Backdoor Detection

High Web Application Scanning Plugin ID 98097


Backdoor Detection


Nessus was able to determine that a possible web backdoor or web shell
exists on the remote web server by utilizing the same methods as

If a server has been previously compromised, there is a high
probability that the cyber-criminal has installed a backdoor so that
they can easily return to the server if required.

One method of achieving this is to place a web backdoor or web shell
within the web root of the web server. This will then enable the
cyber-criminal to access the server through an HTTP/S session.

Although extremely bad practice, it is possible that the web backdoor
or web shell has been placed there by an administrator so they can
perform administrative activities remotely.

During the initial reconnaissance stages of an attack, cyber-criminals
will attempt to locate these web backdoors or shells by requesting the
names of the most common and well known ones.

By analyzing the response, they are able to determine if a web
backdoor or web shell exists. These web backdoors or web shells can
then provide an easy path for further compromise of the server.


If manual confirmation reveals that a web backdoor or web shell does exist on the server, then it should be removed.
It is also recommended that an incident response investigation be conducted on the server to establish how the web backdoor or web shell came to exist on the server.
Depending on the environment, investigation into the compromise of any other services or servers should be conducted.

See Also

Plugin Details

Severity: High

ID: 98097

Type: remote

Family: Web Servers

Published: 2017/03/31

Modified: 2017/10/16

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference Information