Detecting Web Shells
Web Indicators
Unusual HTTP Methods & Request Patterns
- Repeated GET requests may indicate probing for upload locations.
- POST requests immediately after suspicious GET activity.
- Repeated GET/POST requests to the same file.
Request Methods to Watch
| Method | Normal Usage | Possible Abuse |
| --- | --- | --- |
| GET | Retrieve a resource | Recon or interact with web shell |
| POST | Submit data | Upload or interact with shell |
| PUT | Upload/replace file | Upload shell |
| DELETE | Remove file | Cleanup |
| OPTIONS | Query supported methods | Reconnaissance |
| HEAD | GET without body | Probe for files |
Suspicious User-Agents & IP Addresses
- Altered or shortened User-Agents.
- Outdated browser strings (e.g., MSIE 6.0).
- Blacklisted tools like curl or wget.
- Unexpected external IP addresses.
Query Strings
- Suspicious parameters such as cmd= or exec=.
- Encoded payloads (Base64, URL encoded).
Missing Referrer
The Referer header shows the URL the user visited before following a link to the current page.
A missing referrer can indicate web shell activity, since a shell is usually requested directly rather than reached through a link. There are valid reasons why a referrer might be missing (e.g., browsers suppressing it for privacy, or the URL being typed or bookmarked directly), so treat it as one indicator among several.
Example of Suspicious Web Request
- Known malicious IP.
- Activity outside business hours.
- POST request to suspicious file.
- No referrer.
- Suspicious User-Agent.
Common Web Shell Locations
- Apache: /var/www/html/
- Nginx: /usr/share/nginx/html/
- Also: /uploads/, /images/, /admin/, /tmp
Suspicious or Random File Names
- Executable extensions (.php, .jsp)
- Double extensions (image.jpg.php)
- New or recently modified files
Network Traffic Analysis
- Unusual HTTP methods
- Suspicious User-Agents
- Encoded payloads
- Malicious commands
- Unexpected protocols
- High resource usage
- Web server spawning shells
Useful Wireshark Filters
http.request.method == "METHOD"      (replace METHOD with the method of interest, e.g. "POST" or "PUT")
http.request.uri contains ".php"
http.user_agent contains "curl"      (http.user_agent on its own matches every request that carries the header)
Apache Log Investigation
# grep reads the file directly; pad status codes with spaces so they are not matched inside byte counts or timestamps
grep ' 404 ' /var/log/apache2/access.log       # probing for upload locations that do not exist
grep ' 200 ' /var/log/apache2/access.log       # successful requests to review against the other hits
grep '"POST' /var/log/apache2/access.log       # POST requests (uploads or shell interaction)
grep -iE 'curl|wget' /var/log/apache2/access.log   # tool User-Agents
grep 'cmd=' /var/log/apache2/access.log        # command-style query parameters
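As an added example (not part of the original notes), the indicator list under "Example of Suspicious Web Request" and the grep commands above can be combined into one triage script that parses Apache combined-format access-log lines and counts how many of the listed indicators each line trips. The sample log lines, the bad-IP set and the business-hours window are constructed assumptions; tune them to your environment.

```python
import re
from datetime import datetime

# Combined log format written by default Apache/nginx configs (assumed; adjust for a custom LogFormat).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
SUSPICIOUS_UA = ("curl", "wget", "msie 6.0")          # tools and outdated strings from the notes
SUSPICIOUS_PARAMS = ("cmd=", "exec=")
UPLOAD_DIRS = ("/uploads/", "/images/", "/tmp/")      # places a script should not normally live
SCRIPT_EXT = (".php", ".jsp", ".aspx")
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|txt)\.(php|jsp|aspx?)(\?|$)", re.I)
KNOWN_BAD_IPS = {"203.0.113.7"}                        # constructed: feed from your threat intel in practice
BUSINESS_HOURS = range(7, 19)                          # assumed 07:00-18:59 in the log's timezone

def score_line(line):
    """Return (score, reasons) for one log line; each indicator that matches adds one point."""
    m = LOG_RE.match(line)
    if not m:
        return 0, ["unparseable line"]
    uri, ua, path = m["uri"], m["ua"].lower(), m["uri"].split("?", 1)[0].lower()
    hour = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").hour
    checks = [
        (m["ip"] in KNOWN_BAD_IPS, "known malicious IP"),
        (m["method"] in ("POST", "PUT") and path.endswith(SCRIPT_EXT), "POST/PUT to a script"),
        (path.endswith(SCRIPT_EXT) and any(d in path for d in UPLOAD_DIRS), "script in upload/static dir"),
        (bool(DOUBLE_EXT.search(uri)), "double extension"),
        (any(p in uri for p in SUSPICIOUS_PARAMS), "command-style query parameter"),
        (m["referer"] == "-", "missing referrer"),
        (any(tok in ua for tok in SUSPICIOUS_UA), "suspicious user-agent"),
        (hour not in BUSINESS_HOURS, "outside business hours"),
    ]
    reasons = [label for hit, label in checks if hit]
    return len(reasons), reasons

def triage(log_text, threshold=3):
    """Return [(line_no, score, reasons)] for lines that trip at least `threshold` indicators."""
    scored = ((n, *score_line(line)) for n, line in enumerate(log_text.splitlines(), 1))
    return [hit for hit in scored if hit[1] >= threshold]

# Constructed sample log (TEST-NET addresses): one web shell interaction, one ordinary page view.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:02:14:33 +0000] "POST /uploads/image.jpg.php?cmd=id HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.20 - - [12/Mar/2024:10:05:01 +0000] "GET /index.php HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
"""
```

Run `triage(open("/var/log/apache2/access.log").read())` against a real log and raise the threshold until the noise from legitimate direct requests drops out; single indicators such as a missing referrer are expected to occur on their own.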