Hello and welcome to the Wednesday, April 8,

2006 edition of the Sands Internet Storms Centers.

Stormcast, my name is Johannes Ulrich, recording you today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu graduate certificate program in cyber defense operations.

Now, today I did as the title of today's diary states a little bit of pivoting, looking for web shells.

I noticed four distinct IP addresses all associated interestingly with Microsoft's cloud

services that scanned our sensors for a specific web shell, turkshell.php.

Nothing that sort of fancy or special about this particular webshell, but web shells are sort

of the backdoor, the type of persistent mechanisms being deployed against vulnerable web applications, either with remote code execution or with an arbitrary file upload vulnerability.

And then they're not just used by the original attacker, but they're also parasitic attackers.

And that's apparently

what we have here that are looking for pre-installed web shells and are trying to exploit them,

because attackers often don't pick strong passwords either. And that's what I then looked in.

Further looked at those four IP addresses and what other URLs they were scanning and turned

out, well, it was over 200 different URLs they looked for. All of them apparently associated

with web shells. There were a couple in there where I think they looked for war on abilities

or really just did some fingerprinting

on the site to see maybe what particular web shell may be present.

One of the things here, one of the themes in the file names was also that many of them

tried to sort of fit in with WordPress websites.

And well, that's no surprise with all the WordPress vulnerabilities around these days.

And of course, that being sort of a favorite attacker target.

...