Author: shandao
Webshells need no introduction: intrusions everywhere, past and present, rely on them. If your site stands a good chance of being hacked, this is where the real damage comes from. On to the topic.
First, from the attacker's side: once a site has been compromised there will be a backdoor. The mainstream today is asp and php, both available in "undetectable" (anti-virus-evading) variants; aspx is still relatively rare. I will skip the evasion part itself.
1. Once on the site, check the directory permissions: can it write, and can it cross directories?
2. Check the admin, data, inc, upload and other directories for anything out of place, as well as the site root, which few people look at directly.
Image files are not a problem by default on win2000, but on win2003 with IIS6 they are: an uploaded "image" can be parsed directly as script and executed, which is how a webshell gets in. A dynamic page can also carry a one-line backdoor for command submission, or the uploaded file can be executed through the include method. Backdoors planted this way are the ones scanners do not find.
Okay, now briefly from the bright side, the webmaster's view. A site with no access problems does not mean it has no problems: a 0day, a code vulnerability, injection, XSS or an nc upload can get a webshell onto the site in minutes.
1. The basic method is the one mentioned above: run a shell scanner and compare the files against the old backup. If there is no backup, it doesn't matter: list the most recently modified files and read the code with Dreamweaver. The experts generally use the same approach for vulnerability hunting, haha.
2. Pages must be protected against injection, the user account's permissions limited, and script execution per directory restricted. In general: prohibit execution in the upload and image directories, prohibit writes to other directories, and delete wscript and cmd unless the site itself needs them. Rename the management back-end and restrict it to a network segment, so only the user's fixed IP address can log in to the back-end.
3. If the website uses an editor such as eWebEditor or FCKeditor, delete everything that is not needed: remove the editor's back-end login page, give the editor's back-end administrator account a complex password, remove the ability to upload the asa, asp, aspx and php suffixes, and set the database to read-only.
4. Check for the suspicious file-inclusion vulnerability mentioned above: it can include the uploaded code and run it, looking like this: index?id=nhs8.com to reach the uploaded file.
5. Back up frequently, upgrade the web program, scan, and review the logs.
In this way most intrusions can be blocked, unless the webshell is hidden to an extreme degree: the file name and last-modification time are changed, an include-based backdoor is redirected to a system page, and the backdoor itself is specially encrypted.
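Steps 1 and 2 above (compare the site against the backup, and never allow script suffixes in the upload directory) can be automated. The following is an added example, not code from the original post: it hashes a site tree into a manifest, diffs it against the backup manifest, and flags script-type names under the watched directories, including the double-suffix and `asp;.jpg` forms that IIS6 parses as script. The directory names and the constructed site tree in `demo()` are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes the post says must never be executable from an upload directory.
SCRIPT_EXTS = {"asp", "asa", "aspx", "php"}
# Directories the post singles out for inspection (assumed site layout).
WATCH_DIRS = {"upload", "images", "inc", "data", "admin"}

def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_manifests(baseline, current):
    """Files added, removed or changed since the backup manifest was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }

def suspicious_names(manifest):
    """Script-type files under a watched directory. Every dotted token after the
    first is checked, so 'a.jpg.asp' and 'a.asp;.jpg' (IIS6 trick) are both hit."""
    hits = []
    for rel in manifest:
        parts = rel.lower().split("/")
        if len(parts) < 2 or parts[0] not in WATCH_DIRS:
            continue
        tokens = [t.split(";")[0] for t in parts[-1].split(".")[1:]]
        if any(t in SCRIPT_EXTS for t in tokens):
            hits.append(rel)
    return sorted(hits)

def demo():
    """Constructed site tree: take a clean baseline, then plant a fake shell."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        (site / "upload").mkdir()
        (site / "index.asp").write_text("<!-- home page -->")
        (site / "upload" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        baseline = build_manifest(site)  # the "old backup" of the post
        # placeholder content only: detection here is by name and hash
        (site / "upload" / "photo.asp;.jpg").write_text("placeholder backdoor")
        (site / "index.asp").write_text("<!-- home page, now modified -->")
        current = build_manifest(site)
        return diff_manifests(baseline, current), suspicious_names(current)
```

Store the baseline manifest off the server alongside the backup; an attacker who alters modification times cannot change the stored hashes.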