3. whatis
~$ whatis webshell
Malicious script uploaded by an attacker
Often used as RAT
Problem: hard to detect. A scan at upload time is not sufficient
~$ whatis webshell-detector
Goal: propose a new detection system that is not based only on signatures
5. cd detectors
~$ ls -w 1
Entropy
Dangerous_routines
Obfuscation
Signatures
Fuzzy_hashing
~$ cat Entropy
Based on the formula (information viewed as the unexpectedness of a signal):
$$-\frac{\sum_{i=0}^{n} f_i \log_2(f_i)}{\sum_{i=0}^{n} f_i}$$
6. cd detectors
~$ cat Dangerous_routines
System commands: exec, passthru, system…
Anonymous routines
Variable functions:
$var = "phpinfo";
$var();
~$ cat Obfuscation
Longest string
Decoding routines: base64_decode, gzuncompress…
Non-ASCII characters
/!\ Not always relevant by itself!
7. cd detectors
~$ cat Signatures
Signature: based on a portion of file
Identify known webshells.
Easily bypassed by obfuscation or new webshells
~$ cat Fuzzy_hashing
Similar files → similar bit sequences
The longer they are, the closer the hashes will be
Spamsum algorithm + Levenshtein distance
Computed after removing blank spaces and carriage returns
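The three heuristic detectors from the slides above (entropy, dangerous routines, obfuscation), as an added example written in Python rather than the project's own PHP code. The routine lists, the 4.5-bit and 40-character thresholds, the "at least two indicators" rule and both PHP samples are constructed assumptions for illustration, not values from webshell-detector.

```python
import math
import re
from collections import Counter

# Routine names from the slides plus shell_exec; assumed lists, not the project's own set.
DANGEROUS_ROUTINES = ("exec", "passthru", "system", "shell_exec")
DECODING_ROUTINES = ("base64_decode", "gzuncompress", "gzinflate")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: -sum(f_i * log2(f_i)) with f_i = count_i / sum(counts)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = sum(counts.values())  # the sum f_i normalisation from the slide
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def longest_literal(src: str) -> str:
    """Longest quoted string literal; obfuscated payloads tend to be one big blob."""
    found = [a or b for a, b in re.findall(r'"([^"]*)"|\'([^\']*)\'', src)]
    return max(found, key=len, default="")

def count_names(src: str, names) -> int:
    # Bare-word match, so a name stashed in a string ($f = "passthru") is still counted.
    return sum(len(re.findall(r"\b%s\b" % re.escape(n), src)) for n in names)

def analyze(src: str) -> dict:
    lit = longest_literal(src)
    return {
        "entropy": shannon_entropy(src.encode()),
        "longest_literal": len(lit),
        "literal_entropy": shannon_entropy(lit.encode()),
        "dangerous": count_names(src, DANGEROUS_ROUTINES),
        "decoding": count_names(src, DECODING_ROUTINES),
        "variable_function": bool(re.search(r"\$\w+\s*\(", src)),  # $var()
        "non_ascii": sum(1 for ch in src if ord(ch) > 127),
    }

def is_suspicious(ind: dict) -> bool:
    """No single indicator is relevant by itself (slide 6): require two or more."""
    hits = [ind["dangerous"] > 0, ind["decoding"] > 0, ind["variable_function"],
            ind["non_ascii"] > 0,
            ind["longest_literal"] > 40 and ind["literal_entropy"] > 4.5]
    return sum(hits) >= 2

# Constructed samples: a plain page and a decoding chain feeding a variable function.
BENIGN = '<?php\n$title = "Hello";\necho "<h1>" . htmlspecialchars($title) . "</h1>";\n'
SUSPECT = ('<?php\n$blob = "Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIHBheWxvYWQ=";\n'
           '$run = "passthru";\neval(gzuncompress(base64_decode($blob)));\n$run($cmd);\n')

if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, is_suspicious(analyze(src)), analyze(src))
```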
8. man webshell-detector
- as a Composer library
$ composer require rucd/webshell-detector
- as a command line tool
Uses the library Symfony Console
$ webshell-detector.phar analyze:file <file>
$ webshell-detector.phar analyze:directory -t <threshold> <dir>