A website that has been implanted with a webshell has, by definition, a high-risk vulnerability that could be exploited: the attacker used it to break into the site and wrote the webshell to take control of it. The usual ways of obtaining this foothold are arbitrary file upload in the front end or back end, remote command execution, SQL injection used to write files, and the like.
Symptom
The site administrator found a webshell in the site directory and began to analyze the intrusion.
Webshell scanning tools:
D Shield web scanner: http://www.d99net.net/index.asp
Hippo (hm): supports multiple platforms, but needs network access to run.
Instructions:
wget http://down.shellpub.com/hm/latest/hm-linux-amd64.tgz
tar xvf hm-linux-amd64.tgz
hm scan /www
Event analysis
1. Locating the time range
Use the creation time of the discovered webshell file to select the access logs for the relevant date.
2. Web log analysis
Log analysis found no suspicious upload at the file's creation time, but it did find a suspicious webservice interface.
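Steps 1 and 2, as an added example that is not part of the original article: take the webshell's file timestamp, keep only the access-log lines in a window around it, and flag write-capable requests (POST/PUT) to endpoints that can write files, then list what else the same source address did in that window. The combined log format, the endpoint patterns, the sample log lines and the webshell timestamp are all assumptions constructed for the example.

```python
"""Added example (not from the original article): correlate a webshell's file
timestamp with the web access log.  Lines are assumed to be in the Apache/Nginx
combined format; the sample log and the webshell timestamp are constructed."""
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed access log.  The file at /upload/x.aspx is first requested right
# after a POST to a webservice endpoint from the same address.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2021:10:31:02 +0800] "GET /index.aspx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2021:10:32:15 +0800] "GET /webservice/fileservice.asmx?WSDL HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2021:10:32:41 +0800] "POST /webservice/fileservice.asmx HTTP/1.1" 200 310 "-" "python-requests/2.25"
198.51.100.4 - - [12/Mar/2021:10:33:00 +0800] "GET /news/list.aspx HTTP/1.1" 200 7710 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2021:10:33:05 +0800] "GET /upload/x.aspx HTTP/1.1" 200 120 "-" "python-requests/2.25"
"""
# Constructed: the creation time reported for the webshell (server time, UTC+8).
WEBSHELL_CTIME = datetime(2021, 3, 12, 10, 32, 42, tzinfo=timezone(timedelta(hours=8)))

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
WRITE_METHODS = {"POST", "PUT"}
# Assumed: endpoint patterns that can legitimately write files on an ASP.NET site.
WRITER_PATH = re.compile(r"upload|webservice|\.asmx|\.svc|\.ashx", re.IGNORECASE)


def webshell_time_from_file(path):
    """Real-world entry point: read the timestamp from the webshell on disk."""
    st = os.stat(path)
    return datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The offset in the log line makes the datetime aware, so comparisons
    # against a timestamp in another zone (e.g. UTC from os.stat) stay correct.
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def triage(log_text=SAMPLE_LOG, webshell_time=WEBSHELL_CTIME,
           before=timedelta(minutes=5), after=timedelta(minutes=1)):
    """Step 1: keep requests in a window around the file time.
    Step 2: flag write-capable requests to file-writing endpoints, then list
    everything else the same source addresses did inside the window."""
    window = [r for r in map(parse_line, log_text.splitlines())
              if r and webshell_time - before <= r["ts"] <= webshell_time + after]
    candidates = [r for r in window
                  if r["method"] in WRITE_METHODS and WRITER_PATH.search(r["path"])]
    source_ips = sorted({r["ip"] for r in candidates})
    related = [r for r in window if r["ip"] in source_ips and r not in candidates]
    return {"window": window, "candidates": candidates,
            "source_ips": source_ips, "related": related}


if __name__ == "__main__":
    result = triage()
    for r in result["candidates"]:
        print("candidate write:", r["ts"], r["ip"], r["method"], r["path"])
    for r in result["related"]:
        print("same source:   ", r["ts"], r["ip"], r["method"], r["path"])
```

On a real case, replace the constructed constants with `webshell_time_from_file("<path to webshell>")` and the contents of the day's access log; the window is deliberately asymmetric, because the write normally precedes the file timestamp by seconds while the first GET of the webshell follows it.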
3. Vulnerability analysis
Visiting the webservice interface shows that the variables buffer, distinctpach and newfilename can all be set by the client.
4. Vulnerability reproduction
Reproducing the vulnerability confirms that a webshell can be uploaded through this interface and the web server taken over.
5. Remediation
Remove the webshell and fix the code of the webservice interface.
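The defect in steps 3 to 5, as an added example that is not the article's or the site's own code: a Python stand-in for the webservice file-write method with the three client-controlled parameters the page names (written `distinctpath` here; `buffer` is the file content), beside a hardened version that shows the kind of fix step 5 calls for. The upload root, the extension allowlist, the size limit and the payload are assumptions; the payload is inert placeholder bytes.

```python
"""Added example (not the article's or the site's code): the file-write method
behind the webservice interface, modelled in Python.  `vulnerable_save` mirrors
the defect the article describes (buffer, distinctpath and newfilename all
client-controlled); `hardened_save` is one way to fix it.  Upload root,
allowlist, size limit and payload are assumptions."""
import os
import secrets
import tempfile
from pathlib import Path

ALLOWED_EXT = {".jpg", ".png", ".gif", ".pdf"}   # assumed: what this site needs to accept
MAX_BYTES = 5 * 1024 * 1024                       # assumed size limit


class UploadRejected(Exception):
    pass


def vulnerable_save(upload_root, buffer, distinctpath, newfilename):
    """'Before': directory, file name and extension come verbatim from the client,
    so the caller chooses where the bytes land and whether the server will execute them."""
    target = os.path.join(upload_root, distinctpath, newfilename)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as f:
        f.write(buffer)
    return target


def hardened_save(upload_root, buffer, distinctpath, newfilename, authenticated):
    """'After': authenticate, bound the size, confine the directory to the upload
    root, allowlist the extension and generate the file name server-side."""
    if not authenticated:
        raise UploadRejected("anonymous caller")
    if len(buffer) > MAX_BYTES:
        raise UploadRejected("payload too large")
    root = Path(upload_root).resolve()
    subdir = (root / distinctpath).resolve()          # resolves ../ and symlinks
    if subdir != root and root not in subdir.parents:
        raise UploadRejected("directory escapes upload root")
    ext = Path(newfilename).suffix.lower()           # last suffix only: a.jpg.aspx -> .aspx
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} not allowed")
    subdir.mkdir(parents=True, exist_ok=True)
    final = subdir / (secrets.token_hex(16) + ext)   # client never picks the name
    # O_EXCL: never overwrite an existing file, even if the random name collides.
    fd = os.open(final, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(buffer)
    return str(final)


def _inside(path, root):
    return os.path.realpath(path).startswith(os.path.realpath(root) + os.sep)


def demo():
    """Exercise both versions in a throw-away directory and report what happened."""
    payload = b"placeholder bytes"                    # constructed, inert content
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "uploads")
        os.makedirs(root)
        out = {}
        v = vulnerable_save(root, payload, "../outside", "anything.aspx")
        out["vulnerable_escaped_root"] = not _inside(v, root)
        out["vulnerable_ext"] = os.path.splitext(v)[1]
        rejected = {}
        for label, args in {"anonymous": ("2021/03", "a.jpg", False),
                            "traversal": ("../outside", "a.jpg", True),
                            "bad_ext": ("2021/03", "a.aspx", True),
                            "double_ext": ("2021/03", "a.jpg.aspx", True)}.items():
            try:
                hardened_save(root, payload, *args)
                rejected[label] = None
            except UploadRejected as e:
                rejected[label] = str(e)
        out["rejected"] = rejected
        ok = hardened_save(root, payload, "2021/03", "photo.JPG", True)
        out["accepted_inside_root"] = _inside(ok, root)
        out["accepted_ext"] = os.path.splitext(ok)[1]
        return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hardened version still lets the client choose a subdirectory, which is often a business requirement, but only one that resolves inside the upload root; the remaining piece of a complete fix is serving the upload directory with script execution disabled, which belongs in the web server configuration rather than in this method.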
This article follows the case from webshell discovery through log analysis to vulnerability reproduction and repair; it does not cover attacker attribution or forensics.