Web Protection-Webshell attack detection "reprint"

Source: Internet
Author: User
Tags: ftp, file

Original: http://www.2cto.com/Article/201511/451757.html

1. What is a Webshell?

Software built on the B/S (browser/server) architecture is deployed on the Internet, so its security has to be a concern: attackers can attack it in many ways to gain control of the system, and the Webshell is one of the most common. A Webshell is an ASP, PHP or JSP program file that an attacker has planted on a compromised website. After breaking into a web system, the attacker usually drops these ASP, PHP or JSP backdoor files into the web server's document root, mixed in with the site's legitimate files. The attacker can then reach the backdoor through ordinary web requests and use it to control the server: create, modify and delete files, upload and download files, browse the database, run arbitrary commands, and so on. Webshell attacks apply to every system built on the B/S model, including websites, OA (www.chysoft.net), CRM and ERP systems.

2. Classification of Webshells

The usual Chinese shorthand distinguishes three kinds: the "big horse" (大马, a full-featured webshell with a file manager, command execution and database tools), the "pony" (小马, a minimal uploader whose only job is to get the big horse onto the server), and the "one-word horse" (一句话木马, a one-line webshell that evaluates whatever a client program sends it).

2.1 Uploading a "big horse"

In this method the attacker uploads the Webshell file directly in a POST request, or wraps it in some way and uploads it to the server. The following IIS access log entry is an example:

2009-02-10 06:32:58 w3svc77065997 XXXX.XXXX.XXXX.XXXX POST /lesson_manage/upload/40/asp.asp - 80 - xxxx.xxxx.xxxx.xxxx mozilla/4.0+compatible;+msie+6.0; 200 0 0

Several key features stand out in this record: the method is POST, the target is a script file (asp.asp) sitting under an upload directory, and the server answered 200. Taken together these make asp.asp a suspected Webshell.
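The following is an added example, not code from the original article: it parses IIS W3C log lines of the kind shown above and scores each script URI on the three signals the paragraph names (script file under an upload directory, successful POST requests, and a single client touching it). It also covers the log-based engine described in section 3. The log excerpt is constructed for the example, and the path patterns, score weights and threshold are assumptions to be tuned per site.

```python
import re
from collections import defaultdict

# Server-side script extensions that have no business inside an upload directory
SCRIPT_EXT = re.compile(r"\.(asp|aspx|asa|cer|cdx|php\d?|phtml|jsp|jspx)$", re.I)
# Path components that typically hold user-supplied files (assumed list, extend per site)
UPLOAD_DIR = re.compile(r"/(upload|uploads|attach|attachments|files|images)/", re.I)

# Constructed IIS W3C log excerpt (not a real capture). Field order and the '+' in
# place of spaces in the User-Agent follow the IIS W3C extended log format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-02-10 06:30:01 W3SVC77065997 10.0.0.5 GET /index.asp - 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2009-02-10 06:31:15 W3SVC77065997 10.0.0.5 GET /index.asp - 80 - 198.51.100.2 Mozilla/5.0 200 0 0
2009-02-10 06:32:58 W3SVC77065997 10.0.0.5 POST /lesson_manage/upload/40/asp.asp - 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2009-02-10 06:33:10 W3SVC77065997 10.0.0.5 POST /lesson_manage/upload/40/asp.asp - 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2009-02-10 06:35:42 W3SVC77065997 10.0.0.5 GET /lesson_manage/upload/40/photo.jpg - 80 - 198.51.100.2 Mozilla/5.0 200 0 0
2009-02-10 06:40:00 W3SVC77065997 10.0.0.5 POST /lesson_manage/login.asp - 80 - 198.51.100.2 Mozilla/5.0 302 0 0
"""


def parse_w3c(text):
    """Parse IIS W3C extended log text into a list of dicts keyed by field name."""
    fields, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the log declares its own field order
            continue
        if line.startswith("#"):
            continue                       # other directives (#Software, #Date, ...)
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue                       # cannot map this line onto the declared fields
        rows.append(dict(zip(fields, parts)))
    return rows


def find_suspects(rows, min_score=2):
    """Score every script URI seen in the log and return those at or above min_score."""
    per_uri = defaultdict(lambda: {"hits": 0, "posts": 0, "ips": set(), "first_seen": None})
    for e in rows:
        uri = e["cs-uri-stem"]
        if not SCRIPT_EXT.search(uri):
            continue
        s = per_uri[uri]
        s["hits"] += 1
        s["ips"].add(e["c-ip"])
        if e["cs-method"] == "POST" and e["sc-status"] == "200":
            s["posts"] += 1
        s["first_seen"] = s["first_seen"] or f'{e["date"]} {e["time"]}'
    findings = []
    for uri, s in per_uri.items():
        score, reasons = 0, []
        if UPLOAD_DIR.search(uri):
            score += 2
            reasons.append("script file inside an upload directory")
        if s["posts"]:
            score += 1
            reasons.append(f'{s["posts"]} successful POST request(s)')
        if len(s["ips"]) == 1:
            score += 1
            reasons.append("only one client ever touches it")
        if score >= min_score:
            findings.append({"uri": uri, "score": score, "hits": s["hits"], "posts": s["posts"],
                             "clients": sorted(s["ips"]), "first_seen": s["first_seen"],
                             "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in find_suspects(parse_w3c(SAMPLE_LOG)):
        print(f'{f["uri"]}  score={f["score"]}  first seen {f["first_seen"]}  clients={f["clients"]}')
        for r in f["reasons"]:
            print("   -", r)
```

On the constructed log only /lesson_manage/upload/40/asp.asp is reported: the login form is also POSTed to, but it is not under an upload path and answered 302, and index.asp is fetched by more than one client. The first_seen timestamp is the point to start the backtrace from in the real log.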

2.2 Uploading a "pony"

When the "big horse" cannot be uploaded directly, the attacker usually first uploads a "pony" that helps complete the upload of the big horse, or uploads a one-line Webshell and controls the server with a client program. How the pony or the one-line Webshell gets onto the server is not discussed here; we only look at how the pony is used to upload the big horse.

What is special about this method is that no complete file is transferred over the network; instead the Webshell is carried as a parameter inside the HTTP request, and that parameter can be sent by either GET or POST. Consider the following real example:

In the captured request (shown as a figure in the original article) it is not hard to see that a one-line trojan client is uploading Webshell script code in a POST body, which the one-line trojan then writes to a file named body.asp in its own directory, completing the upload of the "big horse". Intercepted traffic contains payloads such as act=body.asp and Value=execute..., and by detecting these payloads the upload of the Webshell and its subsequent behaviour can be analysed.

2.3 Payloads during access

A Webshell exists to control the server or to steal confidential information. To do that the attacker has to send control instructions to the Webshell, and those instructions commonly carry attack payloads with obvious features. Consider the following payload:

In the captured request (shown as a figure in the original article) it is clear that the Webshell is trying to connect to the website's database: the attacker submits the connection parameters to the Webshell by POST, and the payload contains Action=sqladmin, dbhost=localhost, dbport=3306, dbuser=root, dbpass=1qaz2wsx, connect=connect and so on.
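As an added example (not code from the original article) of the traffic-side detection that sections 2.2, 2.3 and the traffic engine of section 3 describe, the following classifies urlencoded request bodies by the payload shapes above: server-side code arriving inside a parameter, code plus a script filename in one request (a pony writing the big horse), and the Action=sqladmin database-connect form. The request records are constructed; the sqladmin parameter names are the ones the article quotes, and the regexes are assumptions to extend with local knowledge.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, quote

# Server-side code fragments that have no business in a form field
CODE_MARKERS = re.compile(
    r"(<\?php|<\?=|<%|\b(eval|assert|execute|system|passthru|shell_exec|"
    r"base64_decode|gzinflate|CreateObject)\s*\()", re.I)
# A value that names a server-side script file (what the one-line trojan is told to write)
SCRIPT_NAME = re.compile(r"^[\w./-]+\.(asp|aspx|asa|cer|php\d?|phtml|jsp|jspx)$", re.I)
# Parameter set the big-horse database manager sends when connecting (from the article)
DB_KEYS = {"dbhost", "dbport", "dbuser", "dbpass"}

# Constructed (client_ip, uri, body) records; bodies 1 and 3 are modelled on the
# act=body.asp / Value=execute capture and a PHP one-liner client, not real traffic.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "/lesson_manage/upload/40/x.asp",
     "act=body.asp&Value=" + quote('<%execute(request("cmd"))%>')),
    ("203.0.113.7", "/lesson_manage/upload/40/body.asp",
     "Action=sqladmin&dbhost=localhost&dbport=3306&dbuser=root&dbpass=1qaz2wsx&connect=connect"),
    ("203.0.113.7", "/images/logo.php",
     "pass=" + quote("@eval(base64_decode('cGhwaW5mbygpOw=='));")),
    # an ordinary login form: must not be flagged
    ("198.51.100.2", "/login.asp", "username=alice&password=hunter2&remember=on"),
    # a legitimate editor that merely names a script: a filename alone is not evidence
    ("198.51.100.2", "/admin/edit.asp", "file=default.asp&action=view"),
]


def classify_body(body):
    """Return the list of Webshell indicators found in one urlencoded request body."""
    params = parse_qs(body, keep_blank_values=True)
    flat = {k.lower(): v[0] for k, v in params.items()}   # first value of each parameter
    tags = []
    code_params = sorted(k for k, v in flat.items() if CODE_MARKERS.search(v))
    if code_params:
        tags.append("code-in-parameter:" + ",".join(code_params))
    targets = [v for v in flat.values() if SCRIPT_NAME.match(v)]
    if code_params and targets:
        # code and a script filename in the same request: the pony writing the big horse
        tags.append("webshell-write:" + targets[0])
    if flat.get("action") == "sqladmin" and DB_KEYS <= set(flat):
        tags.append(f'db-manager-connect:{flat["dbuser"]}@{flat["dbhost"]}:{flat["dbport"]}')
    return tags


def scan_requests(requests):
    """Run classify_body over (client_ip, uri, body) records and group the hits by client."""
    hits = defaultdict(list)
    for ip, uri, body in requests:
        tags = classify_body(body)
        if tags:
            hits[ip].append((uri, tags))
    return dict(hits)


if __name__ == "__main__":
    for ip, entries in scan_requests(SAMPLE_REQUESTS).items():
        print(ip)
        for uri, tags in entries:
            print("  ", uri, tags)
```

Grouping by client IP is what turns isolated signatures into an incident: the same address that wrote body.asp is the one that later drives its database manager, which is the correlation of IP, path and payload the traffic engine in section 3 relies on.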

3. Webshell detection

Reference article: http://www.sec-un.org/ideas-like-article-espionage-webshell-method.html

Three ways to detect Webshells

From the defender's perspective, detection is the first capability. Webshells are detected mainly in the following ways:

(1) Traffic-based Webshell detection engine

Easy to deploy: the raw data is analysed directly from a traffic mirror. Because detection is based on payload behaviour, it finds not only known Webshells but also unknown and heavily disguised ones. Webshell characteristics (IP, User-Agent, cookie), payload characteristics, path characteristics and timing characteristics are correlated, and the attack events are reconstructed along a time index.

(2) File-based Webshell analysis engine

Checks whether a file contains Webshell characteristics, such as the functions Webshells commonly use. Checks whether the file is encrypted or obfuscated. Hash matching: builds a hash library of Webshell samples and compares suspicious files against it. Examines file creation time, modification time and permissions to help confirm a Webshell. Sandboxing: runs the script in a sandbox for its dynamic language and judges it by its runtime behaviour.

(3) Log-based Webshell analysis engine

Supports a variety of common log formats. The site's access behaviour is modelled so that Webshell uploads and related behaviour can be identified effectively; the logs are analysed as a whole and the entire attack process can be traced back.

Of the three methods, file-based detection usually has a high deployment cost because samples have to be obtained, and a sample alone does not show the whole attack. Some behavioural information is simply not present in the logs. In general, traffic exposes the most information and allows the attack process to be reconstructed most completely.

4. Webshell response measures

Having understood the basic principle of the Webshell, the most important point of prevention is the trojan program file planted as ASP, PHP or JSP. Using a Webshell generally leaves no trace in the system logs; it leaves only some data-submission records in the website's web access log, and an inexperienced administrator finds it hard to see the signs of the intrusion. Security can generally be handled in the following ways:

1. Secure web application development
   a. Fix file-upload vulnerabilities in the application; attackers use them to upload trojan files.
   b. Defend against SQL injection, database exposure (disclosure and download of the database file), cookie spoofing and cross-site scripting.
2. Server and web server security
   a. Apply the usual server hardening: install virus and trojan scanners (note that such software usually does not detect Webshell files), enable the firewall and shut down unnecessary ports and services.
   b. Harden the web server's own configuration.
   c. Restrict the permissions on the following commands (Windows example): cmd.exe, net.exe, net1.exe, ping.exe, netstat.exe, ftp.exe, tftp.exe, telnet.exe.
3. FTP upload security: configure the FTP server so that attackers cannot use FTP to upload trojan files directly into the web application's directory.
4. File system permissions: set permissions on the web application directory and the rest of the system so that write access to the relevant directories is granted only to the superuser, with write access to a few directories granted to the service user. Separate the web application from any uploaded files (images included) so that the application directory stays clean; uploaded files are then either served by the front web server (Apache or Nginx in front of Tomcat, for example) or read directly by the application and returned to the client as a stream.
5. Do not run the web service as the superuser. After installing Apache, Tomcat or another web server, run it as a regular system user or a dedicated account with just the permissions it needs. If a trojan program file in ASP, PHP or JSP is planted while the server runs as the superuser, the Webshell inherits superuser privileges and with them control of the entire system.
