WebShell detection is an important part of offensive and defensive confrontation, and it is a required course for security personnel. How to quickly detect whether Web Server has been controlled by WebShell is very important to website security. The following is a typical
WebShell detection idea:
Keyword check
Keyword matching is the most common detection method. For example, the eval function name in WebShell is a very dangerous keyword. It mainly depends on the size and strength of the WebShell signature database of the inspector. At the same time, feature matching itself also has the problem of false positives and false negatives.
File status comparison
A file added or modified on the Web Server must be discovered through technical means. At present, there are similar security products that regularly scan for changes in files on the server, and even compare the current and historical MD5 values of each file to quickly locate suspicious files.
Run feature detection
The WebShell deployed on the server is ultimately to be accessed. Identifying WebShell can be judged from some abnormal request behaviors, for example: continuous script file requests without obvious business parameters during non-working hours.
Audit code logic
Checking the code running logic through manual or software means is usually called white box detection. The logic of rigorously reviewing the code can accurately discover WebShell, but the current situation is that the manual method is very inefficient, and the tool detection is serious.
WebShell detection evasion
Of course, in order to circumvent various detection methods, the industry also has many typical detection circumvention measures. The following measures can reduce the probability of WebShell being detected to a certain extent.
Mainstream method
Character confusion OR variable generation keywords
In order to circumvent key detection, function keywords can be generated through some combination of variables.
File contains
Splitting the WebShell file into two or more files and loading the main file through include is a common way to avoid detection. The most typical is to write the WebShell function code to the JPG file, and then include it in the script file.
<?php include "images/logo.jpg"; ?>
Whimsy
Invisible file name: full-width Chinese spaces are used as the file name, the real code is in the file with the invisible file name, for example:
<?php include " "; ?>
Hidden directory: virtual directory, NTFS data stream
If an attacker can manipulate the Web Server configuration file, he can place the WebShell file in a non-website directory, thereby bypassing the file check. You can also use the Windows NTFS data stream feature to create magical WebShell files, such as:
<?php include "./test.php:.txt"; ?>
Among them, the file ./test.php:.txt cannot be seen in the Explorer, and the size under the command line is 0.
Use HTTP: Data is transmitted through HTTP HEAD or Cookie
Most of the data interaction of WebShell is completed in the Body section of the HTTP protocol. If the command is placed in the HTTP HEAD, the inspection by various interception tools can be bypassed.
With the help of the database: store the key code of the shell in the database
The code is stored in the database, and WebShell will be more hidden. This also brings a huge challenge to the killing.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
