404.php Webshell backdoor is a sneaky one, if an admin views the php page it will look as if the file is not there and benign: The secret trick to logging into the shell is hitting the tab button and a little prompt will appear where you type in your password to access the shell:   And then we login:     Here is what the network traffic it generates looks like:   017-01-20 02:34:21.437548 IP 192.168.1.102.53294 > 192.168.1.100.55555: Flags [P.], seq 703:1125, ack 1011, win 2049, length 422 E…..@…e….f…d…..w….{.P…….GET /404.php HTTP/1.1 Host: 192.168.1.100:55555 Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 […]