Thibault Debatty, profile picture
Uploaded byThibault Debatty
PDF, PPTX302 views

Web shell detector

The document describes a webshell detector system that analyzes files and directories for malicious webshells. It uses multiple detection techniques including entropy analysis, checking for dangerous system routines, obfuscation detection, signature matching, and fuzzy hashing. The system is implemented as a Composer library that can also be run as a command line tool to analyze files and directories and detect webshells.

Embed presentation

Download as PDF, PPTX
webshell-detector ~$ whoami Enzo Borel ~$ date 31 Mai 2018
tree -L 2 webshell-detector webshell-detector ├── Introduction │ ├── Statement │ └── Goal ├── Structure_of_the_system │ ├── Overview │ └── detectors └── usage_and_project_continuation
whatis ~$ whatis webshell Malicious script uploaded by an attacker Often used as RAT Problem: hard to detect. Scan at upload time is not sufficient ~$ whatis webshell-detector Goal: propose a new detection system not only based on signatures
cd Structure_of_the_system ~$ eog overview.png
cd detectors ~$ ls -w 1 Entropy Dangerous_routines Obfuscation Signatures Fuzzy_hashing ~$ cat Entropy Based on the formula: Information viewed as the unexpectedness of a signal −∑ i=0 n f i×log2(f i) ∑ i=0 n f i
cd detectors ~$ cat Dangerous_routines System commands: exec, passthru, system… Anonymous routines Variables functions: $var = “phpinfo”; $var(); ~$ cat Obfuscation Longest string Decoding routines: base64_decode, gzuncompress… Non-ASCII characters /! Not always relevant by itself! ∑ i=0 n f i
cd detectors ~$ cat Signatures Signature: based on a portion of file Identify known webshells. Easily bypassed by obfuscation or new webshells ~$ cat Fuzzy_hashing Similar files → similar bit sequences The longer they are, the closer the hashes will be Spamsum algorithm + Levenshtein distance Computed by removing blanck spaces and carriage returns ∑ i=0 n f i
man webshell-detector - as a Composer library $ composer require rucd/webshell-detector - as a command line tool Uses the library Symfony Console $ webshell-detector.phar analyze:file <file> $ webshell-detector.phar analyze:directory -t <threshold> <dir> ∑ i=0 n f i

More Related Content

PPTX
Hunting for APT in network logs workshop presentation
byOlehLevytskyi1
 
ODP
Metasploit Framework Executable Encoding
bytechnology_flow
 
PPT
Backdoor coding
byabdesslem amri
 
PDF
Spark Day 2017- Spark 의 과거, 현재, 미래
byMoon Soo Lee
 
PPTX
Metasploit for Web Workshop
byDennis Maldonado
 
PDF
Laura Garcia - Shodan API and Coding Skills [rooted2019]
byRootedCON
 
PDF
PuppetDB: A Single Source for Storing Your Puppet Data - PUG NY
byPuppet
 
PDF
Introduction to base shell scripting
byZeeshan Iqbal
 
Hunting for APT in network logs workshop presentation
byOlehLevytskyi1
 
Metasploit Framework Executable Encoding
bytechnology_flow
 
Backdoor coding
byabdesslem amri
 
Spark Day 2017- Spark 의 과거, 현재, 미래
byMoon Soo Lee
 
Metasploit for Web Workshop
byDennis Maldonado
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
byRootedCON
 
PuppetDB: A Single Source for Storing Your Puppet Data - PUG NY
byPuppet
 
Introduction to base shell scripting
byZeeshan Iqbal
 

More from Thibault Debatty

PDF
An introduction to similarity search and k-nn graphs
byThibault Debatty
 
PPTX
Blockchain for dummies
byThibault Debatty
 
ODP
Building a Cyber Range for training Cyber Defense Situation Awareness
byThibault Debatty
 
PDF
Design and analysis of distributed k-nearest neighbors graph algorithms
byThibault Debatty
 
PDF
A comparative analysis of visualisation techniques to achieve CySA in the mi...
byThibault Debatty
 
PDF
Cyber Range
byThibault Debatty
 
PDF
Easy Server Monitoring
byThibault Debatty
 
PDF
Data diode
byThibault Debatty
 
PDF
USB Portal
byThibault Debatty
 
PDF
Smart Router
byThibault Debatty
 
PDF
Graph based APT detection
byThibault Debatty
 
ODP
Multi-Agent System for APT Detection
byThibault Debatty
 
ODP
Building k-nn Graphs From Large Text Data
byThibault Debatty
 
PDF
Determining the k in k-means with MapReduce
byThibault Debatty
 
ODP
Parallel SPAM Clustering with Hadoop
byThibault Debatty
 
An introduction to similarity search and k-nn graphs
byThibault Debatty
 
Blockchain for dummies
byThibault Debatty
 
Building a Cyber Range for training Cyber Defense Situation Awareness
byThibault Debatty
 
Design and analysis of distributed k-nearest neighbors graph algorithms
byThibault Debatty
 
A comparative analysis of visualisation techniques to achieve CySA in the mi...
byThibault Debatty
 
Cyber Range
byThibault Debatty
 
Easy Server Monitoring
byThibault Debatty
 
Data diode
byThibault Debatty
 
USB Portal
byThibault Debatty
 
Smart Router
byThibault Debatty
 
Graph based APT detection
byThibault Debatty
 
Multi-Agent System for APT Detection
byThibault Debatty
 
Building k-nn Graphs From Large Text Data
byThibault Debatty
 
Determining the k in k-means with MapReduce
byThibault Debatty
 
Parallel SPAM Clustering with Hadoop
byThibault Debatty
 

Recently uploaded

PDF
LogiNext Media Kit & Company Overview 2025
byswatishahz9031
 
PDF
Manual Testing Still Matters: 7 Areas Where Humans Beat Automation
byKiwiQA Services
 
PDF
Introducing MySQL HeatWave Migration Assistant
byAlexander Hitrov
 
PDF
LogiNext Media Kit & Company Overview 2025
bynidhisharmaq7184
 
PDF
LogiNext Media Kit & Company Overview 2025
bysmritipatil055
 
PDF
Figma systems development services
bydavidjohansen1597
 
DOCX
The Rise of Headless CMS in Modern Web Development.docx
bywork4noahmiller
 
PDF
Own Your Domain Before It Owns You - Domain Driven Design for Pragmaticians
byPosedio GmbH
 
PDF
GDG ON CAMPUS NETAJI SUBHASH ENGINEERING COLLEGE BUILDING INTELLIGENT WEB APP...
bydscnsecorg
 
PDF
Why I Volunteer at FOSDEM and You Should Too
byImma Valls Bernaus
 
PDF
Visualizing Your Data Lake with Grafana - Amsterdam
byImma Valls Bernaus
 
PPTX
Windows File System Monitoring Tool Using C and C++
byAkshay Muley
 
PDF
谷歌留痕技术教程[ 𝙩𝙤𝙥 𝟮𝟯𝟯. 𝙘 𝙤𝙢 ]
by6stynggfo
 
PPTX
Marketo API Deep Dive From Basics to AI-Ready Foundations - January 2026.pptx
bybbedford2
 
PDF
How to find your event photos instantly with a selfie using SnapSeek
bySnapSeek.app
 
PDF
Accelerating Data Validation with QuerySurge AI
byRTTS
 
PDF
LogiNext Media Kit & Company Overview 2025
bypriyajoshi2929
 
PDF
ChampionMATES – Compete With Friends. Predict Sports. Become the Champion.
byRafal Ksiazek
 
PDF
AI-native development: from Prompt to Platform
byMaxim Salnikov
 
PDF
LogiNext Media Kit & Company Overview 2025
bydhrutipatelk5617
 
LogiNext Media Kit & Company Overview 2025
byswatishahz9031
 
Manual Testing Still Matters: 7 Areas Where Humans Beat Automation
byKiwiQA Services
 
Introducing MySQL HeatWave Migration Assistant
byAlexander Hitrov
 
LogiNext Media Kit & Company Overview 2025
bynidhisharmaq7184
 
LogiNext Media Kit & Company Overview 2025
bysmritipatil055
 
Figma systems development services
bydavidjohansen1597
 
The Rise of Headless CMS in Modern Web Development.docx
bywork4noahmiller
 
Own Your Domain Before It Owns You - Domain Driven Design for Pragmaticians
byPosedio GmbH
 
GDG ON CAMPUS NETAJI SUBHASH ENGINEERING COLLEGE BUILDING INTELLIGENT WEB APP...
bydscnsecorg
 
Why I Volunteer at FOSDEM and You Should Too
byImma Valls Bernaus
 
Visualizing Your Data Lake with Grafana - Amsterdam
byImma Valls Bernaus
 
Windows File System Monitoring Tool Using C and C++
byAkshay Muley
 
谷歌留痕技术教程[ 𝙩𝙤𝙥 𝟮𝟯𝟯. 𝙘 𝙤𝙢 ]
by6stynggfo
 
Marketo API Deep Dive From Basics to AI-Ready Foundations - January 2026.pptx
bybbedford2
 
How to find your event photos instantly with a selfie using SnapSeek
bySnapSeek.app
 
Accelerating Data Validation with QuerySurge AI
byRTTS
 
LogiNext Media Kit & Company Overview 2025
bypriyajoshi2929
 
ChampionMATES – Compete With Friends. Predict Sports. Become the Champion.
byRafal Ksiazek
 
AI-native development: from Prompt to Platform
byMaxim Salnikov
 
LogiNext Media Kit & Company Overview 2025
bydhrutipatelk5617
 

Web shell detector

  • 1.
  • 2.
    tree -L 2webshell-detector webshell-detector ├── Introduction │ ├── Statement │ └── Goal ├── Structure_of_the_system │ ├── Overview │ └── detectors └── usage_and_project_continuation
  • 3.
    whatis ~$ whatis webshell Maliciousscript uploaded by an attacker Often used as RAT Problem: hard to detect. Scan at upload time is not sufficient ~$ whatis webshell-detector Goal: propose a new detection system not only based on signatures
  • 4.
  • 5.
    cd detectors ~$ ls-w 1 Entropy Dangerous_routines Obfuscation Signatures Fuzzy_hashing ~$ cat Entropy Based on the formula: Information viewed as the unexpectedness of a signal −∑ i=0 n f i×log2(f i) ∑ i=0 n f i
  • 6.
    cd detectors ~$ catDangerous_routines System commands: exec, passthru, system… Anonymous routines Variables functions: $var = “phpinfo”; $var(); ~$ cat Obfuscation Longest string Decoding routines: base64_decode, gzuncompress… Non-ASCII characters /! Not always relevant by itself! ∑ i=0 n f i
  • 7.
    cd detectors ~$ catSignatures Signature: based on a portion of file Identify known webshells. Easily bypassed by obfuscation or new webshells ~$ cat Fuzzy_hashing Similar files → similar bit sequences The longer they are, the closer the hashes will be Spamsum algorithm + Levenshtein distance Computed by removing blanck spaces and carriage returns ∑ i=0 n f i
  • 8.
    man webshell-detector - asa Composer library $ composer require rucd/webshell-detector - as a command line tool Uses the library Symfony Console $ webshell-detector.phar analyze:file <file> $ webshell-detector.phar analyze:directory -t <threshold> <dir> ∑ i=0 n f i