How to detect a hacker's web shell on your server



A web shell is a script, mostly written in PHP or ASP, that lets an attacker execute remote commands on the compromised server. C99 and R57 are well-known examples.


Once the web shell has been uploaded to the target server through a file upload or file inclusion flaw, the attacker can connect to it remotely and manage files, run commands, manage MySQL, and so on. It is as if he had an SSH session in front of him.
So how do we know whether a shell is running on our web server?


In most cases, using a PHP web shell leaves traces at several levels, and its suspicious requests are easy to spot in the Apache access log: for example, POST requests to a PHP file sitting in an upload directory, or requests carrying a parameter such as cmd= or act= that passes commands to the shell.

But it is very tedious to read every line of the log file by hand.
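The kind of log review described above can be automated. The script below is an added example written for this post, not code from the original page or from any tool it mentions: it parses Apache "combined" format lines and flags requests that match several indicators of classic C99/R57-style shell use (a known shell filename, a command-style query parameter, a PHP file executed from an upload directory, a POST with no referer). The indicator lists, the scoring threshold and the sample log lines are all constructed assumptions.

```python
"""Flag web-shell traffic in an Apache "combined" access log.

Added example for this post, not code from the original page: the
request paths, parameters and log lines below are constructed for
illustration, and the indicator lists are assumptions based on how
classic C99/R57-style shells are driven (command in a query parameter,
script dropped in an upload directory).
"""
import re
from collections import Counter

# Apache combined log format: ip ident user [time] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed indicators (not from the original post).
SHELL_FILENAMES = re.compile(r'/(c99|r57|shell|cmd|wso)[^/]*\.php', re.I)
SHELL_PARAMS = re.compile(r'[?&](cmd|act|action|exec|command)=', re.I)
UPLOAD_DIRS = re.compile(r'^/(images?|uploads?|files|media|tmp)/', re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score_request(entry):
    """Return (score, reasons): one point per indicator matched by the request."""
    reasons = []
    path = entry['path']
    script = path.split('?', 1)[0].lower()
    if SHELL_FILENAMES.search(path):
        reasons.append('known shell filename')
    if SHELL_PARAMS.search(path):
        reasons.append('command-style parameter')
    if UPLOAD_DIRS.search(path) and script.endswith('.php'):
        reasons.append('PHP executed from an upload directory')
    if entry['method'] == 'POST' and entry['referer'] == '-':
        reasons.append('POST without referer')
    return len(reasons), reasons


def find_suspicious(lines, threshold=2):
    """Return [(ip, path, reasons)] for requests with at least `threshold` indicators."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        score, reasons = score_request(entry)
        if score >= threshold:
            hits.append((entry['ip'], entry['path'], reasons))
    return hits


def suspicious_ips(lines, threshold=2):
    """Count flagged requests per client IP, most active first."""
    return Counter(ip for ip, _, _ in find_suspicious(lines, threshold)).most_common()


# Constructed sample log (documentation IP ranges, fictional paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "http://example.org/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:14:02:11 +0000] "POST /images/c99.php?act=cmd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:14:02:30 +0000] "GET /uploads/avatar.php?cmd=id HTTP/1.1" 200 640 "-" "curl/7.68.0"',
    '198.51.100.9 - - [10/Oct/2023:14:05:00 +0000] "POST /contact.php HTTP/1.1" 302 0 "http://example.org/contact.php" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, path, reasons in find_suspicious(SAMPLE_LOG):
        print(f'{ip} {path}: {", ".join(reasons)}')
    print('per-IP:', suspicious_ips(SAMPLE_LOG))
```

Requiring two indicators before flagging keeps ordinary traffic (a legitimate form POST, a normal index.php?action= link) out of the report; on a real log you would feed the file line by line and tune the path and parameter lists to your own application.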

Fortunately there is PHP Shell Detector, a PHP script that finds and identifies web shells. It ships with a signature database that recognises known shells.
Its main function is to scan your server for exactly these dangerous web shells. To do so it combines a number of criteria (fingerprints of known shells and suspicious constructs in the code) to build a signature for each shell.

How to use PHP Shell Detector?

To use it, it's simple:

First download the PHP Shell Detector tool from the following link:
https://github.com/emposha/PHP-Shell-Detector
Place the shelldetect.php file at the root of your site.
Open the script in your browser and log in with the default username admin and password protect.
After a few minutes the script outputs the scan result; the cleanup is then up to you.

Once you are done, delete shelldetect.php from the web root: the scanner lists every suspicious file on your server, and leaving it reachable with its default credentials hands that information to anyone who finds it.
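To show what a scanner of this kind actually does, here is an added example written for this post; it is not PHP Shell Detector's own code. It applies the two checks such tools combine: an exact fingerprint (MD5 of the whole file) looked up in a signature list, and weighted regex heuristics for the constructs classic shells rely on (eval of a decoded payload, request data fed straight into a command function, preg_replace with /e, long base64 blobs). The signature list, the heuristic weights, the threshold and the sample web root written into a temporary directory are all constructed for the example.

```python
"""Scan a web root for PHP web shells by fingerprint and by heuristic.

Added example for this post, not PHP Shell Detector's own code. It mimics
the two checks such tools make: an exact fingerprint (MD5 of the file)
looked up in a signature list, and regex heuristics for constructs that
classic shells rely on. The signature list, the weights and the sample
web root below are all constructed for this example.
"""
import hashlib
import os
import re
import tempfile

PHP_EXTENSIONS = {'.php', '.php3', '.php4', '.php5', '.phtml'}

# Constructed signature list: MD5 of a known shell's exact contents -> name.
# Real tools ship hundreds of these; this one is computed from a toy shell.
TOY_SHELL = b"<?php system($_GET['cmd']); ?>"
KNOWN_FINGERPRINTS = {hashlib.md5(TOY_SHELL).hexdigest(): 'toy-cmd-shell'}

# Heuristics: (pattern, weight, label). Weights are assumptions.
HEURISTICS = [
    (re.compile(rb'\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I),
     5, 'eval of a decoded payload'),
    (re.compile(rb'\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b', re.I),
     4, 'request data passed straight to a command function'),
    (re.compile(rb'preg_replace\s*\(\s*(["\'])/.*?/[a-z]*e[a-z]*\1', re.I | re.S),
     4, 'preg_replace with the /e modifier'),
    (re.compile(rb'\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(', re.I),
     3, 'command execution function'),
    (re.compile(rb'[A-Za-z0-9+/]{200,}={0,2}'),
     2, 'long base64 blob'),
]


def scan_file(path):
    """Return a finding dict for one file: fingerprint hit (or None), score, reasons."""
    with open(path, 'rb') as fh:
        data = fh.read()
    fingerprint = KNOWN_FINGERPRINTS.get(hashlib.md5(data).hexdigest())
    score, reasons = 0, []
    for pattern, weight, label in HEURISTICS:
        if pattern.search(data):
            score += weight
            reasons.append(label)
    return {'path': path, 'fingerprint': fingerprint, 'score': score, 'reasons': reasons}


def scan_webroot(root, threshold=4):
    """Walk `root`; report PHP files with a fingerprint hit or a score >= threshold.

    Paths are reported relative to `root`, sorted for stable output.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PHP_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            result = scan_file(full)
            if result['fingerprint'] or result['score'] >= threshold:
                result['path'] = os.path.relpath(full, root)
                findings.append(result)
    return sorted(findings, key=lambda f: f['path'])


def build_sample_webroot():
    """Write a constructed web root into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix='webroot-')
    samples = {
        'index.php': b"<?php include 'config.php'; echo 'Hello'; ?>",
        # legitimate use of exec(): scores 3, stays below the threshold
        'lib/helper.php': b"<?php $out = exec('ls -l ' . escapeshellarg($dir)); ?>",
        # exact copy of a fingerprinted shell
        'images/c99.php': TOY_SHELL,
        # obfuscated one-liner (decodes to system($_GET['cmd']);): no
        # fingerprint match, caught by the eval-of-decoded-payload heuristic
        'uploads/avatar.php': b"<?php eval(base64_decode('c3lzdGVtKCRfR0VUWydjbWQnXSk7')); ?>",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'wb') as fh:
            fh.write(content)
    return root


if __name__ == '__main__':
    for f in scan_webroot(build_sample_webroot()):
        print(f"{f['path']}: score={f['score']} fingerprint={f['fingerprint']} {f['reasons']}")
```

The sample web root illustrates both the hit and the miss that matter in practice: the fingerprint catches an unmodified copy of a known shell but nothing else, while the heuristics catch the obfuscated one-liner and yet let a legitimate, single exec() call through because it scores below the threshold. Change one byte of a fingerprinted shell and only the heuristics are left, which is exactly the limitation the conclusion below points at.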


CONCLUSION:

After using PHP Shell Detector and other tools of the same kind, I can only conclude that these scripts detect classic web shells. There are more sophisticated techniques that make a web shell virtually undetectable by these tools, such as using quieter HTTP headers, mod_rewrite, base64 encoding and other methods that we will see in a future post.

Remember that the best support for this blog is to like and share our articles! 😉
