Reverse shell attacks are one of the most common ways that hackers gain control over a computer. It may seem like a strange concept, but it’s fairly simple: a reverse shell is created when someone manages to get into a computer and create a connection back to them.
The goal of a reverse shell attack is usually to steal important data or install malware on the victim’s machine. As with most forms of cybercrime, however, any damage by these attacks can be hard to trace back to the source. That creates a challenge for law enforcement and data security experts, who often rely on forensic evidence to track down the perpetrators.
Let’s take a look at reverse shell attacks and what companies can do to protect themselves from them.
What Are Reverse Shell Attacks?
Reverse shell attacks are a common threat to web servers, especially those running PHP. PHP reverse shell attacks happen when an attacker creates a backdoor into a server through some means of remote access. The attacker uses that backdoor to gain access to the server and execute commands as if they were logged in on the server itself.
Hackers execute reverse shell attacks using Python, Java, or Node.js to create a connection from the attacker’s computer back to their victim’s computer. It’s called a reverse shell because it allows the attacker to “shell out” of their current process on their computer and connect back to their victim’s computer via an established connection. At this point, they can connect to their victim’s machine as though they were operating that machine directly and knew its credentials.
Understanding the Mechanics of Reverse Shell Attacks
Underneath the hood, many reverse shell attacks involve the execution of commands like exec bin sh or the use of scripts in languages such as Perl — giving rise to techniques known as perl reverse shell. These techniques exploit file descriptors to manipulate data flow and maintain control over the targeted system.
To facilitate connection between the attacker’s machine and the target, TCP/IP sockets, symbolized by terms such as inet sock stream getprotobyname and sock stream getprotobyname tcp, are used. A socket is an endpoint for sending or receiving data across a computer network. In the context of a reverse shell attack, the attacker uses commands like socket s pf inet to create a socket and set the protocol family to PF_INET, which is indicative of the IPv4 Internet protocol.
The attacker then connects this socket to the victim’s machine using commands such as connect s sockaddr. The ‘sockaddr_in p inet’ argument indicates the internet protocol address to be used for the connection. If the connection is successful, this socket can be used to send and receive data from the victim’s machine.
Once a connection is established, attackers often execute a command such as bash i dev, which opens a bash shell on the victim’s computer, allowing them to execute commands. To handle input and output, the attacker often employs methods to open the standard I/O channels, stdin, stdout, and stderr — with commands such as stdin s open stdout, stdout s open stderr, and open stderr s exec bin.
In essence, understanding these underlying processes helps in decoding the way reverse shell attacks function. More importantly, by being familiar with these techniques, system administrators and security professionals can better anticipate, detect, and mitigate such attacks.
The Method of a Reverse Shell Attack
An employee receives an email with an attachment or link in it. They then click on the attachment or link and instantly download some malicious software onto their computer. That’s how the attacker gets their reverse shell connection. The attacker can then execute commands on the machine and do whatever they want with it.
Once the hacker has access, they can:
• Access company files
• Steal sensitive client or proprietary information
• Use it as a zombie to launch attacks against other machines in the network
That’s why it’s imperative to protect the network against data breaches that come in the form of reverse shell attacks.
Why Hackers Use Reverse Shell Attacks
This is a common tactic for hackers because it allows them to control computers and steal information without being physically present. It’s also hard to detect and stop.
Reverse shells are often part of a larger attack, such as ransomware or phishing scams. Hackers who have already gained access to a system through another method — and want to get deeper into the system without being detected — can use a reverse shell attack. Hackers who use reverse shell attacks are often very skilled at coding, as well as being able to identify weaknesses in their targets’ systems.
Best Practices for Preventing Reverse Shell Attacks
The most common way for hackers to use reverse shell attacks is by sending malware through phishing emails or other social engineering tactics. They then wait until the victim logs into their account and executes the code. The hacker can then gain control of the account and steal whatever data they want.
The only real way to prevent this type of attack is to have a robust security solution installed and ready to go across the entire network. However, there are some things companies can do to protect themselves:
Use Strong Passwords
Strong passwords are the first line of defense against reverse shell attacks, as they protect a system against brute force attacks by requiring more than one guess for each character typed in. Companies can use a password manager to generate strong passwords, or they can use a combination of random words that is easy to remember but hard for others to guess.
Strong passwords should be long and complex (at least 12 characters long); contain numbers and symbols; and never include personal information like names, addresses, phone numbers, or birthdays. They should also be unique for every account on a given computer.
Audit and Update Software Regularly
Static Application Security Testing (SAST) is a method of detecting security issues in applications before they are deployed. It’s a software-testing strategy that analyzes code for vulnerabilities that can be exploited before the application is used in production. Companies use SAST to identify and fix vulnerabilities before cybercriminals can exploit them.
In addition, system administrators need to have all necessary updates installed. They should also be using a firewall and updating it regularly. Consider installing an intrusion detection system (IDS), which can help to alert when someone is trying to access a system in an unauthorized manner.
Patches and upgrades should be applied as soon as possible after they’re released, since these patches are often the result of known vulnerabilities in a piece of software or hardware. Updating software regularly is critical for security.
Be Careful Opening Email Attachments
Email attachments are a common way for hackers to infect computers. Opening an attachment can allow a hacker to take over a computer and steal personal information or harm others.
Even if an email looks like it’s from a friend or a legitimate company, that doesn’t mean the attachment is safe to open. Some cybercriminals use false emails to trick others into opening their malicious files. Inform employees that if they don’t recognize the sender, they shouldn’t open the attachment! If they’re not sure whether an attachment is actually from the source it appears to be from, they should check with the apparent sender or with the security team before clicking or downloading anything.
Use a Firewall
Using firewalls can help prevent reverse shell attacks as well. Firewalls block traffic coming from outside networks. If there are no open ports on the system, it can’t be accessed by someone else using a reverse shell attack method.
A good firewall can:
• Block incoming connections that aren’t allowed by policy
• Block outgoing connections unless they’re explicitly allowed by policy
• Monitor inbound and outbound traffic so that admins know when someone is trying to access the system without authorization
For reverse shell attacks, this can mean knowing if someone is trying to access the system from an IP address that’s not on the allowed list. It’s a good way to detect an attack before it succeeds.
Stopping Reverse Shell Attacks in Their Tracks
Cybersecurity is an ongoing concern, not only for individual businesses but for large corporations and governments as well. Mitigating the risks is the best option companies have to protect themselves from this type of vulnerability. The good news is that there are tools out there that can help do just that.
Kiuwan’s software security solutions, for instance, can help companies monitor and detect reverse shell attacks in their early stages. We help businesses conduct Software Composition Analysis (SCA) that can help them stay ahead of the curve when it comes to reverse shell attacks. Be sure to check out our managed application security services for more information on how we can help keep computers safe from threats like these.