DIVD-2023-00002 - Publicly Reachable Malicious Webshells
| Our reference | DIVD-2023-00002 |
| Case lead | Ralph Horn |
| Author | Max van der Horst |
| Researcher(s) |
|
| CVE(s) |
|
| Product | n/a |
| Versions | n/a |
| Recommendation | Remove the indicated file from your webserver and investigate your systems for compromise. |
| Status | Closed |
| Last modified | 03 Jul 2024 22:16 CEST |
Summary
DIVD is currently scanning the Internet for commonly known malicious webshells. These webshells often serve as an initial access method and/or persistency measure for malicious actors and are usually exposed to the Internet. Having one of these web shells on your system (nearly) always means a system has been compromised. DIVD is researching ways to identify these webshells and notifying the owners of compromised servers.
What you can do
Remove the files associated to the webshell from your server as soon as possible and start an investigation on your infrastructure to determine how the how the web shell was installed and if the threat actor is still present inside your IT infrastructure.
What we are doing
DIVD is currently working to identify vulnerable parties and notifying these. We do this by scanning for paths that are commonly known to contain webshells and examining these pages to determine whether they are malicious. Owners of vulnerable instances receive a notification with the host information and remediation steps.
Timeline
| Date | Description |
|---|---|
| 06 Jan 2023 | DIVD starts sorting Project Observer data. |
| 19 Jan 2023 | DIVD starts indexing common webshell locations. |
| 20 Jan 2023 | DIVD starts investigating automatic recognition of malicious web shells. |
| 20 Jan 2023 | DIVD decided to close the case as there was no reliable enough fingerprint to determine malicious files. No notifications were sent. |