The Website Is Implanted with a Webshell: How to Deal with It
Source: Internet
Author: User
Keywords: webshell, webshell attack, webshell php
If a website has been implanted with a webshell, the website has a high-risk vulnerability that can be exploited. Attackers use such a vulnerability to break into the website and write a webshell, through which they take over control of the site. The usual ways of obtaining the necessary permissions include arbitrary file upload in the front end or back end, remote command execution, and writing files through SQL injection.
Symptom
The site administrator found a webshell in the site directory and began to analyze how the intrusion happened.
Webshell scanning tools:
D Shield web scanner: http://www.d99net.net/index.asp
Hippo (shellpub.com): supports multiple platforms, but requires network access.
Usage:
wget http://down.shellpub.com/hm/latest/hm-linux-amd64.tgz
tar xvf hm-linux-amd64.tgz
hm scan /www
Event analysis
1. Locating the time range
Take the creation time of the webshell file that was found and check the access log for that date.
2. Web log analysis
The log analysis found no suspicious upload at the time the file was created, but it did find a suspicious webservice interface.
3. Vulnerability analysis
Visiting the webservice interface showed that the variables buffer, distinctpach and newfilename can be set freely by the client.
4. Vulnerability reproduction
Reproducing the vulnerability, the webshell could be uploaded successfully and the website server taken over.
5. Fixing the vulnerability
Remove the webshell and fix the code of the webservice interface.
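The first two steps, taking the webshell's creation time and reading the access log around it, can be scripted. This is an added example, not code from the original article: the log lines, IPs, paths and timestamps are constructed, and the combined log format and the ±10 minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log in combined format (not from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2023:09:58:12 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2023:10:01:44 +0800] "POST /ws/FileService.asmx/UploadFile HTTP/1.1" 200 318 "-" "python-requests/2.28"
203.0.113.7 - - [12/Mar/2023:10:01:59 +0800] "GET /upload/images/cmd.php?c=id HTTP/1.1" 200 77 "-" "python-requests/2.28"
10.0.0.9 - - [12/Mar/2023:11:30:02 +0800] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Parse one combined-format log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def requests_near(log_text, created_at, window_minutes=10):
    """Step 1: keep only requests within ±window of the webshell file's creation time."""
    created = datetime.strptime(created_at, TS_FMT)   # e.g. the value from stat/ls -l
    lo, hi = created - timedelta(minutes=window_minutes), created + timedelta(minutes=window_minutes)
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and lo <= r["ts"] <= hi]

def analyze(log_text, created_at, webshell_url_path, window_minutes=10):
    """Step 2: find who requested the webshell URL inside the window, then list everything
    those IPs did in the same window. The request that wrote the file (here a POST to a
    webservice, not a classic upload form) is normally among them."""
    near = requests_near(log_text, created_at, window_minutes)
    shell_ips = {r["ip"] for r in near if r["path"].split("?")[0] == webshell_url_path}
    related = [r for r in near if r["ip"] in shell_ips]
    return sorted(shell_ips), related

if __name__ == "__main__":
    ips, related = analyze(SAMPLE_LOG, "12/Mar/2023:10:01:50 +0800", "/upload/images/cmd.php")
    print("IPs that touched the webshell:", ips)
    for r in related:
        print(r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
```

Once the writing endpoint is identified this way, the same filter can be run over the full log history for that endpoint to see whether it was abused earlier than the file timestamp suggests.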
This article covers the process from discovering the webshell, through log analysis, to reproducing and fixing the vulnerability; it does not cover tracing the attacker or forensic evidence collection.