Identify harmful Web Shells with PHP Shell Detector


A web shell is a script, commonly written in PHP, that can give an attacker root-level access to a compromised web server. Also known as a PHP trojan, it can be very harmful in the hands of a skilled attacker, so it is important to periodically scan the web platform for intruders.
 
Through a web shell an attacker can perform various functions, including:
 
 
  • Enumerating the server (OS version, PHP, Apache, MySQL and free disk space);
  • Viewing files on the server;
  • Running remote commands;
  • Uploading and downloading files;
  • Sending e-mail;
  • Dumping the database;
  • Running SQL queries;
  • DoS attacks.
 
In this article we will look at PHP Shell Detector, a free and open-source scanner that searches our web site for threats and, once they are identified, returns a simple report in Italian.
 
File analysis is based on an internal, constantly growing database: the scanner matches the signature of a known threat or identifies suspicious code, and reports whatever it finds back to us.
 
In the log file we can see how many files were analyzed, which threats were identified and any suspicious files; in the latter case we can send the suspect file to the websecure.co.il team, who will analyze it free of charge and send us the results.
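As an added illustration of the approach just described (a signature database plus heuristics for suspicious code, with line numbers and a file count in the report), here is a small Python scanner written for this article. It is not PHP Shell Detector's own code: the settings dictionary that mirrors the shelldetect.ini keys, the single signature entry, the heuristic patterns and the sample files in the temporary web root are all constructed for the example.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# Hypothetical settings mirroring the shelldetect.ini keys discussed in the article.
SETTINGS = {
    "extension": ["php", "txt"],   # only files with these extensions are read
    "showlinenumbers": True,       # record the line on which a suspicious construct sits
    "directory": "",               # empty string = scan the whole root we are given
}

# Constructed signature database: one hypothetical entry keyed by the SHA-1 of the
# exact file contents. The "known shell" here is a harmless stand-in, not a real shell.
KNOWN_SHELL_CONTENT = b"<?php /* constructed stand-in for a known shell */ ?>\n"
KNOWN_SHELLS = {hashlib.sha1(KNOWN_SHELL_CONTENT).hexdigest(): "r57 (constructed entry)"}

# Heuristics for code that is suspicious even when no signature matches (constructed list).
SUSPICIOUS_PATTERNS = [
    ("eval of base64 payload", re.compile(r"\beval\s*\(\s*base64_decode\s*\(")),
    ("shell command fed from request", re.compile(r"\b(system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST)")),
    ("preg_replace with /e modifier", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]")),
]


@dataclass
class Report:
    scanned: int = 0
    known: list = field(default_factory=list)       # (relative path, shell name)
    suspicious: list = field(default_factory=list)  # (relative path, line or None, reason)


def scan(root, settings=SETTINGS):
    """Walk the tree, hash-match known shells, then run the heuristics line by line."""
    report = Report()
    start = os.path.join(root, settings["directory"]) if settings["directory"] else root
    exts = tuple("." + e for e in settings["extension"])
    for dirpath, _dirs, files in os.walk(start):
        for name in sorted(files):
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()
            report.scanned += 1
            digest = hashlib.sha1(data).hexdigest()
            if digest in KNOWN_SHELLS:
                report.known.append((rel, KNOWN_SHELLS[digest]))
                continue  # a signature hit is definitive; no need for heuristics
            text = data.decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for reason, pattern in SUSPICIOUS_PATTERNS:
                    if pattern.search(line):
                        where = lineno if settings["showlinenumbers"] else None
                        report.suspicious.append((rel, where, reason))
                        break  # one finding per line is enough
    return report


def demo():
    """Build a constructed web root in a temp dir, scan it and return the Report."""
    samples = {
        "index.php": b"<?php echo 'hello'; ?>\n",                 # benign
        "file.php": KNOWN_SHELL_CONTENT,                          # matches the signature DB
        "secure-wordpress.php": (                                 # heuristic hit on line 3
            b"<?php\n"
            b"// constructed sample that looks like a plugin file\n"
            b"eval(base64_decode($payload));\n"
        ),
        "notes.txt": b"plain text, nothing to see\n",             # scanned, clean
        "logo.jpg": b"\xff\xd8not really an image",               # skipped: wrong extension
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return scan(root)


if __name__ == "__main__":
    r = demo()
    print(f"scanned {r.scanned} files, {len(r.known)} known shells, {len(r.suspicious)} suspicious")
    for rel, name in r.known:
        print(f"  KNOWN      {rel}: {name}")
    for rel, line, reason in r.suspicious:
        print(f"  SUSPICIOUS {rel} line {line}: {reason}")
```

The two stages mirror what the article describes: an exact hash match against the database is reported as a known shell, while a file that merely contains a suspicious construct is reported with its line number so that it can be reviewed by hand (or, as the article suggests, sent off for analysis).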
 
PHP Shell Detector is available on GitHub; once we have downloaded and extracted the archive, let us look at its contents. We start by configuring the scanner through the file "shelldetect.ini": open it in the text editor you prefer and you will find a number of parameters; in particular, we are going to edit the following:
 
  • extension: the extension(s) of the files to be analyzed (e.g. extension[]=php);
  • showlinenumbers: show on which line of the file the threat is located;
  • language: the language of the report (e.g. language="italian");
  • directory: which directory to analyze; if not specified, the entire root is analyzed;
  • report_format: the file in which to save the report (e.g. report_format="report.htm");
  • authentication: whether authentication is required to start a scan.
 
For example, our shelldetect.ini file will contain the following parameters:
 
extension[]=php
extension[]=txt
showlinenumbers=true
langauge="italian"
directory=""
report_format="report.htm"
authentication=false
 
Once the configuration is complete, we upload the contents of the archive to our web site's root folder, via FTP or whatever method you prefer. Now we open the file shelldetect.php in the web browser you prefer, by typing:
 
 
The scan of our web site starts automatically: we can immediately see the number of shells known to the database and the number of files that will be analyzed, and then we follow the progress of the scan step by step. PHP Shell Detector reports back the suspicious items or the threats it has discovered.
 
[Figure: php shell detection]
 
In the example we see that the scanner knows 431 shells and has found 8 files to analyze: one of them (secure-wordpress.php) turns out to be suspicious, while a second (file.php) has a positive signature match and is therefore an r57-type web shell.
 
[Figure: php shell]
 
If a suspicious file is detected, we can send it to the websecure.co.il team, who will examine it to determine whether the suspicion is unfounded or a real threat; along with the file, we can specify an e-mail address at which to receive the outcome of the analysis.
 
 