The Accesson.php web shell is a simple web shell with two main functions: executing PHP code and uploading arbitrary files. After the attacker has successfully uploaded the web shell to the target system, they can execute PHP code by sending scripted commands to the shell. This lightweight shell has been observed being used to upload more robust shells with more functionality.
- A remote, unauthenticated attacker uploads the Accesson web shell to a vulnerable server.
- The server responds successfully indicating that the shell has been uploaded.
- The attacker can either execute PHP code via the ‘id’ parameter or upload files via the ‘up’ parameter.
The attacker must have exploited some other entry vector to allow the malicious files to become resident on the victim machine.
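One way to hunt for this activity in web server access logs, as an added example that is not Alert Logic's signature: it flags every request to a file named Accesson.php and records whether the ‘id’ or ‘up’ parameter appears. The combined log format, the function name, and the sample lines are assumptions made for the example, and because the page does not say whether the parameters travel in the query string or the request body, any request to the file is reported.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2019:10:01:02 +0000] "POST /uploads/Accesson.php?up=1 HTTP/1.1" 200 17 "-" "curl/7.58.0"
203.0.113.7 - - [12/Mar/2019:10:01:09 +0000] "GET /uploads/accesson.php?id=PLACEHOLDER HTTP/1.1" 200 512 "-" "curl/7.58.0"
198.51.100.4 - - [12/Mar/2019:10:02:00 +0000] "GET /index.php?id=42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2019:10:03:00 +0000] "GET /Accesson.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_accesson_hits(log_text):
    """Return one dict per request whose path ends in /accesson.php (any case)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/accesson.php"):
            continue  # an 'id' parameter on other pages is normal traffic
        # Only query-string parameters are visible in access logs; parameters
        # sent in a POST body will not show up here.
        params = parse_qs(url.query, keep_blank_values=True)
        used = sorted(p for p in ("id", "up") if p in params)
        # Heuristic: a 2xx answer suggests the file is present on the server.
        severity = "high" if status.startswith("2") else "probe"
        hits.append({"ip": ip, "time": ts, "method": method, "path": url.path,
                     "status": int(status), "params": used, "severity": severity})
    return hits

if __name__ == "__main__":
    for hit in find_accesson_hits(SAMPLE_LOG):
        print(hit)
```

A "high" hit warrants checking the named path on disk and reviewing the same client's earlier requests for the entry vector that placed the file.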
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures that detect this exploit via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Ensure that all internet-facing hosts have the most up-to-date patches applied.