Backdoor Detection

Critical | Web Application Scanning | Plugin ID 98097

Synopsis

Backdoor Detection

Description

The scanner determined that a possible web backdoor or web shell exists on the remote web server, using the same methods a cyber-criminal would. If a server has previously been compromised, there is a high probability that the cyber-criminal has installed a backdoor so that they can easily return to the server when required. One way to achieve this is to place a web backdoor or web shell within the web root of the web server, which then lets the cyber-criminal access the server over an HTTP/S session. Although it is extremely bad practice, it is also possible that an administrator placed the web backdoor or web shell there in order to perform administrative activities remotely.

During the initial reconnaissance stage of an attack, cyber-criminals attempt to locate such web backdoors or shells by requesting the names of the most common and well-known ones; by analyzing the responses, they can determine whether a web backdoor or web shell exists. These web backdoors or web shells then provide an easy path for further compromise of the server.

Solution

If manual confirmation reveals that a web backdoor or web shell does exist on the server, it should be removed.
It is also recommended that an incident response investigation be conducted on the server to establish how the web backdoor or web shell came to be there.
Depending on the environment, the investigation should be extended to any other services or servers that may have been compromised.

See Also

https://www.blackhat.com/presentations/bh-usa-07/Wysopal_and_Eng/Presentation/bh-usa-07-wysopal_and_eng.pdf

Plugin Details

Severity: Critical

ID: 98097

Type: remote

Family: Web Servers

Published: 3/31/2017

Updated: 9/7/2021

Scan Template: api, scan, pci

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
