Abstract: WebShell is a common webpage back door, which can be used by attackers to obtain Web server permissions. The realization mechanism of Linux WebShell is analyzed, the common characteristics and the characteristic mixed method are described in this paper. On this basis, a detection method based on SVM classiifer is put forward and realized. From three aspects of accuracy, speciifcity and sensitivity, the WebShell detection methods individually based on SVM classiifer, characteristic matching and decision tree are compared. The experimental result shows that the method proposed in this paper can detect WebShell accurately and efifciently.