Shell detector app detects webshells (aspx, php)

Shell detector app detects webshells (aspx, php)

Shell detector is a great little application to, like the name suggests, detect (malicious) shells.

I recently had the misfortune of having to deal with a so called web shell. Basically it created a backdoor by uploading a malicious file and its client application uses this file to send commands to be executed on the server. Looking at the capabilities of this malware I couldn’t believe what was possible. In short they owned the server.

Now I know that the only good solution to this is a reinstall and using a backup to restore data and this is what we have done, but to give you some breathing space this “little” program could help.
For the python version just clone the repository and after you install python run it by executing the following command:

python shelldetect.py -r True -d ./

Options

  • -d (–directory) – specify directory to scan
  • -e (–extension) – specify file extensions that should be scanned, seperate by comma
  • -l (–linenumbers) – show line number where suspicious function used
  • -r (–remote) – get shells signatures db from github

There is also a php version, please refer to the instructions on how to use that version. A demo of it can be found here.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.