{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T17:13:33Z","timestamp":1772039613653,"version":"3.50.1"},"publisher-location":"Republic and Canton of Geneva, Switzerland","reference-count":37,"publisher":"International World Wide Web Conferences Steering Committee","license":[{"start":{"date-parts":[[2016,4,11]],"date-time":"2016-04-11T00:00:00Z","timestamp":1460332800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Science Foundation (NSF)","award":["CNS-1527086"],"award-info":[{"award-number":["CNS-1527086"]}]},{"name":"Office of Naval Research (ONR)","award":["N00014-16-1-2264"],"award-info":[{"award-number":["N00014-16-1-2264"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2016,4,11]]},"DOI":"10.1145\/2872427.2882992","type":"proceedings-article","created":{"date-parts":[[2017,1,23]],"date-time":"2017-01-23T20:35:52Z","timestamp":1485203752000},"page":"1021-1032","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":43,"title":["No Honor Among Thieves"],"prefix":"10.1145","author":[{"given":"Oleksii","family":"Starov","sequence":"first","affiliation":[{"name":"Stony Brook University, Stony Brook, NY, USA"}]},{"given":"Johannes","family":"Dahse","sequence":"additional","affiliation":[{"name":"Ruhr-University Bochum, Bochum, Germany"}]},{"given":"Syed Sharique","family":"Ahmad","sequence":"additional","affiliation":[{"name":"Stony Brook University, Stony Brook, NY, USA"}]},{"given":"Thorsten","family":"Holz","sequence":"additional","affiliation":[{"name":"Ruhr-University Bochum, Bochum, Germany"}]},{"given":"Nick","family":"Nikiforakis","sequence":"additional","affiliation":[{"name":"Stony Brook University, Stony Brook, NY, USA"}]}],"member":"320","published-online":{"date-parts":[[2016,4,11]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"JohnTroony's php-webshells repository. https:\/\/github.com\/JohnTroony\/php-webshells.  JohnTroony's php-webshells repository. https:\/\/github.com\/JohnTroony\/php-webshells."},{"key":"e_1_3_2_1_2_1","unstructured":"Nikicat's web-malware-collection repository. https:\/\/github.com\/nikicat\/web-malware-collection\/tree\/master\/Backdoors\/PHP.  Nikicat's web-malware-collection repository. https:\/\/github.com\/nikicat\/web-malware-collection\/tree\/master\/Backdoors\/PHP."},{"key":"e_1_3_2_1_3_1","unstructured":"Tennc's webshell repository. https:\/\/github.com\/tennc\/webshell\/.  Tennc's webshell repository. https:\/\/github.com\/tennc\/webshell\/."},{"key":"e_1_3_2_1_4_1","unstructured":"UnPHP the Online PHP Decoder. http:\/\/www.unphp.net\/.  UnPHP the Online PHP Decoder. http:\/\/www.unphp.net\/."},{"key":"e_1_3_2_1_5_1","unstructured":"Web Shells and RFIs Collection. http:\/\/www.irongeek.com\/i.php?page=webshells-and-rfis.  Web Shells and RFIs Collection. http:\/\/www.irongeek.com\/i.php?page=webshells-and-rfis."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/1177080.1177086"},{"key":"e_1_3_2_1_7_1","volume-title":"Moss: A system for detecting software plagiarism","author":"Aiken A.","year":"2005"},{"key":"e_1_3_2_1_8_1","volume-title":"Proceedings of the 23rd USENIX Security Symposium","author":"Alrwais S.","year":"2014"},{"key":"e_1_3_2_1_9_1","unstructured":"VirusTotal. https:\/\/www.virustotal.com\/.  VirusTotal. https:\/\/www.virustotal.com\/."},{"key":"e_1_3_2_1_10_1","unstructured":"A. Brandt. Malicious PHP Scripts on the Rise. http:\/\/www.webroot.com\/blog\/2011\/02\/22\/malicious-php-scripts-on-the-rise\/.  A. Brandt. Malicious PHP Scripts on the Rise. http:\/\/www.webroot.com\/blog\/2011\/02\/22\/malicious-php-scripts-on-the-rise\/."},{"key":"e_1_3_2_1_11_1","volume-title":"20th Annual Network & Distributed System Security Symposium (NDSS)","author":"Canali D.","year":"2013"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2488388.2488405"},{"key":"e_1_3_2_1_13_1","first-page":"1","volume-title":"Proceedings of the 2Nd Conference on USENIX Workshop on Offensive Technologies (WOOT)","author":"Cova M.","year":"2008"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23262"},{"key":"e_1_3_2_1_15_1","unstructured":"Google Hacking Database (GHDB). https:\/\/www.exploit-db.com\/google-hacking-database\/.  Google Hacking Database (GHDB). https:\/\/www.exploit-db.com\/google-hacking-database\/."},{"key":"e_1_3_2_1_16_1","volume-title":"Manuscript","author":"Englehardt S.","year":"2015"},{"key":"e_1_3_2_1_17_1","volume-title":"Malware Lateral Movement: A Primer. https:\/\/www.fireeye.com\/blog\/executive-perspective\/2015\/08\/malware_lateral_move.html","author":"Holmes C.","year":"2015"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2005.58"},{"key":"e_1_3_2_1_19_1","volume-title":"The Domain Game: How People Get Rich from Internet Domain Names","author":"Kesmodel D.","year":"2008"},{"key":"e_1_3_2_1_20_1","volume-title":"Journal of Information Processing Systems (JIPS)","author":"Kim J.","year":"2015"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2006.06.015"},{"key":"e_1_3_2_1_22_1","volume-title":"http:\/\/web.archive.org\/web\/20120722073150\/http:\/\/ddos.arbornetworks.com\/2008\/04\/netbot-attacker-anti-cnn-tool\/","author":"Nazario J.","year":"2008"},{"key":"e_1_3_2_1_23_1","unstructured":"NeoPI: Detection of web shells using statistical methods. https:\/\/github.com\/Neohapsis\/NeoPI.  NeoPI: Detection of web shells using statistical methods. https:\/\/github.com\/Neohapsis\/NeoPI."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382274"},{"key":"e_1_3_2_1_25_1","unstructured":"OWASP\n   : Testing for Local File Inclusion. https:\/\/www.owasp.org\/index.php\/Testing_for_Local_File_Inclusion.  OWASP : Testing for Local File Inclusion. https:\/\/www.owasp.org\/index.php\/Testing_for_Local_File_Inclusion."},{"key":"e_1_3_2_1_26_1","unstructured":"OWASP\n   : Testing for Remote File Inclusion. https:\/\/www.owasp.org\/index.php\/Testing_for_Remote_File_Inclusion.  OWASP : Testing for Remote File Inclusion. https:\/\/www.owasp.org\/index.php\/Testing_for_Remote_File_Inclusion."},{"key":"e_1_3_2_1_27_1","unstructured":"OWASP\n   : Unrestricted File Upload. https:\/\/www.owasp.org\/index.php\/Unrestricted_File_Upload.  OWASP : Unrestricted File Upload. https:\/\/www.owasp.org\/index.php\/Unrestricted_File_Upload."},{"key":"e_1_3_2_1_28_1","unstructured":"PHP\n  : runkit Functions - Manual. http:\/\/php.net\/manual\/en\/ref.runkit.php.  PHP: runkit Functions - Manual. http:\/\/php.net\/manual\/en\/ref.runkit.php."},{"key":"e_1_3_2_1_29_1","unstructured":"PHP\n  : Using Register Globals - Manual. http:\/\/php.net\/manual\/en\/security.globals.php.  PHP: Using Register Globals - Manual. http:\/\/php.net\/manual\/en\/security.globals.php."},{"key":"e_1_3_2_1_30_1","unstructured":"R-fx Networks. Linux Malware Detect. https:\/\/www.rfxn.com\/projects\/linux-malware-detect\/.  R-fx Networks. Linux Malware Detect. https:\/\/www.rfxn.com\/projects\/linux-malware-detect\/."},{"key":"e_1_3_2_1_31_1","unstructured":"R57 Shell | C99 Shell | Shell | TXT Shell | R57.php | c99.php | r57shell.net. http:\/\/www.r57shell.net\/.  R57 Shell | C99 Shell | Shell | TXT Shell | R57.php | c99.php | r57shell.net. http:\/\/www.r57shell.net\/."},{"key":"e_1_3_2_1_32_1","unstructured":"Web Shell Detector. http:\/\/www.shelldetector.com\/.  Web Shell Detector. http:\/\/www.shelldetector.com\/."},{"key":"e_1_3_2_1_33_1","unstructured":"Webserver Malware Scanner. http:\/\/sourceforge.net\/projects\/smscanner\/.  Webserver Malware Scanner. http:\/\/sourceforge.net\/projects\/smscanner\/."},{"key":"e_1_3_2_1_34_1","volume-title":"http:\/\/www.emposha.com\/security\/php-shell-detector-web-shell-detection-tool.html","author":"Shell PHP","year":"2011"},{"key":"e_1_3_2_1_35_1","unstructured":"M. Stowe. PHP Malicious Code Scanner. http:\/\/www.mikestowe.com\/2010\/10\/php-malicious-code-scanner.php.  M. Stowe. PHP Malicious Code Scanner. http:\/\/www.mikestowe.com\/2010\/10\/php-malicious-code-scanner.php."},{"key":"e_1_3_2_1_36_1","unstructured":"H. Sverre. c99.php - phpshell. https:\/\/helgesverre.com\/c99.php.  H. Sverre. c99.php - phpshell. https:\/\/helgesverre.com\/c99.php."},{"key":"e_1_3_2_1_37_1","first-page":"1","volume-title":"Communication and Networking Technologies (ICCCNT), 2014 International Conference on","author":"Tu T. D.","year":"2014"}],"event":{"name":"WWW '16: 25th International World Wide Web Conference","location":"Montr\u00e9al Qu\u00e9bec Canada","acronym":"WWW '16","sponsor":["IW3C2 International World Wide Web Conference Committee","SIGWEB ACM Special Interest Group on Hypertext, Hypermedia, and Web"]},"container-title":["Proceedings of the 25th International Conference on World Wide Web"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2872427.2882992","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2872427.2882992","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:39:05Z","timestamp":1750221545000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2872427.2882992"}},"subtitle":["A Large-Scale Analysis of Malicious Web Shells"],"short-title":[],"issued":{"date-parts":[[2016,4,11]]},"references-count":37,"alternative-id":["10.1145\/2872427.2882992","10.5555\/2872427"],"URL":"https:\/\/doi.org\/10.1145\/2872427.2882992","relation":{},"subject":[],"published":{"date-parts":[[2016,4,11]]},"assertion":[{"value":"2016-04-11","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}