During a regular analysis of a WordPress website for a new user, I noticed a file named wp-blogs.php in the public_html folder.
As an experienced WordPress user, the name itself drew attention, as I do not recall ever seeing a file called wp-blogs.php in WordPress core.
After opening the file it’s obvious that it is NOT part of WordPress CMS.
Same as the LeafMailer PHP Script or the WSO Shell – this script is NOT detected by ConfigServer eXploit Scanner (cxs) but Imunify360 DOES detect it!
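The name check that exposed wp-blogs.php can be scripted for any docroot. This is an added example, not part of the original post: the function name and the LOOKALIKE/UNKNOWN labels are made up for illustration, and the allowlist assumes a stock WordPress install with no extra root-level PHP files added by the host or a plugin.

```shell
#!/bin/sh
# Added example: list PHP files in the top level of a WordPress docroot whose
# names are not root-level files of a stock WordPress install.

# Root-level PHP files of stock WordPress (wp-config.php is created at install
# time). Assumption: nothing else legitimate lives here; extend as needed.
CORE_ROOT_FILES="index.php wp-activate.php wp-blog-header.php
wp-comments-post.php wp-config.php wp-config-sample.php wp-cron.php
wp-links-opml.php wp-load.php wp-login.php wp-mail.php wp-settings.php
wp-signup.php wp-trackback.php xmlrpc.php"

# Prints one line per unexpected file: "<LABEL> <path>"
#   LOOKALIKE  borrows the core "wp-" prefix (the wp-blogs.php case)
#   UNKNOWN    any other non-core PHP file in the docroot
find_noncore_root_php() {
    docroot="$1"
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 2; }
    # -maxdepth 1: names are only meaningful in the docroot itself; files in
    # wp-admin/ and wp-includes/ need a checksum comparison, not a name check.
    find "$docroot" -maxdepth 1 -type f -iname '*.php' | sort |
    while IFS= read -r path; do
        name=${path##*/}
        # Exact whole-line match, so "wp-login.php.php" is not treated as core.
        if printf '%s\n' $CORE_ROOT_FILES | grep -Fxq -- "$name"; then
            continue
        fi
        case "$name" in
            [Ww][Pp]-*) label=LOOKALIKE ;;
            *)          label=UNKNOWN ;;
        esac
        printf '%s %s\n' "$label" "$path"
    done
}

# Usage: sh check.sh /home/USER/public_html   (path is a placeholder)
[ "$#" -eq 0 ] || find_noncore_root_php "$1"
```

A hit is only a lead: the flagged file still has to be opened and reviewed, as was done with wp-blogs.php here.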
The script itself doesn’t even deserve to be called a web shell as it provides no option to execute any arbitrary commands.
It provides a pretty basic file manager and some server information, but that’s pretty much it.
![File manager of the Spade Mini Shell](https://i0.wp.com/pcx3.com/wp-content/uploads/2021/02/SPADE-SHELL.png?resize=736%2C374&ssl=1)
A notable feature is the Kill Me link, which tries to remove the script itself and prints the message "Sayonara Suckers!"
The file editor is also spartan:
![File Editor from the Spade Mini Shell](https://i0.wp.com/pcx3.com/wp-content/uploads/2021/02/FILE-EDITOR-1024x520.png?resize=736%2C374&ssl=1)
The system information page gives a lot of useful information:
![System information from Spade Mini Shell](https://i0.wp.com/pcx3.com/wp-content/uploads/2021/02/SYSTEM-INFO.png?resize=736%2C371&ssl=1)
A lot of links in the code are loaded from the now-expired domain name xbox.nu which at the time when this script was uploaded looked like this: