A shell finder is a type of reconnaissance tool that is used by threat actors to identify websites that have already been compromised and contain backdoor shells.
A backdoor shell is a form of malware that a threat actor adds after gaining unauthorized access to a website. Its purpose is to quietly maintain that unauthorized access even after the initial vulnerability is fixed. It can be compared to a criminal breaking into a building and creating secret entry points (backdoors) that they can reuse to get back in later. The attacker does not want anyone else to discover the backdoor, so they use various techniques to make its location harder to identify. This is why a shell finder is used instead of simply searching for these backdoors on compromised websites with a search engine.

A shell finder operates much like a website crawler, with one major difference: it searches only for backdoor shells and compiles a list of the ones it discovers.
Many shell finders are written in Python and use a static list of known backdoor shell filenames together with the directories where they are most commonly placed. Each entry is appended to the crafted request that the shell finder sends to a website to test whether that backdoor shell exists, as in the list below:
lista = ["1337.php","xl.php","r4qxl.php","e8bgm.php","wp-god.Php","olx.php","class-wp-http-requests-hooks.php","wp-ahsera.php","user.php","ukccpnrkon.php","tebitwbejt.php","poplfqudwb.php","jtbknjjpvc.php","nilppomgwj.php","rrrzlhymub.php","ruzu6mit.php","boilxnplrr.php","wajarhdzbt.php",".dha.php","wp-admin.php","logs.php","wp-easy.php","wxo.php","wp-video.php","amigo.php","-.php",".yoi.php","wp-info.php","wp-contentt.php","i3wfj.php","5fesj.php","s46v1.php","djfksr4.php","p7m94.php","we1y8.php","wxo.php","s46v1.php","jdimzmtaas.php","wp-content/iu.php","ccx/th3_err0r.php","ccx/index.php","cgi-bin/ffAA531.php","cgi-bin/991176.php","991176.php","up-kon.php","codeboy1877_up.php","wp-content/codeboy1877_up.php","hehe.php","post-data.php","wp-admin/codeboy1877_up.php","batm.php","wp-includes/codeboy1877_up.php","w0.php","webr00t.php","finca.php","qibozpiuqx.php","wp-content/finca.php","rg3v6.php","qly7i.php","cjaWY8Kf7Ci.php","wp-admin/ysp6c.php","soz.php","wp-admin/ysf87.php","wp-admin/ugeaz.php","wp-admin/nd8z1.php","wp-content/mny4z.php","wp-admin/mdsa9.php","wp-admin/lkf65.php","wp-admin/jensq.php","UNZipeRpoe.php","wp-admin/UNZipeRpoe.php","wp-admin/zphxi.php","wp-content/Free-fixed.php","wp-content/local.php","shell20211028.php","wp-content/ave.php","wp-content/xx.php","wp-admin-configs.php","ys16l.php","wp-content/Foxs1sx.php","Foxs1sx.php","uy7sw.php","75888592_err0r.php","syhrnvhpze.php","wp-admin/hb81i.php","wp-admin/zgpsy.php","wp-admin/Anonime-shell.php","wp-admin/wso32.php","wp-content/1788821455_error_log.php","wp-content/export.php","1788821455_error_log.php","cyb3r-sh3ll.php","fc11.php","wp-admin/oTm4n3x.php","oTm4n3x.php","assets/js/ice.php","img/ice.php","js/ice.php","wp-admin/ycxlu.php","fonts/ice.php","DKIZ.php?DKIZ","wp-content/ice.php","wp-admin/ice.php","fmb97.php","shl.php","pi.php","wp-admin/lx.php","wp-includes/assets/lx.php","wp-content/plugins/tusupugnpr/up.php?php=anonymousfox.is/_@files/php/up.txt","wp-admin/9h7zj.php","f6qxl.php","wp-signup.php?Fox=sQFLZ","angyw.php","wp-admin/57yke.php","gxsyuzkutr.php","3x.php","qb9sl.php","hewsioaypm.php","mailer.php","maileraso.php","dsdfklsjroden.php","_.php","wpse.php","Fresh.php","fkbqn.php","2.php","c9ny3.php","5.php","cakt.php","ab.php","wp-content/ak.php","wp-snapshots/ss.php","wp-content/alpa.php","wp_wrong_datlib.php","uploads/up.php","vekizcjxrc.php","wp-content/shell20211028.php","wp-sid.php","ALFA_DATA/wp-2019.php","defaul1.php","DownloadApp/wp-2019.php","wp-admin/setup-config.php","Logo/wp-2019.php","takeout.php","tmpurufu.php","images/vuln.php","admin.php","mt/pekok.php","wp_wrong_datlib.php","media-admin.php","wp-content/upload.php","","xleet-shell.php","vse.php","shadowx.php","romfc.php","0byt3m1n1.php","wp-admin/alfav41.php","alfav41.php","wp-admin/zat2.php","zat2.php","wp-admin/webr00tv3.php","webr00tv3.php","wp-admin/romfc.php","ALFA_DATA/alfacgiapi/shellgo.php","deleteme.chajbbh2.php","ALFA_DATA/alfacgiapi/fox.php","FoxSH-3izfw/fox.sh","lock360.php","ffAA531.php","root.php","wp-site.php","homepage-index.php","wp-comments-post.php","reset.php","wp_logx.php","gank.php.PhP","mst.php","wp_wrong_datlib.php","indeeex.php","FoxWSO-full.php","w3llstore.php","wp-content/zfox.php","tmp/plupload/vuln.phP","pop.php","wp_wrong_datlib.php","wp-plugins.php","system_log.php","accesson.php","media-admin.php","gank.php.PhP","octeesfes.php","moduless.php","lok.php","inc.class.3index.php","inc.class.wp-plugins.php","wp-l0gin.php","1index.php","123.php","ot.php","masshp.php","pl1gn.php","wp-2019.php","xml.php","/wp-content/ninja.php","wp-content/a.php","ninja.php","radio.php","23.php","codeboy1877x.php","wp-content/think.php","sts.php","1877x.php","wp-content/plugins/upspy/con.php","wp-content/uploads/F0x.php","wp-includes/css/F0x.php","wp-includes/css/F0x.ph","wp-content/plugins/html404/xccc.php","wp-content/plugins/upspy/up.php","wp-content/5.php","wp-content/plugins/html404/wso25.php","wp-content/plugins/html404/xccc.php","wp-content/plugins/upspy/con.php#ubh@ubh","wp-content/plugins/upspy/sllolx.php","stindex.php","new-index.php","wp-content/plugins/css-ready/file.php","wp-content/plugins/css-ready-sel/file.php","sindex.php","wp-includes/css/modules.php","old-index.php","baindex.php","wikindex.php","ext15.php","Marvins.php","XxX.php","wp-admin/shapes.php","wp-content/plugins/upspy/index.php","wp-content/plugins/ubh/index.php","wp-content/plugins/vwcleanerplugin/bump.php?cache","wp-content/themes/gaukingo/db.php","wp-content/plugins/xichang/x.php?xi","wp-content/plugins/wp-db-ajax-made/wp-ajax.php","wp-content/plugins/html404/index.html","small.php","wp-content/uploads/small.php","wsanon.php","wp-content/small.php","wp-content/mode.php","doc.php","wp-content/plugins/three-column-screen-layout/db.php","indo.php","beence.php","indosec.php","archives.php","po8sa.php","thesmartestx.php","zcanp.php","burjuva.aspx","content.php","pvt.php","shell20211028.php","cgi-bin/wp-2019.php","crypted.php","h0110w4y.php","alf.php","55.php","vesiw.php","w.php","class-wp-widget-archives.php","wp-db.php","site_islemleri.php","1.php","Chitoge.php","lollers.php","0x1999 Private Shell (0x Shell).php","CyberNetic v2 (BANGLADESH CYBER ARMY) Shell. php","tl.phP","ccaef.php","/wp-includes/lx.php","/wp-content/ice.php","/wp-content/lx.php","lx.php","useri.php","tonant.php","wp.plug.PHp","css.PHp","f0x.php","1s2c4.php","config.bak.php","176.php","bypass403.php","css.php","zudjr.php","ra due ayang.php","2.php","3index.php","529.php","about.php","snowwins.php","uzgnsomdco.php","adminer.php","allahnaber.php","AK-74.php","alfa3.php","wp-admin/ALFA_DATA/alfacgiapi/perl.alfa","alfacgiapi/perl.alfa","/ALFA_DATA/alfacgiapi/alfa.php","/ALFA_DATA/alfacgiapi/c99.php","/ALFA_DATA/alfacgiapi/fw.php","/ALFA_DATA/alfacgiapi/mini.php","/ALFA_DATA/alfacgiapi/perl.alfa","ALFA_DATA/alfacgiapi/perl.alfa","/ALFA_DATA/alfacgiapi/r57.php","/ALFA_DATA/alfacgiapi/uploader.php","/ALFA_DATA/alfacgiapi/ups.php","alfaindex.php","alfa.php",".alf.php","b374k.php","bb.php","bypass.php","c99.php","cmd.php","css/ALFA_DATA/alfacgiapi/perl.alfa","cw.php","date.php","files/ALFA_DATA/alfacgiapi/perl.alfa","fw.php","haxor.php","icomsium.php","ico.php","images/ALFA_DATA/alfacgiapi/perl.alfa","indoxploit.php","leaf.php","marijuana.php","mass.php","mini.php","priv8.php","pws.php","r57.php","robots.php","shell.aspx","shell.php","small.php","snd.php","uploader.php","ups.php","wp-admin/alfacgiapi/perl.alfa","wp-admin/ALFA_DATA/alfacgiapi/perl.alfa","wp-class.php","wp-content/alfacgiapi/perl.alfa","wp-content/ALFA_DATA/alfacgiapi/perl.alfa","wp-content/batm.php","wp-content/masshp.php","wp-content/alfa.php","wp-content/fw.php","wp-content/plugins/cekidot/alf.php","wp-includes/alfacgiapi/perl.alfa","wp-includes/ALFA_DATA/alfacgiapi/perl.alfa","wso1.php","wso2.8.5.php","wso.php","ww.php","www.php","mininew.php","xleet.php"] #pathlist
Shell finder authors often include a UI to make the tool as easy as possible to operate and to encourage new users to adopt it. In fact, shell finders are frequently offered for free by their authors so that they can build a large user base and distribute the workload of crawling websites for backdoors that they can take over and sell on illicit marketplaces. In those marketplaces they operate as access brokers, selling unauthorized access to buyers who urgently need a website for malicious activity such as phishing.


Identifying Traffic from Shell Finders
Because of their popularity, traffic from shell finders is fairly common as they crawl websites looking for backdoor shells to hijack. However, log analysis and code analysis of shell finder tools reveal that they use hard-coded data in the requests they send while crawling, which makes it possible to detect such crawling accurately and to develop signatures or rules that block these requests.
The two main identifiers in these requests are:
- User Agents
User agents often contain suspicious misspellings or words that make the crawler easy to identify. These user agents are unique enough that legitimate traffic does not use them. Usually, more than 50% of the requests from shell finder tools use a unique user agent similar to those listed below (note the misspellings "Bulid", "Moblie" and "Mozlila"):
Mozilla/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36/8mqULwuL-67wp_is_mobile
Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
- Referer URLs
When the user agent is not unique enough to serve as an identifier for shell finder traffic, the Referer URL can be used instead, since it is another static value hard-coded into the shell finder's code. The shell finder uses common search engine websites as the Referer URL to disguise its requests and possibly to bypass some access controls:
google.com - http://www.google.com
bing.com - http://www.bing.com
binance.com - http://www.binance.com
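The following Python script is an added example and is not code from this article or from any shell finder tool. It applies the three indicators discussed above (a request path from the hard-coded path list, one of the hard-coded user agents, and a bare search-engine Referer) to web server access log lines in combined log format, and reports per-IP totals so the "more than 50% of requests" behaviour can be checked. The path excerpt is a short subset of the list quoted earlier, and the log lines, timestamps and IP addresses are constructed for the example.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Short excerpt of the hard-coded path list quoted earlier (the full list has
# several hundred entries). Lowercased because the tools mix cases, e.g. "wp-god.Php".
KNOWN_SHELL_PATHS = {p.lower() for p in (
    "1337.php", "wp-god.Php", "c99.php", "r57.php", "wso.php", "b374k.php",
    "alfa.php", "wp-content/ice.php", "wp-admin/wso32.php", "shell20211028.php",
    "ALFA_DATA/alfacgiapi/perl.alfa", "xleet-shell.php", "adminer.php",
)}

# The hard-coded User-Agent strings quoted earlier, verbatim.
SHELL_FINDER_UAS = {
    "Mozilla/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/102.0.0.0 Safari/537.36/8mqULwuL-67wp_is_mobile",
    "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36",
}
# Misspelled tokens taken from those agents; a substring test also catches small variants.
UA_MARKERS = ("Mozlila/", "Bulid/", "Moblie ", "wp_is_mobile")

# Bare homepages the tools send as the Referer (quoted earlier). Genuine search
# referrals carry https and a path, so the exact-match comparison is deliberate.
STATIC_REFERERS = {"http://www.google.com", "http://www.bing.com", "http://www.binance.com"}

# Apache/nginx combined log format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

Hit = namedtuple("Hit", "ip path reasons")


def normalize_path(target):
    """Drop scheme, host, query and fragment; strip the leading '/' and lowercase."""
    return urlsplit(target).path.lstrip("/").lower()


def classify(line):
    """Return a Hit for a parsable log line (reasons may be empty), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    path = normalize_path(m["target"])
    if path in KNOWN_SHELL_PATHS:
        reasons.append("known-shell-path")
    ua = m["ua"]
    if ua in SHELL_FINDER_UAS or any(tok in ua for tok in UA_MARKERS):
        reasons.append("shell-finder-ua")
    if m["referer"] in STATIC_REFERERS:
        reasons.append("static-search-referer")
    return Hit(m["ip"], path, tuple(reasons))


def scan(lines):
    """Hits for every line that matched at least one indicator."""
    return [h for h in map(classify, lines) if h and h.reasons]


def summarize(lines):
    """Per source IP: (parsed requests, requests matching at least one indicator)."""
    totals = {}
    for h in filter(None, map(classify, lines)):
        seen, flagged = totals.get(h.ip, (0, 0))
        totals[h.ip] = (seen + 1, flagged + int(bool(h.reasons)))
    return totals


# Constructed sample log lines (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2023:12:00:01 +0000] "GET /wp-content/ice.php HTTP/1.1" 404 512 '
    '"http://www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"',
    '203.0.113.7 - - [10/Jun/2023:12:00:02 +0000] "GET /wp-god.Php HTTP/1.1" 404 512 '
    '"http://www.bing.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36/8mqULwuL-67wp_is_mobile"',
    '198.51.100.4 - - [10/Jun/2023:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3210 '
    '"https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"',
    '203.0.113.7 - - [10/Jun/2023:12:00:04 +0000] "GET /?p=12 HTTP/1.1" 200 9001 "-" '
    '"Mozilla/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"',
    '192.0.2.9 - - [10/Jun/2023:12:00:05 +0000] "GET /ALFA_DATA/alfacgiapi/perl.alfa HTTP/1.1" '
    '403 0 "-" "curl/8.1.2"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h.ip, "/" + h.path, ", ".join(h.reasons))
    print(summarize(SAMPLE_LOG))
```

Each indicator on its own is weak: a probe for a listed path from a normal browser may be a one-off scanner, and the bare Referer alone proves little. The per-IP summary is what makes the pattern convincing, since a source whose requests almost all carry the misspelled agents or listed paths matches the behaviour described above and is a reasonable candidate for a block rule. Because the paths, agents and Referers are all hard-coded in the tools, the same three sets translate directly into WAF or web server deny rules.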