'; } else{ echo ''; } echo 'Hillstone Networks'; } elseif ($_SERVER[HTTP_HOST] == "update1.huaantech.com.cn") { echo ''; echo 'huaantech'; } elseif ($_SERVER[HTTP_HOST] == "update1.dcnetworks.com.cn") { echo ''; echo 'dcnetworks'; } elseif ($_SERVER[HTTP_HOST] == "update1.w-ibeda.com") { if (false===strpos($_SERVER[REQUEST_URI],"/en/")) echo ''; else echo ''; echo 'w-ibeda'; } elseif ($_SERVER[HTTP_HOST] == "update1.hp-telecom.com") { echo ''; echo 'hp-telecom'; } elseif ($_SERVER[HTTP_HOST] == "update1.maipu.com") { echo ''; echo 'Maipu'; } elseif ($_SERVER[HTTP_HOST] == "update1.ncurity.com") { echo ''; echo 'Ncurity'; } elseif ($_SERVER[HTTP_HOST] == "update1.socusnetwork.com") { echo ''; echo 'Socusnetwork'; } else{ echo ''; echo 'Hillstone Networks'; } ?>
 
   
 

RULE(RULE ID:339864)

Rule General Information
Release Date: 2026-03-30
Rule Name: W3D SQL Shell Access Detection
Severity:
CVE ID:
Rule Protection Details
Description: 138shell is a well-known webshell resource repository in the hacking community, providing a variety of PHP-based malicious webshell scripts for remote server control.
Impact: Once a Webshell file is uploaded and executed, attackers can directly take control of the server remotely, steal or tamper with data, and even conduct lateral movement within the internal network.
Affected OS: Windows, Linux, Others
Reference: https://www.threatbook.com/resource/webshell/138shell/
Solutions
Please immediately check the server for the existence of 138shell-related files, delete malicious webshell scripts, and audit server access logs to trace the intrusion source.