Provided by: neopi_0.0+git20120821.9ffff8-6_all
neopi - web shell code detection
neopi [options] <dir> [regex]
This manual page documents briefly the neopi command. neopi is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code. The development focus of NeoPI was creating a tool that could be used in conjunction with other established detection methods such as Linux Malware Detect or traditional signature/keyword based searches. NeoPI recursively scans through the file system from a base directory and will rank files based on the results of a number of tests. It also presents a “general” score derived from file rankings within the individual tests.
The program follows the usual GNU command line syntax, with long options starting with two dashes (`-'). A summary of options is included below. -v, --version Show version of program. -h, --help Show summary of options. -C FILECSV, --csv=FILECSV Generates a CSV output to FILECSV containing the results of the scan. -a, --all Run all tests including entropy, longest word, and index of coincidence. This is the recommended way of running neopi. -e, --entropy Run only the entropy test. -l, --longestword Run only the longestword test. -c, --ic Run only the Index Coincidence test. -A, --auto This flag runs an auto generated regular expression that contains many common web application file extensions. This list is by no means comprehensive but does include a good ‘best effort’ scan if you are unsure of what web application languages your server is running. Current list of included extensions: php, asp, aspx, sh, bash, zsh, csh, tsch, pl, py, txt, cgi, cfm
neopi -C scan1.csv -a -A /var/www/ neopi -a /tmp/phpbb "php|txt" neopi -a -A /var/www/html/
neopi authors are Ben Hagen <email@example.com> and Scott Behrens <firstname.lastname@example.org>. This man page was written by Arturo Borrero Gonzalez <email@example.com> for the Debian GNU/Linux distribution (but it may be used by others). Oct 11, 2016 NEOPI(1)