|Table of Contents|

[1] Truong Dinh Tu, , Cheng Guang, et al. Evil-hunter: a novel web shell detection systembased on scoring scheme [J]. Journal of Southeast University (English Edition), 2014, 30 (3): 278-284. [doi:10.3969/j.issn.1003-7985.2014.03.004]

Evil-hunter: a novel web shell detection systembased on scoring scheme()

Journal of Southeast University (English Edition)[ISSN:1003-7985/CN:32-1325/N]

2014 3
Research Field:
Computer Science and Engineering
Publishing date:


Evil-hunter: a novel web shell detection systembased on scoring scheme
Truong Dinh Tu1 2 3 Cheng Guang1 3 Guo Xiaojun1 3 Pan Wubin1 3
1School of Computer Science and Engineering, Southeast University, Nanjing 210096, China
2Department of Information Technology, Tuyhoa Industrial College, Phuyen 620900, Vietnam
3 Key Laboratory of Computer Network and Information Integration of Ministry of Education, Southeast University, Nanjing 210096, China
web shell detection scoring scheme malicious code identification
In order to detect web shells that hackers inject into web servers by exploiting system vulnerabilities or web page open sources, a novel web shell detection system based on the scoring scheme is proposed, named Evil-hunter. First, a large set of malicious function samples normally used in web shells are collected from various sources on the Internet and security forums. Secondly, according to the danger level and the frequency of using these malicious functions in the web shells as well as in legal web applications, an assigning score strategy for each malicious sample is devised. Then, the appropriate score threshold value for each sample is obtained from the results of a statistical analysis. Finally, based on the threshold value, a simple algorithm is presented to identify files that contain web shells in web applications. The experimental results show that compared with other approaches, Evil-hunter can identify web shells more efficiently and accurately.


[1] Behrens S, Hagen B. Web shell detection using NeoPI [EB/OL].(2012-04-13)[2013-10-10]. http://resources.infosecinstitute.com/web-shell-detection/.
[2] Luczko P, Thornton J. PHP shell detector [EB/OL].(2012-06-12)[2013-10-10]. https://github.com/emposha/PHP-Shell-Detector.
[3] Unix operating system. A manual for grep [EB/OL].(2008-05-20)[2013-09-10].http://www.gnu.org/savannah-checkouts/gnu/grep/manual/grep.html.
[4] Jakobsson M, Ramzan Z. Crimeware: understanding new attacks and defenses [M]. New York: Addison Wesley, 2008: 608.
[5] Canali D, Balzarotti D, Francillon A. The role of web hosting providers in detecting compromised websites [C]//Proceedings of the 22nd International Conference on World Wide Web. Rio de Janeiro, Brazil, 2013: 177-187.
[6] Garg A, Singh S. A review on web application security vulnerabilities [J]. International Journal of Advanced Research in Computer Science and Software Engineering, 2013, 3(1): 222-226.
[7] Mirdula S, Manivannan D. Security vulnerabilities in web application an attack perspective [J]. International Journal of Engineering and Technology, 2013, 5(2): 1806-1811.
[8] Cova M, Kruegel C, Vigna G. Detection and analysis of drive-by-download attacks and malicious javascript code [C]//Proceedings of the 19th International Conference on World Wide Web. Raleigh, NC, USA, 2010: 281-290.
[9] Exploitable PHP functions [EB/OL].(2012-03-22)[2013-09-10].http://stackoverflow.com/questions/3115559/exploitable-php-functions.
[10] Mingkun X, Xi C, Yan H. Design of software to search ASP web shell [J]. Journal of Procedia Engineering, 2012, 29(1): 123-127.
[11] Hu J K, Xu Z, Ma D H, et al. Research of webshell detection based on decision tree [J]. Journal of Network New Media, 2012, 1(6): 15-19.(in Chinese)
[12] Rahul S. Effectiveness of antivirus in detecting web application backdoors [EB/OL].(2012-07-30)[2013-10-10]. http://www.chmag.in/article/feb2011/effectivenessantivirus-detecting-web-appli-cation-backdoors.
[13] Hou Y T, Chang Y, Chen T, et al. Malicious web content detection by machine learning [J]. Expert Systems with Applications, 2010, 37(1): 55-60.
[14] Koo T M, Chang H C, Hsu Y T, et al. Malicious website detection based on honeypot systems [C]//The 2nd International Conference on Advances in Computer Science and Engineering. Paris:Atlantis Press, 2013:76-81.
[15] Canali D, Balzarotti D. Behind the scenes of online attacks: an analysis of exploitation behaviors on the web [C]//Proceedings of the 20th Annual Network & Distributed System Security Symposium. San Diego, CA, USA, 2013:1-18.
[16] Verma A, Insan D S. Signature based detection of web application attacks [J]. International Journal of Advanced Research in Computer Science and Software Engineering, 2013, 3(8): 117-121.
[17] Certified ethical hacker [EB/OL].(2012-02-200[2013-09-10]. http://ceh.vn/@4rum/forumdisplay.php?fid=10.
[18] Alexa—The web information company[EB/OL].(2012-03-30)[2013-09-10].http://www.alexa.com.
[19] Project hosting on google code provides a free collaborative development environment for open source projects [EB/OL].(2012-05-16)[2013-09-10].http://code.google.com/.
[20] VirusTotal—Free online virus, malware and url scanner [EB/OL].(2007-02-01)[2013-09-10].https://www.virustotal.com.
[21] Agbefu R E, Hori Y, Sakurai K. Domain information based blacklisting method for the detection of malicious webpages [J]. International Journal of Cyber-Security and Digital Forensics, 2013, 2(2): 36-47.


Biographies: Truong Dinh Tu(1979—), male, graduate; Cheng Guang(corresponding author), male, doctor, professor, gcheng@njnet.edu.cn.
Foundation items: The Science and Technology Support Program of Jiangsu Province(No.BE2011173), the Future Network Proactive Program of Jiangsu Province(No.BY2013095-5-03), the Program for Special Talent in Six Fields of Jiangsu Province(No.2011-DZ024).
Citation: Truong Dinh Tu, Cheng Guang, Guo Xiaojun, et al. Evil-hunter: a novel web shell detection system based on scoring scheme[J].Journal of Southeast University(English Edition), 2014, 30(3):278-284.[doi:10.3969/j.issn.1003-7985.2014.03.004]
Last Update: 2014-09-20