Detecting and Mitigating Webshell Attacks on Linux Servers


Introduction

Webshell attacks remain a persistent threat to web servers, particularly those running Linux without endpoint detection (EDR) or antivirus (AV) protection. Attackers often disguise malicious scripts as legitimate files, such as in the recent SAP Visual Composer exploitation where a GitHub-sourced webshell was hidden within an SAP installation path. This article explores detection techniques, hardening measures, and actionable commands to secure Linux systems against such threats.

Learning Objectives

  • Detect webshells using YARA rules and Velociraptor.
  • Harden Linux servers against unauthorized script execution.
  • Analyze file integrity to identify disguised malicious payloads.

1. Hunting Webshells with YARA Rules

Command:

yara -r /var/www/html webshell.yar

Steps:

  1. Download Florian Roth’s curated YARA rule for webshell detection here.
  2. Run the command above to scan web directories recursively.
  3. Investigate matches for files with suspicious PHP/JavaScript code (e.g., dynamic class loading via base64_decode).

Why It Works: YARA scans file contents for patterns matching known webshell signatures, such as AntSwordProject’s encoded payload delivery.
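To show what a signature scan like the one above does underneath, here is an added Python example; it is not the article's code and not Florian Roth's rule set. The signatures are constructed approximations of the behaviours the article names: eval() fed by base64_decode or another decoder, exec()/passthru()-style functions called on request input, and dynamic function calls built from request data. scan_tree() walks a directory recursively like `yara -r`, and demo() builds a throwaway web root with one benign file and one constructed webshell-like fixture so the hit can be seen.

```python
import re
import tempfile
from pathlib import Path

# Constructed signature set: a pattern-based approximation of what webshell
# YARA rules look for. It is NOT the signature-base rule set the article links to.
WEBSHELL_PATTERNS = {
    # eval() fed by a decoder: eval(base64_decode(...)), eval(gzinflate(...)), ...
    "eval_decoder": re.compile(
        r"\beval\s*\(\s*@?\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # command-execution function fed directly from request input
    "exec_from_request": re.compile(
        r"\b(exec|passthru|shell_exec|system|proc_open|popen)\s*\(\s*@?\$_(GET|POST|REQUEST|COOKIE)\b",
        re.I),
    # dynamic call whose name and argument both come from the request: $f($_GET[...])
    "dynamic_call_from_request": re.compile(
        r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    # assert() used as an eval() substitute
    "assert_from_request": re.compile(
        r"\bassert\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
}


def match_rules(source: str) -> list[str]:
    """Return the names of every signature that matches the file contents."""
    return [name for name, rx in WEBSHELL_PATTERNS.items() if rx.search(source)]


def scan_tree(root: str, extensions=(".php", ".phtml", ".phar", ".inc")) -> dict[str, list[str]]:
    """Walk `root` recursively (like `yara -r`) and return {relative path: [rules]} for hits only."""
    hits: dict[str, list[str]] = {}
    for path in sorted(Path(root).rglob("*")):
        if not (path.is_file() and path.suffix.lower() in extensions):
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        names = match_rules(text)
        if names:
            hits[str(path.relative_to(root))] = names
    return hits


def demo() -> dict[str, list[str]]:
    """Constructed web root: one benign script plus one webshell-like fixture under an SAP-style path."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "index.php").write_text("<?php echo 'hello'; ?>")
        sap_dir = Path(root) / "opt_sap" / "irj"
        sap_dir.mkdir(parents=True)
        # constructed detection fixture, the classic eval-of-decoded-input shape
        (sap_dir / "helper.php").write_text("<?php @eval(base64_decode($_POST['data'])); ?>")
        return scan_tree(root)


if __name__ == "__main__":
    for hit_path, rules in demo().items():
        print(f"{hit_path}: {', '.join(rules)}")
```

Point scan_tree() at /var/www/html or the SAP installation path on a real host. Pattern matching also fires on commented-out code and on legitimate administrative scripts that call system(), so every hit still needs the manual look that step 3 above calls for.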

2. Velociraptor for Live Forensics

Command:

SELECT * FROM Artifact.Yara.Scan(SearchFilesGlob="/var/www/html/*.php")

Steps:

  1. Deploy Velociraptor on the server.
  2. Use the Yara artifact to scan active web directories.
  3. Flag files executing system commands (e.g., exec(), passthru()).

Why It Works: Velociraptor provides real-time scanning and integrates with threat intelligence feeds.

3. File Integrity Monitoring with AIDE

Command:

aide --check

Steps:

  1. Install AIDE (`sudo apt install aide`).
  2. Initialize the database (`sudo aideinit`).
  3. Schedule daily checks to detect unauthorized changes (e.g., new files in /opt/sap).

Why It Works: AIDE alerts on file modifications, including webshells dropped in trusted paths.
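As an added example of the mechanism AIDE relies on (illustrative Python, not AIDE's code): build a baseline of SHA-256 hashes, sizes and permission bits for every file under a path, store it as JSON, and later diff the current state against it to list added, removed and modified files. demo() constructs a temporary tree, takes a baseline, then drops a new .php file into a stand-in for /opt/sap and alters an existing file, which are exactly the two changes a scheduled check should surface.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict[str, dict]:
    """Hash, size and permission bits of every regular file under root, keyed by relative path."""
    root_path = Path(root)
    baseline: dict[str, dict] = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            st = path.stat()
            baseline[str(path.relative_to(root_path))] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),  # includes setuid/setgid/sticky bits
            }
    return baseline


def save_baseline(baseline: dict, out_file) -> None:
    """Persist the baseline. Keep the stored copy read-only or off-host so an intruder cannot re-baseline."""
    Path(out_file).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(in_file) -> dict[str, dict]:
    return json.loads(Path(in_file).read_text())


def compare(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tree, then drop a file into the SAP stand-in and alter another."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        tree = Path(root)
        (tree / "opt_sap").mkdir()
        (tree / "opt_sap" / "config.xml").write_text("<config/>")
        (tree / "var_www_html").mkdir()
        (tree / "var_www_html" / "index.php").write_text("<?php echo 'ok'; ?>")
        store_file = Path(store) / "baseline.json"   # kept outside the monitored tree
        save_baseline(build_baseline(root), store_file)
        # simulated post-baseline changes
        (tree / "opt_sap" / "cache.php").write_text("<?php /* constructed: dropped after baseline */ ?>")
        (tree / "var_www_html" / "index.php").write_text("<?php echo 'ok'; include 'x.php'; ?>")
        return compare(load_baseline(store_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Timestamps are deliberately left out of the record: an attacker can reset mtime with touch, but cannot make a changed file keep its old SHA-256.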

4. Restrict PHP Execution in Sensitive Directories

Command:

<Directory /opt/sap>
php_admin_flag engine off
</Directory>

Steps:

  1. Edit the web server configuration (the snippet above is Apache mod_php syntax; with PHP-FPM or Nginx, keep the directory out of the PHP handler's location/match rules instead).
  2. Disable PHP execution in non-web directories (e.g., SAP installation paths).
  3. Restart the web server (`sudo systemctl restart apache2`).

Why It Works: Prevents PHP-based webshells from executing outside designated web roots.

5. Log Analysis for Anomalous Activity

Command:

grep -r "base64_decode" /var/log/apache2/access.log

Steps:

  1. Audit logs for HTTP requests containing `base64_decode` (common in webshells).
  2. Correlate with IPs and user agents using tools like fail2ban.

Why It Works: Webshells often use `base64` to obfuscate payloads, leaving detectable traces in logs.
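The grep above finds the literal string, but triage needs per-source context. The following is an added Python example (not from the article) that parses Apache combined-format lines, flags requests carrying obfuscation markers or going to PHP files outside an allowlist of known scripts, and summarizes per client IP with the user agents seen, which is the correlation step 2 describes. The log lines, the allowlist and the tool user-agent hints (including an AntSword-style string) are all constructed for the example. One caveat: the access log records the query string of GET requests but never the POST body, so the marker check only catches the GET form; for POST-driven shells the unknown-script and user-agent checks do the work.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Substrings that should not appear in a request to a healthy site (the article's marker plus relatives)
SUSPICIOUS_MARKERS = ("base64_decode", "eval(", "passthru", "shell_exec", "system(")
# Constructed allowlist: the PHP entry points this site is expected to serve
KNOWN_SCRIPTS = {"/index.php", "/login.php"}
# Constructed hints for non-browser clients
TOOL_UA_HINTS = ("antsword", "python-requests", "curl/", "go-http-client")


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict) -> list[str]:
    """Reasons a single request looks webshell-related (empty list means nothing notable)."""
    target = unquote(entry["target"])  # undo %-encoding so base64%5Fdecode is seen as well
    path = target.split("?", 1)[0]
    reasons = []
    if any(marker in target.lower() for marker in SUSPICIOUS_MARKERS):
        reasons.append("suspicious_marker_in_request")
    if path.endswith(".php") and path not in KNOWN_SCRIPTS:
        reasons.append("request_to_unknown_php")
        if entry["method"] == "POST":
            reasons.append("post_to_unknown_php")
    if any(hint in entry["ua"].lower() for hint in TOOL_UA_HINTS):
        reasons.append("tool_user_agent")
    return reasons


def analyze(lines) -> dict[str, dict]:
    """Aggregate flagged activity per client IP; IPs with no flagged request are omitted."""
    per_ip = defaultdict(lambda: {"requests": 0, "flagged": 0, "reasons": set(), "user_agents": set()})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # malformed line: skip, do not abort the whole run
        stats = per_ip[entry["ip"]]
        stats["requests"] += 1
        stats["user_agents"].add(entry["ua"])
        reasons = classify(entry)
        if reasons:
            stats["flagged"] += 1
            stats["reasons"].update(reasons)
    return {
        ip: {**s, "reasons": sorted(s["reasons"]), "user_agents": sorted(s["user_agents"])}
        for ip, s in per_ip.items() if s["flagged"]
    }


# Constructed sample log lines (RFC 5737 documentation addresses)
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2025:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2025:10:01:13 +0000] "GET /irj/helper.php?x=base64_decode HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/May/2025:10:02:01 +0000] "POST /irj/helper.php HTTP/1.1" 200 0 "-" "antSword/v2.1"',
    '203.0.113.7 - - [10/May/2025:10:02:30 +0000] "GET /login.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/May/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

On a real host, feed it `open("/var/log/apache2/access.log")` and build KNOWN_SCRIPTS from the application's actual entry points; the output is a per-IP list to hand to fail2ban or to a blocklist, not a verdict on its own.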

6. Disable Unused PHP Functions

Command:

disable_functions = exec,passthru,shell_exec,system

Steps:

  1. Edit `php.ini` and add the above line.
  2. Restart PHP-FPM (`sudo systemctl restart php-fpm`).

Why It Works: Limits the attacker’s ability to execute shell commands via PHP.
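An added Python check (not from the article) for step 1 of this section: parse a php.ini honouring `;` comments and last-assignment-wins semantics, and report which of the functions the article disables are still allowed. The weak and hardened ini texts are constructed; the functions in RECOMMENDED_EXTRA (proc_open, popen, pcntl_exec) are a commonly suggested extension beyond the article's list and are labelled as such.

```python
# Functions covered by the article's disable_functions line
REQUIRED_DISABLED = {"exec", "passthru", "shell_exec", "system"}
# Commonly recommended additions; an extension beyond the article's list, not from it
RECOMMENDED_EXTRA = {"proc_open", "popen", "pcntl_exec"}


def parse_disable_functions(ini_text: str) -> set[str]:
    """Return the functions named in the last effective disable_functions= line."""
    value = ""
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment in php.ini
        if "=" not in line:
            continue
        key, _, val = (part.strip() for part in line.partition("="))
        if key == "disable_functions":
            value = val.strip('"')             # PHP also accepts a quoted value
    return {f.strip().lower() for f in value.split(",") if f.strip()}


def audit_disable_functions(ini_text: str) -> dict[str, list[str]]:
    """Compare the effective setting against the required and recommended sets."""
    disabled = parse_disable_functions(ini_text)
    return {
        "disabled": sorted(disabled),
        "missing_required": sorted(REQUIRED_DISABLED - disabled),
        "missing_recommended": sorted(RECOMMENDED_EXTRA - disabled),
    }


# Constructed php.ini fragments: the stock default (nothing disabled) and a hardened one
WEAK_INI = """\
[PHP]
; disable_functions = exec,system   <- commented out, so not in effect
disable_functions =
expose_php = On
"""

HARDENED_INI = """\
[PHP]
expose_php = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_disable_functions(text))
```

Check the file PHP-FPM actually loads (`php --ini` lists them, and the FPM pool may use a different php.ini than the CLI); a correct line in the wrong file changes nothing.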

7. Network Isolation for Critical Servers

Command:

sudo ufw deny out from 192.168.1.100 to any

Steps:

  1. Use UFW or iptables to restrict outbound traffic from servers.
  2. Allow only whitelisted IPs/ports for updates.

Why It Works: Blocks C2 callbacks from webshells to attacker-controlled servers.

What Undercode Say

  • Key Takeaway 1: Linux servers without EDR/AV are prime targets for webshell attacks. Proactive hunting with YARA and Velociraptor is critical.
  • Key Takeaway 2: Layered defenses—file integrity checks, PHP hardening, and network controls—reduce exploit success.

Analysis: The SAP exploitation case highlights attackers’ reliance on open-source tools (e.g., AntSwordProject) and weak server hardening. Enterprises must prioritize Linux security parity with Windows, including EDR deployment and strict file/network policies. Future attacks will likely leverage AI-generated obfuscation, making static detection insufficient. Behavioral analysis (e.g., Velociraptor) and Zero Trust file execution will become mandatory.

Prediction: Webshells will evolve to use AI-driven polymorphism, bypassing signature-based tools. Organizations must adopt runtime protection (e.g., eBPF) and automated patching to mitigate risks.

Reported By: Stephan Berger – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
