Webshell Security Detection (4)-traffic-based Webshell analysis example

Source: Internet
Author: User

1. Typical operations

After the previous articles in this series, everyone should have some understanding of how webshells are detected. Today we will discuss how to detect and discover webshells in network traffic.

We know that the purpose of a "da ma" (a large, full-featured Trojan webshell) is to escalate privileges and take control of the server. A typical "Trojan" of this kind has a complex structure with many functions: packing many functions into a single file is one of its design goals, and the price is a large file size. It is not difficult to summarize the typical functions found across the various categories of "Trojan":

File operations: upload, download, edit, and delete files. Database operations: connect to the database, disconnect from the database, and insert data. Command execution: submit custom commands, or run commands pre-built into the "Trojan".

Of course, a "Trojan" generally offers far more than this, but we only discuss how to recognize these three kinds of attacker activity in traffic and, from them, discover the webshell.

2. Typical traffic Payload

2.1 File Operations

Let's perform an upload of a simple privilege-escalation tool. Through the Webshell, we can do this:

After the file is successfully sent to the server, let's look at the request we captured from the server's network traffic:

Next, let's look at the content of the packet the server returned, also taken from the traffic:

By capturing the actual network traffic we obtain a Payload pair; the two halves appear in the access request and in the data returned by the server respectively:

Request Payload: POST | upfiles | pr.exe

Return Payload: 200

From the above Payload pair we can draw the following conclusions:

The server may already have been compromised and a Webshell backdoor successfully uploaded. The attacker is attempting to exploit the Microsoft Windows RPCSS service isolation Local Privilege Escalation vulnerability (MS09-012) to elevate privileges, which also suggests that the server has gone a long time without system security patches being installed.

2.2 database operations

Let's take a look at an example of a real MySQL Data operation:

The traffic information returned by the server is also taken out:

We can see that a large amount of Payload is generated when a database connection is made. Simply URL-decoding the POST data makes it much more obvious:

auth[driver]=server&auth[server]=localhost&auth[username]=root&auth[password]=&auth[db]=mysql&auth[permanent]=1

Next, let's analyze the Payload pair:

Request Payload: POST | localhost | root | mysql

Return Payload: localhost | root | mysql | 200 | *.sql | user

From the preceding paired Payload, we can draw the following conclusions:

The attacker is connecting to the MySQL database as root and browsing the table information in the mysql database. From there the attacker can export the tables of the mysql database to a .sql file.

2.3 Command Execution

Finally, let's look at the process of executing a command:

Check the request data captured from the server's traffic:

Check the traffic returned by the server, which yields the following data:

In this case, the attacker sends a command to the server to check the current privilege level. The server runs the command on receipt and reports the result back to the attacker in the response body. Let's analyze the Payload.

Request Payload: POST | act=cmd | cmd=who | precmd

Return Payload: 200 | nt authority\system

From the Payload summarized above, we can draw the following conclusions:

The server has been intruded. The attacker sent a command to query which operating system account the middleware (the web server) runs under, and got a satisfactory answer: SYSTEM. The fate of this server can be imagined.

Compared with a dedicated Webshell management tool, the Payload generated by working through a single-file Webshell page is relatively simple and obvious, so it is relatively easy to detect. But nothing is absolute: an encrypted or custom-built Webshell can completely escape the Payload-based detection described above.
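The following is an added example (not part of the original article) that turns the three Payload pairs discussed above into a small request/response pair matcher: it URL-decodes the POST body the way section 2.2 does, then requires both a request indicator and a matching response indicator before flagging an operation as confirmed. The HTTP samples, paths and rule patterns are constructed for illustration and are not real captures.

```python
import re
from urllib.parse import unquote_plus

# Constructed request/response samples modelled on the article's three
# operations (upload of pr.exe, an Adminer-style DB login, a cmd query),
# plus one benign request. Not real captures.
SAMPLES = [
    {"method": "POST", "path": "/up.php", "body": "action=upfiles&filename=pr.exe",
     "status": 200, "resp": "upload ok"},
    {"method": "POST", "path": "/adminer.php",
     "body": "auth%5Bdriver%5D=server&auth%5Bserver%5D=localhost&auth%5Busername%5D=root"
             "&auth%5Bpassword%5D=&auth%5Bdb%5D=mysql&auth%5Bpermanent%5D=1",
     "status": 200, "resp": "<a>user</a> <a>db</a> export *.sql"},
    {"method": "POST", "path": "/shell.php", "body": "act=cmd&cmd=whoami&precmd=",
     "status": 200, "resp": "nt authority\\system"},
    {"method": "GET", "path": "/index.php", "body": "", "status": 200,
     "resp": "<html>welcome</html>"},
]

# Each category is a (request indicator, response indicator) pair, following
# the article: a request alone is a suspicion, request + response is a confirmation.
RULES = {
    "file_upload": (re.compile(r"upfiles|\.exe\b", re.I), re.compile(r"\bok\b|success", re.I)),
    "db_operation": (re.compile(r"auth\[driver\]|auth\[username\]", re.I),
                     re.compile(r"\.sql\b|\buser\b", re.I)),
    "command_exec": (re.compile(r"\bact=cmd\b|\bcmd=", re.I),
                     re.compile(r"authority\\|uid=\d+", re.I)),
}

def payload_pair(sample):
    """Reduce a request/response to the 'method | decoded body' and 'status | body' pair."""
    req = f"{sample['method']} | {unquote_plus(sample['body'])}"
    resp = f"{sample['status']} | {sample['resp']}"
    return req, resp

def classify(sample):
    """Return (category, confirmed). confirmed is True only when the response
    indicator also matches and the server answered 200."""
    req, resp = payload_pair(sample)
    for name, (req_re, resp_re) in RULES.items():
        if req_re.search(req):
            return name, sample["status"] == 200 and bool(resp_re.search(resp))
    return None, False

def scan(samples):
    """Return (path, category, confirmed) for every sample that matched a rule."""
    return [(s["path"], *classify(s)) for s in samples if classify(s)[0] is not None]
```

As the article notes, this only catches plaintext Payloads; an encrypted or custom webshell would not trigger these patterns.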
