Wubi Posted August 10, 2012 Report Posted August 10, 2012 PHP Shell Detector is a php script that helps you find and identify php shells. It also has a “web shells” signature database that helps to identify “web shell” up to 99%. By using the latest javascript and css technologies, php shell detector has a light weight and friendly interface . The main features is that if you’re not sure about a suspicious file, you may send it to the websecure.co.il team. After submitting your file, it will be inspected and if there are any threats, it will be inserted into a “php shell detector” web shells signature database and the next time this file will be recognized positivelyWe were planing to build similar kind of tool for internal testing process. PHP Shell Detector will help us to build it. Settings used in PHP Shell Detector:extension – extensions that should be scanned showlinenumbers – show line number where suspicious function used dateformat – used with access time & modified time langauge – if I want to use other language directory – scan specific directory task – perform different task report_format – used with is_cron(true) file format for report file is_cron – if true run like a cron(no output) filelimit – maximum files to scan (more then 30000 you should scan specific directory) useget – activate _GET variable for easy way to recive tasks authentication – protect script with user & password in case to disable simply set to NULL remotefingerprint – get shells signatures db by remote Number of shells in signature database is: 141 Download PHP Shell Detector: PHP Shell Detector – emposha-PHP-Shell-Detector-001fa28.tar.gzSursa:PHP Shell Detector a new Tool for web shell detection — PenTestIT Quote
Hack.Oradea Posted September 5, 2012 Report Posted September 5, 2012 adk asta chiar nu inteleg? Quote
danutz0501 Posted October 15, 2012 Report Posted October 15, 2012 Ar fi bine sa faca ce zice dar nu prea cred, asa zisa baza de date cu sheluri e un simplu fisier nici macar un sqlite(cu toate ca iau pus extensia .db), in care pastreaza monstre din sheluri base 64 encode.Preia fisier cu file_get_contents, verifica cu ce e in bza de date si 2-3 preg match ca sa detecteze base64 encode eval exec etc. Downlod de la sursa acum se lauda cu o baza de date de 462 semnaturi Quote
Xander Posted October 21, 2012 Report Posted October 21, 2012 la fel fac si antivirusii ( in mare parte... ) ideea e buna... dar se pot face foarte simplu bypass-uri de exemplu inloc de base64_decode poti sa faci$c = 'b' . "ase6" . '4_d' . 'eco' . "de";$c("base 64 encoded string"); Quote