MSS data, one of the most management systems.” PHP webshells: flavor of popular PHP webshells used for nefarious the year purposes is a variant of the C99 webshell called C99Shell as a percentage of total C99Shell (see Figure 3). The data shows a distinct webshell activity The many features and upward trend in attacks tied specifically to this C99Shell 9% varieties of webshells variant, accounting for close to nine percent of All other webshell attacks in 2016, since we began detecting webshells 91% Focused on content it in February 2016. A detailed look at this particular management systems variant can be found in Appendix B.
Mitigation C99Shell is focused on vulnerabilities in the WordPress content management system Protect your enterprise while reducing cost (CMS). Usually such webshell entry points in and complexity content management systems result either from vulnerabilities within third party plug-ins About IBM Security that haven’t undergone a security review during development, or from bugs in the parent application Figure 3. C99Shell attack volume vs all other webshell About the author that haven’t been patched by the administrator. activity. Source: IBM Managed Security Services data According to IBM X-Force, the largest percentage (February 1, 2016 – September 30, 2016). Appendix A of CMS vulnerabilities occurs in plug-ins or modules written by third-party sources.9 Appendix B
References
9 ◀ Previous Next ▶ Contents Mitigation Prevent your web applications from being the means by which a webshell is installed. Never Malicious webshell exploitation is one of the easiest Executive overview assume that critical systems are operating without ways attackers can gain unauthorized access to security flaws. Unpatched systems will always be an organization’s network, but strengthening your PHP webshells: flavor of the prime target of malicious attackers. the year network protections can go a long way in limiting your exposure to attacks that begin this way. The • Employ user input validation. The best way The many features and following recommendations from IBM MSS experts of handling user input is with a white-listing varieties of webshells can help your team mitigate the threat: approach. Use the most restrictive rule by default and allow special characters only by Focused on content • Edit your php.ini file to disallow base64_decode exception. This will greatly reduce the attack management systems functionality. Find the line that states disable_ surface for many vectors. functions = and change it to “disable_functions • Scan web applications and identify and fix Mitigation = eval, base64_decode, gzinflate”. 1 • 2 vulnerabilities prior to deployment using • Scan all files during attachment uploading with testing software such as IBM Security ModSecurity. Attackers can take advantage of Protect your enterprise AppScan® software. your excluded content to hide their code, which while reducing cost • Employ penetration testing services to identify is why excluding certain file types such as .jpg and complexity systems vulnerabilities, validate existing controls and .gif is no longer an option. Attackers know and provide a roadmap for remediation. About IBM Security these files may evade scans and can use • Consider deploying a demilitarized zone (DMZ) them to hide malicious PHP code within the between your web-facing systems and the About the author images’ headers. corporate network. This helps prevent an • If your website becomes compromised, anything attacker from breaching a server and getting Appendix A that requires validation—such as SSL, FTP, SQL access to data or even internal systems. and a router or firewall command line interface— Appendix B is also compromised, including your customers’ credentials. You must change all your passwords References and advise your customers to do the same as soon as you find out about the breach.
10 ◀ Previous Next ▶ Contents Also, since a notable percentage of malicious • Change all WordPress defaults to customize webshells target CMS vulnerabilities—particularly your install as much as possible. Executive overview WordPress vulnerabilities, as seen in the C99Shell • Install a good security plug-in such as the activity—the following recommendations are Wordfence WordPress plug-in. PHP webshells: flavor of specific to WordPress website installations: • Use a CMS security scanner such as Acunetix the year Vulnerability Scanner or WordPress Security • Change the name of your “uploads” folder. Scanner to test for vulnerabilities in a The many features and WordPress allows write access to this folder WordPress installation. varieties of webshells through the media uploader, which makes Focused on content it easier for attackers to upload PHP files With easy exploitation and a plethora of unpatched management systems containing shell scripts. If you leave this folder as vulnerabilities to target, malicious PHP webshells the default, an attacker with limited knowledge will continue to be popular among attackers. Mitigation can guess the file path. Changing the name By applying the recommendations outlined in 1 • 2 of the folder can also help avoid automated this report, organizations can go a long way in exploitation routines that run on entire mitigating this threat. Protect your enterprise WordPress site servers. while reducing cost and complexity
About IBM Security
About the author
Appendix A
Appendix B Strengthening your network and References application protections can go a long way towards preventing attacks by webshells.
11 ◀ Previous Next ▶ Contents Protect your enterprise while About IBM Security reducing cost and complexity IBM Security offers one of the most advanced Executive overview From infrastructure, data and application protection and integrated portfolios of enterprise security PHP webshells: flavor of to cloud and managed security services, IBM products and services. The portfolio, supported the year Security Services has the expertise to help by world-renowned IBM X-Force research and safeguard your company’s critical assets. We development, provides security intelligence to The many features and protect some of the most sophisticated networks help organizations holistically protect their people, varieties of webshells in the world and employ some of the best minds in infrastructures, data and applications, offering the business. solutions for identity and access management, Focused on content database security, application development, management systems IBM offers services to help you optimize your endpoint management, network security and more. security program, stop advanced threats and IBM operates one of the world’s broadest security Mitigation respond to critical security incidents. Security research, development and delivery organizations, Intelligence Operations and Consulting Services monitors billions of security events per day in more Protect your enterprise than 130 countries, and holds more than 3,500 while reducing cost can assess your maturity against best practices security patents. and complexity in security. Penetration Testing from IBM X-Force Red can help you determine weakness in your About IBM Security IT systems and strengthen your defenses. With IBM Managed Security Services you can take About the author advantage of industry-leading tools, security intelligence and expertise that will help you improve Appendix A your security posture—often at a fraction of the cost of in-house security resources. Appendix B
References
12 ◀ Previous Next ▶ Contents About the author David became interested in security in the 1980s, when he owned and operated one of the first David McMillen, Senior Threat Executive overview companies to offer penetration and vulnerability Researcher, IBM Managed testing. As the Internet’s footprint grew, it became Security Services. David brings PHP webshells: flavor of clear to him that there was a new challenge on the more than 25 years of network the year horizon: protecting data. David next worked with security knowledge to IBM. IBM Business Partner WheelGroup (later acquired The many features and David began his career at IBM over 15 years ago by Cisco), where he helped develop the NetRanger varieties of webshells as a member of the core team that created the IDS intrusion detection system and NetSonar, a IBM Emergency Response Service, which vulnerability scanner. David also assisted with the Focused on content eventually grew and evolved into IBM Internet development of the very first IBM intrusion detection management systems Security Systems. system, BillyGoat. David has subsequently developed several other security-based methods Mitigation As an industry-recognized security expert and and systems that have been patented by IBM. thought leader, David has a rich background in Protect your enterprise IT security. He thrives on identifying threats and while reducing cost Contributors and complexity developing methods of solving complex problems. His specialties are intrusion detection and Michelle Alvarez – Threat Researcher, IBM Security About IBM Security prevention, ethical hacking, forensics, and analysis of malware and advanced threats. As a member For more information of the IBM Managed Security Services Threat About the author To learn more about the IBM Security portfolio, Research Team, David takes the intelligence he has please contact your IBM representative or IBM gathered and quickly produces tangible remedies Appendix A Business Partner, or visit: that can be implemented within a customer’s ibm.com/security Appendix B network or on IBM’s own proprietary threat detection engines. For more information on security services, visit: References ibm.com/security/services
Follow @IBMSecurity on Twitter or visit the SecurityIntelligence blog
13 ◀ Previous Next ▶ Contents Appendix A Analysis of IBM MSS data from 2016 revealed over 120 unique types of PHP webshell scripts. Some of the Executive overview more common are listed below. PHP webshells: flavor of the year Ajax_ Command Shell CTT Shell JspWebshell 1.2 AK-74 Web Shell Cyber Shell KA_uShell 0.1.6 The many features and Antichat Shell CyberSpy5.Asp. Kadot webshell varieties of webshells Antichat Shell v1.3 dC3 Security Crew Shell klasvayv.asp. Ayyildiz Tim -AYT- Shell Dive Shell 1.0 Team Loaderz WEB Shell Focused on content aZRaiL v1.0 DTool Pro MyShell management systems b374k Dx NFM 1.8 b374k-mini-shell DxShell v1.0 NGH Mitigation c0derz shell Gamma Web Shell NIX REMOTE WEB SHELL C2007Shell GFS web-shell nsTView v2.1 Protect your enterprise c99_locus7s GFS Web-Shell NTDaddy v1.9 while reducing cost and complexity c99_madnet gfs_sh PHVayv c99_PSych0 go-shell Predator About IBM Security c99_w4cking GRP WebShell 2.0 r57shell C99Shell h4ntu shell Sincap 1.0 About the author CasuS 1.5 hiddens shell v1 Spy Ver 2006 ChinaChopper iMHaBiRLiGi STNC WebShell Appendix A CmdAsp.asp. iMHaPFtp Web-shell (c)ShAnKaR Crystal indexer.asp. ZyklonShell Appendix B Crystal shell ironshell
References
14 ◀ Previous Next ▶ Contents Appendix B
Executive overview A focused look at a typical webshell
PHP webshells: flavor of What follows is a detailed look at an attack using the C99Shell webshell. the year
The many features and varieties of webshells
Focused on content management systems
Mitigation
Protect your enterprise while reducing cost and complexity
About IBM Security
About the author
Appendix A
Appendix B 1 • 2 • 3 • 4 • 5 • 6
References Figure 4. Screenshot of C99Shell Interface.
15 ◀ Previous Next ▶ Contents The request The following GET request is issued for this In the C99Shell attack, there is one common particular variant: Executive overview URL and file name, pagat.txt, that contains an hxxp://www.victim.com/wp-content/themes/ obfuscated PHP script. Attackers will purposely twentythirteen/pagat.txt PHP webshells: flavor of hide their malicious code by obfuscating it, in an (the abbreviation “wp” in the request stands for the year effort to evade detection and assist in bypassing WordPress). any Web application firewall that may be protecting The many features and varieties of webshells the website. The text file pagat.txt contains the obfuscated code shown in Figure 5, which has been purposely Focused on content truncated in this example. management systems
Mitigation
Appendix A Figure 5. Obfuscated PHP code found in C99Shell attack. Source: IBM Managed Security Services data. Appendix B 1 • 2 • 3 • 4 • 5 • 6
References
16 ◀ Previous Next ▶ Contents This obfuscated PHP code would be passed to the The mechanism eval() function only after it is de-obfuscated using The PHP module on the victim server will decode Executive overview one of these three methods: the obfuscated strings and execute the script. Once decoded, the script shows its true intent PHP webshells: flavor of • Gzinflate inflates a deflated string. This function (see Figure 6). The examples below are purposely the year takes data compressed by gzdeflate() and truncated for security reasons. returns the original uncompressed data. The many features and • Rot13 is a simple letter-substitution cipher that varieties of webshells First, an email is sent to the target victim at replaces a character with whatever comes 13 [email protected] (actual email obfuscated) Focused on content letters after it in the alphabet. confirming the target has been compromised: management systems • Base64 features binary-to-text encoding mail("[email protected]", "$body", "Hasil schemes that represent binary data in an ASCII Bajakan hxxp://$web$inj Mitigation string format by translating it into radix-64. Next, the script creates a Form page on the victim’s Protect your enterprise All three of these methods can be used to decipher website. Web forms enable entering input and while reducing cost obfuscated code at once by simply using an online credentials via web interface, affecting activity on and complexity PHP decoding tool. the server linked to them (see Figure 6).
About IBM Security Next, the attacker will call the new web form from the browser. This will enable the attacker to About the author execute shell commands on the server, as well as push additional files to it that can be used for other Appendix A nefarious actions. Attackers can choose from a wide array of options to breach and control a server Appendix B or resource they have no authorization to access. 1 • 2 • 3 • 4 • 5 • 6
References
17 ◀ Previous Next ▶ Contents echo ' < formmethod = "POST"action = "" > < fontsize = 2color = Executive overview #888888>Command
'; PHP webshells: flavor of echo '
About IBM Security
About the author
Appendix A
Appendix B 1 • 2 • 3 • 4 • 5 • 6
References
18 ◀ Previous Next ▶ Contents Identification Refer to the associated X-Force Exchange As of April 12, 2016, a Google search for the file collection for more information. Executive overview name pagat.txt returned more than 32,000 results. Only 21 of 54 antivirus products identify this This specific webshell variant we reviewed is one PHP webshells: flavor of malicious php script, according to VirusTotal at of many reportedly being used by a mass web the year the time of analysis.10 More information about the defacer known as Hmei7, an actor who claims script follows: to have defaced more than 5,000 WordPress The many features and websites over a two-day period a few years ago.11 varieties of webshells MD5 6b58157d69de0fc2663a0765e1d9c5b5 Hmei7 automates the use of backdoors with a SHA1 0a027b75243f8e6230991c8e58520c7e7799 file uploading feature and changes critical site Focused on content c5cf files like index.php or configuration.php, which management systems SHA256 c0134d499451bff03335523c9f435f are essentially the keys to the kingdom. Hmei7 5bce408401d0a042881838d4f309cf8844 Mitigation is known to have defaced an ever-rising number ssdeep24: FMojOrnQLqFlTuOnAtau89M+2XUS MrL1//5ZOcKVrNVkQYfEVhS2/KDZPep30VLg: of websites, over 1,500 of which appear on Protect your enterprise KGOr6Y0OAgu8SiLtrKTVI6hS2/3p30Vc lists tracked by Zone-H, an archive of defaced while reducing cost File size 1.5 KB (1515 bytes) websites12 (see Figure 7). and complexity File type PHP
About IBM Security
About the author
Appendix A
Appendix B 1 • 2 • 3 • 4 • 5 • 6
References
19 ◀ Previous Next ▶ Contents
Executive overview
PHP webshells: flavor of the year
The many features and varieties of webshells
Focused on content management systems
Mitigation
Protect your enterprise while reducing cost and complexity
About IBM Security
About the author Figure 7. Hmei7’s defacement activity using the C99Shell. Source: Zone-H. Appendix A
Appendix B 1 • 2 • 3 • 4 • 5 • 6
References
20 ◀ Previous Next ▶ Contents References 1 https://www.ibm.com/developerworks/library/se-owasptop10/ Executive overview 2 https://www.us-cert.gov/ncas/alerts/TA15-314A PHP webshells: flavor of 3 https://hostadvice.com/blog/plesk-vs-cpanel/ the year 4 https://www.us-cert.gov/ncas/alerts/TA15-314A
5 https://threatpost.com/apt-group-gets-selective-about-data-it- The many features and steals/114103/ varieties of webshells 6 https://www.secureworks.com/research/threat-group-3390- targets-organizations-for-cyberespionage
Focused on content 7 http://www.infosecurity-magazine.com/news/hackers-spend- management systems over-200-days-inside/
8 https://www.us-cert.gov/ncas/alerts/TA15-314A Mitigation 9 https://securityintelligence.com/media/xforce-tir-2016/
10 https://virustotal.com/en/file/c0134d499451bff03335523c9f435f Protect your enterprise 5bce408401d0a042881838d4f309cf8844/analysis/ while reducing cost and complexity 11 http://www.ehackingnews.com/2013/01/Indonesian-top-defacer- hmei7.html
12 http://www.zone-h.org/archive/notifier=Hmei7?zh=2 About IBM Security
About the author
Appendix A
Appendix B
References
21 ◀ Previous Next ▶ Contents © Copyright IBM Corporation 2016
Executive overview IBM Security Route 100 Somers, NY 10589 PHP webshells: flavor of the year Produced in the United States of America November 2016 The many features and varieties of webshells IBM, the IBM logo, ibm.com, AppScan and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other Focused on content companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at management systems ibm.com/legal/copytrade.shtml This document is current as of the initial date of publication and may be changed by IBM at any time. Not all Mitigation offerings are available in every country in which IBM operates.
Protect your enterprise THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR while reducing cost IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR and complexity PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. About IBM Security Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access About the author can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely Appendix A secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or Appendix B services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT References OF ANY PARTY.
SEL03114-USEN-00