How to Detect and Mitigate Webshell Attacks on Compromised Servers

Mustafa Adam Qamar El-Din discovered a compromised server through a custom wordlist scan, revealing a `shell.php` webshell and unauthorized internal IP access. Below are critical steps to detect and mitigate such attacks.

Steps to Investigate a Compromised Server

1. Isolate the Server

  • Disconnect from the network to prevent lateral movement.
    ifconfig eth0 down                                   # Linux
    netsh interface set interface "Ethernet" disable     # Windows

2. Audit Running Processes & Cron Jobs

ps aux | grep -iE "php|sh|perl|python|wget|curl"
crontab -l     # Check scheduled tasks

3. Search for Webshells & Backdoors

find /var/www/ -type f \( -name "*.php" -o -name "*.ico" -o -name "*.inc" -o -name "*.phtml" \) | grep -iE "shell|backdoor|r57|c99"
grep -r "eval(" /var/www/     # Detect obfuscated PHP

4. Analyze Logs for Intrusions

tail -100 /var/log/apache2/access.log | grep -E "POST /.*\.php"
grep -i "shell" /var/log/apache2/error.log
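Steps 2 to 4 above are usually run by hand, one command at a time. The script below is an added example (not part of the original post) that turns the webshell search and the access-log check into two reusable shell functions and runs them against a constructed fixture: a tiny web root containing one benign file and one file built to look like an uploaded webshell, plus three constructed combined-format Apache log lines. It assumes GNU `find`/`grep` and a combined-format access log; the paths, IPs and file contents are all made up for the demo. On a real host, point `find_suspicious_php` at `/var/www` and `scan_access_log` at `/var/log/apache2/access.log`.

```shell
#!/bin/sh
# Added example, not from the original post: a small triage script that
# combines steps 2-4 above into two reusable checks. Every path and log line
# below is constructed so the script runs offline.

# Functions that webshells and obfuscated loaders lean on. Legitimate code can
# match too (a real base64_decode call, for instance), so each hit is a lead
# for manual review, not a verdict.
WEBSHELL_PATTERN='eval *\(|assert *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(|shell_exec *\(|passthru *\(|system *\(|proc_open *\('

# Print "path:matching-line-count" for every PHP-like file under $1 that
# contains at least one of the patterns.
find_suspicious_php() {
    webroot=$1
    find "$webroot" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) -print |
    LC_ALL=C sort |
    while IFS= read -r f; do
        n=$(grep -cE "$WEBSHELL_PATTERN" "$f" || true)
        if [ "$n" -gt 0 ]; then
            printf '%s:%s\n' "$f" "$n"
        fi
    done
}

# Print every POST to a PHP endpoint whose client IP is not in $2, a
# space-separated list of clients that are expected to post to PHP (for
# example a reverse proxy). Internal addresses that should never talk to the
# web tier directly, as in the post, show up here.
scan_access_log() {
    logfile=$1
    allowed=$2
    grep -E '"POST /[^" ]*\.php' "$logfile" |
    while IFS= read -r line; do
        ip=${line%% *}              # client IP is the first field of a combined-format line
        case " $allowed " in
            *" $ip "*) ;;           # expected client, ignore
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed fixture: a web root with one benign file and one file shaped
# like an uploaded webshell, plus a three-line constructed access log.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/www/uploads" "$root/log"
    printf '<?php\necho "hello";\n' > "$root/www/index.php"
    # Stand-in for a dropped webshell: eval over a POSTed, base64-wrapped body.
    printf '<?php\n@eval(base64_decode($_POST["c"]));\n' > "$root/www/uploads/shell.php"
    printf '%s\n' \
      '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"' \
      '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "POST /login.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"' \
      '192.168.1.50 - - [10/Oct/2023:13:56:01 +0000] "POST /uploads/shell.php HTTP/1.1" 200 512 "-" "curl/7.88.1"' \
      > "$root/log/access.log"
    printf '%s\n' "$root"
}

# Stand-alone run: build the fixture, run both checks, clean up.
run_demo() {
    root=$(make_fixture)
    echo "== PHP files matching webshell patterns under $root/www =="
    find_suspicious_php "$root/www"
    echo "== POST requests to PHP endpoints from unexpected clients =="
    scan_access_log "$root/log/access.log" "10.0.0.5"
    rm -rf "$root"
}
run_demo
```

The pattern list is deliberately broad: on a real CMS it will match some legitimate files, which is why the function reports a count per file rather than deleting anything. Review the hits, then extend `WEBSHELL_PATTERN` with whatever the first confirmed sample actually used.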

You Should Know: Proactive Security Practices

1. Custom Wordlist for Directory Bruteforcing

  • Download Mustafa’s updated wordlist: GitHub/Sensitive-Disclosure-Wordlist
  • Use `dirsearch` with custom filters:
    cat live-subs.txt | python3 dirsearch.py -i 200 -e php,bak,old,zip,tar.gz,txt,log,conf,json,asp,jsp,aspx,yml,yaml,rar --stdin 
    

2. Detect Suspicious Files Automatically

# Find recently modified files (last 3 days)
find /var/www/ -type f -mtime -3 -exec ls -la {} \;

# Check for hidden files
find / -name ".*" -type f ! -path "/proc/*" -exec ls -la {} \;
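The `-mtime` search above relies on file timestamps, which an attacker who already writes to the web root can reset with `touch`. A content-hash baseline recorded while the site was known-good catches new, modified and deleted files regardless of timestamps. The script below is an added example, not part of the original post; it assumes GNU coreutils `sha256sum` and `mktemp` and builds a constructed scenario in a temporary directory (baseline a clean site, then simulate a dropped file, an edited `index.php` and a removed include).

```shell
#!/bin/sh
# Added example, not from the original post: a file-integrity baseline for
# the web root, compared by content hash rather than by modification time.

# Record one "sha256  ./relative/path" line per file under $1 into $2.
# Paths containing whitespace are not handled by the awk comparison below.
baseline_webroot() {
    webroot=$1
    out=$2
    ( cd "$webroot" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done ) > "$out"
}

# Compare the current state of $1 against baseline file $2 and print
# NEW / MODIFIED / DELETED lines, one per changed path.
compare_baseline() {
    webroot=$1
    base=$2
    cur=$(mktemp)
    baseline_webroot "$webroot" "$cur"
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         { seen[$2] = 1
           if (!($2 in old))        print "NEW " $2
           else if (old[$2] != $1)  print "MODIFIED " $2 }
         END { for (p in old) if (!(p in seen)) print "DELETED " p }' "$base" "$cur"
    rm -f "$cur"
}

# Constructed scenario: baseline a clean site, then simulate an intrusion that
# drops a file into uploads/, edits index.php and removes a config include.
make_scenario() {
    root=$(mktemp -d)
    mkdir -p "$root/www/uploads"
    printf '<?php\necho "hello";\n' > "$root/www/index.php"
    printf '<?php\n$db = "localhost";\n' > "$root/www/config.inc"
    baseline_webroot "$root/www" "$root/baseline.sha256"
    printf '<?php\necho "hello";\ninclude "uploads/x.php";\n' > "$root/www/index.php"
    printf '<?php\n// dropped file\n' > "$root/www/uploads/x.php"
    rm -f "$root/www/config.inc"
    printf '%s\n' "$root"
}

# Stand-alone run: build the scenario, report the differences, clean up.
run_demo() {
    root=$(make_scenario)
    echo "== changes under $root/www relative to baseline =="
    compare_baseline "$root/www" "$root/baseline.sha256" | LC_ALL=C sort
    rm -rf "$root"
}
run_demo
```

Store the baseline file off the host (or at least outside the web root and read-only to the web server user), otherwise whoever can write the webshell can also rewrite the baseline. Re-run `baseline_webroot` after each legitimate deploy so the comparison stays meaningful.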

3. Harden Apache/Nginx

  • Disable directory listing (Apache):
    Options -Indexes
  • Restrict PHP execution in uploads (Nginx):
    location ~ /uploads/.*\.php$ { deny all; }

4. Monitor Network Connections

netstat -tulnp | grep -E "php|python|perl" 
ss -tulwnp | grep -i "suspicious-ip" 
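Grepping `ss` output for a known bad IP only works once you already know the IP. The script below is an added example, not part of the original post, that classifies every established connection in `ss -tnp` output by what is normal for a web server: a shell or scripting interpreter holding a TCP socket (how a reverse shell spawned from a webshell appears in the socket table), and a web server or php-fpm worker connected to a non-private peer on a port other than its own 80/443, which means the worker initiated the connection. The sample `ss -tnp` output is constructed and follows the column layout of iproute2's `ss`; IPv4 only, and `ss -tnp` needs root to show other users' process names.

```shell
#!/bin/sh
# Added example, not from the original post: classify established TCP
# connections from `ss -tnp` output. Two kinds of lead are reported:
#   INTERPRETER_SOCKET          sh/bash/perl/python/nc holding a TCP socket
#   WEB_PROCESS_TO_PUBLIC_PEER  apache2/httpd/nginx/php-fpm connected to a
#                               non-private peer from a port other than 80/443
# IPv4 only; IPv6 endpoints are not parsed.

# Return 0 if $1 is a loopback or RFC 1918 address.
is_private_ip() {
    case "$1" in
        127.*|10.*|192.168.*)                     return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)    return 0 ;;
        *)                                        return 1 ;;
    esac
}

# Read `ss -tnp` lines on stdin, print one lead per suspicious connection.
flag_connections() {
    while IFS= read -r line; do
        set -- $line
        [ "$1" = "ESTAB" ] || continue          # skip the header and non-established rows
        local_ep=$4
        peer_ep=$5
        local_port=${local_ep##*:}
        peer_ip=${peer_ep%:*}
        name=${6#*\"}                           # users:(("sh",pid=...)) -> sh",pid=...
        name=${name%%\"*}                       # -> sh
        case "$name" in
            sh|bash|dash|perl|python*|nc|ncat)
                printf 'INTERPRETER_SOCKET %s -> %s %s\n' "$local_ep" "$peer_ep" "$name" ;;
            apache2|httpd|nginx|php-fpm*)
                if [ "$local_port" != 80 ] && [ "$local_port" != 443 ] && ! is_private_ip "$peer_ip"; then
                    printf 'WEB_PROCESS_TO_PUBLIC_PEER %s -> %s %s\n' "$local_ep" "$peer_ep" "$name"
                fi ;;
        esac
    done
}

# Constructed `ss -tnp` output: two inbound client connections to apache2, a
# shell with an outbound socket, php-fpm talking to an internal database, and
# php-fpm talking to a public HTTPS peer.
SS_SAMPLE='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.7:80 10.0.0.5:51234 users:(("apache2",pid=1234,fd=12))
ESTAB 0 0 10.0.0.7:443 203.0.113.20:60111 users:(("apache2",pid=1235,fd=13))
ESTAB 0 0 10.0.0.7:49152 203.0.113.9:4444 users:(("sh",pid=2001,fd=3))
ESTAB 0 0 10.0.0.7:50010 10.0.0.9:3306 users:(("php-fpm",pid=1400,fd=9))
ESTAB 0 0 10.0.0.7:50020 198.51.100.7:443 users:(("php-fpm",pid=1401,fd=10))'

# Stand-alone run over the constructed sample; on a real host use:
#   ss -tnp | flag_connections
printf '%s\n' "$SS_SAMPLE" | flag_connections
```

The second rule will also fire for legitimate outbound calls (a payment API, a webhook), so compare its output against the host's known-good egress list before escalating; the first rule is rarely benign on a production web server.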

What Undercode Says

Webshell attacks remain a critical threat. Regular audits, log monitoring, and restricting file uploads are essential. Automation tools like OSSEC or Chkrootkit can help detect anomalies.

Expected Output:

  • Suspicious PHP files (shell.php, c99.php).
  • Unauthorized IPs in access logs (192.168.x.x).
  • Modified system binaries (/usr/bin/sshd).

Prediction

AI-driven attack detection will soon replace manual log analysis, but custom wordlists and proactive scanning will remain vital for uncovering hidden vulnerabilities.

Reported By: Wadgamaraldeen Tips – Hackers Feeds