In this installment of the series, we continue discussing methods for detecting Webshells.
Detection techniques
There are currently many ways to detect Webshells, based on HTTP traffic, web access logs, file characteristics and so on. It is recommended that the responsible staff choose the appropriate method according to the actual situation of the business when performing Webshell detection and disposal in daily operation and maintenance, attack-and-defense drills, and similar work.
This article mainly introduces three host-oriented, file-based detection methods and tools (the tools listed here are intended to illustrate the detection methods; select and use them according to your actual situation).
File feature-based detection
File feature detection determines whether a file is a known Webshell by matching characteristic values such as Webshell variable names and dangerous function names.
Advantages: easy to deploy (a single script is enough), high accuracy, strong extensibility, and you can add rules yourself.
Disadvantage: if an attacker modifies the characteristic values of a file, the detection is likely to be bypassed.
Tool introduction: searching the Internet for Webshell inspection turns up many detection tools based on file characteristics, but most of them have problems such as not being cross-platform, not allowing custom rules, not being open source, and generally low reliability. Administrators should use them with caution.
File hash-based detection
By comparing the web directory that may have been attacked on the production system with a known-good copy of the web directory (for example, one exported from SVN), you can identify files that differ; checking the newly added and modified files in that set then reveals Webshells the attacker has uploaded.
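An added example of this baseline comparison, not a tool from the original article: it hashes every file under a known-good export and under the live web root, then reports added, modified and removed files. The directory names and file contents are constructed inline for the demo; in practice the baseline would be the directory exported from version control.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): hash_file(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file()
    }


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare the known-good manifest (e.g. the SVN export) with the live web root.

    'added' and 'modified' are the files to inspect for uploaded Webshells;
    'removed' is reported too, since tampering can also delete or rename files.
    """
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a clean export beside a web root with one altered and one new file."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):  # identical starting point for both trees
            Path(root, "index.php").write_text("<?php echo 'hello'; ?>")
            Path(root, "inc").mkdir()
            Path(root, "inc", "db.php").write_text("<?php $dsn = 'mysql:host=db'; ?>")
        # constructed tampering on the live side: one edited file, one unexpected new file
        Path(live, "inc", "db.php").write_text("<?php $dsn = 'mysql:host=db'; /* changed */ ?>")
        Path(live, "uploads").mkdir()
        Path(live, "uploads", "avatar.php").write_text("<?php /* constructed: absent from baseline */ ?>")
        return diff_manifests(build_manifest(clean), build_manifest(live))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```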
File behavior-based detection
Most normal web applications rarely invoke system management commands such as ipconfig and netstat, whereas a Webshell frequently triggers exactly such calls. By collecting the process and system-call logs of the web application server and monitoring the processes it spawns, such abnormal behavior can be identified and the Webshells on the web server traced back from it.