NAME¶
neopi - web shell code detection
SYNOPSIS¶
neopi [options] <dir> [regex]
DESCRIPTION¶
This manual page documents briefly the
neopi command.
neopi is a Python script that uses a variety of statistical methods to
detect obfuscated and encrypted content within text/script files.
The intended purpose of NeoPI is to aid in the detection of hidden web shell
code.
The development focus of NeoPI was creating a tool that could be used in
conjunction with other established detection methods such as Linux Malware
Detect or traditional signature/keyword based searches.
NeoPI recursively scans through the file system from a base directory and will
rank files based on the results of a number of tests.
It also presents a “general” score derived from file rankings
within the individual tests.
OPTIONST¶
The program follows the usual GNU command line syntax, with long options
starting with two dashes (`-'). A summary of options is included below.
- -v, --version
- Show version of program.
- -h, --help
- Show summary of options.
- -C FILECSV, --csv=FILECSV
- Generates a CSV output to FILECSV containing the results of the
scan.
- -a, --all
- Run all tests including entropy, longest word, and index of coincidence.
This is the recommended way of running neopi.
- -e, --entropy
- Run only the entropy test.
- -l, --longestword
- Run only the longestword test.
- -c, --ic
- Run only the Index Coincidence test.
- -A, --auto
- This flag runs an auto generated regular expression that contains many
common web application file extensions.
This list is by no means comprehensive but does include a good ‘best
effort’ scan if you are unsure of what web application languages
your server is running.
Current list of included extensions: php, asp, aspx, sh, bash, zsh, csh,
tsch, pl, py, txt, cgi, cfm
EXAMPLES¶
neopi -C scan1.csv -a -A /var/www/
neopi -a /tmp/phpbb "php|txt"
neopi -a -A /var/www/html/
ABOUT¶
neopi authors are Ben Hagen <ben.hagen@neohapsis.com> and Scott
Behrens <scott.behrens@neohapsis.com>.
This man page was written by Arturo Borrero Gonzalez
<arturo.borrero.glez@gmail.com> for the Debian GNU/Linux distribution
(but it may be used by others).