Weevely is an advanced PHP web shell in which each deployed shell instance is managed as an agent from a command-line client. The initial PHP script (the agent) is a functional backdoor for dynamic remote administration, and the request traffic between client and agent is obfuscated to evade detection. Separate modules extend the framework with a wide range of functionality. Weevely should be considered significantly more complex and refined than other popular web shells.
- The attacker discovers a pre-compromise exploit vector (a vulnerability or an insecure coding practice) on the target web application.
- The attacker uploads the generated PHP agent to the web server.
- If the upload succeeds and the uploaded resource is reachable (this depends on the target infrastructure), the attacker drives further post-compromise activity on the operating system through the command-line Weevely tool.
The attacker must be able to send crafted HTTP requests to the target web server.
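Because the agent described above is obfuscated PHP dropped onto the web server, a complementary check to network detection is scanning the document root for files that look like obfuscated shells. The scanner below is an added example and is not Alert Logic's signature logic or Weevely's own code; its scoring rules (dynamic function names, identifiers built from string fragments, request data fed straight into execution functions, long high-entropy literals) are generic assumptions about how web shells are written, and the three PHP samples are constructed for illustration rather than taken from any real Weevely output.

```python
"""Heuristic scanner for obfuscated PHP web shells.

Added example: the rules below are generic assumptions about web-shell
obfuscation, not Alert Logic's IDS signatures and not Weevely's agent code.
"""
import math
import re
from collections import Counter

# Functions commonly abused by web shells to decode or execute payloads.
SUSPICIOUS_CALLS = (
    "eval", "assert", "create_function", "base64_decode", "str_rot13",
    "gzinflate", "gzuncompress", "system", "exec", "shell_exec",
    "passthru", "popen", "proc_open",
)
SUSPICIOUS_CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(")
# Request data passed directly to an execution function, e.g. system($_GET['cmd']).
EXEC_FROM_REQUEST_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|eval|assert)\s*\(\s*\$_(GET|POST|COOKIE|REQUEST)\b")
# A variable used as the function name, e.g. $f('x', ...): dynamic dispatch.
DYNAMIC_CALL_RE = re.compile(r"\$[A-Za-z_]\w*\s*\(")
# Function names assembled from short literal fragments, e.g. 's' . 'tr_rep' . 'lace'.
SPLIT_LITERAL_RE = re.compile(r"'[A-Za-z0-9_]{1,8}'\s*\.\s*'[A-Za-z0-9_]{1,8}'")
SUPERGLOBAL_RE = re.compile(r"\$_(GET|POST|COOKIE|REQUEST|SERVER)\b")
STRING_LITERAL_RE = re.compile(r"'([^'\\]*)'|\"([^\"\\]*)\"")

ENTROPY_MIN_LEN = 32      # only long literals are judged on entropy
ENTROPY_THRESHOLD = 4.5   # bits per character; prose literals usually stay near 4.0 or below
FLAG_THRESHOLD = 5        # total score at which a file is reported


def shannon_entropy(text: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_php_source(src: str) -> dict:
    """Score one PHP source file and list the indicators that fired."""
    indicators = []
    score = 0

    calls = sorted(set(m.group(1) for m in SUSPICIOUS_CALL_RE.finditer(src)))
    if calls:
        score += 2 * min(len(calls), 3)  # cap so one noisy file cannot dominate
        indicators.append("suspicious calls: " + ", ".join(calls))
    if EXEC_FROM_REQUEST_RE.search(src):
        score += 4
        indicators.append("request data passed straight to an execution function")
    if DYNAMIC_CALL_RE.search(src):
        score += 2
        indicators.append("variable used as a function name")
    if SPLIT_LITERAL_RE.search(src):
        score += 3
        indicators.append("identifier assembled from string fragments")
    if SUPERGLOBAL_RE.search(src):
        score += 1
        indicators.append("reads request superglobals")
    for m in STRING_LITERAL_RE.finditer(src):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        if len(literal) >= ENTROPY_MIN_LEN and shannon_entropy(literal) > ENTROPY_THRESHOLD:
            score += 2
            indicators.append(f"high-entropy literal ({len(literal)} chars)")
            break  # one hit is enough; do not stack points per literal
    return {"score": score, "flagged": score >= FLAG_THRESHOLD, "indicators": indicators}


# Constructed samples for illustration; none of them is real Weevely output.
BENIGN = """<?php
// Contact form handler
$name = htmlspecialchars($_POST['name'] ?? '');
echo "Hello, " . $name;
"""

PLAIN_SHELL = """<?php system($_GET['cmd']); ?>"""

OBFUSCATED_SHELL = """<?php
$k = 'aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vWxYzCqRbD';
$a = 's' . 'tr_rep' . 'lace';
$b = $a('x', '', 'bxaxsxex6x4x_xdxexcxoxdxe');
$d = $a('x', '', 'cxrxexaxtxex_xfxuxnxcxtxixoxn');
$f = $d('', $b($_COOKIE['p']));
$f();
"""

if __name__ == "__main__":
    samples = (("benign", BENIGN), ("plain shell", PLAIN_SHELL),
               ("obfuscated shell", OBFUSCATED_SHELL))
    for name, src in samples:
        result = score_php_source(src)
        print(f"{name}: score={result['score']} flagged={result['flagged']}")
        for indicator in result["indicators"]:
            print("  -", indicator)
```

The benign handler scores only for reading a superglobal and stays under the threshold, the plain shell is caught by the execution-from-request rule even though it is not obfuscated, and the obfuscated sample is caught without any suspicious function name appearing literally in the file, which is the case a plain keyword grep misses. Treat the thresholds as a starting point to tune against your own code base; string-heavy legitimate files (minified assets, embedded keys) will need allow-listing.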
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to this threat and has developed signatures to detect it, depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this threat as detected via Alert Logic Threat Manager™. If a signature matches, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Weevely itself is not a product vulnerability, so the mitigation is to close the pre-compromise exploit vector that allowed the agent to be uploaded: upgrade any affected software to a non-vulnerable version and fix the insecure coding practice behind the upload, then remove the uploaded PHP agent from the web server.