The Ironshell PHP web shell consists of a web interface that allows a malicious user to compromise a target system. With the shell installed, an attacker can execute OS commands, execute PHP code, alter files, access MySQL databases, and upload other files to further compromise the system. The web shell could be uploaded to the target system through a vulnerability or misconfigured application.
- The attacker uploads the Ironshell PHP web shell to a vulnerable web server.
- The web server responds indicating that the upload has been successful.
- The attacker acts on their objectives by executing arbitrary code on the target system.
The attacker must have exploited some other entry vector to allow the malicious files to become resident on the victim machine.
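A defensive check built on the capabilities listed above, as an added example that is not from Alert Logic or this advisory: it flags PHP files in a web root that combine several of those capability classes. The PHP function names per class, the threshold of three classes, and the file suffixes are assumptions of this example, not Ironshell signatures.

```python
import re
import sys
from pathlib import Path

# Capability classes come from the description above; the PHP functions chosen
# for each class are this example's assumption, not Ironshell signatures.
CAPABILITIES = {
    "os_command": ["system", "exec", "shell_exec", "passthru", "popen", "proc_open"],
    "php_eval": ["eval", "assert", "create_function"],
    "file_write": ["fwrite", "file_put_contents", "unlink", "chmod", "rename"],
    "mysql": ["mysql_connect", "mysql_query", "mysqli_connect", "mysqli_query"],
    "upload": ["move_uploaded_file"],
}
# The lookbehind skips method calls ($pdo->exec), static calls (Foo::exec) and
# longer names (curl_exec); PHP function names are case-insensitive.
PATTERNS = {
    cap: re.compile(r"(?<![\w$>:])(?:%s)\s*\(" % "|".join(names), re.IGNORECASE)
    for cap, names in CAPABILITIES.items()
}
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}  # assumed handler mappings

# Constructed sample: inert call shapes only, not code from any real shell.
SAMPLE = "<?php $o = shell_exec($c); eval($p); move_uploaded_file($t, $d); ?>"


def capabilities(php_source):
    """Return the set of capability classes whose functions are called."""
    return {cap for cap, rx in PATTERNS.items() if rx.search(php_source)}


def scan(webroot, threshold=3):
    """List (path, classes) for PHP files combining at least `threshold` classes."""
    hits = []
    for path in sorted(Path(webroot).rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            caps = capabilities(path.read_text(errors="replace"))
            if len(caps) >= threshold:
                hits.append((str(path), sorted(caps)))
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for found, caps in scan(sys.argv[1]):
            print(found, ",".join(caps))
    else:
        print(sorted(capabilities(SAMPLE)))
```

Legitimate administration tools can combine the same classes, so hits are candidates for review rather than verdicts.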
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures that detect this exploit via Alert Logic Threat Manager™. When one of these signatures fires, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Ensure that all public internet-facing hosts have available patches applied and are sufficiently hardened for public access.