1. webshell-detector
~$ whoami
Enzo Borel
~$ date
31 Mai 2018

2. tree -L 2 webshell-detector
webshell-detector
├── Introduction
│ ├── Statement
│ └── Goal
├── Structure_of_the_system
│ ├── Overview
│ └── detectors
└── usage_and_project_continuation

3. whatis
~$ whatis webshell
Malicious script uploaded by an attacker
Often used as RAT
Problem: hard to detect. Scan at upload time is
not sufficient
~$ whatis webshell-detector
Goal: propose a new detection system not only
based on signatures

4. cd Structure_of_the_system
~$ eog overview.png

5. cd detectors
~$ ls -w 1
Entropy
Dangerous_routines
Obfuscation
Signatures
Fuzzy_hashing
~$ cat Entropy
Based on the formula:
Information viewed as the unexpectedness of a
signal
−∑
i=0
n
f i×log2(f i)
∑
i=0
n
f i

6. cd detectors
~$ cat Dangerous_routines
System commands: exec, passthru, system…
Anonymous routines
Variables functions:
$var = “phpinfo”;
$var();
~$ cat Obfuscation
Longest string
Decoding routines: base64_decode, gzuncompress…
Non-ASCII characters
/! Not always relevant by itself!
∑
i=0
n
f i

7. cd detectors
~$ cat Signatures
Signature: based on a portion of file
Identify known webshells.
Easily bypassed by obfuscation or new webshells
~$ cat Fuzzy_hashing
Similar files → similar bit sequences
The longer they are, the closer the hashes will be
Spamsum algorithm + Levenshtein distance
Computed by removing blanck spaces and carriage
returns
∑
i=0
n
f i

8. man webshell-detector
- as a Composer library
$ composer require rucd/webshell-detector
- as a command line tool
Uses the library Symfony Console
$ webshell-detector.phar analyze:file <file>
$ webshell-detector.phar analyze:directory -t
<threshold> <dir>
∑
i=0
n
f i