
ExpressVPN Glossary

Web shell

What is a web shell?

A web shell is a malicious script placed on a web server to give an adversary remote access to the server and, in many cases, maintain persistence. It's typically installed by exploiting vulnerabilities in web applications or content management systems (CMS). Once deployed, a web shell may allow attackers to execute system commands, steal data, move laterally within a network, and upload additional malware.

How does a web shell work?

A web shell is commonly deployed by exploiting vulnerabilities in web applications, plugins, or server configurations. Common exploitation methods include remote code execution (RCE), file upload vulnerabilities, remote file inclusion (RFI), command or code injection, Structured Query Language (SQL) injection in some attack chains, stolen credentials, and unpatched software vulnerabilities.

Once installed, the web shell script resides on the server and accepts commands from the attacker via HTTP requests. The attacker sends requests to the shell's URL, and the server returns responses as part of normal web traffic. This can allow malicious activity to blend in with legitimate communications, though the web shell's capabilities depend on the server's permissions and configuration.

[Figure: Typical web shell attack process.]

Types of web shells

Web shells are categorized by the programming language in which they are written, which determines the server environments they target:

  • Hypertext Preprocessor (PHP) web shells: Among the most commonly observed types. Deployed on servers running PHP, often through vulnerable file upload forms or unpatched CMS. May allow file management, system command execution, and other server-side actions.
  • Active Server Pages (ASP) and ASP.NET web shells: Target Microsoft Internet Information Services (IIS) servers. Often deployed through vulnerable, misconfigured, or outdated web applications. Provide remote access and control similar to PHP shells.
  • Jakarta Server Pages (JSP) web shells: Target servers running Java-based web applications. Commonly deployed on enterprise application servers and used in targeted attacks.
  • Perl, Python, and Unix shell scripts: Less common variants that run on servers with support for these languages. Functionality aligns with other web shell types.

Web shell attack impact

A web shell is a major indicator of server compromise and can enable persistent attacker access. Operating over standard HTTP or HTTPS, it often bypasses perimeter defenses and supports data theft, lateral movement, and broader infrastructure compromise.

Common targets include vulnerable CMS installations, shared hosting environments, public-facing enterprise applications, and misconfigured admin panels. Risks include exposure of sensitive data, credential theft, malware delivery from trusted domains, and long-term, undetected persistence.

Preventing web shell attacks

Prevention centers on patching vulnerabilities, applying least privilege, and segmenting networks with a demilitarized zone (DMZ) to isolate public-facing servers. Secure configurations include disabling unnecessary services, avoiding default credentials, and deploying web application firewalls (WAFs). Strict input validation blocks file inclusion and injection attacks, while file integrity monitoring and regular vulnerability scans help detect unauthorized changes and exposed weaknesses.

FAQ

What is the difference between a web shell and a backdoor?

A web shell is a script that provides remote command access through a web interface and blends with normal web traffic. A backdoor is a broader category of hidden, unauthorized access mechanisms used to maintain access. A web shell is a specific type of backdoor focused on web servers.

How do attackers install web shells?

Attackers install web shells by exploiting technical vulnerabilities in web applications, plugins, or server configurations. Common exploitation methods include remote code execution, file upload vulnerabilities, remote file inclusion (RFI), command or code injection, Structured Query Language (SQL) injection in some attack chains, stolen credentials, and unpatched software vulnerabilities. Once the attacker gains the ability to create or modify files, the web shell script is placed on the server to enable remote operations.

Are web shells always malicious?

In the context of security incidents and threat research, web shells are generally treated as malicious tools used by adversaries to gain unauthorized access. Their presence on a production server, unless clearly authorized, is a strong indicator of compromise and requires immediate investigation.

Some web shells are developed by one malicious actor and distributed to others. These tools often include hidden access mechanisms, callbacks, or other functionality that allows another party, typically the original developer, to regain access, even when the web shell appears protected, such as with a password.

How can I detect a web shell?

Detection relies on identifying anomalous activity. Indicators include unusual file timestamps, suspicious filenames in web-accessible directories, references to system commands, such as cmd.exe, within script files, and abnormal patterns in server logs, such as repeated requests from the same IP address, user agent, or URL path. Suspicious files should be reviewed alongside other indicators.
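As an added illustration (not part of the glossary entry), the following Python script applies two of the indicators above, references to system commands inside script files and repeated requests from the same IP address, user agent and URL path, to constructed sample data. The log format, the request threshold and the regular expressions are assumptions; the output is a triage list for review alongside other indicators, not a verdict.

```python
import re
from collections import Counter

# Constructed sample access-log lines in combined-log format (not taken from the page).
# One client repeatedly POSTs to a script in an upload directory with a non-browser agent.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:01:05 +0000] "POST /uploads/img.php HTTP/1.1" 200 212 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:10:01:09 +0000] "POST /uploads/img.php HTTP/1.1" 200 340 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:10:01:14 +0000] "POST /uploads/img.php HTTP/1.1" 200 198 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2024:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed script samples for the file scanner: the first only mentions cmd.exe in a
# string and performs no action, the second is an ordinary page.
SAMPLE_SCRIPT = "<?php\n$tool = 'cmd.exe'; // constructed placeholder, performs no action\n"
BENIGN_SCRIPT = "<?php\necho 'Hello, world';\n"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators the page names for script files (references to system commands such as
# cmd.exe) plus the command-execution calls such references usually sit next to.
FILE_INDICATORS = {
    "cmd.exe reference": re.compile(r"cmd\.exe", re.I),
    "command execution call": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "eval of request data": re.compile(r"\beval\s*\(.*\$_(?:GET|POST|REQUEST)", re.I | re.S),
}


def scan_script(source):
    """Return the indicator names matched in a script's source text (empty if clean)."""
    return [name for name, rx in FILE_INDICATORS.items() if rx.search(source)]


def repeated_requests(log_text, threshold=3):
    """Group requests by (ip, user agent, path); return tuples (ip, ua, path, count)
    for groups that reach the threshold, the repeated-request pattern the page describes."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[(m["ip"], m["ua"], m["path"])] += 1
    return [(ip, ua, path, n) for (ip, ua, path), n in counts.items() if n >= threshold]
```

Run `scan_script` over files in web-accessible directories and `repeated_requests` over the access log, then correlate the hits with file timestamps and filenames as the entry suggests.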

How do I remove a web shell safely?

Safe removal begins with isolating the affected server from the network to prevent further attacker activity. Suspicious files should be preserved for investigation where possible, then deleted or replaced as part of a controlled recovery. The system may need to be restored or rebuilt from a verified clean backup. Passwords, keys, and access permissions should be reviewed and reset, and the exploited vulnerability should be patched to prevent reinfection. A full system scan can help identify additional malware.