Web Backdoor Shell Detection on Servers

**b0nd** · 06-09-2011, 08:00 AM

Hi Guys,

I found couple of good scripts which could be helpful for system admins to detect the presence of web backdoor shells on their servers. So just sharing them here:

1. Web Shell Detection Using NeoPI - A python Script
(https://github.com/Neohapsis/NeoPI)

2. PHP Shell Scanner - A perl Script

3. PHP script to find malicious code on a hacked server - A PHP Script
(http://25yearsofprogramming.com/blog/2010/20100315.htm)

I've tested the 1st and 2nd and found them good. 3rd one probably needs some customization.

Btw for a quick one, the following grep command can also be used:

Code:

grep -RPl --include=*.{php,txt,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /var/www/

The command says:
1. Check files with extensions php or txt or asp only. You can add in more.
2. The pattern matching strings would be "passthru", shell_exec and so on. You can add/remove patterns.
3. The directory from where a recursive search has to be started. In this case it is /var/www/

Rgds

**materaj** · 06-10-2011, 06:55 AM

Great post, I will share this in my blog. Thank you for this post.

**Anant Shrivastava** · 06-10-2011, 03:32 PM

either the top post is copied or this article is coped to pentestit without any credit

http://www.pentestit.com/2011/06/10/...shell-servers/

**b0nd** · 06-13-2011, 08:28 AM

Originally Posted by Anant Shrivastava

either the top post is copied or this article is coped to pentestit without any credit

http://www.pentestit.com/2011/06/10/...shell-servers/

err...

1. No question of copying in the top post as I said I found something over net and shared here. Would I copy without giving credit?
2. Yes, the post has been copied as such from here and posted on pentest.it but I can see the credit has been given to me there. "Fast and easy thanks to B0nd for sharing it."

Probably you overlooked that part or the author edited it later on.

Rgds

**Anant Shrivastava** · 06-13-2011, 08:50 AM

Originally Posted by b0nd

err...

1. No question of copying in the top post as I said I found something over net and shared here. Would I copy without giving credit?
2. Yes, the post has been copied as such from here and posted on pentest.it but I can see the credit has been given to me there. "Fast and easy thanks to B0nd for sharing it."

Probably you overlooked that part or the author edited it later on.

Rgds

might have overlooked.... Well the dates of posting already said that this was original...

**AnArKI** · 06-13-2011, 09:38 AM

I think pentestit picked it from our twitter feeds.

**Punter** · 06-13-2011, 11:42 AM

dont u think pentestit could have included g4g post link has the reference

Laurel421 · 07-16-2011, 05:46 PM

either the top post is copied

**b0nd** · 07-16-2011, 06:52 PM

Enough is enough. Anyone utter a single word me copying the top post and will find himself landing in ban list.
First and last warning to you Laurel421. Just seen couple of more sense less posts by you.

**AnArKI** · 07-16-2011, 07:28 PM

@Laurel421 watch ur words

Thread: Web Backdoor Shell Detection on Servers

LinkBack

Thread Tools

Search Thread

Display