Original address: http://www.freebuf.com/articles/others-articles/71604.html
(The original article focuses on detecting spy-type Webshells: the first part introduces the traditional Webshell detection methods, then identifies their shortcomings and proposes a new method aimed at spy-type Webshells. This translation mainly covers the introduction of the traditional methods.)
At present, Webshell detection is usually done in one of two ways: static detection, which compares file contents against known features and looks for anomalous file attributes, and dynamic detection, which looks at access patterns and runtime behaviour.
I. Traditional and existing detection methods
1. Static Detection
Static feature detection correlates features of a script file such as keywords, high-risk functions, file modification time, file permissions and file owner. First, a library of malicious string features is built, for example keyword patterns such as "group-dedicated trojan | privilege escalation | trojan | php\s reverse-connect privilege escalation cmd execution" and high-risk functions such as Wscript.Shell, Shell.Application, Eval(), Execute(), Set Server, Run(), Exec() and ShellExecute(). The Web file's modification time, permissions and owner are also checked. Normal Web files usually do not contain these features, so high-risk script files are found by comparing files against the feature library and by looking for attribute anomalies.
Advantages of this method: fast detection and fast localisation of the offending file.
Disadvantages: it produces false positives easily and cannot detect encrypted or specially processed Webshell files. In particular, spy-type Webshells cannot be detected accurately, because they typically share the characteristics of normal Web script files.
2. Dynamic Detection
Dynamic feature detection assesses the threat level of an action from the system commands a Webshell issues at runtime, or from anomalies in network traffic and state; Webshells are usually encrypted precisely to evade static feature detection. When a Webshell runs it must send system commands to the operating system in order to control the system or operate on the database, so a detection system that monitors, and even intercepts, the execution of those commands can inspect the security of the script in depth from its behaviour pattern.
Advantages: can be deployed across a site cluster, and has some ability to detect new script variants.
Disadvantages: backdoors built for one specific purpose are hard to detect, and the method is difficult to implement.
3. Log Analysis
A Webshell in use generally leaves no record in the system log, but it does leave access records and data submission records for the Webshell page in the Web site's Web log. Log analysis detection builds a request model from a large number of log files in order to detect anomalous files; this is called HTTP anomalous-request model detection. Examples of anomalies: a page that is normally requested with GET receives POST requests answered with return code 200, the set of visitor IPs for a page, access times that are regular, and so on.
Advantages: with a suitable data analysis method, and for a site whose access volume reaches a certain level, the results of this detection method have considerable reference value.
Disadvantages: there is a certain false-positive rate, and for large volumes of access logs the processing capacity and efficiency of the detection tool are relatively low.
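As an added example (not code from the original article), a small Python model of the HTTP anomalous-request detection described above: it parses constructed access-log lines, builds a per-path profile of visitor IPs, POSTs answered 200 and request times, and flags a path that only ever receives POSTs from a single address at a steady interval. All IPs, paths and thresholds are constructed for the sample.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (documentation IP ranges, not real traffic): a normal
# page with GET visitors, a login form, and a page that only receives one-a-minute POSTs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2015:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 5123
203.0.113.17 - - [10/Mar/2015:10:01:30 +0800] "GET /index.php?page=2 HTTP/1.1" 200 5187
203.0.113.22 - - [10/Mar/2015:10:02:44 +0800] "POST /login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Mar/2015:10:05:00 +0800] "POST /uploads/cache.php HTTP/1.1" 200 412
198.51.100.7 - - [10/Mar/2015:10:06:00 +0800] "POST /uploads/cache.php HTTP/1.1" 200 418
198.51.100.7 - - [10/Mar/2015:10:07:00 +0800] "POST /uploads/cache.php HTTP/1.1" 200 409
198.51.100.7 - - [10/Mar/2015:10:08:00 +0800] "POST /uploads/cache.php HTTP/1.1" 200 415
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_log(text):
    """Yield (ip, time, method, path, status) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, url, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield ip, when, method, url.split("?", 1)[0], int(status)

def profile_paths(text):
    """Per-path request model: distinct visitor IPs, POSTs answered 200, timestamps."""
    paths = defaultdict(lambda: {"ips": set(), "post_ok": 0, "times": []})
    for ip, when, method, path, status in parse_log(text):
        p = paths[path]
        p["ips"].add(ip)
        p["post_ok"] += int(method == "POST" and status == 200)
        p["times"].append(when)
    return paths

def anomalous_paths(text, max_ips=1, min_post_ok=3, max_jitter=0.1):
    """Paths that match the anomalous-request model, with the reasons that fired."""
    findings = {}
    for path, p in profile_paths(text).items():
        reasons = []
        if len(p["ips"]) <= max_ips and p["post_ok"] >= min_post_ok:
            reasons.append("single-visitor POSTs answered 200")
        gaps = [(b - a).total_seconds() for a, b in zip(p["times"], p["times"][1:])]
        if len(gaps) >= 3 and statistics.pstdev(gaps) <= max_jitter * statistics.mean(gaps):
            reasons.append("regular request interval")
        if reasons:
            findings[path] = reasons
    return findings
```

On the sample, only /uploads/cache.php matches: two visitors reach /index.php and the login POST is answered 302, so neither trips the model.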
4. Statistics
One of the most widely used methods in Webshell backdoor detection is the statistical approach. NeoPI is a popular statistics-based Webshell backdoor detection tool that uses five statistical methods to search script files for potentially obfuscated or encoded malicious code.
NeoPI uses the following five detection methods:
* Information Entropy (Entropy): measures the uncertainty of a file's contents using the ASCII character table;
* Longest Word (LongestWord): the longest string in the file, which may be encoded or obfuscated;
* Index of Coincidence (IndexOfCoincidence): a low index of coincidence indicates that the file's code is potentially encrypted or obfuscated;
* Signature (Signature): searches the file for known malicious code string fragments;
* Compression (Compression): compares the compression ratio of the file.
This detection method also has an obvious weakness. NeoPI's detection focuses on identifying obfuscated code, so it performs well on obfuscated or scrambled Trojans, but non-obfuscated code is largely transparent to its detection mechanism. If the malicious code is integrated into another script on the system, such a "normal"-looking file will most likely not be recognised by NeoPI.
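As an added illustration (not NeoPI's own code), a Python sketch of the five tests above run over two constructed files: a plain PHP page and a stand-in for an encoded backdoor whose blob is only hash bytes. The thresholds are assumptions tuned to the samples, not NeoPI's, which ranks files relative to each other; the plain file trips none of them, which is the weakness just described.

```python
import base64
import hashlib
import math
import re
import zlib
from collections import Counter
# Constructed samples, not real files: a plain PHP page and a stand-in for an
# encoded backdoor whose blob is only hash bytes, so it decodes to nothing useful.
PLAIN_SCRIPT = b"""<?php
// Render the order history for the signed-in customer.
$conn = mysqli_connect($host, $user, $pass, $db);
$rows = mysqli_query($conn, "SELECT id, name, total FROM orders WHERE customer = 1");
echo "<p>The orders placed on this account are listed below.</p>";
echo "<li>" . htmlspecialchars($rows['name']) . "</li>";
"""
_BLOB = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4)))
ENCODED_SCRIPT = b'<?php\n$s = "' + _BLOB + b'";\neval(base64_decode($s));\n'
# Signature strings taken from the feature-library examples given in the text.
SIGNATURES = ["wscript.shell", "shell.application", "eval(", "execute(",
              "set server", "run(", "exec(", "shellexecute("]

def entropy(data):
    """Shannon entropy in bits per byte; encoded or encrypted data approaches 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def longest_word(data):
    """Longest run of identifier or base64 characters; encoded payloads run long."""
    return max((len(w) for w in re.findall(rb"[A-Za-z0-9+/=_]+", data)), default=0)

def index_of_coincidence(data):
    """IC over letters only: about 0.065 for English, about 0.038 for uniform noise."""
    counts = Counter(re.findall(rb"[a-z]", data.lower()))
    n = sum(counts.values())
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1)) if n > 1 else 0.0

def compression_ratio(data):
    """Compressed size over original size; random-looking data stays near 1.0."""
    return len(zlib.compress(data, 9)) / len(data)

def signature_hits(data):
    """Case-insensitive count of the known high-risk strings."""
    return sum(data.lower().count(s.encode()) for s in SIGNATURES)

def fired_tests(data):
    """Names of the five tests whose thresholds (assumed, tuned to the samples) trip."""
    checks = {"entropy": entropy(data) > 5.2, "longest_word": longest_word(data) > 40,
              "index_of_coincidence": index_of_coincidence(data) < 0.05,
              "compression": compression_ratio(data) > 0.9, "signature": signature_hits(data) > 0}
    return [name for name, hit in checks.items() if hit]
```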
II. Shortcomings of traditional detection methods
Existing techniques target common script backdoors whose purpose is to control the server; such backdoors usually contain fairly obvious static features or behaviour patterns, and the techniques cannot effectively detect spy-type backdoors.
The properties of Web script files often change because business systems are updated frequently, so methods that rely on file attribute detection tend to generate more false positives.
Methods based on dynamic behaviour detection are often technically demanding and hard to implement, and they impose a large performance cost on the system, possibly even affecting its stability.
Log-based detection methods have two problems. On one hand, as business functions grow more complex, some functions may be rarely used, and their log entries may hit detection rules and produce more false positives; on the other hand, processing a large volume of logs burdens the server's performance, and because of the huge log volume the detection process is time-consuming and slow. Moreover, a spy-type Webshell backdoor often mimics normal database operations: it has no obvious static attributes, receives few visits and therefore forms no obvious access pattern, so it is difficult to discover through log analysis as well.