CN103905422B - Method and system for searching for webshell with assistance of local simulation request - Google Patents

Info

Publication number
CN103905422B
Authority
CN
China
Prior art keywords
webshell
web page
page files
returned data
files
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310691213.9A
Other languages
Chinese (zh)
Other versions
CN103905422A (en)
Inventor
刘佳男
白淳升
李柏松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Antiy Technology Group Co Ltd
Original Assignee
Harbin Antiy Technology Co Ltd

Landscapes

  • Information Transfer Between Computers (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and system for finding webshells with the aid of local simulated requests. The method first reads the configuration file of the web server to obtain information about the web server, comprising the number of websites and their paths, domain names or port numbers; it then traverses all files under the websites in turn, screens out the web page files and stores their path information; according to that path information it accesses the web page files in turn with local simulated requests to obtain returned data; finally it performs signature scanning on the returned data and generates a detection result from the scanning results. The method can also detect encrypted webshells.

Description

Method and system for finding webshells with the aid of simulated requests
Technical field
The present invention relates to the field of information security technology, and in particular to a method and system for finding webshells with the aid of simulated requests.
Background
A webshell is a command execution environment that exists in the form of a web page file such as an asp, php, jsp or cgi script; it can also be called a web page backdoor. After breaking into a website, an intruder often places a webshell backdoor file in the web directory of the web server, where it is mixed in with the normal web page files under that directory and is hard to find. The intruder then accesses the webshell over the web and obtains a command execution environment with which to control the website or the web server; the operations available include uploading and downloading files, viewing the database, and running arbitrary program commands. In a web intrusion the webshell serves as a script-based attack tool.
There are many ways for an intruder to deploy a webshell backdoor, for example uploading it directly, covertly adding to or modifying the permitted upload types, using the backend management functions of the web system, using the backup, restore and query functions of the database, and various other methods. Once deployment succeeds, the intruder can operate on the web server through the website's port, within the limits of the privileges of the web service.
Because the data exchanged between a webshell and the compromised web server or a remote host is transmitted over port 80, it is not blocked by the firewall. Using a webshell normally leaves no record in the system log; it leaves only some request records in the web server's own log, and an inexperienced administrator has difficulty spotting traces of the intrusion.
At present most webshell file code is encrypted, which lets it bypass detection by web application firewalls and anti-virus software. With large numbers of vulnerabilities continuously made public, with mature multi-engine scanning and detection services (such as VirusTotal multi-engine scanning) making it easy to craft webshells that evade detection, with improving encryption techniques, and with various techniques for bypassing anti-virus monitoring systems being published, webshell detection faces a severe situation. Traditional detection methods can only detect webshells that use a limited set of encryption schemes; an attacker can evade detection with any number of custom encryption schemes.
Summary of the invention
In view of the above technical problem, the invention provides a method and system for finding webshells with the aid of simulated requests. The method accesses all web page files through locally simulated requests, obtains the returned data, and performs signature detection on the returned data in order to recognize webshell pages; encrypted webshell pages can be recognized just as effectively.
The invention adopts the following method: a method for finding webshells with the aid of simulated requests, comprising:
reading the web server configuration file to obtain web server information, the information including the number of websites and their paths, domain names or port numbers;
traversing all files under each website in turn, filtering out the web page files, and saving the path information of the web page files;
according to the path information, accessing the web page files in turn with locally simulated requests to obtain returned data;
performing signature scanning on the returned data and generating a detection report according to the scanning result.
Further, the web page files include web page files in asp, php, jsp or cgi form.
Further, the signatures used for the signature scanning of the returned data are obtained as follows: the data returned by a webshell is obtained and plaintext fields of the webshell are extracted as signatures.
Further, the signatures used for the signature scanning of the returned data are obtained as follows: for a webshell with a login password, key fields are extracted as signatures.
The invention is realized with the following system: a system for finding webshells with the aid of simulated requests, comprising:
an information acquisition module, for reading the web server configuration file and obtaining web server information, the information including the number of websites and their paths, domain names or port numbers;
a page path acquisition module, for traversing all files under each website in turn, filtering out the web page files, and saving the path information of the web page files;
a request simulation module, for accessing the web page files in turn with locally simulated requests according to the path information, and obtaining returned data;
a signature scanning module, for performing signature scanning on the returned data and generating a detection report according to the scanning result.
Further, the web page files include web page files in asp, php, jsp or cgi form.
Further, the signatures used for the signature scanning of the returned data are obtained as follows: the data returned by a webshell is obtained and plaintext fields of the webshell are extracted as signatures.
Further, the signatures used for the signature scanning of the returned data are obtained as follows: for a webshell with a login password, key fields are extracted as signatures.
In summary, the invention provides a method and system for finding webshells with the aid of simulated requests. The method and system mainly obtain the path information of all web page files under the web server, issue simulated requests using that path information so as to access those web page files, and perform detection on the plaintext data that is returned. The signatures used for detection are obtained by extracting plaintext fields from the data returned by known webshells, or, for webshell pages with a login password, by extracting their key fields. The above technical solution effectively overcomes the defect that existing schemes cannot effectively recognize encrypted webshells.
Description of the drawings
In order to explain the technical solution of the invention more clearly, the drawings needed for the embodiments are briefly introduced below. Obviously, the drawings described below are only some of the embodiments described in the invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is the flow chart of the method for finding webshells with the aid of simulated requests provided by the invention;
Fig. 2 is the structural diagram of the system for finding webshells with the aid of simulated requests provided by the invention.
Detailed description
The invention provides a method and system for finding webshells with the aid of simulated requests. So that persons skilled in the art can better understand the technical solution of the embodiments of the invention, and so that the above objects, features and advantages of the invention become clearer and easier to understand, the technical solution of the invention is described in further detail below with reference to the drawings.
The invention first provides a method for finding webshells with the aid of simulated requests which, as shown in Fig. 1, comprises:
S101: read the web server configuration file and obtain web server information, the information including the number of websites and their paths, domain names or port numbers; for example baidu.com:81, baiduba.com:8080, and so on.
The web server configuration file can be located by traversing the registry for the keys of web servers such as IIS and Apache, finding the installation path from the key's contents, and then reading the web server configuration file from the installation path; from it the site paths, the number of sites, domain names, port numbers and similar information are obtained.
For example, the default Apache server configuration file /etc/apache2/httpd.conf is parsed for the website IP address, port, website root directory and similar information.
S102: traverse all files under each website in turn, filter out the web page files, and save the path information of the web page files.
S103: according to the path information, access the web page files in turn with locally simulated requests and obtain the returned data.
S104: perform signature scanning on the returned data and generate a detection report according to the scanning result.
Preferably, the web page files include web page files in asp, php, jsp or cgi form.
Preferably, the signatures used for the signature scanning of the returned data are obtained as follows: the data returned by a webshell is obtained and plaintext fields of the webshell are extracted as signatures. The plaintext fields include strings such as File Manager, CMD, SHELL, Process, and the Chinese strings for file management, scanning and system information.
Preferably, the signatures used for the signature scanning of the returned data are obtained as follows: for a webshell with a login password, key fields are extracted as signatures.
The key fields include password-type text controls such as <input name="passtext", type="password" and id="passtext", and hidden fields such as <input type="hidden" name="__VIEWSTATE".
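Steps S101 to S104 as one runnable program. This is an added illustration, not code from the patent or from its assignee. It assumes an Apache-style configuration with Listen and <VirtualHost> directives (the registry lookup for IIS installations described above is not implemented), a request to the loopback address that carries the site name in the Host header, and the signature strings listed on the page; the Chinese marker strings, the .aspx extension, the ASP.NET `__VIEWSTATE` handling and the function names are all assumptions. The configuration text, the site files and the canned server responses inside demo() are constructed so that the example runs offline; http_fetch is what a real run would pass in their place.

```python
import codecs
import os
import re
import tempfile
import urllib.request
from typing import Callable, Dict, List, Tuple

# S101: site list from the Apache configuration. Only the global Listen directive and the
# ServerName/DocumentRoot directives inside <VirtualHost> blocks are parsed (no Include, no IPv6).
VHOST_OPEN = re.compile(r"<VirtualHost\s+[^:\s>]+(?::(\d+))?\s*>", re.I)

def parse_apache_config(text: str) -> List[Dict[str, str]]:
    sites, cur, listen = [], None, "80"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m, parts = VHOST_OPEN.match(line), line.split(None, 1)
        if m:
            cur = {"host": "localhost", "port": m.group(1) or listen}
        elif line.lower() == "</virtualhost>":
            if cur and "root" in cur:
                sites.append(cur)
            cur = None
        elif len(parts) == 2:
            key, val = parts[0].lower(), parts[1].strip('"')
            if key == "listen":                      # "Listen 8080" or "Listen 1.2.3.4:8080"
                listen = val.rsplit(":", 1)[-1]
            elif cur is not None and key == "servername":
                cur["host"] = val
            elif cur is not None and key == "documentroot":
                cur["root"] = val
    return sites

# S102: every script file below the site root, as a slash-separated path relative to the root.
PAGE_EXT = (".asp", ".aspx", ".php", ".jsp", ".cgi")   # .aspx added (assumed) for ASP.NET pages

def collect_pages(root: str) -> List[str]:
    pages = []
    for d, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(PAGE_EXT):
                pages.append(os.path.relpath(os.path.join(d, f), root).replace(os.sep, "/"))
    return sorted(pages)

# S103: the simulated request goes to the loopback interface on the site's port; the Host
# header selects the virtual host. Note that this executes every script it requests.
def local_url(site: Dict[str, str], page: str) -> str:
    return f"http://127.0.0.1:{site['port']}/{page}"

def http_fetch(url: str, host: str) -> str:
    req = urllib.request.Request(url, headers={"Host": host})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8", "replace")

# S104: the page's two signature classes. The Chinese strings are assumed equivalents of the
# page's "file management", "scanning" and "system information".
PLAINTEXT_MARKERS = ("File Manager", "CMD", "SHELL", "Process", "文件管理", "扫描", "系统信息")
PASSWORD_INPUT = re.compile(r"""<input\b[^>]*\b(?:type\s*=\s*["']?password|(?:name|id)\s*=\s*["']?passtext)""", re.I)
VIEWSTATE = re.compile(r"""<input\b[^>]*\bname\s*=\s*["']?__VIEWSTATE""", re.I)

def scan_response(body: str) -> List[str]:
    hits = []
    for m in PLAINTEXT_MARKERS:   # ASCII markers must stand alone ("Process" must not fire on "Processing")
        if re.search(rf"(?<!\w){re.escape(m)}(?!\w)", body) if m.isascii() else m in body:
            hits.append(m)
    if PASSWORD_INPUT.search(body):
        hits.append("password-form")
        if VIEWSTATE.search(body):   # present on every ASP.NET WebForms page, so only counted beside a password field
            hits.append("__VIEWSTATE")
    return hits

def find_webshells(config_text: str, fetch: Callable[[str, str], str] = http_fetch) -> List[Tuple[str, str, List[str]]]:
    report = []
    for site in parse_apache_config(config_text):
        for page in collect_pages(site["root"]):
            hits = scan_response(fetch(local_url(site, page), site["host"]))
            if hits:
                report.append((site["host"], page, hits))
    return report

def demo() -> Tuple[List[Tuple[str, str, List[str]]], List[str]]:
    """Constructed site on disk plus canned responses standing in for the running web server."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "upload"))
    shell_output = "<title>File Manager</title><a>CMD</a>"
    login_form = '<form><input type="hidden" name="__VIEWSTATE" value="x"/><input name="passtext" type="password" id="passtext"/></form>'
    files = {  # the shell's source is rot13-obfuscated, so no marker survives in the file itself
        "index.php": "<?php echo '<h1>Welcome</h1>'; ?>",
        "upload/cache.php": '<?php eval(str_rot13("' + codecs.encode(f"echo '{shell_output}';", "rot13") + '")); ?>',
        "login.aspx": "<%@ Page %>" + login_form,
    }
    for rel, src in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(src)
    config = f'Listen 8080\n<VirtualHost *:8080>\n  ServerName baiduba.com\n  DocumentRoot "{root}"\n</VirtualHost>\n'
    responses = {"/index.php": "<h1>Welcome</h1>", "/upload/cache.php": shell_output, "/login.aspx": login_form}
    canned_fetch = lambda url, host: responses[url.split(":8080", 1)[1]]   # constructed server output
    source_hits = scan_response(files["upload/cache.php"])   # what a source-level signature scan would see
    return find_webshells(config, canned_fetch), source_hits
```

demo() returns the report for the constructed site together with the result of scanning the obfuscated shell's source: the source scan finds nothing, while the rendered output of the same file matches File Manager and CMD, which is the point of the method. On a real host the call is find_webshells(open("/etc/apache2/httpd.conf").read()) with the default http_fetch. Two caveats for such a run: requesting every script executes every script, the webshell and any page with side effects included; and a one-line eval($_POST[...]) shell prints nothing on a parameterless request, so a rendered-output scan of this kind yields no signature for it.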
The invention also provides a system for finding webshells with the aid of simulated requests which, as shown in Fig. 2, comprises:
an information acquisition module 201, for reading the web server configuration file and obtaining web server information, the information including the number of websites and their paths, domain names or port numbers;
a page path acquisition module 202, for traversing all files under each website in turn, filtering out the web page files, and saving the path information of the web page files;
a request simulation module 203, for accessing the web page files in turn with locally simulated requests according to the path information, and obtaining returned data;
a signature scanning module 204, for performing signature scanning on the returned data and generating a detection report according to the scanning result.
Preferably, the web page files include web page files in asp, php, jsp or cgi form.
Preferably, the signatures used for the signature scanning of the returned data are obtained as follows: the data returned by a webshell is obtained and plaintext fields of the webshell are extracted as signatures.
Preferably, the signatures used for the signature scanning of the returned data are obtained as follows: for a webshell with a login password, key fields are extracted as signatures.
As described above, the invention gives specific embodiments of a method and system for finding webshells with the aid of simulated requests. The difference from conventional methods is that most current technical schemes cannot effectively recognize encrypted webshells. The technical solution given by the invention reads the web server configuration file to obtain information such as the number of websites and their paths, screens all files under the websites to find all web page files and obtain their paths, and, using the fact that accessing a web page file returns plaintext, accesses the web page files with simulated requests and performs signature scanning on the returned data. It can thereby effectively recognize webshell pages, solving the problem that existing webshells cannot be detected because they are encrypted or transformed.
The above embodiments illustrate and do not limit the technical solution of the invention. Any modification or partial replacement that does not depart from the spirit and scope of the invention shall fall within the scope of the claims.

Claims (4)

1. A method for finding webshells with the aid of simulated requests, characterized in that it comprises:
reading the web server configuration file to obtain web server information, the information including the number of websites and their paths, domain names or port numbers;
traversing all files under each website in turn, filtering out the web page files, and saving the path information of the web page files;
according to the path information, accessing the web page files in turn with locally simulated requests to obtain returned data;
performing signature scanning on the returned data and generating a detection report according to the scanning result;
wherein the signatures used for the signature scanning of the returned data are obtained as follows: the data returned by a webshell is obtained and plaintext fields of the webshell are extracted as signatures; or, for a webshell with a login password, key fields are extracted as signatures.
2. The method of claim 1, characterized in that the web page files include web page files in asp, php, jsp or cgi form.
3. A system for finding webshells with the aid of simulated requests, characterized in that it comprises:
an information acquisition module, for reading the web server configuration file and obtaining web server information, the information including the number of websites and their paths, domain names or port numbers;
a page path acquisition module, for traversing all files under each website in turn, filtering out the web page files, and saving the path information of the web page files;
a request simulation module, for accessing the web page files in turn with locally simulated requests according to the path information, and obtaining returned data;
a signature scanning module, for performing signature scanning on the returned data and generating a detection report according to the scanning result;
wherein the signatures used for the signature scanning of the returned data are obtained as follows: the data returned by a webshell is obtained and plaintext fields of the webshell are extracted as signatures; or, for a webshell with a login password, key fields are extracted as signatures.
4. The system of claim 3, characterized in that the web page files include web page files in asp, php, jsp or cgi form.
Application CN201310691213.9A, priority date 2013-12-17, filing date 2013-12-17: Method and system for searching for webshell with assistance of local simulation request. Status: Active. Publication: CN103905422B (en).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310691213.9A CN103905422B (en) 2013-12-17 2013-12-17 Method and system for searching for webshell with assistance of local simulation request

Publications (2)

Publication Number Publication Date
CN103905422A CN103905422A (en) 2014-07-02
CN103905422B true CN103905422B (en) 2017-04-26

Family

ID=50996576

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104331663B (en) * 2014-10-31 2017-09-01 北京奇虎科技有限公司 Web shell detection method and web server
CN105760379B (en) * 2014-12-16 2020-01-21 中国移动通信集团公司 Method and device for detecting webshell page based on intra-domain page association relation
CN107770133B (en) * 2016-08-19 2020-08-14 北京升鑫网络科技有限公司 Adaptive webshell detection method and system
CN106992981B (en) * 2017-03-31 2020-04-07 北京知道创宇信息技术股份有限公司 Website backdoor detection method and device and computing equipment
CN107493278B (en) * 2017-08-10 2020-09-08 杭州迪普科技股份有限公司 Access method and device for bidirectional encrypted webshell
CN107911433A (en) * 2017-12-21 2018-04-13 上海数烨数据科技有限公司 A kind of LAN cluster system access method based on WebShell
CN110909350B (en) * 2019-11-16 2022-02-11 杭州安恒信息技术股份有限公司 Method for remotely and accurately identifying WebShell backdoor
CN111163095B (en) * 2019-12-31 2022-08-30 奇安信科技集团股份有限公司 Network attack analysis method, network attack analysis device, computing device, and medium
CN113746784B (en) * 2020-05-29 2023-04-07 深信服科技股份有限公司 Data detection method, system and related equipment
CN111723378B (en) * 2020-06-17 2023-03-10 浙江网新恒天软件有限公司 Website directory blasting method based on website map

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101471818A (en) * 2007-12-24 2009-07-01 北京启明星辰信息技术股份有限公司 Detection method and system for malevolence injection script web page
CN101527660A (en) * 2009-04-03 2009-09-09 华为技术有限公司 Alarm method, associated equipment and system
CN101587527A (en) * 2009-07-08 2009-11-25 北京东方微点信息技术有限责任公司 Method and apparatus for scanning virus program
CN101599947A (en) * 2008-06-06 2009-12-09 盛大计算机(上海)有限公司 Trojan horse virus scanning method based on the WEB webpage
CN101808093A (en) * 2010-03-15 2010-08-18 北京安天电子设备有限公司 System and method for automatically detecting WEB security
CN103258163A (en) * 2013-05-15 2013-08-21 腾讯科技(深圳)有限公司 Script virus identifying method, script virus identifying device and script virus identifying system

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060294199A1 (en) * 2005-06-24 2006-12-28 The Zeppo Network, Inc. Systems and Methods for Providing A Foundational Web Platform
CN101350745B (en) * 2008-08-15 2011-08-03 北京启明星辰信息技术股份有限公司 Intrude detection method and device
CN101692267B (en) * 2009-09-15 2011-09-07 北京大学 Method and system for detecting large-scale malicious web pages
CN102254111B (en) * 2010-05-17 2015-09-30 北京知道创宇信息技术有限公司 Malicious site detection method and device
CN102104601B (en) * 2011-01-14 2013-06-12 无锡市同威科技有限公司 Web vulnerability scanning method and device based on infiltration technology
CN102088379B (en) * 2011-01-24 2013-03-13 国家计算机网络与信息安全管理中心 Detecting method and device of client honeypot webpage malicious code based on sandboxing technology
CN102158499B (en) * 2011-06-02 2013-09-18 国家计算机病毒应急处理中心 Trojan-embedded website detection method based on hyper text transfer protocol (HTTP) traffic analysis
CN103294952B (en) * 2012-11-29 2016-03-09 北京安天电子设备有限公司 A kind of method and system detecting webshell based on page relation
CN103065089B (en) * 2012-12-11 2016-03-09 深信服网络科技(深圳)有限公司 The detection method of webpage Trojan horse and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
A new approach to webshell detection (webshell检测的新思路); Shi Lei, Song Zhao; Proceedings of the 2nd National Conference on Information Security Classified Protection Technology (第二届全国信息安全等级保护技术大会会议论文集); 2013-06-21; pp. 605-608 *

Legal Events

Code Title (details)
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right
    Denomination of invention: Method and system for searching for webshell with assistance of local simulation request
    Effective date of registration: 20170621
    Granted publication date: 20170426
    Pledgee: Bank of Longjiang, Limited by Share Ltd, Harbin Limin branch
    Pledgor: Harbin Antiy Technology Co., Ltd.
    Registration number: 2017110000004
PC01 Cancellation of the registration of the contract for pledge of patent right
    Date of cancellation: 20190614
    Granted publication date: 20170426
    Pledgee: Bank of Longjiang, Limited by Share Ltd, Harbin Limin branch
    Pledgor: Harbin Antiy Technology Co., Ltd.
    Registration number: 2017110000004
CP03 Change of name, title or address
    Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin High-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)
    Patentee after: Harbin antiy Technology Group Limited by Share Ltd
    Address before: 150090 room 506, Hongqi Street, Nangang District, Harbin Development Zone, Heilongjiang, China, 162
    Patentee before: Harbin Antiy Technology Co., Ltd.
PE01 Entry into force of the registration of the contract for pledge of patent right
    Denomination of invention: Method and system for searching for webshell with assistance of local simulation request
    Effective date of registration: 20190828
    Granted publication date: 20170426
    Pledgee: Bank of Longjiang, Limited by Share Ltd, Harbin Limin branch
    Pledgor: Harbin antiy Technology Group Limited by Share Ltd
    Registration number: Y2019230000002
CP01 Change in the name or title of a patent holder
    Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin High-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)
    Patentee after: Antan Technology Group Co.,Ltd.
    Address before: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin High-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)
    Patentee before: Harbin Antian Science and Technology Group Co.,Ltd.
PC01 Cancellation of the registration of the contract for pledge of patent right
    Date of cancellation: 20211119
    Granted publication date: 20170426
    Pledgee: Bank of Longjiang Limited by Share Ltd. Harbin Limin branch
    Pledgor: Harbin Antian Science and Technology Group Co.,Ltd.
    Registration number: Y2019230000002