Hunting Webshells
Santhosh Baswa
Security @ TikTok | PEP - No Sponsorship Required | Leadership | Architect | Speaker | Python | DFIR | Threat Hunting | SIEM | Security Automation (SOAR) | R&D
Hey Security Ninjas, every day we need to investigate phishing email campaigns, malware C&C, and infected/compromised hosts or web servers. Many end users are infected by accessing compromised web servers. Smart hackers spawn their web shells on compromised web servers and connect back to their C&C servers. Using that command-line access, they modify the web server's source code (put malicious executables and files there) and share links to those malicious files in phishing emails, etc.
When we start an investigation on a compromised web server (webshells) in a client environment, we need to focus on the things below.
Purpose:
- We need to identify web shells (stand-alone or injected).
Data Required:
- Web server logs (Apache, IIS, etc)
Data Collection:
- First we need to collect logs from all web servers, and ensure that parameters are collected.
- POST data should be collected.
Example:
Apache: consider using mod_security or mod_dumpio.
IIS: consider using Failed Request Tracing / Custom Logging.
Analysis Techniques:
I'm following these two techniques: (i) stack counting and (ii) string matching.
- We need to analyze the page hits (accessed file locations, with time-stamp and accessing IP) from the server logs.
- After that, we take all accessing IPs and find the unique visits per IP (most only visit the web shell).
- The next step is to review the source code and check whether any obfuscated strings are found.
- Smart guys inject shell code into images and spawn their web shell from there, so also look at parameters passed to image files (e.g. /shit.png?aa=ls).
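As an added example (not from the original post), here is the stack counting and image-parameter check above run over a few constructed Apache combined-format log lines in Python; the log format, the "few distinct visitors" threshold and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: Apache "combined" log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" \d{3} \S+'
)
IMAGE_EXT = ('.png', '.jpg', '.jpeg', '.gif', '.ico')

def parse(lines):
    """Yield (ip, method, path, query) for every parseable log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            parts = urlsplit(m.group('uri'))
            yield m.group('ip'), m.group('method'), parts.path, parts.query

def stack_count(lines, max_visitors=2):
    """Stack counting: resources hit by very few distinct IPs are hunting
    candidates, because attackers are usually the only visitors of a web shell.
    Returns sorted (path, hits, distinct_ips) tuples (threshold is an assumption)."""
    hits, visitors = defaultdict(int), defaultdict(set)
    for ip, _method, path, _query in parse(lines):
        hits[path] += 1
        visitors[path].add(ip)
    return sorted((p, hits[p], len(visitors[p]))
                  for p in hits if len(visitors[p]) <= max_visitors)

def image_with_params(lines):
    """Image paths requested with query parameters (e.g. /x.png?aa=ls): a sign
    that code may have been planted inside an image file."""
    return sorted({(ip, path, query) for ip, _m, path, query in parse(lines)
                   if query and path.lower().endswith(IMAGE_EXT)})

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 512
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php HTTP/1.1" 200 512
192.0.2.9 - - [10/Oct/2023:14:01:44 +0000] "POST /uploads/cmd.php HTTP/1.1" 200 88
192.0.2.9 - - [10/Oct/2023:14:02:10 +0000] "GET /img/logo.png?aa=ls HTTP/1.1" 200 40
""".splitlines()

if __name__ == "__main__":
    for row in stack_count(SAMPLE):
        print("low-visitor resource:", row)
    for row in image_with_params(SAMPLE):
        print("image requested with parameters:", row)
```

On real logs, feed the file's lines instead of SAMPLE and raise max_visitors to fit the site's normal traffic; the low-visitor list is a starting point for review, not a verdict.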
End-point Detection Strategies:
- First, look for creation of processes whose parent is the web server process (apache, w3wp.exe). These come from functions like:
- PHP functions like exec(), shell_exec(), etc.
- ASP.NET functions like eval(), bind(), etc.
- Then we need to look at file additions or file changes (md5sum changes, file integrity checks, etc.).
(Note: use tools like inotify on Linux (or FileSystemWatcher in .NET) to monitor the webroot folder(s) recursively; those logs may be helpful.)