What is a Shell and Why Shouldn't It Be on My Site?
A shell (web shell) is a malicious script placed on a web server that gives an attacker remote command execution, usually through an ordinary HTTP request to the script. Attackers use it to upload and modify files, read the database credentials stored in configuration files and query the database, change system settings, and as a foothold for taking over the entire server. Shells typically get onto a server through a vulnerable application (an unrestricted file upload, a file inclusion or injection flaw) or through stolen or weak passwords for FTP, SSH or an administration panel. A shell on your site means the attacker already has code execution, so the consequences range from defacement to data theft, and it is extremely important to detect and remove shells quickly.
Important Note: Shells are usually written in PHP, Python, Perl, or other server-side languages. However, they can be created using any scripting language.
How Do I Know If There Is a Shell on My Site?
Here are some signs to look for to determine if there is a shell on your site:
- Unexpected files and folders: Files and folders on your server that you have not seen or created before (especially in web directories).
- Modified files: Unexpected changes in the last modified dates of your files.
- High server load: Your server consuming more resources than usual (CPU, memory, etc.).
- Strange traffic: Suspicious traffic coming to or going from your site.
- Error messages: Unexpected error messages or warnings on your site.
- Security alerts: Your security software or hosting provider sending security alerts.
- User complaints: Your users reporting strange behavior or errors on your site.
If you notice any of these symptoms, there is a high probability that there is a shell on your site and you need to take immediate action.
What Methods Can I Use to Find Shells?
There are several methods you can use to find shells:
- Manual Review: You can search for suspicious files and folders by manually reviewing the files on your server. This method can be time-consuming, but it can be effective in some cases. It may be helpful to focus on files that have changed recently.
- Security Scan: You can automatically scan your site using web application security scanners or server-side security scanners. These scanners can detect known shell signatures and malicious code.
- Log Analysis: You can detect suspicious activity by analyzing your server logs (access logs, error logs, etc.). For example, requests from unknown IP addresses or faulty file accesses may be indicative of shell activity.
- File Integrity Monitoring: You can track changes to your files using file integrity monitoring tools (e.g., AIDE or Tripwire). These tools alert you when unauthorized changes are made to your files.
- Code Analysis: You can analyze your site's source code using code analysis tools. These tools can detect potential security vulnerabilities and malicious code.
- Shell Detection Tools: There are tools specifically designed to detect shells. These tools can detect suspicious files using the characteristic features of shells (e.g., base64 encoded code, eval functions).
Step-by-Step Instructions (Manual Review):
- Access the server: Access your server using a method such as SSH or FTP.
- Go to the web directory: Go to the web directory where your site's files are located (usually named public_html, www, or similar).
- List the files: Sort the files by last modified date using the following command (-t sorts by modification time, -r reverses the order so the newest files appear last, and -a includes hidden dot-files, which are easy to overlook):
ls -lart
- Examine suspicious files: Carefully examine files that have been modified recently or that you have not seen before. Also check the temporary, upload and cache directories under the web root, since these are usually writable by the web server and are common locations for shells.
- Check the file content: Open suspicious files in a text editor and look for malicious code. Pay particular attention to functions such as eval, base64_decode, exec, system, shell_exec, passthru and assert, especially when their argument comes from request data ($_GET, $_POST, $_REQUEST, $_COOKIE). Keep in mind that modification times can be forged with touch, so a recent timestamp is a useful lead but an old timestamp does not clear a file.
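The following script automates the manual review above: it walks a web root, picks out PHP code (by extension, or by content for files hiding behind an image extension), keeps only files modified within the last N hours, and scores each one on indicators typical of shells, decoding base64 blobs one level deep so that eval(base64_decode(...)) wrappers are caught. It is an added example, not code from the original article or from any of the tools named on this page; the directory layout, file names and sample file contents it builds are constructed for the demonstration.

```python
"""Added example, not part of the original article: a triage scanner that
automates the manual review steps. All paths and sample files are constructed."""
import base64
import binascii
import re
import tempfile
import time
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".inc"}

# Sinks that execute code or commands; these are what a shell ultimately calls.
SINK_RE = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)\s*\(", re.I)
# Attacker-controlled input.
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\s*\[")
# A sink whose argument starts with request data: the classic one-line shell.
SINK_FED_RE = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)
# Decoding helpers used to hide the real payload.
OBF_RE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13|strrev)\s*\(", re.I)
# A run of 40+ base64 characters: long enough to hold an embedded payload.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def score_source(src: str) -> dict:
    """Count shell indicators in PHP source and combine them into a score."""
    f = {
        "sinks": len(SINK_RE.findall(src)),
        "sources": len(SOURCE_RE.findall(src)),
        "sink_fed_by_request": len(SINK_FED_RE.findall(src)),
        "obfuscation": len(OBF_RE.findall(src)),
        "decoded_sinks": 0,
    }
    # Decode base64 blobs one level deep and look for sinks in the plaintext.
    for blob in B64_RE.findall(src):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue
        f["decoded_sinks"] += len(SINK_RE.findall(decoded))
    f["score"] = (f["sinks"] + 2 * f["sink_fed_by_request"] + f["obfuscation"]
                  + 3 * f["decoded_sinks"] + (1 if f["sinks"] and f["sources"] else 0))
    return f


def looks_like_php(path: Path) -> bool:
    """PHP by extension, or by content (e.g. a shell stored as avatar.jpg)."""
    if path.suffix.lower() in PHP_EXT:
        return True
    with path.open("rb") as fh:
        head = fh.read(4096)
    return b"<?php" in head or b"<?=" in head


def scan_tree(root: str, hours: float = 24.0, min_score: int = 2) -> list:
    """Return suspicious PHP files under root modified within the last `hours`,
    highest score first. Widen `hours` when the timeline is unknown, since
    mtime can be forged with touch."""
    cutoff = time.time() - hours * 3600
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or not looks_like_php(path):
            continue
        st = path.stat()
        if st.st_mtime < cutoff:
            continue
        f = score_source(path.read_text(errors="ignore"))
        if f["score"] >= min_score:
            f["path"] = str(path)
            f["name"] = path.name
            f["mtime"] = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime))
            hits.append(f)
    return sorted(hits, key=lambda h: -h["score"])


def build_sample_site(root: str) -> None:
    """Write constructed samples: one benign script and two shells."""
    root = Path(root)
    (root / "uploads").mkdir(parents=True, exist_ok=True)
    (root / "index.php").write_text(
        "<?php\n$user = $_GET['user'];\necho htmlspecialchars($user);\n")
    # One-line command shell hidden in the upload directory.
    (root / "uploads" / "image.php").write_text(
        "<?php if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); } ?>")
    # Obfuscated wrapper whose base64 payload is itself a shell, stored with an image extension.
    payload = base64.b64encode(b"<?php passthru($_POST['c']); ?>").decode()
    (root / "uploads" / "avatar.jpg").write_text("<?php eval(base64_decode('" + payload + "'));")


def demo(hours: float = 24.0) -> list:
    """Build the sample site in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_tree(tmp, hours=hours)


if __name__ == "__main__":
    for hit in demo():
        print(f"score={hit['score']} mtime={hit['mtime']} {hit['path']}")
```

Run it against a real web root with scan_tree("/path/to/your/website", hours=72) and review the highest-scoring files first; the scoring is deliberately simple, so treat the output as a work list for the manual check rather than a verdict.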
Shell Detection Tools and Command Line Examples
Shell detection tools allow you to perform a faster and more comprehensive scan compared to manual review. Here are some popular tools and command line examples:
- ClamAV: Open-source antivirus engine that can scan the files on your site for malware. Its default signatures catch known malware families but miss many custom or lightly modified shells, so treat a clean result as one data point, not a clearance.
clamscan -r /path/to/your/website
- rkhunter (Rootkit Hunter): Checks the operating system for rootkits, backdoors and suspicious changes to system binaries. It complements, rather than replaces, a scan of the web directory.
rkhunter --check
- LMD (Linux Malware Detect, command name maldet): A malware scanner built for shared hosting environments; its signatures focus on web shells and other malware found in web directories. The following command scans a directory tree:
maldet -a /path/to/your/website
- find command: It can be used to search for files based on specific criteria via the command line. For example, to find PHP files modified in the last 24 hours:
find /path/to/your/website -name "*.php" -mtime -1
- grep command: It can be used to search for specific text within files. For example, to list the files containing the expression "eval(base64_decode" (a very common pattern in obfuscated PHP shells; -r recurses, -l prints only file names):
grep -rl "eval(base64_decode" /path/to/your/website
Attackers vary spacing, case and the decoding function, so a single fixed string will not catch everything; a case-insensitive search (grep -ri) for eval, base64_decode, gzinflate, system, exec, shell_exec and passthru gives broader coverage at the cost of more false positives.
Important Note: Before using these tools, make sure your system is up to date and the tools are configured correctly.
How to Perform Log Analysis?
Server logs keep a record of events that occur on your site. By analyzing these logs, you can identify suspicious activity. Here are some tips for log analysis:
- Which logs should you examine? The most important logs are:
- Access logs: Keeps a record of all requests made to your site. Includes information such as IP addresses, requested URLs, user agents, and HTTP status codes.
- Error logs: Keeps a record of errors that occur on your site. Includes information such as PHP errors, database errors, and other server errors.
- What should you pay attention to?
- Unknown IP addresses: Requests from IP addresses that have never accessed your site before or appear suspicious.
- Faulty file accesses: Requests for files that do not exist (404) or that the client is not permitted to access (403), particularly repeated probes for administration panels, backup files or upload directories.
- Abnormal requests: Requests containing long URLs, strange parameters, or suspicious user agents.
- High number of requests: An excessive number of requests from a single IP address (a sign of scanning, brute-force or denial-of-service activity).
- Error codes: Frequent occurrence of error codes such as 404 (Not Found), 500 (Server Error).
- Log analysis tools: You can use various tools to facilitate log analysis. For example:
- AWStats: A tool that analyzes web server logs and generates statistics.
- GoAccess: Real-time web log analyzer.
- ELK Stack (Elasticsearch, Logstash, Kibana): A powerful platform used to analyze and visualize large amounts of log data.
Real-Life Example: An e-commerce site noticed a large number of POST requests from unknown IP addresses in its server logs. These requests were attempts to add products to the cart and place orders. Log analysis showed that the requests came from an automated bot trying to flood the site with fake orders. The attack was stopped by taking security measures.
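The checks from the log analysis tips above, run over sample access log lines, as an added example that is not part of the original article. It parses Apache/Nginx combined-format lines and flags scripts that answer 200 although they are not in the deployment's file inventory, scripts executed from an upload directory, command-style query parameters, and addresses that send too many requests. The log lines, the inventory of known paths, the IP addresses and the parameter list are constructed for the demonstration.

```python
"""Added example, not part of the original article: access log analysis for
web shell activity. Log lines, inventory and addresses are constructed."""
from __future__ import annotations
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")
# Parameter names typically used to pass commands to a shell; tune for your site.
SUSPICIOUS_PARAMS = {"cmd", "exec", "command", "shell", "eval", "code", "func"}

# Constructed inventory of the scripts the deployment actually ships.
KNOWN_PATHS = {"/index.php", "/products.php", "/upload.php", "/login.php"}

# Constructed sample log: a normal visitor, then an attacker who uploads a shell and uses it.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:15:32 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:15:40 +0000] "GET /products.php?id=12 HTTP/1.1" 200 8340 "https://shop.example/" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:16:01 +0000] "POST /upload.php HTTP/1.1" 200 220 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:16:05 +0000] "GET /uploads/avatar.jpg.php?cmd=id HTTP/1.1" 200 57 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:16:09 +0000] "POST /uploads/avatar.jpg.php HTTP/1.1" 200 1290 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:16:12 +0000] "GET /admin/config.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
""".splitlines()


def parse_line(line: str) -> dict | None:
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, known_paths, upload_dirs=("/uploads/", "/files/"), max_per_ip=50) -> list:
    """Return findings, each {ip, time, method, path, reason}."""
    findings, per_ip = [], Counter()

    def flag(rec, reason):
        findings.append({"ip": rec["ip"], "time": rec["time"], "method": rec["method"],
                         "path": rec["path"], "reason": reason})

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        path = rec["path"]
        is_script = path.lower().endswith(SCRIPT_EXT)
        # A script that is not part of the deployment yet answers 200 was planted.
        if is_script and rec["status"] == 200 and path not in known_paths:
            flag(rec, "script not in the deployment inventory answered 200")
        # Upload directories should never execute server-side code.
        if is_script and path.startswith(upload_dirs):
            flag(rec, "script executed from an upload directory")
        hit = rec["params"] & SUSPICIOUS_PARAMS
        if hit:
            flag(rec, "command-style parameter: " + ", ".join(sorted(hit)))
    for ip, n in per_ip.items():
        if n > max_per_ip:
            findings.append({"ip": ip, "time": "-", "method": "-", "path": "*",
                             "reason": f"{n} requests from one address"})
    return findings


def request_counts(lines) -> Counter:
    """Requests per client address, for spotting noisy or scanning hosts."""
    return Counter(rec["ip"] for rec in map(parse_line, lines) if rec)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, KNOWN_PATHS):
        print(f"{f['time']}  {f['ip']}  {f['method']} {f['path']}  <- {f['reason']}")
    print(request_counts(SAMPLE_LOG))
```

The inventory check is the most reliable of the four rules: build KNOWN_PATHS from your deployment (for example from version control or the package manifest) rather than from the server, because a compromised server's file list already contains the shell.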
What Should I Do When a Shell Is Found?
When you find a shell on your site, you should follow these steps:
- Remove the Shell: Block access to the file at the web server (or take the site offline) first, and keep a copy of the shell together with its path, owner and timestamps for analysis, since its contents tell you what the attacker could do and its timestamps help you find the entry point in the logs. Then delete it from the server.
- Close the Vulnerability: Investigate how the shell was uploaded to the server and close this vulnerability. This could be a vulnerability in your application, a weak password, or outdated software.
- Change Passwords: Change the passwords of all user accounts (especially administrator accounts), database accounts, and FTP and SSH accounts. Assume that every secret stored on the server (database credentials in configuration files, API keys, tokens) has been read through the shell and rotate those too.
- Scan the System: Thoroughly scan your server and site to check for other shells or malware.
- Restore Data (If Necessary): If attackers have modified or deleted your data, restore the data from your last backup.
- Configure Firewall: Protect your site from future attacks by using a web application firewall (WAF).
- Apply Security Updates: Install the latest versions of all your software (operating system, web server, applications, etc.).
- Report the Incident: If there is a breach of personal data, report the incident to the relevant authorities (e.g., the Personal Data Protection Authority).
Case Study: A news site was hacked due to a shell uploaded to their servers. The attackers accessed the site through the shell, changed the homepage, and published fake news. After detecting the shell, the site administrators immediately deleted it, closed the vulnerability, and restored the site from its last backup. They also changed the passwords of all user accounts and installed a web application firewall on the site.
Measures to Take to Protect Against Shell Attacks
There are several measures you can take to protect against shell attacks:
- Use Strong Passwords: Use strong and unique passwords for all your accounts.
- Keep Your Software Up to Date: Regularly update all your software, including the operating system, web server, applications, and plugins.
- Patch Security Vulnerabilities: Regularly scan and patch security vulnerabilities in your applications.
- Remove Unnecessary Software: Remove software you don't use from your server. This reduces the attack surface.
- Set File Permissions Correctly: Set the permissions for your files and folders correctly. Do not grant write permissions unnecessarily.
- Validate Inputs: Always validate and sanitize user inputs (forms, URL parameters, etc.). This is important to prevent attacks like SQL injection and cross-site scripting (XSS).
- Restrict File Uploads: If you allow file uploads, restrict file types and sizes. Prevent the upload of executable files (e.g., .php, .exe).
- Use a Firewall: Protect your site against malicious traffic by using a web application firewall (WAF).
- Perform Regular Backups: Regularly back up your site and database. This way, you can easily restore your data in the event of an attack.
- Perform Security Monitoring: Regularly monitor your server and site for security. Use log analysis to detect suspicious activity.
- Use Two-Factor Authentication: If possible, use two-factor authentication (2FA) for all your accounts.
Important Note: Security is not a one-time job. It is a continuous process. You can protect your site from shell attacks by regularly taking security measures and monitoring your system.
Types of Security Vulnerabilities and Their Relationship to Shells
There are various security vulnerabilities that can lead to the installation of shells on a server. Here are the most common types of vulnerabilities and their relationship to shells:
Vulnerability Type | Description | Relationship to Shell |
---|---|---|
File Upload Vulnerabilities | Occur in applications that allow users to upload files to the server but do not adequately control the file type and content. | Attackers can exploit this vulnerability to upload a malicious shell script to the server. |
SQL Injection | A vulnerability that occurs when user input is embedded directly into database queries. | Attackers can use SQL injection to steal information from the database, modify data, or, where the database account has file privileges, write a file into the web root (for example with MySQL's SELECT ... INTO OUTFILE), which amounts to uploading a shell. |
Cross-Site Scripting (XSS) | A vulnerability that occurs when malicious JavaScript code is injected into a website. | Although XSS does not directly lead to shell upload, attackers can use XSS to steal users' session cookies and gain access to administrator accounts. This can indirectly lead to shell upload. |
Remote File Inclusion (RFI) | A vulnerability that allows the application to execute a remote file. | Attackers can exploit this vulnerability to execute a malicious shell script hosted on their own servers within the application. |
Local File Inclusion (LFI) | A vulnerability that allows the application to include and execute a file from the server's own filesystem. | Attackers can exploit this vulnerability to read sensitive files on the server, or turn it into code execution by first planting PHP code in a file they can influence (a poisoned log file, an uploaded image, a session file) and then including it. |
Weak Passwords | Occurs when users use easily predictable passwords. | Attackers can crack weak passwords using brute-force or dictionary attack methods and gain access to the server. This can lead to shell upload. |
Outdated Software | If software (operating system, web server, applications, etc.) is not up to date, known vulnerabilities can be exploited by attackers. | Attackers can exploit vulnerabilities in outdated software to gain access to the server and upload a shell. |
Shell Types and Features
There are different types of shells, and each has its own unique features. Here are some common shell types:
Shell Type | Description | Features | Detection Methods |
---|---|---|---|
Web Shell | A shell that is uploaded to a web server and accessed through a web browser or any HTTP client. | Typically written in PHP, ASP, JSP, or other server-side languages. May provide a user interface or a command-line interface. | File names, file contents, access logs, web application firewall (WAF) |
Reverse Shell | A shell that connects out from the server to a listener on the attacker's machine. | Because the connection is outbound, it gets through firewalls that filter only inbound traffic and can reach internal networks from inside. | Network traffic analysis (unexpected outbound connections from the web server), process monitoring (a web server worker spawning sh or bash), system calls |
Bind Shell | A shell that opens a port on the server and listens for incoming connections. | Allows the attacker to connect directly to the server; only works if the firewall allows inbound traffic to that port. | Comparing listening ports against the expected set (ss -lntp, netstat), firewall rules |
Meterpreter | An advanced in-memory payload used by the Metasploit Framework. | Has a wide range of features (file management, process management, network traffic sniffing, keylogging, pivoting, etc.) and runs largely in memory, leaving few files on disk. | Memory analysis, network traffic analysis, system calls |
PHP Shell | A web shell written in PHP, the most common kind on shared hosting. | Frequently uses functions such as eval(), system(), exec(), shell_exec() and passthru(), often wrapped in base64_decode() or gzinflate() to hide the payload. | File contents, PHP logs, security scans |
Important Note: Shell types and features are constantly evolving. Therefore, it is important to regularly update your security measures and be prepared for new threats.