One tool that bad guys use to go after your web servers is a web shell. A web shell is a malicious script that masquerades as a legitimate file and provides a backdoor into your server. Recent guidance from the US National Security Agency (NSA) and the Australian Signals Directorate (ASD) offers techniques to detect and prevent web shell malware from affecting web servers. The NSA document describes web shell malware as a long-standing, pervasive threat that continues to evade many security tools.
Detection may be difficult. Web shells target existing applications and files. Because they mimic proper files on your system, it’s often difficult to determine that an attack has occurred. Here’s how to best detect and prevent web shell attacks on a Windows network.
1. Compare files
Begin by comparing the files on the machine to known good files. Compare date and time stamps and, above all, SHA-2 hash values. You can also use Windiff to compare two files to determine whether the attacker has replaced one with a similar-looking copy.
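The comparison described in this step, as an added PowerShell example that is not from the article or the NSA/ASD guidance: the script records the SHA-256 hash (a SHA-2 member), size and last-write time of every file under a web root into a baseline CSV, and on later runs reports files that are new, modified or missing relative to that baseline. The web root path `C:\inetpub\wwwroot` and the baseline path are placeholders to adjust for your own server.

```powershell
# Added example (not part of the original article): baseline a web root's file hashes,
# then compare a later snapshot against it to surface new, changed or deleted files.
# Assumptions: $WebRoot and $Baseline are placeholder paths; change them for your server.
param(
    [string]$WebRoot  = 'C:\inetpub\wwwroot',
    [string]$Baseline = 'C:\Baselines\wwwroot-baseline.csv',
    [switch]$CreateBaseline
)

# Collect one record per file: path relative to the web root, SHA-256, timestamp, size.
function Get-WebRootSnapshot {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        [PSCustomObject]@{
            RelativePath = $_.FullName.Substring($Path.Length).TrimStart('\')
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
            Length       = $_.Length
        }
    }
}

# First run: write the known-good baseline while the server is in a trusted state.
if ($CreateBaseline) {
    Get-WebRootSnapshot -Path $WebRoot | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Host "Baseline written to $Baseline"
    return
}

# Later runs: load the baseline into a lookup table keyed by relative path.
$known = @{}
Import-Csv -Path $Baseline | ForEach-Object { $known[$_.RelativePath] = $_ }

$current = Get-WebRootSnapshot -Path $WebRoot
$seen = @{}
foreach ($file in $current) {
    $seen[$file.RelativePath] = $true
    $base = $known[$file.RelativePath]
    if (-not $base) {
        # A file the baseline never saw: a dropped web shell typically appears here.
        Write-Output "NEW      $($file.RelativePath) sha256=$($file.Sha256)"
    }
    elseif ($base.Sha256 -ne $file.Sha256) {
        # Same name, different content: a legitimate file may have been replaced or appended to.
        Write-Output "MODIFIED $($file.RelativePath) baseline=$($base.Sha256) now=$($file.Sha256) lastWrite=$($file.LastWriteUtc)"
    }
}
foreach ($path in $known.Keys) {
    if (-not $seen.ContainsKey($path)) { Write-Output "DELETED  $path" }
}
```

Run it once with `-CreateBaseline` from a known-good state, then schedule the plain run and review anything it reports. The comparison keys on the hash rather than the timestamp because a last-write time is easy to leave unchanged while the content differs, so the timestamp is kept in the report only as context for triage.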