This section describes a web shell that can be installed via a vulnerability in WordPress.
What is a webshell?
A webshell is a malicious program that is installed over a network and runs at the server software level.
For example, WordPress runs in the following framework
(1) Apache (server software) → MYSQL (database software) → PHP (server site scripting language) → WordPress
Malware that runs malware at the server software level in (1) is called a web shell.
The functions shell_exec and exec are often used to run web shells at the server software level via PHP, so if a web shell is created in PHP, it is likely to contain this function.
Examples of unauthorized web shell activity
The web shell performs a variety of activities.
Installs malicious software on the server
Executing server commands
Sending and receiving e-mail and creating server-level users
Leakage of information by retrieving or transmitting databases
Installing or creating backdoors
Rewriting DNS
and so on.
However, since many site servers are shared servers, the execution of software on the server is often restricted, and in the case of shared servers, most of what can be done with a web shell cannot be implemented and is limited.
The most dangerous type of server where a web shell could be installed would be on your own server, or if you have a server subscription that allows you to control the server at the root privilege level, such as VPS or AWS.
Web Shell Detection and Removal
PHP-based webshells installed in the WordPress directory can be detected and removed with the [Free] WordPress: Malware Scanning & Security Plug-in [Malware and Virus Detection and Removal].
However, webshells that are installed outside of the server’s website directory cannot be detected by the above plugin.
If you wish to search and disinfect webshells outside of the server’s website directory, you will need to perform investigation and disinfection at the server level.
If you are using your own server, VPS, AWS, etc., you will need specialized software or manual detection that can detect webshells in all files on the server.
Although such cases are very rare, a larger man-hour is expected to remove the web shell, and it is likely to be faster and more reliable to reinstall the OS and server-side software in the server and rebuild the server.