Web Shells

Log Locations

  • C:\inetpub\logs\LogFiles\W3SVC<site id> (IIS 7 and later default; one subfolder per site)

  • C:\Windows\System32\LogFiles (IIS)

  • C:\Inetpub\vhosts\WEBSITENAME\logs\iis\W3SVC97\u_ex220901.log (IIS)

  • /var/log/httpd/ (Apache)

  • /var/log/apache/ (Apache)

Most Common Webshell

Hunting WebShells with Apache Logs

Logs are crucial to tracking a TA's activity; using them effectively saves time when stopping the bleeding. Nginx's default log format is the same "combined" format as Apache's, so these commands work for both (check the LogFormat / log_format directive if a custom format is in use, since the field numbers below assume combined).

Get Specific Date/Time

Filter logs by date and time first, then use the later commands to narrow the search. The trailing character classes select the seconds; [0-5][0-9] matches every second of 22:59, so tighten them to look at a narrower window.

grep '\[23/Dec/2020:22:59:[0-5][0-9]' /var/log/apache2/access.log

Commonly Requested Webpage/File

cat /var/log/apache2/access.log | cut -d ' ' -f 7 | sort | uniq -c | sort -n

Filter by IP

Lots of traffic from a specific IP could be indicative of recon/scanning or follow-on activity.

cat /var/log/apache2/access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -n

HTTP Response Code by IP

If a TA is enumerating, they'll generate lots of 404 or 302 responses. Lots of 200 responses to a single rarely requested script could indicate the TA communicating with a WebShell. Replace IP with the address of interest; the anchored pattern avoids substring hits (10.0.0.1 also matching 10.0.0.10).

grep '^IP ' /var/log/apache2/access.log | cut -d ' ' -f 9 | sort | uniq -c | sort -n

Find which IPs produce the most of a specific response code (replace RESPONSE with the status, e.g. 200). Note that uniq -c only collapses adjacent duplicates, so the output must be sorted before it is counted.

awk '$9 == "RESPONSE" {print $1, $7}' /var/log/apache2/access.log | sort | uniq -c | sort -rn

Find the IPs that are causing the most 403s

In the author's case the earlier "commonly requested file" output showed a lot of requests to xmlrpc.php from different IP addresses; this command lists those addresses, paired with the path each one hit, most frequent first.

awk '$9 == "403" {print $1, $7}' /var/log/apache2/access.log | sort | uniq -c | sort -rn

Find Modified Files of Interest

Identify recently modified or created files stored in web accessible areas (.php, .asp, .aspx, .jsp, .png, .jpg, .zip, .py). Run from the web root. -ctime is included alongside -mtime because an attacker can reset the modification time with touch -r, whereas the inode change time cannot be set from user space.

find . -type f \( -mtime -1 -o -ctime -1 \) \( -iname '*.php' -o -iname '*.asp' -o -iname '*.aspx' -o -iname '*.jsp' -o -iname '*.png' -o -iname '*.jpg' -o -iname '*.zip' -o -iname '*.py' \)

Suspicious User Agents

Security scanning tools commonly have identifying user agents. These can be edited within the tool itself, so don't rely on them too much; they are good for catching low hanging fruit. Expect noise from legitimate crawlers on the 'bot' pattern (Googlebot, Bingbot), and note that 'sql' already matches 'sqlmap'.

cat /var/log/apache2/access.log | grep -oie 'nessus' -e 'nmap' -e 'burp' -e 'bot' -e 'sqlmap' -e 'sql' -e 'nikto' -e 'vuln' -e 'exploit' | sort | uniq -c | sort -n

Print a count of all user agents. The user agent is the sixth double-quoted field; cutting on spaces (field 12) would return only its first token, e.g. "Mozilla/5.0.

awk -F\" '{print $6}' /var/log/apache2/access.log | sort | uniq -c | sort -n

Finding WebShell Interaction

For the majority of web traffic, client requests will be GET requests. So you can identify potentially malicious traffic by filtering web server access logs for the sources with the highest POST traffic and then searching those for calls to URLs that include one of the common web shell file types (.php, .asp, .aspx, .jsp). Repeated POSTs from one IP to one rarely requested script are the classic pattern.

Identifying Exfil/Database Dumping

Requests that create or fetch archives (.zip, .tar, .gz) or SQL dumps (mysqldump, pg_dump, .sql files), and 200 responses with an unusually large byte count, can be IOAs for data exfiltration.

Searching for SQL Injection/Queries/Dumps

SQL commands should be a very rare occurrence in standard web logs. Search for tokens often passed during SQL injection such as ', %27, --, SELECT, INSERT, UNION, CREATE, DECLARE, CAST, EXEC, and DELETE (this is only a subset and should be tailored to your environment; remember that payloads are often URL-encoded, so include the %XX forms). Regular expression searching with grep or PowerShell can lead to quick wins.

cat /var/log/apache2/access.log | grep -ie 'select' -e 'dump' -e 'from' -e 'tables' -e 'databases' -e 'union' -e '%27' -e 'create' -e 'declare' -e 'cast' -e 'exec' -e 'delete' -e 'cmd' -e 'null'

Directory Enumeration

Enumerating the web server file system is a common way for an adversary to identify the type of scripting language a web server is running and what scripts can be used to further escalate privileges. Directory enumeration is a noisy technique, and one of the easiest to spot.


Recon Commands using Command Injection

TAs will want to probe the target for vulnerabilities and look for files of interest once the WebShell has been established. Spotting first-look commands such as which, whoami, id, uname, cat /etc/passwd or ipconfig in request parameters (often URL-encoded, e.g. %20 for a space) can lead to WebShell discovery.
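The four hunts above (POST traffic to script files, archive/dump exfil indicators, directory enumeration and recon commands through a webshell) as one runnable script. This is an added example, not code from the original page; the access log it searches is constructed here with made-up IPs, paths, timestamps and sizes in Apache/nginx combined format, and the 10 MB "large response" threshold is an arbitrary assumption you should tune to the site.

```shell
#!/bin/sh
# Added example, not from the original page. The log below is CONSTRUCTED
# (fake IPs, paths, timestamps, sizes) in Apache/nginx combined format, where
# $1 = client IP, $6 = method, $7 = URL, $9 = status, $10 = bytes sent.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [23/Dec/2020:22:58:40 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [23/Dec/2020:22:58:41 +0000] "GET /blog HTTP/1.1" 200 8123 "http://example.test/" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [23/Dec/2020:22:59:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
198.51.100.7 - - [23/Dec/2020:22:59:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
198.51.100.7 - - [23/Dec/2020:22:59:02 +0000] "GET /old HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
198.51.100.7 - - [23/Dec/2020:22:59:02 +0000] "GET /shell.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
198.51.100.7 - - [23/Dec/2020:23:04:10 +0000] "POST /wp-admin/upload.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [23/Dec/2020:23:05:12 +0000] "POST /uploads/shell.php HTTP/1.1" 200 310 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [23/Dec/2020:23:05:30 +0000] "GET /uploads/shell.php?cmd=whoami HTTP/1.1" 200 22 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [23/Dec/2020:23:05:45 +0000] "GET /uploads/shell.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 1804 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [23/Dec/2020:23:06:02 +0000] "POST /uploads/shell.php HTTP/1.1" 200 95 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [23/Dec/2020:23:06:20 +0000] "GET /uploads/shell.php?cmd=mysqldump+-u+root+app+%3E+/tmp/db.sql HTTP/1.1" 200 18 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [23/Dec/2020:23:07:05 +0000] "GET /uploads/db.sql.zip HTTP/1.1" 200 52428800 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.9 - - [23/Dec/2020:23:07:30 +0000] "POST /contact.php HTTP/1.1" 302 0 "http://example.test/contact.php" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.9 - - [23/Dec/2020:23:07:31 +0000] "GET /category/ids HTTP/1.1" 200 3400 "-" "Mozilla/5.0 (Windows NT 10.0)"
EOF

# Finding WebShell Interaction: POSTs to script files, counted per (IP, path).
# Webshell C2 tends to look like one IP repeatedly POSTing to one odd script.
post_to_scripts() {
  awk '$6 ~ /"POST/ && $7 ~ /\.(php|aspx?|jsp)(\?|$)/ { n[$1 " " $7]++ }
       END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Identifying Exfil/Database Dumping: URLs naming an archive or dump tool, or
# a 200 whose body exceeds a byte threshold ($2, default 10 MB, an assumption).
exfil_indicators() {
  awk -v big="${2:-10000000}" '
    $7 ~ /(mysqldump|pg_dump|\.sql|\.zip|\.tar|\.tgz|\.gz|\.7z|\.rar)/ ||
    ($9 == 200 && $10 + 0 > big) { print $1, $7, $9, $10 }' "$1"
}

# Directory Enumeration: per IP, how many 404s and how many distinct paths
# caused them. A scanner produces many 404s spread across many paths.
enum_404_by_ip() {
  awk '$9 == 404 { n[$1]++; if (!(($1, $7) in seen)) { seen[$1, $7] = 1; d[$1]++ } }
       END { for (ip in n) print n[ip], d[ip], ip }' "$1" | sort -rn
}

# Recon Commands using Command Injection: take the quoted request line, decode
# the common URL encodings (%20 / + for space, %2F, %3E), then match typical
# first-look commands only at a token boundary so /category/ids is not a hit.
recon_commands() {
  awk -F'"' '{
      ip = $1; sub(/ .*/, "", ip)
      req = $2
      gsub(/%20|\+/, " ", req); gsub(/%2[fF]/, "/", req); gsub(/%3[eE]/, ">", req)
      if (req ~ /(^|[ =;|&])(whoami|id|uname|which|hostname|cat|ls|dir|pwd|ipconfig|ifconfig|netstat|net user|ps|mysqldump)([ ;|&>]|$)/)
        print ip, req
    }' "$1"
}

# Run each hunt against the sample log when the script is executed directly.
for hunt in post_to_scripts exfil_indicators enum_404_by_ip recon_commands; do
  echo "== $hunt"
  "$hunt" "$SAMPLE_LOG"
done
```

Point the functions at a real file (post_to_scripts /var/log/apache2/access.log) once the format is confirmed to be combined; on a custom LogFormat the $6/$7/$9/$10 positions shift and the awk field numbers must follow. The decode step in recon_commands is deliberately partial: double-encoded or base64 payloads will slip past it, so treat it as a triage filter rather than a complete detector.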

AWK Versions

awk '{print $1}' combined_log         # requester IP address (%h)
awk '{print $2}' combined_log         # remote logname (%l), almost always "-"
awk '{print $3}' combined_log         # userid (%u) (if basic auth was used)
awk '{print $4,$5}' combined_log      # date/time (%t), split across two fields by the space before the timezone
awk '{print $6}' combined_log         # request method (GET, POST, etc.), with the opening quote of %r attached
awk '{print $7}' combined_log         # URL requested (/about, /blog, /xmlrpc.php, etc.)
awk '{print $8}' combined_log         # HTTP version, with the closing quote of %r attached

awk '{print $9}' combined_log         # status code (%>s)
awk '{print $10}' combined_log        # size (%b)

awk '{print $11}' combined_log        # HTTP referer (only the first token if it contains spaces)
awk '{print $12}' combined_log        # user agent (only the first token; use the -F\" form below for the whole string)

awk -F\" '{print $2}' combined_log    # request line (%r)
awk -F\" '{print $4}' combined_log    # referer
awk -F\" '{print $6}' combined_log    # user agent
