Hi Guys,
I found a couple of good scripts which could be helpful for system admins to detect the presence of web backdoor shells on their servers. So just sharing them here:
1. Web Shell Detection Using NeoPI - A python Script
(https://github.com/Neohapsis/NeoPI)
2. PHP Shell Scanner - A perl Script
3. PHP script to find malicious code on a hacked server - A PHP Script
(http://25yearsofprogramming.com/blog/2010/20100315.htm)
I've tested the 1st and 2nd and found them good. The 3rd one probably needs some customization.
Btw for a quick one, the following grep command can also be used:
grep -RPl --include=*.{php,txt,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /var/www/
The command says:
1. Check only files with the extensions php, txt or asp. You can add more.
2. The patterns to match are "passthru", "shell_exec" and so on. You can add/remove patterns.
3. The directory from which the recursive search starts; in this case it is /var/www/.
Rgds