commandlinefu.com is the place to record those command-line gems that you return to again and again.
You can sign-in using OpenID credentials, or register a traditional username and password.
Subscribe to the feed for:
passthru, shell_exec, system, phpinfo, base64_decode, chmod, mkdir, fopen, fclose, readfile
Since some of the strings may occur in normal text or legitimately you will need to adjust the command or the entire regex to suit your needs.
There are 4 alternatives - vote for the best!
I have found that base64 encoded webshells and the like contain lots of data but hardly any newlines due to the formatting of their payloads. Checking the "width" will not catch everything, but then again, this is a fuzzy problem that relies on broad generalizations and heuristics that are never going to be perfect.
What I have done is set an arbitrary threshold (200 for example) and compare the values that are produced by this script, only displaying those above the threshold. One webshell I tested this on scored 5000+ so I know it works for at least one piece of malware.
If you can do better, submit your command here.
You must be signed in to comment.