Developement now taks place at https://gitlab.cylab.be/cylab/webshell-detector
The webshell detector can be integrated as a composer library to your project, or you can run it from the command line.
composer require cylab-be/webshell-detector
require_once "vendor/autoload.php";
use RUCD\WebshellDetector\Detector;
$detector = new Detector();
echo $detector->analyzeFile("strange_file.php");
Download the runnable PHAR from the Releases pages.
To run:
webshell-detector.phar analyze:directory /path/to/directory
You can modify the "sensitivity" of the detector, by modifying the threshold for displaying files. This will display the suspiciousness score of every files:
webshell-detector.phar analyze:directory -t 0.0 /path/to/directory
The default threshold used by the tool is 0.4