DescriptionThe scanner was able to determine that a possible web backdoor or web shell exists on the remote web server by utilizing the same methods as cyber-criminals. If a server has been previously compromised, there is a high probability that the cyber-criminal has installed a backdoor so that they can easily return to the server if required. One method of achieving this is to place a web backdoor or web shell within the web root of the web server. This will then enable the cyber-criminal to access the server through an HTTP/S session. Although extremely bad practice, it is possible that the web backdoor or web shell has been placed there by an administrator so they can perform administrative activities remotely. During the initial reconnaissance stages of an attack, cyber-criminals will attempt to locate these web backdoors or shells by requesting the names of the most common and well known ones. By analyzing the response, they are able to determine if a web backdoor or web shell exists. These web backdoors or web shells can then provide an easy path for further compromise of the server.
SolutionIf manual confirmation reveals that a web backdoor or web shell does exist on the server, then it should be removed.
It is also recommended that an incident response investigation be conducted on the server to establish how the web backdoor or web shell came to exist on the server.
Depending on the environment, investigation into the compromise of any other services or servers should be conducted.