[unisog] WebShell4

Michael Holstein michael.holstein at csuohio.edu
Thu Sep 29 20:09:27 GMT 2005

> We’ve been having difficulty getting a lid on our students that are 
> bypassing our content filtering with proxy services such as proxify and 
> now…a service called WebShell4.  I’m curious, has anyone had an issue with 
> this sort of thing, and if so, would you mind talking with me about any 
> solutions you might have implemented?  Thanks…

It's impossible to implement technical solutions to what are management 
problems. That said ...

I'd use a Snort sig to identify proxied HTTP requests (there are some on 
bleedingsnort). Then I'd blackhole them on the firewall.

Since you mention two services specifically, install them yourself, 
figure out what networks they talk to, use whois to find out how big 
that netblock is, then block it.

You can even deal with the encrypted ones this way.

Personally .. I'd make a note of who's using them ahead of time .. then 
monitor those users specifically because they'll try to find other ways 
once you block the first. Knowing what they're trying will allow you to 
stay ahead of the game.


Michael Holstein CISSP GCIA
Cleveland State University
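
The workflow described in the message above (spot proxied requests, block the whole netblock they go to, and note which users sent them), as an added example that is not part of the original post. It assumes that a proxied request shows up as an absolute-URI request line or a CONNECT; the log format, the addresses and the whois-derived netblock list are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log: client IP, destination IP, HTTP request line.
SAMPLE_LOG = """\
10.1.4.22 198.51.100.17 GET http://example.org/index.html HTTP/1.1
10.1.9.80 203.0.113.5 GET /news/today.html HTTP/1.1
10.1.7.3 198.51.100.200 CONNECT example.net:443 HTTP/1.1
10.1.9.80 192.0.2.44 GET http://example.com/ HTTP/1.0
"""

# Constructed stand-in for netblocks looked up by hand with whois.
KNOWN_NETBLOCKS = ["198.51.100.0/24"]

# Assumption: a request sent to a proxy carries an absolute URI in the
# request line, or uses CONNECT to open a tunnel.
PROXY_LINE = re.compile(
    r"^(?:[A-Z]+ (?i:https?)://\S+|CONNECT \S+:\d+) HTTP/1\.[01]$"
)


def is_proxied(request_line):
    """True if the request line has the proxy-style shape assumed above."""
    return bool(PROXY_LINE.match(request_line.strip()))


def analyse(log, netblocks):
    """Return (netblocks to block, {client: netblocks it used})."""
    nets = [ipaddress.ip_network(n) for n in netblocks]
    block = set()
    watch = defaultdict(set)
    for line in log.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not is_proxied(parts[2]):
            continue
        client, dest, _ = parts
        addr = ipaddress.ip_address(dest)
        # Use the whole netblock when whois gave one, else the single host.
        net = next((n for n in nets if addr in n), ipaddress.ip_network(dest))
        block.add(net)
        watch[client].add(str(net))
    return [str(n) for n in sorted(block)], {c: sorted(v) for c, v in watch.items()}


if __name__ == "__main__":
    to_block, users = analyse(SAMPLE_LOG, KNOWN_NETBLOCKS)
    print("block:", to_block)
    print("watch:", users)
```
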
