Detects webshells in web servers by scanning high-entropy files, suspicious PHP/JSP/ASP patterns (eval, base64_decode, system, passthru), recent web root modifications, and abnormal file sizes using Shannon entropy and regex.
Install: `npx claudepluginhub killvxk/cybersecurity-skills-zh`
1. Install the dependency: `pip install yara-python`
Hunts webshell deployments on internet-facing servers by analyzing web directory file creations, web server process anomalies, and HTTP patterns. Useful for threat hunting, incident response, and security assessments.
Hunts for web shell deployments on internet-facing servers by analyzing file creation in web directories, suspicious process spawning from web servers, and anomalous HTTP patterns. Useful for threat hunting and incident response.
Hunts webshell deployments on servers by analyzing web directory file creations, web server process spawns, and anomalous HTTP patterns using EDR and SIEM tools.
2. Identify the web root directory to scan (e.g. /var/www/html, /opt/lampp/htdocs).
3. Run the scanner: `python scripts/agent.py --webroot /var/www/html --output webshell_report.json`
File: /var/www/html/uploads/img_thumb.php
Entropy: 6.12 (threshold: 5.5)
Patterns matched: eval(), base64_decode(), str_rot13()
Last modified: 2025-12-01 03:42:00 (outside business hours)
Verdict: SUSPICIOUS - likely obfuscated webshell
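The entropy-plus-pattern scoring behind a report like the one above, as an added Python example (this is not the plugin's own `scripts/agent.py`). The entropy threshold of 5.5 and the indicator names come from the page; the verdict rule, the 08:00-18:00 weekday business-hours window and the two fixture files are assumptions made for the example.

```python
import base64
import json
import math
import os
import re
import sys
from collections import Counter
from datetime import datetime

# Entropy threshold taken from the sample report (bits per byte; 8.0 is the maximum).
ENTROPY_THRESHOLD = 5.5

# Indicator functions listed on the page; the regex tolerates whitespace before "(".
SUSPICIOUS_PATTERNS = {
    name: re.compile(r"\b" + name + r"\s*\(", re.IGNORECASE)
    for name in ("eval", "base64_decode", "system", "passthru", "str_rot13", "shell_exec")
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def matched_patterns(source: str) -> list[str]:
    """Names of indicator functions that appear as calls in the source, in table order."""
    return [name + "()" for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(source)]


def outside_business_hours(mtime: datetime, start_hour: int = 8, end_hour: int = 18) -> bool:
    """True on weekends or when the hour lies outside [start_hour, end_hour) (assumed window)."""
    return mtime.weekday() >= 5 or not (start_hour <= mtime.hour < end_hour)


def scan_content(path: str, content: bytes, mtime: datetime) -> dict:
    """Score one file the way the sample report does: entropy, indicator calls, timing."""
    entropy = shannon_entropy(content)
    patterns = matched_patterns(content.decode("utf-8", errors="replace"))
    # Verdict rule (assumption, not the plugin's scoring): high entropy alone is common for
    # images and minified assets, so require an indicator call to corroborate it, or
    # two or more indicator calls regardless of entropy.
    suspicious = bool(entropy > ENTROPY_THRESHOLD and patterns) or len(patterns) >= 2
    return {
        "file": path,
        "entropy": round(entropy, 2),
        "patterns": patterns,
        "off_hours_modification": outside_business_hours(mtime),
        "verdict": "SUSPICIOUS" if suspicious else "CLEAN",
    }


def scan_webroot(webroot: str, suffixes=(".php", ".jsp", ".asp", ".aspx")) -> list[dict]:
    """Walk a web root and return the report entries whose verdict is SUSPICIOUS."""
    findings = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                content = fh.read()
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime)
            report = scan_content(path, content, mtime)
            if report["verdict"] == "SUSPICIOUS":
                findings.append(report)
    return findings


# Constructed fixtures (not real files): a plain image helper, and an obfuscated-looking stub
# whose "payload" is merely base64 of the byte values 0..255, which has near-maximal entropy.
BENIGN_PHP = b"""<?php
// Resize an uploaded image to a thumbnail of the given width.
function make_thumb($src, $width) {
    $img = imagecreatefromjpeg($src);
    return imagescale($img, $width);
}
"""
_PAYLOAD = base64.b64encode(bytes(range(256)) * 4).decode()
OBFUSCATED_PHP = ("<?php eval(base64_decode('" + _PAYLOAD + "')); ?>").encode()

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(scan_webroot(sys.argv[1]), indent=2))
    else:
        sample = scan_content("/var/www/html/uploads/img_thumb.php", OBFUSCATED_PHP,
                              datetime(2025, 12, 1, 3, 42))
        print(json.dumps(sample, indent=2))
```

Run it with a web root as the first argument to scan real files, or with no argument to score the constructed fixture. Entropy per file is a coarse signal: the benign helper stays well below 5.5 while the base64 blob pushes the stub above it, but a JPEG or minified JavaScript file also scores high, which is why the verdict requires an indicator call before treating entropy as evidence.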