Web shells remain a popular way for attackers to maintain persistence on a compromised web server: they often drop a small file through an arbitrary-file-write or remote-code-execution vulnerability and use it later to execute further payloads.
The diary notes an initial probe for the well-known turkshell[.]php from four IPs (20.48.232[.]178, 20.215.65[.]23, 51.12.84[.]116 and 51.103.130[.]249), which on that day appeared to be assigned to Microsoft. This raises the possibility of an attacker targeting systems inside Microsoft's cloud environment, or of a single compromised organisation using multiple addresses, according to SANS[.]edu.
A query of the ISC database yielded 287 hits for other URLs these IPs probed, with the top targets including wp-content, ms-edit[.]php, av[.]php and a number of wp-related paths, suggesting a pattern aimed at WordPress sites. The list of potential web shell indicators was acknowledged as incomplete, and the author warned that scanning for exact filenames often yields false positives.
The piece concludes with practical steps: eradicate remote code execution or file upload vulnerabilities, restrict document-root file uploads, and monitor for filesystem changes, noting that scanning for specific filenames is not reliably effective.
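As an added example (not code from the diary), the following Python script demonstrates the filesystem-change monitoring the diary recommends over filename matching: it baselines a document root by hash and reports any newly added or modified server-executable file, whatever it is called. The directory layout, file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions the web server would execute if a file with them lands in the document root.
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".phar"}

def snapshot(docroot):
    """Map each regular file under docroot (relative POSIX path) to its SHA-256."""
    root = Path(docroot)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(baseline, current):
    """Compare two snapshots. Any added or modified server-executable file is
    reported as suspicious regardless of its name, so a web shell dropped under
    an innocuous filename is still caught."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    suspicious = [p for p in added + modified if Path(p).suffix.lower() in EXECUTABLE_EXTS]
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}

def demo():
    """Constructed scenario: baseline a WordPress-like docroot, then simulate a
    PHP file appearing in the uploads directory and index.php being tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        baseline = snapshot(root)
        # Post-compromise changes (constructed placeholders, not a real payload)
        (root / "wp-content" / "uploads" / "cache.php").write_text("<?php /* placeholder */")
        (root / "index.php").write_text("<?php /* modified */ require 'wp-blog-header.php';")
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored off-host and the comparison run on a schedule, with the uploads directory additionally configured so the server never executes files from it.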