A webshell is a script-based attack tool used for website intrusion
After compromising a website and uploading a webshell, the attacker gains code execution on the server: running system commands, stealing user data, deleting web pages, defacing the homepage, and so on. The harm is self-evident.
What are the characteristics of webshell attacks?
Persistent remote access
Intruders use a webshell to keep long-term control of the web server. If the attacker patches the vulnerability they came in through, so that nobody else can use it, they can quietly control the server at any time. Some popular webshells use password verification and similar techniques to ensure that only the attacker who uploaded the shell can access it.
Privilege escalation
Unless the server is misconfigured, a webshell runs with the limited privileges of the web server user. From the webshell, an attacker can attempt privilege escalation by exploiting local vulnerabilities on the system. Common approaches include searching for sensitive configuration files, exploiting kernel vulnerabilities, abusing scripts in low-privilege user directories that are invoked by root-privileged users, abusing scheduled tasks, and so on.
Highly concealed
Some malicious web scripts can be embedded inside normal pages and are hard for antivirus tools to detect and remove. A webshell also passes through the server firewall: because its traffic to the controlled server or remote host travels over port 80, the firewall does not intercept it. Where traffic is not recorded, the webshell sends its commands in POST requests, which are not written to the system log; only some data-submission entries appear in the web server log.
Common methods of obtaining a webshell
Direct upload
When file uploads are inadequately filtered, a user can upload a webshell directly into any writable directory on the site and so obtain administrator-level control of the website.
Adding or editing the allowed upload types
Many script upload modules are not restricted to legitimate file types: most systems allow additional upload types to be added to the allowed list.
Writing a webshell through the admin backend
Once inside the backend, a webshell can also be written by modifying the relevant files.
Using the backend database backup and restore function
This mainly abuses the "back up database" or "restore database" function of an Access database in the backend. Variables such as the backup database path are not filtered, so a file with any suffix can be renamed to .asp, yielding a webshell.
PHP + MySQL systems
The backend needs to offer a MySQL query function. An intruder can use it to run a SELECT ... INTO OUTFILE query that writes out a PHP file: because all the data is stored in MySQL, webshell code can be inserted into the database by normal means and then exported as a shell with SELECT ... INTO OUTFILE.
How to remove a webshell backdoor from a website
There are two cases of webshell backdoor removal:
The backdoor file can be deleted directly: if you find such a file, simply delete it;
The backdoor file cannot be deleted directly, and only the Trojan code inside the file's content can be removed.
Four characteristics of backdoor files that can be deleted directly:
1. Files named index.asp or index.php that are automatically generated SEO-spam files; these can be deleted directly. To remove the backdoor completely, you also need to find the source file that generates them.
2. The file contains only one line, or a small amount of code; this type is called a "one-sentence backdoor" (a one-liner).
3. The keywords Password or UserPass appear in the file content.
4. Other files inside an upload-component directory or upload directory, such as eWebEditor, Editor, FCKeditor, webeditor, UploadFiles, uploads, etc., can be deleted directly.
Only the Trojan code in the file content can be deleted
Removal is performed for the following cases:
1. The website's own files have had malicious code inserted into them
2. The website configuration file
Removal method for backdoors inserted into the site's own code:
First back up the file so it can be restored if something goes wrong. Find the location of the backdoor code; generally it can be located by searching for the keywords eval, execute, request and ExecuteGlobal. Delete the code identified as the backdoor and save the file. Then visit the website to confirm that no errors are reported.
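The triage script below is an added example, not part of the original article: it applies the four "delete directly" characteristics listed above (one-liner, Password/UserPass keywords, scripts inside an upload directory) and the eval/execute/request/ExecuteGlobal keyword search described in this step, and sorts each file into "delete", "clean-in-place" or "ok". The PHP superglobals ($_POST, $_GET, $_REQUEST, $_COOKIE) are added as request-input sources beyond the page's keyword list, the three-line threshold for a one-liner is an assumption, and the sample files are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Keywords the article names for locating injected backdoor code, split into
# "executes code" and "reads attacker input" so a line doing both ranks highest.
EXEC_CALLS = re.compile(r"\b(eval|execute|ExecuteGlobal)\b", re.IGNORECASE)
# 'request' is from the article; the PHP superglobals are an added assumption.
INPUT_SOURCES = re.compile(r"\brequest\b|\$_(POST|GET|REQUEST|COOKIE)\b", re.IGNORECASE)
# Credential keywords the article lists as a sign of a password-gated shell.
CREDENTIAL_HINTS = re.compile(r"\b(Password|UserPass)\b", re.IGNORECASE)
# Upload-component / upload directories named in the article; scripts do not belong there.
UPLOAD_DIRS = {"ewebeditor", "editor", "fckeditor", "webeditor", "uploadfiles", "uploads"}
SCRIPT_EXT = {".asp", ".aspx", ".php", ".jsp"}
ONE_LINER_MAX_LINES = 3  # assumed threshold for "only one line or a small amount of code"


def triage_source(text, rel_path):
    """Score one file's source.

    Returns (verdict, findings): verdict is 'delete' (whole file is a backdoor),
    'clean-in-place' (legitimate file with injected code) or 'ok'; findings is a
    list of (reason, line_no, line) with line_no 0 for whole-file reasons."""
    p = Path(rel_path)
    lines = text.splitlines()
    code_lines = [ln for ln in lines if ln.strip()]
    findings = []

    for no, line in enumerate(lines, 1):
        has_exec = EXEC_CALLS.search(line) is not None
        has_input = INPUT_SOURCES.search(line) is not None
        if has_exec and has_input:
            findings.append(("exec fed from request input", no, line.strip()))
        elif has_exec:
            findings.append(("exec call, review", no, line.strip()))
        if CREDENTIAL_HINTS.search(line):
            findings.append(("credential gate", no, line.strip()))

    is_script = p.suffix.lower() in SCRIPT_EXT
    in_upload_dir = any(part.lower() in UPLOAD_DIRS for part in p.parts[:-1])
    exec_hits = [f for f in findings if f[0].startswith("exec")]

    # Whole-file backdoor: a script planted in an upload directory, or a one-liner.
    if is_script and in_upload_dir:
        return "delete", [("script inside upload directory", 0, str(p))] + findings
    if is_script and exec_hits and len(code_lines) <= ONE_LINER_MAX_LINES:
        return "delete", [("one-line backdoor", 0, str(p))] + findings
    # Legitimate file with injected code: keep the file, remove only the flagged lines.
    if exec_hits:
        return "clean-in-place", findings
    return "ok", findings


def scan_tree(root):
    """Walk a webroot and triage every script file; paths are reported relative to root."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXT:
            rel = path.relative_to(root)
            verdict, findings = triage_source(path.read_text(errors="replace"), rel)
            if verdict != "ok":
                report[str(rel)] = (verdict, findings)
    return report


# Constructed samples for the demonstration (not taken from any real site).
SAMPLE_ONE_LINER = '<%eval request("cmd")%>\n'
SAMPLE_INJECTED = (
    "<?php\n"
    "require 'config.php';\n"
    "echo render_home();\n"
    "@eval($_POST['x']);\n"  # the injected line inside an otherwise legitimate file
    "?>\n"
)
SAMPLE_CLEAN = "<?php\n$name = $_GET['name'];\necho htmlspecialchars($name);\n?>\n"


def demo_scan():
    """Write the constructed samples into a temporary webroot and scan it."""
    samples = {"note.asp": SAMPLE_ONE_LINER, "inc/home.php": SAMPLE_INJECTED, "hello.php": SAMPLE_CLEAN}
    with tempfile.TemporaryDirectory() as root:
        for rel, src in samples.items():
            dest = Path(root) / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_text(src)
        return {rel: verdict for rel, (verdict, _) in scan_tree(root).items()}


if __name__ == "__main__":
    for rel, verdict in demo_scan().items():
        print(f"{rel}: {verdict}")
```

A bare hit on "request" is deliberately not reported on its own, since every legitimate ASP page reads Request.Form; it only raises a line's rank when the same line also calls eval/execute/ExecuteGlobal. Back up the file before acting on a "clean-in-place" verdict, as the step above says.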
How do websites defend against webshell attacks?
To fundamentally solve the security problems of dynamic web scripts (preventing injection, database exposure, cookie spoofing, cross-site attacks, etc.), be sure to configure the server's FSO (FileSystemObject) permissions.
1. Upload and maintain web pages through FTP, and avoid installing upload programs where possible.
2. Any call to an upload program must be authenticated, and only trusted people may use it.
3. Administrator usernames and passwords must be complex, not simple, and must be changed regularly.
4. For programs downloaded from regular websites, change the database name and storage path; the database name must have a certain complexity.
5. Keep the program up to date.
6. Do not link to the backend management login page from the public website.
7. To guard against unknown vulnerabilities in the program, delete the backend login page after each maintenance session and upload it again next time.
8. Back up important files such as databases regularly.
9. Perform daily maintenance, and watch for unknown .asp files in the web space.
10. Turn off the website's own search function as far as possible and use external search tools instead, so that the search function cannot be used to expose data.
11. Use a whitelist for file uploads: any upload not on the whitelist is refused, and upload directory permissions follow the principle of least privilege.
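The upload handler below is an added example, not code from the original article, showing how item 11 (whitelist-only uploads with a least-privilege upload directory) closes the "add upload type" and "direct upload" weaknesses described earlier. The extension list and magic-byte signatures, the 5 MB size cap and the 0640 file mode are assumptions chosen for the demonstration; the JPEG body used in the demo is a constructed byte string, not a real image.

```python
import os
import secrets
import stat
import tempfile
from pathlib import Path

# Whitelist: the only extensions accepted, each paired with the magic bytes the
# body must start with. Anything not listed is refused, and the list is fixed in
# code rather than editable from the backend (the "add upload type" weakness).
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size cap


class UploadRejected(ValueError):
    """Raised for any upload that fails the whitelist checks."""


def validate_upload(client_name, data):
    """Check a client-supplied filename and body against the whitelist.

    Returns (stored_name, ext): a server-generated random name carrying only the
    whitelisted extension, so nothing from the client's name (double extensions,
    path components, null bytes) ever reaches the filesystem."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized body")
    if "\x00" in client_name or "/" in client_name or "\\" in client_name:
        raise UploadRejected("illegal characters in filename")
    # Only the final suffix counts; 'shell.php.jpg' is judged as 'jpg' and then
    # has to pass the content check for a JPEG, which PHP source cannot.
    suffix = Path(client_name).suffix.lower().lstrip(".")
    if suffix not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {suffix!r} not in whitelist")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[suffix]):
        raise UploadRejected("content does not match the claimed type")
    stored_name = f"{secrets.token_hex(16)}.{suffix}"
    return stored_name, suffix


def is_rejected(client_name, data):
    """Convenience wrapper: True if validate_upload refuses the upload."""
    try:
        validate_upload(client_name, data)
    except UploadRejected:
        return True
    return False


def save_upload(upload_dir, client_name, data):
    """Validate, then write into the upload directory with least privilege:
    O_EXCL so an existing file is never overwritten, mode 0640 so the file is
    readable by the web server but never executable."""
    stored_name, _ = validate_upload(client_name, data)
    dest = Path(upload_dir) / stored_name
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo_roundtrip():
    """Store a constructed JPEG in a temporary directory; returns
    (stored with .jpg suffix, any execute bit set) -> expected (True, False)."""
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32  # constructed sample, not a real image
    with tempfile.TemporaryDirectory() as tmp:
        dest = save_upload(tmp, "holiday.JPG", fake_jpeg)
        mode = dest.stat().st_mode
        executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        return dest.suffix == ".jpg", executable


if __name__ == "__main__":
    print("roundtrip (is .jpg, executable):", demo_roundtrip())
    for name, body in [("shell.php", b"<?php echo 1; ?>"), ("shell.php.jpg", b"<?php echo 1; ?>")]:
        print(name, "rejected" if is_rejected(name, body) else "accepted")
```

Discarding the client's filename entirely is what makes the double-extension and null-byte tricks irrelevant: the stored name is random and carries only an extension that the server chose. The upload directory itself should additionally be configured so the web server will not execute scripts from it, which completes the least-privilege principle item 11 calls for.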