SlideShare a Scribd company logo

Web shell detector

Thibault Debatty, profile picture
Thibault Debatty

The document describes a webshell detector system that analyzes files and directories for malicious webshells. It uses multiple detection techniques including entropy analysis, checking for dangerous system routines, obfuscation detection, signature matching, and fuzzy hashing. The system is implemented as a Composer library that can also be run as a command line tool to analyze files and directories and detect webshells.

Software
1 of 8
Download to read offline
1
2
3
4
5
6
7
8
webshell-detector ~$ whoami Enzo Borel ~$ date 31 Mai 2018
tree -L 2 webshell-detector webshell-detector ├── Introduction │ ├── Statement │ └── Goal ├── Structure_of_the_system │ ├── Overview │ └── detectors └── usage_and_project_continuation
whatis ~$ whatis webshell Malicious script uploaded by an attacker Often used as RAT Problem: hard to detect. Scan at upload time is not sufficient ~$ whatis webshell-detector Goal: propose a new detection system not only based on signatures
cd Structure_of_the_system ~$ eog overview.png
cd detectors ~$ ls -w 1 Entropy Dangerous_routines Obfuscation Signatures Fuzzy_hashing ~$ cat Entropy Based on the formula: Information viewed as the unexpectedness of a signal −∑ i=0 n f i×log2(f i) ∑ i=0 n f i
cd detectors ~$ cat Dangerous_routines System commands: exec, passthru, system… Anonymous routines Variables functions: $var = “phpinfo”; $var(); ~$ cat Obfuscation Longest string Decoding routines: base64_decode, gzuncompress… Non-ASCII characters /! Not always relevant by itself! ∑ i=0 n f i
cd detectors ~$ cat Signatures Signature: based on a portion of file Identify known webshells. Easily bypassed by obfuscation or new webshells ~$ cat Fuzzy_hashing Similar files → similar bit sequences The longer they are, the closer the hashes will be Spamsum algorithm + Levenshtein distance Computed by removing blanck spaces and carriage returns ∑ i=0 n f i
man webshell-detector - as a Composer library $ composer require rucd/webshell-detector - as a command line tool Uses the library Symfony Console $ webshell-detector.phar analyze:file <file> $ webshell-detector.phar analyze:directory -t <threshold> <dir> ∑ i=0 n f i

More Related Content

PPTX
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
ODP
Metasploit Framework Executable Encoding
technology_flow
 
PPT
Backdoor coding
abdesslem amri
 
PDF
Spark Day 2017- Spark 의 과거, 현재, 미래
Moon Soo Lee
 
PPTX
Metasploit for Web Workshop
Dennis Maldonado
 
PDF
Laura Garcia - Shodan API and Coding Skills [rooted2019]
RootedCON
 
PDF
PuppetDB: A Single Source for Storing Your Puppet Data - PUG NY
Puppet
 
PDF
Introduction to base shell scripting
Zeeshan Iqbal
 
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
Metasploit Framework Executable Encoding
technology_flow
 
Backdoor coding
abdesslem amri
 
Spark Day 2017- Spark 의 과거, 현재, 미래
Moon Soo Lee
 
Metasploit for Web Workshop
Dennis Maldonado
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
RootedCON
 
PuppetDB: A Single Source for Storing Your Puppet Data - PUG NY
Puppet
 
Introduction to base shell scripting
Zeeshan Iqbal
 

More from Thibault Debatty (15)

PDF
An introduction to similarity search and k-nn graphs
Thibault Debatty
 
PPTX
Blockchain for dummies
Thibault Debatty
 
ODP
Building a Cyber Range for training Cyber Defense Situation Awareness
Thibault Debatty
 
PDF
Design and analysis of distributed k-nearest neighbors graph algorithms
Thibault Debatty
 
PDF
A comparative analysis of visualisation techniques to achieve CySA in the mi...
Thibault Debatty
 
PDF
Cyber Range
Thibault Debatty
 
PDF
Easy Server Monitoring
Thibault Debatty
 
PDF
Data diode
Thibault Debatty
 
PDF
USB Portal
Thibault Debatty
 
PDF
Smart Router
Thibault Debatty
 
PDF
Graph based APT detection
Thibault Debatty
 
ODP
Multi-Agent System for APT Detection
Thibault Debatty
 
ODP
Building k-nn Graphs From Large Text Data
Thibault Debatty
 
PDF
Determining the k in k-means with MapReduce
Thibault Debatty
 
ODP
Parallel SPAM Clustering with Hadoop
Thibault Debatty
 
An introduction to similarity search and k-nn graphs
Thibault Debatty
 
Blockchain for dummies
Thibault Debatty
 
Building a Cyber Range for training Cyber Defense Situation Awareness
Thibault Debatty
 
Design and analysis of distributed k-nearest neighbors graph algorithms
Thibault Debatty
 
A comparative analysis of visualisation techniques to achieve CySA in the mi...
Thibault Debatty
 
Cyber Range
Thibault Debatty
 
Easy Server Monitoring
Thibault Debatty
 
Data diode
Thibault Debatty
 
USB Portal
Thibault Debatty
 
Smart Router
Thibault Debatty
 
Graph based APT detection
Thibault Debatty
 
Multi-Agent System for APT Detection
Thibault Debatty
 
Building k-nn Graphs From Large Text Data
Thibault Debatty
 
Determining the k in k-means with MapReduce
Thibault Debatty
 
Parallel SPAM Clustering with Hadoop
Thibault Debatty
 
Ad

Recently uploaded (20)

PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PDF
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PDF
Product Update: Alluxio AI 3.7 Now with Sub-Millisecond Latency
Alluxio, Inc.
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PPTX
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PPTX
assetexplorer- product-overview - presentation
nonameist3434
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Product Update: Alluxio AI 3.7 Now with Sub-Millisecond Latency
Alluxio, Inc.
 
System and Network Administraation Chapter 3
jaramharo
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
assetexplorer- product-overview - presentation
nonameist3434
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Ad

Web shell detector

  • 2. tree -L 2 webshell-detector webshell-detector ├── Introduction │ ├── Statement │ └── Goal ├── Structure_of_the_system │ ├── Overview │ └── detectors └── usage_and_project_continuation
  • 3. whatis ~$ whatis webshell Malicious script uploaded by an attacker Often used as RAT Problem: hard to detect. Scan at upload time is not sufficient ~$ whatis webshell-detector Goal: propose a new detection system not only based on signatures
  • 5. cd detectors ~$ ls -w 1 Entropy Dangerous_routines Obfuscation Signatures Fuzzy_hashing ~$ cat Entropy Based on the formula: Information viewed as the unexpectedness of a signal −∑ i=0 n f i×log2(f i) ∑ i=0 n f i
  • 6. cd detectors ~$ cat Dangerous_routines System commands: exec, passthru, system… Anonymous routines Variables functions: $var = “phpinfo”; $var(); ~$ cat Obfuscation Longest string Decoding routines: base64_decode, gzuncompress… Non-ASCII characters /! Not always relevant by itself! ∑ i=0 n f i
  • 7. cd detectors ~$ cat Signatures Signature: based on a portion of file Identify known webshells. Easily bypassed by obfuscation or new webshells ~$ cat Fuzzy_hashing Similar files → similar bit sequences The longer they are, the closer the hashes will be Spamsum algorithm + Levenshtein distance Computed by removing blanck spaces and carriage returns ∑ i=0 n f i
  • 8. man webshell-detector - as a Composer library $ composer require rucd/webshell-detector - as a command line tool Uses the library Symfony Console $ webshell-detector.phar analyze:file <file> $ webshell-detector.phar analyze:directory -t <threshold> <dir> ∑ i=0 n f i