CN107135199B - Method and device for detecting webpage backdoor - Google Patents


Info

Publication number: CN107135199B
Authority: CN (China)
Legal status: Active
Application number: CN201710197494.0A
Other languages: Chinese (zh)
Other versions: CN107135199A (en)
Inventors: 王旭, 马先, 刘世良, 苏蔚, 李生帛, 邵巍, 杨莉莉, 李楠芳, 王有虎, 金金, 李晖, 佟芳, 张小博, 秦浩, 徐铁军
Current assignee: State Grid Corp of China SGCC; State Grid Qinghai Electric Power Co Ltd; Information and Telecommunication Branch of State Grid Qinghai Electric Power Co Ltd
Original assignee: State Grid Corp of China SGCC; State Grid Qinghai Electric Power Co Ltd; Information and Telecommunication Branch of State Grid Qinghai Electric Power Co Ltd
Application filed by: State Grid Corp of China SGCC, State Grid Qinghai Electric Power Co Ltd, Information and Telecommunication Branch of State Grid Qinghai Electric Power Co Ltd
Priority application: CN201710197494.0A
Publication of application: CN107135199A
Granted publication: CN107135199B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis

Abstract

The invention discloses a method and a device for detecting a webpage backdoor (webshell). The method comprises: determining a weight value for an access file according to a preset condition, where the access file is a file through which a webpage is accessed; judging whether the weight is greater than or equal to a preset threshold; and, when the weight is greater than or equal to the preset threshold, determining that the access file is a webpage backdoor. The method and device address the low accuracy with which the related art detects obfuscated (deformed) webpage backdoors.

Description

Method and device for detecting webpage backdoor
Technical Field
The invention relates to the technical field of webpage detection, in particular to a method and a device for detecting a webpage backdoor.
Background
In the related art, webpage backdoors are detected mainly by signature matching: signatures (feature codes) of known webpage backdoors are collected, the content of every webpage file is scanned against them, and a file that matches is judged to be a backdoor. Because an attacker can rewrite, obfuscate or even encrypt the backdoor code using syntactic tricks, security staff either cannot extract a signature at all or, where one is extracted, the attacker evades detection with a small modification. Obfuscated webpage backdoors therefore cannot be detected promptly and effectively.
No effective solution has yet been proposed for the low accuracy with which the related art detects obfuscated webpage backdoors.
Disclosure of Invention
The embodiments of the present invention provide a method and a device for detecting a webpage backdoor, so as to at least solve the technical problem of low accuracy in detecting obfuscated webpage backdoors in the related art.
According to one aspect of the embodiments, a method for detecting a webpage backdoor is provided, including: determining a weight value of an access file according to a preset condition, where the access file is a file through which a webpage is accessed; judging whether the weight is greater than or equal to a preset threshold; and, when the weight is greater than or equal to the preset threshold, determining that the access file is a webpage backdoor.
Further, determining the weight of the access file according to the preset condition includes: determining a first sub-weight of the access file according to the number of IP addresses that access the access file; calculating how frequently the same IP address accesses the access file, to obtain a first access frequency; determining a second sub-weight of the access file according to the first access frequency; judging whether content identical to preset characters is present in the content returned by the access file; if such content is present, determining a third sub-weight of the access file; and summing the first, second and third sub-weights to obtain the weight of the access file.
Further, determining the first sub-weight according to the number of IP addresses accessing the access file includes: counting the number of IP addresses that access any file; counting the number of those IP addresses that access in the manner of a search-engine crawler; computing the number of IP addresses accessing the access file from those two counts; and determining the first sub-weight from that number.
Further, determining the first sub-weight according to the number of IP addresses accessing the access file includes: determining, from a plurality of preset numerical ranges comprising a first, a second and a third preset numerical range, the target range in which that number falls; if the target range is the first preset range, increasing the weight of the access file by a first value; if it is the second preset range, increasing the weight by a second value; and if it is the third preset range, increasing the weight by a third value.
Further, determining the second sub-weight according to the first access frequency includes: when the first access frequency satisfies a preset sub-condition, determining, from a plurality of preset time ranges comprising a fourth, a fifth and a sixth preset time range, the target time range in which the first access frequency falls; if the target time range is the fourth preset time range, increasing the weight of the access file by the first value; if it is the fifth, increasing the weight by the second value; and if it is the sixth, increasing the weight by the third value.
Further, after the first, second and third sub-weights have been summed to obtain the weight of the access file, the method further includes: judging whether the IP address of the visitor carrying the access file comes from a server (a hosting or proxy address rather than a personal address); if it does, determining a fourth sub-weight of the access file; and summing the first, second, third and fourth sub-weights to obtain the weight of the access file.
According to another aspect of the embodiments of the present invention, there is also provided a storage medium, where the storage medium includes a stored program, and the method for detecting a backdoor of a web page in any one of the above embodiments is executed when the program runs.
According to another aspect of the embodiments of the present invention, there is further provided a processor, where the processor is configured to execute a program, where the program executes the method for detecting a backdoor of a web page in any one of the above embodiments when running.
According to another aspect of the embodiments, a device for detecting a webpage backdoor is also provided, including: a first determining unit, for determining the weight of an access file according to a preset condition, where the access file is a file through which a webpage is accessed; a judging unit, for judging whether the weight is greater than or equal to a preset threshold; and a second determining unit, for determining that the access file is a webpage backdoor when the weight is greater than or equal to the preset threshold.
Further, the first determining unit includes: a first determining submodule, for determining a first sub-weight of the access file according to the number of IP addresses accessing it; a calculation submodule, for calculating how frequently the same IP address accesses the access file, to obtain a first access frequency; a second determining submodule, for determining a second sub-weight according to the first access frequency; a judging submodule, for judging whether content identical to preset characters is present in the content returned by the access file; a third determining submodule, for determining a third sub-weight if such content is present; and a summing submodule, for summing the first, second and third sub-weights to obtain the weight of the access file.
In the embodiments, a weight for an access file (a file through which a webpage is accessed) is obtained according to a preset condition and compared with a preset threshold: the access file is determined to be a webpage backdoor if the weight is greater than or equal to the threshold, and not to be one if the weight is lower. Whether an access file is a webpage backdoor is thus judged by analysing the file's weight rather than by matching a signature, which improves both the efficiency and the accuracy of detection, solves the related art's low accuracy against obfuscated webpage backdoors, and achieves more accurate webpage backdoor detection.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a schematic diagram of a method for detecting a backdoor of a web page according to an embodiment of the invention;
FIG. 2 is a schematic diagram of an alternative method for detecting backdoors of a web page according to an embodiment of the invention; and
FIG. 3 is a schematic diagram of an alternative web backdoor detection apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Some terms used in the description of the embodiments are explained as follows:
A crawler is a program that automatically fetches webpage content and is an important component of a search engine; it is a program or script that captures information from the World Wide Web according to certain rules.
A webpage backdoor (webshell) is a section of webpage code, mainly ASP or PHP, that runs on the server side; through it an attacker performs dangerous operations on the server and obtains sensitive technical information.
In accordance with an embodiment of the present invention, there is provided an embodiment of a method for detecting web backdoors, it should be noted that the steps illustrated in the flowchart of the drawings may be performed in a computer system such as a set of computer-executable instructions, and that although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.
FIG. 1 is a schematic diagram of a method for detecting a webpage backdoor according to an embodiment of the present invention. As shown in FIG. 1, the method includes the following steps:
Step S102, determining a weight value of an access file according to a preset condition, where the access file is a file through which a webpage is accessed.
Step S104, judging whether the weight is greater than or equal to a preset threshold; step S106 is executed if it is, and step S108 if the weight is lower than the threshold.
Step S106, determining that the access file is a webpage backdoor.
Step S108, determining that the access file is not a webpage backdoor.
Through this embodiment, the weight of the access file is obtained according to the preset condition and compared with the preset threshold: the access file is a webpage backdoor if the weight reaches the threshold and is not one otherwise. Detection therefore relies on analysing the access file's weight rather than on a signature, which improves the efficiency and accuracy of webpage backdoor detection, solves the related art's low accuracy against obfuscated backdoors, and achieves more accurate detection.
Optionally, the foregoing embodiment may be applied to a terminal or a server; the terminal can then detect which access files are webpage backdoors, improving detection accuracy.
Optionally, the access file is a file through which a webpage is accessed and may be of several kinds, for example an access-request authentication code or a section of access code. A normal visitor reaches the page through this code by sending an access request and can only browse the page, not obtain its underlying content; an attacker or other person who enters through other code, that is, through a webpage backdoor, bypasses the normal access path and can obtain the page's content directly.
The preset threshold can take various values and is set according to actual conditions; for example, it may be set to 0.6.
Optionally, the weight is a numerical value used to evaluate whether the access file is a webpage backdoor. The way it is generated can be set according to actual conditions: several sub-weights are evaluated under different preset conditions, and the final weight is determined from the sub-weights of all the conditions together. The weight may be a value greater than 0 and less than 1.
In another optional implementation, determining the weight of the access file according to the preset condition includes: determining a first sub-weight of the access file according to the number of IP addresses accessing it; calculating how frequently the same IP address accesses the access file, to obtain a first access frequency; determining a second sub-weight according to the first access frequency; judging whether content identical to preset characters is present in the content returned by the access file; if so, determining a third sub-weight; and summing the first, second and third sub-weights to obtain the weight of the access file.
Optionally, the IP addresses accessing the access file are the addresses of the visitors of the file that serves the webpage, and there may be many of them. After a visitor (for example a user) accesses a webpage, the server records the visitor's IP address; a single webpage may have many visiting IP addresses, and a single IP address may visit many webpages. The embodiment above counts the number of IP addresses accessing each access file.
The returned content of the access file in the above embodiment is the content obtained from the webpage, that is, what is returned to the visitor when the page is accessed. After the page has been accessed through a webpage backdoor, the returned content can be checked for several kinds of content; for example, it may contain strings such as "." or permission strings such as "rwxrwxrwx" (as in a directory listing), which are among the first characters a webpage backdoor returns. The preset characters can be stored in advance in a data table; once the returned content of the access file has been captured, its leading characters are checked against the preset characters, and the third sub-weight is determined if a match is found. The third sub-weight is an increment whose value is set according to actual conditions, for example 0.35.
Optionally, determining the first sub-weight according to the number of IP addresses accessing the access file includes: counting the number of IP addresses accessing any file; counting the number of those IP addresses that access in the manner of a search-engine crawler; computing the number of IP addresses accessing the access file from those two counts; and determining the first sub-weight from that number.
The number of IP addresses accessing the access file is obtained by subtracting the number of search-engine-crawler IP addresses from the number of all accessing IP addresses: if the total number of accessing IP addresses is A and the number of search-engine-crawler IP addresses is B, the number of IP addresses accessing the access file is C = A - B.
Once that number is known, the sub-weight is calculated from whether the number of IP addresses accessing the file per day falls within a predetermined range. The range is set according to actual conditions and is not limited here; for example, its upper bound may be set to 25, so that the sub-weight is calculated only for files accessed by at most 25 IP addresses per day.
In this embodiment, determining the first sub-weight according to the number of IP addresses accessing the access file includes: determining, from a plurality of preset numerical ranges comprising a first, a second and a third preset range, the target range in which that number falls; if the target range is the first preset range, increasing the weight of the access file by a first value; if it is the second preset range, increasing it by a second value; and if it is the third preset range, increasing it by a third value.
Optionally, the three preset ranges and the first, second and third values are set according to the number of IP addresses accessing the file per day. For example, the first preset range may be 1 to 8, in which case the weight is increased by the first value (e.g. 0.3); the second preset range may be 8 to 16, with the weight increased by the second value (e.g. 0.2); and the third preset range may be 16 to 25, with the weight increased by the third value (e.g. 0.1).
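The first sub-weight rests on subtracting crawler addresses (B) from all visiting addresses (A), so the quality of the crawler count decides whether a lone attacker IP really shows up as C = 1: a User-Agent string claiming to be Googlebot is trivially forged, and a forged PTR record is nearly as cheap. The page does not say how crawler addresses are recognised. The Python below is an added illustration, not the patent's own code: it identifies a crawler by forward-confirmed reverse DNS (PTR lookup, hostname under a published crawler domain, and a forward lookup that maps back to the same address), then computes A, B and C per day while ignoring the User-Agent entirely. The DNS table, addresses and records are constructed for the example; the resolver functions are injected so the block runs offline, and the `socket`-based defaults are what one would pass in production.

```python
import socket
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Domains under which the major crawlers publish reverse-DNS names
# (Googlebot: googlebot.com / google.com; Bingbot: search.msn.com; Baidu: crawl.baidu.com).
CRAWLER_DOMAINS = ("googlebot.com", "google.com", "search.msn.com", "crawl.baidu.com")


def ptr_via_socket(ip: str) -> str:
    """Reverse lookup with the system resolver (production default)."""
    return socket.gethostbyaddr(ip)[0]


def a_via_socket(host: str) -> List[str]:
    """Forward lookup with the system resolver (production default)."""
    return socket.gethostbyname_ex(host)[2]


def is_verified_crawler(ip: str,
                        ptr: Callable[[str], str] = ptr_via_socket,
                        a: Callable[[str], List[str]] = a_via_socket,
                        domains: Tuple[str, ...] = CRAWLER_DOMAINS) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must sit under a crawler
    domain AND resolve back to the same address. A forged User-Agent or a
    forged PTR alone does not pass."""
    try:
        host = ptr(ip).rstrip(".").lower()
    except OSError:
        return False
    if not any(host == d or host.endswith("." + d) for d in domains):
        return False
    try:
        return ip in a(host)
    except OSError:
        return False


def count_daily_ips(records, is_crawler: Callable[[str], bool]) -> Dict[str, Tuple[int, int, int]]:
    """Per day: A = distinct visiting IPs, B = verified crawler IPs, C = A - B.
    Records are (day, ip, user_agent); the User-Agent is deliberately ignored."""
    by_day = defaultdict(set)
    for day, ip, _ua in records:
        by_day[day].add(ip)
    out = {}
    for day, ips in by_day.items():
        b = sum(1 for ip in ips if is_crawler(ip))
        out[day] = (len(ips), b, len(ips) - b)
    return out


# Constructed DNS zone so the example runs offline.
FAKE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",   # genuine: forward lookup confirms it
    "198.51.100.5": "crawl-66-249-66-1.googlebot.com",  # forged PTR: forward lookup does not return this IP
    "203.0.113.9": "host9.example.net",                  # sends a Googlebot User-Agent, is not a crawler
}
FAKE_A = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "host9.example.net": ["203.0.113.9"],
}


def fake_ptr(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]


def fake_a(host: str) -> List[str]:
    if host not in FAKE_A:
        raise OSError("no A record")
    return FAKE_A[host]


def fake_is_crawler(ip: str) -> bool:
    return is_verified_crawler(ip, fake_ptr, fake_a)


SAMPLE_RECORDS = [  # constructed: (day, ip, user-agent); three of four claim to be Googlebot
    ("2023-11-15", "66.249.66.1", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
    ("2023-11-15", "198.51.100.5", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
    ("2023-11-15", "203.0.113.9", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
    ("2023-11-15", "203.0.113.10", "Mozilla/5.0"),
]

if __name__ == "__main__":
    print(count_daily_ips(SAMPLE_RECORDS, fake_is_crawler))  # {'2023-11-15': (4, 1, 3)}
```

Only one of the three self-declared Googlebots survives the check, so B = 1 and C = 3; counting by User-Agent would have given B = 3 and hidden two non-crawler visitors, one of them the kind of hosted address the fourth sub-weight is meant to catch. Reverse-DNS lookups are slow and should be cached per address; the major search engines also publish their crawler IP ranges, which can replace the lookups where a static list is acceptable.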
In another optional implementation, determining the second sub-weight according to the first access frequency includes: when the first access frequency satisfies a preset sub-condition, determining, from a plurality of preset time ranges comprising a fourth, a fifth and a sixth preset time range, the target time range in which the first access frequency falls; if it is the fourth preset time range, increasing the weight of the access file by the first value; if the fifth, increasing it by the second value; and if the sixth, increasing it by the third value.
The first access frequency is the number of accesses N from the same IP address within a period of time T divided by that period; writing the frequency as G, G = N/T. Access frequency is used to detect webpage backdoors because when an attacker connects to a backdoor through a tool, the rate of network packets is higher than that of a person browsing the page by hand. The frequency therefore yields a sub-weight indicating whether the access file is a backdoor, and the weight can be used to judge whether it is.
The preset sub-condition may be that the access frequency exceeds a preset value set separately for the frequency, for example 1; that is, the preset time ranges are consulted only when G > 1. In this application the fourth preset time range is 0 to 1 second with the first value 0.3, so if T falls in that range the weight of the access file is increased by 0.3; the fifth preset time range is 1 to 10 seconds with the second value 0.2, so the weight is increased by 0.2; and the sixth preset time range is more than 10 seconds with the third value 0.1, so the weight is increased by 0.1.
Optionally, after the first, second and third sub-weights have been summed to obtain the weight of the access file, the method further includes: judging whether the IP address of the visitor carrying the access file comes from a server; if it does, determining a fourth sub-weight of the access file; and summing the first, second, third and fourth sub-weights to obtain the weight of the access file.
In this embodiment the visitor (the IP address carrying the access file) is examined to determine whether it is a public server address, for example one belonging to a virtual-host provider, rather than a search-engine crawler. If the address is such a server address and not a crawler, the probability that the access file is a webpage backdoor is increased, because most attackers do not reach the page from a personal IP address but through a proxy or a hosted server; an accessing IP that comes through a server and is not a search-engine crawler is therefore more likely to be using a backdoor. In this application the fourth sub-weight is an increment to the weight such as 0.25 or 0.27.
Optionally, after the first, second, third and fourth sub-weights have been summed to obtain the weight of the access file, the method further includes: determining a fifth sub-weight from how often the access file's IP addresses recur within a predetermined time, and summing the first, second, third, fourth and fifth sub-weights to obtain the weight of the access file.
The predetermined time is not fixed and may be set according to actual conditions, for example 10 days; this application does not limit it. Within those 10 days, the number A of IP addresses accessing any file and the number B of search-engine-crawler IP addresses are counted, and the number D of IP addresses accessing the file over the 10 days is D = A - B.
In another alternative embodiment, U denotes the number of days within the predetermined time on which the file was accessed, with 1 < U < 10. The fifth sub-weight is then calculated as follows: when D = 1, the weight is increased by a fourth value equal to a fifth value (for example 0.05) times U, that is, by U × 0.05; when D is between 1 and 10, the fourth value is a sixth value (for example 0.03) times U, so the weight is increased by U × 0.03; and when D is greater than 10, the fourth value is a seventh value (for example 0.02) times U, so the weight is increased by U × 0.02.
Through this implementation each sub-weight of the access file is calculated, the resulting weight is compared with the preset threshold to decide whether the access file is a webpage backdoor, and judging on the weight allows a more accurate decision.
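The procedure above, from the first sub-weight through the fourth, can be run directly over web-server access records. The Python below is an added illustration, not the patent's own implementation: it scores each requested path (the access file) with the example increments and threshold the page gives (0.3/0.2/0.1 for the per-day IP-count ranges 1-8, 8-16 and 16-25; the same increments for the windows 0-1 s, 1-10 s and over 10 s when G = N/T > 1; 0.35 for a preset marker in the returned content; 0.25 for a visitor at a hosting or proxy address) and caps the sum at 1.0, since the page says the weight lies between 0 and 1. The fifth, multi-day sub-weight is left out. Three points are assumptions of the example rather than the page's: the window T for an IP is the span between its first and last request to the file, the sub-weight for a file seen on several days or from several IPs is the largest increment found, and the response bodies, address ranges and log records are constructed. Real access logs do not keep response bodies, so the third sub-weight needs the returned content captured at a reverse proxy or WAF.

```python
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, NamedTuple, Tuple

THRESHOLD = 0.6
# Preset characters matched against returned content. "rwxrwxrwx" is the page's
# example (a Unix permission string, as in a webshell's directory listing).
PRESET_MARKERS = ("rwxrwxrwx",)


class Access(NamedTuple):
    ts: float    # request time, epoch seconds
    ip: str      # visitor address
    path: str    # the access file
    body: str    # returned content (constructed; needs capture at a proxy in practice)


def first_sub_weight(ips_per_day: Iterable[int]) -> float:
    """Few distinct non-crawler IPs per day -> larger increment (page's example ranges)."""
    best = 0.0
    for z in ips_per_day:
        if 1 <= z <= 8:
            inc = 0.3
        elif 8 < z <= 16:
            inc = 0.2
        elif 16 < z <= 25:
            inc = 0.1
        else:
            inc = 0.0
        best = max(best, inc)  # assumption: the most suspicious day decides
    return best


def second_sub_weight(stamps_by_ip: Dict[str, List[float]]) -> float:
    """G = N/T per IP; only G > 1 counts, and a shorter window T scores higher."""
    best = 0.0
    for stamps in stamps_by_ip.values():
        n = len(stamps)
        if n < 2:
            continue
        t = max(max(stamps) - min(stamps), 1e-3)  # assumption: T is the IP's request span
        if n / t > 1:
            inc = 0.3 if t <= 1 else 0.2 if t <= 10 else 0.1
            best = max(best, inc)
    return best


def third_sub_weight(bodies: Iterable[str], markers=PRESET_MARKERS) -> float:
    """Preset characters present in any returned content -> 0.35."""
    return 0.35 if any(m in b for b in bodies for m in markers) else 0.0


def fourth_sub_weight(ips: Iterable[str], is_hosting_ip: Callable[[str], bool]) -> float:
    """Any non-crawler visitor at a hosting/proxy address -> 0.25."""
    return 0.25 if any(is_hosting_ip(ip) for ip in ips) else 0.0


def score_access_files(records: Iterable[Access], is_crawler_ip, is_hosting_ip) -> Dict[str, Tuple[float, bool]]:
    """Return {path: (weight, is_backdoor)}; crawler traffic is dropped first (C = A - B)."""
    by_path = defaultdict(list)
    for r in records:
        if not is_crawler_ip(r.ip):
            by_path[r.path].append(r)
    results = {}
    for path, recs in by_path.items():
        ips_per_day = defaultdict(set)
        stamps_by_ip = defaultdict(list)
        for r in recs:
            ips_per_day[int(r.ts // 86400)].add(r.ip)
            stamps_by_ip[r.ip].append(r.ts)
        w = (first_sub_weight(len(s) for s in ips_per_day.values())
             + second_sub_weight(stamps_by_ip)
             + third_sub_weight(x.body for x in recs)
             + fourth_sub_weight(stamps_by_ip, is_hosting_ip))
        w = min(round(w, 2), 1.0)  # page: weight lies between 0 and 1 (the cap is an assumption)
        results[path] = (w, w >= THRESHOLD)
    return results


# Constructed stand-ins for a verified-crawler list and a hosting-provider range list.
def is_crawler_ip(ip: str) -> bool:
    return ip.startswith("66.249.")


def is_hosting_ip(ip: str) -> bool:
    return ip.startswith("198.51.100.")


def sample_records() -> List[Access]:
    """Constructed log: an ordinary page with 30 visitors, one crawler hit, and an
    uploaded PHP file hit 12 times in under half a second from a hosted address."""
    day0 = 19676 * 86400.0  # 2023-11-15 00:00:00 UTC, so everything falls on one day
    recs = []
    for i in range(30):
        ip = f"203.0.113.{i + 1}"
        for k in range(2):
            recs.append(Access(day0 + i * 300 + k * 60, ip, "/index.php", "<html>welcome</html>"))
    recs.append(Access(day0 + 5, "66.249.66.1", "/uploads/img.php", "<html></html>"))
    listing = "drwxrwxrwx 2 www www 4096 .\n-rw-r--r-- 1 www www 1337 img.php\n"
    for k in range(12):
        recs.append(Access(day0 + 100 + k * 0.04, "198.51.100.7", "/uploads/img.php", listing))
    return recs


if __name__ == "__main__":
    for path, (w, hit) in score_access_files(sample_records(), is_crawler_ip, is_hosting_ip).items():
        print(f"{path:20s} weight={w:.2f} backdoor={hit}")
```

On the constructed log `/uploads/img.php` collects all four increments (one visiting IP, a burst with T < 1 s and G > 1, a directory listing in the response, a hosted source address) and is flagged, while `/index.php` with 30 visitors scores 0. Note how easily a low-and-slow operator defeats the second sub-weight by spacing requests more than a second apart, and how a shared page such as a login form scores 0.3 on the first sub-weight on a quiet day; the threshold exists because no single sub-weight is decisive.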
Fig. 2 is a schematic diagram of another alternative detection method for a web backdoor according to an embodiment of the present invention, as shown in fig. 2, the detection method includes:
step S201, according to the access IP address of the access file, determining a first sub-weight value.
Optionally, the web backdoor is generally accessed only by a hacker, in a website, the less the IP addresses of a certain file accessed every day, the greater the probability that the accessed file is the web backdoor, and different weights are calculated according to the accessed IPDI addresses.
Optionally, the number X of IP addresses accessing all files may be calculated, the program determines the number Y of search-engine crawler IP addresses, and the number Z of IP addresses accessing the website's files each day excluding the search-engine crawlers is counted (Z = X - Y). For files whose daily number of accessing IP addresses (excluding crawler IPs) is no more than 20, the weight is calculated as follows:
when 1 < Z <= 5, the weight is increased by 0.3;
when 5 < Z <= 10, the weight is increased by 0.2;
when 11 < Z <= 20, the weight is increased by 0.1.
Through the above embodiment, the first sub-weight value may be calculated.
Step S203, calculating the access frequency of the same IP address access file, and determining a second sub-weight value according to the access frequency.
Optionally, the frequency of normal file access differs from the frequency at which a hacker connects to a web backdoor through a tool: the tool's access frequency is greater than the normal access frequency, and the second sub-weight may be determined on this principle.
Alternatively, the access frequency H of the same IP may be calculated as the number of accesses N by that IP within a period of time T (in seconds), that is, H = N/T. (When a hacker connects to a backdoor through a hacking tool, the rate of network packets is higher than that of normal manual access to a web page.) For example, when 0 < T <= 1 and H > 1, the weight is increased by 0.3; when 1 < T <= 10 and H > 1, the weight is increased by 0.2; when T > 10 and H > 1, the weight is increased by 0.1.
Through the above embodiment, the second sub-weight value may be calculated.
Step S205, determining whether the IP address of the visitor comes from the server, so as to determine the third sub-weight.
Optionally, most hackers connect to a web backdoor (webshell) through a server; when it is determined that the access IP address of the access file comes from a server and is not a search-engine crawler, the third sub-weight of the access file is determined.
Optionally, the visitor's IP is judged: the IP judgment engine determines whether it is a public IP (the IP of a virtual host provider, an IDC room, etc.), and if it is a public IP and not from a search-engine crawler, the weight is increased by 0.25. (90% of hackers do not access a web backdoor through a personal IP, but typically through a proxy.)
Step S207, in a predetermined time, the frequency of the access IP of the access file is calculated, and the fourth sub-weight is determined according to the frequency.
Optionally, the access frequency of files is recorded over a longer period: the number of all IP addresses accessing the file within 10 days is calculated as X, the number of search-engine crawler IP addresses is counted as Y, the number of IP addresses accessing the website's files within 10 days excluding the search-engine crawlers is Z = X - Y, and M denotes the number of days on which a given IP accesses within the 10 days.
For example, if Z = 1, the weight is increased by M × 0.05 (when only one IP has appeared in the last ten days, the more days that IP appears on, the higher the weight); if 1 < Z <= 10, the weight is increased by M × 0.03; if 10 < Z <= 70, the weight is increased by M × 0.02.
Through the above embodiment, the fourth sub-weight value may be calculated.
Step S209, the return content of the access file is obtained, and the fifth sub-weight value is determined according to the return content.
Optionally, after the returned content of the access file is obtained, if preset characters occur within the first few characters of the returned content, the weight may be increased by 0.35, where the preset characters may be of various kinds, such as "." or "rwxrwxrwx".
It should be noted that, in the embodiment of the present invention, the order in which the first, second, third, fourth and fifth sub-weights are determined is not limited; that is, steps S201 to S209 may also be executed in parallel or in another serial order.
And step S211, determining whether the access file is a webpage backdoor or not according to the first sub-weight, the second sub-weight, the third sub-weight, the fourth sub-weight and the fifth sub-weight.
Optionally, the first, second, third, fourth and fifth sub-weights may be accumulated to obtain a total weight; whether the total weight is greater than or equal to 0.6 is judged; when the total weight is judged to be greater than or equal to 0.6, the access file is determined to be a web backdoor, and when the total weight is judged to be lower than 0.6, the access file is determined not to be a web backdoor.
According to the embodiment, whether the access file is the webpage backdoor or not can be judged by analyzing the weight values (including the first sub-weight value, the second sub-weight value, the third sub-weight value, the fourth sub-weight value and the fifth sub-weight value) of the access file accessing the webpage, the webpage backdoor is not required to be detected by means of the feature code, the efficiency and the accuracy of detecting the webpage backdoor can be improved, the technical problem that the accuracy is low when a deformed webpage backdoor is detected in the related technology is solved, and the effect of improving the accuracy of detecting the webpage backdoor is achieved.
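As an added illustration (not the patent's own code), the following computes the five sub-weights of steps S201 to S211 over a constructed access log using the thresholds stated above. The crawler list, the hosting/IDC prefixes standing in for the "IP judgment engine", the marker string, and the choices of taking the highest band over IPs for S203 and the largest M over IPs for S207 are assumptions.

```python
"""Weighted webshell scoring over access records, following steps S201 to S211 of
the text. Added illustration, not the patent's own code: the log, the crawler and
hosting IP lists (standing in for the IP judgment engine) and the marker are constructed."""
from collections import defaultdict

THRESHOLD = 0.6   # total weight at or above this => web backdoor (S211)
DAY = 86400       # seconds per day, used to bucket timestamps into days

CRAWLER_IPS = {"66.249.66.1"}          # constructed crawler list
HOSTING_PREFIXES = ("203.0.113.",)     # constructed virtual-host / IDC space
PRESET_MARKERS = ("rwxrwxrwx",)        # preset characters for S209

# Constructed access log: (timestamp in seconds, client IP, requested file),
# assumed to cover the 10-day window used by S207.
LOG = [
    (100.0, "203.0.113.7", "/uploads/x.php"),        # three hits in 0.8 s
    (100.4, "203.0.113.7", "/uploads/x.php"),
    (100.8, "203.0.113.7", "/uploads/x.php"),
    (150.0, "203.0.113.9", "/uploads/x.php"),
    (DAY + 100.0, "203.0.113.7", "/uploads/x.php"),  # same IP, next day
    (200.0, "66.249.66.1", "/index.php"),            # crawler, not counted
] + [(300.0 + i, f"198.51.100.{i}", "/index.php") for i in range(12)]

RESPONSES = {"/uploads/x.php": "-rwxrwxrwx 1 www www 4096 Mar 29 config.php",
             "/index.php": "<!DOCTYPE html><html>"}  # first characters returned


def _human_hits(records, path, day=None):
    """Hits on `path` from non-crawler IPs, optionally limited to one day."""
    return [(ts, ip) for ts, ip, p in records if p == path and ip not in CRAWLER_IPS
            and (day is None or int(ts // DAY) == day)]


def first_sub_weight(records, path, day):
    """S201: few distinct IPs on the day. Bands exactly as the text states them;
    Z == 1 and Z == 11 fall outside every band and add nothing."""
    z = len({ip for _, ip in _human_hits(records, path, day)})
    return 0.3 if 1 < z <= 5 else 0.2 if 5 < z <= 10 else 0.1 if 11 < z <= 20 else 0.0


def second_sub_weight(records, path, day):
    """S203: H = N / T per IP on the day; the highest band over IPs is taken."""
    per_ip = defaultdict(list)
    for ts, ip in _human_hits(records, path, day):
        per_ip[ip].append(ts)
    best = 0.0
    for stamps in per_ip.values():
        t = max(stamps) - min(stamps)
        if t <= 0 or len(stamps) / t <= 1:     # a single hit has no rate
            continue
        best = max(best, 0.3 if t <= 1 else 0.2 if t <= 10 else 0.1)
    return best


def third_sub_weight(records, path):
    """S205: any non-crawler visitor from hosting/IDC space adds 0.25."""
    return 0.25 if any(ip.startswith(HOSTING_PREFIXES)
                       for _, ip in _human_hits(records, path)) else 0.0


def fourth_sub_weight(records, path):
    """S207: Z distinct IPs over the window; M = most days any single IP returned."""
    days_by_ip = defaultdict(set)
    for ts, ip in _human_hits(records, path):
        days_by_ip[ip].add(int(ts // DAY))
    z, m = len(days_by_ip), max((len(d) for d in days_by_ip.values()), default=0)
    return m * (0.05 if z == 1 else 0.03 if 1 < z <= 10 else 0.02 if 10 < z <= 70 else 0.0)


def fifth_sub_weight(returned):
    """S209: a preset marker within the first few characters adds 0.35."""
    return 0.35 if any(m in returned[:40] for m in PRESET_MARKERS) else 0.0


def score(records, path, returned, day):
    """S211: sum the five sub-weights; returns (total, is_backdoor)."""
    total = (first_sub_weight(records, path, day) + second_sub_weight(records, path, day)
             + third_sub_weight(records, path) + fourth_sub_weight(records, path)
             + fifth_sub_weight(returned))
    return round(total, 6), total >= THRESHOLD
```

On this log the uploaded script scores 1.26 and is flagged, while the index page scores 0.12; note that with the bands as stated, a file reached from exactly one IP per day receives no first sub-weight at all.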
According to another aspect of the embodiments of the present invention, there is also provided a storage medium, where the storage medium includes a stored program, and the method for detecting a backdoor of a web page in any one of the above embodiments is performed when the program runs.
According to another aspect of the embodiments of the present invention, there is further provided a processor, where the processor is configured to execute a program, where the program executes the method for detecting a backdoor of a web page in any one of the above embodiments when running.
Fig. 3 is a schematic diagram of another alternative web backdoor detection apparatus according to an embodiment of the present invention, as shown in fig. 3, the apparatus includes: a first determining unit 31, configured to determine a weight of an access file according to a preset condition, where the access file is used to access a web page; a judging unit 33, configured to judge whether the weight is greater than or equal to a preset threshold; the second determining unit 35 is configured to determine that the access file is a web backdoor if the weight is determined to be greater than or equal to the preset threshold; and a third determining unit 37, configured to determine that the access file is not a web backdoor if the weight is determined to be lower than the preset threshold.
Through the above embodiment, the first determining unit 31 may obtain a weight value of an access file according to a preset condition, where the access file is a file for accessing a web page, after obtaining the weight value of the access file, the determining unit 33 may determine whether the weight value is greater than or equal to a preset threshold according to the weight value, the second determining unit 35 determines that the access file is a web page backdoor if the weight value is greater than or equal to the preset threshold, and the third determining unit 37 determines that the access file is not the web page backdoor if the weight value is lower than the preset threshold. According to the embodiment, whether the access file is the webpage backdoor or not can be judged by analyzing the weight of the access file accessing the webpage, the webpage backdoor does not need to be detected by means of the feature code, the efficiency and the accuracy of detecting the webpage backdoor can be improved, the technical problem that the accuracy is low when the deformed webpage backdoor is detected in the related technology is solved, and the effect of improving the accuracy of detecting the webpage backdoor is achieved.
Optionally, the first determining unit 31 includes: the first determining submodule is used for determining a first sub-weight of the access file according to the number of the IP addresses accessed by the access file; the calculation submodule is used for calculating the access frequency of the access file accessing the same IP address to obtain a first access frequency; the second determining submodule is used for determining a second sub-weight of the access file according to the first access frequency; the judging submodule is used for judging whether the content identical to the preset characters exists in the returned content of the access file; the third determining submodule is used for determining a third sub-weight of the access file if the returned content of the access file is judged to have the content which is the same as the preset characters; and the superposition submodule is used for superposing the first sub-weight, the second sub-weight and the third sub-weight to obtain the weight of the access file.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (7)

1. A method for detecting a backdoor of a webpage is characterized by comprising the following steps:
determining a weight value of an access file according to a preset condition, wherein the access file is used for accessing a webpage;
judging whether the weight is greater than or equal to a preset threshold value;
determining the access file as a webpage backdoor under the condition that the weight is judged to be more than or equal to a preset threshold value,
according to the preset conditions, determining the weight of the access file comprises the following steps: determining a first sub-weight value of the access file according to the number of the access IP addresses of the access file; calculating the access frequency of the access file accessing the same IP address to obtain a first access frequency; determining a second sub-weight value of the access file according to the first access frequency; judging whether the content identical to a preset character exists in the returned content of the access file; if the returned content of the access file is judged to have the content which is the same as the preset character, determining a third sub-weight of the access file; judging whether the IP address of the carrier for accessing the file comes from a server or not; if the IP address of the carrier of the access file is judged to be from the server, determining a fourth sub-weight of the access file; determining a fifth sub-weight value through the IP repetition frequency of the access file within the preset time; and superposing the first sub-weight, the second sub-weight, the third sub-weight, the fourth sub-weight and the fifth sub-weight to obtain a weight of the access file.
2. The detection method according to claim 1, wherein determining the first sub-weight of the access file according to the number of the access IP addresses of the access file comprises:
counting the number of all file access IP addresses;
counting the number of the addresses for accessing the IP in a search engine crawler mode;
calculating the number of the IP addresses accessed by the accessed files according to the number of the IP addresses accessed by all the files and the number of the IP addresses accessed by a crawler mode of a search engine;
and determining a first sub-weight value of the access file according to the number of the access IP addresses of the access file.
3. The detection method according to claim 2, wherein determining the first sub-weight of the access file according to the number of the access IP addresses of the access file comprises:
determining a target numerical range in which the number of the access IP addresses of the access file is located from a plurality of preset numerical ranges, wherein the plurality of preset numerical ranges comprise a first preset numerical range, a second preset numerical range and a third preset numerical range;
if the target numerical range is the first preset numerical range, determining that the weight of the accessed file is increased by a first numerical value;
if the target numerical range is the second preset numerical range, determining that the weight of the accessed file is increased by a second numerical value;
and if the target numerical range is the third preset numerical range, determining that the weight of the accessed file is increased by a third numerical value.
4. The detection method according to claim 3, wherein determining the second sub-weight value of the access file according to the first access frequency comprises:
determining a target time range in which the first access frequency is located from a plurality of preset time ranges under the condition that the first access frequency meets a preset sub-condition, wherein the plurality of preset time ranges comprise a fourth preset time range, a fifth preset time range and a sixth preset time range;
if the target time range is the fourth preset time range, determining that the weight of the access file is increased by the first numerical value;
if the target time range is the fifth preset time range, determining that the weight of the access file is increased by the second numerical value;
and if the target time range is the sixth preset time range, determining that the weight of the access file is increased by the third numerical value.
5. A web backdoor detection apparatus, comprising:
the device comprises a first determining unit, a second determining unit and a third determining unit, wherein the first determining unit is used for determining the weight of an access file according to a preset condition, and the access file is used for accessing a webpage;
the judging unit is used for judging whether the weight is greater than or equal to a preset threshold value;
a second determining unit, configured to determine that the access file is a backdoor of a web page if the weight is greater than or equal to a preset threshold,
the first determination unit includes: the first determining submodule is used for determining a first sub-weight of the access file according to the number of the IP addresses accessed by the access file; the calculation submodule is used for calculating the access frequency of the access file for accessing the same IP address to obtain a first access frequency; the second determining submodule is used for determining a second sub-weight of the access file according to the first access frequency; the judging submodule is used for judging whether the content identical to the preset characters exists in the returned content of the access file; a third determining submodule, configured to determine a third sub-weight of the access file if it is determined that content identical to a preset character exists in the returned content of the access file;
the judging submodule is also used for judging whether the IP address of the carrier of the access file is from a server or not; if the IP address of the carrier of the access file is judged to be from the server, determining a fourth sub-weight of the access file; determining a fifth sub-weight value through the IP repetition frequency of the access file within the preset time; and the superposition submodule is used for superposing the first sub-weight, the second sub-weight, the third sub-weight, the fourth sub-weight and the fifth sub-weight to obtain the weight of the access file.
6. A storage medium comprising a stored program, wherein the method for detecting a backdoor of a web page according to any one of claims 1 to 4 is performed when the program is executed.
7. A processor, configured to execute a program, wherein the program executes the method for detecting a backdoor of a web page according to any one of claims 1 to 4.
CN201710197494.0A 2017-03-29 2017-03-29 Method and device for detecting webpage backdoor Active CN107135199B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710197494.0A CN107135199B (en) 2017-03-29 2017-03-29 Method and device for detecting webpage backdoor


Publications (2)

Publication Number Publication Date
CN107135199A CN107135199A (en) 2017-09-05
CN107135199B true CN107135199B (en) 2020-05-01

Family

ID=59714897


Country Status (1)

Country Link
CN (1) CN107135199B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107844702B (en) * 2017-11-24 2020-09-04 杭州安恒信息技术股份有限公司 Website trojan backdoor detection method and device based on cloud protection environment
CN111031025B (en) * 2019-12-07 2022-04-29 杭州安恒信息技术股份有限公司 Method and device for automatically detecting and verifying Webshell
WO2021223177A1 (en) * 2020-05-07 2021-11-11 深圳市欢太科技有限公司 Abnormal file detection method and related product
CN114329456A (en) * 2020-09-27 2022-04-12 中国移动通信集团河南有限公司 Webpage backdoor detection method, device and equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102647421A (en) * 2012-04-09 2012-08-22 北京百度网讯科技有限公司 Web back door detection method and device based on behavioral characteristics
CN104967616A (en) * 2015-06-05 2015-10-07 北京安普诺信息技术有限公司 WebShell file detection method in Web server
CN105046154A (en) * 2015-08-13 2015-11-11 浪潮电子信息产业股份有限公司 Webshell detection method and device
CN105516151A (en) * 2015-12-15 2016-04-20 北京奇虎科技有限公司 Scanning-killing method and device of backdoor file
CN105553767A (en) * 2015-12-15 2016-05-04 北京奇虎科技有限公司 Website backdoor file detection method and device




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant