The Website is Implanted with Webshell, How to Deal with it

Source: Internet
Author: User
Keywords webshell webshell attack webshell php
The website is implanted with a webshell, which means that the website has high-risk vulnerabilities that can be exploited. Attackers use the vulnerabilities to invade the website and write the webshell to take over the control of the website. In order to obtain permissions, conventional methods such as: arbitrary file upload in front and back end, remote command execution, SQL injection to write files, etc.

Symptom
The site administrator found a webshell in the site directory, so he began to analyze the invasion process.



Webshell killing tool:

D shield_Web killing: http://www.d99net.net/index.asp



Hippo: Supports multiple platforms, but requires a networked environment.

Instructions:

wget http://down.shellpub.com/hm/latest/hm-linux-amd64.tgz
tar xvf hm-linux-amd64.tgz
hm scan /www


Event analysis
1. Positioning time range

Through the found webshell file creation time point, go to check the access log of the relevant date.



2. Web log analysis

After log analysis, no suspicious upload was found at the time of file creation, but suspicious webservice interface was found



3. Vulnerability analysis

Visit the webservice interface and find that the variables: buffer, distinctpach, newfilename can be customized on the client



4. Vulnerability recurrence

Try to reproduce the vulnerability, you can successfully upload the webshell, control the website server







5. Bug fixes

Clear the webshell and fix the code of the webservice interface.

From the discovery of webshell to log analysis, to vulnerability reproduction and repair, this article does not involve traceability forensics.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.