An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

News | April 22, 2020

Detect & Prevent Cyber Attackers from Exploiting Web Servers via Web Shell Malware

Malicious cyber actors have increasingly leveraged web shells to gain or maintain access on victim networks. Web shell malware is software deployed by a hacker, usually on a victim’s web server, that can execute arbitrary system commands, commonly sent over HTTPS. To harden and defend web servers against this threat, NSA and the Australian Signals Directorate have issued a dual-seal Cybersecurity Information Sheet (CSI). This product contains valuable information on how to detect and prevent web shell malware from affecting Department of Defense and other government web servers, though the guidance would likely also be useful for any network defenders responsible for maintaining web servers.

Web shell malware has been a threat for years and continues to evade detection from most security tools. Malicious cyber actors are increasingly leveraging this type of malware to get consistent access to compromised networks while using communications that blend in well with legitimate traffic. This means attackers might send system commands over HTTPS or route commands to other systems, including to your internal networks, which may appear as normal network traffic.

This CSI contains detection techniques, along with links to signatures and lists maintained on GitHub. This report also highlights prevention techniques and recovery guidance. NSA encourages network defenders who maintain web servers to review this technical guidance and apply the mitigations as appropriate.

To read more, check out NSA's Cybersecurity Advisories & Technical Guidance at