Imagine that one day you discover that a burglar has broken into your home and attempted to make off with your big-screen TV. Fearing for your safety, you immediately contact local law enforcement, and they promptly apprehend the criminal. But to your horror, as they drag the burglar away in handcuffs, they have an additional shocking revelation: the burglar has not only been living in the basement of your home for months, entirely undetected by you, but he's also converted your basement into an elaborate base for all of his criminal operations.
You, of course, are both shocked and appalled! How could you not have noticed a nefarious criminal had hijacked your whole residence right under your nose? And how much damage have they already done, unbeknownst to you, all while secretly living under your own roof?
That's a lot like what happens when an attacker compromises your website and quietly installs a malicious web shell, taking over and executing all kinds of malicious scripts and behavior: your website has been broken into, hackers have made themselves at home on your server, your bandwidth and storage space have been stolen, and you're none the wiser.
The Wordfence team has seen thousands of malicious scripts from hackers attempting to compromise the millions of sites that we protect. But there's one particularly invasive script that, once it makes its way onto your website, acts exactly like the burglar in the above scenario, living in your site's "basement" and allowing the attacker to wreak havoc almost completely undetected indefinitely: the WSO web shell.
What Is a Web Shell?
A web shell is a script that runs on a web server, much like WordPress or any other PHP code. It allows the user to do things as if they were logged in to the server directly. It's like a server administration tool: it lets the user view or edit files, work with databases, and even run programs. Web shells created by hackers usually have additional malicious features, such as sending spam or automatically defacing a website.
Web shells are not inherently a type of attack or an exploit. Rather, they're a tool used to manipulate a site after it's already been broken into. We talk a lot about the different kinds of exploits and why they put your site at risk, but the truth is that security vulnerabilities and exploits are merely the first step in any successful hack. The goal is to break into your website, and then use a script to take over your site and wreak all sorts of havoc via your server.
That, in a nutshell, is exactly what the WSO web shell does. It takes over your site for the hacker's own purposes without you ever realizing it's there.
What's "Special" About WSO?
WSO is a favorite web shell among hackers because of its particularly powerful set of features.
- Password protection
- Server information disclosure
- File management features like uploading, downloading, or editing files, creating directories, browsing through directories, and searching for text in files
- Command-line console
- Database administration
- PHP code execution
- Encoding and decoding text input
- Brute-force attacks against FTP or database servers
- Installation of a Perl script to act as a more direct backdoor on the server
Once they're installed on a website, web shells are notoriously difficult to remove, in large part because hackers often place multiple copies of a web shell all over a site to try to retain access even if some of their malware is removed.
WSO is designed to be used via a web browser, and it has a pretty simple user-friendly interface, making it very easy for any would-be hacker to learn and put to use.
It seems to strike a good balance between simplicity and capability, since it's one of the most popular web shells out there. In fact, despite the simple browser interface, we see a lot of hackers using it simply to execute malicious PHP code on websites. In theory, that's something that a hacker could accomplish more easily with a very small amount of code:
But hackers seem to like and trust WSO so much that they want it on their compromised websites anyway.
A whole ecosystem has sprung up in the hacker community around WSO shell, with hackers developing secondary tools that support its execution and use. For example, there's a tool to build a customized version of the shell with only the features you want.
We've also seen a tool to manage multiple sites infected with it, making it that much easier for even entry-level hackers to take over a large number of websites relatively easily.
History
For such a ubiquitous tool, WSO's origins remain something of an unsolved mystery.
WSO apparently stands for "web shell by oRb." It was first seen in hacker communities between 2008 and 2009. The earliest mention we could find was a thread on a Russian hacking forum in January of 2009 by a user named oRb, after whom the script has since been named.
That thread was used to announce a major update to the script, though, so that probably wasn't the first release of WSO. But Google searches for "WSO Shell" started to pick up soon after.
oRb continued to post updates and new versions of the script until late 2010, when they released version 2.5. That remains the most popular version, though some hackers have released variations since then (and not always out of altruism toward other hackers: some releases include hidden code to notify the author where they're installed, thereby causing multiple levels of infiltration and damage).
The WSO shell is widely used by countless hackers all over the world, with the community of users who prefer it as a web shell growing every day.
In January of this year, for example, we published research about the ChickenKiev or "CK" botnet, which uses WSO as part of its operation.
Each new iteration is intended to make it easier and easier for hackers to take over websites and do whatever they want after that. The laziness of hackers in this regard can't be overstated. For example, one of the first lines in the WSO shell sets the password required to use it:
$auth_pass = "63a9f0ea7bb98050796b649e85481845";
Specifically, this sets the password to the word "root." Our WAF has blocked hundreds of attempts to upload WSO to websites we protect, all trying to execute with this simple no-brainer default password.
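Wordfence's scanner and WAF use their own signatures; the Python below is an added example, not Wordfence code, showing the simplest check the default-password observation suggests from a site owner's side. It confirms that the hash quoted above is the MD5 of "root", then walks a directory tree for any `$auth_pass` assignment of the form shown and reports whether the stored hash matches a short guess list. The guess list, the file names and the file contents are constructed for the example; the "shell" files contain nothing but the password line.

```python
import hashlib
import os
import re
import tempfile

# The password line quoted in the article; the hash is the MD5 of the word "root".
WSO_DEFAULT_AUTH_HASH = "63a9f0ea7bb98050796b649e85481845"

# Matches the assignment as the article shows it: $auth_pass = "<32 hex chars>";
AUTH_PASS_RE = re.compile(r'\$auth_pass\s*=\s*["\']([0-9a-fA-F]{32})["\']\s*;')

# Constructed guess list (an assumption for this example, not from the article):
# passwords whose MD5 we compare against any hash found.
WEAK_PASSWORDS = ("root", "admin", "password", "123456")


def md5_hex(text):
    """Hex MD5 digest of a string, the form the quoted password line stores."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def classify_hash(auth_hash):
    """Return the weak password whose MD5 equals auth_hash, or None if unrecognised."""
    auth_hash = auth_hash.lower()
    for candidate in WEAK_PASSWORDS:
        if md5_hex(candidate) == auth_hash:
            return candidate
    return None


def scan_file(path):
    """Return [(hash, matched_password_or_None), ...] for every $auth_pass line in a file."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as handle:
            data = handle.read()
    except OSError:
        return []
    return [(m.group(1).lower(), classify_hash(m.group(1)))
            for m in AUTH_PASS_RE.finditer(data)]


def scan_tree(root):
    """Walk a document root; map each file containing an $auth_pass line to its findings.

    Every regular file is inspected, not only *.php: a dropped file need not carry a
    .php name, and the single regex is cheap enough to run over everything.
    """
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def demo():
    """Build a constructed sample site in a temp dir, scan it, and return the findings."""
    # Constructed contents: one clean config file, one file with the default hash the
    # article quotes, one with an unrecognised hash. No shell functionality is present.
    sample = {
        "wp-config.php": "<?php\ndefine('DB_NAME', 'example');\n",
        "wp-content/uploads/cache.php":
            '<?php\n$auth_pass = "63a9f0ea7bb98050796b649e85481845";\n',
        "wp-content/themes/demo/functions.php":
            "<?php\n$auth_pass = '00000000000000000000000000000000';\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as handle:
                handle.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in demo().items():
        for auth_hash, guess in hits:
            label = f"weak/default password '{guess}'" if guess else "unrecognised hash, inspect"
            print(f"{rel}: $auth_pass={auth_hash} ({label})")
```

A match is a reason to open the file and look, not proof by itself, and a build whose author renamed the variable or stored the password differently would slip past this one pattern; that is why a check like this complements a signature-based scanner rather than replacing it.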
How Wordfence Blocks WSO
We have been monitoring and blocking WSO shell hijacking attempts for some time, and as a direct result, weโve developed a few powerful ways of making sure every website we protect is safe from this aggressive invasion.
Wordfence protects your site from exploitation using WSO shell in the following ways:
- Wordfence will detect and block any attempt to upload WSO shell. The Wordfence WAF scans all requests to your website to look for malicious code using our custom-designed malware signatures, which are continuously updated. The WAF, once installed on your site, will detect any attempt to upload WSO shell โ and immediately block it.
- Wordfenceโs malware scanner will detect the presence of WSO shell on your filesystem if an attacker manages to find some other way to install it. You will be instantly alerted if WSO shell is found lurking anywhere on your server.
- Wordfence also blocks attempts to run WSO shell commands, so that even if a hacker manages to get past the first two defenses, itโs a moot point: WSO shell commands simply wonโt work on your site.
How to Tell If WSO Shell Is Lurking on Your Website
We have two incredibly easy ways that you can use to determine if WSO shell is secretly lying in wait on your website:
- If you have Wordfence installed, simply run a scan. If the results come back clean, you almost certainly don't have WSO shell on your site.
- If you don't have Wordfence installed, or if you use another content management system like Joomla or Drupal, simply use Gravityscan to scan your website. (Important: make sure you have the Gravityscan Accelerator installed.) Gravityscan will scour your website's entire filesystem, and your scan results should let you know if you have WSO shell installed anywhere.
Conclusion
Because of its low barrier to entry, WSO shell is one of the most popular and most malicious tools used by hackers to infect websites. Having WSO shell installed on your website can be a dangerous liability for you and your business.
Of course, the best defense is a good offense, and with Wordfence or Gravityscan you can not just block WSO shell and easily detect its presence, keeping your site safe from any would-be attackers; you can also make certain that they never break into your "home" on the web in the first place.
The post WSO Shell: The Hack Is Coming From Inside The House! appeared first on Wordfence.