{
	"id": "6db5b4be-ec0f-49a1-9fcd-8656e51304a6",
	"created_at": "2026-04-06T15:53:02.982754Z",
	"updated_at": "2026-04-10T03:21:04.094318Z",
	"deleted_at": null,
	"sha1_hash": "9b4bf64bd6fdbddaaec018bf159bb3cdfa126e36",
	"title": "WSO Shell: The Hack Is Coming From Inside The House!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 209031,
	"plain_text": "WSO Shell: The Hack Is Coming From Inside The House!\r\nBy Wordfence Author\r\nPublished: 2017-06-22 · Archived: 2026-04-06 15:37:49 UTC\r\nImagine that one day you discover that a burglar has broken into your home and attempted to make off with your\r\nbig-screen TV. Fearing for your safety, you immediately contact local law enforcement, and they promptly\r\napprehend the criminal. But to your horror, as they drag the burglar away in handcuffs, they have an additional\r\nshocking revelation: the burglar has not only been living in the basement of your home for months, entirely\r\nundetected by you, but he’s also converted your basement into an elaborate base for all of his criminal\r\noperations.\r\nYou, of course, are both shocked and appalled! How could you not have noticed a nefarious criminal had hijacked\r\nyour whole residence right under your nose? And how much damage have they already done, unbeknownst to you,\r\nall while secretly living under your own roof?\r\nThat’s a lot like what it’s like when an attacker compromises your website and quietly installs a malicious web\r\nshell, taking over and executing all kinds of malicious scripts and behavior: your website has been broken into,\r\nhackers have made themselves at home on your server, your bandwidth and storage space have been stolen, and\r\nyou’re none the wiser.\r\nThe Wordfence team has seen thousands of malicious scripts from hackers attempting to compromise the millions\r\nof sites that we protect. But there’s one particularly invasive script that, once it makes its way onto your website,\r\nacts exactly like the burglar in the above scenario, living in your site’s “basement” and allowing the attacker to\r\nwreak havoc almost completely undetected indefinitely: the WSO web shell.\r\nWhat Is a Web Shell?\r\nA web shell is a script that runs on a web server, much like WordPress or any other PHP code. 
It allows the user to\r\ndo things as if they were logged in to the server directly. It’s like a server administration tool: it lets the user view\r\nor edit files, work with databases, and even run programs. Web shells created by hackers usually have additional\r\nmalicious features, such as sending spam or automatically defacing a website.\r\nWeb shells are not inherently a type of attack or an exploit. Rather, they’re a tool used to manipulate a site after\r\nit’s already been broken into. We talk a lot about the different kinds of exploits and why they put your site at risk,\r\nbut the truth is that security vulnerabilities and exploits are merely the first step in any successful hack. The goal is\r\nto break into your website, and then use a script to take over your site and wreak all sorts of havoc via your server.\r\nThat, in a nutshell, is exactly what the WSO web shell does. It takes over your site for the hacker’s own purposes\r\nwithout you ever realizing it’s there.\r\nWhat’s “Special” About WSO?\r\nhttps://www.wordfence.com/blog/2017/06/wso-shell/\r\nPage 1 of 5\n\nWSO is a favorite web shell among hackers because of its particularly powerful set of features.\r\nPassword protection\r\nServer information disclosure\r\nFile management features like uploading, downloading, or editing files, creating directories, browsing\r\nthrough directories, and searching for text in files\r\nCommand-line console\r\nDatabase administration\r\nPHP code execution\r\nEncoding and decoding text input\r\nBrute-force attacks against FTP or database servers\r\nInstallation of a Perl script to act as a more direct backdoor on the server\r\nOnce they’re installed on a website, web shells are notoriously difficult to remove, in large part because hackers\r\noften place multiple copies of a web shell all over a site to try to retain access even if some of their malware is\r\nremoved.\r\nWSO is designed to be used via a web browser, and it has a pretty simple user-friendly 
interface, making it very\r\neasy for any would-be hacker to learn and put to use.\r\nIt seems to strike a good balance between simplicity and capability, since it’s one of the most popular web shells\r\nout there. In fact, despite the simple browser interface, we see a lot of hackers using it simply to execute malicious\r\nPHP code on websites. In theory, that’s something that a hacker could accomplish more easily with a very small\r\namount of code:\r\n\u003c?php eval($_POST['c']); ?\u003e\r\nBut hackers seem to like and trust WSO so much that they want it on their compromised websites anyway.\r\nA whole ecosystem has sprung up in the hacker community around WSO shell, with hackers developing\r\nsecondary tools that support its execution and use. For example, there’s a tool to build a customized version of the\r\nshell with only the features you want.\r\nWe’ve also seen a tool to manage multiple sites infected with it, making it that much easier for even entry-level\r\nhackers to take over a large number of websites relatively easily.\r\nHistory\r\nFor such a ubiquitous tool, WSO’s origins remain something of an unsolved mystery.\r\nWSO apparently stands for “web shell by oRb.” It was first seen in hacker communities between 2008 and 2009.\r\nThe earliest mention we could find was a thread in a Russian hacking forum in January of 2009 by a user named\r\noRb, which the script has since been named after.\r\nThat thread was used to announce a major update to the script, though, so that probably wasn’t the first release of\r\nWSO. But Google searches for “WSO Shell” started to pick up soon after.\r\noRb continued to post updates and new versions of the script until late 2010, when they released version 2.5. That\r\nremains the most popular version, though some hackers have released variations since then (and not always out of\r\naltruism toward other hackers – some releases include hidden code to notify the author where they’re installed,\r\nthereby causing multiple levels of infiltration and damage).\r\nThe WSO shell is widely used by countless hackers all over the world, with the community of users who prefer it\r\nas a web shell growing every day.\r\nIn January of this year, for example, we published research about the ChickenKiev or ‘CK’ botnet, which uses\r\nWSO as part of its operation.\r\nEach new iteration is intended to make it easier and easier for hackers to take over websites and do whatever they\r\nwant after that. The laziness of hackers in this regard can’t be overstated. For example, one of the first lines in the\r\nWSO shell sets the password required to use it:\r\n$auth_pass = \"63a9f0ea7bb98050796b649e85481845\";\r\nSpecifically, this sets the password to the word ‘root.’ Our WAF has blocked hundreds of attempts to upload WSO\r\nto websites we protect – all trying to execute with this simple no-brainer default password.\r\nHow Wordfence Blocks WSO\r\nWe have been monitoring and blocking WSO shell hijacking attempts for some time, and as a direct result, we’ve\r\ndeveloped a few powerful ways of making sure every website we protect is safe from this aggressive invasion.\r\nWordfence protects your site from exploitation using WSO shell in the following ways:\r\nWordfence will detect and block any attempt to upload WSO shell. The Wordfence WAF scans all requests\r\nto your website to look for malicious code using our custom-designed malware signatures, which are\r\ncontinuously updated. The WAF, once installed on your site, will detect any attempt to upload WSO shell –\r\nand immediately block it.\r\nWordfence’s malware scanner will detect the presence of WSO shell on your filesystem if an attacker\r\nmanages to find some other way to install it. You will be instantly alerted if WSO shell is found lurking\r\nanywhere on your server.\r\nWordfence also blocks attempts to run WSO shell commands, so that even if a hacker manages to get past\r\nthe first two defenses, it’s a moot point: WSO shell commands simply won’t work on your site.\r\nHow to Tell If WSO Shell Is Lurking on Your Website\r\nWe have two incredibly easy ways that you can use to determine if WSO shell is secretly lying in wait on your\r\nwebsite:\r\n1. If you have Wordfence installed, simply run a scan. If the results come back clean, you almost\r\ncertainly don’t have WSO shell on your site.\r\n2. If you don’t have Wordfence installed, or if you use another content management system like Joomla or\r\nDrupal, simply use Gravityscan to scan your website. (Important: make sure you have the Gravityscan\r\nAccelerator installed.) Gravityscan will scour your website’s entire filesystem, and your scan results\r\nshould let you know if you have WSO shell installed anywhere.\r\nConclusion\r\nBecause of its low barrier of entry, WSO shell is one of the most popular and most malicious tools used by\r\nhackers to infect websites. Having WSO shell installed on your website can be a dangerous liability for you and your\r\nbusiness.\r\nOf course, the best defense is a good offense, and using Wordfence or Gravityscan, you can not just block and\r\neasily detect its presence and keep your site safe from any would-be attackers – you can also make certain that\r\nthey never break into your “home” on the web in the first place.\r\nSource: https://www.wordfence.com/blog/2017/06/wso-shell/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.wordfence.com/blog/2017/06/wso-shell/"
	],
	"report_names": [
		"wso-shell"
	],
	"threat_actors": [],
	"ts_created_at": 1775490782,
	"ts_updated_at": 1775791264,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b4bf64bd6fdbddaaec018bf159bb3cdfa126e36.pdf",
		"text": "https://archive.orkl.eu/9b4bf64bd6fdbddaaec018bf159bb3cdfa126e36.txt",
		"img": "https://archive.orkl.eu/9b4bf64bd6fdbddaaec018bf159bb3cdfa126e36.jpg"
	}
}