Backdoor Detection

High Web Application Scanning Plugin ID 98097

Synopsis

Backdoor Detection

Description

Nessus was able to determine that a possible web backdoor or web shell
exists on the remote web server. It does so by using the same technique
an attacker would: requesting the filenames of common, well-known web
shells and examining the responses.

If a server has been previously compromised, there is a high
probability that the cyber-criminal has installed a backdoor so that
they can easily return to the server if required.

One method of achieving this is to place a web backdoor or web shell
within the web root of the web server. This will then enable the
cyber-criminal to access the server through an HTTP/S session.

Although extremely bad practice, it is possible that the web backdoor
or web shell has been placed there by an administrator so they can
perform administrative activities remotely.

During the initial reconnaissance stage of an attack, cyber-criminals
attempt to locate these web backdoors or shells by requesting the
filenames of the most common and well-known ones.

By analyzing each response (its status code and the content returned),
they can determine whether a web backdoor or web shell exists. A server
that answers every request with an HTTP 200 page will make such probes
look successful, which is why this finding reports only a possible
backdoor and must be confirmed manually. Once located, these web
backdoors or web shells provide an easy path to further compromise of
the server.
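The reconnaissance technique described above, as an added example that is not the plugin's own code: a small probe that requests a short, illustrative list of well-known web shell filenames (an assumption; the plugin's actual wordlist is not published on this page), first fetches a random path that cannot exist to learn how the server answers for missing files, and then classifies each candidate response against that baseline so a catch-all 200 page is not reported as a shell. The hostname example.test, the fixture site, the path list and the marker strings are all constructed for this example.

```python
import secrets
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# A response is (status, body); the fetcher is injectable so the logic runs offline.
Response = Tuple[int, str]
Fetcher = Callable[[str], Response]

# Illustrative candidate names only (assumption: a real wordlist is far larger).
COMMON_SHELL_PATHS = [
    "/c99.php", "/r57.php", "/shell.php", "/cmd.php", "/wso.php",
    "/b374k.php", "/cmd.jsp", "/cmd.aspx", "/webshell.php",
]

# Strings that tend to appear in the HTML of well-known shells (constructed list).
SHELL_MARKERS = ["c99shell", "r57shell", "b374k", "wso 2", "safe_mode", "uname -a"]


def urllib_fetch(url: str, timeout: float = 5.0) -> Response:
    """Real fetcher: return (status, body); HTTP error codes are still responses."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(65536).decode("utf-8", "replace")


def baseline(fetch: Fetcher, base: str) -> Response:
    """Request a random path that cannot exist, to learn how this server answers
    for missing files. Catch-all 200 'not found' pages are the main false-positive source."""
    return fetch(base + "/" + secrets.token_hex(8) + ".php")


def _similar(a: str, b: str) -> bool:
    """Cheap similarity: identical bodies, or lengths within 5 percent of each other."""
    if a == b:
        return True
    la, lb = len(a), len(b)
    return la > 0 and lb > 0 and abs(la - lb) / max(la, lb) < 0.05


def classify(resp: Response, missing: Response) -> str:
    """Interpret one probe response against the server's not-found baseline."""
    status, body = resp
    miss_status, miss_body = missing
    if status != 200:
        return "absent"
    if status == miss_status and body == miss_body:
        return "soft-404"               # byte-identical to the catch-all page
    if any(m in body.lower() for m in SHELL_MARKERS):
        return "likely-shell"           # content matches a known shell's UI
    if status == miss_status and _similar(body, miss_body):
        return "soft-404"               # same template as the catch-all page
    return "exists-unconfirmed"         # a real file; content needs manual review


def probe(base: str, fetch: Fetcher = urllib_fetch,
          paths: List[str] = COMMON_SHELL_PATHS) -> Dict[str, str]:
    """Probe each candidate path; return {path: verdict} for anything worth a look."""
    missing = baseline(fetch, base)
    findings: Dict[str, str] = {}
    for p in paths:
        verdict = classify(fetch(base + p), missing)
        if verdict not in ("absent", "soft-404"):
            findings[p] = verdict
    return findings


# Constructed offline fixture: a server that answers every unknown path with a
# 200 "not found" page, hosts one c99 shell, and one home-grown command runner.
_NOT_FOUND = "<html><body>Page not found, sorry.</body></html>"
_FAKE_SITE = {
    "/c99.php": (200, "<html><title>c99shell v1.0</title>uname -a ...</html>"),
    "/cmd.php": (200, "<html><body><form method=post>command: "
                      "<input name=c><input type=submit></form></body></html>"),
}


def fake_fetch(url: str) -> Response:
    """Stand-in for urllib_fetch that serves the fixture above."""
    return _FAKE_SITE.get(urlsplit(url).path, (200, _NOT_FOUND))


if __name__ == "__main__":
    print(probe("http://example.test", fetch=fake_fetch))
    # → {'/c99.php': 'likely-shell', '/cmd.php': 'exists-unconfirmed'}
```

Against a real host, call probe("https://target") with the default urllib fetcher. The probe only issues GET requests, and a likely-shell or exists-unconfirmed verdict is a lead for manual confirmation, not proof: the soft-404 baseline removes the most common false positive, but a shell whose page happens to resemble the server's catch-all template would still be missed, and a legitimate file with a suspicious name would be reported for review.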

Solution

If manual confirmation reveals that a web backdoor or web shell exists on the server, it should be removed. Before removing it, preserve a copy of the file (with its timestamps and a hash) and the relevant web server access logs, as these are the primary evidence for the investigation that follows.
An incident response investigation should also be conducted on the server to establish how the web backdoor or web shell came to exist there.
Depending on the environment, the investigation should be extended to any other services or servers that may have been compromised from it.
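Host-side confirmation of such a finding, as an added example that is not part of the plugin or of Tenable's guidance: it walks a web root, flags script files containing constructs typical of web shells, and records each hit's SHA-256 and modification time so the evidence is captured before the file is removed. The indicator patterns, the file-extension list and the sample web root are constructed for the example and are not exhaustive.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone
from typing import Dict, List

# Constructed indicator patterns (assumption: aimed at PHP/JSP/ASP shells, not exhaustive).
INDICATORS = {
    "eval_of_request": re.compile(
        r"\beval\s*\(\s*(base64_decode\s*\(\s*)?\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "command_exec": re.compile(
        r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "obfuscated_eval": re.compile(
        r"\beval\s*\(\s*(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I),
    "runtime_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(", re.I),
    "wscript_shell": re.compile(r"CreateObject\s*\(\s*[\"']WScript\.Shell", re.I),
    "known_shell_name": re.compile(r"\b(c99shell|r57shell|b374k|wso)\b", re.I),
}
SCRIPT_EXT = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".pl"}


def scan_file(path: str) -> List[str]:
    """Return the names of the indicators found in one script file."""
    with open(path, "rb") as f:
        text = f.read(2_000_000).decode("utf-8", "replace")
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_webroot(root: str) -> Dict[str, dict]:
    """Walk the web root; for every script file with indicators record what matched,
    its SHA-256 and its mtime (evidence to keep before the file is removed)."""
    hits: Dict[str, dict] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in SCRIPT_EXT:
                continue
            p = os.path.join(dirpath, fn)
            found = scan_file(p)
            if not found:
                continue
            with open(p, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            mtime = datetime.fromtimestamp(os.stat(p).st_mtime, tz=timezone.utc)
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            hits[rel] = {
                "indicators": found,
                "sha256": digest,
                "mtime": mtime.isoformat(),
            }
    return hits


def build_sample_webroot() -> str:
    """Constructed fixture: a benign page plus two minimal PHP shells in uploads/."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "uploads"))
    samples = {
        "index.php": "<?php echo 'Hello'; ?>",
        "logo.png": "PNG placeholder, not a script",
        "uploads/cmd.php": "<?php if (isset($_GET['c'])) { system($_GET['c']); } ?>",
        "uploads/img.php": "<?php eval(base64_decode($_POST['x'])); ?>",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    for rel, info in scan_webroot(build_sample_webroot()).items():
        print(rel, info["indicators"], info["sha256"][:12], info["mtime"])
```

Run it as scan_webroot("/var/www/html") on the affected host; each hit's relative path, hash and mtime go into the incident record, and the mtime is a starting point for correlating the upload with the access logs. A pattern-based scan of this kind catches common shells, not a determined attacker's custom or heavily obfuscated one, so an empty result does not clear the server.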

See Also

https://www.blackhat.com/presentations/bh-usa-07/Wysopal_and_Eng/Presentation/bh-usa-07-wysopal_and_eng.pdf

Plugin Details

Severity: High

ID: 98097

Type: remote

Family: Web Servers

Published: 2017/03/31

Modified: 2017/10/16

Risk Information

Risk Factor: High

CVSSv2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSSv3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
