hunting-for-webshells-in-web-servers
SKILL.md
Instructions
- Install dependencies:
pip install yara-python - Identify web server document roots to scan (e.g.,
/var/www/html,/opt/lampp/htdocs). - Run the agent to scan for webshells:
- Shannon entropy analysis flags files with entropy > 5.5
- Pattern matching detects eval(), base64_decode(), system(), passthru(), shell_exec()
- File modification time analysis finds recently changed files
- Extension filtering targets .php, .jsp, .asp, .aspx, .cgi, .py files
python scripts/agent.py --webroot /var/www/html --output webshell_report.json
Examples
High-Entropy PHP Webshell Detection
File: /var/www/html/uploads/img_thumb.php
Entropy: 6.12 (threshold: 5.5)
Patterns matched: eval(), base64_decode(), str_rot13()
Last modified: 2025-12-01 03:42:00 (outside business hours)
Verdict: SUSPICIOUS - likely obfuscated webshell
Weekly Installs
1
Repository
mukul975/anthro…y-skillsGitHub Stars
1.3K
First Seen
2 days ago
Security Audits
Installed on
zencoder1
amp1
cline1
opencode1
cursor1
kimi-cli1