How can I quickly find WebBackDoor with millions of files?

If the original comparison information such as snapshot, Hash, and timestamp is not retained, this can only be traversed ......
 
The Method for Determining the file modification time is not advisable because the attacker may greatly modify the file time.
 
If traversal is performed, efficient processing algorithms are critical.
 
If you have Web access logs, You can first filter out some files with zero access traffic, which can greatly reduce the number of files to be traversed, but there is a disadvantage, if it is a trojan in the image inclusion mode, although the image is 0, it is still loaded and executed by other scripts ......
 
However, this disadvantage can be found after keyword matching (to determine all the containing statements in the script and the file suffix included), so the chances of omission is very small and will hardly be missed, all omissions are discarded backdoors. Although they are image suffixes, they do not contain any file, so they cannot be executed. They are discarded and harmless ......
 
In general, I can summarize the following steps:
 
Middle,. mid ......" (Note: When filtering files, you can add an if judgment to determine the deformed backdoors such as special file names and malformed directories. For example:/. asp/a.jpg+a.asp;a.jpg,. asp; jpg, aux. asp, com1.asp ......, It can be directly determined as a backdoor! Keyword matching is not used at all, saving a lot of time ......), Such as non-script suffix files (you can also filter large files), note: it must be a blacklist filter. If you use a whitelist, some files with special paths will be omitted, for example: a.asp;a.jpg,. asp; jpg, file (without a suffix )......, After this suffix filtering operation, we can exclude more than 60%-70% non-script files, or even more (the more gorgeous websites, images, and scripts )...... Www.2cto.com
 
2. If there is a Web access log, as described above, you can analyze the File Access frequency (you can focus on checking files with high access rates) and exclude a large batch of files with zero access volume, most of these files are common library files. Generally, a website contains many files, and only a very small number of files are accessible to foreground users. In this way, a large batch of files can be filtered, there are at least 10%, but this has a defect. First, if the log is large, analysis will consume a lot of time and some contained backdoors may be missed. Use this method as needed.
 
3. After the above processing, only about 10%-20% of the remaining files need to be processed, that is, more than 0.1 million files (after the Win7 flagship version is installed, there are about more than 60 thousand files on the C drive, this is not much). You can perform keyword matching by reading one key. If your keyword matching algorithm is better, it will not take a long time.
 
4. Other filtering algorithms.
 
Wait for other advanced solutions ......

Author's core attack