CN103905422A - Method and system for searching for webshell with assistance of local simulation request - Google Patents


Info

Publication number: CN103905422A
Application number: CN201310691213.9A
Authority: CN (China)
Prior art keywords: webshell, return data, web page, page files, files
Other languages: Chinese (zh)
Other versions: CN103905422B (en)
Inventors: 刘佳男, 白淳升, 李柏松
Original assignee: 哈尔滨安天科技股份有限公司 (Harbin Antiy Technology Co., Ltd.)
Priority date and filing date: 2013-12-17
Publication date: 2014-07-02 (CN103905422A); grant published 2017-04-26 (CN103905422B)
Status: application granted

Abstract

The invention discloses a method and system for searching for webshell with the assistance of a local simulation request. The method comprises the following steps: first, the configuration files of a web server are read to obtain related information about the web server, the related information comprising the number of websites and the paths, domain names or port numbers of the websites; all files in each website are traversed in turn, the web page files are screened out, and their path information is stored; according to the path information, a local simulation request accesses the web page files in turn to obtain return data; feature scanning is performed on the return data, and a detection result is generated from the scanning results. The method can also be used to detect encrypted webshells.

Description

Method and system for searching for webshell with the assistance of a local simulation request
Technical field
The present invention relates to the field of information security technology, and in particular to a method and system for searching for webshell with the assistance of a local simulation request.
Background art
A webshell is a command execution environment that exists in the form of a web page file such as asp, php, jsp or cgi; it can also be called a web page backdoor. After breaking into a website, an intruder usually places the webshell backdoor file in the web directory of the web server, where it is mixed in with the normal web page files under that directory and is not easily discovered. The intruder can then access the webshell over the web to obtain a command execution environment and thereby control the website or the web server; the operations available include uploading and downloading files, viewing the database and executing arbitrary program commands. In web intrusions the webshell serves as a script-based attack tool.
An intruder can deploy a webshell backdoor in many ways, for example by direct upload, by tampering with the permitted upload types and then uploading, by abusing the back-end management functions of the web system, by abusing the backup, recovery and query functions of the database, and by various other methods. Once deployment succeeds, the intruder can operate the web server to some degree through the website's port.
Because the data exchanged between the webshell and the controlled web server or remote host all travels over port 80, a firewall cannot intercept it. Using a webshell generally leaves no record in the system log; only some data submission records remain in the web server log, and an administrator who is unfamiliar with them has difficulty spotting the traces of the intrusion.
The code of most webshell files is encrypted, and so evades detection and removal by web application firewalls and anti-virus software. As detection engines have matured and become openly available (for example multi-engine scanning such as VirusTotal), the wide availability of multi-engine scanning has in turn helped webshell authors improve their evasion and encryption techniques, and the various techniques for bypassing anti-virus monitoring systems are publicly disclosed, so that the detection and removal of today's webshells faces a severe situation. Traditional detection methods can only detect a limited set of webshell encryption modes, and an attacker can use all kinds of custom encryption to hide from detection.
Summary of the invention
To address the above technical problem, the invention provides a method and system for searching for webshell with the assistance of a local simulation request. The method accesses all web page files through a local simulation request, obtains the return data, and performs feature detection on the return data, thereby identifying webshell pages; encrypted webshell pages can be identified just as effectively.
The present invention is realized by the following method, a method for searching for webshell with the assistance of a local simulation request, comprising:
reading the web server configuration file to obtain related information about the web server, the related information comprising: the number of websites, their paths, domain names or port numbers;
traversing all files under each website in turn, screening out the web page files, and saving the path information of the web page files;
according to the path information, accessing each web page file in turn with a local simulation request and obtaining the return data;
performing feature scanning on the return data and generating a detection report according to the scanning result.
Further, the web page files comprise web page files in asp, php, jsp or cgi format.
Further, the features used in feature scanning of the return data are obtained by: obtaining the return data of webshells and extracting the webshell plain-text fields as features.
Further, the features used in feature scanning of the return data are obtained by: for webshells with a login password, extracting key fields as features.
The present invention is realized by the following system, a system for searching for webshell with the assistance of a local simulation request, comprising:
a related information acquisition module, for reading the web server configuration file to obtain related information about the web server, the related information comprising: the number of websites, their paths, domain names or port numbers;
a page path acquisition module, for traversing all files under each website in turn, screening out the web page files, and saving the path information of the web page files;
a request simulation module, for accessing each web page file in turn with a local simulation request according to the path information and obtaining the return data;
a feature scanning module, for performing feature scanning on the return data and generating a detection report according to the scanning result.
Further, the web page files comprise web page files in asp, php, jsp or cgi format.
Further, the features used in feature scanning of the return data are obtained by: obtaining the return data of webshells and extracting the webshell plain-text fields as features.
Further, the features used in feature scanning of the return data are obtained by: for webshells with a login password, extracting key fields as features.
In summary, the invention provides a method and system for searching for webshell with the assistance of a local simulation request. The method and system mainly obtain the path information of all web page files under the web server, use that path information to issue simulation requests that access those web page files, and perform detection on the plain-text data returned. The features used in detection are obtained by extracting plain-text fields from the return data of known webshells, or, for webshell pages with a login password, by extracting their key fields as features. This technical scheme can effectively overcome the defect that existing schemes cannot effectively identify encrypted webshells.
Brief description of the drawings
In order to illustrate the technical scheme of the invention more clearly, the drawings required by the embodiments are briefly described below. Obviously, the drawings described below are only some of the embodiments recorded in the invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is the flow chart of the method for searching for webshell with the assistance of a local simulation request provided by the invention;
Fig. 2 is the structural diagram of the system for searching for webshell with the assistance of a local simulation request provided by the invention.
Embodiments
The present invention provides a method and system for searching for webshell with the assistance of a local simulation request. So that those skilled in the art can better understand the technical scheme in the embodiments of the invention, and so that the above purpose, features and advantages of the invention become more apparent, the technical scheme of the invention is described in further detail below with reference to the drawings:
First, the invention provides a method for searching for webshell with the assistance of a local simulation request which, as shown in Fig. 1, comprises:
S101: read the web server configuration file to obtain related information about the web server; the related information comprises the number of websites, their paths, domain names or port numbers, for example baidu.com:81, baiduba.com:8080 and so on;
The web server configuration file can be located by traversing the registry for the key values of web servers such as IIS or Apache, finding the installation path from the key contents, and then reading the web server configuration file from the installation path to obtain the site paths, the number of websites, the domain names, the port numbers and similar information;
For example, the default Apache server configuration file /etc/apache2/httpd.conf is parsed to obtain the website IP, port, site root directory and similar information.
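As an added example for step S101 (my code, not the patent's or Antiy's), the following Python parser extracts one record per website from the Apache httpd.conf layout the paragraph mentions: the global ServerName, DocumentRoot and Listen directives plus every VirtualHost block give the domain name, port and site root that the later traversal step needs. The configuration text is constructed for the example; listing the global server block once per Listen port as a default site is a simplification of Apache's real virtual-host matching, chosen so that the site count matches what S101 asks for.

```python
import re

# Constructed sample of an Apache httpd.conf fragment; not taken from the patent.
SAMPLE_HTTPD_CONF = """
Listen 80
Listen 8080
ServerName www.example.test
DocumentRoot "/var/www/html"

<VirtualHost *:80>
    ServerName shop.example.test
    DocumentRoot "/var/www/shop"
</VirtualHost>

<VirtualHost 10.0.0.5:8080>
    # admin site on a non-default port
    ServerName admin.example.test
    DocumentRoot /var/www/admin
</VirtualHost>
"""

_VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
_DIRECTIVE_RE = re.compile(r"^\s*(ServerName|DocumentRoot|Listen)\s+(\S.*?)\s*$", re.I | re.M)


def _strip_comments(text):
    """Drop '#' comments so a commented-out DocumentRoot is not picked up."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def _port_of(addr_spec, default):
    """'*:80' -> 80, '10.0.0.5:8080' -> 8080, '8080' -> 8080, '*' -> default."""
    _host, sep, port = addr_spec.rpartition(":")
    if not sep:
        port = addr_spec
    return int(port) if port.isdigit() else default


def parse_apache_sites(conf_text):
    """Return one {'host', 'port', 'root'} record per website found in the config.
    The global server block is listed once per Listen port as a default site (a
    simplification of Apache's vhost matching); every VirtualHost adds one more site."""
    text = _strip_comments(conf_text)
    global_text = _VHOST_RE.sub("", text)

    listen_ports, global_dirs = [], {}
    for name, value in _DIRECTIVE_RE.findall(global_text):
        name, value = name.lower(), value.strip('"')
        if name == "listen":
            listen_ports.append(_port_of(value, 80))
        else:
            global_dirs[name] = value
    default_port = listen_ports[0] if listen_ports else 80

    sites = []
    if "documentroot" in global_dirs:
        for port in listen_ports or [default_port]:
            sites.append({"host": global_dirs.get("servername", "localhost"),
                          "port": port, "root": global_dirs["documentroot"]})

    for addr_spec, body in _VHOST_RE.findall(text):
        dirs = {n.lower(): v.strip('"') for n, v in _DIRECTIVE_RE.findall(body)}
        if "documentroot" not in dirs:      # a vhost without a root serves nothing to scan
            continue
        first_addr = addr_spec.split()[0]   # "<VirtualHost a:80 b:80>" may list several
        sites.append({"host": dirs.get("servername", global_dirs.get("servername", "localhost")),
                      "port": _port_of(first_addr, default_port),
                      "root": dirs["documentroot"]})
    return sites


def site_labels(sites):
    """Render sites in the 'domain:port' form the patent uses, e.g. baidu.com:81."""
    return [f"{s['host']}:{s['port']}" for s in sites]


if __name__ == "__main__":
    found = parse_apache_sites(SAMPLE_HTTPD_CONF)
    for label, site in zip(site_labels(found), found):
        print(label, "->", site["root"])
```

Include directives, IIS applicationHost.config and the registry lookup the paragraph mentions are not handled here; the IIS case needs a different parser, and on a real host the path to httpd.conf should come from the installation path rather than being assumed.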
S102: traverse all files under each website in turn, screen out the web page files, and save the path information of the web page files;
S103: according to the path information, access each web page file in turn with a local simulation request and obtain the return data;
S104: perform feature scanning on the return data and generate a detection report according to the scanning result.
Preferably, the web page files comprise web page files in asp, php, jsp or cgi format.
Preferably, the features used in feature scanning of the return data are obtained by: obtaining the return data of webshells and extracting the webshell plain-text fields as features. The plain-text fields comprise strings such as File Manager, CMD, SHELL, Process, file management, scanning and system information.
Preferably, the features used in feature scanning of the return data are obtained by: for webshells with a login password, extracting key fields as features.
The key fields comprise: <input name="passtext" type="password" id="passtext"> or <input type="hidden" name="__VIEWSTATE">, that is, text controls of this kind that have the password type.
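As an added example for steps S102 to S104 and the two preferred feature sets above (my code, not the patent's or Antiy's), the Python below walks a site root for asp/php/jsp/cgi files, requests each one and scans the response the server returns rather than the file on disk; that is the point of the local simulation request, since the server executes the script and the rendered page exposes the plain-text fields even when the source is encrypted. The fetch step is pluggable: local_http_fetch performs a real request to the local listener with the site's Host header set, while the demo uses a constructed fake fetcher and constructed response bodies so the block runs offline. The feature strings and key fields are the ones the page names; the verdict thresholds are my assumption.

```python
import os
import re
import tempfile
import urllib.error
import urllib.request
from urllib.parse import quote

# Web page file types the patent lists (S102).
PAGE_EXTENSIONS = {".asp", ".php", ".jsp", ".cgi"}

# Plain-text fields the patent names as webshell features; matched as whole words, case-insensitively.
PLAINTEXT_FEATURES = ["File Manager", "CMD", "SHELL", "Process",
                      "file management", "scanning", "system information"]
_FEATURE_RES = [(f, re.compile(r"\b" + re.escape(f) + r"\b", re.I)) for f in PLAINTEXT_FEATURES]

# Key fields for password-protected shells: a password-type input, and the hidden
# __VIEWSTATE field the patent mentions for ASP.NET pages.
_PASSWORD_INPUT_RE = re.compile(r"<input[^>]*\btype\s*=\s*[\"']?password\b", re.I)
_VIEWSTATE_RE = re.compile(r"<input[^>]*\bname\s*=\s*[\"']?__VIEWSTATE\b", re.I)


def collect_page_files(root):
    """S102: walk the site root and keep only page files, as paths relative to the root."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in PAGE_EXTENSIONS:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def local_http_fetch(host, port, rel_path, timeout=5):
    """S103 over real HTTP: connect to the local listener and send the site's Host header
    so name-based virtual hosts resolve without DNS; the body is returned even on 4xx/5xx."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/{quote(rel_path)}",
                                 headers={"Host": f"{host}:{port}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def scan_response(body):
    """S104: feature scan of the rendered page that the server returned."""
    return {
        "plaintext_hits": [name for name, rx in _FEATURE_RES if rx.search(body)],
        "login_field": bool(_PASSWORD_INPUT_RE.search(body)),
        "viewstate": bool(_VIEWSTATE_RE.search(body)),
    }


def verdict(scan):
    """Thresholds are this example's assumption, not the patent's: two plain-text features,
    or a password field plus one feature, is reported as webshell; a single signal is only
    suspicious. __VIEWSTATE is recorded but not scored, since every ASP.NET WebForms page has it."""
    hits = len(scan["plaintext_hits"])
    if hits >= 2 or (scan["login_field"] and hits >= 1):
        return "webshell"
    if hits == 1 or scan["login_field"]:
        return "suspicious"
    return "clean"


def scan_site(root, host, port, fetch):
    """Run S102-S104 for one site; fetch(host, port, rel_path) performs the local request."""
    report = []
    for rel in collect_page_files(root):
        scan = scan_response(fetch(host, port, rel))
        report.append({"path": rel, "url": f"http://{host}:{port}/{rel}",
                       "verdict": verdict(scan), **scan})
    return report


# Constructed demo site: the files on disk stand in for (possibly encoded) scripts, and
# SAMPLE_RESPONSES stands in for what the web server would render for each of them.
SAMPLE_FILES = {
    "index.php": "<?php /* ordinary page */ ?>",
    "images/logo.png": "PNG",                        # not a page file, must be skipped
    "admin/helper.php": "<?php /* encoded script */ ?>",
    "upload/login.asp": "<% ' encoded script %>",
}
SAMPLE_RESPONSES = {
    "index.php": "<html><h1>Welcome</h1><p>Processing your order...</p></html>",
    "admin/helper.php": ("<html><title>File Manager</title><a href='?a=cmd'>CMD</a>"
                         "<a href='?a=proc'>Process</a><form><input type='password'"
                         " name='passtext' id='passtext'></form></html>"),
    "upload/login.asp": ('<form method="post"><input type="hidden" name="__VIEWSTATE" value="x">'
                         '<input name="passtext" type="password" id="passtext"></form>'),
}


def run_demo():
    """Materialise the constructed site in a temp directory and scan it with a fake fetcher."""
    def fake_fetch(_host, _port, rel):
        return SAMPLE_RESPONSES[rel]

    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        return scan_site(root, "shop.example.test", 8080, fake_fetch)


if __name__ == "__main__":
    for row in run_demo():
        print(row["verdict"].ljust(10), row["url"], row["plaintext_hits"])
```

Two practical notes on this design. The feature strings are short and generic, so an ordinary admin panel or a legitimate login form will score as suspicious; the report keeps the matched features so a reviewer can triage rather than trusting the verdict alone. And because S103 requests every script on the site, each one is executed by the server during the scan, so the scan should be run against a copy or with that side effect accepted.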
The present invention also provides a system for searching for webshell with the assistance of a local simulation request which, as shown in Fig. 2, comprises:
a related information acquisition module 201, for reading the web server configuration file to obtain related information about the web server, the related information comprising: the number of websites, their paths, domain names or port numbers;
a page path acquisition module 202, for traversing all files under each website in turn, screening out the web page files, and saving the path information of the web page files;
a request simulation module 203, for accessing each web page file in turn with a local simulation request according to the path information and obtaining the return data;
a feature scanning module 204, for performing feature scanning on the return data and generating a detection report according to the scanning result.
Preferably, the web page files comprise web page files in asp, php, jsp or cgi format.
Preferably, the features used in feature scanning of the return data are obtained by: obtaining the return data of webshells and extracting the webshell plain-text fields as features.
Preferably, the features used in feature scanning of the return data are obtained by: for webshells with a login password, extracting key fields as features.
As described above, the invention has given specific embodiments of a method and system for searching for webshell with the assistance of a local simulation request. The difference from conventional methods is that most current technical schemes cannot effectively identify encrypted webshells. The technical scheme given by the invention reads the web server configuration file to obtain the number of websites, their paths and similar information, screens all files under each website to find all web page files and obtain their paths, and, since accessing a web page file returns plain-text features, uses a simulation request to access the web page files and performs feature scanning on the return data. Webshell pages can thereby be identified effectively, which solves the problem that existing methods cannot detect encrypted or obfuscated webshells.
The above embodiments are intended to illustrate, not to limit, the technical scheme of the invention. Any modification or partial replacement that does not depart from the spirit and scope of the invention shall fall within the scope of the claims of the invention.

Claims (8)

1. A method for searching for webshell with the assistance of a local simulation request, characterized in that it comprises:
reading the web server configuration file to obtain related information about the web server, the related information comprising: the number of websites, their paths, domain names or port numbers;
traversing all files under each website in turn, screening out the web page files, and saving the path information of the web page files;
according to the path information, accessing each web page file in turn with a local simulation request and obtaining the return data;
performing feature scanning on the return data and generating a detection report according to the scanning result.
2. The method of claim 1, characterized in that the web page files comprise web page files in asp, php, jsp or cgi format.
3. The method of claim 1, characterized in that the features used in feature scanning of the return data are obtained by: obtaining the return data of webshells and extracting the webshell plain-text fields as features.
4. The method of claim 1, characterized in that the features used in feature scanning of the return data are obtained by: for webshells with a login password, extracting key fields as features.
5. A system for searching for webshell with the assistance of a local simulation request, characterized in that it comprises:
a related information acquisition module, for reading the web server configuration file to obtain related information about the web server, the related information comprising: the number of websites, their paths, domain names or port numbers;
a page path acquisition module, for traversing all files under each website in turn, screening out the web page files, and saving the path information of the web page files;
a request simulation module, for accessing each web page file in turn with a local simulation request according to the path information and obtaining the return data;
a feature scanning module, for performing feature scanning on the return data and generating a detection report according to the scanning result.
6. The system of claim 5, characterized in that the web page files comprise web page files in asp, php, jsp or cgi format.
7. The system of claim 5, characterized in that the features used in feature scanning of the return data are obtained by: obtaining the return data of webshells and extracting the webshell plain-text fields as features.
8. The system of claim 5, characterized in that the features used in feature scanning of the return data are obtained by: for webshells with a login password, extracting key fields as features.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310691213.9A CN103905422B (en) 2013-12-17 2013-12-17 Method and system for searching for webshell with assistance of local simulation request

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310691213.9A CN103905422B (en) 2013-12-17 2013-12-17 Method and system for searching for webshell with assistance of local simulation request

Publications (2)

Publication Number Publication Date
CN103905422A (en) 2014-07-02
CN103905422B (en) 2017-04-26

Family

ID=50996576

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310691213.9A CN103905422B (en) 2013-12-17 2013-12-17 Method and system for searching for webshell with assistance of local simulation request

Country Status (1)

Country Link
CN (1) CN103905422B (en)

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060294199A1 (en) * 2005-06-24 2006-12-28 The Zeppo Network, Inc. Systems and Methods for Providing A Foundational Web Platform
CN101471818A (en) * 2007-12-24 2009-07-01 北京启明星辰信息技术股份有限公司 Detection method and system for malevolence injection script web page
CN101527660A (en) * 2009-04-03 2009-09-09 华为技术有限公司 Alarm method, associated equipment and system
CN101587527A (en) * 2009-07-08 2009-11-25 北京东方微点信息技术有限责任公司 Method and apparatus for scanning virus program
CN101599947A (en) * 2008-06-06 2009-12-09 盛大计算机(上海)有限公司 Trojan horse virus scanning method based on the WEB webpage
CN101692267A (en) * 2009-09-15 2010-04-07 北京大学 Method and system for detecting large-scale malicious web pages
CN101808093A (en) * 2010-03-15 2010-08-18 北京安天电子设备有限公司 System and method for automatically detecting WEB security
US20110016528A1 (en) * 2008-08-15 2011-01-20 Venus Info Tech Inc. Method and Device for Intrusion Detection
CN102088379A (en) * 2011-01-24 2011-06-08 国家计算机网络与信息安全管理中心 Detecting method and device of client honeypot webpage malicious code based on sandboxing technology
CN102104601A (en) * 2011-01-14 2011-06-22 无锡市同威科技有限公司 Web vulnerability scanning method and device based on infiltration technology
CN102158499A (en) * 2011-06-02 2011-08-17 国家计算机病毒应急处理中心 Trojan-embedded website detection method based on hyper text transfer protocol (HTTP) traffic analysis
CN102254111A (en) * 2010-05-17 2011-11-23 北京知道创宇信息技术有限公司 Malicious site detection method and device
CN103065089A (en) * 2012-12-11 2013-04-24 深信服网络科技(深圳)有限公司 Method and device for detecting webpage Trojan horses
CN103258163A (en) * 2013-05-15 2013-08-21 腾讯科技(深圳)有限公司 Script virus identifying method, script virus identifying device and script virus identifying system
CN103294952A (en) * 2012-11-29 2013-09-11 北京安天电子设备有限公司 Method and system for detecting webshell based on page relation

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
石磊, 宋昭 (Shi Lei, Song Zhao): "wehshell检测的新思路" (New ideas for webshell detection), 《第二届全国信息安全等级保护技术大会会议论文集》 (Proceedings of the Second National Conference on Information Security Classified Protection Technology) *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104331663A (en) * 2014-10-31 2015-02-04 北京奇虎科技有限公司 Detection method of web shell and web server
CN104331663B (en) * 2014-10-31 2017-09-01 北京奇虎科技有限公司 Web shell detection method and web server
CN105760379A (en) * 2014-12-16 2016-07-13 中国移动通信集团公司 Webshell page detection method and device based on intra-domain page association
CN105760379B (en) * 2014-12-16 2020-01-21 中国移动通信集团公司 Method and device for detecting webshell page based on intra-domain page association relation
CN107770133A (en) * 2016-08-19 2018-03-06 北京升鑫网络科技有限公司 A kind of adaptability webshell detection methods and system
CN107770133B (en) * 2016-08-19 2020-08-14 北京升鑫网络科技有限公司 Adaptive webshell detection method and system
CN106992981A (en) * 2017-03-31 2017-07-28 北京知道创宇信息技术有限公司 A kind of website back door detection method, device and computing device
CN106992981B (en) * 2017-03-31 2020-04-07 北京知道创宇信息技术股份有限公司 Website backdoor detection method and device and computing equipment
CN107493278A (en) * 2017-08-10 2017-12-19 杭州迪普科技股份有限公司 A kind of two-way encryption webshell access method and device
CN107493278B (en) * 2017-08-10 2020-09-08 杭州迪普科技股份有限公司 Access method and device for bidirectional encrypted webshell
CN107911433A (en) * 2017-12-21 2018-04-13 上海数烨数据科技有限公司 A kind of LAN cluster system access method based on WebShell

Also Published As

Publication number Publication date
CN103905422B (en) 2017-04-26

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right
    Denomination of invention: Method and system for searching for webshell with assistance of local simulation request
    Effective date of registration: 20170621
    Granted publication date: 20170426
    Pledgee: Bank of Longjiang, Limited by Share Ltd, Harbin Limin branch
    Pledgor: Harbin Antiy Technology Co., Ltd.
    Registration number: 2017110000004
PC01 Cancellation of the registration of the contract for pledge of patent right
    Date of cancellation: 20190614
    Granted publication date: 20170426
    Pledgee: Bank of Longjiang, Limited by Share Ltd, Harbin Limin branch
    Pledgor: Harbin Antiy Technology Co., Ltd.
    Registration number: 2017110000004
CP03 Change of name, title or address
    Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin High-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)
    Patentee after: Harbin antiy Technology Group Limited by Share Ltd
    Address before: 150090 room 506, Hongqi Street, Nangang District, Harbin Development Zone, Heilongjiang, China, 162
    Patentee before: Harbin Antiy Technology Co., Ltd.
PE01 Entry into force of the registration of the contract for pledge of patent right
    Denomination of invention: Method and system for searching for webshell with assistance of local simulation request
    Effective date of registration: 20190828
    Granted publication date: 20170426
    Pledgee: Bank of Longjiang, Limited by Share Ltd, Harbin Limin branch
    Pledgor: Harbin antiy Technology Group Limited by Share Ltd
    Registration number: Y2019230000002