Having looked at detection under the two models above, the next step is to do Webshell analysis and detection on network traffic. The cost of deploying the Agent model and the log-analysis model is simply too high: besides compatibility problems, both raise performance and security concerns. Traffic-based detection cuts both the cost and the deployment difficulty considerably.
To detect Webshells from network traffic, the traffic first has to be reassembled, that is, the HTTP requests and responses restored from the packet stream into a readable form. Several mature frameworks on the market can do this, so it is not covered further here. The discussion below focuses on how a Webshell is uploaded to the server and on the payload characteristics of Webshell access in the traffic, which are what the detection is built on.
3. Payload during upload
Normal websites usually allow certain "harmless" files to be uploaded when needed, but do not allow script files such as PHP, ASP or JSP to be uploaded, and a Webshell exists precisely as such a script file that the server parses. Although no attack payload is sent during the upload itself, uploading the file to the server still produces upload-related payloads in the traffic. Below we discuss the two common forms of Webshell upload: uploading a "big horse" (大马, a full-featured Webshell) and uploading a "small horse" (小马, a minimal script whose job is to write the big horse to disk).
3.1 Upload directly to Webshell
In this method the Webshell file is uploaded to the server directly with a POST request, either as-is or after a simple transformation, and the request looks like this:
From the log above, the key features that can be picked out are: POST, upload, ASP.asp, 200. Taken together, these features allow ASP.asp to be identified as a suspected Webshell file.
3.2 Uploading a one-liner Webshell
When the Webshell cannot be uploaded directly, the intruder usually uploads a "small horse" to help upload the "big horse", or uploads a one-liner Webshell (一句话木马) and controls the server with a client tool. How the "small horse" or the one-liner Webshell itself gets onto the server is not discussed here; we only discuss how the "small horse" is used to upload the "big horse".
What is special about this method is that what travels in the traffic is not a file but a parameter: the file name and the Webshell content are carried as parameter values, so the request may be either GET or POST.
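Added example (not code from the original article): detection logic that applies the features described in 3.1 and 3.2 to reassembled HTTP requests. It flags a multipart upload whose file name carries a script extension (the direct "big horse" upload), and a GET or POST parameter that either names a script file or carries script source (the "small horse" writing the big horse). The sample requests are constructed for this example; the extension list, the script-marker patterns and the hypothetical paths such as /upload.asp and /images/up.asp are assumptions, not taken from any real capture.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed extension list: the article names PHP, ASP and JSP; the variants are
# this example's own assumption.
SCRIPT_EXTS = {".php", ".php3", ".php5", ".phtml", ".asp", ".aspx", ".asa",
               ".cer", ".cdx", ".jsp", ".jspx"}

# Assumed markers of script source inside a parameter value or an upload body.
SCRIPT_MARKERS = re.compile(
    rb"<\?php|<\?=|<%|\beval\s*\(|\bassert\s*\(|Runtime\.getRuntime|\bexecute\s*\(",
    re.IGNORECASE)


def has_script_ext(name: str) -> bool:
    """True if any dotted segment of the basename is a script extension
    (so shell.php.jpg is caught as well as shell.php)."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    return any("." + seg in SCRIPT_EXTS for seg in base.split(".")[1:])


def parse_request(raw: bytes):
    """Split a reassembled HTTP request into method, target, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body


def multipart_parts(body: bytes, content_type: str):
    """Yield (field name, filename or None, data) for each multipart part."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return
    delim = b"--" + m.group(1).encode("latin-1")
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):      # closing delimiter reached
            break
        phead, _, data = chunk.strip(b"\r\n").partition(b"\r\n\r\n")
        disp = phead.decode("latin-1")
        field = re.search(r'\bname="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        yield (field.group(1) if field else "",
               fname.group(1) if fname else None, data)


def inspect_request(raw: bytes, response_status=None):
    """Return (kind, detail) findings for one request.

    direct_upload       multipart file whose name has a script extension (3.1)
    upload_body_script  multipart part body containing script markers
    param_filename      GET/POST parameter naming a script file (3.2)
    param_script        GET/POST parameter carrying script source (3.2)
    """
    method, target, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    findings = []

    if ctype.startswith("multipart/form-data"):
        for field, fname, data in multipart_parts(body, ctype):
            if fname and has_script_ext(fname):
                findings.append(("direct_upload", f"{method} {fname!r} in field {field!r}"))
            if SCRIPT_MARKERS.search(data):
                findings.append(("upload_body_script", f"field {field!r}"))

    # Parameters travel in the query string (GET) or a urlencoded body (POST).
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if ctype.startswith("application/x-www-form-urlencoded"):
        for k, vals in parse_qs(body.decode("latin-1"), keep_blank_values=True).items():
            params.setdefault(k, []).extend(vals)
    for k, vals in params.items():
        for v in vals:
            if len(v) < 256 and not re.search(r"\s", v) and has_script_ext(v):
                findings.append(("param_filename", f"{method} {k}={v!r}"))
            if SCRIPT_MARKERS.search(v.encode("latin-1", "replace")):
                findings.append(("param_script", f"{method} {k}"))

    # The article pairs the request features with a 200 response; anything
    # else suggests the upload was rejected.
    if findings and response_status is not None and response_status != 200:
        findings.append(("response", f"status {response_status}, upload may have failed"))
    return findings


# Constructed sample traffic (not real captures).
DIRECT_UPLOAD = (b"POST /upload.asp HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Content-Type: multipart/form-data; boundary=----XBound\r\n\r\n"
                 b"------XBound\r\nContent-Disposition: form-data; name=\"file\"; "
                 b"filename=\"ASP.asp\"\r\nContent-Type: application/octet-stream\r\n\r\n"
                 b"<%eval request(\"cmd\")%>\r\n------XBound--\r\n")
BENIGN_UPLOAD = (b"POST /upload.asp HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Content-Type: multipart/form-data; boundary=----XBound\r\n\r\n"
                 b"------XBound\r\nContent-Disposition: form-data; name=\"file\"; "
                 b"filename=\"photo.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n"
                 b"\xff\xd8\xff\xe0\x00\x10JFIF\r\n------XBound--\r\n")
SMALL_HORSE_POST = (b"POST /images/up.asp HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                    b"path=..%2Fshell.asp&content=%3C%25eval+request%28%22cmd%22%29%25%3E")
SMALL_HORSE_GET = (b"GET /up.php?f=x.php&c=%3C%3Fphp+eval%28%24_POST%5Bx%5D%29%3B%3F%3E "
                   b"HTTP/1.1\r\nHost: www.example.com\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("direct", DIRECT_UPLOAD), ("benign", BENIGN_UPLOAD),
                       ("small horse POST", SMALL_HORSE_POST), ("small horse GET", SMALL_HORSE_GET)]:
        print(label, inspect_request(req, response_status=200))
```

The two checks deliberately look at different places: the direct upload is recognised from the multipart file name and body, the small-horse upload from parameter values that would otherwise look like ordinary form data. In production the same functions would be fed by the traffic-reassembly layer mentioned above rather than by the inline samples.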