Webshell - Detection Method based on Traffic

Source: Internet
Author: User
Keywords: webshell, webshell attack, webshell php
1. Overview

   I have been following the security analysis of webshells for some time, and here I share the experience gathered during that period.

   Webshell detection is generally done in one of three ways:

   Traffic-based: analyzing the network traffic between the client and the web server

   Agent-based: running an agent on the host, which essentially means analyzing the webshell files directly

   Log-based: analyzing the web server's access logs

   My classification of webshells is summarized as follows:


2. Thoughts on traffic-based webshell detection

   After studying the agent-based and log-based approaches, I considered implementing webshell analysis and detection on network traffic instead. The agent and log-analysis models are expensive to deploy: compatibility, performance and security issues all have to be addressed. Traffic-based detection lowers both the cost and the deployment difficulty considerably.

To detect webshells from network traffic, the traffic must first be reassembled into readable requests and responses. Mature frameworks already exist for this, so it is not covered here. Instead, we focus on two points: the payload characteristics in the traffic when a webshell is uploaded to the server, and the characteristics when the webshell is subsequently accessed. Both can be used to detect the webshell.

3. Payload during upload

Normal websites usually allow certain "harmless" files to be uploaded when needed, but do not allow script files such as PHP, ASP or JSP to be uploaded, and a webshell is exactly such a script file that the server will parse and execute. Although the upload itself carries no attack payload, uploading a file to the server still produces upload-related characteristics in the traffic. Below we discuss the two common forms in which a webshell is uploaded: the "big horse" (大马, a full-featured webshell) and the "small horse" (小马, a minimal shell whose job is to upload other files).

  3.1 Direct upload of the webshell

   In this method the webshell file is uploaded to the server directly by POST, possibly after a simple transformation. A request of this kind appears in the server log as follows:

  2009-02-10 06:32:58 W3SVC77065997 8.8.8.8 POST /lesson_manage/upload/40/ASP.asp – 80 – 118.122.124.103 Mozilla/4.0+compatible;+MSIE+6.0; 200 0 0

   From this log line the following key features can be extracted: the method POST, a path containing "upload", the script filename ASP.asp, and the status code 200. Taken together, these features identify ASP.asp as a suspected webshell file.
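As an added example (not code from the original article), the following Python scanner applies those four features to IIS W3C-format log lines. The field layout, the "upload" path pattern, the extension list and the benign sample lines are assumptions; the first sample line is the one quoted above.

```python
import re
from dataclasses import dataclass

# Assumed field order of the IIS W3C log line quoted in the article:
# date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
FIELDS = ["date", "time", "sitename", "server_ip", "method", "uri_stem",
          "uri_query", "port", "username", "client_ip", "user_agent",
          "status", "substatus", "win32_status"]

# Script extensions the server would execute (assumed list for the example)
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|asp|aspx|asa|jsp|jspx)$", re.IGNORECASE)
# Path component that marks an upload directory (assumed pattern)
UPLOAD_PATH = re.compile(r"/upload", re.IGNORECASE)

# Constructed sample log: the article's line plus three benign-looking lines
SAMPLE_LOG = [
    "2009-02-10 06:32:58 W3SVC77065997 8.8.8.8 POST /lesson_manage/upload/40/ASP.asp – 80 – 118.122.124.103 Mozilla/4.0+compatible;+MSIE+6.0; 200 0 0",
    "2009-02-10 06:33:01 W3SVC77065997 8.8.8.8 GET /index.asp - 80 - 10.0.0.5 Mozilla/4.0+compatible;+MSIE+6.0; 200 0 0",
    "2009-02-10 06:33:10 W3SVC77065997 8.8.8.8 POST /lesson_manage/upload/40/photo.jpg - 80 - 10.0.0.6 Mozilla/4.0+compatible;+MSIE+6.0; 200 0 0",
    "2009-02-10 06:33:15 W3SVC77065997 8.8.8.8 POST /lesson_manage/upload/40/x.php - 80 - 10.0.0.7 Mozilla/4.0+compatible;+MSIE+6.0; 404 0 0",
]


@dataclass
class Finding:
    client_ip: str
    uri: str
    reason: str


def parse_line(line):
    """Split one W3C log line into a dict; returns None for headers or malformed lines."""
    if line.startswith("#"):
        return None  # "#Fields:" and other directive lines
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # IIS writes "-" for empty fields; copied logs sometimes carry an en dash instead
    for key, value in rec.items():
        if value in ("-", "\u2013"):
            rec[key] = ""
    return rec


def check_record(rec):
    """Apply the article's four features; return a Finding when all of them hold."""
    if rec is None:
        return None
    is_post = rec["method"] == "POST"
    script_ext = SCRIPT_EXT.search(rec["uri_stem"]) is not None
    upload_dir = UPLOAD_PATH.search(rec["uri_stem"]) is not None
    success = rec["status"] == "200"
    if is_post and script_ext and upload_dir and success:
        return Finding(rec["client_ip"], rec["uri_stem"],
                       "POST to an upload path with a script extension, status 200")
    return None


def scan(lines):
    """Return the findings for a list of log lines."""
    return [f for f in (check_record(parse_line(ln)) for ln in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.client_ip} {finding.uri}: {finding.reason}")
```

Only the article's line is reported: the GET is excluded by method, the JPEG by extension and the .php upload by its 404 status. In practice the status check is the weakest of the four, since a server may answer 200 to a request that it then rejects at the application layer.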

  3.2 Upload through a small horse or a one-line webshell

When the webshell cannot be uploaded directly, the intruder usually first uploads a "small horse" to help upload the "big horse", or uploads a one-line webshell (一句话木马) and controls the server with a matching client tool. How the small horse or the one-line webshell gets onto the server is not discussed here; we only discuss how the "small horse" is used to upload the "big horse".

  The distinguishing feature of this method is that the webshell does not travel through the traffic as an uploaded file but as the value of a request parameter, so the request may be either GET or POST.
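As an added example that is not part of the original article, the following Python code inspects a reassembled HTTP request and reports any GET or POST parameter whose value contains server-side script markers, which is the traffic feature this section points at. The two sample requests, the host name and the marker list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers of server-side script source inside a parameter value (assumed list):
# PHP/ASP/JSP open tags and a few execution functions, which must be followed
# by "(" so that ordinary words such as "system design" are not flagged.
SCRIPT_MARKERS = re.compile(
    r"<\?php|<\?=|<%@?|<jsp:|\b(?:eval|assert|system|passthru|shell_exec|execute)\s*\(",
    re.IGNORECASE,
)

# Constructed sample: script source carried in a GET query parameter
GET_REQ = (
    "GET /edit.php?file=notes.txt&content=%3C%3Fphp+echo+%22hi%22%3B+%3F%3E HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "\r\n"
)

# Constructed sample: a benign form POST that mentions "system" without a call
POST_REQ = (
    "POST /comment.php HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "name=alice&body=I+agree+with+the+system+design"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def extract_params(method, target, headers, body):
    """Collect parameters from the query string and, for form POSTs, the body."""
    params = {}
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return params


def find_script_params(raw):
    """Return (method, parameter name, matched marker) for every suspicious value."""
    method, target, headers, body = parse_request(raw)
    hits = []
    for name, values in extract_params(method, target, headers, body).items():
        for value in values:
            match = SCRIPT_MARKERS.search(value)
            if match:
                hits.append((method, name, match.group(0)))
    return hits


if __name__ == "__main__":
    for req in (GET_REQ, POST_REQ):
        print(find_script_params(req))
```

The check runs on the decoded parameter value, so URL encoding alone does not hide the open tag; it says nothing about multipart uploads, which are the case covered in 3.1 and need the file part inspected instead.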