A WebShell detection method and system
Technical field
The present invention relates to the field of Internet security technology, and more particularly to a WebShell detection method and system.
Background technology
With the birth of Web 2.0 and a series of new Internet products such as social networks and microblogging, Web-based Internet applications have become more and more widespread, and in the course of enterprise IT adoption all kinds of applications are built on Web platforms. The rapid development of Web services has also drawn the strong interest of hackers, and what follows is a surge in Web security threats: a hacker uses a vulnerability in the website's operating system, a SQL injection vulnerability in the Web service program or the like to obtain control of the Web server, and then at best tampers with page content, at worst steals important internal data, or, more seriously still, implants malicious code into web pages so that the site's visitors are harmed. This has led more and more users to pay attention to application-layer security, and attention to Web application security is gradually heating up.
When attacking a website a hacker usually goes through the following steps: first information gathering, to find the relevant information of the target website; then vulnerability exploitation, using the information collected to find an exploitable vulnerability such as a SQL injection vulnerability or a file upload vulnerability, and through it to steal data, upload a WebShell and so on.
Put simply, a WebShell is an asp or php Trojan backdoor, the script attack tool of a Web intrusion. Once a WebShell has been uploaded, the hacker can very conveniently manipulate the target website server through it, without having to repeat the process of finding and exploiting website vulnerabilities. The harm a WebShell does to a website is therefore very great: if a WebShell exists on a website, it can be said with certainty that the website has a very serious vulnerability. Discovering the WebShell promptly after the website has been attacked, and carrying out the necessary vulnerability repair on the target website server, keeps the loss as small as possible, so discovery and defence after the fact are also an important link in a security defence system.
In existing technical schemes there are mainly two kinds of WebShell detection, local detection and remote detection. Local detection is typically a piece of software running on the target system; the software can access the website root directory and directly perform WebShell detection at source-code level. Because existing local detection methods need to run an executable program on the target server and need the authority to access and read the website root directory, this scheme carries a considerable security risk and is not permitted in application scenarios with comparatively strict security auditing.
The other kind, remote detection, is mainly based on a web crawler, and identifies and detects WebShells by means of a path dictionary and a WebShell fingerprint feature library. Remote detection needs no extra authority, but because a WebShell is disguised, and a web crawler can only capture pages to which a reference relationship exists, the detection mode based on a path dictionary has great limitations: the upload path and upload file name of a WebShell are specified arbitrarily by the attacker, and once the attacker uses an extremely complex path that is not in the path dictionary of the remote detection, the remote detection cannot detect that WebShell. Remote detection can therefore only detect comparatively common WebShells.
The content of the invention
In view of this, the present invention provides a WebShell detection method and system. The invention does not need to run an executable program on the target server side, and uses a detection mode that combines log auditing with detection, which makes up for the incomplete detection of the prior art.
Specifically, the WebShell detection method of the present invention comprises the following steps:
A. Collect the server access log and analyze the URLs of suspicious access behaviour.
B. Perform local detection on the URLs of suspicious access behaviour obtained by the analysis, in combination with the WebShell feature library.
C. Perform remote detection on the URLs of suspicious access behaviour obtained by the analysis, in combination with the WebShell feature library.
D. If the detection result indicates that a WebShell has been found, perform step E.
E. Report the WebShell path, and at the same time add the path identified as a WebShell to the WebShell path library.
Further, the local detection in step B comprises configuring target server information, logging in remotely to the target server and performing a source-code-level WebShell check.
Further, the source-code-level WebShell check performs a WebShell check, by fingerprint comparison against the local detection fingerprint library that forms part of the WebShell feature library, on the source code in the various languages obtained from the files in the Web server root directory and from the files at the URLs of suspicious access behaviour.
Further, the remote detection in step C comprises remote detection configuration, a spider, and remote detection of web page code.
Further, the spider takes the WebShell path library that forms part of the WebShell feature library, together with the URLs of suspicious access behaviour, as the remote detection paths, and obtains the reply data of those remote detection paths.
Further, the remote detection of web page code performs WebShell detection, by fingerprint comparison against the remote detection fingerprint library that forms part of the WebShell feature library, on the reply data obtained from the remote detection paths.
Further, the URLs of suspicious access behaviour in step A are URLs obtained by analyzing the access frequency and the parameters of the URLs: every URL that appears in the log is given a low suspicion level; a URL with the lowest access frequency is given a medium suspicion level; a URL in which hostile content appears is given a high suspicion level.
The present invention also provides a WebShell detection system, the system comprising:
Log audit module: for collecting the server access log and analyzing the URLs of suspicious access behaviour.
Local detection module: for performing local detection on the URLs of suspicious access behaviour obtained by the analysis, in combination with the WebShell feature library.
Remote detection module: for performing remote detection on the URLs of suspicious access behaviour obtained by the analysis, in combination with the WebShell feature library.
Result output module: for reporting the WebShell path when the detection result indicates that a WebShell has been found, and at the same time adding the path identified as a WebShell to the WebShell path library.
Further, the local detection module is specifically for configuring target server information, logging in remotely to the target server and performing a source-code-level WebShell check.
Further, the source-code-level WebShell check performs a WebShell check, by fingerprint comparison against the local detection fingerprint library that forms part of the WebShell feature library, on the source code in the various languages obtained from the files in the Web server root directory and from the files at the URLs of suspicious access behaviour.
Further, the remote detection module is specifically for remote detection configuration, a spider, and remote detection of web page code.
Further, the spider takes the WebShell path library that forms part of the WebShell feature library, together with the URLs of suspicious access behaviour, as the remote detection paths, and obtains the reply data of those remote detection paths.
Further, the remote detection of web page code performs WebShell detection, by fingerprint comparison against the remote detection fingerprint library that forms part of the WebShell feature library, on the reply data obtained from the remote detection paths.
Further, the URLs of suspicious access behaviour are URLs obtained by analyzing the access frequency and the parameters of the URLs: every URL that appears in the log is given a low suspicion level; a URL with the lowest access frequency is given a medium suspicion level; a URL in which hostile content appears is given a high suspicion level.
As can be seen from the above, in view of the limitations of WebShell detection in the prior art, the present invention further improves the accuracy of WebShell detection through a comprehensive detection mode in which the URLs of suspicious access behaviour, local detection and remote detection cooperate; it improves the detection rate and detection efficiency and reduces the rates of missed and false reports. Moreover, the local detection of the present invention is performed by way of remote login, which avoids the problem in the prior art that local detection requires a program to be installed and run on the target server, and makes the detection more convenient to perform.
Brief description of the drawings
Fig. 1 is a flow chart of the WebShell detection method in one embodiment of the present invention;
Fig. 2 is a logical block diagram of the WebShell detection system in one embodiment of the present invention.
Embodiment
The technical solution of the present invention is described in further detail below with reference to Fig. 1 and Fig. 2.
The present invention presets a suspicious WebShell path library, a local detection fingerprint library and a remote detection fingerprint library as the basic foundation of detection. The process by which the present invention realizes comprehensive WebShell detection is described below in combination with network security detection technology.
Fig. 1 is a flow chart of a WebShell detection method of the present invention. In a preferred embodiment, the method of the invention is specifically as follows:
A. Collect the server access log and analyze the URLs of suspicious access behaviour.
Specifically, log in to the server over SSH and obtain the access log produced by the Web middleware (software such as Apache, Tomcat, IIS). The access log records the URL, the parameters and so on of every access made by a user. By checking the frequency and the parameters of the accessed URLs, find the pages most suspected of being WebShells, then inspect and analyze these pages, analyze the website directory structure and the suspicious access behaviour, and gather statistics on the suspicious access behaviour in the website. Counting by URL access frequency and parameters: every URL that appears is given a low suspicion level; a URL with the lowest access frequency is given a medium suspicion level; a URL in which hostile content appears is given a high suspicion level.
In this embodiment the server access log can also be obtained in various other ways, such as configuring the server to send the log to Syslog, configuring file sharing on the server, uploading and downloading over FTP, reading the log file remotely over SSH or Telnet, or other remote ways of reading the log file. Hostile content includes executable commands, SQL statements, sensitive file names and file contents, scripts, and so on.
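The log audit of step A, as an added example (not code from the patent): it parses a few constructed Apache/Nginx combined-format log lines, counts the access frequency of each URL, checks the decoded parameters for hostile content, and assigns the three suspicion levels described above. The hostile-content patterns and the restriction to server-side script extensions are assumptions of the example, not part of the patent.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of Apache/Nginx "combined" access-log lines (illustration only,
# not taken from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /about.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:57:12 +0000] "GET /uploads/2023/x7.php HTTP/1.1" 200 120 "-" "curl/7.88"
10.0.0.9 - - [10/Oct/2023:13:57:20 +0000] "GET /uploads/2023/x7.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 1800 "-" "curl/7.88"
10.0.0.12 - - [10/Oct/2023:13:58:40 +0000] "GET /static/logo.png HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [time], "method target protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A WebShell is a server-side script, so only script URLs are ranked (assumption of this
# example; static resources such as images are ignored).
SCRIPT_EXTENSIONS = ('.php', '.phtml', '.asp', '.aspx', '.asa', '.jsp', '.jspx')

# Hostile content as the patent lists it: executable commands, SQL statements, sensitive
# file names, script payloads. The patterns are illustrative, not an exhaustive library.
HOSTILE_PATTERNS = [
    re.compile(r'\b(?:whoami|uname|wget|curl|powershell|cmd\.exe)\b|\bcat\s+/', re.I),  # commands
    re.compile(r'\bunion\s+select\b|\bselect\b.+\bfrom\b|\bdrop\s+table\b', re.I),        # SQL
    re.compile(r'/etc/(?:passwd|shadow)|web\.config|wp-config\.php|\.\./', re.I),          # files
    re.compile(r'<\?php|\beval\s*\(|base64_decode|<script', re.I),                         # scripts
]


def parse_log(text):
    """Parse access-log lines into records of client, path, decoded parameters and status."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m.group('target'))
        records.append({
            'ip': m.group('ip'),
            'path': parts.path,
            'params': parse_qsl(parts.query, keep_blank_values=True),  # values are URL-decoded
            'status': int(m.group('status')),
        })
    return records


def is_hostile(value):
    """True if a parameter value matches any hostile-content pattern."""
    return any(p.search(value) for p in HOSTILE_PATTERNS)


def rank_urls(records):
    """Assign the patent's three suspicion levels to every script URL in the log.

    low:    the URL appears in the log (default for every script URL)
    medium: the URL has the lowest access frequency seen in the log
    high:   at least one request to the URL carried hostile content in its parameters
    """
    script_records = [r for r in records if r['path'].lower().endswith(SCRIPT_EXTENSIONS)]
    if not script_records:
        return {}
    freq = Counter(r['path'] for r in script_records)
    min_freq = min(freq.values())
    levels = {path: ('medium' if count == min_freq else 'low') for path, count in freq.items()}
    for r in script_records:
        if any(is_hostile(v) for _, v in r['params']):
            levels[r['path']] = 'high'
    return levels


def suspicious_urls(records):
    """Return (path, level) pairs, most suspicious first, for the detection steps that follow."""
    order = {'high': 0, 'medium': 1, 'low': 2}
    return sorted(rank_urls(records).items(), key=lambda item: (order[item[1]], item[0]))


if __name__ == '__main__':
    for path, level in suspicious_urls(parse_log(SAMPLE_LOG)):
        print(f'{level:6s} {path}')
```

On the constructed sample, the uploaded `x7.php` is ranked high because its `cmd` parameter carries a command and a sensitive file name, `about.php` is ranked medium as the least-visited script, and `index.php` is ranked low. A real deployment would feed the high and medium URLs into the local and remote detection steps.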
B. Perform local detection and remote detection on the URLs of suspicious access behaviour obtained by the analysis, in combination with the WebShell feature library.
Specifically, for local detection, open the SSH remote login service, configure the target server information, such as the user access account and password and a backup of the website root directory, and log in remotely to the target server; then perform a WebShell check, by fingerprint comparison against the local detection fingerprint library that forms part of the WebShell feature library, on the source code in the various languages obtained from the files in the Web server root directory and from the files at the URLs of suspicious access behaviour. The purpose of backing up the website root directory in the configuration information is to avoid affecting other users' access to the server. The source code in the various languages includes source code in the page scripting languages in common use at present, such as asp (Active Server Pages), jsp (Java Server Pages) and php (Hypertext Preprocessor). In this embodiment the user information that the local detection configuration needs is specified by the user according to his own requirements and environment; the configured user information referred to here is not the whole of the user information, but only part of it. SSH is a service program installed on every standard server, and can be installed by the user if the system does not have it. The local detection fingerprint library can consist of fingerprint features extracted from source code; the fingerprints include dangerous method calls, common character strings and the like.
In a preferred embodiment the remote login is performed over SSH. The remote login mode can of course also be any other remote login mode capable of realizing the above method, such as Telnet or another remote login mode; it is not limited here.
Specifically, remote detection comprises remote detection configuration, a spider, and remote detection of web page code. The website URL is configured and the target website is accessed remotely in the manner of a normal client. The spider takes the WebShell path library that forms part of the WebShell feature library, together with the URLs of suspicious access behaviour, as the remote detection paths and obtains the reply data of those paths; the remote detection of web page code then performs WebShell detection, by fingerprint comparison against the remote detection fingerprint library that forms part of the WebShell feature library, on the reply data obtained from the remote detection paths. The reply data is preferably the client-side web page source code, typically HTML code, and the remote detection fingerprint library can consist of fingerprint features extracted from web page HTML code.
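The fingerprint comparison of step B, covering both the local detection on source code and the remote detection on reply data, as an added example (not code from the patent). The fingerprint libraries, the constructed website files and the constructed reply bodies are assumptions of the example; the local fingerprints are the kind of dangerous method calls and common strings the text mentions, the remote fingerprints are strings a shell's HTML page typically returns. Obtaining the files over SSH and the replies with a crawler is outside the example; both are passed in as dictionaries.

```python
import os
import re
from urllib.parse import urlsplit

# Local detection fingerprint library: dangerous method calls and common strings in the
# source of asp, jsp and php pages (illustrative assumptions of this example).
LOCAL_FINGERPRINTS = {
    'php': [
        (r'\beval\s*\(\s*(?:\$_(?:POST|GET|REQUEST|COOKIE)|base64_decode|gzinflate|str_rot13)',
         'eval() of request data or of a decoded payload'),
        (r'\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(?:POST|GET|REQUEST)',
         'command execution with request data'),
        (r'\bassert\s*\(\s*\$_(?:POST|GET|REQUEST)', 'assert() backdoor'),
        (r'\$_(?:POST|GET|REQUEST)\[[^\]]+\]\s*\(', 'variable function called from request data'),
    ],
    'asp': [
        (r'\b(?:eval|execute)\s*\(?\s*request\s*\(', 'eval/Execute of Request() one-liner'),
        (r'WScript\.Shell', 'WScript.Shell object'),
    ],
    'jsp': [
        (r'Runtime\.getRuntime\(\)\.exec\s*\([^)]*request\.getParameter',
         'Runtime.exec() of a request parameter'),
        (r'new\s+ProcessBuilder\s*\([^)]*request\.getParameter',
         'ProcessBuilder from a request parameter'),
    ],
}

# Remote detection fingerprint library: strings in the HTML a shell returns to a client.
REMOTE_FINGERPRINTS = [
    (r'<title>[^<]*(?:webshell|b374k|c99|r57|wso)[^<]*</title>', 'known shell page title'),
    (r'<input[^>]+name=["\']?cmd["\']?', 'command input field'),
    (r'uname -a|safe_mode|disable_functions', 'server information banner'),
]

EXTENSION_LANGUAGE = {'.php': 'php', '.phtml': 'php', '.asp': 'asp', '.asa': 'asp',
                      '.jsp': 'jsp', '.jspx': 'jsp'}

# Constructed samples: files under a website root, and reply bodies a spider obtained.
SAMPLE_FILES = {  # path relative to the web root -> source code
    'index.php': "<?php include 'header.php'; echo render_page($_GET['p'] ?? 'home'); ?>",
    'uploads/2023/x7.php': "<?php @eval($_POST['x']); ?>",
    'admin/tools.asp': '<%eval request("pass")%>',
    'static/app.js': "document.title = 'ok';",
}
SAMPLE_RESPONSES = {  # remote detection path -> reply data (client-side HTML)
    'http://target.example/uploads/2023/x7.php': '<html><body></body></html>',
    'http://target.example/tmp/shell.php':
        '<html><head><title>WSO 2.8</title></head><body><form method="post">'
        '<input type="password" name="pass"><input type="submit" value="&gt;&gt;">'
        '</form></body></html>',
}


def match_fingerprints(text, fingerprints):
    """Fingerprint comparison: return the labels of every fingerprint found in text."""
    return [label for pattern, label in fingerprints if re.search(pattern, text, re.I | re.S)]


def local_detect(files):
    """Source-code-level check of root files; returns {url path: [matched labels]}."""
    findings = {}
    for path, source in files.items():
        language = EXTENSION_LANGUAGE.get(os.path.splitext(path)[1].lower())
        if language is None:
            continue  # not a server-side script: nothing to check
        hits = match_fingerprints(source, LOCAL_FINGERPRINTS[language])
        if hits:
            findings['/' + path.lstrip('/')] = hits
    return findings


def remote_detect(responses):
    """Fingerprint comparison on reply data; returns {url path: [matched labels]}."""
    findings = {}
    for url, body in responses.items():
        hits = match_fingerprints(body, REMOTE_FINGERPRINTS)
        if hits:
            findings[urlsplit(url).path] = hits
    return findings


def update_path_library(path_library, *findings):
    """Result output: add every path identified as a WebShell to the WebShell path library."""
    updated = set(path_library)
    for f in findings:
        updated.update(f)
    return updated


if __name__ == '__main__':
    local = local_detect(SAMPLE_FILES)
    remote = remote_detect(SAMPLE_RESPONSES)
    for path, hits in {**local, **remote}.items():
        print(f'WebShell found: {path}: {", ".join(hits)}')
    print('path library:', sorted(update_path_library({'/c99.php'}, local, remote)))
```

Note that the one-line `eval($_POST['x'])` shell in `x7.php` is found only by the local source check; its HTTP reply to a plain GET is an empty page and matches no remote fingerprint. This is the case the patent's combination of log auditing, local detection and remote detection is meant to cover.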
C. If the detection result indicates that a WebShell has been found, perform step D.
D. Report the WebShell path, and at the same time add the path identified as a WebShell to the WebShell path library.
In the embodiment described above the operating system is not particularly limited; the method can be executed under operating systems such as Windows and Linux. Further, according to need, only part of the detection may be carried out, for instance only local detection in cooperation with log auditing, or only remote detection in cooperation with log auditing; either part on its own can complete its corresponding complete WebShell detection process.
Based on the above method, Fig. 2 gives a logical block diagram of the WebShell detection system of the present invention. The detection system is applied to a PC, which serves as the carrier on which the logical detection system runs; the hardware environment of the PC typically includes at least a CPU, memory and other hardware, and the logical modules are stored in the memory.
Log audit module: collects the server access log and analyzes the URLs of suspicious access behaviour. Specifically, it logs in to the server over SSH and obtains the access log produced by the Web middleware (software such as Apache, Tomcat, IIS). The access log records the URL, the parameters and so on of every access made by a user. Counting by URL access frequency and parameters: every URL that appears is given a low suspicion level; a URL with the lowest access frequency is given a medium suspicion level; a URL in which hostile content appears is given a high suspicion level.
Local detection module: performs local detection on the URLs of suspicious access behaviour obtained by the analysis, in combination with the WebShell feature library. Specifically, it logs in remotely to the target server and performs a WebShell check, by fingerprint comparison against the local detection fingerprint library that forms part of the WebShell feature library, on the source code in the various languages obtained from the files in the Web server root directory and from the files at the URLs of suspicious access behaviour.
Remote detection module: performs remote detection on the URLs of suspicious access behaviour obtained by the analysis, in combination with the WebShell feature library. Specifically, the website URL is configured and the target website is accessed remotely in the manner of a normal client; the spider takes the WebShell path library that forms part of the WebShell feature library, together with the URLs of suspicious access behaviour, as the remote detection paths and obtains the reply data of those paths; the remote detection of web page code then performs WebShell detection, by fingerprint comparison against the remote detection fingerprint library that forms part of the WebShell feature library, on the reply data obtained from the remote detection paths.
Result output module: if the detection result indicates that a WebShell has been found, reports the WebShell path, and at the same time adds the path identified as a WebShell to the WebShell path library.
The above is only a preferred embodiment of the present invention and does not limit the protection scope of the present invention; any equivalent changes and modifications are included within the scope of the present invention.