{"id":48889254,"url":"https://github.com/aryma-f4/worldshellfinder","last_synced_at":"2026-04-16T07:01:10.439Z","repository":{"id":257802207,"uuid":"862199787","full_name":"Aryma-f4/worldshellfinder","owner":"Aryma-f4","description":"Web Shell finder using grep, where it has wordlist around the world to grep inside using regex and wordlist. So Lightweight and fast!","archived":false,"fork":false,"pushed_at":"2025-02-06T01:53:20.000Z","size":9806,"stargazers_count":31,"open_issues_count":0,"forks_count":5,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-12-02T17:58:32.188Z","etag":null,"topics":["backdoor","backdoor-defense","backdoor-finder","cyber-security","cybersecurity","finder","finder-shell","security","security-scanner","shell","shell-detection","shell-detector","shell-finder","shell-script","web-shell","webshell","worldfind","worldshellfinder"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Aryma-f4.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-09-24T07:52:26.000Z","updated_at":"2025-11-17T21:31:13.000Z","dependencies_parsed_at":null,"dependency_job_id":"1022096e-2938-47ea-a0f2-4e48e9f6e297","html_url":"https://github.com/Aryma-f4/worldshellfinder","commit_stats":null,"previous_names":["arya-f4/worldshellfinder","aryma-f4/worldshellfinder"],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/Aryma-f4/worldshellfinder","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aryma-f4%2Fworldshellfinder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aryma-f4%2Fworldshellfinder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aryma-f4%2Fworldshellfinder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aryma-f4%2Fworldshellfinder/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Aryma-f4","download_url":"https://codeload.github.com/Aryma-f4/worldshellfinder/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aryma-f4%2Fworldshellfinder/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31875183,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-15T15:24:51.572Z","status":"online","status_checked_at":"2026-04-16T02:00:06.042Z","response_time":69,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["backdoor","backdoor-defense","backdoor-finder","cyber-security","cybersecurity","finder","finder-shell","security","security-scanner","shell","shell-detection","shell-detector","shell-finder","shell-script","web-shell","webshell","worldfind","worldshellfinder"],"created_at":"2026-04-16T07:01:08.312Z","updated_at":"2026-04-16T07:01:10.424Z","avatar_url":"https://github.com/Aryma-f4.png","language":"Go","readme":"\u003cmeta name=\"description\" content=\"World Shell Finder is a Go-based web shell detection tool with keyword, rule, and heuristic scanning.\"\u003e\n\u003cmeta name=\"keywords\" content=\"webshell finder, web shell detection, golang security tool, malware scanner, incident response\"\u003e\n\n# World Shell Finder\n\nWorld Shell Finder is a Go command-line tool for detecting suspicious web shells and backdoors inside web roots or other source directories. It combines keyword matching, regex rules, and heuristic scoring to improve detection quality while reducing noisy single-hit matches.\n\n![shellfind](https://github.com/user-attachments/assets/3fa2513f-5eef-433c-ac7f-92d3e5789397)\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://img.shields.io/github/go-mod/go-version/Aryma-f4/worldshellfinder\" alt=\"Go version\"\u003e\n  \u003ca href=\"https://github.com/Aryma-f4/worldshellfinder/releases/\"\u003e\u003cimg src=\"https://img.shields.io/github/release/Aryma-f4/worldshellfinder\" alt=\"Latest release\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/Aryma-f4/worldshellfinder/issues\"\u003e\u003cimg src=\"https://img.shields.io/github/issues-raw/Aryma-f4/worldshellfinder\" alt=\"Issues\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/Aryma-f4/worldshellfinder/discussions\"\u003e\u003cimg src=\"https://img.shields.io/github/discussions/Aryma-f4/worldshellfinder\" alt=\"Discussions\"\u003e\u003c/a\u003e\n  \u003cimg src=\"https://img.shields.io/github/repo-size/Aryma-f4/worldshellfinder\" alt=\"Repository size\"\u003e\n\u003c/p\u003e\n\n![Worldshellfinder flow](https://github.com/user-attachments/assets/430df5ec-d1b3-46f8-9fdd-27be51c30d88)\n\n## Disclaimer\n\nThis project is intended for educational, incident response, and defensive security use. It does not replace a full malware analysis process. False positives and false negatives are still possible.\n\n## Highlights\n\n- Refactored into a **Clean Architecture** to ensure modularity, maintainability, and scalability.\n- Beautiful, intuitive **Interactive UI** powered by `pterm`.\n- Integrates **VirusTotal API** as a malware reference database to improve detection rules and confirm suspicious files.\n- Detects suspicious files using a scoring-based engine.\n- Combines keyword matches, regex signatures, and heuristic indicators.\n- Supports custom wordlists on top of the embedded default wordlist.\n- Produces clearer output with suspicion score and evidence summary.\n- Includes a string-removal mode for cleanup workflows.\n- Ships with GitHub Actions CI/CD and automatic prereleases on each push to the main branch.\n- Includes deep scan mode for suspicious traffic and broader rootkit checks.\n\n## Detection Approach\n\nThe scanner evaluates files using multiple signals:\n\n- Strong signatures such as obfuscated `eval(base64_decode(...))` patterns.\n- Dangerous runtime execution flows like `system($_REQUEST['cmd'])`.\n- Upload and dropper behavior such as `move_uploaded_file(... .php)`.\n- Heuristic combinations like user input plus command execution.\n- Known shell markers from the bundled wordlist.\n\nFiles are reported when their suspicion score reaches the configured threshold.\n\n## Installation\n\n### Build from source\n\n```bash\ngit clone https://github.com/Aryma-f4/worldshellfinder.git\ncd worldshellfinder\ngo build -o worldshellfinder .\n```\n\n### Install with Go\n\n```bash\ngo install github.com/Aryma-f4/worldshellfinder@latest\n```\n\nIf your Go binary path is not available in `PATH`, add it first:\n\n```bash\nexport PATH=\"$PATH:$HOME/go/bin\"\n```\n\n## Usage\n\n### Interactive mode\n\nRun the program without flags to use the menu-based interactive mode:\n\n```bash\n./worldshellfinder\n```\n\n### Detection mode\n\nBasic detection:\n\n```bash\n./worldshellfinder -mode detect -dir /var/www/html\n```\n\nVerbose detection:\n\n```bash\n./worldshellfinder -mode detect -dir /var/www/html -v\n```\n\nDetection with a custom wordlist:\n\n```bash\n./worldshellfinder -mode detect -dir /var/www/html -wordlist ./wordlists/zeus.txt\n```\n\nDetection with a stricter threshold:\n\n```bash\n./worldshellfinder -mode detect -dir /var/www/html -min-score 6 -max-evidence 8\n```\n\nSave results to a file:\n\n```bash\n./worldshellfinder -mode detect -dir /var/www/html -out result.txt\n```\n\n### Deep scan mode\n\nDeep scan combines:\n\n- file-based shell detection,\n- suspicious traffic inspection,\n- threat hunting on common auth, nginx, and apache logs,\n- rootkit checks using `rkhunter`, `chkrootkit`, `unhide`, and built-in heuristics.\n\nExample:\n\n```bash\n./worldshellfinder -mode deep -dir /var/www/html -out deep-report.txt -v\n```\n\n### Remove-string mode\n\n```bash\n./worldshellfinder -mode remove -dir /var/www/html -remove-string \"malicious_snippet\"\n```\n\n### Help\n\n```bash\n./worldshellfinder -h\n```\n\n## CLI Options\n\n```text\n-h, --help              Show help information\n-v                      Enable verbose output\n-mode string            Operation mode: detect, deep, or remove\n-dir string             Directory to scan\n-out string             Output file path\n-wordlist string        Additional custom wordlist file\n-min-score int          Minimum score before a file is reported\n-max-evidence int       Maximum evidence entries shown per file\n-remove-string string   String to remove when mode=remove\n-vt-api-key string      VirusTotal API key for checking suspicious files against the malware database\n--update                Update to the latest release\n```\n\n## Wordlists\n\nThe wordlist format is simple:\n\n- One keyword or signature per line.\n- Empty lines are ignored.\n- Custom entries are merged with the embedded default wordlist.\n\nSee:\n\n- [`wordlists/default.txt`](wordlists/default.txt)\n- [`wordlists/zeus.txt`](wordlists/zeus.txt)\n\n## Known Coverage\n\nThe repository also documents many shell families and samples already covered by the project:\n\n- [Known shell list](list_find_already_shell.md)\n\n## CI/CD\n\nGitHub Actions now provides:\n\n- Test execution on pull requests and pushes.\n- Multi-platform build artifacts for Linux, Windows, and macOS.\n- Automatic prerelease creation for every push to `main` or `master`.\n- Attached archives and checksum file in each generated release.\n\n## Rootkit Detection\n\nDeep scan does not rely on a single tool. It can use:\n\n- `rkhunter`\n- `chkrootkit`\n- `unhide`\n- built-in heuristic checks for preload abuse, suspicious modules, hidden executables, temporary privilege-escalation binaries, and persistence points\n\n## Log Threat Hunting\n\nDeep scan also inspects common log locations such as:\n\n- `/var/log/auth.log`\n- `/var/log/secure`\n- `/var/log/nginx/access.log`\n- `/var/log/apache2/access.log`\n\nIt looks for signs such as:\n\n- `cmd=`, `exec=`, `shell=`, or encoded payload probes\n- suspicious upload and dropper patterns\n- repeated authentication failures and invalid users\n- `sudo`, `curl`, `wget`, `nc`, or privilege escalation activity in auth logs\n\nIf the process lacks permission to inspect protected paths, the tool prints:\n\n```text\nnot enough permission to do this, gotta root\n```\n\n## Compatibility\n\n- Linux\n- Windows\n- macOS\n\n[![Go Workflow](https://github.com/Aryma-f4/worldshellfinder/actions/workflows/go.yml/badge.svg)](https://github.com/Aryma-f4/worldshellfinder/actions/workflows/go.yml)\n\n## Contributing\n\nContributions are welcome. Feel free to open an issue or submit a pull request for:\n\n- new shell signatures,\n- detection improvements,\n- performance fixes,\n- documentation updates.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faryma-f4%2Fworldshellfinder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faryma-f4%2Fworldshellfinder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faryma-f4%2Fworldshellfinder/lists"}