CN109905396A - WebShell file detection method, device and electronic equipment - Google Patents

WebShell file detection method, device and electronic equipment

Info

Publication number
CN109905396A
Authority
CN
China
Prior art keywords
web
file
matching result
detected
webshell
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910181342.0A
Other languages
Chinese (zh)
Inventor
翁迟迟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing QIYI Century Science and Technology Co Ltd
Original Assignee
Beijing QIYI Century Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing QIYI Century Science and Technology Co Ltd filed Critical Beijing QIYI Century Science and Technology Co Ltd
Priority to CN201910181342.0A priority Critical patent/CN109905396A/en
Publication of CN109905396A publication Critical patent/CN109905396A/en
Pending legal-status Critical Current

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

An embodiment of the invention provides a WebShell file detection method, device and electronic equipment. The method includes: obtaining the Web process identification information of a website server at the current time; obtaining, according to the Web process identification information, a Web file to be detected in the Web root directory of the web application corresponding to the Web process; matching the Web file to be detected against a preset character string to obtain a first matching result; and, when the first matching result is a successful match, determining that the Web file to be detected is a WebShell file. In this embodiment the Web directory to be detected does not have to be specified manually; it is determined dynamically from the real-time Web process identification information at the current time, and WebShell file detection is then carried out, so that WebShell files are detected automatically.

Description

WebShell file detection method, device and electronic equipment
Technical field
The present invention relates to the field of information security technology, and in particular to a WebShell file detection method, device and electronic equipment.
Background art
A WebShell file is a malicious web backdoor file that exists in the form of a web page file. After intruding into a website server, a hacker mixes the web backdoor file in with the normal web page files under the server's Web directory, in order to carry out malicious operations on the website server such as deleting or modifying data.
At present, WebShell file detection is performed as follows: based on experience, a person designates in advance the Web directories on the website server that may contain WebShell files as the Web directories to be detected; then, by regular-expression matching, the content of each web page file in those directories is matched against character strings set in advance from experience, to obtain a matching result. When the matching result is a successful match, the web page file is determined to be a WebShell file; when the matching result is a failed match, the web page file is determined not to be a WebShell file.
It can be seen that the prior-art method of detecting WebShell files relies mainly on manually determining the Web directory to be detected, and cannot achieve automatic detection.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a WebShell file detection method, device and electronic equipment, so as to realize automatic detection of WebShell files. The specific technical solution is as follows:
In a first aspect, an embodiment of the present invention provides a WebShell file detection method, comprising:
obtaining the Web process identification information of a website server at the current time;
obtaining, according to the Web process identification information, a Web file to be detected in the Web root directory of the web application corresponding to the Web process;
matching the Web file to be detected against a preset character string to obtain a first matching result, the preset character string being a character string that characterizes WebShell files;
when the first matching result is a successful match, determining that the Web file to be detected is a WebShell file.
Further, the step of obtaining, according to the Web process identification information, the Web file to be detected in the Web root directory of the web application corresponding to the Web process comprises:
determining the type of the web application corresponding to the Web process according to the Web process identification information;
obtaining, according to the type of the web application, the storage path information of the configuration file of the web application from the configuration file storage path information database corresponding to that type;
obtaining the configuration file of the web application according to the storage path information of the configuration file of the web application;
obtaining the Web root directory storage path information of the web application from the configuration file of the web application;
obtaining, according to the Web root directory storage path information, the Web file to be detected in the Web root directory of the web application.
Further, the step of matching the Web file to be detected against the preset character string to obtain the first matching result comprises:
performing regular-expression matching on the Web file to be detected and the preset character string to obtain the first matching result, the first matching result including a regular-expression matching result or a string matching result.
Further, the step of determining that the Web file to be detected is a WebShell file when the first matching result is a successful match comprises:
when the regular-expression matching result or the string matching result is a successful match, determining that the Web file to be detected is a WebShell file.
Further, after the step of obtaining, according to the Web process identification information, the Web file to be detected in the Web root directory of the web application corresponding to the Web process, the method further comprises:
monitoring whether a Web file creation operation exists in each Web subdirectory of the Web root directory;
if so, matching the newly created Web file against the preset character string to obtain a second matching result;
when the second matching result is a successful match, determining that the newly created Web file is a WebShell file.
Further, after the step of obtaining, according to the Web process identification information, the Web file to be detected in the Web root directory of the web application corresponding to the Web process, the method further comprises:
monitoring whether a subdirectory creation operation exists in each Web subdirectory of the Web root directory;
if so, judging whether a Web file exists in the newly created subdirectory;
if a Web file exists in the newly created subdirectory, matching the Web file present in the newly created subdirectory against the preset character string to obtain a third matching result;
when the third matching result is a successful match, determining that the Web file present in the newly created subdirectory is a WebShell file.
In a second aspect, an embodiment of the present invention provides a WebShell file detection device, comprising:
a process identification information obtaining module, configured to obtain the Web process identification information of a website server at the current time;
a Web file obtaining module, configured to obtain, according to the Web process identification information, a Web file to be detected in the Web root directory of the web application corresponding to the Web process;
a first matching result obtaining module, configured to match the Web file to be detected against a preset character string to obtain a first matching result, the preset character string being a character string that characterizes WebShell files;
a first WebShell file determining module, configured to determine that the Web file to be detected is a WebShell file when the first matching result is a successful match.
Further, the Web file obtaining module includes: a type determining submodule, a first storage path information obtaining submodule, a configuration file obtaining submodule, a second storage path information obtaining submodule and a Web file obtaining submodule;
the type determining submodule is configured to determine the type of the web application corresponding to the Web process according to the Web process identification information;
the first storage path information obtaining submodule is configured to obtain, according to the type of the web application, the storage path information of the configuration file of the web application from the configuration file storage path information database corresponding to that type;
the configuration file obtaining submodule is configured to obtain the configuration file of the web application according to the storage path information of the configuration file of the web application;
the second storage path information obtaining submodule is configured to obtain the Web root directory storage path information of the web application from the configuration file of the web application;
the Web file obtaining submodule is configured to obtain, according to the Web root directory storage path information, the Web file to be detected in the Web root directory of the web application.
Further, the first matching result obtaining module is specifically configured to perform regular-expression matching or string matching on the Web file to be detected and the preset character string to obtain the first matching result, the first matching result including a regular-expression matching result or a string matching result.
Further, the first WebShell file determining module is specifically configured to determine that the Web file to be detected is a WebShell file when the regular-expression matching result or the string matching result is a successful match.
Further, the device further includes:
a Web file creation operation monitoring module, configured to monitor, after the Web file to be detected in the Web root directory of the web application corresponding to the Web process has been obtained according to the Web process identification information, whether a Web file creation operation exists in each Web subdirectory of the Web root directory;
a second matching result obtaining module, configured to match the newly created Web file against the preset character string to obtain a second matching result if a Web file creation operation exists in a Web subdirectory of the Web root directory;
a second WebShell file determining module, configured to determine that the newly created Web file is a WebShell file when the second matching result is a successful match.
Further, the device further includes:
a subdirectory creation operation monitoring module, configured to monitor, after the Web file to be detected in the Web root directory of the web application corresponding to the Web process has been obtained according to the Web process identification information, whether a subdirectory creation operation exists in each Web subdirectory of the Web root directory;
a judging module, configured to judge whether a Web file exists in the newly created subdirectory if a subdirectory creation operation exists in a Web subdirectory of the Web root directory;
a third matching result obtaining module, configured to match the Web file present in the newly created subdirectory against the preset character string to obtain a third matching result if a Web file exists in the newly created subdirectory;
a third WebShell file determining module, configured to determine that the Web file present in the newly created subdirectory is a WebShell file when the third matching result is a successful match.
In a third aspect, an embodiment of the present invention provides an electronic device including a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is configured to store a computer program;
the processor is configured to implement the steps of any of the WebShell file detection methods described above when executing the program stored in the memory.
In a fourth aspect, an embodiment of the present invention also provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to execute any of the WebShell file detection methods described above.
In a fifth aspect, an embodiment of the present invention also provides a computer program product containing instructions which, when run on a computer, cause the computer to execute any of the WebShell file detection methods described above.
The WebShell file detection method, device and electronic equipment provided by the embodiments of the present invention obtain the Web process identification information of a website server at the current time; obtain, according to the Web process identification information, a Web file to be detected in the Web root directory of the web application corresponding to the Web process; match the Web file to be detected against a preset character string to obtain a first matching result, the preset character string being a character string that characterizes WebShell files; and, when the first matching result is a successful match, determine that the Web file to be detected is a WebShell file. In the embodiments of the present invention the Web directory to be detected does not have to be specified manually; it is determined dynamically from the real-time Web process identification information at the current time, and the Web files to be detected in the Web root directory of the web application corresponding to the Web process are matched, thereby realizing automatic detection of WebShell files.
Of course, implementing any product or method of the present invention does not necessarily require achieving all of the above advantages at the same time.
Description of the drawings
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below.
Fig. 1 is a flow diagram of a WebShell file detection method provided by an embodiment of the present invention;
Fig. 2 is another flow diagram of the WebShell file detection method provided by an embodiment of the present invention;
Fig. 3 is a flow diagram of WebShell file detection performed on a newly created Web file;
Fig. 4 is another flow diagram of WebShell file detection performed on a newly created Web file;
Fig. 5 is a structural diagram of a WebShell file detection device provided by an embodiment of the present invention;
Fig. 6 is a structural diagram of the electronic device provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention.
To realize automatic detection of WebShell files, the embodiments of the present invention provide a WebShell file detection method, device and electronic equipment, each of which is described in detail below.
Referring to Fig. 1, Fig. 1 is a flow diagram of a WebShell file detection method provided by an embodiment of the present invention.
In this embodiment, the following WebShell file detection method may be executed periodically at a preset interval, or executed from time to time as needed; the trigger condition for executing the method is not limited here.
The method specifically includes the following steps:
Step 101: obtain the Web process identification information of the website server at the current time.
In this step, the obtained Web process identification information of the website server at the current time may include the name of the Web process or its identification code (ID).
The Web process identification information of the website server at the current time can be read from the task manager of the website server.
Step 102: according to the Web process identification information, obtain the Web file to be detected in the Web root directory of the web application corresponding to the Web process.
The Web root directory of the web application corresponding to the Web process may contain multiple Web files. In this embodiment, the Web files contained in the Web root directory can be detected one after another, and the Web file being detected at the current time is taken as the Web file to be detected.
The Web root directory storage path information of the web application can be obtained by looking up the web application's configuration file, and the Web file to be detected in the Web root directory is then obtained. The specific method of obtaining the Web file to be detected in the Web root directory of the web application is not limited here.
Step 103: match the Web file to be detected against the preset character string to obtain the first matching result.
The content of the Web file to be detected can be matched against the preset character string to obtain the first matching result. Specifically, the matching can use a regular-expression matching algorithm, or other matching algorithms, for example string matching algorithms such as a finite-automaton algorithm or the Boyer-Moore algorithm. The algorithm used to match the content of the Web file against the preset character string is not limited here.
Matching with a regular-expression matching algorithm can not only search the content of the Web file to be detected for the preset character string, i.e. keyword matching, but can also search the content against preset rules, i.e. carry out a matching search for a given preset rule that targets WebShell files.
Compared with a regular-expression matching algorithm, a string matching algorithm can only search the content of the Web file to be detected for the preset character string, i.e. keyword matching, but it computes faster.
Step 104: when the first matching result is a successful match, determine that the Web file is a WebShell file.
Since the preset character string is a character string that characterizes WebShell files, when the first matching result is a successful match, i.e. the Web file to be detected contains a match for the preset character string, the Web file to be detected is determined to be a WebShell file.
In this embodiment of the present invention, the Web directory to be detected does not have to be specified manually; it is determined dynamically from the real-time Web process identification information at the current time, and the Web files to be detected in the Web root directory of the web application corresponding to the Web process are matched, thereby realizing automatic detection of WebShell files.
Fig. 2 is another flow diagram of the WebShell file detection method provided by an embodiment of the present invention, which specifically includes the following steps:
Step 201: obtain the Web process identification information of the website server at the current time.
The Web process identification information can be, for example, the name of the Web process.
Step 202: determine the type of the web application corresponding to the Web process according to the Web process identification information.
The storage path information of application configuration files is stored according to application type, that is, the storage path information of the configuration files of applications of the same class is stored in the same configuration file storage path information database. Obtaining the storage path information of an application's configuration file therefore first requires determining the type of the application.
For example, the types of web application may include the Nginx type, the Apache type, the Tomcat type and so on. When the name of the Web process starts with Nginx, the type of the web application corresponding to the Web process is determined to be Nginx; when the name of the Web process starts with Apache, the type is determined to be Apache; similarly, when the name of the Web process starts with Tomcat, the type is determined to be Tomcat.
Step 203: according to the type of the web application, obtain the storage path information of the configuration file of the web application from the configuration file storage path information database corresponding to that type.
Since the storage path information of the configuration files of applications of the same class is stored in the same configuration file storage path information database, the storage path information of the configuration file of the web application can be obtained from the configuration file storage path information database corresponding to its type. For example, when step 202 has determined that the type of the web application is Tomcat, the storage path information of the configuration file of the web application can be obtained from the configuration file storage path information database corresponding to Tomcat.
Step 204: according to the storage path information of the configuration file of the web application, obtain the configuration file of the web application.
For example, when the storage path information of the configuration file of the web application is Computer/Local Disk (C:)/Program Files (x86)/XX, the configuration file of the web application can be obtained directly through that path information.
Step 205: obtain the Web root directory storage path information of the web application from the configuration file of the web application.
Step 206: according to the Web root directory storage path information, obtain the Web file to be detected in the Web root directory of the web application.
Step 207: perform regular-expression matching or string matching on the Web file to be detected and the preset character string to obtain the first matching result, the first matching result including a regular-expression matching result or a string matching result.
Regular-expression matching can be performed on the Web file to be detected and the preset character string to obtain a regular-expression matching result; at the same time, string matching can also be performed on the Web file to be detected and the preset character string to obtain a string matching result.
Step 208: when the regular-expression matching result or the string matching result is a successful match, determine that the Web file to be detected is a WebShell file.
In this embodiment of the present invention, the Web directory to be detected does not have to be specified manually; it is determined dynamically from the real-time Web process identification information at the current time, and the Web files to be detected in the Web root directory of the web application corresponding to the Web process are matched, thereby realizing automatic detection of WebShell files. In addition, both regular-expression matching and string matching are used, giving a regular-expression matching result and a string matching result respectively; when either of the two results is a successful match, the Web file to be detected is determined to be a WebShell file, which improves the accuracy of WebShell file detection.
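The flow of steps 201 to 208 can be sketched as follows. This is an added example, not code from the patent: the process name is passed in rather than read from the task manager, the dictionary argument stands in for the configuration file storage path information database, and the `root`, `DocumentRoot` and `appBase` directives, the file extensions and the two signatures are illustrative assumptions.

```python
import os
import re
import tempfile

# Fast keyword list and slower rule list. Both are illustrative signatures;
# the patent does not list its preset character strings.
KEYWORDS = [b"eval($_POST", b"eval($_REQUEST"]
RULES = [re.compile(rb"\beval\s*\(\s*\$_(?:POST|GET|REQUEST)\b")]
WEB_EXTENSIONS = (".php", ".jsp", ".asp", ".aspx")   # assumed "Web file" filter

# Directive that names the web root in each application type's config file.
# Relative values (typical for Tomcat's appBase) would still need resolving
# against the installation directory; this sketch uses them as written.
ROOT_DIRECTIVE = {
    "nginx": re.compile(r"^\s*root\s+([^;\s]+)\s*;", re.M),
    "apache": re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', re.M),
    "tomcat": re.compile(r'appBase="([^"]+)"'),
}


def app_type(process_name):
    """Step 202: classify the web application by process-name prefix."""
    lowered = process_name.lower()
    for kind in ROOT_DIRECTIVE:
        if lowered.startswith(kind):
            return kind
    return None


def web_roots(kind, config_text):
    """Step 205: every web root named in the config (one per server block)."""
    return sorted(set(ROOT_DIRECTIVE[kind].findall(config_text)))


def match_content(content):
    """Step 207: return (string matching result, regex matching result)."""
    string_hit = any(k in content for k in KEYWORDS)
    regex_hit = any(r.search(content) for r in RULES)
    return string_hit, regex_hit


def scan_process(process_name, config_path_db):
    """Steps 202-208 for one running web process; returns flagged paths."""
    kind = app_type(process_name)
    if kind is None or kind not in config_path_db:
        return []
    with open(config_path_db[kind], encoding="utf-8") as fh:   # steps 203-204
        roots = web_roots(kind, fh.read())
    flagged = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):            # step 206
            for name in files:
                if not name.lower().endswith(WEB_EXTENSIONS):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        content = fh.read()
                except OSError:
                    continue   # unreadable file: skip, do not abort the scan
                if any(match_content(content)):                # step 208
                    flagged.append(path)
    return sorted(flagged)


def demo():
    """Scan a constructed nginx config and web root built in a temp directory."""
    base = tempfile.mkdtemp(prefix="webshell-demo-")
    root = os.path.join(base, "www")
    os.makedirs(os.path.join(root, "uploads"))
    samples = {
        "index.php": b"<?php echo 'hello'; ?>",
        # Constructed, non-functional fragments that only carry the signature.
        "uploads/a.php": b"<?php /* sample */ eval($_POST[",
        "uploads/b.php": b"<?php /* sample */ eval ( $_GET[",
        "notes.txt": b"eval($_POST[ mentioned in documentation",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    conf = os.path.join(base, "nginx.conf")
    with open(conf, "w", encoding="utf-8") as fh:
        fh.write("server {\n    listen 80;\n    root %s;\n}\n" % root)
    flagged = scan_process("nginx: worker process", {"nginx": conf})
    return [os.path.relpath(p, root).replace(os.sep, "/") for p in flagged]


if __name__ == "__main__":
    print(demo())
```

`uploads/b.php` is caught only by the rule, because the extra whitespace defeats the keyword search; this is the case in which running both matchers, as step 208 describes, changes the outcome.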
When performing WebShell file detection, after the Web files to be detected in the Web root directory of the web application corresponding to the Web process have been obtained, in addition to detecting those Web files, it is also possible to monitor whether a Web file creation operation exists in each Web subdirectory and, when one exists, to perform WebShell file detection on the newly created Web file as well.
The detection of newly created Web files may be carried out after, before, or at the same time as the detection of the Web files to be detected in the Web root directory of the web application corresponding to the Web process.
Referring to Fig. 3, Fig. 3 is a flow diagram of WebShell file detection performed on a newly created Web file, which specifically includes the following steps:
Step 301: monitor whether a Web file creation operation exists in each Web subdirectory of the Web root directory. If a Web file creation operation exists, execute step 302.
In this step, Web file creation operations can be monitored using the inotify mechanism. inotify is an application programming interface (API) of the Linux operating system that provides a mechanism for monitoring file system events; it can monitor changes in the file system, such as file modification, addition and deletion, and provides the corresponding event notifications.
Step 302: match the newly created Web file against the preset character string to obtain the second matching result.
In this step, the second matching result may be obtained with a regular-expression matching algorithm, with a string matching algorithm, or by combining the results of the regular-expression matching algorithm and the string matching algorithm; the way the second matching result is obtained is not limited here.
Step 303: when the second matching result is a successful match, determine that the newly created Web file is a WebShell file.
When performing WebShell file detection, after the Web files to be detected in the Web root directory of the web application corresponding to the Web process have been obtained, in addition to detecting those Web files, each Web subdirectory of the Web root directory is also monitored for Web file creation operations. When one exists, the newly created Web file is matched against the preset character string and WebShell file detection is carried out according to the matching result. Because WebShell file detection is performed on a newly created Web file as soon as a Web file creation operation is observed, the timeliness of WebShell file detection is improved.
Referring to Fig. 4, Fig. 4 is another flow diagram of WebShell file detection performed on a newly created Web file, which specifically includes the following steps:
Step 401: monitor whether a subdirectory creation operation exists in each Web subdirectory of the Web root directory. If a subdirectory creation operation exists, execute step 402.
In this step, subdirectory creation operations can also be monitored using the inotify mechanism.
Step 402: judge whether a Web file exists in the newly created subdirectory. If a Web file exists, execute step 403.
Step 403: match the Web file present in the newly created subdirectory against the preset character string to obtain the third matching result.
As in step 303, in this step the third matching result may be obtained with a regular-expression matching algorithm, with a string matching algorithm, or by combining the results of the regular-expression matching algorithm and the string matching algorithm; the way the third matching result is obtained is not limited here.
Step 404: when the third matching result is a successful match, determine that the Web file present in the newly created subdirectory is a WebShell file.
When performing WebShell file detection, after the Web files to be detected in the Web root directory of the web application corresponding to the Web process have been obtained, in addition to detecting those Web files, each Web subdirectory of the Web root directory is also monitored for subdirectory creation operations. When one exists, it is judged whether a Web file exists in the newly created subdirectory; if so, the Web file present in the newly created subdirectory is matched against the preset character string and WebShell file detection is carried out according to the matching result. Because WebShell file detection is performed on the newly created Web file as soon as a Web file is found in the newly created subdirectory, the timeliness of WebShell file detection is improved.
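An added sketch (not from the patent) of how the creation events of Figs. 3 and 4 can be handled once they have been read from an inotify descriptor: it decodes raw `inotify_event` records and returns the files to match and the directories that need a watch of their own. The event buffer, the file names and the extension filter are constructed for the example.

```python
import os
import struct
import tempfile

# Mask bits from <sys/inotify.h>.
IN_CREATE = 0x00000100
IN_ISDIR = 0x40000000
# struct inotify_event header: int wd; uint32_t mask, cookie, len; then name[len].
EVENT_HEADER = struct.Struct("iIII")


def is_web_file(name):
    """Assumed filter for what counts as a Web file in this example."""
    return name.lower().endswith((".php", ".jsp", ".asp", ".aspx"))


def parse_events(buf):
    """Decode the byte stream returned by read() on an inotify descriptor."""
    offset = 0
    while offset + EVENT_HEADER.size <= len(buf):
        wd, mask, _cookie, length = EVENT_HEADER.unpack_from(buf, offset)
        offset += EVENT_HEADER.size
        # The name field is NUL-padded to `length` bytes.
        name = buf[offset:offset + length].split(b"\0", 1)[0].decode()
        offset += length
        yield wd, mask, name


def handle_events(buf, watches):
    """Map creation events to (files to match, directories to start watching).

    `watches` maps a watch descriptor to the directory it was added for.
    """
    to_scan, to_watch = [], []
    for wd, mask, name in parse_events(buf):
        if not (mask & IN_CREATE) or wd not in watches:
            continue
        path = os.path.join(watches[wd], name)
        if mask & IN_ISDIR:
            # Fig. 4: inotify watches are not recursive, and files can land in
            # the new subdirectory before a watch exists, so list it right away.
            for dirpath, _dirs, files in os.walk(path):
                to_watch.append(dirpath)
                to_scan.extend(os.path.join(dirpath, f)
                               for f in files if is_web_file(f))
        elif is_web_file(name):
            to_scan.append(path)          # Fig. 3: newly created Web file
    return sorted(to_scan), sorted(to_watch)


def make_event(wd, mask, name):
    """Build one constructed inotify_event record for the demo."""
    raw = name.encode() + b"\0"
    raw += b"\0" * (-len(raw) % 16)
    return EVENT_HEADER.pack(wd, mask, 0, len(raw)) + raw


def demo_events():
    """Replay constructed events against a temporary web root."""
    root = tempfile.mkdtemp(prefix="inotify-demo-")
    os.makedirs(os.path.join(root, "new"))
    for rel in ("new/c.php", "new/x.txt"):
        with open(os.path.join(root, rel), "wb"):
            pass
    buf = (make_event(1, IN_CREATE, "a.php")
           + make_event(1, IN_CREATE, "readme.txt")
           + make_event(1, IN_CREATE | IN_ISDIR, "new")
           + make_event(9, IN_CREATE, "ignored.php"))   # unknown descriptor
    scan, watch = handle_events(buf, {1: root})

    def rel(path):
        return os.path.relpath(path, root).replace(os.sep, "/")

    return [rel(p) for p in scan], [rel(p) for p in watch]


if __name__ == "__main__":
    print(demo_events())
```

`IN_CREATE` is delivered when the file is created, before its content has been written, so a live monitor would normally also match the file again on `IN_CLOSE_WRITE`.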
Based on the same inventive concept, the WebShell file test method provided according to that above embodiment of the present invention, accordingly Ground, one embodiment of the invention additionally provide a kind of WebShell file detection device, and structural schematic diagram is as shown in figure 5, packet It includes:
Process identity information obtains module 501, and the webpage Web process identification (PID) for obtaining Website server current time is believed Breath;
Web file acquisition module 502, for obtaining Web application corresponding with Web process according to Web process identity information Web file to be detected in the Web root of program;
First matching result obtains module 503 and obtains for matching Web file to be detected with preset characters string First matching result, preset characters string are the character string for characterizing WebShell file characteristic;
First WebShell file determining module 504, for determining to be detected when the first matching result is successful match Web file is WebShell file.
Further, Web file acquisition module 502 includes: type determination module, the first store path acquisition of information Module, configuration file acquisition submodule, the second store path acquisition of information submodule and Web file acquisition submodule;
Type determination module, for determining the corresponding web application of Web process according to Web process identity information Type;
First store path acquisition of information submodule is matched for the type according to web application from corresponding with type Set the store path information that the configuration file of web application is obtained in file store path information database;
Configuration file acquisition submodule is obtained for the store path information according to the configuration file of web application The configuration file of web application;
Second store path acquisition of information submodule, for obtaining Web application journey from the configuration file of web application The Web root store path information of sequence;
Web file acquisition submodule, for obtaining the Web of web application according to Web root store path information Web file to be detected in root.
Further, the first matching result obtaining module 503 is specifically configured to perform regular-expression matching or string matching between the Web file to be detected and the preset character string to obtain the first matching result, the first matching result including a regular-expression matching result or a string matching result.
Further, the first WebShell file determining module 504 is specifically configured to determine that the Web file to be detected is a WebShell file when the regular-expression matching result or the string matching result is a successful match.
Further, the device also includes:
Web file creation operation monitoring module, configured to monitor, after the Web file to be detected in the Web root directory of the Web application corresponding to the Web process has been obtained according to the Web process identity information, whether a Web file creation operation exists in each Web subdirectory of the Web root directory;
Second matching result obtaining module, configured to, if a Web file creation operation exists in a Web subdirectory of the Web root directory, match the newly created Web file against the preset character string to obtain a second matching result;
Second WebShell file determining module, configured to determine that the newly created Web file is a WebShell file when the second matching result is a successful match.
Further, the device also includes:
Subdirectory creation operation monitoring module, configured to monitor, after the Web file to be detected in the Web root directory of the Web application corresponding to the Web process has been obtained according to the Web process identity information, whether a subdirectory creation operation exists in each Web subdirectory of the Web root directory;
Judgment module, configured to, if a subdirectory creation operation exists in a Web subdirectory of the Web root directory, judge whether a Web file exists in the newly created subdirectory;
Third matching result obtaining module, configured to, if a Web file exists in the newly created subdirectory, match the Web file present in the newly created subdirectory against the preset character string to obtain a third matching result;
Third WebShell file determining module, configured to determine that the Web file present in the newly created subdirectory is a WebShell file when the third matching result is a successful match.
In the embodiment of the present invention, the process identity information obtaining module 501 obtains the Web process identity information of the website server at the current time; the Web file acquisition module 502 obtains, according to the Web process identity information, the Web file to be detected in the Web root directory of the Web application corresponding to the Web process; the first matching result obtaining module 503 matches the Web file to be detected against the preset character string to obtain the first matching result; and when the first matching result is a successful match, the Web file to be detected is determined to be a WebShell file. In the embodiment of the present invention, the Web directory to be detected is determined dynamically from the real-time Web process identity information at the current time, and the Web file to be detected in the Web root directory of the Web application corresponding to the Web process is matched, thereby achieving automatic detection of WebShell files.
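The flow carried out by modules 501 to 504 and the two creation-monitoring modules can be followed end to end in the sketch below, which is an added example and not code from the patent. The process-name mapping, the root-directive expressions, the single preset pattern and the use of a directory snapshot difference in place of creation monitoring are assumptions, and every file is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Assumed mapping from Web process name to Web application type.
PROCESS_TYPES = {"nginx": "nginx", "httpd": "apache", "apache2": "apache"}
# Assumed per-type expression that extracts the Web root from the config file.
ROOT_DIRECTIVES = {
    "nginx": re.compile(r"^[ \t]*root[ \t]+([^;\n]+);", re.M),
    "apache": re.compile(r'^[ \t]*DocumentRoot[ \t]+"?([^"\n]+)"?', re.M),
}
# Constructed preset string characterising a WebShell feature (illustrative only).
PRESET_PATTERNS = [re.compile(rb"eval\s*\(\s*\$_(?:POST|GET|REQUEST)\b")]
WEB_EXTENSIONS = {".php", ".jsp", ".asp", ".aspx"}


def app_types(process_names):
    """Map the current process list to the Web application types that are running."""
    return sorted({PROCESS_TYPES[n] for n in process_names if n in PROCESS_TYPES})


def web_roots(app_type, config_path):
    """Read the application's configuration file and return its Web root(s)."""
    with open(config_path, encoding="utf-8") as fh:
        text = fh.read()
    return [r.strip() for r in ROOT_DIRECTIVES[app_type].findall(text)]


def web_files(root):
    """Relative paths of every Web file under root, subdirectories included."""
    found = set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in WEB_EXTENSIONS:
                found.add(os.path.relpath(os.path.join(dirpath, name), root))
    return found


def matches(root, rel_paths):
    """Return the files whose content matches any preset pattern."""
    hits = []
    for rel in sorted(rel_paths):
        with open(os.path.join(root, rel), "rb") as fh:
            data = fh.read(1 << 20)  # bounded read: at most 1 MiB per file
        if any(p.search(data) for p in PRESET_PATTERNS):
            hits.append(rel)
    return hits


def run_demo():
    """Run the whole flow on a constructed temporary site."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "www")
        os.makedirs(os.path.join(root, "upload"))
        conf = os.path.join(base, "nginx.conf")
        with open(conf, "w", encoding="utf-8") as fh:
            fh.write("server {\n    listen 80;\n    root %s;\n}\n" % root)
        config_db = {"nginx": conf}  # stand-in for the config path database
        samples = {
            "index.php": b"<?php echo 'hello'; ?>",
            "upload/a.php": b"<?php eval($_POST['k']); ?>",  # constructed sample
            "upload/notes.txt": b"eval($_POST['k'])",  # not a Web file: skipped
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        types = app_types(["systemd", "sshd", "nginx"])  # constructed process list
        roots = web_roots(types[0], config_db[types[0]])
        seen = web_files(roots[0])
        first = matches(roots[0], seen)

        # Later: a new subdirectory containing a new Web file appears.
        os.makedirs(os.path.join(root, "img", "tmp"))
        with open(os.path.join(root, "img", "tmp", "b.php"), "wb") as fh:
            fh.write(b"<?php eval( $_REQUEST['x'] ); ?>")
        created = web_files(roots[0]) - seen
        second = matches(roots[0], created)
        return {"types": types, "root_ok": roots == [root],
                "first": first, "created": sorted(created), "second": second}


if __name__ == "__main__":
    print(run_demo())
```

A production monitor would react to file-system creation events rather than compare snapshots; the difference here only shows which files the second and third matching steps receive.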
An embodiment of the present invention also provides an electronic device which, as shown in Fig. 6, includes a processor 601, a communication interface 602, a memory 603 and a communication bus 604, wherein the processor 601, the communication interface 602 and the memory 603 communicate with one another via the communication bus 604;
Memory 603, configured to store a computer program;
Processor 601, configured to implement the following steps when executing the program stored in the memory 603:
Obtain the Web process identity information of the website server at the current time;
According to the Web process identity information, obtain the Web file to be detected in the Web root directory of the Web application corresponding to the Web process;
Match the Web file to be detected against a preset character string to obtain a first matching result, the preset character string being a character string that characterizes WebShell file features;
When the first matching result is a successful match, determine that the Web file to be detected is a WebShell file.
The communication bus mentioned for the above electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the above electronic device and other devices.
The memory may include random access memory (RAM), and may also include non-volatile memory, for example at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (Digital Signal Processing, DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In another embodiment provided by the present invention, a computer-readable storage medium is also provided. Instructions are stored in the computer-readable storage medium and, when run on a computer, cause the computer to execute the WebShell file detection method of any of the above embodiments.
In another embodiment provided by the present invention, a computer program product containing instructions is also provided which, when run on a computer, causes the computer to execute the WebShell file detection method of any of the above embodiments.
The above embodiments may be implemented wholly or partly in software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented wholly or partly in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (such as coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (such as infrared, wireless, microwave, etc.) means. The computer-readable storage medium may be any usable medium that a computer can access, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes that element.
The embodiments in this specification are described in a related manner; for the parts that are the same or similar between embodiments, reference may be made from one to another, and each embodiment focuses on its differences from the others. In particular, the device and electronic device embodiments are described relatively briefly because they are substantially similar to the method embodiment; for the relevant parts, refer to the description of the method embodiment.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention falls within the scope of protection of the present invention.

Claims (13)

1. A WebShell file detection method, characterized by comprising:
Obtaining the Web process identity information of a website server at the current time;
According to the Web process identity information, obtaining the Web file to be detected in the Web root directory of the Web application corresponding to the Web process;
Matching the Web file to be detected against a preset character string to obtain a first matching result, the preset character string being a character string that characterizes WebShell file features;
When the first matching result is a successful match, determining that the Web file to be detected is a WebShell file.
2. The method according to claim 1, characterized in that the step of obtaining, according to the Web process identity information, the Web file to be detected in the Web root directory of the Web application corresponding to the Web process comprises:
Determining the type of the Web application corresponding to the Web process according to the Web process identity information;
According to the type of the Web application, obtaining the storage path information of the configuration file of the Web application from the configuration file storage path information database corresponding to the type;
According to the storage path information of the configuration file of the Web application, obtaining the configuration file of the Web application;
Obtaining the Web root directory storage path information of the Web application from the configuration file of the Web application;
According to the Web root directory storage path information, obtaining the Web file to be detected in the Web root directory of the Web application.
3. The method according to claim 1, characterized in that the step of matching the Web file to be detected against the preset character string to obtain the first matching result comprises:
Performing regular-expression matching or string matching between the Web file to be detected and the preset character string to obtain the first matching result, the first matching result including a regular-expression matching result or a string matching result.
4. The method according to claim 3, characterized in that the step of determining that the Web file to be detected is a WebShell file when the first matching result is a successful match comprises:
When the regular-expression matching result or the string matching result is a successful match, determining that the Web file to be detected is a WebShell file.
5. The method according to claim 1, characterized in that, after the step of obtaining, according to the Web process identity information, the Web file to be detected in the Web root directory of the Web application corresponding to the Web process, the method further comprises:
Monitoring whether a Web file creation operation exists in each Web subdirectory of the Web root directory;
If so, matching the newly created Web file against the preset character string to obtain a second matching result;
When the second matching result is a successful match, determining that the newly created Web file is a WebShell file.
6. The method according to claim 1, characterized in that, after the step of obtaining, according to the Web process identity information, the Web file to be detected in the Web root directory of the Web application corresponding to the Web process, the method further comprises:
Monitoring whether a subdirectory creation operation exists in each Web subdirectory of the Web root directory;
If so, judging whether a Web file exists in the newly created subdirectory;
If a Web file exists in the newly created subdirectory, matching the Web file present in the newly created subdirectory against the preset character string to obtain a third matching result;
When the third matching result is a successful match, determining that the Web file present in the newly created subdirectory is a WebShell file.
7. A WebShell file detection device, characterized by comprising:
A process identity information obtaining module, configured to obtain the Web process identity information of a website server at the current time;
A Web file acquisition module, configured to obtain, according to the Web process identity information, the Web file to be detected in the Web root directory of the Web application corresponding to the Web process;
A first matching result obtaining module, configured to match the Web file to be detected against a preset character string to obtain a first matching result, the preset character string being a character string that characterizes WebShell file features;
A first WebShell file determining module, configured to determine that the Web file to be detected is a WebShell file when the first matching result is a successful match.
8. The device according to claim 7, characterized in that the Web file acquisition module includes: a type determination module, a first storage path information acquisition submodule, a configuration file acquisition submodule, a second storage path information acquisition submodule and a Web file acquisition submodule;
The type determination module is configured to determine, according to the Web process identity information, the type of the Web application corresponding to the Web process;
The first storage path information acquisition submodule is configured to obtain, according to the type of the Web application, the storage path information of the configuration file of the Web application from the configuration file storage path information database corresponding to the type;
The configuration file acquisition submodule is configured to obtain the configuration file of the Web application according to the storage path information of the configuration file of the Web application;
The second storage path information acquisition submodule is configured to obtain the Web root directory storage path information of the Web application from the configuration file of the Web application;
The Web file acquisition submodule is configured to obtain, according to the Web root directory storage path information, the Web file to be detected in the Web root directory of the Web application.
9. The device according to claim 7, characterized in that the first matching result obtaining module is specifically configured to perform regular-expression matching or string matching between the Web file to be detected and the preset character string to obtain the first matching result, the first matching result including a regular-expression matching result or a string matching result.
10. The device according to claim 9, characterized in that
The first WebShell file determining module is specifically configured to determine that the Web file to be detected is a WebShell file when the regular-expression matching result or the string matching result is a successful match.
11. The device according to claim 7, characterized in that the device further comprises:
A Web file creation operation monitoring module, configured to monitor, after the Web file to be detected in the Web root directory of the Web application corresponding to the Web process has been obtained according to the Web process identity information, whether a Web file creation operation exists in each Web subdirectory of the Web root directory;
A second matching result obtaining module, configured to, if a Web file creation operation exists in a Web subdirectory of the Web root directory, match the newly created Web file against the preset character string to obtain a second matching result;
A second WebShell file determining module, configured to determine that the newly created Web file is a WebShell file when the second matching result is a successful match.
12. The device according to claim 7, characterized in that the device further comprises:
A subdirectory creation operation monitoring module, configured to monitor, after the Web file to be detected in the Web root directory of the Web application corresponding to the Web process has been obtained according to the Web process identity information, whether a subdirectory creation operation exists in each Web subdirectory of the Web root directory;
A judgment module, configured to, if a subdirectory creation operation exists in a Web subdirectory of the Web root directory, judge whether a Web file exists in the newly created subdirectory;
A third matching result obtaining module, configured to, if a Web file exists in the newly created subdirectory, match the Web file present in the newly created subdirectory against the preset character string to obtain a third matching result;
A third WebShell file determining module, configured to determine that the Web file present in the newly created subdirectory is a WebShell file when the third matching result is a successful match.
13. An electronic device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another via the communication bus;
The memory is configured to store a computer program;
The processor is configured to implement the method steps of any one of claims 1-6 when executing the program stored in the memory.
CN201910181342.0A 2019-03-11 2019-03-11 A kind of WebShell file test method, device and electronic equipment Pending CN109905396A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910181342.0A CN109905396A (en) 2019-03-11 2019-03-11 A kind of WebShell file test method, device and electronic equipment

Publications (1)

Publication Number Publication Date
CN109905396A true CN109905396A (en) 2019-06-18

Family

ID=66947052

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910181342.0A Pending CN109905396A (en) 2019-03-11 2019-03-11 A kind of WebShell file test method, device and electronic equipment

Country Status (1)

Country Link
CN (1) CN109905396A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190618