WordPress is by far the most popular CMS (Content Management System). This popularity is due in particular to the extensive customization offered by themes and plugins. That same customization is also an open door for backdoors.
Backdoors are pieces of code or mechanisms specifically designed to provide a later access point to a site (or system). When malicious code is executed on a system, it can open “doors” that give the attacker easier access and bypass the usual authentication. These open “doors” can look very different depending on the system or site targeted:
In the case of a WordPress backdoor hack, it is possible for an attacker to log in as an administrator, but also to edit, delete or add posts on the fly, and remotely of course.
A web shell can be written in any language supported by the target web server. The most usually observed web shells are written in widely supported languages, such as PHP and ASP. Perl, Python, Ruby, and Unix shell scripts are also used.
“A web shell itself cannot attack or exploit a remote vulnerability, so it is always the second step of an attack.” – [us-cert.gov alert TA15-314A]
Using network discovery tools, an adversary can identify vulnerabilities that can be exploited and result in the installation of a web shell. For example, these vulnerabilities may exist in content management systems (CMS) or Web server software.
Once the upload is successful, an adversary can use the web shell to apply other attack techniques to escalate privileges and issue commands remotely.
These commands are limited by the privileges and features available on the Web server and may include the ability to add, execute and delete files, as well as to run shell commands and additional executable scripts.
Web shells are frequently used in compromises because they combine remote access with a rich feature set.
Even simple web shells can have a huge impact while maintaining a minimal footprint.
A web shell exploit usually contains a backdoor that allows an attacker to remotely access and possibly control a server at any time. This would prevent the attacker from having to exploit a vulnerability whenever access to the compromised server is required.
An attacker can also choose to repair the vulnerability themselves, to ensure that no one else exploits this vulnerability. In this way, the attacker can keep a low profile and avoid any interaction with an administrator, while obtaining the same result.
It should also be noted that many popular Web shells use password authentication and other techniques to ensure that only the attacker downloading the web shell has access to it.
These techniques include locking the script on a custom HTTP header, specific IP addresses, specific cookie values, or a combination of these techniques.
Most web shells also contain code to identify and prevent search engines from listing the shell and, therefore, blacklisting the domain or server hosting the web application.
Unless a server is misconfigured, the web shell will run under the Web server’s user permissions, which are (or at least should be) limited.
Using a web shell, an attacker can attempt to perform elevation of privilege attacks by exploiting local system vulnerabilities to assume root privileges, which under Linux and other UNIX-based operating systems is the “superuser”.
With access to the root account, the attacker can essentially do anything on the system, including changing WordPress file and folder permissions, installing software, adding and removing users, stealing passwords, reading e-mails, etc.
Another use of web shells is to integrate servers into a botnet. A botnet is a network of compromised systems that an attacker controls, either for their own use or to rent out to other criminals. The web shell or backdoor connects to a command and control (C&C) server from which it receives the instructions to execute.
This configuration is commonly used in distributed denial of service (DDoS) attacks, which require significant bandwidth. In this case, the attacker has no interest in damaging or stealing anything from the system on which the web shell was deployed. Instead, they simply use its resources whenever needed.
Although a web shell is not normally used for a WordPress DDoS attack itself, it can serve as a platform for downloading other tools, including DoS functionality.
Web shells can be delivered through a number of Web application exploits or configuration weaknesses, including:
The tactics above are regularly combined. For example, an exposed administration interface also requires a file upload option, or another exploitation method mentioned above, for the web shell to be delivered successfully.
Adversaries frequently choose web shells such as China Chopper, WSO, C99 and B374K. However, these are only a small sample of the web shells in use.
Find a complete list of web shells on GitHub: https://github.com/Wphackedhelp/php-webshells
Collection of PHP backdoor web shells: https://github.com/Wphackedhelp/PHP-backdoors
WSO is a favorite hacker web shell because of its particularly powerful features.
Once installed on a website, web shells are notoriously difficult to remove, largely because hackers often place multiple copies of a web shell on one site in an attempt to retain access even if some of their malicious programs are removed.
A web shell is a type of malicious file that is uploaded to a web server. Potential infection methods include SQL injection or the inclusion of remote files through vulnerable Web applications. Web shells typically contain a Remote Access Tool (RAT), or backdoor functionality, which allows attackers to retrieve information about the infected host and forward commands to the primary server through HTTP requests.
The Metasploit module exploit/multi/http/stunshell_exec exploits unauthenticated versions of the “STUNSHELL” web shell. It works when safe mode is disabled on the Web server. This shell is widely used in automated RFI payloads.
Module name: exploit/multi/http/stunshell_exec
References: OSVDB-91842
[Image: snapshot of a PHP web shell with its advertised capabilities. Source: secured.org, a-php-web-shell-sold-in-dark-forums]
To keep access to your Web server, hackers sometimes install a backdoor (a PHP web shell) designed to let them find the same entry point again after you have cleaned the site, fixed the security hole that allowed the hack, and put in place measures to block future attempts.
A backdoor script can be called from a browser just like any other web page. It gives the hacker a web interface to upload, download, view or modify files, create directories, and otherwise manage the site, using PHP’s ability to read and write files and run system commands through the operating system.
Backdoors can be hard to find because they are usually hidden in files that are already part of the site, or uploaded as new files with innocent names, most often placed in a directory that already contains many files.
There are a couple of ways of doing web shell detection.
One approach is to have an automated system look at the contents of newly uploaded or changed files and check whether they match a known web shell, just as antivirus software does with other forms of malware. You can use our WordPress security scanner here.
Backdoor scripts usually need PHP functions that legitimate site code rarely calls, so you can search the files on your server for those function names. Search programs exist for this; the two described below are run from a command line (prompt) and therefore have no GUI.
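As an added example (not code from the original page or from WP Hacked Help), here is a small command-line scanner in PHP that does the kind of search described above across a whole WordPress tree: it flags files that call the execution and decoding functions backdoors rely on, files with a double extension such as image.jpg.php, and any PHP file under wp-content/uploads. The pattern list, the weights and the file names in the demo are assumptions chosen for this example; when given no directory argument it scans a constructed demo tree so it can be tried offline. It needs PHP 7.4 or later.

```php
<?php
// Added example (not code from the original page or from WP Hacked Help): a
// command-line scanner that lists PHP files whose source uses the execution and
// obfuscation primitives backdoor scripts rely on. Every hit is a lead to review
// by hand, not a verdict.

// label => [regex, weight]. Weights are assumptions chosen so that an execution
// primitive plus a decoding layer scores higher than either on its own.
const SUSPICIOUS_PATTERNS = [
    'eval'                   => ['/\beval\s*\(/i', 3],
    'assert/create_function' => ['/\b(assert|create_function)\s*\(/i', 3],
    'preg_replace /e'        => ['/\bpreg_replace\s*\(\s*([\'"])[^\'"]*\/[a-z]*e[a-z]*\1/i', 3],
    'command execution'      => ['/\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(/i', 2],
    'decoding layer'         => ['/\b(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\(/i', 1],
    'request-driven call'    => ['/\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(/i', 3],
    'long encoded literal'   => ['/[\'"][A-Za-z0-9+\/=]{200,}[\'"]/', 1],
];

// Score one file: ['score' => int, 'hits' => [label => occurrences]].
function scan_file(string $path): array
{
    $src = @file_get_contents($path);
    if ($src === false) {
        return ['score' => 0, 'hits' => []];
    }
    $hits = [];
    $score = 0;
    foreach (SUSPICIOUS_PATTERNS as $label => [$regex, $weight]) {
        $n = preg_match_all($regex, $src);
        if ($n > 0) {
            $hits[$label] = $n;
            $score += $weight;
        }
    }
    // A PHP file under an uploads directory is out of place whatever it contains,
    // and an image or document extension followed by .php is a classic disguise.
    if (preg_match('#[/\\\\]uploads[/\\\\]#', $path)) {
        $hits['php file in uploads directory'] = 1;
        $score += 3;
    }
    if (preg_match('/\.(jpe?g|png|gif|ico|svg|txt|pdf)\.php\d?$/i', basename($path))) {
        $hits['double extension'] = 1;
        $score += 2;
    }
    return ['score' => $score, 'hits' => $hits];
}

// Walk a directory tree and return scored PHP files, highest score first.
function scan_tree(string $root, int $minScore = 1): array
{
    $results = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile() || !preg_match('/\.(php\d?|phtml|phar|inc)$/i', $file->getFilename())) {
            continue;
        }
        $r = scan_file($file->getPathname());
        if ($r['score'] >= $minScore) {
            $results[$file->getPathname()] = $r;
        }
    }
    uasort($results, fn($a, $b) => $b['score'] <=> $a['score']);
    return $results;
}

if (PHP_SAPI === 'cli') {
    // Usage: php scan.php /var/www/html/wp-content
    // With no argument the script scans a constructed demo tree so it runs offline.
    $root = $argv[1] ?? null;
    if ($root === null) {
        $root = sys_get_temp_dir() . '/webshell-scan-demo';
        @mkdir("$root/uploads/2024", 0700, true);
        // Constructed benign file: an ordinary theme template.
        file_put_contents("$root/header.php", "<?php get_header(); echo esc_html(get_bloginfo('name'));\n");
        // Constructed detection fixture, not a working shell: the literal decodes to
        // the word "demo", which is not valid PHP, so the eval() would only fail.
        file_put_contents("$root/uploads/2024/image.jpg.php",
            "<?php \$c = base64_decode('ZGVtbw=='); eval(\$c);\n");
    }
    foreach (scan_tree($root) as $path => $r) {
        printf("%3d  %s\n", $r['score'], $path);
        foreach ($r['hits'] as $label => $n) {
            printf("       - %s (x%d)\n", $label, $n);
        }
    }
}
```

Treat the output as a worklist rather than a verdict: some legitimate plugins call base64_decode() or exec(), and a string-based scanner misses a shell it has not seen. Compare flagged files against a clean copy of the same plugin or theme version from wordpress.org, and look at file modification times alongside the scores.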
To prevent web shell upload vulnerabilities, search your application code for calls to move_uploaded_file() and harden every piece of code that uses that function. I recommend creating a spreadsheet that enumerates all the code paths in the application that can upload files, to keep track of the hardening process.
The following defences can be used to defend against web shell upload vulnerabilities:
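As an added example (not code from the original page or from WP Hacked Help) of the hardening the paragraph above asks for, here is an upload handler first as it is commonly written and then in a hardened form, together with the .htaccess rule that stops PHP execution inside the upload directory. The field name, directory paths, size limit and image allowlist are assumptions chosen for this example.

```php
<?php
// Added example (not code from the original page or from WP Hacked Help).
// Two versions of the same upload handler, so the difference is visible side by side.

// BEFORE: trusts the client-supplied filename. A file named shell.php (or
// image.jpg.php on a misconfigured server) lands in a web-reachable directory
// and is executed on the next request for it.
function handle_upload_weak(array $file, string $uploadDir): string
{
    $dest = $uploadDir . '/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// AFTER: the server decides the name, the extension and the location.
function handle_upload_hardened(array $file, string $uploadDir): string
{
    // Extensions we are willing to serve, each tied to the MIME type the bytes must have.
    $allowed  = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    $maxBytes = 2 * 1024 * 1024; // assumption: 2 MiB limit for an avatar image

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($file['error'] ?? 'none'));
    }
    // Only accept a temporary path PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File too large');
    }
    // Decide the type from the bytes, never from the client's filename or Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = array_search($mime, $allowed, true);
    if ($ext === false) {
        throw new RuntimeException("Rejected content type $mime");
    }
    // For images, a parseable header is a second opinion on the bytes.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }
    // Random server-chosen name: the original filename never reaches the filesystem.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $dest;
}

// Defence in depth: even if a .php file ever does land in the upload directory,
// Apache should refuse to serve it. This applies to installs that honour
// per-directory overrides; Nginx needs the equivalent location rule in its config.
function write_no_execute_htaccess(string $uploadDir): void
{
    $rules = "<FilesMatch \"\\.(php|phtml|phar|php[0-9])$\">\n"
           . "    Require all denied\n"
           . "</FilesMatch>\n";
    file_put_contents(rtrim($uploadDir, '/') . '/.htaccess', $rules);
}

// Typical use inside the request handler (field name and directory are assumptions).
// Storing outside the document root is preferable when the application can serve
// the files itself:
// $path = handle_upload_hardened($_FILES['avatar'], __DIR__ . '/../private-uploads');
```

The hardened version keeps every decision on the server side: the error code and is_uploaded_file() confirm the file really came through this request, the MIME type is read from the bytes, the extension is taken from the allowlist rather than the client, and the stored name is random. The .htaccess rule is the fallback for the case the page describes, where an attacker finds another route to drop a file into the directory.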
Some new websites implemented WordPress’s advanced security settings and decided to remove anything that could be considered unneeded on their website.
They also decided to block search engines from displaying their content by excluding it through the robots.txt file. The two settings they were thinking about were the ones related to post revisions: post revisions were turned off and the number of revisions was set to none, in order to remove any unwanted data that might be stored on the site or even modified by hackers.
Note: Manual removal requires a high level of skill, as it is a difficult and risky process. If you do not know where the malicious files are actually hiding, we recommend using the automatic website scanner WP Hacked Help, which will save you time and hassle. Get help fixing a hacked WordPress site.
We sincerely recommend using WP Hacked Help to secure your WordPress site from hackers.