Web Shell Detector: Find webshell on server

Web Shell Detector is a PHP script that helps you find and identify PHP/CGI (Perl)/ASP/ASPX shells. It has a “web shells” signature database that helps identify up to 99% of web shells. By using the latest JavaScript and CSS technologies, Web Shell Detector has a lightweight and friendly interface.

PHP Shell Detector

Features

  • Protect & Secure
    Protect your servers from hackers. Our signature database helps identify up to 99% of web shells.
  • Super Fast
    With modern technologies and the latest JavaScript and CSS, Web Shell Detector has a lightweight and friendly interface.
  • Support Team
    We have a dedicated team that will manually inspect suspicious files.
  • Simple to use
    Simply download Web Shell Detector from GitHub, then upload shelldetect.php and shelldetect.db to your root directory. Open the shelldetect.php file in your browser or execute it from the command line.
  • Manual examination
    If a file is flagged as “suspicious”, you may submit it to the shelldetector.com team for manual examination; after careful analysis, you will get a report.
  • Settings control
    A wide range of settings lets you create the behavior you need.
  • Requirements – PHP/Python
    PHP 5.x, Python 2.x, OpenSSL (only for secure file submission)

Detection

Number of known shells: 604

Installation

Requirement: 

PHP 5.x, OpenSSL (only for secure file submission)

git clone https://github.com/emposha/PHP-Shell-Detector.git

Usage

Options

extension - extensions that should be scanned
showlinenumbers - show the line number where a suspicious function is used
dateformat - used with access time & modified time
langauge - if I want to use other language
directory - scan specific directory
task - perform different task
report_format - used with is_cron (true); file format for the report file
is_cron - if true, run like a cron job (no output)
filelimit - maximum number of files to scan (with more than 30000 files you should scan a specific directory)
useget - activate the _GET variable as an easy way to receive tasks
authentication - protect the script with a user & password; to disable, simply set to NULL
remotefingerprint - get shells signatures db by remote
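
The scan that the options above configure, sketched as an added example (not the project's own code): it walks a directory, filters by extension, honours a file limit, reports the line numbers of suspicious function calls, and checks each file against a set of known hashes. The function list and the SHA-256 lookup are assumptions standing in for shelldetect.db, whose format this page does not describe; the sample files are constructed.

```python
import hashlib
import os
import re
import tempfile

# Assumed function list for illustration; not taken from shelldetect.db.
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)

def scan(directory, extensions=("php",), filelimit=30000, known_hashes=frozenset()):
    """Return {path: {"known": bool, "hits": [(line_number, function), ...]}}."""
    results, scanned = {}, 0
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            if os.path.splitext(name)[1].lstrip(".").lower() not in extensions:
                continue
            if scanned >= filelimit:  # mirrors the filelimit option
                return results
            scanned += 1
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            # Assumption: an exact SHA-256 match stands in for a signature hit.
            known = hashlib.sha256(data).hexdigest() in known_hashes
            lines = data.decode("utf-8", "replace").splitlines()
            hits = [(n, m.group(1).lower())  # what showlinenumbers would report
                    for n, line in enumerate(lines, 1)
                    for m in SUSPICIOUS.finditer(line)]
            if known or hits:
                results[path] = {"known": known, "hits": hits}
    return results

def demo():
    """Scan a constructed docroot; return results keyed by relative path."""
    samples = {  # constructed, harmless sample files
        "index.php": b"<?php\necho 'hello';\n",
        "upload/img.php": b"<?php\n// decodes to: echo 1;\neval(base64_decode('ZWNobyAxOw=='));\n",
        "cache/k.php": b"<?php /* stand-in for a fingerprinted file */\n",
        "notes.txt": b"eval( appears here, but .txt is not scanned\n",
    }
    known = {hashlib.sha256(samples["cache/k.php"]).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        found = scan(root, known_hashes=known)
        return {os.path.relpath(p, root).replace(os.sep, "/"): r for p, r in found.items()}
```

A file flagged only by `hits` corresponds to the "suspicious" case that still needs manual inspection, since legitimate code also calls these functions.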

 

To activate Web Shell Detector:

  1. Upload shelldetect.php and shelldetect.db to your root directory
  2. Open the shelldetect.php file in your browser. Example: http://www.website.com/shelldetect.php
  3. Use the default username & password. Username: admin Password: protect
  4. Inspect all strange files; if some of the files look suspicious, send them to the http://www.shelldetector.com team. After you submit your file, it will be inspected, and if there are any threats, it will be inserted into the “web shell detector” web shells signature database.
  5. If any web shells are found and identified, use your FTP/SSH client to remove them from your web server (IMPORTANT: please be careful, because some shells may be integrated into system files!).

Source: PHP-Shell-Detector