Webshells Hiding in .well-known Places

    Published: 2025-09-25. Last Updated: 2025-09-25 14:24:49 UTC
    by Johannes Ullrich (Version: 1)

    Every so often, I see requests for files in .well-known recorded by our honeypots. As an example:

    GET /.well-known/xin1.php?p
    Host: [honeypot host name]
    

    The file names indicate that they are likely looking for webshells. In my opinion, the reason they are looking in .well-known is that this makes a decent place to hide webshells without having them overwritten by an update to the site.

    The .well-known directory is meant to be used for various informational files [1] and, for example, for ACME TLS challenges. As a result, it is the only directory or file starting with "." that must be accessible via the web server. But it is also "hidden" to Unix command line users. I have written about the various legitimate uses of .well-known before [2].

    We also see some requests for PHP files in the acme-challenge subdirectory, as well as the pki-challenge subdirectory.

    Here are some of the more common, but not "standard" URLs in .well-known hit in our honeypots:

    /.well-known/pki-validation/about.php
    /.well-known/about.php
    /.well-known/acme-challenge/cloud.php
    /.well-known/acme-challenge/about.php
    /.well-known/pki-validation/xmrlpc.php
    /.well-known/acme-challenge/index.php
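
    One way to triage these requests in your own web server logs (an added example, not part of the original diary): it flags requests for server-side script files under /.well-known/ and separates plain probes from requests that received a 2xx answer. The log lines, IP addresses, and the extension list are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed list of server-side script extensions; adjust to your handlers.
SCRIPT_EXT = (".php", ".phtml", ".phar", ".asp", ".aspx", ".jsp", ".cgi")

# Combined Log Format: ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def classify(line):
    """Return (ip, path, status, verdict) for a script request under
    /.well-known/, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    # Drop the query string, decode percent-encoding, and lowercase, so
    # /%2Ewell-known/About.PHP?p is matched like /.well-known/about.php.
    path = unquote(urlsplit(target).path).lower()
    if not path.startswith("/.well-known/"):
        return None
    # Check every segment: /about.php/extra still reaches about.php when
    # the server passes trailing path info to the script.
    if not any(seg.endswith(SCRIPT_EXT) for seg in path.split("/")):
        return None
    # A 2xx means something answered at that path: look at the file on disk.
    # Sites with a catch-all handler may answer 200 for any path.
    verdict = "INVESTIGATE" if status.startswith("2") else "probe"
    return ip, path, int(status), verdict

def scan(lines):
    """Classify every log line and keep only the flagged requests."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation IP ranges, made-up sizes).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2025:10:00:01 +0000] "GET /.well-known/xin1.php?p HTTP/1.1" 404 153
192.0.2.10 - - [25/Sep/2025:10:00:02 +0000] "GET /.well-known/acme-challenge/about.php HTTP/1.1" 200 5120
198.51.100.7 - - [25/Sep/2025:10:01:00 +0000] "GET /.well-known/acme-challenge/EXAMPLE-TOKEN HTTP/1.1" 200 87
198.51.100.7 - - [25/Sep/2025:10:02:00 +0000] "GET /.well-known/security.txt HTTP/1.1" 200 300
192.0.2.44 - - [25/Sep/2025:10:03:00 +0000] "POST /%2Ewell-known/pki-validation/About.PHP HTTP/1.1" 200 12
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(*hit)
```

    Legitimate ACME tokens and files such as security.txt have no script extension and are not flagged.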

     

     

    [1] https://datatracker.ietf.org/doc/html/rfc8615
    [2] https://isc.sans.edu/diary/26564

     --
    Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

    Keywords: wellknown webshells