Web Shell Detection in WAS

Document created by Dave Ferguson on Dec 3, 2019. Last modified by Dave Ferguson on Mar 30, 2020.

Recently, the WAS scan engine began testing for the presence of known web shells via QID 150239. This QID is included in the Core detection scope and is rated by Qualys as severity 5 (the highest severity). If a web shell is found, the scanned application has already been compromised and immediate action is required. If you're unfamiliar with web shells, you can find more information in US-CERT Alert #TA15-314A.

Here is the list of known web shells that WAS tests for when QID 150239 is enabled:

  • c99.php
  • Antichat Shell.php
  • b374k.php
  • b374k_mini.php
  • c99madshell.php
  • PHP Shell.php
  • r57shell.php
  • JspWebShell.jsp
  • shell.jsp
  • zend.jsp
  • warn.jsp
  • JspSpy.jsp
  • Indexer.asp
  • NTDaddy.asp
  • RemExp.asp
  • zehir4.asp
  • Elmaliseker.asp
  • pouya.asp

Each of these file names is requested at the web app's target URL (the base location) and in directories up to two levels deep inside the web app. If the response body matches a regular expression that identifies the shell, QID 150239 is reported; a 200 status on its own is not treated as a finding.
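The check described above, written out as an added example (not Qualys code): it builds the candidate URLs from the file list and the directories discovered up to two levels deep, then reports only responses that are 200 and match a content signature. The signature regex, the `app.example.test` host and the canned responses are constructed for this illustration; WAS's real patterns are not published here.

```python
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote, urljoin

# File names probed by QID 150239, copied from the list in this document.
KNOWN_SHELLS: List[str] = [
    "c99.php", "Antichat Shell.php", "b374k.php", "b374k_mini.php", "c99madshell.php",
    "PHP Shell.php", "r57shell.php", "JspWebShell.jsp", "shell.jsp", "zend.jsp",
    "warn.jsp", "JspSpy.jsp", "Indexer.asp", "NTDaddy.asp", "RemExp.asp", "zehir4.asp",
    "Elmaliseker.asp", "pouya.asp",
]
# Constructed content signature (illustrative only). Requiring a body match rather than
# just a 200 status avoids false positives on sites that answer every path with 200.
SHELL_SIGNATURE = re.compile(r"(?i)(web\s*shell|safe[_ ]mode|uname -a|cmd\.exe|eval\()")
MAX_DEPTH = 2  # base location plus two directory levels, as the document states


def candidate_urls(base_url: str, directories: List[str]) -> List[str]:
    """Pair every known shell name with the base location and each directory at depth <= 2."""
    base_url = base_url.rstrip("/") + "/"  # urljoin drops the last path segment without it
    dirs = {""}  # "" is the base location itself
    for d in directories:
        d = d.strip("/")
        if d and len(d.split("/")) <= MAX_DEPTH:
            dirs.add(d + "/")
    # quote() keeps "/" but encodes the space in names such as "PHP Shell.php".
    return [urljoin(base_url, quote(d + name)) for d in sorted(dirs) for name in KNOWN_SHELLS]


def scan(base_url: str, directories: List[str],
         fetch: Callable[[str], Tuple[int, str]]) -> List[str]:
    """Return the URLs whose response is 200 and whose body matches the signature."""
    hits = []
    for url in candidate_urls(base_url, directories):
        status, body = fetch(url)
        if status == 200 and SHELL_SIGNATURE.search(body):
            hits.append(url)
    return hits


# Constructed responses standing in for live HTTP fetches so the example runs offline.
FAKE_SITE: Dict[str, Tuple[int, str]] = {
    "https://app.example.test/c99.php": (200, "<title>c99 web shell</title> safe_mode: off"),
    "https://app.example.test/admin/shell.jsp": (200, "<h1>Page not found</h1>"),  # 200, harmless
    "https://app.example.test/admin/uploads/r57shell.php": (200, "uname -a output here"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    return FAKE_SITE.get(url, (404, "Not Found"))


if __name__ == "__main__":
    dirs = ["admin/", "admin/uploads/", "admin/uploads/2019/"]  # last one is depth 3, skipped
    for hit in scan("https://app.example.test", dirs, fake_fetch):
        print("QID 150239 would be reported for:", hit)
```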