Webshell Hunting Agent

v20260317

hunting-for-webshells-in-web-servers

Scans web server roots for high-entropy files, suspicious PHP/JSP/ASP payloads, and recent modifications to flag obfuscated webshells via entropy thresholds, regex signatures, and file metadata.

Websecurity Forensics Automation Python Entropy IncidentResponse

Get Skill

228 downloads

Overview

Instructions

Install dependencies: pip install yara-python
Identify web server document roots to scan (e.g., /var/www/html, /opt/lampp/htdocs).
Run the agent to scan for webshells:
- Shannon entropy analysis flags files with entropy > 5.5
- Pattern matching detects eval(), base64_decode(), system(), passthru(), shell_exec()
- File modification time analysis finds recently changed files
- Extension filtering targets .php, .jsp, .asp, .aspx, .cgi, .py files

python scripts/agent.py --webroot /var/www/html --output webshell_report.json

Examples

High-Entropy PHP Webshell Detection

File: /var/www/html/uploads/img_thumb.php
Entropy: 6.12 (threshold: 5.5)
Patterns matched: eval(), base64_decode(), str_rot13()
Last modified: 2025-12-01 03:42:00 (outside business hours)
Verdict: SUSPICIOUS - likely obfuscated webshell

Info

Category Development

Name hunting-for-webshells-in-web-servers

Version v20260317

Size 8.55KB

Source mukul975/Anthropic-Cybersecurity-Skills

Updated At 2026-03-18