Web Shell Detection in WAS

Document created by Dave Ferguson (Employee) on Dec 3, 2019. Last modified by Robert Dell'Immagine on Dec 4, 2019.
Version 2

Recently, the WAS scan engine began testing for the presence of known web shells via QID 150239. This QID is included in the Core detection scope. If a web shell is found, it means the scanned application has already been compromised and immediate action is required. If you're unfamiliar with web shells, you can find more information in US-CERT Alert TA15-314A.

Here is the list of known web shells that WAS tests for when QID 150239 is enabled:

  • c99.php
  • Antichat Shell.php
  • b374k.php
  • b374k_mini.php
  • c99madshell.php
  • PHP Shell.php
  • r57shell.php
  • JspWebShell.jsp
  • shell.jsp
  • zend.jsp
  • warn.jsp
  • JspSpy.jsp
  • Indexer.asp
  • NTDaddy.asp
  • RemExp.asp
  • zehir4.asp
  • Elmaliseker.asp
  • pouya.asp

Each of these filenames is tested at the base location of the web app's target URL and two directory levels deep inside the web app. If the response contains a match with a regular expression, QID 150239 is reported.
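As an added illustration of the probing logic described above (example code, not Qualys' own), the following Python derives the base directory and the directories up to two levels deep from crawled paths, builds a candidate URL for each known filename, and reports only those URLs whose response body matches a signature regex. The signature pattern, the base URL, the crawled paths and the fetcher are constructed placeholders.

```python
import re
from urllib.parse import quote, urljoin

# Filenames WAS probes for (the list on this page).
KNOWN_SHELLS = [
    "c99.php", "Antichat Shell.php", "b374k.php", "b374k_mini.php",
    "c99madshell.php", "PHP Shell.php", "r57shell.php", "JspWebShell.jsp",
    "shell.jsp", "zend.jsp", "warn.jsp", "JspSpy.jsp", "Indexer.asp",
    "NTDaddy.asp", "RemExp.asp", "zehir4.asp", "Elmaliseker.asp", "pouya.asp",
]

# Constructed stand-in for the engine's signature regex; the real patterns are not published here.
SIGNATURE = re.compile(r"SIGNATURE-PLACEHOLDER")


def candidate_dirs(crawled_paths, max_depth=2):
    """Base directory plus every directory at most max_depth levels below it.
    A crawled file path contributes its parent directories, not the file itself."""
    dirs = {"/"}
    for path in crawled_paths:
        parts = [p for p in path.split("/") if p]
        if not path.endswith("/"):
            parts = parts[:-1]  # drop the filename component
        for depth in range(1, min(len(parts), max_depth) + 1):
            dirs.add("/" + "/".join(parts[:depth]) + "/")
    return sorted(dirs)


def candidate_urls(base_url, crawled_paths, max_depth=2):
    """Every (directory, known shell filename) pair as an absolute URL."""
    return [
        urljoin(base_url, d.lstrip("/") + quote(name))  # quote() handles the space in "PHP Shell.php"
        for d in candidate_dirs(crawled_paths, max_depth)
        for name in KNOWN_SHELLS
    ]


def find_web_shells(base_url, crawled_paths, fetch, signature=SIGNATURE):
    """fetch(url) -> response body. A URL is reported only when the body matches the
    signature, so a custom 404 page that answers every request is not a finding."""
    return [u for u in candidate_urls(base_url, crawled_paths) if signature.search(fetch(u))]


# Constructed sample crawl and an offline fetcher that "hosts" one planted file.
SAMPLE_PATHS = ["/", "/admin/", "/admin/users/list.php", "/static/js/lib/app.js"]


def fake_fetch(url):
    if url.endswith("/admin/c99.php"):
        return "<html>SIGNATURE-PLACEHOLDER</html>"
    return "<html>Not Found</html>"
```

Running `find_web_shells("https://app.example.test/", SAMPLE_PATHS, fake_fetch)` returns the single planted URL; in a real scan the fetcher would issue the HTTP requests.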
