Both Australia & USA government security agencies have released Security – Web Shell malware prevention guidance & best practices as shared bel0w

https://www.us-cert.gov/ncas/current-activity/2020/04/22/nsa-asd-release-guidance-mitigating-web-shell-malware

https://media.defense.gov/2020/Apr/22/2002285959/-1/-1/0/DETECT%20AND%20PREVENT%20WEB%20SHELL%20MALWARE.PDF

WHAT ARE WEB SHELL ATTACKS — Cyber actors have increased the use of web shell malware for computer network exploitation. Web shell malware is software deployed by a hacker, usually on a victim’s web server. It can be used to execute arbitrary system commands, which are commonly sent over HTTP or HTTPS. Web shell attacks pose a serious risk to DoD components.  Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communication channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools.

1. “Known-Good” Comparison — Comparison tools that look for recent unusual changes
2. Web Traffic Anomaly Detection — Software that looks for abnormal network transactions & possible manipulations
3. Signature Based Detection — Malware authors may use out-of-normal web shell attack resources where AV or other signatures might be detectable (e.g., China Chopper, WSO, C99, B374K, R57)
4. Unexpected Network Flows — Special ports, Remote Access Tools, command-and-control, and other attacks may also be detected thru active monitoring