A PHP web shell named Alfa-Shell has been in circulation since 2013 and appears to originate in Iran. The shell has a plethora of features, such as SQL connection, port scanner, fake mail, hidden shell (WSO), CMS hijacker, mass defacer, etc. A remote attacker can install the shell via an arbitrary file upload vulnerability. Once it is installed, the attacker can systematically compromise the victim's server. The author has consistently updated the tool since 2013, releasing three further versions, each differing subtly from the original implementation.
- A malicious user exploits a vulnerability in a server to upload the Alfa-Shell to the victim’s server.
- The server responds indicating that the upload has been successful.
- The malicious user executes commands on the server via the Alfa-Shell.
The attacker must be able to send crafted packets to the target system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) in Alert Logic Threat Manager™ has been updated with new signatures for this exploit. If a signature is triggered, an incident is generated in the Alert Logic console.
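The IDS signatures above are Alert Logic's own. As an added illustration (not part of this advisory or of any Alert Logic product), the same three-step flow can be spotted in ordinary web server access logs: a successful POST from a client, followed by that client requesting a script file under the upload directory. The log lines, the /uploads/ directory and the upload endpoint are constructed assumptions, not indicators from a real incident.

```python
import re

# Constructed sample access log lines (Apache combined format); not from a real incident.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /uploads/alfa.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "POST /uploads/alfa.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:00 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:05 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 40000 "-" "Mozilla/5.0"
"""

# client IP, method, path and status code from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Assumed location where the application writes uploaded content; adjust per site.
UPLOAD_DIRS = ("/uploads/",)
# Server-side script extensions that should never be reachable under an upload directory.
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")


def parse(line):
    """Return a dict with ip/method/path/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status)}


def find_shell_sequences(log_text):
    """Return (ip, script_path) pairs where a client first made a successful POST
    (step 1, the upload) and later fetched a script under an upload directory
    (step 3, commands issued through the uploaded file)."""
    uploaders = set()   # clients that completed an upload-style POST
    hits = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        in_upload_dir = ev["path"].startswith(UPLOAD_DIRS)
        if ev["method"] == "POST" and ev["status"] == 200 and not in_upload_dir:
            uploaders.add(ev["ip"])
        elif in_upload_dir and ev["path"].lower().endswith(SCRIPT_EXTS) and ev["status"] == 200:
            if ev["ip"] in uploaders and (ev["ip"], ev["path"]) not in hits:
                hits.append((ev["ip"], ev["path"]))
    return hits


if __name__ == "__main__":
    for ip, path in find_shell_sequences(SAMPLE_LOG):
        print(f"possible web shell: {ip} uploaded then requested {path}")
```

Any script file served from an upload directory is suspicious on its own; the POST correlation only adds the ordering that the advisory describes.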
Recommendations for Mitigation
The shell does not arrive on its own: the attacker must first have exploited some other entry vector, such as the arbitrary file upload vulnerability described above, for the malicious files to become resident on the victim machine. Identifying and remediating that entry vector closes the installation path.