commandlinefu.com is the place to record those command-line gems that you return to again and again.
You can sign-in using OpenID credentials, or register a traditional username and password.
Subscribe to the feed for:
I have found that base64 encoded webshells and the like contain lots of data but hardly any newlines due to the formatting of their payloads. Checking the "width" will not catch everything, but then again, this is a fuzzy problem that relies on broad generalizations and heuristics that are never going to be perfect.
What I have done is set an arbitrary threshold (200 for example) and compare the values that are produced by this script, only displaying those above the threshold. One webshell I tested this on scored 5000+ so I know it works for at least one piece of malware.
passthru, shell_exec, system, phpinfo, base64_decode, chmod, mkdir, fopen, fclose, readfile
Since some of the strings may occur in normal text or legitimately you will need to adjust the command or the entire regex to suit your needs.
Especially for sysadmins when they don't want to waste time to add -p flag on the N processes of a processname.
In the old school, you did ;
and typing strace -f -p 456 -p 678 -p 974...
You can add -f argument to the function. That way, the function will deal with pgrep to match the command-line.
processname -f jrockit