CN108616538A - Attacker information collection method, system, terminal, server and storage medium - Google Patents


Info

Publication number: CN108616538A
Authority: CN (China)
Application number: CN201810404822.4A
Other languages: Chinese (zh)
Inventors: 仇新梁, 张炳帅
Current assignee: Beijing Wangsikeping Technology Co Ltd
Original assignee: Beijing Wangsikeping Technology Co Ltd
Legal status: Pending
Prior art keywords: attacker, information collection, browser, service server, collection module

Classifications

    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/302 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information: gathering intelligence information for situation awareness or reconnaissance
    • H04L63/308 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information: retaining data, e.g. retaining successful, unsuccessful communication attempts, internet access, or e-mail, internet telephony, intercept related information or call content
    • H04N7/18 Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast

Abstract

The invention discloses an attacker information collection method applied to a service server that is network-connected to a terminal, wherein a browser is installed on the terminal. The attacker information collection method includes: the service server implants an information collection module into a web backdoor, wherein the web backdoor is one detected by a security audit system deployed on the service server side; when an attacker uses the browser to access the service server through the web backdoor, the service server sends the information collection module to the browser so that the browser loads the information collection module; wherein the information collection module is used to collect information loaded in the browser and/or turn on the camera of the terminal, and to send the collected information and/or the information obtained through the camera to the service server and/or an information collection server.

Description

Attacker information collection method, system, terminal, server and storage medium
Technical field
The present invention relates to the technical field of network security, and in particular to an attacker information collection method, system, terminal, server and storage medium.
Background
With the continuous development of computer information technology, people's lives have changed dramatically. While people enjoy the convenience that technological development brings, cyber threats have also become an increasingly common social phenomenon. Many hackers or network attackers use their command of computer technology to attack enterprise information systems over the network, for the purpose of destruction or profit.
Various network security products have accordingly appeared on the market, providing security defense along different dimensions to maintain network security. National law enforcement agencies have also issued relevant regulations to crack down on network crime. However, because the source of a network attack is difficult to trace, the real attacker's information cannot be obtained, which makes handling network incidents much harder.
A webshell is a command execution environment that exists in the form of a web page file such as asp, php, jsp or cgi; it can also be called a web backdoor. After compromising a website, a hacker usually mixes asp or php backdoor files with the normal web page files under the web directory of the website server, and can then use a browser to access the asp or php backdoor and obtain a command execution environment, thereby controlling the website server.
When carrying out a webshell attack on a website, once the attacker finds that the website has an arbitrary file upload vulnerability, the attacker can use auxiliary tools to upload a malicious webshell file and thereby obtain control of the website.
When network security administrators discover such an attack, they usually take the following measures:
1. After confirming that a malicious webshell file exists, delete the malicious webshell file uploaded by the hacker.
2. Use a webshell scanning and removal tool to check whether the web directory on disk and other sensitive paths contain further malicious webshell files. If a malicious file is found, repeat step 1.
3. After ensuring that no malicious webshell files remain on disk, modify the program's file upload code to patch the vulnerability.
4. Apply follow-up security protection measures, for example deploying network security protection software on the target server.
The above is the common way of handling such attacks. It is a reactive approach ("mending the fold after the sheep is lost") that protects the website from further attack and loss. However, it cannot actively trace the attacker in return and obtain as much information about the attacker as possible, so there is no possibility of recovering losses or cracking down on network crime.
Summary of the invention
The purpose of the present invention is to provide an attacker information collection method, system, terminal, server and storage medium, to solve the problem that the attacker's personal information cannot be collected in the prior art.
To achieve the above object, a first aspect of the present invention provides an attacker information collection method applied to a service server that is network-connected to a terminal, wherein a browser is installed on the terminal. The attacker information collection method includes: the service server implants an information collection module into a web backdoor, wherein the web backdoor is one detected by a security audit system deployed on the service server side; when an attacker uses the browser to access the service server through the web backdoor, the service server sends the information collection module to the browser so that the browser loads the information collection module; wherein the information collection module is used to collect information loaded in the browser and/or turn on the camera of the terminal, and to send the collected information and/or the information obtained through the camera to the service server and/or an information collection server.
In one possible implementation, the information collection module is a JavaScript code file.
A second aspect of the present invention provides an attacker information collection method applied to a terminal that is network-connected to a server, wherein a browser is installed on the terminal. The attacker information collection method includes: the browser accesses the service server through a web backdoor, the web backdoor having an information collection module implanted in it, wherein the web backdoor is one detected by a security audit system deployed on the service server side; the browser receives the information collection module from the service server and loads the information collection module; wherein the information collection module is used to collect information loaded in the browser and/or turn on the camera of the terminal, and to send the collected information and/or the information obtained through the camera to the service server and/or an information collection server.
In one possible implementation, the information collection module is a JavaScript code file.
A third aspect of the present invention provides an attacker information collection system applied to a server that is network-connected to a terminal, wherein a browser is installed on the terminal. The attacker information collection system includes: a knowing unit, used to learn of a web backdoor, wherein the web backdoor is one detected by a security audit system deployed on the service server side; an implantation unit, used to implant an information collection module into the web backdoor; and a first communication unit which, when an attacker uses the browser to access the service server through the web backdoor, is used to send the information collection module to the browser so that the browser loads the information collection module; wherein the information collection module is used to collect information loaded in the browser and/or turn on the camera of the terminal, and to send the collected information and/or the information obtained through the camera to the service server and/or an information collection server.
In one possible implementation, the information collection module is a JavaScript code file.
A fourth aspect of the present invention provides an attacker information collection system applied to a terminal that is network-connected to a server, wherein a browser is installed on the terminal. The attacker information collection system includes: a second communication unit, used for the browser to access the service server through a web backdoor, the web backdoor having an information collection module implanted in it, wherein the web backdoor is one detected by a security audit system deployed on the service server side; the second communication unit is also used for the browser to receive the information collection module from the service server; and a loading unit, used for the browser to load the information collection module; wherein the information collection module is used to collect information loaded in the browser and/or turn on the camera of the terminal, and to send the collected information and/or the information obtained through the camera to the service server and/or an information collection server.
In one possible implementation, the information collection module is a JavaScript code file.
A fifth aspect of the present invention provides a service server that uses the attacker information collection system described in the third aspect.
A sixth aspect of the present invention provides a terminal on which a browser is installed; the terminal uses the attacker collection system described in the fourth aspect.
A seventh aspect of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the attacker information collection method described in the first aspect or the attacker information collection method described in the second aspect.
The present invention has the following advantages: the present invention implants an information collection module into the backdoor that the attacker left when intruding into the server. When the attacker accesses the backdoor through a browser, the information collection module is requested into the local browser and then automatically collects the identity information in the attacker's browser; if a camera is present, it automatically turns on the camera to capture the attacker's portrait information, and automatically reports this information to the server or the information collection server. In this way the attacker's internet platform accounts, for example a Baidu account or a Weibo account, can be obtained, and the attacker's portrait information can also be obtained, providing effective clues for further tracing the attacker's identity.
Description of the drawings
Fig. 1 is an application architecture diagram of an attacker information collection method provided by an embodiment of the present invention.
Fig. 2 is a flowchart of an attacker information collection method provided by an embodiment of the present invention.
Fig. 3 is a schematic structural diagram of an attacker information collection system provided by an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of an attacker information collection system provided by an embodiment of the present invention.
Detailed description
The following embodiments are used to illustrate the present invention, but are not intended to limit its scope.
It should be noted that the drawings provided in the following embodiments only illustrate the basic concept of the present invention schematically. The drawings show only the components related to the present invention rather than being drawn according to the number, shape and size of components in actual implementation; in actual implementation the form, quantity and proportion of each component may be changed at will, and the component layout may also be more complex.
The idea of the present invention is as follows:
1. After confirming that a malicious webshell file exists, implant an information collection module into the malicious webshell file. The information collection module includes two script files: a file monitoring script and an attacker counter script.
2. Use a webshell scanning and removal tool to check whether the web directory on disk and other sensitive paths contain further malicious webshell files. If a malicious file is found, repeat step 1.
3. After ensuring that no malicious webshell files remain on disk, modify the program's file upload code to patch the vulnerability.
4. Apply follow-up security protection measures, for example deploying network security protection software on the target server.
After this handling is complete, as soon as the attacker tries to connect to the malicious webshell file they uploaded in order to carry out further attack operations, the following operations are triggered:
1. When the attacker uses a browser to access the malicious webshell file, if third-party software such as Baidu, Weibo or a mailbox is already logged in on the computer the attacker is using, the implanted attacker counter script file runs automatically and completes two operations at the same time:
1) By calling the API interfaces made public by the above third-party software, the attacker's account information (user name information) is obtained.
2) Using existing browser components, the camera on the attacker's computer is turned on and a photo of the attacker is taken automatically.
2. After the above operations are completed, the account information and photo data are automatically sent back to a designated server.
3. The file monitoring script immediately deletes the malicious webshell file implanted by the attacker, ensuring the security of the attacked website.
Next, the present invention is described in detail.
Fig. 1 shows the application architecture diagram of the attacker information collection method provided by an embodiment of the present invention. As shown in Fig. 1, the application architecture may include a service server 11 and at least one terminal 12, and in one example may also include an information collection server 13. The service server 11 and the terminal 12 can communicate over a network, and the terminal 12 and the information collection server 13 can communicate over a network. The terminal 12 may specifically be a mobile phone, a tablet computer (Pad), a computer with a wireless transceiver function, a smartwatch, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on, with a browser installed. The service server 11 is a service server of an internet platform, for example a back-end service server of Weibo or Alipay. The information collection server 13 is used to collect and store the attacker information acquired by the terminal 11, and to provide it to the public security authorities or other law enforcement agencies in order to trace the attacker and determine who the attacker is.
Embodiment 1
Next, the attacker information collection method provided in this embodiment is described with reference to Fig. 2. The attacker information collection method is applied to the service server 11 and the terminal 12, and specifically includes the following steps.
Step 21: the service server 11 implants an information collection module into the web backdoor, wherein the web backdoor is one detected by a security audit system deployed on the service server side 11.
The web backdoor is the one left by the attacker when intruding into the service server 11. The security audit system can be an existing security audit system such as the scorpio server threat detection system, 360 website security detection, or WebShellkiller, which can detect web backdoors left by attackers. When the security audit system finds a web backdoor, it can raise an alarm to alert the service server maintenance personnel, and the service server then implants the information collection module into the web backdoor.
In one example, implanting the information collection module into the web backdoor includes writing the code of the information collection module as a file and referencing this file in the web backdoor.
Step 22: when the attacker uses the browser to access the service server 11 through the web backdoor, the service server 11 sends the information collection module to the browser, so that the browser loads the information collection module.
When the attacker uses the browser to access the service server 11 through the web backdoor, the browser requests the relevant HTML, CSS, images, JS files and so on from the service server 11, and the information collection module is accordingly also requested and executed in the browser.
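The request sequence in step 22 leaves a trace in the service server's access log: a hit on the backdoor page followed by a fetch of the module it references. As an added example that is not part of the patent, the following JavaScript correlates the two over constructed log lines to confirm which clients actually loaded the module. The backdoor path, host name, client addresses and log format are assumptions; only the module path comes from the description.

```javascript
'use strict';

// Module path as it appears in the description.
const MODULE_PATH = '/web/src/apps/counter/templates/counterTemp.js';
// Hypothetical location of the detected backdoor (not from the patent).
const BACKDOOR_PATH = '/uploads/shell.php';

// Constructed sample lines in combined log format (documentation addresses).
const SAMPLE_LOG = [
  '192.0.2.5 - - [02/May/2018:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [02/May/2018:10:01:02 +0800] "GET /uploads/shell.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
  '203.0.113.7 - - [02/May/2018:10:01:03 +0800] "GET /web/src/apps/counter/templates/counterTemp.js HTTP/1.1" 200 4096 "http://shop.example/uploads/shell.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
  '203.0.113.7 - - [02/May/2018:10:02:10 +0800] "POST /uploads/shell.php?p=1 HTTP/1.1" 200 977 "http://shop.example/uploads/shell.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
  '198.51.100.20 - - [02/May/2018:11:15:40 +0800] "POST /uploads/shell.php HTTP/1.1" 200 60 "-" "curl/7.58.0"',
  'truncated or malformed line',
];

// host ident user [time] "method target proto" status bytes "referer" "user-agent"
const LINE_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

// Parse one combined-format line; returns null for anything that does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, client, time, method, target, status, referer, userAgent] = m;
  return {
    client,
    time,
    method,
    path: target.split('?')[0], // compare on the path, ignoring the query string
    status: Number(status),
    referer,
    userAgent,
  };
}

// Path component of a Referer header, or null when it is "-" or not a URL.
function refererPath(referer) {
  try {
    return new URL(referer).pathname;
  } catch {
    return null;
  }
}

// One record per client that requested the backdoor. moduleLoaded becomes true
// only if the same client later fetched the module with the backdoor page as
// Referer, i.e. a real browser rendered the page and followed the script tag.
function correlate(lines, backdoorPath, modulePath) {
  const sessions = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue; // skip lines the parser cannot read
    if (e.path === backdoorPath) {
      if (!sessions.has(e.client)) {
        sessions.set(e.client, {
          client: e.client,
          firstAccess: e.time,
          userAgent: e.userAgent,
          backdoorHits: 0,
          moduleLoaded: false,
        });
      }
      sessions.get(e.client).backdoorHits += 1;
    } else if (e.path === modulePath && (e.status === 200 || e.status === 304)) {
      const s = sessions.get(e.client);
      if (s && refererPath(e.referer) === backdoorPath) s.moduleLoaded = true;
    }
  }
  return [...sessions.values()];
}

console.log(JSON.stringify(correlate(SAMPLE_LOG, BACKDOOR_PATH, MODULE_PATH), null, 2));
```

In the sample, the client that connects with a command-line tool requests the backdoor but never fetches the module, which matches the method's precondition that the attacker uses a browser.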
The information collection module is used to collect the information loaded in the browser and/or turn on the camera of the terminal, and to send the collected information and/or the information obtained through the camera to the service server 11 and/or the information collection server 13.
The information that the information collection module collects from the browser may include the account information used by the attacker, for example from the login interface of a social platform, where account information such as the login user name has been obtained and retained in the browser; it may also include the pictures rendered by the browser; and it may also include the name and version of the browser, the operating information of the terminal 12, and so on.
The information obtained by the camera may include personal portrait information such as the attacker's facial feature information and physical feature information, as well as feature information about the surrounding environment.
The security administrator extracts the attacker information from the information collection server and provides it to the public security authorities or other law enforcement agencies, who further trace the attacker and carry out the relevant law enforcement.
The service server 11 and the terminal 12 can support the HTTP transport protocol and the HTTPS transport protocol.
In one example, the information collection module includes two script files: a file monitoring script and an attacker counter script.
When the attacker uses a browser to access the service server 11 through the web backdoor, if third-party software such as Baidu, Weibo or a mailbox is already logged in on the computer the attacker is using, the implanted attacker counter script file runs automatically and completes two operations at the same time:
1) By calling the API interfaces made public by the above third-party software, the attacker's account information (user name information) is obtained.
2) Using existing browser components, the camera on the attacker's computer is turned on and a photo of the attacker is taken automatically.
The information collection module can be a JavaScript code file.
The information collection module can be called from HTML. The following code can be placed between <head> and </head> of the HTML, or between <body> and </body>:
<script type="text/javascript" src="/web/src/apps/counter/templates/counterTemp.js"></script>
The information collection module can also be referenced from another JS file, specifically by adding the following example code at the top of the calling file:
document.write("<script language='javascript' src='/web/src/apps/counter/templates/counterTemp.js'></script>");
The information collection module can also be used in PHP, with the following code:
<script type="text/javascript" src="/web/src/apps/counter/templates/counterTemp.js"></script>
Alternatively, the include, include_once, require or require_once function calls are used in PHP, with the following code in that order:
<?php include('/web/src/apps/counter/templates/counterTemp.js'); ?>
<?php include_once('/web/src/apps/counter/templates/counterTemp.js'); ?>
<?php require('/web/src/apps/counter/templates/counterTemp.js'); ?>
<?php require_once('/web/src/apps/counter/templates/counterTemp.js'); ?>
The information collection module can also be called in ASP, as follows:
<script language=javascript src="/web/src/apps/counter/templates/counterTemp.js"></script>
The information collection module can also be called in JSP, as follows:
<script type="text/javascript" src="/web/src/apps/counter/templates/counterTemp.js"></script>
The attacker information collection method provided in this embodiment implants an information collection module into the backdoor that the attacker left when intruding into the server. When the attacker accesses the backdoor through a browser, the information collection module is requested into the local browser and then automatically collects the identity information in the attacker's browser; if a camera is present, it automatically turns on the camera to capture the attacker's portrait information, and automatically reports this information to the server or the information collection server. In this way the attacker's internet platform accounts, for example a Baidu account or a Weibo account, can be obtained, and the attacker's portrait information can also be obtained, providing effective clues for further tracing the attacker's identity.
Embodiment 2
An embodiment of the present invention further provides an attacker information collection method applied to a terminal that is network-connected to a service server, wherein a browser is installed on the terminal. The attacker information collection method includes: the browser accesses the service server through a web backdoor, the web backdoor having an information collection module implanted in it, wherein the web backdoor is one detected by a security audit system deployed on the server side; the browser receives the information collection module from the service server and loads the information collection module; wherein the information collection module is used to collect information loaded in the browser and/or turn on the camera of the terminal, and to send the collected information and/or the information obtained through the camera to the service server and/or an information collection server.
The information collection module is a JavaScript code file.
The information collection module loaded in this embodiment can be implemented with reference to the content of Embodiment 1, which is not repeated here.
The attacker information collection method provided in this embodiment implants an information collection module into the backdoor that the attacker left when intruding into the server. When the attacker accesses the backdoor through a browser, the information collection module is requested into the local browser and then automatically collects the identity information in the attacker's browser; if a camera is present, it automatically turns on the camera to capture the attacker's portrait information, and automatically reports this information to the server or the information collection server. In this way the attacker's internet platform accounts, for example a Baidu account or a Weibo account, can be obtained, and the attacker's portrait information can also be obtained, providing effective clues for further tracing the attacker's identity.
Embodiment 3
This embodiment provides an attacker information collection system 3. The attacker information collection system 3 is applied to the service server 11 that is network-connected to the terminal 12, wherein a browser is installed on the terminal 11.
As shown in Fig. 3, the attacker information collection system includes:
An implantation unit 31, used to implant an information collection module into the web backdoor, wherein the web backdoor is one detected by a security audit system deployed on the service server 11 side;
A first communication unit 32 which, when an attacker uses the browser to access the service server 11 through the web backdoor, is used to send the information collection module to the browser so that the browser loads the information collection module;
wherein the information collection module is used to collect the information loaded in the browser and/or turn on the camera of the terminal, and to send the collected information and/or the information obtained through the camera to the service server 11 and/or the information collection server 13.
The attacker information collection system 3 can be implemented with reference to the content described in Embodiment 1, which is not repeated here.
This embodiment provides a service server that uses the attacker information collection system 3.
In the attacker information collection system provided in this embodiment, the service server implants an information collection module into the backdoor that the attacker left when intruding into the server. When the attacker accesses the backdoor through a browser, the information collection module is requested into the local browser and then automatically collects the identity information in the attacker's browser; if a camera is present, it automatically turns on the camera to capture the attacker's portrait information, and automatically reports this information to the server or the information collection server. In this way the attacker's internet platform accounts, for example a Baidu account or a Weibo account, can be obtained, and the attacker's portrait information can also be obtained, providing effective clues for further tracing the attacker's identity.
Embodiment 4
This embodiment provides an attacker information collection system 4. The attacker information collection system 4 is applied to the terminal 12 that is network-connected to the service server 11, wherein a browser is installed on the terminal 12.
As shown in Fig. 4, the attacker information collection system includes:
A second communication unit 41, used for the browser to access the service server through a web backdoor, the web backdoor having an information collection module implanted in it, wherein the web backdoor is one detected by a security audit system deployed on the service server side;
The second communication unit 41 is also used for the browser to receive the information collection module from the service server;
A loading unit 42, used for the browser to load the information collection module;
wherein the information collection module is used to collect the information loaded in the browser and/or turn on the camera of the terminal, and to send the collected information and/or the information obtained through the camera to the service server 11 and/or the information collection server 13.
The attacker information collection system 4 can be implemented with reference to the content described in Embodiment 2, which is not repeated here.
This embodiment provides a terminal that uses the attacker information collection system 4.
With the attacker information collection system and terminal provided in this embodiment, an information collection module is implanted into the backdoor that the attacker left when intruding into the server. When the attacker accesses the backdoor through a browser, the information collection module is requested into the local browser and then automatically collects the identity information in the attacker's browser; if a camera is present, it automatically turns on the camera to capture the attacker's portrait information, and automatically reports this information to the server or the information collection server. In this way the attacker's internet platform accounts, for example a Baidu account or a Weibo account, can be obtained, and the attacker's portrait information can also be obtained, providing effective clues for further tracing the attacker's identity.
The method steps in the embodiments of the present invention can be implemented by a processor executing software instructions. The software instructions can consist of corresponding software modules, and the software modules can be stored in random access memory (Random Access Memory, RAM), flash memory, read-only memory (Read-Only Memory, ROM), programmable read-only memory (Programmable ROM, PROM), erasable programmable read-only memory (Erasable PROM, EPROM), electrically erasable programmable read-only memory (Electrically EPROM, EEPROM), a register, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor, so that the processor can read information from the storage medium and write information to the storage medium. Of course, the storage medium can also be a component of the processor. The processor and the storage medium can be located in an ASIC. In addition, the ASIC can be located in the terminal and the service server.
It can be understood that the processor in the embodiments of the present invention can be a central processing unit (Central Processing Unit, CPU), or it can be another general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. The general-purpose processor can be a microprocessor or any conventional processor.
The above embodiments can be implemented wholly or partly by software, hardware, firmware, or any combination thereof. When implemented in software, they can be implemented wholly or partly in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the flows or functions described in the embodiments of the present invention are generated wholly or partly. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions can be stored in a computer-readable storage medium, or transmitted by means of the computer-readable storage medium. The computer instructions can be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (such as infrared, wireless, microwave, etc.). The computer-readable storage medium can be any usable medium that a computer can access, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium can be a magnetic medium (for example, a floppy disk, hard disk, or magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (such as a solid state disk (Solid State Disk, SSD)), etc.
The above-described embodiments merely illustrate the principles and effects of the present invention and are not intended to limit the present invention. Anyone familiar with this technology may modify or change the above embodiments without departing from the spirit and scope of the present invention. Therefore, all equivalent modifications or changes completed by those of ordinary skill in the art without departing from the spirit and technical ideas disclosed by the present invention shall still be covered by the claims of the present invention.
The above is only a specific implementation of the embodiments of the present invention. Any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed in this application shall be covered by the protection scope of the embodiments of the present invention.

Claims (11)

1. An attacker information collection method, characterized in that it is applied to a service server connected to a terminal over a network, wherein a browser is installed in the terminal; the attacker information collection method comprises:
The service server implants an information collection module into a web page backdoor, wherein the web page backdoor is detected by a security audit system arranged at the service server end;
When an attacker uses the browser to access the service server through the web page backdoor, the service server sends the information collection module to the browser, so that the browser loads the information collection module;
Wherein the information collection module is used to collect the information loaded in the browser, and/or to turn on the camera of the terminal, and to send the collected information and/or the information obtained by the camera to the service server and/or an information collection server.
2. The attacker information collection method according to claim 1, characterized in that the information collection module is a JavaScript code file.
3. An attacker information collection method, characterized in that it is applied to a terminal connected to a service server over a network, wherein a browser is installed in the terminal; the attacker information collection method comprises:
The browser accesses the service server through a web page backdoor; the web page backdoor is implanted with an information collection module, wherein the web page backdoor is detected by a security audit system arranged at the service server end;
The browser receives the information collection module from the service server and loads the information collection module;
Wherein the information collection module is used to collect the information loaded in the browser, and/or to turn on the camera of the terminal, and to send the collected information and/or the information obtained by the camera to the service server and/or an information collection server.
4. The attacker information collection method according to claim 1, characterized in that the information collection module is a JavaScript code file.
5. An attacker information collection system, characterized in that it is applied to a service server connected to a terminal over a network, wherein a browser is installed in the terminal; the attacker information collection system comprises:
An implantation unit, used to implant an information collection module into a web page backdoor, wherein the web page backdoor is detected by a security audit system arranged at the service server end;
A first communication unit, wherein, when an attacker uses the browser to access the service server through the web page backdoor, the first communication unit is used to send the information collection module to the browser, so that the browser loads the information collection module;
Wherein the information collection module is used to collect the information loaded in the browser, and/or to turn on the camera of the terminal, and to send the collected information and/or the information obtained by the camera to the service server and/or an information collection server.
6. The attacker information collection system according to claim 5, characterized in that the information collection module is a JavaScript code file.
7. An attacker information collection system, characterized in that it is applied to a terminal connected to a service server over a network, wherein a browser is installed in the terminal; the attacker information collection system comprises:
A second communication unit, used for the browser to access the service server through a web page backdoor; the web page backdoor is implanted with an information collection module, wherein the web page backdoor is detected by a security audit system arranged at the service server end;
The second communication unit is further used for the browser to receive the information collection module from the service server;
A loading unit, used for the browser to load the information collection module;
Wherein the information collection module is used to collect the information loaded in the browser, and/or to turn on the camera of the terminal, and to send the collected information and/or the information obtained by the camera to the service server and/or an information collection server.
8. The attacker information collection system according to claim 7, characterized in that the information collection module is a JavaScript code file.
9. A service server, characterized in that it uses the attacker information collection system according to claim 5 or 6.
10. A terminal, characterized in that a browser is installed in the terminal; the terminal uses the attacker collection system according to claim 7 or 8.
11. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and the computer program, when executed by a processor, performs the attacker information collection method according to any one of claims 1-2 or the attacker information collection method according to any one of claims 3-4.
CN201810404822.4A 2018-04-28 2018-04-28 Attacker's formation gathering method, system, terminal, server and its storage medium Pending CN108616538A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810404822.4A CN108616538A (en) 2018-04-28 2018-04-28 Attacker's formation gathering method, system, terminal, server and its storage medium

Publications (1)

Publication Number Publication Date
CN108616538A true CN108616538A (en) 2018-10-02

Family

ID=63661583

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810404822.4A Pending CN108616538A (en) 2018-04-28 2018-04-28 Attacker's formation gathering method, system, terminal, server and its storage medium

Country Status (1)

Country Link
CN (1) CN108616538A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1370296A (en) * 1999-06-14 2002-09-18 株式会社日本商业情报处理中心 Information collection system and information collection method on network, each using technique of internet, and recording medium in which information collection method is recorded
KR20130035600A (en) * 2011-09-30 2013-04-09 주식회사 엔피코어 Method and apparatus for preventing data loss
CN104468477A (en) * 2013-09-16 2015-03-25 杭州迪普科技有限公司 WebShell detection method and system
CN105094786A (en) * 2014-05-21 2015-11-25 广州市动景计算机科技有限公司 Method and system for customizing page based on JavaScript
CN107231364A (en) * 2017-06-13 2017-10-03 深信服科技股份有限公司 A kind of website vulnerability detection method and device, computer installation and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
九天科技: "《黑客攻防入门到精髓 实战秘笈版》", 31 December 2017 *
赵彬: "《黑客攻防 Web安全实战详解》", 31 December 2014 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110839039A (en) * 2019-11-20 2020-02-25 成都知道创宇信息技术有限公司 Intruder countercheck method and device
CN110839039B (en) * 2019-11-20 2022-03-29 成都知道创宇信息技术有限公司 Intruder countercheck method and device
CN114363022A (en) * 2021-12-22 2022-04-15 西安四叶草信息技术有限公司 Attack tracing method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20181002)