
DIVD-2023-00002 - Publicly Reachable Malicious Webshells

Our reference DIVD-2023-00002
Case lead Ralph Horn
Author Max van der Horst
Researcher(s)
CVE(s)
  • n/a
Product n/a
Versions n/a
Recommendation Remove the indicated file from your webserver and investigate your systems for compromise.
Status Closed
Last modified 03 Jul 2024 22:16 CEST

Summary

DIVD is currently scanning the Internet for commonly known malicious webshells. These webshells often serve as an initial access method and/or persistence mechanism for malicious actors and are usually exposed to the Internet. Having one of these webshells on your system (nearly) always means the system has been compromised. DIVD is researching ways to identify these webshells and to notify the owners of compromised servers.

What you can do

Remove the files associated with the webshell from your server as soon as possible and start an investigation of your infrastructure to determine how the webshell was installed and whether the threat actor is still present inside your IT infrastructure.

What we are doing

DIVD is currently working to identify affected parties and notify them. We do this by scanning for paths that are commonly known to contain webshells and examining the pages found there to determine whether they are malicious. Owners of affected instances receive a notification with the host information and remediation steps.
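The two-step approach described above (probe well-known paths, then judge the content of whatever answers) can be sketched in a few dozen lines. The following is an added example and not DIVD's scanner: the candidate paths, the indicator patterns and their weights, the threshold, and the sample responses served by `fake_fetch` are all constructed for illustration. Network access is replaced by an in-memory site so the code runs offline; `http_fetch` shows the shape a real fetch function would take. The last sample page is a benign support form that still crosses the threshold, which is exactly the false-positive problem the case timeline records.

```python
"""Added example (not DIVD's code): probe candidate webshell paths and score
the responses with content heuristics.

All paths, patterns, weights and sample pages below are assumptions made for
this illustration, not DIVD's wordlist or fingerprints.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple

# Constructed list of candidate paths; real scanners use far larger wordlists.
CANDIDATE_PATHS: List[str] = [
    "/shell.php",
    "/cmd.php",
    "/uploads/x.php",
    "/wp-content/uploads/shell.php",
]

# Content indicators often seen in interactive PHP webshells (assumed list).
# Each entry: (compiled regex, weight). Weights are arbitrary illustration values.
INDICATORS: List[Tuple[re.Pattern, int]] = [
    (re.compile(r"<input[^>]*\bname=.?cmd\b", re.I), 3),        # command input box
    (re.compile(r"enctype=.?multipart/form-data", re.I), 1),     # file upload form
    (re.compile(r"safe[_ ]mode|disable_functions", re.I), 2),    # PHP config dump
    (re.compile(r"uid=\d+\([^)]*\)", re.I), 2),                  # echoed `id` output
    (re.compile(r"\b(whoami|uname -a)\b", re.I), 1),             # command names
]

FetchResult = Optional[Tuple[int, str]]          # (HTTP status, body) or None on error
Fetcher = Callable[[str], FetchResult]


def score_response(body: str) -> int:
    """Sum the weight of every indicator that matches at least once."""
    return sum(weight for pattern, weight in INDICATORS if pattern.search(body))


def probe_host(base_url: str, fetch: Fetcher,
               paths: List[str] = CANDIDATE_PATHS,
               threshold: int = 4) -> List[Tuple[str, int]]:
    """Return (path, score) for every candidate path that answers 200 and
    scores at or above the threshold. Lower scores and non-200 answers are
    dropped silently."""
    hits: List[Tuple[str, int]] = []
    for path in paths:
        result = fetch(base_url + path)
        if result is None:
            continue
        status, body = result
        if status != 200:
            continue
        score = score_response(body)
        if score >= threshold:
            hits.append((path, score))
    return hits


def http_fetch(url: str, timeout: float = 5.0) -> FetchResult:
    """Real fetcher (not exercised offline): GET the URL, return status and body."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:            # 4xx/5xx still carry a body
        return err.code, err.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError):
        return None


# Constructed sample site used instead of the network. The last page is a
# benign helpdesk form that happens to look like a shell to these heuristics.
BASE = "http://example.invalid"
SAMPLE_SITE = {
    "/shell.php": (200, '<html><title>Sh3ll</title><form method="POST">'
                        '<input type="text" name="cmd"><input type="submit" value="Run">'
                        '</form><pre>uid=33(www-data) gid=33(www-data)</pre></html>'),
    "/cmd.php": (404, "Not Found"),
    "/uploads/x.php": (200, '<pre>Linux web01 5.15.0 x86_64\nsafe_mode: OFF\n'
                            'disable_functions: none</pre><form method="POST" '
                            'enctype="multipart/form-data"><input type="file" name="f">'
                            '<input type="text" name="cmd"></form>'),
    "/wp-content/uploads/shell.php": (200, '<html><h1>Support console</h1><form>'
                                           '<input name="cmd" placeholder="ticket command">'
                                           '</form><p>Ask the user to run whoami on their '
                                           'workstation.</p></html>'),
}


def fake_fetch(url: str) -> FetchResult:
    """Offline stand-in for http_fetch, serving the constructed sample site."""
    return SAMPLE_SITE.get(url[len(BASE):])


if __name__ == "__main__":
    for path, score in probe_host(BASE, fake_fetch):
        print(f"{BASE}{path}  score={score}")
```

Run against the sample site this flags three paths: the two shell-like pages and the benign support form, which crosses the threshold on a `name="cmd"` input plus the word "whoami" in help text. Any threshold low enough to catch stripped-down shells also catches pages like that one, which is why a scan of this kind should feed a manual review rather than an automated notification.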

Timeline

Date Description
06 Jan 2023 DIVD starts sorting Project Observer data.
19 Jan 2023 DIVD starts indexing common webshell locations.
20 Jan 2023 DIVD starts investigating automatic recognition of malicious web shells.
20 Jan 2023 DIVD decided to close the case as there was no reliable enough fingerprint to determine malicious files. No notifications were sent.

More information