ShellBreaker: Automatically detecting PHP-based malicious web shells

Computers & Security (2019)

Abstract
A web shell is a server-side script uploaded by an attacker to enable persistent access on a compromised machine. Detecting web shells is therefore of significant importance. In this paper, we present a novel system named ShellBreaker to detect web shells written in PHP, one of the leading languages used for server-side script development. ShellBreaker performs detection by correlating syntactical and semantic features that systematically characterize web shells through three aspects including (i) their communication with external users/attackers, (ii) their adaption to the run-time environment, and (iii) their usage of sensitive operations. We have evaluated ShellBreaker using real-world, PHP-based web shells and benign PHP scripts. Experimental results have demonstrated that ShellBreaker can achieve a high detection rate of 91.7% at a low false positive rate of 1%.
Keywords
Intrusion detection, Web security, Web shells, Data flows, Taint analysis