One of the most common methods used to compromise websites and gain administrative control is a hidden backdoor shell.

What is a Backdoor Shell and why do they exist?

A backdoor shell is malicious software uploaded to a website without the knowledge of the website owner, allowing a hacker to remotely control functions of the infected site. Backdoor shells are usually standalone files: there is no installation process, which makes them easy to upload and use to compromise a website. Backdoor shells were initially designed for security purposes and were used by internet security researchers to test websites for vulnerabilities.

What is the purpose of a Backdoor Shell?

The original function of backdoor shells has been turned to malicious use by hackers, who use them to infect webpages and gain control of various site functions. Once a shell is in place, the attack can involve a number of malicious activities using the hosting account, including:

  • Installing phishing pages
  • Sending spam emails
  • Uploading malware with a view to infecting website visitors
  • Defacing the homepage of your website
  • Obtaining your personal and financial information

How do they get on your sites?

There are several methods hackers use to install a backdoor shell, and the most common ones illustrate the importance of understanding and implementing good online security practices.

Password Compromise – Weak passwords are a killer when it comes to this kind of malware. A brute force attack can crack a basic password very quickly, after which the hacker can log in to your website and upload an infected file.

CMS Exploitation – Outdated Content Management System (CMS) versions are also vulnerable to a backdoor shell attack. Hackers can gain your administrative rights through security holes which may already have been patched in newer versions of your CMS.

Remote File Inclusion (RFI) – This attack technique targets poorly written web applications. A hacker can trick the web application into including a remote file that contains malicious code. In the worst case, this can be used to completely compromise the server.

How do I recover from a backdoor shell?

Due to the nature of the backdoor shell, once it has been uploaded it is very difficult to find: the files are often masked by encryption and are invisible to standard scans. MySiteGuard’s Hack Removal service will access your site as a system administrator and search for uploaded and modified files in order to identify the malicious file. They will then perform an automated scan to identify any vulnerabilities which may have allowed the backdoor shell to be uploaded.

The best way to protect yourself from a malicious attack is to ensure that you are running the latest version of your CMS, particularly for open source applications. Ensure you are running a virus scanning application such as ClamAV, which will scan for modified files or files that shouldn’t be there. MySiteGuard offers a Website Monitoring Service featuring automated scans to detect and block any attempts by hackers to upload a backdoor shell to your site.
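The two paragraphs above both rely on spotting uploaded or modified files. The following is an added example, not MySiteGuard's code or tooling: it records a SHA-256 baseline of a site's web root and later compares the live tree against it, reporting files that were added, modified, or removed. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (as a relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Compare a trusted baseline with the current tree.

    Added files in a web root (especially executable ones under an uploads
    directory) and unexplained modifications to existing files are exactly
    what a backdoor-shell cleanup looks for first.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name] != current[name]
    )
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: take a baseline of a clean site, then simulate a
    compromise by dropping an unexpected PHP file into the uploads directory
    and altering index.php, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "uploads").mkdir()
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (site / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed sample")
        baseline = snapshot(site)          # taken while the site is known-good

        # Constructed changes standing in for a compromise.
        (site / "uploads" / "cache.php").write_text("<?php /* unexpected file */ ?>\n")
        (site / "index.php").write_text("<?php echo 'hello'; /* altered */ ?>\n")
        return diff_snapshots(baseline, snapshot(site))


if __name__ == "__main__":
    print(demo())  # {'added': ['uploads/cache.php'], 'modified': ['index.php'], 'removed': []}
```

In practice the baseline is taken from a clean deployment (or regenerated after each legitimate update) and stored off the web server, so an intruder who can write to the web root cannot also rewrite the reference hashes.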