Throughout my web application vulnerability testing sessions, from higher-risk vulnerabilities down to low-risk ones, I keep encountering things that might be useful to other penetration testers while scanning systems or replicating attacks against them.

I came across a small script that can detect web shells on a server if you suspect it has been penetrated or compromised. My advice is to first check whatever is within your reach, and then, if that is not enough, contact your hosting provider.

“No system is unhackable, unless it’s disconnected from the internet and secured with a 50-metre wall around its perimeter.”

Demo

http://www.emposha.com/demo/shelldetect/shelldetect.php

Download

https://github.com/emposha/PHP-Shell-Detector/archive/master.zip

Requirements

PHP 5.x; OpenSSL (only needed for secure file submission)

Usage

To run Web Shell Detector:

  1. Upload shelldetect.php and shelldetect.db to your web root directory.
  2. Open shelldetect.php in your browser (example: http://www.website.com/shelldetect.php).
  3. Inspect every file the scanner flags. If any look suspicious, send them to the http://www.websecure.co.il team. After you submit a file it will be inspected, and if it turns out to be malicious its signature will be added to the Web Shell Detector signature database.
  4. If any web shells are found and identified, use your FTP/SSH client to remove them from the web server (IMPORTANT: be careful, because some shells are injected into legitimate system files; in that case remove the injected code rather than deleting the whole file).
  5. Delete shelldetect.php and shelldetect.db from the web root when you are done: left in place, the scanner is reachable by anyone who knows the URL. Keep in mind that detection is driven by the signature database, so a freshly written or heavily obfuscated shell can still slip through; treat a clean scan as a first check, not as proof that the server is clean.
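The steps above boil down to one loop: walk the web root, flag files that match a known-shell signature or look like a shell, report where in the file the suspect code sits so it can be excised, and only then remove it. The following Python script is an added illustration of that loop, written for this post; it is not part of PHP Shell Detector and does not read shelldetect.db. Its signature set is built from a constructed sample file, and the heuristic rules, their weights, the threshold and the sample file contents are all assumptions chosen for the example.

```python
"""Minimal web-shell scanner: signature match plus pattern scoring over a web root."""
import hashlib
import re
import sys
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample of a "known" shell. Its SHA-1 stands in for a real signature
# database such as shelldetect.db; a real deployment would load signatures from there.
KNOWN_SHELL_SAMPLES = {
    "constructed eval one-liner": "<?php @eval($_POST['cmd']); ?>\n",
}
KNOWN_SHELL_SHA1 = {
    hashlib.sha1(body.encode()).hexdigest(): name
    for name, body in KNOWN_SHELL_SAMPLES.items()
}

# Heuristic rules: (description, regex, weight). Weights and the threshold are
# assumptions for this example; tune them against your own code base.
RULES = [
    ("eval of a decoded payload",
     re.compile(r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 5),
    ("request data reaching a code/command execution function",
     re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\([^;]*\$_(GET|POST|REQUEST|COOKIE)\b", re.I), 5),
    ("preg_replace with the /e modifier",  # only catches '/'-delimited patterns without quotes inside
     re.compile(r"preg_replace\s*\(\s*(['\"])[^'\"]*/\w*e\w*\1\s*,", re.I), 4),
    ("request data used as a function name",
     re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I), 4),
    ("create_function()", re.compile(r"\bcreate_function\s*\(", re.I), 2),
    ("long base64 blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 3),
    ("chr() concatenation obfuscation", re.compile(r"(chr\s*\(\s*\d+\s*\)\s*\.\s*){5,}", re.I), 3),
]
SUSPICIOUS_THRESHOLD = 5


def scan_content(content):
    """Score one file's text. Returns (score, findings); a finding is (rule, line, snippet)."""
    score, findings = 0, []
    for desc, pattern, weight in RULES:
        m = pattern.search(content)
        if not m:
            continue
        line_no = content.count("\n", 0, m.start()) + 1  # so the injected code can be located
        snippet = content[m.start():m.end()].replace("\n", " ")[:80]
        findings.append((desc, line_no, snippet))
        score += weight
    return score, findings


def scan_file(path):
    """Hash the file against the signature set, then fall back to heuristic scoring."""
    path = Path(path)
    data = path.read_bytes()
    sha1 = hashlib.sha1(data).hexdigest()
    score, findings = scan_content(data.decode("utf-8", errors="replace"))
    if sha1 in KNOWN_SHELL_SHA1:
        verdict = "known shell"
    elif score >= SUSPICIOUS_THRESHOLD:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "path": str(path),
        "sha1": sha1,
        "signature": KNOWN_SHELL_SHA1.get(sha1),
        "score": score,
        "verdict": verdict,
        "findings": findings,
        "mtime": datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc),
    }


def scan_webroot(root):
    """Scan every regular file under root; worst verdicts first, newest files first within a verdict."""
    results = [scan_file(p) for p in sorted(Path(root).rglob("*")) if p.is_file()]
    order = {"known shell": 0, "suspicious": 1, "clean": 2}
    results.sort(key=lambda r: (order[r["verdict"]], -r["mtime"].timestamp()))
    return results


def main(argv):
    root = argv[1] if len(argv) > 1 else "."
    for r in scan_webroot(root):
        if r["verdict"] == "clean":
            continue
        print(f'{r["verdict"]:12} {r["path"]}  sha1={r["sha1"][:12]}  '
              f'score={r["score"]}  mtime={r["mtime"]:%Y-%m-%d %H:%M}')
        for desc, line_no, snippet in r["findings"]:
            print(f"    line {line_no}: {desc}: {snippet}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python scanner.py /var/www/html` from an SSH session rather than from the web root itself, so the scanner is never reachable over HTTP. The line numbers in the report matter for step 4 above: a shell appended to a legitimate include file shows up as a suspicious finding on its last lines, and the fix is to cut those lines out and restore the file from a known-good copy, not to delete a file the application needs.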