Threat Detection Library

Troj/WebShel

Troj/WebShel indicates that Sophos has detected a malicious webshell.

Webshells are malicious scripts or tools which are placed on a webserver by a threat actor as part of an attack, often as a backdoor to enable access in the future.

Webshells can be written in a variety of languages and target a variety of servers. For example, there could be a webshell on IIS written in ASP.NET, or a webshell written in PHP that targets Apache on Linux.

Webshells typically target servers accessible on the public internet such as web or email servers. Attackers can often use this as a “front door” to get a foothold they can use to penetrate deeper into an organization’s internal network.

Usually, attackers deploy webshells by attacking weak passwords or unpatched vulnerabilities in the Internet-facing server. In both the ProxyShell and Log4Shell attacks, webshells were deployed by attackers exploiting unpatched vulnerabilities.

The exact functionality of different webshells may differ, but they typically provide a threat actor with a means to remotely execute code on the infected webserver.
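The common denominator the paragraph above describes, a script that turns HTTP request input into code or command execution, is also what defenders look for on disk. The following is an added example written for this page, not Sophos detection logic: a heuristic scanner that walks a web root and flags scripts combining an execution primitive with request input or decoding helpers. The file extensions, regexes, the 300-byte "tiny file" threshold and the fixture files are all assumptions chosen here; the fixtures are constructed and the flagged one is deliberately inert.

```python
"""Heuristic scan of a web root for webshell-like scripts.

Added example for this page; it is not Sophos detection code. It looks for
the combination the page describes: a code or command execution primitive
fed from HTTP request input, or hidden behind decoding/obfuscation calls.
Extensions, patterns and thresholds are assumptions chosen for this example.
"""
import os
import re
import tempfile

# Execution primitives by script family: the calls a webshell ultimately
# needs in order to run attacker-supplied commands or code.
EXEC_PATTERNS = {
    "php": re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I),
    "asp": re.compile(r"\b(Process\.Start|ExecuteGlobal|Execute|Eval)\s*\(", re.I),
    "jsp": re.compile(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder", re.I),
}
# Where untrusted request input enters each family.
INPUT_PATTERNS = {
    "php": re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b"),
    "asp": re.compile(r"\bRequest\s*(\.\s*(Form|QueryString|Params|Headers|Item))?\s*[\[(]", re.I),
    "jsp": re.compile(r"request\.getParameter\s*\(", re.I),
}
# Decoding helpers commonly used to hide a payload from a plain grep.
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|FromBase64String)\s*\(", re.I)

EXT_TO_FAMILY = {
    ".php": "php", ".phtml": "php", ".php5": "php", ".php7": "php",
    ".asp": "asp", ".aspx": "asp", ".ashx": "asp", ".asmx": "asp",
    ".jsp": "jsp", ".jspx": "jsp",
}

def classify_source(family, text):
    """Return the list of indicators present in one script's source text."""
    reasons = []
    if EXEC_PATTERNS[family].search(text):
        reasons.append("exec-primitive")
    if INPUT_PATTERNS[family].search(text):
        reasons.append("request-input")
    if OBFUSCATION.search(text):
        reasons.append("obfuscation")
    # Very short scripts that still execute request input are the classic one-liner shell.
    if "exec-primitive" in reasons and "request-input" in reasons and len(text) < 300:
        reasons.append("tiny-file")
    return reasons

def is_suspicious(reasons):
    """An execution primitive alone is normal in site code; combined with input or decoding it is not."""
    return "exec-primitive" in reasons and ("request-input" in reasons or "obfuscation" in reasons)

def scan_webroot(root):
    """Walk root and return {relative_path: indicators} for suspicious scripts only."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            family = EXT_TO_FAMILY.get(os.path.splitext(name)[1].lower())
            if family is None:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = classify_source(family, fh.read())
            if is_suspicious(reasons):
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings

# Constructed fixtures (not real site code): three benign files and one inert
# file that carries the indicator combination without being a working shell.
FIXTURES = {
    "index.php": "<?php\n$page = $_GET['page'] ?? 'home';\necho htmlspecialchars($page);\n",
    "cron/cleanup.php": "<?php\n// maintenance task with a fixed command, no request input\nexec('rm -f /tmp/cache-*');\n",
    "uploads/img.php": "<?php\n// constructed fixture, intentionally inert\n$a = $_POST;\nshell_exec('');\n",
    "Default.aspx": "<%@ Page Language=\"C#\" %>\n<h1>Welcome</h1>\n",
}

def demo():
    """Write the fixtures to a temporary web root, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in FIXTURES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_webroot(root)

if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

Only uploads/img.php is reported: index.php reads request input but never executes it, and cron/cleanup.php executes a fixed command with no request input, so neither trips the combined rule. A scan like this is a triage aid, not a verdict; hits still need a human to confirm, and heavily encoded shells will only show the "obfuscation" indicator.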

One use of webshells is to deploy malware on the infected website to infect others. This is a "reputation hijacking" in which a malicious page or payload gets hosted on a legitimate, trusted website.

Another use of webshells is to provide “persistence,” which is ongoing access to the network for the attackers. This is one way attackers are able to apparently “re-infect” networks even after steps have been taken to try and eject them.

When a webshell is detected, it is not enough to remove the webshell. If the underlying vulnerability or security weakness is not addressed as well, attackers can very easily redeploy the same or another webshell.

Similarly, webshells deployed in attacks that exploit vulnerabilities are not automatically removed when the vulnerability is patched; the webshell must also be found and removed. Otherwise the now-patched system is still compromised.
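Because patching does not remove a webshell that is already on the server, a practical post-remediation check is to compare the web root against the inventory taken at deployment time and then ask which of the added or changed files have been receiving POST requests. The following is an added example written for this page, not Sophos tooling: it hashes a web root into a baseline, re-inventories it, computes the drift, and correlates the drifted files with access-log entries. The baseline-at-deployment assumption, the combined log format and the constructed file tree and log lines are all choices made for this example.

```python
"""Post-remediation drift check: which web root files changed since the
last known-good deployment, and which of them have been hit by POST requests.

Added example for this page, not Sophos tooling. It assumes a baseline
inventory taken at deployment time and an access log in the Apache/nginx
combined format; the file tree and log lines below are constructed samples.
"""
import hashlib
import os
import re
import tempfile

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def inventory(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256 hex digest."""
    inv = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            inv[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return inv

def drift(baseline, current):
    """Files present now but absent at deployment, and files whose content changed."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and baseline[p] != current[p])
    return added, modified

def parse_access_log(lines):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def correlate(drifted, log_lines):
    """POST requests that reached a drifted file: {file: [(client_ip, timestamp), ...]}."""
    suspects = set(drifted)
    hits = {}
    for rec in parse_access_log(log_lines):
        rel = rec["target"].split("?", 1)[0].lstrip("/")   # drop query string and leading slash
        if rec["method"] == "POST" and rel in suspects:
            hits.setdefault(rel, []).append((rec["ip"], rec["ts"]))
    return hits

# Constructed fixtures: the tree as deployed, and the same tree after an incident
# in which one file was altered and one file appeared that was never deployed.
DEPLOYED = {
    "index.php": "<?php echo 'home';\n",
    "lib/db.php": "<?php // db helper\n",
    "robots.txt": "User-agent: *\n",
}
AFTER_INCIDENT = dict(DEPLOYED)
AFTER_INCIDENT["lib/db.php"] = "<?php // db helper\n// extra line appended after deployment\n"
AFTER_INCIDENT["images/cache.php"] = "<?php // file that was never deployed\n"

ACCESS_LOG = [  # constructed log lines in combined format; one is deliberately unparseable
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "POST /images/cache.php?x=1 HTTP/1.1" 200 84',
    '203.0.113.9 - - [10/Oct/2023:14:02:11 +0000] "POST /images/cache.php HTTP/1.1" 200 91',
    '192.0.2.33 - - [10/Oct/2023:14:10:00 +0000] "GET /lib/db.php HTTP/1.1" 403 199',
    'garbage line that does not parse',
]

def write_tree(root, files):
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)

def demo():
    """Baseline at deployment, re-inventory after the incident, then correlate with the log."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, DEPLOYED)
        baseline = inventory(root)
        write_tree(root, AFTER_INCIDENT)   # overwrite db.php and add the new file
        added, modified = drift(baseline, inventory(root))
    hits = correlate(added + modified, ACCESS_LOG)
    return added, modified, hits

if __name__ == "__main__":
    added, modified, hits = demo()
    print("added:", added)
    print("modified:", modified)
    for rel, clients in hits.items():
        print(f"{rel}: POSTed to by {clients}")
```

The drift step surfaces both the appended line in lib/db.php and the never-deployed images/cache.php; the correlation step then shows that only the new file has been receiving POST requests, which is where a responder should look first. The same comparison run again after cleanup, against the baseline rather than the compromised state, is the check that the webshell really is gone.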

You can find information about webshell attacks on the Sophos X-Ops blog here.

If you believe this detection is incorrect, please report this file to Sophos Support.

Send samples to our lab for analysis.

Submit a Sample