Cybersecurity Insights

Benjamin Hosack

Website Data Compromise – What is a WEB SHELL?

02/03/15 16:13

Digital forensics in the small-medium online business is usually a busy part of our business – the start to this year has been no exception.  In fact, we have had the busiest start to a forensic year ever! 

This week there have been a few cases that are very similar – all having been compromised by “WEB SHELLS”.

What is a WEB SHELL?

A Web Shell is a piece of code that is loaded into the website, which allows the attacker to make modifications to the files in the web root directory of the server – this includes full access to the database.

In layman's terms – a Web Shell on your website means that your website is essentially fully accessible – including all the internal, private information and access – to the attacker. It has been fully hacked and compromised and you can assume that anything you have on that website, and in the databases behind your website, will have been stolen. In fact it is highly likely that the attacker is accessing your website to collect new credit card data on a frequent basis.

How is a WEB SHELL put on your website?

Web Shells are usually installed by compromising legitimate applications on a webserver, using techniques such as SQL Injection, Remote File Inclusion, an unsecured file upload facility, or brute-forced user credentials.

Are WEB SHELLS a regular form of attack?

Over 90% of the investigations that our forensic team carry out on small-medium online businesses have had some kind of WEB SHELL installed and used to extract data. They are highly prevalent.

What’s the risk?

Well, most of the online businesses that call us for help have some kind of API/store & forward type of arrangement with their payment processor.  In these cases, the attackers have been after the credit and debit cardholder data – and by the time we have been called to help, they have usually stolen everything in the database.

We also get online businesses who assume that, because they have a redirect to a hosted payment page on their payment processor’s servers, they are secure. The WEB SHELL is usually used to steal other customer data in these cases, such as names, addresses, passwords etc. However, the attackers can also modify the website to route transaction data through a different path – i.e. their own servers – while at the same time passing through to the hosted payment page. This is less frequently seen, but certainly on the rise as hosted payment pages become more prevalent. The myth that the website is secure by outsourcing the payment process is easily undone when an attacker has the ability to change how the website works.

How do you prevent WEB SHELLS from being installed on your website?

There are a number of ways that you can protect your website:

  1. Regularly test the web applications on your website – get a security testing team to conduct a web application security test on your website. This will tell you if you have vulnerable applications.
  2. Install a protective solution like FGX-Web Protect – the dual layer defence provides website file change monitoring and alerting, while also ensuring that any attacks on your website are filtered out before they hit your website.
  3. Ensure that your developers are releasing secure code through secure coding practices.
  4. Maintain complex passwords that are changed regularly.
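
The file change monitoring mentioned in the list above can be illustrated with a minimal baseline-and-compare check over the web root. This is an added example, not code from FGX-Web Protect or from the original post; the extension list, function names and sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: file extensions the web server would execute as code.
SCRIPT_EXTS = {".php", ".phtml", ".jsp", ".asp", ".aspx"}


def snapshot(web_root):
    """Map each file's path relative to web_root to its SHA-256 digest."""
    root = Path(web_root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare(baseline, current):
    """Return added, modified and removed files, plus the changes to alert on."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    # New or changed server-side scripts are the changes a web shell produces.
    alerts = [p for p in added + modified if Path(p).suffix.lower() in SCRIPT_EXTS]
    return {"added": added, "modified": modified, "removed": removed, "alerts": alerts}


def demo():
    """Constructed sample site: baseline, simulated changes, then the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'shop'; ?>")
        (root / "checkout.php").write_text("<?php echo 'pay'; ?>")
        (root / "style.css").write_text("body{}")
        baseline = snapshot(root)
        # Simulated unexpected changes with harmless placeholder content.
        (root / "uploads" / "img.php").write_text("<?php /* placeholder */ ?>")
        (root / "checkout.php").write_text("<?php echo 'pay'; ?><!-- edited -->")
        (root / "uploads" / "logo.png").write_bytes(b"\x89PNG")
        (root / "style.css").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline should be taken from a known-good deployment and stored outside the web root, so that someone who can write to the site cannot also rewrite the baseline.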

You can find out more about Website Security at