PHP Web Shell Detection (China Chopper)

Nessus Network Monitor Plugin ID 9487 (Severity: High)

Synopsis

NNM detected suspicious Command and Control (CnC) activity.

Description

NNM detected suspicious activity that indicates a remote client interacting with the server and issuing commands through a remote web shell. Once the shell is uploaded, an attacker can use other techniques to escalate privileges and issue commands remotely. The remote commands run with the same privileges and functionality available to the web server process and may include the ability to add or delete files, run shell commands, and carry out additional exploitation.

Solution

Search for PHP scripts containing the 'eval()' function and conduct a forensic examination to determine how the malicious PHP payload was installed on the server. Also check for any additional unauthorized changes.
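The host-side search the Solution recommends, as an added example (this is not Tenable/NNM code, which detects the shell traffic on the network rather than on disk). It walks a web root, flags every PHP file that calls eval(), and raises the severity when eval() is fed a request superglobal directly, which is the shape of a minimal one-line PHP web shell; that superglobal heuristic and the file-extension list are assumptions, and the sample files it scans are constructed inline so it runs offline.

```python
"""Scan PHP files for eval() usage and flag the one-line web shell shape
(request data passed straight to eval). Added example, not NNM/Tenable code;
the superglobal heuristic is an assumption to be tuned per environment."""
import os
import re
import tempfile

# Any eval( call, including the error-suppressed form @eval(.
EVAL_RE = re.compile(r"@?\beval\s*\(", re.IGNORECASE)

# eval( whose argument comes directly from a request superglobal
# (optionally wrapped in base64_decode). Assumed triage heuristic.
SUPERGLOBAL_EVAL_RE = re.compile(
    r"@?\beval\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:POST|GET|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)

# Extensions the web server is assumed to execute as PHP.
PHP_EXTENSIONS = (".php", ".phtml", ".inc", ".php5")


def scan_php_source(text):
    """Return a list of (line_number, severity, stripped_line) findings.

    severity is 'high' when eval() consumes a request superglobal directly,
    'medium' for any other eval() call (still worth a manual look).
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SUPERGLOBAL_EVAL_RE.search(line):
            findings.append((lineno, "high", line.strip()))
        elif EVAL_RE.search(line):
            findings.append((lineno, "medium", line.strip()))
    return findings


def scan_directory(root):
    """Walk root, scan every PHP-like file, and return {path: findings}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings = scan_php_source(fh.read())
            except OSError:
                continue  # unreadable file; skip rather than abort the sweep
            if findings:
                results[path] = findings
    return results


# Constructed sample files (not real artefacts) so the scanner runs offline.
SAMPLES = {
    "index.php": "<?php\necho 'hello';\n",
    "uploads/img.php": "<?php @eval($_POST['cmd']); ?>\n",
    "lib/tpl.php": "<?php\n$out = eval('return ' . $expr . ';');\n",
}


def demo():
    """Write the samples to a temp dir, scan it, return findings keyed by relative path."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        raw = scan_directory(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): f
                for p, f in raw.items()}


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        for lineno, sev, line in findings:
            print(f"{sev.upper():6} {path}:{lineno}: {line}")
```

Point scan_directory() at the real document root in practice; a 'medium' hit in a templating library is often legitimate, while a 'high' hit inside an upload directory is the case the forensic examination above should start from.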

See Also

http://www.nessus.org/u?f8f16a4c

http://www.nessus.org/u?6ced9fad

http://www.nessus.org/u?91bfe369

http://www.nessus.org/u?56ab9d03

Plugin Details

Severity: High

ID: 9487

Family: Backdoors

Published: 9/2/2016

Updated: 1/16/2019