If a web server is initiating suspicious outbound traffic to a low-reputation IP address, the most likely cause is that a web shell has been deployed to the server through an unauthenticated upload page. Learn how to identify and prevent web shell attacks.
Question
A company web server is initiating outbound traffic to a low-reputation, public IP on non-standard ports. The web server is used to present an unauthenticated page to clients who upload images to the company. An analyst notices a suspicious process running on the server that was not created by the company development team. Which of the following is the most likely explanation for this security incident?
A. A web shell has been deployed to the server through the page.
B. A vulnerability has been exploited to deploy a worm to the server.
C. Malicious insiders are using the server to mine cryptocurrency.
D. Attackers have deployed a rootkit Trojan to the server over an exposed RDP port.
Answer
A. A web shell has been deployed to the server through the page.
Explanation
The most likely explanation for this security incident is that a web shell has been deployed to the server through the unauthenticated image upload page (Option A).
A web shell is a malicious script or program that attackers upload to a web server to gain remote access and control. Once deployed, a web shell allows the attacker to execute commands, steal data, upload additional malware, and pivot to other systems.
In this scenario, the company web server hosts an unauthenticated page where clients can upload images. This is a common attack vector, as attackers can craft a malicious image file containing the web shell code and upload it to the server. If the upload functionality is not properly secured and validated, the malicious file can be executed, deploying the web shell.
The suspicious outbound traffic to a low-reputation IP address on non-standard ports is likely the web shell communicating with the attacker’s command and control (C2) server. This allows the attacker to send commands to the compromised server and exfiltrate data.
The suspicious process running on the server that was not created by the development team is probably the web shell itself or additional malware deployed by the attacker after gaining initial access through the web shell.
The other options are less likely:
- A worm (Option B) is standalone malware that self-propagates, which doesn’t fit the scenario of a compromised upload page.
- Cryptocurrency mining (Option C) by malicious insiders would consume significant system resources and is unlikely to generate suspicious outbound traffic to external IPs.
- A rootkit trojan (Option D) deployed over RDP would require the RDP port to be exposed, which is not mentioned in the question. The suspicious traffic is more consistent with an uploaded web shell.
To prevent web shell attacks, it’s critical to secure all upload functionality by validating file types, scanning uploaded files for malware, and handling them only in a sandboxed environment where they can never be executed by the web server. Keeping all web applications and servers up to date and performing regular security monitoring are also important defenses.
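The upload-validation advice above, as an added example that is not part of the original page: a small Python validator (names and limits are assumptions) that checks the file content against an allowlist of image types instead of trusting the client-supplied name, then stores the file under a random server-chosen name outside the web root so nothing uploaded can ever be executed as a script.

```python
import os
import secrets
from pathlib import Path

# Constructed allowlist for this example: permitted extensions and the magic
# bytes a genuine file of that type must start with.
MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit for this example


def validate_upload(client_name: str, data: bytes) -> str:
    """Return the allowlisted extension if the upload is acceptable, else raise ValueError.

    The decision is made on the *content* (magic bytes), not only on the
    client-supplied name, so a script renamed to 'photo.jpg' or a
    double-extension name like 'x.php.jpg' is rejected unless it really
    carries image bytes.
    """
    if not data or len(data) > MAX_BYTES:
        raise ValueError("empty or oversized upload")
    ext = Path(client_name).suffix.lower()  # only the final suffix is considered
    if ext not in MAGIC:
        raise ValueError(f"extension {ext!r} is not allowed")
    if not any(data.startswith(m) for m in MAGIC[ext]):
        raise ValueError("content does not match the declared image type")
    return ext


def store_upload(client_name: str, data: bytes, upload_dir: str) -> Path:
    """Write a validated upload under a random name in a non-web-served directory.

    The client's filename never reaches the disk, and the file is created
    without execute permission, so even a file that slipped past the content
    check cannot be requested or run as a web shell.
    """
    ext = validate_upload(client_name, data)
    target_dir = Path(upload_dir)  # assumed to be outside the document root
    target_dir.mkdir(parents=True, exist_ok=True)
    dest = target_dir / f"{secrets.token_hex(16)}{ext}"
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest
```

Magic-byte checks alone do not catch every polyglot file, so re-encoding images with an image library and keeping the upload directory non-executable and non-served remain the stronger controls.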
CompTIA SY0-701 certification exam assessment practice questions and answers (Q&A), including multiple choice questions (MCQ) and objective-type questions, with detailed explanations and references available free, to help you pass the CompTIA SY0-701 exam and earn the CompTIA SY0-701 certification.