How can web shells be used to exploit security tools and servers?

A web shell from the JexBoss security tool was used to exploit servers through an unpatched JBoss vulnerability. Expert Michael Cobb explains how to prevent similar attacks.

The unpatched JBoss vulnerability that affected millions of servers was apparently exploited using a web shell from JexBoss, an open source tool for testing the security of JBoss' application server. How was a security tool like JexBoss used for malicious purposes, and should enterprises be concerned about similar exploits using web shells?

Web shells are small programs or scripts that can be uploaded to a vulnerable server and then opened by a remote user using a browser to gain administrative access to the machine -- a malicious backdoor accessed via a browser. A web shell can be written in any language that the targeted web server supports, so, for example, a PHP web server will execute a web shell written in PHP. Web shells are popular with hackers because they provide remote access and a web-based interface for running commands while maintaining a minimal presence, which makes them hard for the victim to find. As the web shell runs with the same privileges as the interpreter engine, the attacker may well be able to add, delete and execute files, as well as execute various system commands.

Before an attacker can use his web shell, he needs to identify a configuration weakness or vulnerability on a server that can be exploited, and which will allow him to upload the web shell. Such vulnerabilities exist in many content management systems and web frameworks, such as WordPress and Joomla!, or in the web server software itself. According to the Cisco Talos Security Intelligence and Research Group, over 3 million computers running unpatched versions of the JBoss middleware software are thought to be vulnerable to hackers wanting to install malicious web shells. The Talos researchers discovered over 2,100 backdoors already installed on different systems, some with more than one, indicating they had been compromised several times by different attackers.

Like the exploit development framework Metasploit, the JexBoss web shell can be used to test the vulnerability of a computer system, for both legitimate and unauthorized activities. The flaw in JBoss that is being exploited, CVE-2010-0738, was found and patched in 2010, but clearly many system administrators have failed to install the patch or upgrade to a nonvulnerable version.

Malicious web shells are a major security concern, as a compromised web server can be used to target other servers or move laterally throughout a network. The U.S. Computer Emergency Readiness Team published an advisory regarding web shells, with advice on detection and mitigation measures. Whenever possible, a compromised host should be taken offline immediately to deny the attacker's continued remote access. Depending on the server's role and criticality, it should be either reimaged and the software updated, or restored from a precompromise backup and then updated, before being put back online.

The reason many servers continue to run vulnerable software is that administrators often don't have a full inventory of all the software, and its associated libraries, installed on internet-facing computers. Some libraries may be embedded in many different applications, with each instance needing to be patched before a vulnerability is fully eradicated. Apart from a comprehensive software asset register and a robust patch management and update program, administrators should implement a least-privilege policy on all servers. All redundant services and ports should be disabled or blocked, and unnecessary software removed.

There are various tools available that make securely configuring or hardening most types of operating systems and applications a lot easier. They provide the information and guidance needed to bring a device's configuration up to industry best practice and prevent the majority of simple attacks from succeeding. The free Benchmark and Scoring Tools from the Center for Internet Security cover a wide range of operating systems, middleware and software applications and network devices. Microsoft-based organizations can use Microsoft's Baseline Security Analyzer to detect common security misconfigurations and missing security updates on Windows-based computer systems and Office applications. Finally, always keep a backup of a known uncompromised version of each server offline, in case a full restore is required following an attack.
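
One way to use that known uncompromised copy for detection, shown here as an added example that is not from the article or the US-CERT advisory: hash every server-executable file in the clean copy, then compare the live web root against that manifest so an uploaded or altered script stands out. The function names, the extension list and the sample tree are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Extensions the server would execute (assumption; adjust to the stack in use).
SCRIPT_EXTS = {".jsp", ".jspx", ".php", ".asp", ".aspx", ".war"}

def hash_file(path):
    """SHA-256 of a file's contents."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for each server-executable file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = hash_file(full)
    return manifest

def compare(baseline, current):
    """Files added, modified or removed relative to the known-good baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed sample tree: baseline it, then add one file and edit one."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")
        os.makedirs(app)
        with open(os.path.join(app, "index.jsp"), "w") as fh:
            fh.write('<%= "hello" %>')
        open(os.path.join(app, "logo.png"), "wb").close()  # not executable, ignored
        baseline = build_manifest(root)
        with open(os.path.join(app, "status.jsp"), "w") as fh:  # unexpected new file
            fh.write("<%-- constructed placeholder --%>")
        with open(os.path.join(app, "index.jsp"), "a") as fh:  # edited existing file
            fh.write("<%-- changed --%>")
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

The baseline manifest should be built from the offline copy and stored off the server, since a manifest kept on a compromised host can be rewritten along with the files.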


This was last published in August 2016
