On the IBM Security Intelligence site there's a new article posted talking about webshells. For those not familiar with webshells, they're scripts that can be used to control servers or work as a platform to access other systems put in place by attackers. In this article they introduce some of the basics around webshells and the rise they're seeing in their use.
The IBM X-Force Research team reported an increase in PHP C99 webshell attacks in April 2016. More recently, webshells dubbed b374k made their mark with attacks that the team has been tracking over the past few months.
Although this blog highlights some features of the b374k shell, the main objective is to call your attention to the fact that PHP applications are becoming an increasingly popular choice for attackers aiming to glean your data and deface your website without much hard work. This threat should be pushed to the top of your priority list — primarily because of the power of the tool used for this type of attack, but also because of the startling increase in this attack type this year.
They start off with some of the basics of webshells, more related to the PHP versions: what they are, what kind of functionality they commonly provide and an example of the UI of a shell. They then talk about some of the common delivery methods, potential entry points of these attacks and some of the "indicators of compromise" you can use to detect them. They also include mitigations you can perform to rid yourself of these webshells including adding additional plugins/software and locking down features of PHP itself.