Instructions
- Install dependencies:
pip install yara-python
- Identify web server document roots to scan (e.g.,
/var/www/html, /opt/lampp/htdocs).
- Run the agent to scan for webshells:
- Shannon entropy analysis flags files with entropy > 5.5
- Pattern matching detects eval(), base64_decode(), system(), passthru(), shell_exec()
- File modification time analysis finds recently changed files
- Extension filtering targets .php, .jsp, .asp, .aspx, .cgi, .py files
python scripts/agent.py --webroot /var/www/html --output webshell_report.json
Examples
High-Entropy PHP Webshell Detection
File: /var/www/html/uploads/img_thumb.php
Entropy: 6.12 (threshold: 5.5)
Patterns matched: eval(), base64_decode(), str_rot13()
Last modified: 2025-12-01 03:42:00 (outside business hours)
Verdict: SUSPICIOUS - likely obfuscated webshell
