Webshell Detection (I.)

Source: Internet
Author: User
Tags: sql injection, system log, ssh port

0x01: Webshell introduction

Attackers targeting a corporate website usually obtain a Webshell by one of several routes in order to take control of the site and to facilitate follow-on actions. Common routes are direct upload of a Webshell, SQL injection, remote file inclusion (RFI), FTP, and even cross-site scripting (XSS) as one step of the attack; some older methods abuse the back end's database backup-and-restore feature or database compression to write a Webshell. Common Webshell capabilities include, but are not limited to, shell command execution, code execution, database enumeration, and file management.

1. Webshell classification

By protocol, Webshells started out as TCP- and UDP-based shells, later joined by ICMP-based and DNS-based shells. By tool, there are nc reverse shells, telnet reverse shells, SSH port forwarding and other means, down to very sneaky reverse shells built with awk. By language, any popular language can be used to write a backdoor, from bash to the "3P" languages (Perl, Python, PHP) to Ruby and Java.

2. Webshell functions

(1) Webmaster tools

Webshells are often used by webmasters for website and server management. Depending on the FSO (FileSystemObject) permissions granted, they can edit web scripts online, upload and download files, view the database, and execute arbitrary programs and commands.

(2) Persistent remote access

A Webshell lets the attacker keep long-term control of the web server: even if the vulnerability used to get in is fixed so that nobody else can exploit it, the attacker can still quietly control the server at any time. Some popular Webshells use password authentication and similar techniques so that only the person who uploaded the Webshell can access it (Webshell password brute-forcing tools would beg to differ).

(3) Privilege escalation

Unless the server is misconfigured, the Webshell runs with the web server user's permissions, which are limited. Through the Webshell the attacker may attempt privilege escalation by exploiting a local vulnerability on the system; common routes are finding sensitive configuration files, kernel exploits, scripts under a low-privileged user's directory that root will execute, scheduled tasks, and so on (from getting started to giving up).

(4) Strong concealment

Some malicious web scripts can be nested inside a normal web page and run there without being easily caught by antivirus. A Webshell can also pass through the server's firewall, because the data exchanged with the controlled server or remote host travels over port 80 and is therefore not blocked; and since that traffic is not logged, a Webshell driven by POST requests leaves nothing in the system log. Only a few records of data submission appear in the web log.

0x02: Webshell detection

1. Detection based on Webshell features

Common Webshell characteristics

(1) Command-execution functions that call into the system, such as eval, system, cmd_shell, assert, etc.;

(2) File-operation functions that call into the system, such as fopen, fwrite, readdir, etc.;

(3) Database-operation functions, which call the database's own stored procedures to carry out operations;

(4) Deep self-concealment: it can disguise itself and lie dormant in the web source code for a long time;

(5) Many derived variants evade detection through custom encryption/decryption functions, XOR, string reversal, compression, truncation and recombination.

// using base64 encoding
<?php $b = base64_encode('whoami'); echo $b.'<br />'; echo base64_decode($b).'<br />'; ?>

// using gzcompress compression
<?php $c = gzcompress('whoami'); echo $c.'<br>'; echo gzuncompress($c)."<br />"; ?>

// using bitwise operations (each "x"^"y" pair yields one character; together they spell "_POST")
<?php @$_++; $__=("#"^"|").("."^"~").("/"^"`").("|"^"/").("{"^"/"); ?>

// using comment characters to break up the function name
<?php @${$__}[!$_](${$__}[$_]); @$_="s"."s"./*-/*-*/"e"./*-/*-*/"r"; @$_=/*-/*-*/"a"./*-/*-*/$_./*-/*-*/"t"; @$_/*-/*-*/($/*-/*-*/{"_P"./*-/*-*/"OS"./*-/*-*/"T"}[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]); ?>

The above analyzes the behavior of the Webshell itself: because it performs system calls, system configuration, database and file operations, a Webshell can be found by matching keywords in script files. Some Webshells compress or otherwise transform their data, and once the data has been transformed a WAF may not recognize the content as dangerous; but a script file that uses these special functions is suspicious in itself, and of course there are other ways to detect it.


This kind of detection can be done with grep; Webshell scanning tools such as D Shield work on the same principle, scanning the source. But often the attacker deletes the Webshell after getting the information they wanted, or we run into a deformed Webshell variant that our keywords do not match; in such cases searching files for the Webshell is not applicable.

find /site/* -type f -name "*.php" | xargs grep "eval"

If the attacker has applied antivirus evasion, check whether encoding or cryptographic functions are used:

find /site/* -type f -name "*.php" | xargs grep "base64_decode"

Check whether string concatenation is used (the pattern is passed as a fixed string with -F so that the $ is not read as an end-of-line anchor):

find /site/* -type f -name "*.php" | xargs grep -F '@$'

To review what the search turns up and confirm manually whether it is the attacker's file, you can open the script file locally and check the page generation time, or upload it to an online scanning site (http://www.virscan.org/; https://x.threatbook.cn/). Analyzing the code by hand is of course perfectly fine too.

2. Webshell detection based on traffic characteristics

(1) Detection based on Webshell traffic behavior characteristics

Traffic-based detection cannot see the dangerous-function keywords that make up the Webshell, but because a Webshell commonly performs system calls, system configuration, database and file operations, its behavior leaves some obvious characteristics in the parameters of its data flow. Detection then works by matching those behavioral traffic characteristics; this is still based on Webshell behavior, and the same behavior can of course also be detected at the system level.

ipconfig/ifconfig, system, whoami, netstat, eval, database, systeminfo, ......

Commonly the attacker's frequently used commands and payloads can be retrieved from the data. Of course most Webshells are not so direct and may encode the data; the classic example, China Chopper, applies URL encoding and base64 encoding, so the corresponding decoding must be applied before sensitive behavioral characteristics can be detected. This is also the benefit of capturing traffic: the web access log cannot capture the body of a POST request, so the behavior after the Webshell is planted cannot be analyzed from it, whereas traffic capture handles this very well.

(2) Detection based on Webshell tool features

One: China Chopper Webshell traffic characteristic detection

Set up the most common one-line Webshell in a test environment and capture the packets directly; you can see the packet sent by the chopper.

After decoding, you can see that the command being executed is netstat -an; the code that turns off error echo, the "z1" parameter and the other string operations are characteristics of the China Chopper Webshell.

Two: Webacoo Webshell traffic characteristic detection

Use the Webacoo tool to generate a Webshell, connect to it, and capture the packets for testing.

Analysis with Wireshark or another packet-capture tool shows that the encoded communication is carried in the Cookie header, with three variables cm, cn and cp; this is the characteristic of the Webacoo Webshell management tool.
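As an added example (not from the original article or from any Webshell tool), the following Python code strips the layered encoding described in this section, URL encoding over base64, from the parameters of a captured form body, then checks the decoded values against the sensitive command list above and the two China Chopper characteristics mentioned (error echo turned off, z-numbered parameters). The request body is constructed and only loosely modelled on such traffic; the command and marker lists are assumptions to extend.

```python
"""Added example, not from the original article: decode the layered encoding the
article describes (URL encoding over base64) in a captured POST body and match the
decoded values against the sensitive command list and the China Chopper markers.
The request body is constructed and only loosely modelled on such traffic."""
import base64
import binascii
import re
from urllib.parse import quote_plus, unquote_plus

# Commands and functions whose appearance in decoded parameters is suspicious.
SENSITIVE = ["ipconfig", "ifconfig", "whoami", "netstat", "systeminfo", "eval", "system"]
# Tool fingerprints from the article: key -> description. Matched against both
# the parameter name and the decoded value.
TOOL_MARKERS = {
    "display_errors": "error echo switched off",
    "z1": "z-numbered parameter",
}

def try_base64(s):
    """Strict base64 decode; return the text only if it is mostly printable."""
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    if not text or sum(ch.isprintable() for ch in text) / len(text) < 0.9:
        return None
    return text

def peel(value, max_layers=4):
    """Strip base64 and URL-encoding layers until the value stops changing.
    Returns (decoded_text, [layer names in the order they were removed])."""
    layers, cur = [], value
    for _ in range(max_layers):
        decoded = try_base64(cur)
        if decoded is not None and decoded != cur:
            layers.append("base64"); cur = decoded; continue
        if "%" in cur:                      # only URL-decode when escapes are present
            unq = unquote_plus(cur)
            if unq != cur:
                layers.append("url"); cur = unq; continue
        break
    return cur, layers

def analyze_body(body):
    """Return per-parameter findings for an application/x-www-form-urlencoded body."""
    findings = {}
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        decoded, layers = peel(raw)
        commands = [c for c in SENSITIVE if re.search(r"\b" + c + r"\b", decoded, re.I)]
        markers = [d for k, d in TOOL_MARKERS.items() if k == name or k in decoded]
        findings[name] = {"decoded": decoded, "layers": layers,
                          "commands": commands, "markers": markers}
    return findings

def suspicious(findings):
    """True when any parameter carries a sensitive command or a tool marker."""
    return any(f["commands"] or f["markers"] for f in findings.values())

def _enc(s):
    """Constructed client-side encoding: base64 first, then URL-encoding."""
    return quote_plus(base64.b64encode(s.encode()).decode())

# Constructed sample body (hypothetical parameter names, not a real capture).
SAMPLE_BODY = "&".join([
    "cmd=run",
    "z0=" + _enc('@ini_set("display_errors","0");'),
    "z1=" + _enc("netstat -an"),
])

if __name__ == "__main__":
    result = analyze_body(SAMPLE_BODY)
    for name, f in result.items():
        print(name, f)
    print("suspicious:", suspicious(result))
```

Because the decoder peels layers generically, the same function also handles a plain URL-encoded or plain base64 parameter, and the printable-text check keeps it from misreading binary upload data as a base64 layer.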

3. Detection based on Webshell system behavior characteristics

This idea is much the same as detection based on Webshell traffic behavior: an attacker who uploads a Webshell will always do something, so we can monitor system changes and sensitive operations, collect as much information about the server as possible, and compare the monitored system against its previous configuration and files to find traces of the Webshell as far as possible.

(1) File analysis

Check sensitive directories such as /tmp, /init.d, /usr/bin and /usr/sbin for suspicious files. For any such file, use stat to view the creation, modification and access times in detail; if the modification time is close to the date of the incident there is a linear association, which suggests the file may have been tampered with or similar.

For files, you can also use find to locate new files whose timestamps are close to the time of the security incident.

For example:

To find PHP files modified within the last 24 hours: find / -mtime 0 -name "*.php". Do not limit this to PHP files; many backdoors create many other files.

To work back from a known date to the files changed on it: ls -al /tmp | grep "Feb 27"

To find files with 777 permissions and hidden files (a file whose name starts with "." has the hidden property): find / -name "*.jsp" -perm 4777

(2) Process analysis

Use the netstat network-connection command to analyze suspicious ports, suspicious IPs, suspicious PIDs and program processes (top shows the system's overall operation in real time, mainly per-process CPU and memory usage, and is a good tool for monitoring system performance and operational information from several angles). It is best to distinguish externally listening ports from internally listening ones; this generally finds backdoors effectively.

netstat -antlp | more

For example, a DNS backdoor written in Python performs DNS queries; when DNS is used as a covert communication channel, the core data is carried in the hostname part of the DNS request. Packet capture shows that the traffic is encrypted, so traffic detection may not catch it. A rootkit can also be used to hide processes. Linux creates a directory under /proc for each process, named after its PID, which can also be used for analysis: hidden processes can be found by comparing the two listings produced by the following commands:

ps -ef | awk '{print $2}' | sort -n | uniq > 1    # $2 is the PID column of ps -ef
ls /proc | sort -n | uniq > 2
diff 1 2

(3) System information analysis

history (cat /root/.bash_history)    // review past command history, for further investigation and tracing
/etc/passwd                          // check for newly added malicious users, or users other than root with uid 0
crontab, /etc/cron*                  // check the current scheduled tasks for backdoor or malicious program start-up entries
$PATH                                // analyze for sensitive or suspicious entries
......

The above is also the system information that is frequently analyzed in incident response, and it is suitable for Webshell detection too: when a suspicious item is found, it can be analyzed by reasoning backwards. I have also discussed this with many experienced people: in simple cases detection can work very well, for example tracing back from the most primitive brute-force analysis, and an IDS takes care of a lot of repetitive manual work; for deformed or evasive attacks it may be necessary to extract as much information as possible and cross-analyze it comprehensively; for APT and other advanced attacks, detection will be quite troublesome, and I would be glad to hear experts explain it.

(4) Configuration files

For example, the most common case is modifying the su verification module of the PAM SSH authentication configuration under pam.d, so that on the next login, if the UID is verified as 0, root can log in without a password; in the general case this is not noticed unless you look carefully. There are many more backdoors of this kind, down to backdoors in php.ini, so some configuration files need to be monitored and compared with their previous versions to find where the problem lies.

(5) Chkrootkit / rkhunter

Chkrootkit is a tool for checking whether a rootkit has been installed on the current system. A rootkit is a tool commonly used by a certain class of people; it is usually very stealthy, so that users are unaware of it, and through such tools the intruder establishes regular or even real-time control of the system. Therefore Chkrootkit should be used to check the system regularly to ensure its safety.

Chkrootkit main functions:

- Detect whether backdoors, malware or rootkits have been implanted

- Detect whether system commands are intact (avoid using replaced commands during detection and analysis)

- Detect login logs

Run chkrootkit -n; if anything abnormal is found, it reports the word "INFECTED".


Rkhunter is an open-source detection tool for the Linux platform with a very comprehensive scanning range: besides detecting the signatures of a variety of known rootkits, it also supports port scanning and checking common program files for changes.

Rkhunter main functions:

- System command (binary) detection, including MD5 checksums

- Rootkit detection

- Local sensitive directory, system configuration, service and package anomaly detection

- Third-party application version detection

If system commands (for example netstat, ls, etc.) have been replaced, clean copies need to be downloaded or copied from another uninfected host for further troubleshooting. Similarly, for backdoors such as a replaced login program, you can run md5sum on the existing /bin/login file and compare the hash with the previous value.

4. Detection based on Webshell behavior characteristics in web logs

Before analyzing a Webshell or attack event, first understand the system architecture: server type, business architecture, network topology, and so on.

- Server type: Windows, Linux, etc.

- CMS: DedeCMS, PHPCMS, TRS CMS, etc.

- Middleware, containers, frameworks, databases: Tomcat, IIS, Apache, WebLogic, Struts, MySQL, etc.

- Scripting language: ASP, PHP, JSP, etc.

- Business architecture: for example, whether the front-end web content is uploaded by the back end via FTP (common for news sites), etc.

......

Then look at the steps of a common attack:

Under normal circumstances, the attacker looks for web vulnerabilities, just as I would, and gets a Webshell directly through a number of high-risk vulnerabilities such as Struts2, deserialization, SQL injection and so on.

The most common route is to find a SQL injection point, obtain the admin account and password for the site's back end, and then upload a Webshell through the back end. The uploaded Webshell leaves a script file on the server, so looking for the Webshell is also an entry point during incident response: use the Webshell to determine the time and the attacker, and then analyze further along the time dimension and the attacker dimension.

As above, use grep to search for the dangerous functions commonly used in Webshells, find the Webshell, then pull the records about it from the log, find the attacker IP that accessed the Webshell, and keep searching for that IP's access records; in this way the whole set of actions the attacker took can be restored.

Webshell access features (unless you tell me the attacker has inserted the Webshell into some other dynamic page, 2333)

1) Only a small number of IPs access it

2) The total number of visits is low

3) The page is an orphan page (nothing on the site links to it)

Then use awk, uniq, sort or a script to produce statistics such as the total number of visits per URL per day, the URLs accessed by a single IP, and so on.

awk -F " " '{print $1}' log | sort | uniq -c | sort -nr | more
cat access.log | cut -f1 -d " " | sort | uniq -c | sort -k1 -nr | head -10    // top ten client IPs by number of requests
cat access.log | cut -f7 -d " " | sort | uniq -c | sort -k1 -nr | head -10    // top ten URLs by number of requests (field 7 is the request path in the Apache common/combined log format; -n sorts the counts numerically)

When analyzing the log, first remove static pages and error requests; grep -v is commonly used to exclude them. The exclusions are:

1. Remove static paths (for example jpeg, jpg, gif, png, bmp, css, js, xls, xlsx, doc, xml, wav, tar.gz, zip, swf, mp3, ico, pidf, torrent)

2. Remove whitelisted paths (for example the home page: index.php, index.asp, index.aspx, index.ashx, index.html)

3. Remove paths whose extension is not a Webshell extension (the Webshell extensions being, for example, asp, aspx, php, jsp, py, cgi, pl, java, sh, war, cfm, phtml)

4. Remove paths produced by scanners, using a scanner IP reputation database (a cloud scanner IP reputation list plus a time-limited one) together with scanner behavior (cluster simply by IP and host, and treat a client that makes more than M requests or touches more than N distinct paths per unit time as a scanner)

5. Remove paths whose response code is not 200

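As an added example (not the author's script), the Python code below applies the five exclusion rules above to Apache combined-format log lines and then computes, for each surviving URL, the total hits, the number of distinct client IPs and an orphan-page heuristic based on the Referer field: a page that is never the Referer target of another request and is only ever requested directly. The log lines are constructed, and the scanner thresholds M and N are applied over the whole log instead of per unit time, which is a simplification.

```python
"""Added example, not from the original article: apply the five exclusion rules
to a web access log and compute per-URL hit counts, distinct IPs and an
orphan-page heuristic. Log lines are constructed; the scanner thresholds M/N are
applied over the whole log rather than per unit time."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

STATIC_EXT = ("jpeg", "jpg", "gif", "png", "bmp", "css", "js", "xls", "xlsx", "doc", "xml",
              "wav", "tar.gz", "zip", "swf", "mp3", "ico", "pidf", "torrent")
WHITELIST = {"index.php", "index.asp", "index.aspx", "index.ashx", "index.html"}
SCRIPT_EXT = ("asp", "aspx", "php", "jsp", "py", "cgi", "pl", "java", "sh", "war", "cfm", "phtml")

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"')

def parse_line(line):
    """Parse one Apache combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, referer, ua = m.groups()
    return {"ip": ip, "time": ts, "method": method, "path": urlsplit(target).path,
            "status": int(status), "referer": referer, "ua": ua}

def scanner_ips(reqs, m=100, n=20):
    """IPs with more than M requests or more than N distinct paths are treated as scanners."""
    hits, paths = defaultdict(int), defaultdict(set)
    for r in reqs:
        hits[r["ip"]] += 1
        paths[r["ip"]].add(r["path"])
    return {ip for ip in hits if hits[ip] > m or len(paths[ip]) > n}

def keep(req, scanners):
    """Exclusion rules 1-5 from the article; True means the request survives."""
    path = req["path"].lower()
    name = path.rsplit("/", 1)[-1]
    if path.endswith(tuple("." + e for e in STATIC_EXT)):    # rule 1: static files
        return False
    if name in WHITELIST:                                      # rule 2: whitelisted pages
        return False
    if not path.endswith(tuple("." + e for e in SCRIPT_EXT)):  # rule 3: non-script paths
        return False
    if req["ip"] in scanners:                                  # rule 4: scanner traffic
        return False
    return req["status"] == 200                                # rule 5: only 200 responses

def analyze(lines, m=100, n=20):
    """Per-path stats for the surviving requests, flagging likely Webshell URLs."""
    reqs = [r for r in (parse_line(l) for l in lines) if r]
    scanners = scanner_ips(reqs, m, n)
    # Paths that appear as the Referer of some request are linked from somewhere on the site.
    linked = {urlsplit(r["referer"]).path for r in reqs if r["referer"] != "-"}
    stats = {}
    for r in reqs:
        if not keep(r, scanners):
            continue
        s = stats.setdefault(r["path"], {"hits": 0, "ips": set(), "direct_only": True})
        s["hits"] += 1
        s["ips"].add(r["ip"])
        if r["referer"] != "-":
            s["direct_only"] = False
    out = {}
    for path, s in stats.items():
        orphan = s["direct_only"] and path not in linked
        out[path] = {"hits": s["hits"], "distinct_ips": len(s["ips"]), "orphan": orphan,
                     "suspicious": orphan and len(s["ips"]) <= 2}
    return out

def suspicious_paths(lines, **kw):
    return sorted(p for p, s in analyze(lines, **kw).items() if s["suspicious"])

def build_sample_log():
    """Constructed log: normal browsing, one orphan script hit by one IP, and a scanner."""
    t = "[27/Feb/2019:10:%02d:00 +0800]"
    site = "http://www.example.com"
    lines = [
        f'10.0.0.5 - - {t % 1} "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        f'10.0.0.6 - - {t % 2} "GET /news.php?id=3 HTTP/1.1" 200 4200 "{site}/index.php" "Mozilla/5.0"',
        f'10.0.0.5 - - {t % 3} "GET /static/logo.png HTTP/1.1" 200 800 "{site}/index.php" "Mozilla/5.0"',
        f'203.0.113.9 - - {t % 10} "POST /uploads/img.php HTTP/1.1" 200 120 "-" "Mozilla/4.0"',
        f'203.0.113.9 - - {t % 11} "POST /uploads/img.php HTTP/1.1" 200 98 "-" "Mozilla/4.0"',
    ]
    # A scanner: 25 distinct paths from one IP, all answered 200.
    lines += [f'198.51.100.7 - - {t % 20} "GET /probe{i}.php HTTP/1.1" 200 50 "-" "scanner/1.0"'
              for i in range(25)]
    return lines

if __name__ == "__main__":
    for path, s in analyze(build_sample_log()).items():
        print(path, s)
```

The orphan test is the part that separates a rarely visited but legitimate page (news.php, reached from the home page) from the uploaded script that only its operator ever requests directly.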

5. Other Webshell detection methods

From here on, everything below is hearsay: many companies are doing it, but my skills are limited and I have not done it personally; it is included only for the completeness of the article!

One: Dynamic detection (sandbox)

This article has described static detection: matching specified script keywords and high-risk functions, and checking file-related characteristics such as modification time and permissions across several dimensions. That is fast at locating files. Dynamic feature detection determines the threat level of an action from the system commands the Webshell uses at runtime, or from anomalies in network traffic and state. A Webshell is usually encrypted to evade static detection, but at runtime it must issue system commands to control the system or operate the database, so a detection system that monitors or even intercepts the executed system commands can examine the security of a script file at the level of its behavior. What I can think of is a Python crawler that uses Selenium to simulate browser behavior.

Two: Statistics

In log analysis it was found that Webshells can also be detected statistically, based on Webshell features. NeoPI is a statistics-based Webshell backdoor detection tool that uses five statistical methods to search script files for potentially obfuscated or encoded malicious code.

NeoPI uses the following five detection methods:

1. Information entropy (Entropy): uses the ASCII table to measure the uncertainty of the file;

2. Longest word (Longest word): the longest string may potentially be encoded or obfuscated;

3. Index of coincidence (Index of coincidence): a low index of coincidence indicates that the file's code is potentially encrypted or obfuscated;

4. Signature (Signature): search the file for known malicious code string fragments;

5. Compression (Compression): compare the file's compression ratio.
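As an added example, and not NeoPI's own code, the following Python implements the five statistics described above and combines them the way a rank-based tool would, so a file that is extreme on several measures floats to the top. Both sample files are constructed (one ordinary page, one carrying a long base64 blob); the signature list is a small illustrative set and the rank combination is my own simplification.

```python
"""Added example, not NeoPI's code: the five statistics described above,
computed over script files and combined by rank. Sample files are constructed."""
import math
import random
import re
import zlib
from base64 import b64encode
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encoded or compressed blobs sit near the top of the range."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def longest_word(text: str) -> int:
    """Length of the longest whitespace-delimited token; long tokens suggest encoded data."""
    return max((len(w) for w in text.split()), default=0)

def index_of_coincidence(data: bytes) -> float:
    """Probability that two random bytes are equal; code and text sit far above uniform data."""
    n = len(data)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(data).values()) / (n * (n - 1))

def compression_ratio(data: bytes) -> float:
    """compressed size / original size; high-entropy encoded data barely shrinks."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0

# Illustrative signature fragments (assumed set, drawn from the functions named in the article).
SIGNATURES = [re.compile(p) for p in (r"\beval\s*\(", r"\bbase64_decode\s*\(",
                                       r"\bgzuncompress\s*\(", r"\bassert\s*\(", r"@\$_")]

def signature_hits(text: str) -> int:
    return sum(len(rx.findall(text)) for rx in SIGNATURES)

def metrics(text: str) -> dict:
    data = text.encode("utf-8", errors="replace")
    return {"entropy": entropy(data), "longest_word": longest_word(text),
            "ic": index_of_coincidence(data), "compression": compression_ratio(data),
            "signatures": signature_hits(text)}

def rank(files: dict) -> list:
    """Sum each file's position in every metric's ordering; lowest total = most suspicious.
    Returns [(name, total_rank, metrics), ...] sorted most suspicious first."""
    mets = {name: metrics(text) for name, text in files.items()}
    order = [("entropy", True), ("longest_word", True), ("ic", False),
             ("compression", True), ("signatures", True)]   # (metric, higher is worse?)
    totals = Counter()
    for key, higher_is_worse in order:
        for pos, name in enumerate(sorted(mets, key=lambda n: mets[n][key], reverse=higher_is_worse)):
            totals[name] += pos
    return sorted(((n, totals[n], mets[n]) for n in mets), key=lambda t: t[1])

def build_samples() -> dict:
    """Constructed files: ordinary PHP versus a page hiding a long base64 blob."""
    rng = random.Random(20190227)  # fixed seed so the example is reproducible
    blob = b64encode(bytes(rng.getrandbits(8) for _ in range(600))).decode()
    clean = "\n".join([
        "<?php",
        "function load_article($id) {",
        "    $row = db_query('SELECT title, body FROM articles WHERE id = ?', array($id));",
        "    if (!$row) { return null; }",
        "    return array('title' => $row['title'], 'body' => $row['body']);",
        "}",
        "function render_article($article) {",
        "    echo '<h1>' . htmlspecialchars($article['title']) . '</h1>';",
        "    echo '<div>' . htmlspecialchars($article['body']) . '</div>';",
        "}",
        "render_article(load_article($_GET['id']));",
    ])
    obf = f"<?php eval(base64_decode('{blob}')); ?>\n"
    return {"clean.php": clean, "obf.php": obf}

if __name__ == "__main__":
    for name, total, met in rank(build_samples()):
        print(f"{total:2d}  {name}  " + "  ".join(f"{k}={v:.3f}" if isinstance(v, float) else f"{k}={v}"
                                                 for k, v in met.items()))
```

Rank aggregation rather than fixed thresholds is what makes this usable across a whole web root: a minified JavaScript bundle may beat a Webshell on one measure, but rarely on all five at once.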

Three: Machine learning

See another author's share, "Webshell Discovery Technology Based on Machine Learning", and the project "machine learning detection Webshell" on GitHub.

0x03: Webshell defense

To fundamentally solve the security problems of dynamic web page scripts, implement anti-injection, database anti-brute-force, cookie-spoofing prevention, anti-cross-site attack measures and so on, and be sure to configure the server's FSO permissions.

1. Users are advised to upload and maintain web pages through FTP and to avoid installing ASP upload programs.

2. Calls to an ASP upload program must be authenticated, and only trusted people may be allowed to use it.

3. The ASP program's administrator username and password must have a certain complexity, must not be too simple, and should be changed regularly.

4. For programs downloaded from regular websites, change the database name and storage path after downloading; the database name should have a certain complexity.

5. Keep the program at the latest version as far as possible.

6. Do not place a link to the back-end management login page on the site's pages.

7. To guard against unknown vulnerabilities in the program, the back-end management login page can be deleted after maintenance and uploaded again at the next maintenance.

8. Back up the database and other important files regularly.

9. Do routine maintenance and watch for unknown ASP files appearing in the web space.

10. Disable the site's search function as far as possible and use external search tools instead, to prevent data exposure.

11. Use a whitelist for file uploads, forbid everything not on the whitelist, and set upload directory permissions following the principle of least privilege.

Postscript:

Shared in the spirit of sharing; my level is limited, so please forgive any mistakes!

Walking the information security road alone is very hard ~ ~ ~

