Web Shell Attack

What Is Web Shell Attack? Explanation, Causes, Working and Risks

Reviewed By: Jay Thakker
Updated on: July 23, 2025
Reading Time: 11 Min
Published: July 11, 2025

This article explains what a web shell attack is, how it works, and why such attacks are increasing. It covers the scripting languages and types used, known examples like China Chopper and C99, and detection methods including file integrity monitoring and EDR. It also outlines how to defend against web shells using WAFs, IPS, and Zero Trust, and details the risks such attacks pose to server security and compliance.  

What is a web shell attack? 


A web shell is a malicious script or program uploaded to a web server to provide an attacker with remote access and administrative control. Once deployed, it enables the threat actor to execute arbitrary commands, manipulate server files and directories, and potentially pivot to other internal systems.  

Key characteristics of a web shell:

  • Typically written in languages supported by the web server software (e.g., PHP, ASP, JSP) 
  • Functions as a backdoor allowing continuous access 
  • Enables the attacker to bypass standard authentication and authorization mechanisms 
  • Is often designed to be difficult to detect, especially when obfuscated or embedded within legitimate web directories 

According to CISA Alert AA20-106A, web shells were present in nearly 60% of investigated cyber incidents in 2020 involving exploited web servers.  

Why are web shell attacks increasing? 


The rise in web shell attacks can be attributed to multiple converging factors: 

  • Abundance of Vulnerable Web Applications: Many legacy and third-party web applications lack robust security, making them easy targets. A 2023 report by IBM X-Force noted that over 37% of publicly facing web applications contained at least one exploitable vulnerability. 
  • Widespread Use of Common Programming Languages: Languages like PHP are extensively used in web development, making PHP web shells prevalent and effective. 
  • Remote Work and Cloud Adoption: Increased reliance on web services and external interfaces has expanded the attack surface. 
  • Evasion Capabilities: Web shells are difficult to detect, especially when encrypted or encoded to mimic legitimate code directories. 
  • Low Barrier to Entry: Pre-packaged web shells (e.g., China Chopper) are publicly available and require minimal technical expertise. 
  • Profitability: Web shells enable access to sensitive data and infrastructure, which can be monetized via data breaches, ransomware, or access resale. 

How does a web shell attack work? 

A web shell attack follows a structured sequence where the attacker exploits a web application vulnerability to upload and execute a malicious shell script. 

A successful web shell attack generally proceeds through the following stages:  

  • Reconnaissance: The attacker identifies a vulnerable web application or server software by scanning for outdated plugins, misconfigurations, or exposed endpoints. 
  • Initial Access: A malicious script—disguised as an image, file upload, or form input—is injected into the target web server via a known vulnerability (e.g., file upload bypass, LFI, or RCE). 
  • Web Shell Deployment: The malicious file (e.g., PHP, ASPX, JSP) is written to the server's web directory, allowing persistent access via HTTP/S. 
  • Command Execution: The attacker uses the web shell to execute arbitrary system commands, read/write files, and move laterally across the network. 
  • Persistence and Control: The shell is modified to evade detection and ensure resilience against reboots or remediation attempts. 
  • Exfiltration or Further Exploitation: Data is extracted, additional malware may be dropped, or the server is added to a botnet.
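The initial access and deployment stages above rely on an upload handler that accepts a script disguised as an image or a double-extension file. As an added defensive example (not code from the original article), this Python validator rejects such uploads and assigns a random server-side name so the attacker never controls the stored path; the allowed extensions, magic bytes and script markers are assumed policy values.

```python
import os
import re
import secrets
from typing import Optional, Tuple

# Assumed upload policy for an image-only endpoint (constructed for this example).
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Script markers that must never appear inside an "image"; this is a heuristic
# for polyglot files, the hard control is never executing the upload directory.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<%@|<%=|<script|<jsp:", re.IGNORECASE)

def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Accepts only a plain image with one extension."""
    base = os.path.basename(filename)          # drop any path traversal in the name
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:        # "shell.php.png" has two extensions
        return False, "name must be <stem>.<ext> with exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(MAGIC[ext]):        # declared type must match the bytes
        return False, "content does not match declared image type"
    if SCRIPT_MARKERS.search(data):            # valid header followed by a script body
        return False, "embedded script marker found"
    return True, "ok"

def stored_name(filename: str, data: bytes) -> Optional[str]:
    """Random name for storage outside the web root; None when the upload is rejected."""
    ok, _ = validate_upload(filename, data)
    if not ok:
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```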

What are common scripting languages used in web shells? 


Web shells are developed in scripting languages supported by the target web server. The most widely used languages include:  

1. PHP web shells

PHP web shells are among the most widely used in real-world cyber attacks due to the ubiquity of PHP in web development and web application servers. Threat actors frequently exploit vulnerabilities in web applications to upload a malicious .php script that acts as a command interface. 

  • A PHP web shell allows attackers to execute system commands remotely, upload or download files, and manipulate the server’s file system. 
  • These scripts typically run with the privileges of the compromised web server's process, enabling access to sensitive directories and application code. 
  • Common vectors for PHP shell injection include local file inclusion (LFI), remote file inclusion (RFI), and insecure file upload mechanisms. 
  • Since PHP is a server-side language, malicious activities via PHP shells often remain hidden from standard web traffic monitoring tools unless advanced threat detection is deployed.

2. ASP and ASP.NET web shells

ASP and ASP.NET web shells are crafted in Microsoft’s server-side frameworks and target IIS-based web servers. They exploit web application vulnerabilities or misconfigured server settings to deploy malicious .asp or .aspx files. 

  • These shells allow attackers to execute arbitrary commands via Windows command prompt or PowerShell, often resulting in privilege escalation or lateral movement within enterprise networks. 
  • They can also be used to read or write files, harvest credentials, or inject malicious code into legitimate web pages. 
  • ASP.NET web shells are often embedded with encryption or obfuscation routines, making detection by basic scanning tools ineffective. 

3. Python and Perl-based web shells

Python and Perl web shells are less common but remain effective in environments running older or niche web server technologies, especially Unix-based systems. 

  • These shells typically exploit web services that execute scripts via CGI (Common Gateway Interface), allowing shell access through .py or .pl files. 
  • They are often used in targeted attacks where custom tooling is preferred to evade signature-based detection. 
  • Attackers use these shells to perform remote code execution, collect system information, and pivot to other endpoints within the network.

4. File-based and command-based web shells

Web shells can be categorized based on their operational mechanism: file-based or command-based. 

  • File-based web shells: These rely on uploading malicious scripts (e.g., .php, .asp) to the server’s directories. Once deployed, they serve as persistent backdoors and are triggered via HTTP requests. These are easier to deploy in poorly configured web application servers. 
  • Command-based web shells: These shells operate by injecting commands directly through vulnerable input fields or parameters, such as those vulnerable to RFI, SQLi, or XSS. They often don’t require a physical file to be stored on the server, making them harder to find and remove. 

What are some examples of known web shells? 

Several known web shells are widely documented in cybersecurity research and have been used in sophisticated attacks. Each is optimized for specific server environments and objectives. 

  • China Chopper: A compact and powerful web shell widely used in APT campaigns. It features command execution, file management, and GUI control. It can run on both Windows and Linux systems and is notoriously difficult to detect. 
  • C99: A PHP-based shell with extensive features, including file browsing, MySQL control, and mass mailing. Often embedded into web pages to exploit outdated server software. 
  • WSO (Web Shell by Orb): Common in compromised WordPress installations. Offers encrypted communications, backdoor installation, and integration with various payloads. 
  • B374K: Another PHP shell used to perform code execution, directory traversal, and upload malware. It provides a user-friendly interface to manage remote systems. 

How Are Web Shells Detected? 

Web shells are typically detected in the following ways:

  • Web shells are detected by spotting unusual system command executions, file changes in web directories, odd HTTP request patterns, and suspicious user-agent strings. 
  • File Integrity Monitoring (FIM) alerts on unauthorized changes in source code, web directories, and configuration files—key for detecting injected malicious scripts. 
  • EDR solutions identify web shell activity by monitoring for unknown binaries, lateral movement, and matching behavior to known web shell indicators like China Chopper. 
  • Traffic analysis detects web shell activity by flagging abnormal HTTP methods, encoded POST data, irregular response sizes, and repetitive external communication. 
  • Pattern matching compares server activity to known malicious signatures, such as dangerous PHP functions, obfuscated payloads, or known web shell file names. 
  • Deobfuscation techniques decode base64, XOR, and embedded payloads in web shell scripts using tools like CyberChef or custom reverse engineering scripts. 
  • Automated detection tools such as WAF scanners, SIEMs, and static analyzers monitor for malicious activity, enabling early identification of web shell attacks. 
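The pattern-matching and file integrity monitoring bullets above combine well in practice: a hash baseline narrows the search to files that are new or modified, and weighted patterns flag the ones that look like a shell. This Python scanner is an added example, not the article's or any vendor's tool; its patterns, weights and threshold are assumptions, and the demo builds a constructed sample tree rather than real incident data.

```python
import hashlib
import pathlib
import re
import tempfile

# Heuristic patterns with weights (assumed values). Single functions occur in
# legitimate code; the combinations are what distinguish a web shell.
PATTERNS = [
    (re.compile(r"\b(eval|assert|system|exec|passthru|shell_exec|popen|proc_open)\s*\("), 2),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\["), 1),
    (re.compile(r"\b(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\("), 1),
    (re.compile(r"\b(move_uploaded_file|chmod|fwrite)\s*\("), 1),
]
THRESHOLD = 3

def score_source(src: str) -> int:
    """Sum of weights for every pattern present in the source text."""
    return sum(w for pat, w in PATTERNS if pat.search(src))

def baseline(root: str) -> dict:
    """SHA-256 of every file under root: the reference state for integrity checks."""
    files = (p for p in pathlib.Path(root).rglob("*") if p.is_file())
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest() for p in files}

def scan(root: str, known: dict) -> dict:
    """Files new or modified since the baseline that also score like a web shell."""
    current = baseline(root)
    changed = sorted(p for p, h in current.items() if known.get(p) != h)
    scores = {p: score_source(pathlib.Path(root, p).read_text(errors="ignore")) for p in changed}
    flagged = {p: s for p, s in scores.items() if s >= THRESHOLD}
    return {"changed": changed, "flagged": flagged}

def demo() -> dict:
    """Constructed sample tree: take a baseline, then drop a shell and tamper with a file."""
    root = tempfile.mkdtemp()
    def put(rel: str, text: str) -> None:
        p = pathlib.Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    put("index.php", "<?php echo base64_decode($greeting); ?>")  # benign decode, scores 1
    known = baseline(root)
    put("uploads/.cache.php", "<?php eval(base64_decode($_POST['z'])); ?>")  # classic one-liner
    put("index.php", "<?php echo 'hi'; system($_GET['c']); ?>")             # legitimate file tampered
    return scan(root, known)
```

Files deleted since the baseline are not reported here; a production FIM job would diff both directions and ship the result to the SIEM.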

How to prevent web shell attacks? 

Defending against web shell attacks requires a multi-layered approach that includes firewalls, WAFs, IPS, and strict network architecture. A Web Application Firewall (WAF) helps detect and block malicious payloads, preventing web shell injection by analyzing HTTP requests for known patterns and anomalies. Intrusion Prevention Systems (IPS) further strengthen defenses by monitoring network traffic for exploit attempts, while network segmentation restricts lateral movement from compromised web servers. Adopting a Zero Trust model enforces least-privilege access and continuous verification, reducing the risk of unauthorized script execution within web applications. According to Gartner, organizations using layered defenses that include EDR, WAF, and behavioral analytics reduced web shell dwell time by up to 62%. 

Continuous monitoring and Endpoint Detection and Response (EDR) are critical for identifying stealthy web shell activity that often bypasses traditional security tools. Real-time file integrity checks, log analysis, and abnormal traffic detection help uncover malicious commands and backdoor access attempts. EDR provides visibility into command execution, user behavior, and process anomalies, allowing rapid containment of compromised hosts. Together, these controls mitigate the impact of web shell attacks and protect your web server infrastructure with precision. 

What Are Some Recent Examples of Web Shell Attacks in 2025? 

Web shell attacks remain a serious cybersecurity threat in 2025, with major incidents reported across South Korea, France, and the United States. These attacks involve uploading malicious scripts to compromised servers, enabling remote code execution, persistent access, and data exfiltration. Here's a look at recent and widely publicized events that highlight the evolving danger of web shells: 

1. CISA Flags Actively Exploited Web Shell Vulnerability (CVE-2019-9621)

Date Added to KEV List: July 8, 2025
Location: United States 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2019-9621 to its Known Exploited Vulnerabilities (KEV) catalog after observing real-world exploitation. The vulnerability—commonly associated with Zimbra Collaboration Suite—is known to allow attackers to plant web shells and deploy Cobalt Strike payloads. CISA attributed the campaign to the Earth Lusca threat actor group and recommended immediate patching due to active exploitation in federal and enterprise environments. 

2. Zero-Day Exploits in Ivanti CSA Used for Web Shell Deployment

Date Disclosed: July 3, 2025
Initial Intrusions Traced Back To: September 2024
Location: France
Targeted sectors: government, telecom, media, finance 

A Chinese nation-state group exploited previously unknown zero-day vulnerabilities in the Ivanti Cloud Services Appliance (CSA) to infiltrate critical infrastructure in France. Affected sectors included government, telecommunications, media, and finance. Post-compromise analysis revealed the use of encrypted web shells and tunneling techniques to maintain stealthy, long-term access. The campaign represents a serious escalation in state-sponsored cyber espionage targeting edge appliances. 

3. South Korean Web Servers Breached via File Upload Vulnerabilities

Date Reported: June 30, 2025
Location: South Korea 

A coordinated campaign targeted Linux-based web servers across South Korea by exploiting insecure file upload mechanisms. Once inside, attackers deployed advanced remote access tools including MeshAgent and SuperShell, establishing persistent access through web shells. The attack demonstrated a multi-stage strategy combining traditional web server flaws with modern post-exploitation tooling. Investigations confirmed that the threat actors used obfuscated payloads to bypass detection. 

4. JSP Web Shells Dropped Through SAP NetWeaver Exploit

Date Reported: April 25, 2025
Location: Global (affecting SAP-based enterprises)
Target: SAP-based enterprises

A high-severity vulnerability in SAP NetWeaver was exploited in the wild to deploy JSP web shells via remote file inclusion (RFI). This allowed attackers to execute arbitrary commands on enterprise servers running Java-based applications. The exploit bypassed authentication controls and enabled full server compromise. The SAP advisory emphasized the need for immediate patching and rigorous input validation across all custom web modules.  

5. Telecom Breach via Long-Term Web Shell Access

Date Uncovered: March 24, 2025
Location: Asia (specific country undisclosed) 

An advanced persistent threat (APT) group known as Weaver Ant was found to have maintained covert access to a major Asian telecom provider for several years. Web shells were used to establish and manage encrypted tunnels for data exfiltration and surveillance. The attackers evaded detection by using living-off-the-land techniques and custom web shells designed to blend into legitimate traffic patterns.  

What Are the Risks of Web Shell Attacks? 

Web shell activity directly violates key cybersecurity compliance frameworks. The major risks of web shell attacks are:  

  • Web shells enable exfiltration of source code, credentials, database content, user files, system configurations, and PII, often bypassing antivirus detection.  
  • Attackers escalate privileges by exploiting OS vulnerabilities, misconfigured permissions, scheduled tasks, and environment variables to execute commands with admin rights. 
  • Web shells allow compromised servers to launch DDoS attacks, join botnets, act as C2 nodes, and propagate malware while evading detection through normal web traffic. 
  • Persistent access via web shells leads to repeated compromises, silent data harvesting, credential theft, supply chain attacks, and pivoting to internal systems. 
  • Web shells undermine compliance by violating GDPR, HIPAA, PCI-DSS, erasing logs, bypassing access controls, and exposing gaps in WAF, FIM, and endpoint protection. 

The Equifax breach (2017) involved web shell-like access to unpatched Apache Struts servers, compromising over 145 million records. 

Siddhartha Shree Kaushik
Siddhartha Shree Kaushik is a Senior Cyber Security Expert at Eventus with extensive technical expertise across a spectrum of domains including penetration testing, red teaming, digital forensics, defensible security architecture, and Red-Blue team exercises within modern enterprise infrastructure.
