Locate PHP Web Shells on a Linux Web Server

Published by Torry Crass on

A while ago I had put together a quick script to check files in a web directory for possible web shells. I was in a training class and looking for my information on this last week and it seems I've lost it. As such, it's time to put it up again for reference.

Over the past few years web shells have gained significant prevalence, especially those that leverage PHP and various CMS instances. As such, if you run a web server, at some point, you might be the unlucky recipient of one of these types of shells. To my point, I was trying to look up material to validate my method was correct and found dozens of sites either currently infected, or previously infected with shells. Very sad to see…

Anyhow, there are a few schools of thought on how to track these down. The first is to look for base64 encoding. The problem with this approach is that it requires a lot of manual evaluation because there are a lot of legitimate uses for base64 encoding in sites. Regardless, one of the best methods for this is to grep for base64_decode calls in all php files as shown below.

find . -name '*.php' -exec grep -i "base64_decode" '{}' \; -print

You can pipe this to more or redirect to a file if you like; either way, this will get you all the base64_decode calls, but it could be quite a bit of data, especially if you're looking at multiple websites. One slightly more targeted way is to look for the eval function just before the base64 call, as this is common in exploits and much less so in legitimate files.

You could also expand this to include eval(gzinflate(base64_decode or just make a better grep statement that would cover it, especially since there could be other functions included between eval and base64_decode.

find . -name '*.php' -exec grep -i "eval(base64_decode(" '{}' \; -print

Again, you can pipe, filter and store this as you see fit.

Another common method is to prepend a GIF file header to the start of the file. This method is used to avoid file upload filters that might otherwise block a .php file from being uploaded. If you find a PHP file that contains this type of header, you can be certain something nefarious is going on. The following method will look for the 3 gif types 86, 87, and 89.

find . -name '*.php' -exec grep -iE "GIF86a|GIF87a|GIF89a" '{}' \; -print
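The three checks above, combined into one script as an added example (my code, not from the original post). It goes a little beyond the one-liners: the eval pattern allows wrapper functions such as gzinflate or str_rot13 between eval( and base64_decode(, and the GIF check reads only the first six bytes of each file so a PHP file that merely mentions "GIF89a" in a comment is not flagged. It builds a throwaway web root of constructed sample files so it can be run offline; the function names, the indicator labels and the sample file names and contents are my own assumptions.

```shell
#!/bin/sh
# Added example: scan a web root for the PHP web-shell indicators discussed above.
# Output: one line per hit, "INDICATOR<TAB>path". Not part of the original post.

# Prefix every path read on stdin with an indicator label and a tab.
tag() {
    while IFS= read -r path; do
        printf '%s\t%s\n' "$1" "$path"
    done
}

# Scan all .php files under the given directory for the three indicators.
scan_webshell_indicators() {
    webroot=$1

    # 1) Any base64_decode call. Noisy: legitimate code uses it too, so these
    #    hits need a manual look. The glob is quoted so the shell does not
    #    expand *.php against the current directory before find sees it.
    find "$webroot" -type f -name '*.php' -exec grep -il 'base64_decode' {} + | tag BASE64

    # 2) eval( ... base64_decode( with zero or more wrapper calls in between,
    #    e.g. eval(gzinflate(base64_decode(  or  eval(str_rot13(base64_decode( .
    #    Whitespace between tokens is tolerated. Much rarer in legitimate code.
    find "$webroot" -type f -name '*.php' -exec grep -ilE \
        'eval[[:space:]]*\(([[:alnum:]_]+[[:space:]]*\([[:space:]]*)*base64_decode[[:space:]]*\(' {} + \
        | tag EVAL_B64

    # 3) GIF signature in the first six bytes of a .php file. Checking the
    #    file start (not the whole file) avoids flagging a file that only
    #    mentions the string. Note: the read loop assumes no newlines in paths.
    find "$webroot" -type f -name '*.php' -print | while IFS= read -r f; do
        case "$(head -c 6 "$f")" in
            GIF86a|GIF87a|GIF89a) printf '%s\t%s\n' GIF_HEADER "$f" ;;
        esac
    done
}

# Build a temporary web root of constructed sample files (placeholders, not
# real malware) so the scanner can be exercised offline. Prints its path.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/inc"
    # Legitimate-looking use of base64_decode: decoding a configuration blob.
    printf '%s\n' '<?php' \
        '$cfg = json_decode(base64_decode(getenv("APP_CFG")), true);' > "$d/inc/config.php"
    # Suspicious: eval over a wrapped base64 blob (inert placeholder string).
    printf '%s\n' '<?php' \
        "eval(gzinflate(base64_decode('PLACEHOLDER_NOT_A_REAL_PAYLOAD')));" > "$d/wp-content/uploads/cache.php"
    # Suspicious: GIF header prepended to PHP to slip past upload filters.
    printf 'GIF89a\n<?php echo "placeholder"; ?>\n' > "$d/wp-content/uploads/image.php"
    # Clean file with none of the indicators.
    printf '%s\n' '<?php echo "hello";' > "$d/index.php"
    printf '%s\n' "$d"
}

# Usage: sh scan.sh /var/www/html   (scans the given web root)
#        sh scan.sh                 (scans the constructed sample web root)
if [ -n "${1:-}" ]; then
    scan_webshell_indicators "$1"
else
    sample=$(make_sample_webroot)
    scan_webshell_indicators "$sample"
    rm -rf "$sample"
fi
```

On the sample web root the BASE64 label fires for both config.php and cache.php, EVAL_B64 only for cache.php, and GIF_HEADER only for image.php; index.php is not reported. Against a real site the BASE64 hits are the pile to review by hand, while EVAL_B64 and GIF_HEADER hits deserve immediate attention.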

As a supplement, people have put together exploit scanners that try to look for these and other exploits. A search at your favorite search engine should come up with many options.

Happy hunting!

