CN105046154A - Webshell detection method and device - Google Patents

Webshell detection method and device

Publication number: CN105046154A
Application number: CN201510496802.0A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 李云龙
Assignee (original and current): Inspur Electronic Information Industry Co Ltd
Legal status: Pending
Prior art keywords: webshell, abnormal information, file, weighted value, target abnormal
Classifications

    • G06F 21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities (under G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements; G06F 21/55 Detecting local intrusion or implementing counter-measures; G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F 16/3331: Query processing (under G06F 16/33 Querying; G06F 16/30 Information retrieval of unstructured textual data; G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor)
Abstract

The invention provides a webshell detection method and device. The method comprises the following steps: according to a webshell sample library, determining two or more items of target abnormal information to be detected, determining a first weighted value corresponding to each item of target abnormal information, and determining a standard value; obtaining all script files under the website directory of a web server; detecting the target abnormal information contained in each script file; calculating a third weighted value for each script file according to the items of target abnormal information it contains and the first weighted value corresponding to each item; and judging whether the third weighted value of each script file is greater than or equal to the standard value, and if so, determining that the script file whose third weighted value is greater than or equal to the standard value contains a webshell. Through the technical solution of the invention, webshells on the web server can be detected.

Description

Webshell detection method and device
Technical field
The present invention relates to the field of information security technology, and in particular to a webshell detection method and device.
Background technology
A webshell is a trojan file that exists on a web server in the form of a page script file. An intruder accesses the webshell directly through a browser to obtain a command execution environment, and then uses the webshell to upload files to or download files from the compromised web server, modify file contents, inspect the database, execute arbitrary program commands, and so on.
In a web intrusion the webshell acts as a scripted attack tool through which the intruder gains control of the website or web server. Because the data exchanged between the webshell and the controlled web server or a remote host is transmitted over the default port of the HTTP protocol, the webshell traffic is taken for normal website access and is not intercepted by the firewall; at the same time, because the webshell is mixed in with the normal page script files under the website directory of the web server, it is extremely well disguised and not easily discovered.
Summary of the invention
In view of this, the invention provides a webshell detection method and device capable of detecting webshells on a web server.
In a first aspect, the invention provides a webshell detection method, comprising:
S0: according to a webshell sample library, determining two or more items of target abnormal information to be detected, determining the first weighted value corresponding to each item of target abnormal information, and determining a standard value; the method further comprises:
S1: obtaining all script files under the website directory of the web server;
S2: detecting the target abnormal information contained in each script file;
S3: calculating the third weighted value corresponding to each script file according to the items of target abnormal information contained in that script file and the first weighted value corresponding to each item;
S4: judging whether the third weighted value of each script file is greater than or equal to the standard value, and if so, determining that the script file whose third weighted value is greater than or equal to the standard value contains a webshell.
Further, after step S4 the method also comprises:
setting an isolation area;
when a script file whose third weighted value is greater than or equal to the standard value is determined to contain a webshell, transferring that webshell to the isolation area.
Further, after the webshell is transferred to the isolation area, the method also comprises:
detecting whether the website corresponding to the webshell reports an error, and if so, restoring the corresponding webshell from the isolation area according to the error information.
Further, determining two or more items of target abnormal information to be detected comprises: defining at least two of the following items of abnormal information as the target abnormal information to be detected:
the file provides an upload or download function; information about the information system is obtained through the file; the file has the function of modifying other files; commands such as shell or cmd are executed through the file to control the information system; the information system is queried or modified through the file; the file is larger than 100k or smaller than 10k.
Further,
determining the first weighted value corresponding to each item of target abnormal information comprises: counting the number of times each item of target abnormal information occurs in the webshell sample library and the total number of occurrences of all the target abnormal information in the sample library, and, for each item, taking the quotient of the number of occurrences of the current item in the sample library divided by the total number of occurrences as the first weighted value corresponding to that item;
determining the standard value comprises: according to all the target abnormal information contained in each webshell in the sample library, summing the first weighted values corresponding to each item of target abnormal information contained in the current webshell to obtain the second weighted value corresponding to that webshell; comparing the second weighted values corresponding to the webshells in the sample library, and taking the smallest second weighted value as the standard value.
In a second aspect, the invention provides a webshell detection device, comprising:
a determining unit, for determining two or more items of target abnormal information to be detected according to a webshell sample library, determining the first weighted value corresponding to each item of target abnormal information, and determining a standard value;
an acquiring unit, for obtaining all script files under the website directory of the web server;
a first detecting unit, for detecting the target abnormal information contained in each script file;
a computing unit, for calculating the third weighted value corresponding to each script file according to the items of target abnormal information contained in that script file and the first weighted value corresponding to each item;
a judging unit, for judging whether the third weighted value of each script file is greater than or equal to the standard value, and if so, determining that the script file whose third weighted value is greater than or equal to the standard value contains a webshell.
Further, the device also comprises:
a setting unit, for setting an isolation area;
a processing unit, for transferring the webshell to the isolation area when a script file whose third weighted value is greater than or equal to the standard value is determined to contain a webshell.
Further, the device also comprises:
a second detecting unit, for detecting whether the website corresponding to the webshell reports an error;
a recovery unit, for restoring the corresponding webshell from the isolation area set by the setting unit when the detection result of the second detecting unit is yes.
Further,
the determining unit is used to define at least two of the following items of abnormal information as the target abnormal information to be detected:
the file provides an upload or download function; information about the information system is obtained through the file; the file has the function of modifying other files; commands such as shell or cmd are executed through the file to control the information system; the information system is queried or modified through the file; the file is larger than 100k or smaller than 10k.
Further,
the determining unit is also used to count the number of times each item of target abnormal information occurs in the webshell sample library and the total number of occurrences of all the target abnormal information in the sample library, and, for each item, to take the quotient of the number of occurrences of the current item in the sample library divided by the total number of occurrences as the first weighted value corresponding to that item;
the determining unit is also used, according to all the target abnormal information contained in each webshell in the sample library, to sum the first weighted values corresponding to each item of target abnormal information contained in the current webshell to obtain the second weighted value corresponding to that webshell, to compare the second weighted values corresponding to the sample webshells, and to take the smallest second weighted value as the standard value.
The webshell detection method and device provided by the invention obtain all script files under the website directory of the web server, obtain the abnormal information of each script file according to the abnormal information that the webshell sample library has determined in advance must be detected, calculate the third weighted value of each script file according to the first weighted values corresponding to the abnormal information determined in advance from the sample library, and, if a third weighted value is greater than the standard value determined from the sample library, determine that the corresponding script file is a webshell; in this way the webshell on the web server is detected and detection efficiency is improved.
Brief description of the drawings
In order to illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a webshell detection method provided by an embodiment of the invention;
Fig. 2 is a flow chart of another webshell detection method provided by an embodiment of the invention;
Fig. 3 is a schematic structural diagram of a webshell detection device provided by an embodiment of the invention;
Fig. 4 is a schematic structural diagram of another webshell detection device provided by an embodiment of the invention.
Embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the invention.
As shown in Fig. 1, an embodiment of the invention provides a webshell detection method which may comprise the following steps:
S0: according to a webshell sample library, determining two or more items of target abnormal information to be detected, determining the first weighted value corresponding to each item of target abnormal information, and determining a standard value;
S1: obtaining all script files under the website directory of the web server;
S2: detecting the target abnormal information contained in each script file;
S3: calculating the third weighted value corresponding to each script file according to the items of target abnormal information contained in that script file and the first weighted value corresponding to each item;
S4: judging whether the third weighted value of each script file is greater than or equal to the standard value, and if so, determining that the script file whose third weighted value is greater than or equal to the standard value contains a webshell.
The webshell detection method provided by the invention obtains all script files under the website directory of the web server, obtains the abnormal information of each script file according to the abnormal information that the webshell sample library has determined in advance must be detected, calculates the third weighted value of each script file according to the first weighted values corresponding to the abnormal information determined in advance from the sample library, and, if a third weighted value is greater than the standard value determined from the sample library, determines that the corresponding script file is a webshell; in this way the webshell on the web server is detected and detection efficiency is improved.
To prevent a detected webshell from continuing to damage the web server or steal information from it, in a preferred embodiment of the invention the method also comprises, after step S4: setting an isolation area, and, when a script file whose third weighted value is greater than or equal to the standard value is determined to contain a webshell, transferring that webshell to the isolation area.
Further, to prevent a normal script file on the current web server from being moved to the isolation area as a webshell because of a detection error, in a preferred embodiment of the invention the method also comprises, after the webshell is transferred to the isolation area: detecting whether the website corresponding to the webshell reports an error, and if so, restoring the corresponding webshell from the isolation area according to the error information.
In some specific environments a normal script file on the web server may also possess the same abnormal information as a webshell file. For example, when an administrator performs system maintenance, a specific script file may be used to modify other script files and to access the database in order to change database information. When that specific script file is examined it contains several items of abnormal information, so its calculated third weighted value may be higher than the standard value, and it may then be moved into the isolation area.
Therefore, on the one hand, files in the isolation area can be set so that they can be neither viewed nor executed, preventing the intruder from continuing to damage the web server or steal information from it; on the other hand, files in the isolation area can be set to be recoverable. For example, when it is detected that a normal script file named date on the web server is missing and the corresponding website reports an error, the appropriate permissions can be used to restore the script file named date from the isolation area.
As regards determining two or more items of target abnormal information to be detected according to the webshell sample library: specifically, behavioural analysis of the sample library yields at least two items of target abnormal information, which include but are not limited to: the file provides an upload or download function; information about the information system is obtained through the file; the file has the function of modifying other files; commands such as shell or cmd are executed through the file to control the information system; the information system is queried or modified through the file; the file is larger than 100k or smaller than 10k. It should be noted that the items above are only the main abnormal information obtained by analysing the sample library; other abnormal information can also be included, for example abnormal file content or an abnormal file compression ratio.
Further, the number of times each item of target abnormal information occurs in the webshell sample library and the total number of occurrences of all the target abnormal information in the sample library are counted, and, for each item, the quotient of the number of occurrences of the current item in the sample library divided by the total number of occurrences is taken as the first weighted value corresponding to that item.
Further, according to all the target abnormal information contained in each webshell in the sample library, the first weighted values corresponding to each item of target abnormal information contained in the current webshell can be summed to obtain the second weighted value corresponding to that webshell; the second weighted values corresponding to the webshells in the sample library are compared, and the smallest second weighted value is taken as the standard value.
To make the objectives, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
As shown in Fig. 2, an embodiment of the invention provides another webshell detection method which may comprise the following steps:
Step 201: set up a webshell sample library, and determine the target abnormal information to be detected by performing behavioural analysis on the webshells in the library.
Target abnormal information is information that a webshell usually possesses but that script files on the web server do not possess, or possess only under specific circumstances. For example, a webshell provides a function for accessing the database; normal script files on the web server generally do not have this function, and only the script files used by the administrator for database management do. Therefore "provides a database access function" can be used as one item of target abnormal information.
For example, a webshell sample library may contain 7 webshell sample files a, b, c, d, e, f and g. Behavioural analysis of the 7 sample files shows that the webshells in the current sample library contain the following target abnormal information: A: the file provides an upload or download function; B: information about the information system is obtained through the file; C: the file has the function of modifying other files; D: commands such as shell or cmd are executed through the file to control the information system; E: the information system is queried or modified through the file; F: the file is larger than 100k or smaller than 10k. It should be noted that the target abnormal information is not limited to the items above; for example, an abnormal file compression ratio or abnormal file content can also be included.
Step 202: determine the first weighted value corresponding to each item of target abnormal information to be detected.
The target abnormal information corresponding to each webshell in the sample library is counted as follows:
a contains: A, B, C, D, E, F;
b contains: B, C, D, E, F;
c contains: C, D, E;
d contains: A, B, C;
e contains: A, C, D;
f contains: A, B, C, D;
g contains: A, C, D.
From the data above, the number of times each of the 6 items of target abnormal information occurs in the sample library is: A: 5 times, B: 4 times, C: 7 times, D: 6 times, E: 3 times, F: 2 times; and the total number of occurrences of target abnormal information in the sample library is 27.
Analysing the above data probabilistically, the probability, based on this sample library, that each item of target abnormal information appears in a webshell is the number of occurrences of that item in the library divided by the total number of occurrences of target abnormal information in the library; the results are A: 0.19, B: 0.15, C: 0.26, D: 0.22, E: 0.11, F: 0.07. The higher the probability corresponding to an item, the more likely it is that an intruder uses that item to damage the web server or steal information from it; therefore, when that item is detected, a relatively high weight can be given to it. For example, the probability of occurrence of each item can be set as the weight corresponding to that item, i.e. as the first weighted value corresponding to that item.
Step 203: calculate the second weighted value corresponding to each webshell in the sample library, and take the smallest second weighted value as the standard value.
In this embodiment, the sample library shows that an intruder usually uses a webshell possessing several items of target abnormal information to damage the web server or steal information from it. Since the target abnormal information that may occur has been determined from the sample library, and each item has been assigned a first weighted value according to its probability of occurring in a webshell, the same probabilistic analysis allows the first weighted values of the items contained in a webshell in the sample library to be added together; the sum, i.e. the second weighted value, serves as the probability that a file possessing those items is a webshell. By this computation, the second weighted values corresponding to the webshells in the sample library are: a: 1, b: 0.81, c: 0.59, d: 0.6, e: 0.67, f: 0.82, g: 0.67.
From the data above, the second weighted value corresponding to webshell c is the smallest; therefore the second weighted value of c, 0.59, can be set as the lowest weighted value at which a script file is judged to contain a webshell, i.e. as the standard value.
It should be noted that this embodiment is only a preferred solution of the invention. In the process of determining the abnormal information to be detected and calculating the first weighted values and the standard value from the sample library, the computed first weighted values and standard value may differ slightly when webshell samples of different number and type are selected; choosing as many sample types and samples as possible, and determining more target abnormal information, yields more reasonable first weighted values and standard value.
Step 204: obtain all script files under the website directory of the web server.
All script files are obtained by traversing the website directory on the web server.
Step 205: detect the target abnormal information contained in each script file.
Step 206: calculate the third weighted value corresponding to each script file.
The third weighted value of each script file is calculated in the same way as the second weighted value of a webshell in the sample library in step 203. For example, for script files m and n under the website directory of the web server, m contains the target abnormal information A, B, C, D and n contains A, B, C, D, E; the first weighted values corresponding to these items in this embodiment are A: 0.19, B: 0.15, C: 0.26, D: 0.22, E: 0.11, F: 0.07; hence the third weighted value of m, A+B+C+D, is 0.82, and the third weighted value of n, A+B+C+D+E, is 0.93.
Step 207: judge whether the third weighted value corresponding to each script file is greater than or equal to the standard value.
Step 208: transfer the script files whose third weighted value is greater than or equal to the standard value to the isolation area.
Files in the isolation area are set so that they cannot be opened or executed, preventing a webshell transferred to the isolation area from continuing to damage the web server and thereby protecting the web server.
In steps 207 to 208, the third weighted values of script files m and n calculated in step 206, 0.82 and 0.93, are both greater than the standard value 0.59 determined in step 203; therefore m and n are determined to be webshells and can be moved to the isolation area, where they can be neither opened nor executed.
Step 209: detect whether the website corresponding to a webshell transferred to the isolation area reports an error, and if so, perform step 210.
In this embodiment the possibility that a normal file is misdetected as a webshell cannot be excluded; therefore a detection module detects whether the website corresponding to a script file transferred to the isolation area reports an error, i.e. whether a normal script file under the website directory has been transferred to the isolation area by mistake.
Step 210: according to the error information, restore the corresponding script file from the isolation area using the appropriate permissions.
The corresponding script file is restored according to the error information. For example, after script files m and n are transferred to the isolation area, the website corresponding to m reports an error, the error information being that a file named date is missing; when the administrator determines that script file m is the file named date, the relevant administrator permissions can be used to restore m from the isolation area so that the corresponding website works normally.
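The weighting scheme of steps 201 to 208 carried through in code, as an added example that is not part of the patent and not the applicant's code. The sample library a..g, the items A..F, the two-decimal rounding and the files m and n are taken from the description; the regular expressions used to recognise A..E in file content, the script-file extensions and the reading of "100k" as 100 × 1024 bytes are assumptions of this example, because the patent does not say how those behaviours are detected.

```python
"""Sample-library weighting and thresholding from the description (added example)."""
import os
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Target abnormal information A..F as listed in step 201 of the description.
FEATURES = {
    "A": "file provides an upload or download function",
    "B": "information about the information system is obtained through the file",
    "C": "file has the function of modifying other files",
    "D": "shell/cmd commands are executed through the file",
    "E": "the information system is queried or modified through the file",
    "F": "file is larger than 100k or smaller than 10k",
}

# The seven-sample webshell library of step 202 (sample name -> items present).
SAMPLE_LIBRARY: Dict[str, Set[str]] = {
    "a": set("ABCDEF"), "b": set("BCDEF"), "c": set("CDE"), "d": set("ABC"),
    "e": set("ACD"), "f": set("ABCD"), "g": set("ACD"),
}


def first_weights(library: Dict[str, Set[str]], ndigits: int = 2) -> Dict[str, float]:
    """Step 202: first weight = occurrences of the item / total occurrences of all
    items in the library, rounded to two decimals as the description does."""
    counts = Counter(f for feats in library.values() for f in feats)
    total = sum(counts.values())  # 27 for the library above
    return {f: round(n / total, ndigits) for f, n in sorted(counts.items())}


def file_score(features: Iterable[str], weights: Dict[str, float], ndigits: int = 2) -> float:
    """Sum of the first weights of the items present: the 'second weighted value'
    for a library sample, the 'third weighted value' for a scanned file."""
    return round(sum(weights.get(f, 0.0) for f in features), ndigits)


def second_weights(library: Dict[str, Set[str]], weights: Dict[str, float]) -> Dict[str, float]:
    return {name: file_score(feats, weights) for name, feats in library.items()}


def standard_value(library: Dict[str, Set[str]], weights: Dict[str, float]) -> float:
    """Step 203: the smallest second weighted value in the library is the threshold."""
    return min(second_weights(library, weights).values())


# ASSUMED indicator patterns (PHP-flavoured) for A..E; the patent does not specify
# how these behaviours are recognised, so this is a stand-in detector only.
CONTENT_HEURISTICS = {
    "A": r"move_uploaded_file\s*\(|\$_FILES\b|readfile\s*\(",
    "B": r"phpinfo\s*\(|php_uname\s*\(|\$_SERVER\b",
    "C": r"file_put_contents\s*\(|fwrite\s*\(|unlink\s*\(",
    "D": r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(",
    "E": r"mysqli?_query\s*\(|->query\s*\(",
}


def detect_features(content: bytes) -> Set[str]:
    """Step 205 for one file. F is the only item the description defines exactly;
    1k is taken as 1024 bytes here (an assumption)."""
    text = content.decode("utf-8", errors="replace")
    found = {f for f, pat in CONTENT_HEURISTICS.items() if re.search(pat, text)}
    if len(content) > 100 * 1024 or len(content) < 10 * 1024:
        found.add("F")
    return found


def classify(features: Iterable[str], weights: Dict[str, float], threshold: float) -> Tuple[float, bool]:
    """Steps 206-207: third weighted value, and whether it reaches the standard value."""
    score = file_score(features, weights)
    return score, score >= threshold


def scan_directory(root: str, weights: Dict[str, float], threshold: float,
                   exts: Tuple[str, ...] = (".php", ".asp", ".aspx", ".jsp")) -> List[Tuple[str, List[str], float]]:
    """Steps 204-207 over a website directory: returns the files that step 208 would
    move to the isolation area (the move itself is left to the operator)."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    feats = detect_features(fh.read())
                score, hit = classify(feats, weights, threshold)
                if hit:
                    flagged.append((path, sorted(feats), score))
    return flagged


if __name__ == "__main__":
    w = first_weights(SAMPLE_LIBRARY)
    t = standard_value(SAMPLE_LIBRARY, w)  # 0.59
    for name, feats in {"m": set("ABCD"), "n": set("ABCDE")}.items():
        print(name, classify(feats, w, t))  # m -> (0.82, True), n -> (0.93, True)
```

Two points worth checking before deploying a scheme like this. First, the standard value depends on the rounding convention: with exact fractions, samples c and d both score 16/27 ≈ 0.593, and the 0.59 versus 0.6 gap in the description exists only because each first weighted value is rounded before the sums are taken, so fix the convention once and apply it to library samples and scanned files alike. Second, item F fires on almost every small script, which is why the administrator's maintenance script discussed above (items C and E plus F) still scores only 0.44 and stays below the 0.59 threshold; a different choice of samples would move that boundary.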
As shown in Figure 3, embodiments provide a kind of webshell pick-up unit, can comprise:
Determining unit 301, for determining plural target abnormal information to be detected, determining the first weighted value that each target abnormal information is corresponding and confirmed standard value according to webshell Sample Storehouse;
Acquiring unit 302, for obtaining the whole script files under web server directory web site;
First detecting unit 303, for detecting target abnormal information included in each script file;
Computing unit 304, calculates the 3rd weighted value corresponding to script file described in each for each target abnormal information of comprising according to script file described in each and the first weighted value corresponding to each target abnormal information described;
Judging unit 305, judges whether the 3rd weighted value of script file described in each is more than or equal to described standard value, and if so, then the script file determining to be more than or equal to the 3rd weighted value of described standard value corresponding comprises webshell.
As shown in Figure 4, an embodiment of the present invention provides another webshell detection device.
In one possible implementation, the device further comprises:
a setting unit 401, for setting up an isolation area;
a processing unit 402, for transferring the webshell to the isolation area when it is determined that the script file whose third weighted value is greater than or equal to the standard value contains a webshell.
In one possible implementation, the device further comprises:
a second detecting unit 403, for detecting whether the website corresponding to the webshell reports an error;
a recovery unit 404, for recovering the corresponding webshell from the isolation area set up by the first setting unit when the detection result of the second detecting unit is yes.
In one possible implementation,
the determining unit 301 is configured to determine at least two of the following kinds of abnormal information as the target abnormal information to be detected:
the file provides an upload or download function; the file obtains information of the information system; the file has a function for modifying other files; the file executes commands such as shell or cmd commands to control the information system; the file queries or modifies the information system; the file is larger than 100k; or the file is smaller than 10k.
In one possible implementation,
the determining unit 301 is further configured to count the number of times each target abnormal information item occurs in the webshell sample base and the total number of occurrences of all the target abnormal information items in the webshell sample base, and, for each target abnormal information item, to take the quotient of the number of times the current item occurs in the webshell sample base divided by that total number of occurrences as the first weighted value corresponding to the current item;
the determining unit 301 is further configured to count, for each webshell in the webshell sample base, all the target abnormal information items that webshell contains, and to sum the first weighted values corresponding to all the target abnormal information items contained in the current webshell as the second weighted value corresponding to the current webshell;
and to compare the second weighted values corresponding to the sample webshells and determine the smallest second weighted value among them as the standard value.
Since the information exchange and execution between the units of the above device are based on the same conception as the method embodiments of the present invention, reference may be made to the description in the method embodiments for the details, which are not repeated here.
The embodiments of the present invention have at least the following beneficial effects:
1. By acquiring all script files under the website directory of the web server, obtaining for each script file all the abnormal information items that the webshell sample base has predetermined need to be detected, and calculating the third weighted value of each script file from the first weighted values that the webshell sample base has predetermined for those abnormal information items, a script file whose third weighted value is greater than the standard value determined by the webshell sample base is determined to be a webshell. Webshells in the web server are thereby detected, and detection efficiency is improved.
2. An isolation area is set up and the webshell is moved into it so that it can no longer be viewed or executed, which ensures that the webshell cannot continue to damage the web server; at the same time, a script file mistakenly detected as a webshell can be recovered from the isolation area.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or item of information from another, and do not necessarily require or imply any such actual relation or order between these entities or items of information. Moreover, the terms "comprise", "comprising" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises that element.
Finally, it should be noted that the foregoing are merely preferred embodiments of the present invention, intended only to illustrate the technical solution of the present invention and not to limit its scope of protection. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A webshell detection method, characterized in that it comprises: determining, according to a webshell sample base, two or more target abnormal information items to be detected, and determining the first weighted value corresponding to each target abnormal information item and a standard value; and further comprises:
S1: acquiring all script files under the website directory of the web server;
S2: detecting the target abnormal information contained in each script file;
S3: calculating the third weighted value corresponding to each script file from each target abnormal information item contained in that script file and the first weighted value corresponding to each such item;
S4: judging whether the third weighted value of each script file is greater than or equal to the standard value, and if so, determining that the script file whose third weighted value is greater than or equal to the standard value contains a webshell.
2. The method according to claim 1, characterized in that, after step S4, it further comprises:
setting up an isolation area;
when it is determined that the script file whose third weighted value is greater than or equal to the standard value contains a webshell, transferring the webshell to the isolation area.
3. The method according to claim 2, characterized in that, after the webshell is transferred to the isolation area, it further comprises:
detecting whether the website corresponding to the webshell reports an error, and if so, recovering the corresponding webshell from the isolation area according to the error information.
4. The method according to any one of claims 1-3, characterized in that determining two or more target abnormal information items to be detected comprises: determining at least two of the following kinds of abnormal information as the target abnormal information to be detected:
the file provides an upload or download function; the file obtains information of the information system; the file has a function for modifying other files; the file executes commands such as shell or cmd commands to control the information system; the file queries or modifies the information system; the file is larger than 100k; or the file is smaller than 10k.
5. The method according to claim 4, characterized in that
determining the first weighted value corresponding to each target abnormal information item comprises: counting the number of times each target abnormal information item occurs in the webshell sample base and the total number of occurrences of all the target abnormal information items in the webshell sample base, and, for each target abnormal information item, taking the quotient of the number of times the current item occurs in the webshell sample base divided by that total number of occurrences as the first weighted value corresponding to the current item;
determining the standard value comprises: for each webshell in the webshell sample base, according to all the target abnormal information items it contains, summing the first weighted values corresponding to each target abnormal information item contained in the current webshell as the second weighted value corresponding to the current webshell; comparing the second weighted values corresponding to the webshells in the webshell sample base, and determining the smallest second weighted value among them as the standard value.
6. A webshell detection device, characterized in that it comprises:
a determining unit, for determining, according to a webshell sample base, two or more target abnormal information items to be detected, the first weighted value corresponding to each target abnormal information item, and a standard value;
an acquiring unit, for acquiring all script files under the website directory of the web server;
a first detecting unit, for detecting the target abnormal information contained in each script file;
a computing unit, for calculating the third weighted value corresponding to each script file from the target abnormal information items contained in that script file and the first weighted value corresponding to each of those items;
a judging unit, for judging whether the third weighted value of each script file is greater than or equal to the standard value, and if so, determining that the script file whose third weighted value is greater than or equal to the standard value contains a webshell.
7. The device according to claim 5, characterized in that it further comprises:
a setting unit, for setting up an isolation area;
a processing unit, for transferring the webshell to the isolation area when it is determined that the script file whose third weighted value is greater than or equal to the standard value contains a webshell.
8. The device according to claim 7, characterized in that it further comprises:
a second detecting unit, for detecting whether the website corresponding to the webshell reports an error;
a recovery unit, for recovering the corresponding webshell from the isolation area set up by the first setting unit when the detection result of the detecting unit is yes.
9. The device according to any one of claims 6-8, characterized in that
the determining unit is configured to determine at least two of the following kinds of abnormal information as the target abnormal information to be detected:
the file provides an upload or download function; the file obtains information of the information system; the file has a function for modifying other files; the file executes commands such as shell or cmd commands to control the information system; the file queries or modifies the information system; the file is larger than 100k; or the file is smaller than 10k.
10. The device according to claim 9, characterized in that
the determining unit is further configured to count the number of times each target abnormal information item occurs in the webshell sample base and the total number of occurrences of all the target abnormal information items in the webshell sample base, and, for each target abnormal information item, to take the quotient of the number of times the current item occurs in the webshell sample base divided by that total number of occurrences as the first weighted value corresponding to the current item;
the determining unit is further configured, for each webshell in the webshell sample base and according to all the target abnormal information items it contains, to sum the first weighted values corresponding to each target abnormal information item contained in the current webshell as the second weighted value corresponding to the current webshell; and to compare the second weighted values corresponding to the sample webshells and determine the smallest second weighted value among them as the standard value.
CN201510496802.0A 2015-08-13 2015-08-13 Webshell detection method and device Pending CN105046154A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510496802.0A CN105046154A (en) 2015-08-13 2015-08-13 Webshell detection method and device

Publications (1)

Publication Number Publication Date
CN105046154A true CN105046154A (en) 2015-11-11

Family

ID=54452691

Country Status (1)

Country Link
CN (1) CN105046154A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106850617A (en) * 2017-01-25 2017-06-13 余洋 Webshell detection method and device
CN106911686A (en) * 2017-02-20 2017-06-30 杭州迪普科技股份有限公司 WebShell detection methods and device
CN107135199A (en) * 2017-03-29 2017-09-05 国家电网公司 The detection method and device at webpage back door
CN109933977A (en) * 2019-03-12 2019-06-25 北京神州绿盟信息安全科技股份有限公司 A kind of method and device detecting webshell data

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
CN102291394A (en) * 2011-07-22 2011-12-21 网宿科技股份有限公司 Security defense system based on network accelerating equipment
CN102647421A (en) * 2012-04-09 2012-08-22 北京百度网讯科技有限公司 Web back door detection method and device based on behavioral characteristics
CN102970309A (en) * 2012-12-25 2013-03-13 苏州山石网络有限公司 Detection method, detection device and firewall for zombie host
CN103634306A (en) * 2013-11-18 2014-03-12 北京奇虎科技有限公司 Security detection method and security detection server for network data
CN103853979A (en) * 2010-12-31 2014-06-11 北京奇虎科技有限公司 Program identification method and device based on machine learning
US20140337310A1 (en) * 2006-08-08 2014-11-13 CastTV Inc. Facilitating video search

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
孙飞帆: ""基于动态分析的网页恶意脚本检测技术研究"", 《中国优秀博硕士学位论文全文数据库 信息科技辑》 *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20151111