This note documents detection patterns for webshells on Linux systems.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Web root | system( | Command execution function | Critical | Classic PHP webshell indicator; also appears in legitimate code, so review the call site, not just the hit. |
| Web root | exec( | Command execution | Critical | Common shell primitive; the bare pattern also matches shell_exec( and is noisy in vendor libraries. |
| Web root | shell_exec( | Command execution | Critical | Strong PHP shell signal. |
| Web root | passthru( | Raw command output | Critical | Frequent webshell primitive; streams command output straight into the response. |
| Web root | base64_decode( | Obfuscated payload logic | Critical | Very common concealment pattern; strongest when the decoded string feeds eval( or assert(. |
| Web root | eval( | Dynamic code execution | Critical | Often chained with obfuscation, e.g. eval(base64_decode(...)). |
| Web root | assert( | Alternate code execution | High | Common in stealth shells; a string argument is evaluated as code only on PHP before 8.0. |
| Web root | preg_replace /e | Legacy execution primitive | High | The /e modifier evaluates the replacement as PHP; deprecated in PHP 5.5 and removed in 7.0, so it only works on old interpreters. |
| Web root | cmd= parameter handling | Interactive shell parameter | Critical | Direct webshell logic, e.g. $_GET['cmd'] or $_POST['cmd'] passed to an execution primitive. |
| File timestamps | recently modified web file | Shell insertion timing | Critical | Timeline anchor; touch can rewrite mtime, but ctime is not settable that way, so compare both. |
| Access logs | suspicious POST/GET with command params | Webshell usage | Critical | Runtime evidence; POST bodies are not logged by default, so the URI, source IP and response size may be all that remains. |
| Error logs | shell execution errors | Runtime clue | High | Useful when the shell is malformed or its commands fail. |
| auditd | web process writing web root | File write attribution | Critical | Best attribution if enabled. |
| Process tree | web process spawning shell | Runtime execution | Critical | Strong compromise signal. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Tiny PHP file recently created | Minimal shell dropper | Critical | Common attacker pattern. |
| Legitimate page modified subtly | Shell inserted into existing file | Critical | Harder to spot than new file. |
| Obfuscated one-liner | Encoded payload | Critical | Common stealth pattern. |
| Web request followed by shell spawn | Active exploitation | Critical | Strong runtime correlation. |
| File name mimics asset | cache.php, db.php, img.php | High | Camouflage pattern. |
| Shell under upload dir | Upload abuse | Critical | Very common compromise route. |
| Multiple similar shell copies | Redundant access paths | High | Operator resilience. |
| Shell plus reverse shell command | Full operator pivot | Critical | Strong intrusion chain. |
| Access from rare IP | Operator access | High | Useful context. |
| Webshell plus temp payload | Stage-to-shell chain | Critical | Common escalation path. |
Common Tools
| Tool | Usage |
|---|---|
| Minimal PHP one-liners | Fast shell drop. |
| Obfuscated PHP shells | Concealed access. |
| Uploaded webshell kits | Interactive file managers / shells. |
| Existing page injection | Hide shell in legit file. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| Web root | /var/www, app directories | Critical | Primary shell location. |
| Access logs | web server access logs | Critical | Usage evidence. |
| Error logs | web server error logs | High | Execution clues. |
| File metadata | stat | Critical | Timeline anchor; compare mtime with ctime, since touch can rewrite the former but not the latter. |
| File diff | compare with baseline | Critical | Detect subtle injection. |
| Process tree | web process children | Critical | Runtime shell proof. |
| Audit logs | /var/log/audit/audit.log | Critical | File write attribution. |
| Temp paths | /tmp, /dev/shm | High | Follow-on payload staging. |
MITRE ATT&CK References
- T1505 Server Software Component
- T1505.003 Web Shell
- T1059 Command and Scripting Interpreter
Decision Tree
- Is suspicious server-side code present?
  - Search web roots for execution primitives.
- Is file new or modified?
  - Compare timestamps and baseline.
- Was shell accessed?
  - Inspect access logs and parameters.
- Did shell spawn OS commands?
  - Process tree, temp payloads, outbound sockets.
- Is persistence linked?
  - Cron, services, keys, startup.
- Pivot
  - File → code review.
  - Request → source IP.
  - Timestamp → intrusion chain.
- Confirm webshell
  - Execution primitive + suspicious access + runtime shell = strong webshell finding.
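The "Was shell accessed?" and "Did shell spawn OS commands?" steps can be scripted as a join between access-log entries and auditd execve records. The following Python is an added example for this note, not code from the original page: it parses combined-format access log lines, flags requests that carry a command parameter or POST to a PHP file from a source with almost no other traffic, and correlates them with auditd SYSCALL records in which the web server's uid spawned a shell within a few seconds. The log lines and audit records are constructed samples; uid 33 (www-data on Debian/Ubuntu), the audit key name `web_exec`, the parameter-name list and the 5 second window are assumptions to adjust per host.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Combined log format as written by the Apache/nginx defaults.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# auditd SYSCALL record: timestamp from msg=audit(epoch:serial), then key=value fields.
AUDIT_TS_RE = re.compile(r"msg=audit\((?P<epoch>\d+\.\d+):\d+\)")
AUDIT_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

COMMAND_PARAMS = {"cmd", "c", "command", "exec", "x", "q"}   # assumption: common shell parameter names
SHELL_COMMS = {"sh", "bash", "dash", "zsh"}
WEB_UIDS = {33}          # assumption: www-data on Debian/Ubuntu; apache/nginx uid differs per distro
SPAWN_WINDOW_S = 5.0     # assumption: a shell spawned within 5 s of the request counts as correlated

# Constructed sample lines, not captured traffic: 198.51.100.7 sends a cmd= request, then a POST.
ACCESS_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:31 +0000] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /uploads/img.php?cmd=id HTTP/1.1" 200 61 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Oct/2023:13:56:40 +0000] "POST /uploads/img.php HTTP/1.1" 200 310 "-" "python-requests/2.31"',
]
# Constructed auditd execve (syscall 59) records keyed "web_exec"; 1696946162 is 2023-10-10 13:56:02 UTC.
AUDIT_LOG = [
    'type=SYSCALL msg=audit(1696946162.417:9001): arch=c000003e syscall=59 success=yes exit=0 ppid=1202 pid=4410 auid=4294967295 uid=33 gid=33 euid=33 comm="sh" exe="/usr/bin/dash" key="web_exec"',
    'type=SYSCALL msg=audit(1696946200.050:9002): arch=c000003e syscall=59 success=yes exit=0 ppid=4410 pid=4413 auid=4294967295 uid=33 gid=33 euid=33 comm="bash" exe="/usr/bin/bash" key="web_exec"',
    'type=SYSCALL msg=audit(1696946300.000:9003): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=5000 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="web_exec"',
]

def parse_access_line(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    path, _, query = m["path"].partition("?")
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": path,
        "params": set(parse_qs(query, keep_blank_values=True)),
        "status": int(m["status"]),
    }

def suspicious_requests(lines):
    reqs = [r for r in map(parse_access_line, lines) if r]
    hits_per_ip = Counter(r["ip"] for r in reqs)
    flagged = []
    for r in reqs:
        reasons = []
        cmd_params = r["params"] & COMMAND_PARAMS
        if cmd_params:
            reasons.append("command parameter " + ",".join(sorted(cmd_params)))
        # a POST to a PHP file from a source with almost no other traffic is how a dropped shell is driven
        if r["method"] == "POST" and r["path"].endswith(".php") and hits_per_ip[r["ip"]] <= 2:
            reasons.append("POST to PHP from rare source")
        if reasons:
            flagged.append({**r, "reasons": reasons})
    return flagged

def parse_audit_line(line):
    m = AUDIT_TS_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in AUDIT_KV_RE.findall(line)}
    return {
        "ts": datetime.fromtimestamp(float(m["epoch"]), tz=timezone.utc),
        "uid": int(kv.get("uid", -1)),
        "comm": kv.get("comm", ""),
        "exe": kv.get("exe", ""),
        "pid": kv.get("pid", "?"),
    }

def correlate(flagged, audit_lines, window_s=SPAWN_WINDOW_S):
    """Join each flagged request to shells the web uid spawned within window_s after it."""
    events = [e for e in map(parse_audit_line, audit_lines) if e]
    spawns = [e for e in events if e["uid"] in WEB_UIDS and e["comm"] in SHELL_COMMS]
    chains = []
    for r in flagged:
        for e in spawns:
            delay = (e["ts"] - r["ts"]).total_seconds()
            if 0 <= delay <= window_s:
                chains.append({"ip": r["ip"], "path": r["path"], "shell": e["exe"],
                               "pid": e["pid"], "delay_s": round(delay, 3)})
    return chains

def investigate(access_lines=ACCESS_LOG, audit_lines=AUDIT_LOG):
    flagged = suspicious_requests(access_lines)
    return flagged, correlate(flagged, audit_lines)

if __name__ == "__main__":
    flagged, chains = investigate()
    for r in flagged:
        print(f"{r['ts'].isoformat()} {r['ip']} {r['method']} {r['path']} :: {'; '.join(r['reasons'])}")
    for c in chains:
        print(f"request {c['path']} from {c['ip']} -> {c['shell']} pid {c['pid']} after {c['delay_s']}s")
```

On a real host, feed it `/var/log/apache2/access.log` (or the nginx equivalent) and `ausearch -k web_exec --raw` output; the uid-1000 record in the sample shows why the filter keys on the web server's uid rather than on the shell name alone.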
Example Detection Templates
Grep
grep -RlE --include='*.php' --include='*.phtml' --include='*.inc' '\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(|\b(eval|assert)\s*\(|base64_decode\s*\(' /var/www 2>/dev/null
grep -RnE --include='*.php' -e '\$_(GET|POST|REQUEST|COOKIE)\[.?(cmd|c|x)' -e "preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e" /var/www 2>/dev/null
find /var/www -type f -printf '%TY-%Tm-%Td %TT %p\n' 2>/dev/null | sort
find /var/www -type f -name '*.php' -mtime -7 -size -2k 2>/dev/null
Hits inside frameworks and vendor libraries are expected; list matching files first (-l), then read the call sites rather than treating every hit as a shell.
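The grep templates above answer "is the string present"; triage also needs "which hit matters first". The following Python is an added example for this note, not code from the original page: it walks a web root, applies the execution, decoding and request-parameter patterns from the indicator tables, adds weight when a decoder feeds eval( or assert( (the obfuscated one-liner shape), and annotates tiny or recently modified files so the list sorts by how much it deserves a look. The pattern weights, the 512 byte "tiny" threshold and the 7 day window are assumptions; the sample web root is constructed inside a temporary directory so the script runs offline.

```python
import os
import re
import tempfile
import time

# Weighted patterns taken from the indicator tables above. Weights are an assumption for triage
# ordering, not a calibrated score: a hit means "review this file", not "this is a shell".
PATTERNS = {
    "exec_primitive": (re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("), 3),
    "dynamic_eval":   (re.compile(r"\b(eval|assert)\s*\("), 3),
    "decode":         (re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), 2),
    "preg_replace_e": (re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"), 3),
    "request_param":  (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[\s*['\"]?(cmd|c|command|x|q)['\"]?\s*\]"), 4),
}
TINY_BYTES = 512            # assumption: one-liner droppers are far smaller than real pages
RECENT_SECONDS = 7 * 86400  # assumption: 7 day window for "recently modified"

def scan_file(path, now=None):
    """Return a finding dict for path, or None when no pattern matches."""
    now = time.time() if now is None else now
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return None
    hits = {name for name, (rx, _) in PATTERNS.items() if rx.search(text)}
    if not hits:
        return None
    score = sum(PATTERNS[name][1] for name in hits)
    # eval()/assert() fed by a decoder is the obfuscated one-liner shape; weight the chain, not just the parts
    if {"decode", "dynamic_eval"} <= hits:
        hits.add("eval_of_decoded_payload")
        score += 3
    st = os.stat(path)
    notes = []
    if st.st_size < TINY_BYTES:
        notes.append("tiny file")
    if now - st.st_mtime < RECENT_SECONDS:
        notes.append("modified in last 7d")
    return {"path": path, "score": score, "hits": sorted(hits), "size": st.st_size, "notes": notes}

def scan_web_root(root, extensions=(".php", ".phtml", ".phar", ".inc"), now=None):
    """Scan every server-side file under root; highest score first, then path for stable output."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                f = scan_file(os.path.join(dirpath, name), now)
                if f:
                    findings.append(f)
    return sorted(findings, key=lambda f: (-f["score"], f["path"]))

# Constructed web root: one clean page, one legitimate exec() user, and two shells shaped like the
# "tiny PHP file", "file name mimics asset" and "shell under upload dir" rows above.
SAMPLE_FILES = {
    "index.php": "<?php\n$title = 'Welcome';\necho htmlspecialchars($title);\n",
    "lib/mailer.php": "<?php\n// legitimate: hands the message to sendmail\n$out = exec('/usr/sbin/sendmail -t');\n",
    "uploads/img.php": "<?php @eval(base64_decode($_POST['x'])); ?>",
    "includes/cache.php": "<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); } ?>",
}

def build_sample_root():
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for f in scan_web_root(build_sample_root()):
        print(f"{f['score']:>3} {f['path']} hits={','.join(f['hits'])} {'; '.join(f['notes'])}")
```

Point `scan_web_root` at `/var/www` on a live host; the legitimate `mailer.php` in the sample still scores, which is the intended behaviour: the script orders the review queue, and the analyst reads the call site before calling it a shell.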
Journalctl
journalctl --since -7d -u apache2 -u nginx -u 'php*-fpm*'
journalctl --since -7d | grep -E "apache|nginx|php"
File Inspection
find /var/www -type f -name "*.php" 2>/dev/null
stat -c '%n %s bytes uid=%u mtime=%y ctime=%z' suspicious.php
Sigma
title: Linux Webshell Indicators
id: linux-webshell-indicators   # Sigma ids are normally UUIDs; replace before deployment
status: experimental
description: Detects webshell execution primitives and decoder calls appearing in web server log data (request URIs and bodies); file contents under the web root are checked with the grep templates above, not with this rule
logsource:
    product: linux
    category: webserver
detection:
    keywords:
        - 'system('
        - 'exec('
        - 'shell_exec('
        - 'passthru('
        - 'base64_decode('
        - 'eval('
    condition: keywords
fields:
    - message
    - hostname
falsepositives:
    - Legitimate application code or request parameters that contain these strings
level: high
tags:
    - attack.persistence
    - attack.t1505.003
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| File baseline | Baseline web roots | Critical | Unknown file changes should stand out. |
| Upload controls | Restrict executable uploads | Critical | Major prevention layer; store uploads outside the web root or in a directory where the PHP handler is disabled, and never trust the client-supplied extension or MIME type. |
| File monitoring | Watch web root writes | Critical | Strong invariant detection: in production the web root should not change outside deployments. |
| Least privilege | Restrict web process write rights | Critical | The web server user should own no writable code directories; this blocks shell planting through the application itself, though not through a compromised deploy path. |
| Auditd | Monitor web root writes | High | Strong attribution. |
| Web logging | Preserve access/error logs | High | Needed for shell use proof. |
Fast Triage Checks
| Question | Command / Artifact | Why It Matters |
|---|---|---|
| Any execution primitives in web root? | grep web root | Immediate shell check. |
| Which file changed recently? | sort timestamps | Timeline anchor. |
| Was shell accessed? | access logs | Runtime proof. |
| Did web process spawn shell? | process tree | Strong execution evidence. |
| Is temp payload linked? | inspect temp dirs | Follow-on staging. |
| Any outbound callback? | sockets / logs | Operator pivot clue. |
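The "Did web process spawn shell?" check reduces to walking the process tree from each shell upward until a web worker appears. The following Python is an added example for this note, not code from the original page: it parses a `ps -eo pid,ppid,user,comm` snapshot, reports every shell with a web worker among its ancestors, and lists what each shell in turn executed so a follow-on `nc` or similar callback stands out. The snapshot is constructed; the worker and shell name sets are assumptions to adjust to the host's server and PHP runtime.

```python
from collections import defaultdict

WEB_WORKERS = {"apache2", "httpd", "nginx", "php-fpm", "php-fpm8.2", "php-fpm8.3"}  # assumption: adjust per host
SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed `ps -eo pid,ppid,user,comm` snapshot: a shell under an apache2 worker that went on to run nc.
PS_SNAPSHOT = """\
  PID  PPID USER     COMMAND
    1     0 root     systemd
 1187     1 root     apache2
 1201  1187 www-data apache2
 1202  1187 www-data apache2
 4410  1202 www-data sh
 4413  4410 www-data bash
 4420  4413 www-data nc
 5000  2200 alice    bash
"""

def parse_ps(text):
    """Parse the four-column ps output into {pid: {pid, ppid, user, comm}}."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, user, comm = parts
        procs[int(pid)] = {"pid": int(pid), "ppid": int(ppid), "user": user, "comm": comm.strip()}
    return procs

def ancestry(procs, pid):
    """The process followed by its parents up to the root; stops on a missing or cyclic ppid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain

def web_spawned_shells(procs):
    """Shells with a web worker anywhere above them, plus what each shell itself executed."""
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p)
    findings = []
    for p in sorted(procs.values(), key=lambda q: q["pid"]):
        if p["comm"] not in SHELLS:
            continue
        chain = ancestry(procs, p["pid"])
        worker = next((a for a in chain[1:] if a["comm"] in WEB_WORKERS), None)
        if worker is None:
            continue                               # an interactive user shell, not a web-spawned one
        findings.append({
            "pid": p["pid"],
            "user": p["user"],
            "worker_pid": worker["pid"],
            "chain": " <- ".join(f"{a['comm']}[{a['pid']}]" for a in chain),
            "children": [c["comm"] for c in children[p["pid"]]],
        })
    return findings

if __name__ == "__main__":
    for f in web_spawned_shells(parse_ps(PS_SNAPSHOT)):
        print(f"pid {f['pid']} ({f['user']}): {f['chain']} ran {f['children'] or 'nothing'}")
```

Feed `parse_ps` the real output of `ps -eo pid,ppid,user,comm` on the host; `pstree -p` shows the same shape by eye, but this form can be diffed against a baseline snapshot and re-run from cron.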
High Value Grep Strings
| Pattern | Why It Matters |
|---|---|
| system( | Core command execution primitive. |
| exec( | Command execution. |
| shell_exec( | Shell execution. |
| passthru( | Raw output execution. |
| base64_decode( | Obfuscation clue. |
| eval( | Dynamic execution. |
| cmd= | Interactive shell parameter. |
Analyst Notes
| Scenario | Interpretation |
|---|---|
| Tiny new PHP file | Very common shell drop. |
| Legit page slightly modified | Hidden shell insertion likely. |
| Webshell plus temp payload | Operator escalated beyond web layer. |
| Access log with cmd parameter | Direct shell use evidence. |
| Web process spawns bash | Strong runtime shell proof. |
| Multiple obfuscated copies | Redundant persistence. |