The SWRCCU are currently investigating a website defacement and network intrusion whereby a large amount of data has been compromised.
- During the investigation it has been identified that access was gained to the webserver of the company through a vulnerability in an unpatched file upload plugin.
- The attackers were able to place two shells on the webserver for access at a later date.
What is a shell?
- A web shell is a script that can be uploaded to a webserver to enable remote access and control of the machine.
- A web shell can be written in any language that the target webserver supports. The most common languages are PHP and ASP; however, Perl, Ruby, Python and Unix shell scripts are also used.
- Once a web shell is uploaded, suspects can escalate privileges and issue commands remotely, enabling them to upload further malware or to use the infected machine as a command and control server for a botnet or malware.
Because web shells are simple and easy to modify, they can be difficult for antivirus software to detect.
Installation of a web shell is commonly done through web application vulnerabilities or configuration weaknesses. Therefore, identification and closure of these vulnerabilities is crucial in avoiding potential compromise.
- Regularly update applications and the host operating system to ensure that known vulnerabilities are plugged.
- Implement a “least privileges” policy on the web server to reduce the ability of the hackers to escalate privileges.
- Consider employing a Demilitarised Zone (DMZ) between your web facing system and corporate network.
- Configure your webserver correctly. All unnecessary services and ports should be disabled and blocked.
- Ensure you have a “known good” version of the relevant server as back up for use in the event of access being gained and files being changed or deleted.
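One way to use the "known good" copy for detection as well as recovery is to compare it file by file against the live web root and review anything added or changed. This is an added example, not part of the original alert; the function names and the list of script extensions are assumptions chosen for illustration.

```python
import hashlib
import os

# Assumed list of extensions a web server may execute, based on the
# languages the advisory names (PHP, ASP, Perl, Ruby, Python, shell).
SCRIPT_EXTS = {".php", ".asp", ".aspx", ".pl", ".rb", ".py", ".sh", ".cgi"}


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def compare(baseline, current):
    """Return files added, modified or deleted relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline if p in current and baseline[p] != current[p]
    )
    return {"added": added, "modified": modified, "deleted": deleted}


def new_scripts(diff):
    """Added or modified files with a script extension: review these first."""
    changed = diff["added"] + diff["modified"]
    return sorted(
        p for p in changed if os.path.splitext(p)[1].lower() in SCRIPT_EXTS
    )


if __name__ == "__main__":
    import sys
    # Usage: python webroot_diff.py <known_good_dir> <live_webroot_dir>
    diff = compare(build_manifest(sys.argv[1]), build_manifest(sys.argv[2]))
    for kind, paths in diff.items():
        for path in paths:
            print(kind, path)
    print("scripts to review:", new_scripts(diff))
```

Because the comparison relies on hashes rather than signatures, it flags a modified or newly placed script even when antivirus software does not recognise it. Keep the known good copy offline or read-only so it cannot be altered along with the server.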
Thanks to the Gloucestershire Police for alerting us to this information.
Action Fraud is the UK’s national fraud and internet crime reporting centre, providing a central point of contact for information about fraud and financially motivated internet crime.