How to detect and prevent web shells

One of the most powerful tools in a threat actor’s arsenal is a web shell, used to infect servers — including those that aren’t internet-facing — to maintain persistent network access. Easily modified, they’re hard to detect by system administrators.

To give them some help, the U.S. National Security Agency and the Australian Signals Directorate — their respective countries’ electronic spy agencies — have issued a detailed 17-page report on detecting and preventing web shells from being installed on systems.

“Preventing web shells should be a priority for both internet-facing and internal web servers,” according to the partners. “Good cyber hygiene and a defence-in-depth approach based on the mitigations below provide significant hardening against web shells.

“While some web shells do not persist, running entirely from memory, and others exist only as binaries or scripts in a web directory, still others can be deeply rooted with sophisticated persistence mechanisms. Regardless, they may be part of a much larger intrusion campaign. A critical focus once a web shell is discovered should be on how far the attacker penetrated within the network.

“Packet capture (PCAP) and network flow data can help to determine if the web shell was being used to pivot within the network, and to where. If such a pivot is cleaned up without discovering the full extent of the intrusion and evicting the attacker, that access may be regained through other channels either immediately or at a later time.”

Their practical advice includes scripts that can be used to compare the directory of an active website against a known-good image of that site, how to use Splunk queries for detecting anomalous URIs in web traffic; scripts for using Microsoft’s Powershell to analyze  Internet Information Services (IIS) logs for suspicious activity; scripts for analyzing Apache logs; network signatures of traffic for common web shells and more.

Web shells are difficult to detect as they are easily modified by attackers and often employ encryption, encoding, and
obfuscation, the report notes. Detection techniques include

  • comparing a verified benign version of the web application (i.e., a “known-good”) against the production version
  • web traffic anomaly detection
  • watching for unexpected network flows

In addition, some endpoint detection and remediation (EDR) solutions and enhanced host logging solutions may be able to detect web shells. Snort rules can be used to detect common web shell files.

Prevention strategies come down to defence-in-depth and include:

  • making patching of web applications a priority. Attackers sometimes target vulnerabilities in these applications within 24 hours of a patch release
  • limiting web app permissions. Web applications should not have permission to write directly to a web-accessible directory or modify web-accessible code
  • installing Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF);
  • network segregation
  • and hardening web servers by blocking access to unused ports or services and performing vulnerability scans can help to identify unknown weaknesses

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now