Detecting web shells with network monitoring tools

In Part 1 of the series, we explored what web shells are, why they are a growing concern for security teams, and practical methods to detect and mitigate them through threat hunting.

In this blog, we take a closer look at one of the most effective methods of web shell detection—network monitoring. We’ll also explore a real-world example: the China Chopper web shell, and share tools, indicators of compromise (IOCs), and detection rules that can help identify and stop such threats.

What is network monitoring?

Network monitoring is one of the most effective techniques for detecting web shells, as it allows organizations to observe network traffic for suspicious activity that may signal the presence of a web shell.

It involves capturing and analyzing network traffic in real-time or in near real-time. This can be done using a variety of network monitoring tools, including Intrusion Detection and Prevention Systems (IDPS), Security Information and Event Management (SIEM) systems, and Network Traffic Analysis (NTA) platforms.

Network monitoring can be particularly effective in detecting web shells in cases where the attacker is using a command-and-control (C2) server to remotely control the web shell. In these cases, the web shell will often initiate a connection to the C2 server to receive commands from the attacker. By monitoring network traffic for connections to known C2 servers or traffic that matches the characteristics of web shell traffic, organizations can identify potential indicators of compromise (IOCs) that may indicate the presence of a web shell.

Example: China Chopper

One notable example of a web shell that could be detected using network monitoring techniques is the China Chopper web shell. China Chopper is a compact and lightweight web shell that is commonly employed by threat actors to gain remote access and control over web servers. It is typically delivered via a malicious email attachment or by exploiting a vulnerability in a web application. Once installed, China Chopper allows an attacker to execute arbitrary commands and steal sensitive data from the target system.

China Chopper communicates with its C2 server over HTTP, making it possible to detect its activity using network monitoring tools. Network traffic to and from known C2 servers associated with China Chopper can be monitored and analyzed to detect potential IOCs that may indicate the presence of the web shell. Additionally, network traffic analysis tools can be used to identify suspicious patterns of traffic or anomalous behavior that may indicate the presence of a web shell, even if the C2 server is not known.

In summary, network monitoring is an effective technique for detecting web shells, particularly in cases where the web shell communicates with a remote C2 server. By monitoring network traffic for suspicious activity, organizations can identify potential IOCs and take proactive measures to prevent further damage. Network monitoring solutions can discover recent web shells such as China Chopper by identifying abnormal traffic patterns or tracking connections to known command and control (C2) servers.

Tools, indicators and detection rules

Here are some specific details, tools or rules that can be used, and potential examples on how to detect the China Chopper web shell:

The China Chopper web shell establishes communication with its command-and-control server via the HTTP protocol. Hence, examining network traffic for any associations with established China Chopper C2 servers or traffic that exhibits the attributes of China Chopper traffic can aid in identifying its existence.

Some network traffic analysis tools that can be used to detect China Chopper are:

• Wireshark: A network protocol analyzer that can capture and analyze network traffic in real-time.
• Zeek (formerly Bro): A powerful network security monitoring framework that can be used to capture and analyze network traffic.
• Suricata: An open-source intrusion detection and prevention system that can detect and alert on China Chopper traffic.

Indicators of compromise (IOCs)

IOCs can be used to detect the presence of China Chopper in a compromised network. Some common IOCs associated with China Chopper are:

• File names: China Chopper is often delivered as a file named "chopper" or "asp.aspx". Therefore, searching for files with these names can help detect the presence of China Chopper.
• User-agent strings: China Chopper uses a distinctive user-agent string in its HTTP requests. The user-agent string contains the phrase "China Chopper" and can be used to detect its presence.
• HTTP headers: China Chopper uses a unique HTTP header in its requests, which can also be used to identify its presence.

Rules can be created for intrusion detection systems (IDS) and intrusion prevention systems (IPS) to detect and block China Chopper traffic. Here are some examples of rules that can be used:

Suricata rule

Snort rule

Summary

Detecting the China Chopper web shell can be done using various techniques such as network traffic analysis, IOCs, and rules. Network traffic analysis can be done using tools like Wireshark, Zeek, and Suricata to capture and analyze traffic to and from known China Chopper C2 servers.

Indicators of compromise such as file names, user-agent strings, and HTTP headers can also be used to identify its presence. Finally, IDS/IPS rules can be created to detect and block China Chopper traffic.

In Part 3, we’ll explore all about Log Analysis, and how application logs can help detect web shell behavior that often slips past traditional security controls.

If you want to know more about CPX's approach to threat hunting and detection, get in touch with our experts at ContactUs@cpx.net.