#3760 - Scanning for web shells
| Identifier | #3760 |
|---|---|
| Issue type | Feature request or suggestion |
| Title | Scanning for web shells |
| Status | Completed |
| Tags | Type: Security (custom) |
| Handling member | Chris Graham |
| Addon | health_check |
| Description | Add a security checker to scan for web shells in the webroot or base directory. |
| Steps to reproduce | |
| Funded? | No |
| Additional information | Here's some code that works well (based on an analysis of real web shells)... |

```php
function scan_for_webshells($dir)
{
    $positives = array();
    $negatives = array();

    $dh = opendir($dir);
    if ($dh === false) {
        // Directory could not be opened; nothing to report
        return array('positives' => $positives, 'negatives' => $negatives);
    }
    while (($f = readdir($dh)) !== false) {
        // Only regular files ending in .php are checked (this scan is not recursive)
        if (strtolower(substr($f, -4)) == '.php' && is_file($dir . '/' . $f)) {
            if (is_likely_webshell(file_get_contents($dir . '/' . $f))) {
                $positives[] = $f;
            } else {
                $negatives[] = $f;
            }
        }
    }
    closedir($dh);

    return array('positives' => $positives, 'negatives' => $negatives);
}

function is_likely_webshell($c)
{
    // Regex fragments to look for; each is matched case-insensitively against the file contents
    $triggers = array(
        '[^\w]system\(',
        '[^\w]exec\(',
        '[^\w]shell_exec\(',
        '[^\w]passthru\(',
        '[^\w]popen\(',
        '[^\w]proc_open\(',
        '[^\w]eval\(',
        '[^\w]move_uploaded_file\(',
        '\$\w+\(', // call through a variable function name
        '\$_FILES',
        '/etc/passwd',
        '(require|include)(_once)?\([\'"]https?://', // include from a remote URL
    );
    foreach ($triggers as $trigger) {
        if (preg_match('#' . $trigger . '#i', $c) != 0) {
            return true;
        }
    }
    return false;
}
```
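Added example, not part of the original issue or of Composr's code: a recursive variant of the scan that reports which trigger matched on which line, so that positives can be triaged rather than only listed. The function names and the sample files are constructed for illustration; both sample files are benign, and one of them still trips the heuristics.

```php
<?php
// Added example, not Composr code; function names are hypothetical.
// Returns array(array('line' => int, 'trigger' => label), ...) for one file's contents.
function explain_webshell_hits($contents)
{
    // The issue's trigger patterns, grouped under labels for reporting
    $triggers = array(
        'command execution' => '[^\w](system|exec|shell_exec|passthru|popen|proc_open)\(',
        'eval' => '[^\w]eval\(',
        'upload handling' => '[^\w]move_uploaded_file\(|\$_FILES',
        'variable function call' => '\$\w+\(',
        'passwd reference' => '/etc/passwd',
        'remote include' => '(require|include)(_once)?\([\'"]https?://',
    );
    $hits = array();
    foreach (explode("\n", $contents) as $i => $line) {
        foreach ($triggers as $label => $pattern) {
            // Leading space stands in for the newline that precedes this line in the whole file
            if (preg_match('#' . $pattern . '#i', ' ' . $line)) {
                $hits[] = array('line' => $i + 1, 'trigger' => $label);
            }
        }
    }
    return $hits;
}

// Walks $dir recursively; returns one row (file, line, trigger) per hit in any .php file.
function scan_tree_for_webshells($dir)
{
    $report = array();
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if ($file->isFile() && strtolower($file->getExtension()) == 'php') {
            foreach (explain_webshell_hits(file_get_contents($file->getPathname())) as $hit) {
                $report[] = array('file' => substr($file->getPathname(), strlen($dir) + 1)) + $hit;
            }
        }
    }
    return $report;
}

// Constructed sample tree: two benign files, one of which trips the heuristics.
$root = sys_get_temp_dir() . '/webshell_scan_demo_' . getmypid();
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/index.php', "<?php\necho 'hello';\n");
file_put_contents($root . '/uploads/handler.php', "<?php\n\$cb = 'strtoupper';\necho \$cb('x');\nmove_uploaded_file(\$_FILES['f']['tmp_name'], '/tmp/f');\n");
foreach (scan_tree_for_webshells($root) as $hit) {
    echo $hit['file'] . ':' . $hit['line'] . ' ' . $hit['trigger'] . "\n";
}
```

The flagged sample file contains only an ordinary callback call and an upload handler, which shows why a health check built on these triggers needs per-hit detail or an allowlist of known files.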