WSO (Web Shell by oRb) is a popular PHP-based web shell used for remote administration and control of web servers. Although designed for system administrators and developers, it can be exploited by malicious users.

June 22, 2017 - The earliest mention we could find was a thread in a Russian hacking forum in January of 2009 by a user named oRb, which the script has since been named after. That thread was used to announce a major update to the script, though, so that probably wasn’t the first release of WSO. But Google searches for “WSO Shell” started to pick up soon after.

Web Shell by oRb · This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.

You will find once a hacker has exploited a vulnerability and imbedded their own web shell they will go ahead and patch the vulnerability to prevent others from following their steps · The password protection works by using a simple HTTP password authentication.

November 22, 2023 - WSO, short for "web shell by oRb," is a well-established web shell that has been present for a minimum of 14 years.

May 25, 2022 - This form of web shell is a PHP script and is generally obfuscated using simple techniques like string replacement, gzip, and Base64. This form of web shell avoids web crawlers from search engines like Google, Yahoo, Bing, and more.

August 9, 2017 - WSO – Stands for “web shell by orb” and has the ability to masquerade as an error page containing a hidden login form.

WSO – Stands for “web shell by orb” and has the ability to masquerade as an error page · containing a hidden login form.  · C99 – A version of the WSO shell with additional functionality. Can display the server’s · security measures and contains a self-delete function.

July 14, 2025 - WSO – Stands for “web shell by orb” and has the ability to masquerade as an error page containing a hidden login form.

October 15, 2020 - Some of the better-known include b374k (a PHP web shell), WSO (short for Web Shell by Orb), and the advanced China Chopper web shell (commonly used in attacks originating from China).

May 17, 2017 - An example of the hugely popular and feature-rich WSO (Web Shell by Orb) shell.

August 31, 2025 - WSO (Web Shell by Orb) is a widely used PHP-based web shell that provides attackers with a full suite of post-exploitation capabilities.

April 8, 2024 - The forum thread’s title was PAS (php web-shell) but the shell’s code refers to it as P.A.S., so we can speculate that it’s likely an acronym relating to PHP Web Shell. For example, the popular web shell WSO is an acronym for Web Shell by Orb.

May 18, 2017 - An example of the hugely popular and feature-rich WSO (Web Shell by Orb) shell.

Web shell by orb (WSO) continues to be the most prolific open source web shell by mentions, primarily because variants are posted to paste sites weekly.

July 23, 2025 - WSO (Web Shell by Orb): Common in compromised WordPress installations.

March 16, 2018 - up near top @define(‘WSO_VERSION’, ‘2.5’); indicates it uses WSO, Web Shell something “WSO (web shell by oRb) is a PHP shell backdoor that provide an interface for various remote operations.

We cannot provide a description for this page right now

WSO (sometimes "FilesMan") is a PHP program appearing in compromised WordPress installations. "WSO" stands for "Web Shell by Orb", a comment that appears in many variants' source code.

August 14, 2010 - Web Shell by oRb malware - Hello, I have a major security flaw in one of my vps. There was some injection attempt couple of days ago while a process was running This w