Webshell, as the name implies, combines "web" (the web server) and "shell" (a script program written in a server-side scripting language): a webshell is a management tool for the web server that gives its user the authority to operate that server, and it is also called a webadmin. Website administrators generally use webshells for website management, server management, and so on. However, because a webshell is so powerful (it can upload and download files, view the database, and even call system commands on the server, such as creating users or modifying and deleting files), it is also commonly used by attackers: through some upload method the attacker places their own webshell in the web server's page directory and then intrudes by accessing that page, or plants a one-sentence webshell and connects to it from a local client tool to take over the server directly.
From the perspective of security protection capability, detection is the first capability. Webshell detection mainly uses the following methods:
(1) Traffic-based webshell analysis engine
Traffic-based detection is easy to deploy: the original request and response data are analyzed directly from a traffic mirror. Behavior analysis of the payload not only detects known webshells but also identifies unknown and heavily disguised ones. The webshell's access characteristics (IP/UA/Cookie), payload characteristics, path characteristics, time characteristics, etc. are correlated, with time as the index, to restore the attack event.
(2) File-based webshell analysis engine
Check whether the file contains webshell features, such as commonly used functions. Check whether it is encrypted or obfuscated to help decide whether it is a webshell. File hash detection: build a hash library of webshell samples and compare suspicious files against it. Check the file creation time, modification time, file permissions, etc. to confirm whether it is a webshell. Sandbox technology: run the script in a sandbox for the dynamic language and judge by its behavior characteristics at runtime.
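The following is an added example (not code from the original page or from any vendor's engine) of the static, file-based checks just listed: a search for commonly abused function names, an obfuscation check (decoder helpers, variable function calls, long encoded blobs, byte entropy), a hash comparison against a sample library, and a filesystem-metadata check. The function names, weights, thresholds, sample file contents and the one-entry hash library are all constructed assumptions for the demonstration; a real deployment would load its indicator lists and hash library from a maintained source and calibrate the weights on its own corpus.

```python
import hashlib
import math
import re
import stat

# Function names whose presence in a script is a common webshell indicator.
# Widely documented indicator names; constructed list, not exhaustive.
SUSPICIOUS_CALLS = {
    "eval", "assert", "system", "exec", "shell_exec", "passthru",
    "popen", "proc_open", "create_function",
}
# Decoders typically chained to hide the real payload (obfuscation).
OBFUSCATION_HELPERS = {"base64_decode", "gzinflate", "gzuncompress", "str_rot13"}

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")          # name(
DYNAMIC_CALL_RE = re.compile(r"\$\w+\s*\(")              # $var( : variable function call
USER_INPUT_RE = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")
BASE64_BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{60,}")      # long encoded string literal


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8); encoded or compressed payloads score high."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def analyze_file(data: bytes, known_hashes: set) -> dict:
    """Collect the static indicators for one file's content."""
    text = data.decode("utf-8", errors="replace")
    calls = set(CALL_RE.findall(text))
    return {
        "hash_match": sha256_hex(data) in known_hashes,
        "suspicious_calls": sorted(calls & SUSPICIOUS_CALLS),
        "decoders": sorted(calls & OBFUSCATION_HELPERS),
        "dynamic_call": bool(DYNAMIC_CALL_RE.search(text)),
        "user_input": bool(USER_INPUT_RE.search(text)),
        "base64_blobs": len(BASE64_BLOB_RE.findall(text)),
        "entropy": round(shannon_entropy(data), 2),
    }


def verdict(ind: dict) -> str:
    """Weighted score over the indicators; the weights are a constructed starting point."""
    if ind["hash_match"]:
        return "known-webshell"
    score = 2 * len(ind["suspicious_calls"]) + len(ind["decoders"])
    score += 2 if ind["dynamic_call"] else 0
    # A dangerous call fed straight from request parameters is the classic one-liner shape.
    if ind["user_input"] and (ind["suspicious_calls"] or ind["dynamic_call"]):
        score += 2
    score += 1 if ind["base64_blobs"] else 0
    score += 1 if ind["entropy"] > 5.5 else 0
    if score >= 4:
        return "likely-webshell"
    if score >= 2:
        return "suspicious"
    return "clean"


def metadata_flags(st_mode: int, mtime: float, last_deploy: float) -> list:
    """Metadata checks: file changed after the last known deployment, or world-writable."""
    flags = []
    if mtime > last_deploy:
        flags.append("modified-after-deploy")
    if st_mode & stat.S_IWOTH:
        flags.append("world-writable")
    return flags


# Constructed sample contents for the demonstration (not files from any real server).
CLEAN_PHP = b"<?php echo htmlspecialchars($_GET['name'] ?? 'guest'); ?>"
ONE_LINER = b"<?php @eval($_POST['cmd']); ?>"
OBFUSCATED = b"<?php $f = base64_decode('cGhwaW5mbw=='); $f($_REQUEST['c']); ?>"
# Constructed hash library holding a single sample.
SAMPLE_LIBRARY = {sha256_hex(ONE_LINER)}

if __name__ == "__main__":
    for name, content in [("clean", CLEAN_PHP), ("one-liner", ONE_LINER), ("obfuscated", OBFUSCATED)]:
        ind = analyze_file(content, SAMPLE_LIBRARY)
        print(f"{name:10s} {verdict(ind):16s} {ind}")
```

The scoring deliberately treats a variable function call combined with request input as strongly as a named dangerous call, because renaming the call through a decoded string is the simplest way around a pure function-name blacklist; the hash comparison short-circuits everything else, which is why a hash library only ever catches samples already seen.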
(3) Webshell analysis engine based on log
Supports many common log formats. Modeling the website's access behavior can effectively identify webshell uploads and other behaviors; by analyzing the logs comprehensively, the entire attack process can be traced back.
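As an added example (not code from the original page), the script below applies the access-behavior modeling described in this section, and the IP/UA/path/time correlation described under the traffic-based engine, to a few constructed Combined Log Format lines: it flags script paths that only one client ever requests while the site has several, that receive POSTs with no referer, that are driven by a non-browser user agent, and whose first request follows a successful upload by the same client within a short window. The upload endpoint name, the time window, the reason thresholds and the log lines (RFC 5737 documentation addresses) are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption: the application's legitimate upload endpoints, and how long after an
# upload a first request to a new script path is still considered related to it.
UPLOAD_PATHS = {"/upload.php"}
UPLOAD_WINDOW = timedelta(minutes=5)


def parse_line(line: str):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"] = e["path"].split("?", 1)[0]  # drop the query string
    return e


def analyze_log(lines, min_reasons: int = 2) -> dict:
    """Return {path: [reasons]} for paths whose access pattern looks like a webshell."""
    entries = [e for e in map(parse_line, lines) if e]
    entries.sort(key=lambda e: e["time"])
    all_clients = {e["ip"] for e in entries}

    uploads = defaultdict(list)   # client ip -> times of successful upload POSTs
    by_path = defaultdict(list)   # path -> hits in time order
    for e in entries:
        if e["path"] in UPLOAD_PATHS and e["method"] == "POST" and e["status"] == "200":
            uploads[e["ip"]].append(e["time"])
        by_path[e["path"]].append(e)

    findings = {}
    for path, hits in by_path.items():
        if path in UPLOAD_PATHS:
            continue
        reasons = []
        clients = {h["ip"] for h in hits}
        # A page the site's users never visit, but one client keeps hitting.
        if len(clients) == 1 and len(all_clients) >= 3:
            reasons.append("single-client")
        # Browsers submitting a form send a referer; command POSTs from a client tool do not.
        if any(h["method"] == "POST" and h["referer"] in ("", "-") for h in hits):
            reasons.append("post-without-referer")
        # Every request to the path came from something that is not a browser.
        if all(not h["ua"].startswith("Mozilla") for h in hits):
            reasons.append("non-browser-agent")
        # The first request to the path came from a client that had just uploaded a file.
        first = hits[0]
        if any(timedelta(0) <= first["time"] - t <= UPLOAD_WINDOW for t in uploads[first["ip"]]):
            reasons.append("first-access-after-upload")
        if len(reasons) >= min_reasons:
            findings[path] = reasons
    return findings


# Constructed sample log (documentation IP ranges); not captured from a real server.
SAMPLE_LOG_LINES = """\
198.51.100.7 - - [10/Oct/2023:09:58:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2023:09:58:10 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2023:09:58:15 +0000] "GET /login.php HTTP/1.1" 200 1802 "http://example.test/index.php" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:09:58:20 +0000] "GET /login.php HTTP/1.1" 200 1802 "http://example.test/index.php" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:09:58:30 +0000] "POST /login.php HTTP/1.1" 302 0 "http://example.test/login.php" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:09:59:00 +0000] "POST /upload.php HTTP/1.1" 200 310 "http://example.test/profile.php" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:10:00:00 +0000] "POST /upload.php HTTP/1.1" 200 310 "http://example.test/profile.php" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:10:00:30 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
10.0.0.9 - - [10/Oct/2023:10:01:00 +0000] "POST /uploads/avatar.php?a=1 HTTP/1.1" 200 9801 "-" "python-requests/2.31"
""".strip().splitlines()

if __name__ == "__main__":
    for path, reasons in analyze_log(SAMPLE_LOG_LINES).items():
        print(path, "->", ", ".join(reasons))
```

Each reason on its own is weak (a rarely used admin page is also "single-client"), which is why the verdict requires several to coincide; the upload correlation is the one that turns a list of odd paths into the start of an attack timeline, and it is also the signal the text notes is missing when only the file sample, and not the log, is available.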
Among the three detection methods, file-based detection often has a relatively high deployment cost for obtaining samples, and the samples alone cannot show the entire attack process. Log-based detection misses the behavioral information that is never written to the log. Generally speaking, traffic carries the most information, so the entire attack process can be restored most completely from traffic.