Looking over some weblogs on my way back from class in Baltimore, I feel a reminder is appropriate that (a) weblogs are still a thing and (b) what some of the common webshells are that attackers are looking for.

Attackers often deploy web shells via file upload or remote code execution vulnerabilities. Standard webshells are available for a wide range of web development environments. The advantage to the attacker is that followup exploits are easily disguised as "regular" HTTP requests.

Here are some of the web shells I have observed recently:

teorema505
upl.php
/download/powershell/
alive.php

Look at your server to see if you can find any odd files (not just the files above). Web shells are easily overlooked if you do not have a good code promotion procedure. The list above is nothing but a "first guess," and there are many more.

Also, make sure not to install your own unauthenticated web shells. We still see many development tools like '/struts/webconsole.html' being used to attack sites.

Got any webshell related URL that you see hit a lot?

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|