AhnLab EPP

Last updated Dec 2, 2025

Web Shell Detected

Detects web shell files in AhnLab EPP V3 malware alert logs.

Query

The AhnLab V3 antivirus engine names web shell detections with signatures prefixed WebShell/, for example WebShell/JSP.Generic.S1910. The rule therefore extracts alerts whose signature field begins with WebShell/; the trailing * in the query is a wildcard that matches the remainder of the signature name.

| search signature == "WebShell/*"

Message

  • AhnLab EPP V3 Web Shell Detected: Host $host_ip, Malware $signature

Field Order

  • _log_time, hostname, host_ip, emp_name, dept_name, signature, file_path, file_status, md5
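The matching, message and field projection described under Query, Message and Field Order, applied to constructed alert records. This is an added example, not code from the page or from AhnLab; the sample alerts are made up, and the case-sensitive handling of the glob is an assumption to verify against the platform's own wildcard comparison.

```python
"""Added example: the rule's glob match, alert message and field projection
applied to constructed AhnLab EPP alert records. Not part of the original page."""
import fnmatch

PATTERN = "WebShell/*"  # the rule's signature glob; '*' matches the rest of the name
MESSAGE = "AhnLab EPP V3 Web Shell Detected: Host {host_ip}, Malware {signature}"
FIELD_ORDER = ["_log_time", "hostname", "host_ip", "emp_name", "dept_name",
               "signature", "file_path", "file_status", "md5"]

# Constructed sample alerts (not real telemetry). Only the first should fire:
# the second is a different malware family, the third has a lowercase prefix
# that the case-sensitive match below rejects.
SAMPLE_ALERTS = [
    {"_log_time": "2025-12-02 09:14:03", "hostname": "WEB01", "host_ip": "10.10.1.21",
     "emp_name": "svc_web", "dept_name": "Infra",
     "signature": "WebShell/JSP.Generic.S1910",
     "file_path": "C:\\inetpub\\wwwroot\\upload\\cmd.jsp",
     "file_status": "quarantined", "md5": "0" * 32,
     "extra_field": "dropped by projection"},
    {"_log_time": "2025-12-02 09:15:40", "hostname": "PC-112", "host_ip": "10.10.5.112",
     "emp_name": "jkim", "dept_name": "Sales",
     "signature": "Trojan/Win.Generic.C4",
     "file_path": "C:\\Users\\jkim\\Downloads\\invoice.exe",
     "file_status": "deleted", "md5": "1" * 32},
    {"_log_time": "2025-12-02 09:16:02", "hostname": "WEB02", "host_ip": "10.10.1.22",
     "emp_name": "svc_web", "dept_name": "Infra",
     "signature": "webshell/PHP.Small",
     "file_path": "/var/www/html/img/x.php",
     "file_status": "quarantined", "md5": "2" * 32},
]


def matches_rule(alert):
    """Glob match on the signature field.

    fnmatchcase is case-sensitive on every platform (plain fnmatch follows the
    OS). Assumption: the detection platform's own wildcard comparison may
    differ in case handling; confirm before depending on it.
    """
    return fnmatch.fnmatchcase(alert.get("signature", ""), PATTERN)


def project(alert):
    """Keep only the rule's fields, in the documented order; missing -> ''."""
    return [alert.get(field, "") for field in FIELD_ORDER]


def build_message(alert):
    """Render the rule's alert message from the host_ip and signature fields."""
    return MESSAGE.format(host_ip=alert.get("host_ip", "?"),
                          signature=alert.get("signature", "?"))


def run_rule(alerts):
    """Apply the rule: filter, then emit message plus projected row per hit."""
    return [{"message": build_message(a), "row": project(a)}
            for a in alerts if matches_rule(a)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_ALERTS):
        print(hit["message"])
        print(hit["row"])
```

The projection step is what keeps the alert row consistent with the documented field order even when the raw log carries extra columns; the third sample shows why the case handling of the wildcard is worth checking against the real platform before trusting the rule across all signature spellings.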

Threat Analysis

  • A web shell is a type of malicious script that attackers upload to a server to perform remote command execution, file manipulation, and deployment of additional malware.
  • Detection of a web shell indicates that the server may already be compromised, or at least that an attacker has succeeded in uploading a malicious script, which can serve as a persistence mechanism.
  • Web shells are commonly installed by exploiting web server or web application vulnerabilities, or by abusing file upload functionality, so immediate investigation is required.

False Positive

  • Rare false positives may occur when internally developed or operational tools containing JSP or PHP scripts are misidentified.
  • However, files matching a WebShell/ signature should not normally exist in a legitimate environment, so the false-positive likelihood is very low.

Response Actions

  • Review the file path and contents of the detected file to determine whether it is an actual web shell.
  • If a web shell is present, isolate the server and investigate the scope of compromise using web server access logs, firewall session logs, and process creation records.
  • Check for additional malicious scripts uploaded to the same server and verify whether unauthorized administrative accounts have been created.
  • Conduct a web application vulnerability assessment to close or secure upload paths or vulnerable functionalities, and strengthen web server access control and web firewall policies.
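A first triage pass for the file review step above, as an added example that is not part of the original page or of AhnLab's tooling: it confirms that the file on disk is the one the alert reported (by recomputing the md5 the alert carries) and then looks for the pairing a web shell needs, a request-input source together with a command-execution sink. The indicator strings, the sample JSP files and the verdict names are illustrative assumptions, not AhnLab signatures.

```python
"""Added triage example for a WebShell/ alert: verify the reported file's md5,
then look for request-input sources paired with execution sinks.
Not part of the original page; indicator lists are illustrative assumptions."""
import hashlib
import os
import tempfile

# Illustrative indicators (assumption, deliberately incomplete). A web shell
# needs both an input source and an execution sink; a legitimate page often
# has only the source, which is the false-positive case the rule notes.
SOURCES = ["request.getParameter(", "$_GET[", "$_POST[", "$_REQUEST[", "php://input"]
SINKS = ["Runtime.getRuntime().exec(", "ProcessBuilder(", "shell_exec(",
         "passthru(", "system(", "eval("]


def md5_of(path):
    """Streamed md5 so large files are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def indicator_hits(content):
    """Plain substring search; crude on purpose (e.g. 'filesystem(' hits 'system(')."""
    return {"sources": [s for s in SOURCES if s in content],
            "sinks": [s for s in SINKS if s in content]}


def triage(alert):
    """Verdict for one alert's file_path/md5 pair.

    hash_mismatch: the file changed after the alert fired, so whatever the
    engine saw is no longer what is on disk; treat as hostile until explained.
    """
    path = alert["file_path"]
    if not os.path.exists(path):
        return {"verdict": "file_missing", "md5_match": None, "hits": None}
    md5_match = md5_of(path) == alert["md5"].lower()
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        hits = indicator_hits(f.read())
    if not md5_match:
        verdict = "hash_mismatch"
    elif hits["sources"] and hits["sinks"]:
        verdict = "likely_web_shell"
    else:
        verdict = "review"  # no source+sink pair: manual review, possible false positive
    return {"verdict": verdict, "md5_match": md5_match, "hits": hits}


# Constructed sample files (assumption, not real detections): one fragment that
# passes a request parameter to a process launcher, one ordinary form page.
SAMPLE_FILES = {
    "cmd.jsp": '<% String c = request.getParameter("c"); /* constructed sample */\n'
               '   Runtime.getRuntime().exec(c); %>\n',
    "form.jsp": '<% String name = request.getParameter("name"); %>\n'
                '<p>Hello <%= name %></p>\n',
}


def run_demo():
    """Write the samples to a temp dir and triage three constructed alerts."""
    root = tempfile.mkdtemp()
    paths = {}
    for name, body in SAMPLE_FILES.items():
        paths[name] = os.path.join(root, name)
        with open(paths[name], "w", encoding="utf-8") as f:
            f.write(body)
    alerts = [
        # md5 as the engine would have reported it at detection time
        {"signature": "WebShell/JSP.Generic.S1910", "file_path": paths["cmd.jsp"],
         "md5": md5_of(paths["cmd.jsp"])},
        {"signature": "WebShell/JSP.Generic.S1910", "file_path": paths["form.jsp"],
         "md5": md5_of(paths["form.jsp"])},
        # alert md5 no longer matches the file: it was modified after detection
        {"signature": "WebShell/JSP.Generic.S1910", "file_path": paths["cmd.jsp"],
         "md5": "0" * 32},
    ]
    return [triage(a)["verdict"] for a in alerts]


if __name__ == "__main__":
    print(run_demo())
```

The md5 check matters because the file the engine flagged and the file an analyst opens an hour later are not guaranteed to be the same object; a mismatch is itself a finding. The source-plus-sink heuristic is only a triage aid for deciding review order, not a replacement for reading the file, and the string lists should be extended for the languages and frameworks actually deployed.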

MITRE ATT&CK