PHP Webshell Malware
Published date: 10/07/2025
Written by: Lizzie Danielson
A PHP webshell is a malicious script that gives attackers a back door into your web server. Once uploaded, it acts as a command-and-control interface, letting threat actors browse your file system, upload more malware, steal data, or even take over the server completely. It’s a sneaky and dangerous tool used to maintain persistent access and escalate attacks.
What is PHP Webshell Malware?
A PHP webshell is a type of malware that provides attackers with remote administration of a web server. It's not a virus or a specific named strain but rather a malicious tool written in the PHP programming language. Because PHP powers a huge percentage of websites (think WordPress, Joomla, and Drupal), PHP webshells are a widespread and persistent threat.
Once an attacker successfully uploads a webshell script to a server, they can access it through a web browser. This gives them a powerful, web-based interface to execute commands, manipulate files, and pivot deeper into a network. Popular webshells like C99, R57, and B374K offer extensive features, turning a compromised server into a launchpad for further malicious activities. The threat level is high because a successful webshell attack can lead to complete server compromise, data exfiltration, and lateral movement across an organization's infrastructure.
When was PHP Webshell First Discovered?
Webshells aren't a new phenomenon; they've been around for as long as web servers have existed. The concept dates back to the late 1990s and early 2000s, evolving alongside web technologies. Early versions were simple scripts, but they have since become highly sophisticated, with obfuscated code and advanced functionalities. There isn't a single "discovery" date for PHP webshells as a category, but their use has been documented by security researchers for over two decades.
Who Created PHP Webshell?
There is no single creator of PHP webshells. They are tools developed by countless individual attackers, penetration testers, and cybercriminal groups. Many popular webshells are open-source or traded on underground forums, allowing any attacker to download, modify, and deploy them. The anonymity of the internet makes it nearly impossible to attribute a specific webshell to a single person or group, though some advanced versions have been linked to state-sponsored threat actors.
What Does PHP Webshell Target?
PHP webshells target any web server running PHP-based applications. This includes a massive range of systems, from personal blogs to large enterprise websites and e-commerce platforms. Content Management Systems (CMS) like WordPress, Joomla, and Drupal are especially frequent targets due to their widespread use and the availability of vulnerable plugins and themes.
Attackers aren't picky; they target any industry or geography with a vulnerable web presence. The goal is to establish a foothold for various nefarious purposes, including:
Data theft: Stealing sensitive customer information, financial data, or intellectual property.
Hosting malicious content: Using the compromised server to host phishing pages or distribute other malware.
DDoS botnets: Enlisting the server into a network of bots to launch Distributed Denial-of-Service attacks.
Cryptomining: Hijacking server resources to mine for cryptocurrencies.
PHP Webshell Distribution Method
Attackers use several common methods to upload a PHP webshell onto a target server. The initial infection vector almost always involves exploiting a weakness in the web application or server configuration.
Common distribution methods include:
Application Vulnerabilities: Exploiting flaws like SQL injection, Remote File Inclusion (RFI), or Local File Inclusion (LFI) to trick the server into executing code that downloads the webshell.
Unrestricted File Uploads: Many websites allow users to upload files (like profile pictures or documents). If not properly configured, attackers can upload a malicious .php file disguised as an image or another benign file type.
Weak Credentials: Brute-forcing or using stolen administrator credentials to log into the CMS or server backend and manually upload the webshell.
Compromised Plugins or Themes: Using nulled or outdated third-party plugins and themes that contain backdoors or known vulnerabilities.
Technical Analysis of PHP Webshell Malware
Once a PHP webshell is on a server, it lies dormant until the attacker accesses it via a specific URL. The script then executes on the server, presenting the attacker with a control panel in their browser. The webshell runs with the same permissions as the web server's user account (e.g., www-data, apache), which often has broad access to read, write, and execute files within the web root directory.
Attackers often use obfuscation techniques to hide their webshells from detection. This can involve encoding the script in Base64, splitting the code into multiple files, or using innocent-looking filenames like settings.php or cache.php to blend in with legitimate application files. The ultimate goal is persistence—maintaining access for as long as possible without being discovered.
Tactics, Techniques & Procedures (TTPs)
PHP webshells are directly associated with several MITRE ATT&CK techniques, primarily under Persistence and Execution.
T1505.003 - Server Software Component: Web Shell: This is the primary technique. The adversary places a webshell on the server to maintain persistent access and execute commands.
T1190 - Exploit Public-Facing Application: This technique is often used as the initial access vector to upload the webshell in the first place.
T1059 - Command and Scripting Interpreter: Webshells provide an interface to execute shell commands, scripts (like Python or Perl), or PHP functions directly on the server.
T1105 - Ingress Tool Transfer: Attackers use the webshell to upload additional tools, backdoors, or ransomware onto the compromised system.
Indicators of Compromise (IoCs)
Detecting webshells can be tricky because they often mimic legitimate traffic. However, there are several IoCs to watch for:
Unusual Files: Suspiciously named .php files in upload directories or files with recent modification timestamps that don't correspond to any known development activity.
Abnormal Network Traffic: Outgoing connections from the web server to unknown IP addresses or an unusual amount of POST requests to a single PHP file.
High Server Resource Usage: Unexplained spikes in CPU or memory usage could indicate the server is being used for activities like cryptomining.
Suspicious Log Entries: Web server logs (like Apache's access.log) may show repeated POST requests to a non-standard PHP file from a single IP address.
Common Webshell Filenames: Files named c99.php, r57.php, WSO.php, or other known webshell variants.
Malware Guide
Our malware guide shows you how to shut down those infiltration paths before they ever become a crisis.
How to Know if You’re Infected with PHP Webshell?
Besides looking for specific IoCs, several symptoms might suggest your server has been compromised with a webshell:
Your website is suddenly blacklisted by search engines for hosting malware.
You notice new, unauthorized user accounts in your CMS backend.
Your website's files have been modified or defaced.
You receive complaints from users about strange redirects or pop-ups.
Performance is sluggish, and server resources are consistently maxed out.
PHP Webshell Removal Instructions
Removing a webshell requires more than just deleting the malicious file. Attackers often leave behind other backdoors or modified files to regain access.
Isolate the Server: Take the compromised server offline immediately to prevent further damage or lateral movement.
Identify the Webshell: Use file integrity monitoring tools, malware scanners, or manual inspection to locate the webshell script(s). Check web server logs for suspicious POST requests to pinpoint the file.
Analyze and Remove: Before deleting, make a copy of the webshell for analysis. This can help you understand how the attacker got in. Once you've identified all malicious files, remove them.
Patch the Vulnerability: This is the most critical step. Identify and fix the security hole that allowed the attacker to upload the webshell. This could mean updating a plugin, changing weak passwords, or fixing a code vulnerability.
Restore from a Clean Backup: The safest method is often to wipe the server and restore it from a known-good backup created before the infection occurred.
Use a Professional Tool: For guaranteed removal and future protection, lean on a solution like Huntress Managed EDR. Our 24/7 ThreatOps team can hunt for, isolate, and remediate threats like webshells so you don't have to.
Is PHP Webshell Still Active?
Absolutely. PHP webshells are more active than ever in 2025. As long as there are vulnerable PHP applications on the internet, attackers will continue to use webshells as a go-to tool for compromising servers. They are constantly evolving, with new obfuscation techniques and features appearing all the time. They remain a fundamental tool in the arsenal of both low-skilled hackers and sophisticated APT groups.
Mitigation & Prevention Strategies
Don't wait for an infection to happen. A proactive defense is your best bet against webshells.
Keep Everything Updated: Regularly patch your CMS, plugins, themes, and server software. This closes the known vulnerabilities attackers love to exploit.
Harden Your Server: Implement strong file permissions to prevent the web server process from writing to unauthorized directories. Disable unnecessary PHP functions that could be abused.
Use Strong Passwords and MFA: Enforce multi-factor authentication and complex passwords for all administrative accounts.
Validate File Uploads: If your site allows file uploads, strictly validate file types and scan all uploads for malicious code.
Implement a Web Application Firewall (WAF): A WAF can help filter out malicious requests and block attempts to exploit common vulnerabilities.
Continuous Monitoring: The best defense is a good offense. Employ a 24/7 managed detection and response solution like Huntress ITDR to monitor for suspicious activity, detect webshells, and stop attackers in their tracks. Our human-led ThreatOps team hunts for threats that automated tools alone can't find.
PHP Webshell FAQs
Protect What Matters
