CN103905422A - Method and system for searching for webshell with assistance of local simulation request

Info

Publication number: CN103905422A (granted as CN103905422B)
Application number: CN201310691213.9A
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 刘佳男, 白淳升, 李柏松
Original assignee: 哈尔滨安天科技股份有限公司
Application filed by 哈尔滨安天科技股份有限公司; priority and filing date 2013-12-17
Publication of CN103905422A: 2014-07-02; grant published as CN103905422B: 2017-04-26

Abstract

The invention discloses a method and system for searching for webshells with the assistance of a local simulated request. The method includes the following steps: first, the configuration file of the web server is read to obtain information about the web server, namely the number of websites and their paths, domain names or port numbers; then all files under each website are traversed in turn, web page files are screened out, and their path information is stored; according to that path information, a local simulated request accesses each web page file in turn to obtain the returned data; finally, signature scanning is performed on the returned data and a detection result is generated from the scan results. The method can also detect encrypted webshells.

Description

Method and system for searching for webshells with the assistance of a local simulated request

Technical field

The present invention relates to the field of information security technology, and in particular to a method and system for searching for webshells with the assistance of a local simulated request.

Background technology

A webshell is a command-execution environment that exists in the form of a web page file such as asp, php, jsp or cgi; it can also be called a web page backdoor. After breaking into a website, an intruder usually places the webshell backdoor file in the web directory of the web server, where it is mixed in with the normal web page files under that directory and is hard to find. The intruder can then access the webshell over the web to obtain a command-execution environment and so control the website or web server; the operations available include uploading and downloading files, viewing the database, and executing arbitrary program commands. In a web intrusion, the webshell serves as a script-based attack tool.

Intruders deploy webshell backdoors in many ways: direct upload, modifying a file locally and then uploading it, abusing the back-end management functions of the web system, abusing the backup, restore and query functions of the database, and various other methods. Once deployment succeeds, the intruder obtains, through the website port, a degree of operating authority over the web server.

Because all data exchanged between the webshell and the controlled web server or remote host is transmitted over port 80, it is not intercepted by the firewall. Using a webshell generally leaves no record in the system log and only some data-submission records in the web server log, so an inexperienced administrator finds it hard to spot traces of the intrusion.

The code of most webshell files is encrypted, which bypasses detection by web application firewalls and anti-virus software. As detection engines have matured and become openly available (for example the multi-engine scanning of virustotal), the large number of multi-engine scanners has made it easier to improve webshell evasion and encryption techniques, and various techniques for bypassing anti-virus monitoring systems have been published, so current webshell detection faces a severe situation. Traditional detection methods can only detect webshells that use a limited set of encryption schemes, and an attacker can use all kinds of custom encryption schemes to evade detection.

Summary of the invention

In view of the above technical problems, the invention provides a method and system for searching for webshells with the assistance of a local simulated request. The method accesses all web page files through a local simulated request, obtains the returned data, and performs feature detection on the returned data, thereby identifying webshell pages; encrypted webshell pages are identified equally effectively.

The present invention is realized by the following method, a method for searching for webshells with the assistance of a local simulated request, comprising:

reading the web server configuration file to obtain information about the web server, the information comprising: the number of websites, and their paths, domain names or port numbers;

traversing all files under each website in turn, screening out the web page files, and storing the path information of the web page files;

according to the path information, accessing the web page files in turn by means of a local simulated request, and obtaining the returned data;

performing signature scanning on the returned data, and generating a detection report according to the scan results.

Further, the web page files comprise web page files in asp, php, jsp or cgi format.

Further, the signatures used in the signature scanning of the returned data are obtained by: obtaining the returned data of known webshells, and extracting plaintext fields of the webshell as signatures.

Further, the signatures used in the signature scanning of the returned data are obtained by: for webshells with a login password, extracting key fields as signatures.

The present invention is realized by the following system, a system for searching for webshells with the assistance of a local simulated request, comprising:

an information acquisition module, for reading the web server configuration file and obtaining information about the web server, the information comprising: the number of websites, and their paths, domain names or port numbers;

a page path acquisition module, for traversing all files under each website in turn, screening out the web page files, and storing the path information of the web page files;

a request simulation module, for accessing the web page files in turn by means of a local simulated request according to the path information, and obtaining the returned data;

a signature scanning module, for performing signature scanning on the returned data and generating a detection report according to the scan results.

Further, the web page files comprise web page files in asp, php, jsp or cgi format.

Further, the signatures used in the signature scanning of the returned data are obtained by: obtaining the returned data of known webshells, and extracting plaintext fields of the webshell as signatures.

Further, the signatures used in the signature scanning of the returned data are obtained by: for webshells with a login password, extracting key fields as signatures.

In summary, the invention provides a method and system for searching for webshells with the assistance of a local simulated request. The method and system mainly obtain the path information of all web page files under the web server, use that path information to simulate requests that access these web page files, and perform detection on the plaintext data returned. The signatures used in detection are obtained by extracting plaintext fields from the returned data of known webshells, or, for webshell pages with a login password, by extracting their key fields as signatures. This technical scheme effectively overcomes the defect that existing schemes cannot effectively identify encrypted webshells.

Brief description of the drawings

In order to illustrate the technical scheme of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. Clearly, the drawings described below are only some of the embodiments recorded in the present invention; those of ordinary skill in the art can also obtain other drawings from these drawings without creative effort.

Fig. 1 is the flow chart of the method for searching for webshells with the assistance of a local simulated request provided by the invention;

Fig. 2 is the structural diagram of the system for searching for webshells with the assistance of a local simulated request provided by the invention.

Embodiment

The present invention provides a method and system for searching for webshells with the assistance of a local simulated request. In order to enable those skilled in the art to better understand the technical scheme in the embodiments of the present invention, and to make the above purpose, features and advantages of the invention more apparent, the technical scheme of the invention is described in further detail below with reference to the drawings:

First, the present invention provides a method for searching for webshells with the assistance of a local simulated request, which, as shown in Fig. 1, comprises:

S101: reading the web server configuration file to obtain information about the web server; the information comprises: the number of websites, and their paths, domain names or port numbers, for example baidu.com:81, baiduba.com:8080, etc.;

The web server configuration file can be found by traversing the registry for the key values of web servers such as IIS and Apache, obtaining the installation path from the key contents, and then reading the web server configuration file from the installation path to obtain information such as the website paths, the number of websites, domain names or port numbers;

For example: the default configuration file of the Apache server is /etc/apache2/httpd.conf, from which information such as the website IP, port and site root directory is parsed.

S102: traversing all files under each website in turn, screening out the web page files, and storing the path information of the web page files;

S103: according to the path information, accessing the web page files in turn by means of a local simulated request, and obtaining the returned data;

S104: performing signature scanning on the returned data, and generating a detection report according to the scan results.

Preferably, the web page files comprise web page files in asp, php, jsp or cgi format.

Preferably, the signatures used in the signature scanning of the returned data are obtained by: obtaining the returned data of known webshells, and extracting plaintext fields of the webshell as signatures. The plaintext fields comprise strings such as File Manager, CMD, SHELL, Process, file management, scanning and system information.

Preferably, the signatures used in the signature scanning of the returned data are obtained by: for webshells with a login password, extracting key fields as signatures.

The key fields comprise: <input name="passtext" type="password" id="passtext"> or <input type="hidden" name="__VIEWSTATE">, that is, text controls of the password type.
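The following is an added example, written for this page and not code from the patent or its assignee, showing how steps S101 to S104 fit together as one pipeline. It assumes an Apache configuration expressed with the real Listen, VirtualHost, ServerName and DocumentRoot directives, and it assumes that the "local simulated request" is an HTTP GET sent to 127.0.0.1 on the site's port with the Host header set to the site's domain name. The function names (parse_apache_config, find_page_files, local_request, scan_return_data, run_scan, demo) are the example's own. The plaintext signatures are the strings named in the description, matched as whole words; the form signatures are the password input and the hidden __VIEWSTATE field. The fetcher is injectable, so demo() runs offline against constructed files and constructed rendered output; in the sample, the suspicious file's source on disk is opaque and only the server-rendered response carries the plaintext strings, which is exactly the case the method is designed for.

```python
"""Added example (not the patent's own code): a minimal scanner that follows
steps S101-S104 above. Names such as parse_apache_config, find_page_files,
local_request, scan_return_data, run_scan and demo are assumptions. The HTTP
fetcher is injectable, so demo() runs offline against constructed files."""
import os
import re
import tempfile
import urllib.request
from urllib.parse import quote

PAGE_EXTS = {".asp", ".php", ".jsp", ".cgi"}  # page formats named in the description

# Plaintext signatures listed in the description, matched as whole words, case-insensitive.
PLAINTEXT_SIGS = [(s, re.compile(r"\b%s\b" % re.escape(s), re.I))
                  for s in ("File Manager", "CMD", "SHELL", "Process", "System Information")]
# Login-form signatures: a password input, or the hidden __VIEWSTATE field.
FORM_SIGS = [("password input", re.compile(r'<input[^>]*type\s*=\s*["\']?password', re.I)),
             ("hidden __VIEWSTATE", re.compile(r'<input[^>]*name\s*=\s*["\']?__VIEWSTATE', re.I))]

VHOST_RE = re.compile(r"<VirtualHost\s+[^:>\s]*:?(\d+)?\s*>(.*?)</VirtualHost>", re.I | re.S)


def _directive(body, name):
    """Value of the first `name` directive in an Apache config fragment (quotes stripped)."""
    m = re.search(r'^[ \t]*%s[ \t]+"?([^"\n]+)"?' % name, body, re.M | re.I)
    return m.group(1).strip() if m else None


def parse_apache_config(text):
    """S101: list the sites (root, host, port) described by httpd.conf-style text."""
    listen = re.search(r"^[ \t]*Listen[ \t]+(?:\S*:)?(\d+)", text, re.M | re.I)
    default_port = int(listen.group(1)) if listen else 80
    sites = []
    for port, body in VHOST_RE.findall(text):
        root = _directive(body, "DocumentRoot")
        if root:
            sites.append({"root": root, "host": _directive(body, "ServerName") or "localhost",
                          "port": int(port) if port else default_port})
    if not sites and _directive(text, "DocumentRoot"):  # no vhosts: one default site
        sites.append({"root": _directive(text, "DocumentRoot"),
                      "host": "localhost", "port": default_port})
    return sites


def find_page_files(root):
    """S102: walk the site root and keep web page files, as '/'-separated paths relative to root."""
    found = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            if os.path.splitext(n)[1].lower() in PAGE_EXTS:
                found.append(os.path.relpath(os.path.join(dirpath, n), root).replace(os.sep, "/"))
    return sorted(found)


def local_request(site, relpath, timeout=5):
    """S103 default fetcher: GET the page through the local server, Host set to the site name."""
    req = urllib.request.Request("http://127.0.0.1:%d/%s" % (site["port"], quote(relpath)),
                                 headers={"Host": site["host"]})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except OSError:  # connection refused, timeout or HTTP error: nothing to scan
        return ""


def scan_return_data(data):
    """S104: names of the signatures that fire on the returned (server-rendered) data."""
    return [name for name, rx in PLAINTEXT_SIGS + FORM_SIGS if rx.search(data)]


def run_scan(config_text, fetch=local_request):
    """Whole pipeline; the detection report is a list of findings, one per flagged page."""
    report = []
    for site in parse_apache_config(config_text):
        for rel in find_page_files(site["root"]):
            hits = scan_return_data(fetch(site, rel))
            if hits:
                report.append({"site": site["host"], "port": site["port"], "page": rel, "hits": hits})
    return report


def demo():
    """Constructed sample run (no real server): two sites on disk and a fake fetcher that
    returns what the server would render. The suspicious file's source is opaque; only
    its rendered output carries the plaintext strings, which is the point of the method."""
    base = tempfile.mkdtemp()
    files = {"site1/index.php": "<?php echo 'Welcome to the company home page'; ?>",
             "site1/img/c.php": "<?php /* encoded payload; the scanner never reads this */ ?>",
             "site2/login.asp": '<html><form><input type="password" name="passtext"></form></html>'}
    for rel, body in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    rendered = {"index.php": "<html>Welcome to the company home page</html>",
                "img/c.php": "<html><title>File Manager</title><a>CMD</a></html>",
                "login.asp": files["site2/login.asp"]}
    config = ('Listen 8080\n<VirtualHost *:8080>\n  ServerName site1.test\n  DocumentRoot "%s"\n'
              '</VirtualHost>\n<VirtualHost *:8081>\n  ServerName site2.test\n  DocumentRoot %s\n'
              '</VirtualHost>\n') % (os.path.join(base, "site1"), os.path.join(base, "site2"))
    return run_scan(config, fetch=lambda site, rel: rendered.get(rel, ""))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Two practical notes on running something like this against a real server. The scan sends a request for every page file under every site root, so it should be run from the server itself (hence 127.0.0.1) and at a time when an extra full crawl is acceptable. The whole-word plaintext signatures are deliberately loose; a legitimate administration page can contain "Process" or a password form, so each finding is a candidate for manual review rather than a verdict, and the report should record the matched signatures so the reviewer can see why the page was flagged.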

The present invention also provides a system for searching for webshells with the assistance of a local simulated request, which, as shown in Fig. 2, comprises:

an information acquisition module 201, for reading the web server configuration file and obtaining information about the web server, the information comprising: the number of websites, and their paths, domain names or port numbers;

a page path acquisition module 202, for traversing all files under each website in turn, screening out the web page files, and storing the path information of the web page files;

a request simulation module 203, for accessing the web page files in turn by means of a local simulated request according to the path information, and obtaining the returned data;

a signature scanning module 204, for performing signature scanning on the returned data and generating a detection report according to the scan results.

Preferably, the web page files comprise web page files in asp, php, jsp or cgi format.

Preferably, the signatures used in the signature scanning of the returned data are obtained by: obtaining the returned data of known webshells, and extracting plaintext fields of the webshell as signatures.

Preferably, the signatures used in the signature scanning of the returned data are obtained by: for webshells with a login password, extracting key fields as signatures.

As described above, the present invention provides specific embodiments of a method and system for searching for webshells with the assistance of a local simulated request. The difference from conventional methods is that most current technical schemes cannot effectively identify encrypted webshells. The technical scheme given by the present invention reads the web server configuration file to obtain information such as the number of websites and their paths, screens all files under each website to find all web page files and obtain their paths, and then, relying on the fact that accessing a web page file returns its plaintext features, uses a simulated request to access the web page files and performs signature scanning on the returned data. In this way webshell pages can be effectively identified, which solves the problem that existing encrypted or transformed webshells cannot be detected.

The above embodiments are intended to illustrate and not to limit the technical scheme of the present invention. Any modification or partial replacement that does not depart from the spirit and scope of the invention shall be covered by the scope of the claims of the present invention.

Claims (8)

1. A method for searching for webshells with the assistance of a local simulated request, characterized in that it comprises:
reading the web server configuration file to obtain information about the web server, the information comprising: the number of websites, and their paths, domain names or port numbers;
traversing all files under each website in turn, screening out the web page files, and storing the path information of the web page files;
according to the path information, accessing the web page files in turn by means of a local simulated request, and obtaining the returned data;
performing signature scanning on the returned data, and generating a detection report according to the scan results.
2. The method of claim 1, characterized in that the web page files comprise web page files in asp, php, jsp or cgi format.
3. The method of claim 1, characterized in that the signatures used in the signature scanning of the returned data are obtained by: obtaining the returned data of known webshells, and extracting plaintext fields of the webshell as signatures.
4. The method of claim 1, characterized in that the signatures used in the signature scanning of the returned data are obtained by: for webshells with a login password, extracting key fields as signatures.
5. A system for searching for webshells with the assistance of a local simulated request, characterized in that it comprises:
an information acquisition module, for reading the web server configuration file and obtaining information about the web server, the information comprising: the number of websites, and their paths, domain names or port numbers;
a page path acquisition module, for traversing all files under each website in turn, screening out the web page files, and storing the path information of the web page files;
a request simulation module, for accessing the web page files in turn by means of a local simulated request according to the path information, and obtaining the returned data;
a signature scanning module, for performing signature scanning on the returned data and generating a detection report according to the scan results.
6. The system of claim 5, characterized in that the web page files comprise web page files in asp, php, jsp or cgi format.
7. The system of claim 5, characterized in that the signatures used in the signature scanning of the returned data are obtained by: obtaining the returned data of known webshells, and extracting plaintext fields of the webshell as signatures.
8. The system of claim 5, characterized in that the signatures used in the signature scanning of the returned data are obtained by: for webshells with a login password, extracting key fields as signatures.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310691213.9A CN103905422B (en) 2013-12-17 2013-12-17 Method and system for searching for webshell with assistance of local simulation request


Publications (2)

Publication Number Publication Date
CN103905422A true CN103905422A (en) 2014-07-02
CN103905422B CN103905422B (en) 2017-04-26

Family

ID=50996576


Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060294199A1 (en) * 2005-06-24 2006-12-28 The Zeppo Network, Inc. Systems and Methods for Providing A Foundational Web Platform
CN101471818A (en) * 2007-12-24 2009-07-01 北京启明星辰信息技术股份有限公司 Detection method and system for malevolence injection script web page
CN101527660A (en) * 2009-04-03 2009-09-09 华为技术有限公司 Alarm method, associated equipment and system
CN101587527A (en) * 2009-07-08 2009-11-25 北京东方微点信息技术有限责任公司 Method and apparatus for scanning virus program
CN101599947A (en) * 2008-06-06 2009-12-09 盛大计算机(上海)有限公司 Trojan horse virus scanning method based on the WEB webpage
CN101692267A (en) * 2009-09-15 2010-04-07 北京大学 Method and system for detecting large-scale malicious web pages
CN101808093A (en) * 2010-03-15 2010-08-18 北京安天电子设备有限公司 System and method for automatically detecting WEB security
US20110016528A1 (en) * 2008-08-15 2011-01-20 Venus Info Tech Inc. Method and Device for Intrusion Detection
CN102088379A (en) * 2011-01-24 2011-06-08 国家计算机网络与信息安全管理中心 Detecting method and device of client honeypot webpage malicious code based on sandboxing technology
CN102104601A (en) * 2011-01-14 2011-06-22 无锡市同威科技有限公司 Web vulnerability scanning method and device based on infiltration technology
CN102158499A (en) * 2011-06-02 2011-08-17 国家计算机病毒应急处理中心 Trojan-embedded website detection method based on hyper text transfer protocol (HTTP) traffic analysis
CN102254111A (en) * 2010-05-17 2011-11-23 北京知道创宇信息技术有限公司 Malicious site detection method and device
CN103065089A (en) * 2012-12-11 2013-04-24 深信服网络科技(深圳)有限公司 Method and device for detecting webpage Trojan horses
CN103258163A (en) * 2013-05-15 2013-08-21 腾讯科技(深圳)有限公司 Script virus identifying method, script virus identifying device and script virus identifying system
CN103294952A (en) * 2012-11-29 2013-09-11 北京安天电子设备有限公司 Method and system for detecting webshell based on page relation


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
石磊, 宋昭: "wehshell检测的新思路" (New ideas for webshell detection), 《第二届全国信息安全等级保护技术大会会议论文集》 (Proceedings of the 2nd National Information Security Classified Protection Technology Conference) *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104331663A (en) * 2014-10-31 2015-02-04 北京奇虎科技有限公司 Detection method of web shell and web server
CN104331663B (en) * 2014-10-31 2017-09-01 北京奇虎科技有限公司 Web shell detection method and web server
CN105760379A (en) * 2014-12-16 2016-07-13 中国移动通信集团公司 Webshell page detection method and device based on intra-domain page association
CN105760379B (en) * 2014-12-16 2020-01-21 中国移动通信集团公司 Method and device for detecting webshell page based on intra-domain page association relation
CN107770133A (en) * 2016-08-19 2018-03-06 北京升鑫网络科技有限公司 A kind of adaptability webshell detection methods and system
CN106992981A (en) * 2017-03-31 2017-07-28 北京知道创宇信息技术有限公司 A kind of website back door detection method, device and computing device
CN106992981B (en) * 2017-03-31 2020-04-07 北京知道创宇信息技术股份有限公司 Website backdoor detection method and device and computing equipment
CN107493278A (en) * 2017-08-10 2017-12-19 杭州迪普科技股份有限公司 A kind of two-way encryption webshell access method and device


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right
    Denomination of invention: Method and system for searching for webshell with assistance of local simulation request
    Effective date of registration: 20170621
    Granted publication date: 20170426
    Pledgee: Bank of Longjiang, Limited by Share Ltd, Harbin Limin branch
    Pledgor: Harbin Antiy Technology Co., Ltd.
    Registration number: 2017110000004
PC01 Cancellation of the registration of the contract for pledge of patent right
    Date of cancellation: 20190614
    Granted publication date: 20170426
    Pledgee: Bank of Longjiang, Limited by Share Ltd, Harbin Limin branch
    Pledgor: Harbin Antiy Technology Co., Ltd.
    Registration number: 2017110000004
CP03 Change of name, title or address
    Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin High-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)
    Patentee after: Harbin antiy Technology Group Limited by Share Ltd
    Address before: 150090 room 506, Hongqi Street, Nangang District, Harbin Development Zone, Heilongjiang, China, 162
    Patentee before: Harbin Antiy Technology Co., Ltd.
PE01 Entry into force of the registration of the contract for pledge of patent right
    Denomination of invention: Method and system for searching for webshell with assistance of local simulation request
    Effective date of registration: 20190828
    Granted publication date: 20170426
    Pledgee: Bank of Longjiang, Limited by Share Ltd, Harbin Limin branch
    Pledgor: Harbin antiy Technology Group Limited by Share Ltd
    Registration number: Y2019230000002