Instructions on how to detect web shells | Traficom

Instructions on how to detect web shells

Over the past few days, a considerable number of data breaches have been discovered in Microsoft Exchange email servers, with a web shell having been installed on the server. Installing web shells in the victim’s environment has been a common form of attack since last year, especially in conjunction with data breaches targeting Exchange servers.

The National Cyber Security Centre of Finland (NCSC-FI) requests all organisations that have an Exchange email server to at least carry out the measures defined in these instructions to detect any web shells. Eliminating vulnerabilities by installing updates alone is not enough to remove any web shells installed by an attacker. The recent data breaches do not concern Microsoft’s email servers provided as cloud services, such as Exchange Online and Microsoft 365 Business.

These instructions aim to provide a few simple tips on how to detect web shells on servers. Attackers also have a number of other tools in their arsenal; these are not discussed in these instructions. Traces of attempted exploitation of the CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 and CVE-2021-2685 vulnerabilities, fixed at the beginning of March, should be sought in the Exchange email server’s logs following Microsoft’s instructions.

The simplest way to detect web shell files is to check the email server’s directories that are exposed to the public network for any files that should not be there:

  • \inetpub\wwwroot\aspnet_client\
  • \inetpub\wwwroot\aspnet_client\system_web\
  • \<exchange install path>\FrontEnd\HttpProxy\owa\auth\
  • \<exchange install path>\FrontEnd\HttpProxy\ecp\
  • \<exchange install path>\ClientAccess\Owa\auth\
  • \<exchange install path>\ClientAccess\ecp\

Most web shell files have one of the following file extensions:

  • .aspx, .asmx, .asax, .ashx, .js, .php, .jsp, .cfm, .shtml

What to look for in each directory:

  • \inetpub\wwwroot\aspnet_client\ : any .aspx file in this directory or its sub-directories
  • \<exchange install path>\FrontEnd\HttpProxy\owa\auth\ : any file not included in the basic installation
  • \<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\ : any .aspx file in this directory or its sub-directories
  • \<exchange install path>\FrontEnd\HttpProxy\owa\auth\(version number)\ : any .aspx file in this directory or its sub-directories
  • \<exchange install path>\FrontEnd\HttpProxy\ecp\auth\ : any file other than TimeoutLogout.aspx

A more comprehensive way to detect additional harmful files is to compare the email server’s current directory structure with the basic installation (golden image).

Examples of files in each of the listed directories included in the basic installation of the Exchange 2013 email server installed on Windows Server 2012 are given below.

\<exchange install path>\FrontEnd\HttpProxy\owa\auth\

  • errorFE.aspx
  • ExpiredPassword.aspx
  • getidtoken.htm
  • logoff.aspx
  • logon.aspx
  • OutlookCN.aspx
  • RedirSuiteServiceProxy.aspx
  • signout.aspx
  • SvmFeedback.aspx

\<exchange install path>\ClientAccess\Owa\auth\

  • error.aspx
  • error2.aspx
  • expiredpassword.aspx
  • exppw.dll
  • logoff.aspx
  • owaauth.dll
  • signout.aspx

\<exchange install path>\ClientAccess\ecp\

(Several sub-directories)

  • About.aspx
  • CloseWindow.aspx
  • CommonMaster.Master
  • CrossPremise.aspx
  • default.aspx
  • error.aspx
  • Global.asax
  • Hybrid.aspx
  • HybridLogoutHelper.aspx
  • Microsoft.Office.CsmSdk.Resources.xml
  • Resources.xml
  • SDKMaster.Master
  • web.config
  • web.config.bak
  • Web.sitemap
In the Exchange 2016 and Exchange 2019 server versions, the basic installation of the directory

\<exchange install path>\FrontEnd\HttpProxy\owa\auth\

also includes the following file:

  • frowny.aspx

Another way to detect web shells is to search the files in the directories listed above, at a minimum, for certain character strings that often occur in web shell files. Suspicious strings include:

  • %eval
  • eval(
  • {eval
  • Request.Item[
  • Request.Form[

In some cases, the attacker has modified their .aspx files into new .ashx web shells written in C#. Suspicious strings of this type include:

  • StartInfo.FileName="cmd.exe";
  • StartInfo.FileName= "cmd" + "." + "exe";

These strings can also be searched for on the email server with PowerShell commands such as the following, run from the directory in which the Exchange server is installed (the -CaseSensitive switch means the pattern must match the exact spelling used in the files, e.g. FileName, not Filename):

  • Get-ChildItem -Path .\FrontEnd\HttpProxy\ -Recurse -File | Select-String -Pattern "%eval|eval\(|{eval|Request\.Item|Request\.Form" -CaseSensitive
  • Get-ChildItem -Path .\FrontEnd\HttpProxy\ -Recurse -File | Select-String -Pattern "StartInfo\.FileName" -CaseSensitive
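The following PowerShell script is an added example, not part of the NCSC-FI instructions; it combines the directory comparison and the string search above into one audit that returns one object per finding. It assumes the Exchange install path is available in the ExchangeInstallPath environment variable set by Exchange setup, that IIS content lives under C:\inetpub\wwwroot, and that the known-good file lists are the Exchange 2013 lists given above plus frowny.aspx (extend them for the installed version before relying on the results).

```powershell
# Added example (not from the NCSC-FI instructions). Returns one object per finding.
# Assumptions: $env:ExchangeInstallPath is set by Exchange setup, IIS content is under
# C:\inetpub\wwwroot, and the baseline lists are the Exchange 2013 lists above + frowny.aspx.
function Find-WebShellTraces {
    param(
        [string]$ExchangePath = $env:ExchangeInstallPath,
        [string]$InetPub = 'C:\inetpub\wwwroot'
    )
    # Known-good file names per directory, relative to the Exchange install path.
    $Baseline = @{
        'FrontEnd\HttpProxy\owa\auth' = @('errorFE.aspx','ExpiredPassword.aspx','getidtoken.htm',
            'logoff.aspx','logon.aspx','OutlookCN.aspx','RedirSuiteServiceProxy.aspx',
            'signout.aspx','SvmFeedback.aspx','frowny.aspx')
        'ClientAccess\Owa\auth'       = @('error.aspx','error2.aspx','expiredpassword.aspx',
            'exppw.dll','logoff.aspx','owaauth.dll','signout.aspx')
        'FrontEnd\HttpProxy\ecp\auth' = @('TimeoutLogout.aspx')
    }
    # 1. Files directly inside an audited directory that are not in its baseline
    #    (the name comparison is case-insensitive, like NTFS).
    foreach ($rel in $Baseline.Keys) {
        $dir = Join-Path $ExchangePath $rel
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File |
            Where-Object { $Baseline[$rel] -notcontains $_.Name } |
            ForEach-Object { [pscustomobject]@{ Finding = 'UnexpectedFile'; Path = $_.FullName; Modified = $_.LastWriteTimeUtc } }
    }
    # 2. .aspx files anywhere under aspnet_client or below owa\auth (Current\ and the
    #    version-numbered sub-directories contain none in a clean installation).
    #    The top level of owa\auth is already covered by step 1, so it is excluded here.
    $owaAuth = Join-Path $ExchangePath 'FrontEnd\HttpProxy\owa\auth'
    $aspxRoots = @((Join-Path $InetPub 'aspnet_client'), $owaAuth)
    Get-ChildItem -Path $aspxRoots -Recurse -File -Filter *.aspx -ErrorAction SilentlyContinue |
        Where-Object { $_.DirectoryName -ne $owaAuth } |
        ForEach-Object { [pscustomobject]@{ Finding = 'UnexpectedAspx'; Path = $_.FullName; Modified = $_.LastWriteTimeUtc } }
    # 3. Suspicious strings (the patterns listed above) in web-facing script files.
    $Pattern = '%eval|eval\(|\{eval|Request\.Item\[|Request\.Form\[|StartInfo\.FileName'
    $Ext = '*.aspx','*.asmx','*.asax','*.ashx','*.js','*.php','*.jsp','*.cfm','*.shtml'
    $roots = @((Join-Path $ExchangePath 'FrontEnd'), (Join-Path $ExchangePath 'ClientAccess'), $InetPub)
    Get-ChildItem -Path $roots -Recurse -File -Include $Ext -ErrorAction SilentlyContinue |
        Select-String -Pattern $Pattern -CaseSensitive |
        ForEach-Object { [pscustomobject]@{ Finding = 'SuspiciousString'; Path = $_.Path; Line = $_.LineNumber; Text = $_.Line.Trim() } }
}

# Run the audit and show the findings; pipe to Export-Csv to preserve them as evidence.
Find-WebShellTraces | Format-Table -AutoSize
```

Legitimate Exchange files can contain eval( or Request.Form[, so step 3 hits are leads to review against the golden image, not a verdict on their own.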

If any traces of web shells are detected, the situation must be handled as a data breach. As a result, it is vital to identify whether the attacker has been able to access the organisation’s other data systems more broadly. Tips on how to detect data breaches are available in the data breach detection guidelines published by NCSC-FI (in Finnish). As the investigation of a data breach requires extensive technical expertise and resources, assistance should be acquired from providers of information security services.

NCSC-FI is interested in all observations related to data breaches, and it provides victims with guidance in the investigation process. Contact the NCSC-FI Coordination Centre by emailing cert@traficom.fi.

Also remember to report any detected data breaches to the police and to submit any statutory report to the supervisory authority.
