Journal of Information Processing Systems

Korea Information Processing Society (한국정보처리학회)
권호 표지
DOI QR코드

DOI QR Code

WebSHArk 1.0: A Benchmark Collection for Malicious Web Shell Detection

  • Kim, Jinsuk (Department of Science & Technology Security, National Institute of Supercomputing & Networking (NISN), Korea Institute of Science & Technology Information (KISTI)) ;
  • Yoo, Dong-Hoon (Department of Science & Technology Security, National Institute of Supercomputing & Networking (NISN), Korea Institute of Science & Technology Information (KISTI)) ;
  • Jang, Heejin (Department of Science & Technology Security, National Institute of Supercomputing & Networking (NISN), Korea Institute of Science & Technology Information (KISTI)) ;
  • Jeong, Kimoon (Department of Science & Technology Security, National Institute of Supercomputing & Networking (NISN), Korea Institute of Science & Technology Information (KISTI))
  • Received : 2014.02.25
  • Accepted : 2014.04.16
  • Published : 2015.06.30
Download PDF
⟨ Previous Next ⟩

Abstract

Web shells are programs that are written for a specific purpose in Web scripting languages, such as PHP, ASP, ASP.NET, JSP, PERL-CGI, etc. Web shells provide a means to communicate with the server's operating system via the interpreter of the web scripting languages. Hence, web shells can execute OS specific commands over HTTP. Usually, web attacks by malicious users are made by uploading one of these web shells to compromise the target web servers. Though there have been several approaches to detect such malicious web shells, no standard dataset has been built to compare various web shell detection techniques. In this paper, we present a collection of web shell files, WebSHArk 1.0, as a standard dataset for current and future studies in malicious web shell detection. To provide baseline results for future studies and for the improvement of current tools, we also present some benchmark results by scanning the WebSHArk dataset directory with three web shell scanning tools that are publicly available on the Internet. The WebSHArk 1.0 dataset is only available upon request via email to one of the authors, due to security and legal issues.

Keywords

References

  1. Netcraft, "January 2014 Web server survey," 2014; http://news.netcraft.com/archives/2014/01/03/january-2014-web-server-survey.html.
  2. KrCERT/CC, Monthly trend and analysis of Internet attacks (May 2008). Seoul: Korea Internet & Security Agency, 2008.
  3. S. Behrens and B. Hagen, "What's up with these pesky shells?" 2011; http://resources.infosecinstitute.com/webshell-detection/.
  4. X. Mingkun, C. Xi, and H. Yan, "Design of software to search ASP web shell," Procedia Engineering, vol. 29, pp. 123-127, 2012. https://doi.org/10.1016/j.proeng.2011.12.680
  5. D. Canali, D. Balzarotti, and A. Francillon, "The role of web hosting providers in detecting com-promised websites," in Proceedings of the 22nd international conference on World Wide Web, Rio de Janiro, Brazil, 2013, pp. 177-188.
  6. Emposha, "PHP shell detector: web shell detection tool," 2011; http://www.emposha.com/security/php-shelldetector-web-shell-detection-tool.html.
  7. H. Park, J. Kim, K. Jeong, and Y. Lee, User Guide to WSF (Web Security Framework). Daejeon, Korea: Korea Institute of Science & Technology Information, 2014.
  8. R-fx Networks Linux Malware Detect, https://www.rfxn.com/projects/linux-malware-detect/.
  9. 1998 DARPA Intrusion Detection Evaluation Data Set, http://www.ll.mit.edu/ideval/data/1998data.html.
  10. 1999 DARPA Intrusion Detection Evaluation Data Set, http://www.ll.mit.edu/ideval/data/1999data.html.
  11. G. Creech and J. Hu, "Generation of a new IDS test dataset: time to retire the KDD collection," in Proceedings of IEEE Wireless Communications and Networking Conference (WCNC), Shanghai, China, 2013, pp. 4487-4492.
  12. Webshell, https://github.com/tennc/webshell.
  13. Web shells and RFIs collection, http://www.irongeek.com/i.php?page=webshells-and-rfis.
  14. W3Techs, "Usage of server-side programming languages in websites," http://w3techs.com/technologies/overview/programming_language/all.
  15. ASP Nuke CMS ASP Nuke 0.80, http://asp-nuke-cms.soft112.com/.
  16. Umbraco, http://umbraco.com/.
  17. ASP VBScript CMS: open source content management for window IIS, http://code.google.com/p/asp-vbscript-cms/.
  18. Instant content management systems, http://www.instant-cms.com/.
  19. Joomla!, http://www.joomla.org/.
  20. Magnolia CMS, http://www.magnolia-cms.com/.
  21. MySQL ASP Web Content Management, http://www.mysql.aspcontentmanagement.com/.
  22. Web Content Management System openEngine, http://www.openengine.de/html/pages/de/index.htm.
  23. WordPress.com, http://wordpress.com.
  24. C. J. Van Rijsbergen, Information Retrieval, 2nd ed. London: Buttersworths, 1979.