A Web Shell is a piece of code that is loaded onto the website and allows the attacker to modify the files in the web root directory of the server – which in practice includes full access to the database.
In layman's terms – a Web Shell on your website means that your website is essentially fully accessible – including all the internal, private information and access – to the attacker. It has been fully hacked and compromised, and you can assume that anything you have on that website, and in the databases behind your website, will have been stolen. In fact it is highly likely that the attacker is accessing your website on a frequent basis to collect new credit card data.
Web Shells are usually installed by compromising legitimate applications on a web server, using techniques such as SQL Injection, Remote File Inclusion, an unsecured file upload facility, or brute-forced user credentials.
Over 90% of the investigations that our forensic team carries out on small to medium online businesses find some kind of WEB SHELL installed and used to extract data. They are highly prevalent.
Well, most of the online businesses that call us for help have some kind of API or store-and-forward arrangement with their payment processor. In these cases, the attackers have been after the credit and debit cardholder data – and by the time we have been called to help, they have usually stolen everything in the database.
We also get online businesses who assume that because they redirect to a hosted payment page on their payment processor's servers, they are secure. In these cases the WEB SHELL is usually used to steal other customer data, such as names, addresses, passwords etc. However, the attackers can also modify the website to route transaction data through a different path – i.e. their own servers – while at the same time passing it through to the hosted payment page. This is less frequently seen, but certainly on the rise as hosted payment pages become more prevalent. The myth that the website is secure because the payment process is outsourced is easily undone when an attacker has the ability to change how the website works.
There are a number of ways that you can protect your website:
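One such protection, added here as an illustrative example rather than code from the original post: since a web shell is new or altered code sitting in the web root, a file-integrity baseline of that directory catches both a dropped shell and a modified checkout page. The script below assumes a web root path and a baseline file of your choosing; the list of server-side script extensions is a constructed starting point, not an exhaustive one.

```python
import hashlib
import json
import sys
from pathlib import Path

# Server-side script extensions: a new or changed file of one of these types in the
# web root is the most urgent thing to review (constructed list, extend for your stack).
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp", ".cgi", ".pl"}


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large uploads do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot: str) -> dict:
    """Map every file under the web root (relative POSIX path) to its SHA-256 hash."""
    root = Path(webroot)
    return {p.relative_to(root).as_posix(): hash_file(p) for p in root.rglob("*") if p.is_file()}


def compare_to_baseline(webroot: str, baseline: dict) -> dict:
    """Diff the live web root against a stored baseline.

    Returns added / removed / modified paths plus 'suspicious': the subset of added
    or modified files that are server-side scripts, i.e. candidate web shells or
    tampered checkout code that must be reviewed first.
    """
    current = build_baseline(webroot)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current.keys() & baseline.keys() if current[p] != baseline[p])
    suspicious = sorted(p for p in added + modified if Path(p).suffix.lower() in SCRIPT_EXTENSIONS)
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


if __name__ == "__main__":
    # usage: integrity.py baseline <webroot> <baseline.json>   (take a known-good snapshot)
    #        integrity.py check    <webroot> <baseline.json>   (run from cron, alert on output)
    mode, webroot, store = sys.argv[1:4]
    if mode == "baseline":
        Path(store).write_text(json.dumps(build_baseline(webroot), indent=2))
    else:
        print(json.dumps(compare_to_baseline(webroot, json.loads(Path(store).read_text())), indent=2))
```

Take the baseline from a known-good deployment and store it off the web server, so an attacker with a shell cannot simply rewrite it; re-baseline only after a legitimate release.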
You can find out more about Website Security at http://info.foregenix.com/website-security-whats-the-deal