A PHP web shell named Alfa-Shell has been in circulation since 2013 and appears to originate in Iran. The shell has a plethora of features, such as SQL connection, port scanner, fake mail, hidden shell (WSO), CMS hijacker and mass defacer. A remote attacker can install the shell via an arbitrary file upload vulnerability. Once it is installed, the attacker can systematically compromise the victim's server.
- A malicious user exploits a vulnerability in a server to upload the Alfa-Shell to the victim’s system.
- The server responds indicating that the upload has been successful.
- The malicious user executes commands on the server via the Alfa-Shell.
The attacker must have utilized some other vulnerability or exploit to inject the malicious payload onto the victim host.
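The upload-then-execute chain above leaves a recognisable footprint in web server access logs. The following Python is an added example, not part of the advisory and not an Alert Logic signature: it scans constructed combined-format log lines for server-side scripts served from an upload directory and notes whether the same client POSTed to an upload endpoint first. The directory and endpoint lists are assumptions to be adapted per site.

```python
"""Added example (not from the advisory): flag a server-side script being served
from an upload directory, the footprint of a web shell planted through an
arbitrary file upload bug. Log lines are constructed; path lists are assumed."""
import re
from collections import defaultdict

LOG_RE = re.compile(  # Apache/nginx combined format; only the fields used here
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
UPLOAD_DIRS = ("/uploads/", "/files/")   # assumed: should hold static files only
UPLOAD_ENDPOINTS = ("/upload.php",)      # assumed: the site's legitimate upload handler
# Script extensions, including double extensions such as image.php.jpg
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar)(\.|$)', re.I)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None  # None for lines that do not parse

def find_webshell_activity(lines):
    """Return {(ip, path): {"hits", "methods", "prior_upload"}} for 2xx requests to
    script files under UPLOAD_DIRS; prior_upload = client POSTed to an upload endpoint."""
    uploaders = set()
    findings = defaultdict(lambda: {"hits": 0, "methods": set(), "prior_upload": False})
    for line in lines:
        r = parse_line(line)
        if not r:
            continue
        path = r["path"].split("?", 1)[0]      # drop query string before matching
        if r["method"] == "POST" and path in UPLOAD_ENDPOINTS:
            uploaders.add(r["ip"])
        if not (path.startswith(UPLOAD_DIRS) and SCRIPT_EXT.search(path)
                and r["status"].startswith("2")):
            continue
        f = findings[(r["ip"], path)]
        f["hits"] += 1
        f["methods"].add(r["method"])
        f["prior_upload"] = f["prior_upload"] or r["ip"] in uploaders
    return dict(findings)

SAMPLE_LOG = [  # constructed, RFC 5737 test addresses
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /uploads/cmd.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /uploads/cmd.php?a=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:14:01:00 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 40231 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:14:02:00 +0000] "GET /uploads/img.php.jpg HTTP/1.1" 200 300 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Oct/2023:14:03:00 +0000] "GET /uploads/old.php HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (ip, path), f in find_webshell_activity(SAMPLE_LOG).items():
        print(f"{ip} -> {path}: {f['hits']} hit(s) {sorted(f['methods'])} uploaded first: {f['prior_upload']}")
```

The 404 hit and the plain image are deliberately excluded, while the double-extension file is flagged even though no upload POST preceded it.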
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures for this exploit. When Alert Logic Threat Manager™ detects traffic matching a signature, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
The attacker must have exploited some other entry vector to place the malicious files on the victim machine. Ensure that all software patches are applied on hosts exposed to the internet.