This section describes a web shell that can be installed via a vulnerability in WordPress.

What is a webshell?

A webshell is a malicious program that is installed over a network and runs at the server software level.

For example, WordPress runs in the following framework

(1) Apache (server software) → MYSQL (database software) → PHP (server site scripting language) → WordPress

Malware that runs malware at the server software level in (1) is called a web shell.
The functions shell_exec and exec are often used to run web shells at the server software level via PHP, so if a web shell is created in PHP, it is likely to contain this function.

Examples of unauthorized web shell activity

The web shell performs a variety of activities.

Installs malicious software on the server
Executing server commands
Sending and receiving e-mail and creating server-level users
Leakage of information by retrieving or transmitting databases
Installing or creating backdoors
Rewriting DNS

and so on.

However, since many site servers are shared servers, the execution of software on the server is often restricted, and in the case of shared servers, most of what can be done with a web shell cannot be implemented and is limited.

The most dangerous type of server where a web shell could be installed would be on your own server, or if you have a server subscription that allows you to control the server at the root privilege level, such as VPS or AWS.

Web Shell Detection and Removal

PHP-based webshells installed in the WordPress directory can be detected and removed with the [Free] WordPress: Malware Scanning & Security Plug-in [Malware and Virus Detection and Removal].

However, webshells that are installed outside of the server’s website directory cannot be detected by the above plugin.

If you wish to search and disinfect webshells outside of the server’s website directory, you will need to perform investigation and disinfection at the server level.

If you are using your own server, VPS, AWS, etc., you will need specialized software or manual detection that can detect webshells in all files on the server.
Although such cases are very rare, a larger man-hour is expected to remove the web shell, and it is likely to be faster and more reliable to reinstall the OS and server-side software in the server and rebuild the server.

Related Posts:

  1. What is a web shell, a type of WordPress malware?
    There have been an increasing number of cases of web shells, a type of WordPress malware, becoming more sophisticated in recent years. We will explain about web shells....
  2. Can WordPress malware infect the server itself (Apache)?
    We would like to explain from our experience whether WordPress malware can infect the server itself (Apache)....
  3. Reasons for repeated hacker defacement and malware infection on WordPress sites
    Once a WordPress site has been defaced by hackers, embedded malware, or infected with a virus, the site may be repeatedly defaced even after you think you have removed the malware. We will explain how to deal with such cases....
  4. If you do not know where the malware infected malware is located or if you cannot find it
    This section explains what to do if you do not know the location of infected malware or if you cannot find it....
  5. WordPress: How the Malware Scan & Security plugin can detect malware with high accuracy.
    The following is a partial introduction to the highly accurate malware detection mechanism in the [Free] WordPress: Malware Scanning & Security Plug-in [Malware and Virus Detection and Removal] released by WordPress Doctor....
  6. Free WordPress:Best Malware Scan & Security Plug-in, made in Japan [Malware and Virus Detection and Removal].
    24-hour protection for your WordPress site. Plug-in that checks (detects and confirms) and removes defacement, hijacking, hacking, malware, backdoors, and virus infection of your WordPress site, and restores your WordPress site. Plug-in that checks and detects WordPress site code from patterns of malicious code (malware, viruses, defacement, hacking damage) ranging from patterns from sites restored by WordPress Doctor. WordPress Doctor...