CN110868410B - Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium - Google Patents

Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium Download PDF

Info

Publication number
CN110868410B
CN110868410B CN201911094658.2A CN201911094658A CN110868410B CN 110868410 B CN110868410 B CN 110868410B CN 201911094658 A CN201911094658 A CN 201911094658A CN 110868410 B CN110868410 B CN 110868410B
Authority
CN
China
Prior art keywords
trojan
webpage trojan
webpage
determining
connection password
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911094658.2A
Other languages
Chinese (zh)
Other versions
CN110868410A (en
Inventor
胡付博
周忠义
刘新鹏
张红宝
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Eversec Beijing Technology Co Ltd
Original Assignee
Eversec Beijing Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Eversec Beijing Technology Co Ltd filed Critical Eversec Beijing Technology Co Ltd
Priority to CN201911094658.2A priority Critical patent/CN110868410B/en
Publication of CN110868410A publication Critical patent/CN110868410A/en
Application granted granted Critical
Publication of CN110868410B publication Critical patent/CN110868410B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/951Indexing; Web crawling techniques
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/955Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566URL specific, e.g. using aliases, detecting broken or misspelled links
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/23Clustering techniques
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Physics & Mathematics (AREA)
  • Artificial Intelligence (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Evolutionary Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Computation (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The embodiment of the disclosure discloses a method, a device, electronic equipment and a storage medium for acquiring a webpage Trojan horse connection password, wherein the method comprises the following steps: detecting flow data between a server and a client of a target website, and judging whether the flow data hits webpage Trojan detection rules in a preset webpage Trojan detection rule set; if the webpage Trojan is hit, determining that the webpage Trojan is detected, grabbing a hit PCAP package, determining the file type of the webpage Trojan according to a hit webpage Trojan detection rule, and determining the family of the webpage Trojan according to the data content of the PCAP package; and determining the position information and the coding information of the connection password of the webpage Trojan according to the file type and the family of the webpage Trojan, and acquiring the connection password of the webpage Trojan according to the PCAP packet, the position information and the coding information. The technical scheme of the embodiment of the disclosure can extract the connection password of the webpage trojan.

Description

Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium
Technical Field
The embodiment of the disclosure relates to the technical field of network security, in particular to a method and a device for acquiring a webpage Trojan horse connection password, electronic equipment and a storage medium.
Background
The web page trojan (Webshell) is an attack script used by hackers, and after controlling a backdoor left by a server by the hackers, the hackers often access and upgrade the server by means of the web page trojan, which is a command execution environment existing in web page file types such as asp, php, jsp, cgi, and the like, and can also be called a web page backdoor. The function of the webpage trojan includes not only executing shell commands and codes, but also viewing a database and the like. After deployment is successful, an intruder can obtain certain operation authority and the like for the WEB server through the website port. When the Trojan horse is visited, a certain data submission record is left in the log of the WEB server.
The DPI technology, that is, the DPI (deep Packet inspection) deep Packet inspection technology, is an application-layer-based traffic inspection and control technology, and when an IP Packet, a TCP or a UDP data stream passes through a DPI-technology-based bandwidth management system, the system reassembles application-layer information in an OSI seven-layer protocol by deeply reading the content of the IP Packet payload, thereby obtaining the content of the entire application program, and then performs a shaping operation on the traffic according to a management policy defined by the system.
The existing web Trojan detection mainly detects flow data between a server and a client to judge whether suspicious data with web Trojan characteristics or web Trojan behavior characteristics exist in the flow data, but further detailed information of the web Trojan cannot be acquired.
Disclosure of Invention
In view of this, the present disclosure provides a method, an apparatus, an electronic device, and a storage medium for obtaining a webpage trojan connection password, so as to obtain the webpage trojan connection password.
Additional features and advantages of the disclosed embodiments will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosed embodiments.
In a first aspect, an embodiment of the present disclosure provides a method for obtaining a webpage trojan connection password, including:
detecting flow data between a server and a client of a target website, and judging whether the flow data hits webpage Trojan detection rules in a preset webpage Trojan detection rule set, wherein each webpage Trojan detection rule in the webpage Trojan detection rule set is respectively used for identifying a webpage Trojan of one file type;
if yes, determining that the webpage Trojan is detected, grabbing a hit PCAP (personal computer application protocol) package, determining the file type of the webpage Trojan according to a hit webpage Trojan detection rule, and determining the family of the webpage Trojan according to the data content of the PCAP package;
and determining the position information and the coding information of the connection password of the webpage Trojan according to the file type and the family of the webpage Trojan, and acquiring the connection password of the webpage Trojan according to the PCAP packet, the position information and the coding information.
In an embodiment, the method further includes, after fetching the hit PCAP packet, acquiring an access address of the web Trojan according to the content of the HOST field and the content of the URL field of the PCAP packet.
In an embodiment, after obtaining the connection password of the web Trojan, the method further includes:
actively connecting the webpage trojan according to the access address and the connection password;
if the returned result indicates that the network is not reachable, determining that the webpage trojan is deleted or is not authorized to be connected with the webpage trojan;
and if the returned result shows that the server cannot normally provide information or the server cannot respond, determining that the webpage Trojan is the webpage Trojan with false alarm.
In an embodiment, before detecting traffic data between the server and the client of the target website, the method further includes:
acquiring webpage Trojan sample sets of various Trojan families;
performing clustering analysis on the webpage Trojan sample set according to file types to obtain the webpage Trojan detection rule set;
and performing clustering analysis on the webpage Trojan sample set of each file type according to the family to which the webpage Trojan sample set belongs to obtain the file type, the family to which the webpage Trojan sample set belongs, and the position information and the associated information of the coding information of the connection password.
In an embodiment, the determining the location information and the encoding information of the link password of the web Trojan according to the file type and the family of the web Trojan includes:
and inquiring the file type of the webpage Trojan horse and the corresponding position information and the corresponding coding information of the family from the associated information.
In an embodiment, the determining whether the traffic data hits the predetermined webpage Trojan detection rule includes:
and judging whether the flow data hits webpage Trojan detection rules in a preset webpage Trojan detection rule set or not according to whether the header content of each PCAP packet in the flow data contains a preset language segment or not.
In an embodiment, the detecting traffic data between the server and the client of the target website includes:
and detecting the traffic data between the server and the client of the target website through the DPI equipment.
In a second aspect, an embodiment of the present disclosure further provides an apparatus for obtaining a webpage trojan connection password, including:
the rule matching unit is used for detecting flow data between a server and a client of a target website and judging whether the flow data hit webpage Trojan detection rules in a preset webpage Trojan detection rule set or not, wherein each webpage Trojan detection rule in the webpage Trojan detection rule set is respectively used for identifying the webpage Trojan of one file type;
the family determining unit is used for determining that the webpage Trojan horse is detected if the webpage Trojan horse is hit, grabbing a hit PCAP (personal computer application) package, determining the file type of the webpage Trojan horse according to a hit webpage Trojan horse detection rule, and determining the family to which the webpage Trojan horse belongs according to the data content of the PCAP package;
and the connection password acquisition unit is used for determining the position information and the coding information of the connection password of the web Trojan according to the file type and the family of the web Trojan and acquiring the connection password of the web Trojan according to the PCAP packet, the position information and the coding information.
In an embodiment, the apparatus further includes an access address obtaining unit, configured to, after fetching the hit PCAP packet, obtain an access address of the web Trojan according to the content of the HOST field and the content of the URL field of the PCAP packet.
In an embodiment, the apparatus further includes an authentication unit, configured to, after obtaining the connection password of the web Trojan:
actively connecting the webpage trojan according to the access address and the connection password;
if the returned result indicates that the network is not reachable, determining that the webpage trojan is deleted or is not authorized to be connected with the webpage trojan;
and if the returned result shows that the server cannot normally provide information or the server cannot respond, determining that the webpage Trojan is the webpage Trojan with false alarm.
In one embodiment, the apparatus further comprises a pre-analysis unit, the pre-analysis unit comprising:
the system comprises a sample set acquisition subunit, a data acquisition unit and a data acquisition unit, wherein the sample set acquisition subunit is used for acquiring webpage Trojan sample sets of various Trojan families before detecting traffic data between a server and a client of a target website;
a rule set obtaining subunit, configured to perform cluster analysis on the webpage Trojan horse sample set according to file types to obtain the webpage Trojan horse detection rule set;
and the associated information acquisition subunit is used for performing cluster analysis on the webpage Trojan horse sample sets of each file type according to the families to which the webpage Trojan horse sample sets belong to obtain the associated information of the file types, the families to which the webpage Trojan horse sample sets belong, the position information of the connection passwords and the coding information.
In one embodiment, the connection password obtaining unit is configured to: and inquiring the file type of the webpage Trojan horse and the corresponding position information and the corresponding coding information of the family from the associated information.
In one embodiment, the rule matching unit is configured to: and judging whether the flow data hits webpage Trojan detection rules in a preset webpage Trojan detection rule set or not according to whether the header content of each PCAP packet in the flow data contains a preset language segment or not.
In one embodiment, the rule matching unit is configured to: and detecting the traffic data between the server and the client of the target website through the DPI equipment.
In a third aspect, an embodiment of the present disclosure further provides an electronic device, including:
one or more processors;
a memory for storing one or more programs;
when executed by the one or more processors, cause the one or more processors to implement the instructions of the method of any one of the first aspects.
In a fourth aspect, the disclosed embodiments also provide a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements the steps of the method according to any one of the first aspect.
The method comprises the steps of judging whether flow data hit webpage Trojan detection rules in a preset webpage Trojan detection rule set or not by detecting the flow data between a server and a client of a target website, determining that the webpage Trojan is detected if the flow data hit the webpage Trojan detection rules, capturing a hit PCAP (personal computer application protocol) packet, determining the file type of the webpage Trojan according to the hit webpage Trojan detection rules, and determining the family to which the webpage Trojan belongs according to the data content of the PCAP packet; and then, the position information and the coding information of the connection password of the webpage Trojan horse are determined and extracted according to the file type and the family to which the file type belongs, so that the connection password of the webpage Trojan horse can be extracted.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present disclosure, the drawings required to be used in the description of the embodiments of the present disclosure will be briefly described below, and it is obvious that the drawings in the description below are only some of the embodiments of the present disclosure, and for those skilled in the art, other drawings may be obtained according to the contents of the embodiments of the present disclosure and the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a method for obtaining a web Trojan horse connection password according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of another method for obtaining a web Trojan horse connection password according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of an apparatus for obtaining a web Trojan horse connection password according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of another apparatus for acquiring a web Trojan horse connection password according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of another apparatus for obtaining a web Trojan horse connection password according to an embodiment of the present disclosure;
FIG. 6 shows a schematic structural diagram of an electronic device suitable for use in implementing embodiments of the present disclosure.
Detailed Description
In order to make the technical problems solved, technical solutions adopted and technical effects achieved by the embodiments of the present disclosure clearer, the technical solutions of the embodiments of the present disclosure will be described in further detail below with reference to the accompanying drawings, and it is obvious that the described embodiments are only some embodiments, but not all embodiments, of the embodiments of the present disclosure. All other embodiments, which can be obtained by a person skilled in the art without making creative efforts based on the embodiments of the present disclosure, belong to the protection scope of the embodiments of the present disclosure.
It should be noted that the terms "system" and "network" are often used interchangeably in the embodiments of the present disclosure. Reference to "and/or" in embodiments of the present disclosure is meant to include any and all combinations of one or more of the associated listed items. The terms "first", "second", and the like in the description and claims of the present disclosure and in the drawings are used for distinguishing between different objects and not for limiting a particular order.
It should also be noted that, in the embodiments of the present disclosure, each of the following embodiments may be executed alone, or may be executed in combination with each other, and the embodiments of the present disclosure are not limited specifically.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
The technical solutions of the embodiments of the present disclosure are further described by the following detailed description in conjunction with the accompanying drawings.
Fig. 1 is a flowchart illustrating a method for obtaining a web Trojan connection password according to an embodiment of the present disclosure, where this embodiment is applicable to a situation where a web Trojan in traffic data is detected and a connection password of the web Trojan is obtained, and the method may be executed by an apparatus configured in an electronic device for obtaining a web Trojan connection password, as shown in fig. 1, the method for obtaining a web Trojan connection password according to this embodiment includes:
in step S110, traffic data between the server and the client of the target website is detected, and it is determined whether the traffic data hits a webpage Trojan detection rule in a predetermined webpage Trojan detection rule set.
The webpage Trojan horse detection rule set comprises a webpage Trojan horse detection rule set, a webpage Trojan horse detection rule set and a webpage Trojan horse detection rule set, wherein the webpage Trojan horse detection rule set is used for identifying the webpage Trojan horse of one file type.
The traffic data detection method can comprise various methods, for example, the traffic data between the server and the client of the target website can be detected through the DPI equipment.
The determining whether the traffic data hits the predetermined webpage Trojan detection rule may include multiple methods, for example, determining whether the traffic data hits the webpage Trojan detection rule in the predetermined webpage Trojan detection rule set according to whether the packet header content of each PCAP packet in the traffic data includes a predetermined field.
In step S120, it is determined that the web Trojan is detected if hit occurs, the hit PCAP package is fetched, the file type of the web Trojan is determined according to the hit web Trojan detection rule, and the family to which the web Trojan belongs is determined according to the data content of the PCAP package.
In step S130, the location information and the encoding information of the connection password of the web Trojan are determined according to the file type and the family of the web Trojan, and the connection password of the web Trojan is obtained according to the PCAP packet, the location information and the encoding information.
The step is based on the fact that the storage positions of the connection passwords of the web Trojan horses with the same file type and the same family are the same. Based on the characteristics, the association information of the position information and the coding information of the Trojan horse files of various file types and various families can be stored in advance.
The obtaining mode of the associated information may include multiple modes, for example, before detecting traffic data between a server and a client of a target website, obtaining webpage Trojan sample sets of multiple Trojan families, performing cluster analysis on the webpage Trojan sample sets according to file types to obtain the webpage Trojan detection rule sets, and performing cluster analysis on the webpage Trojan sample sets of each file type according to the family to obtain the file types, the families to which the webpage Trojan sample sets belong, and the location information and the associated information of the coding information of the connection password.
Based on the associated information, the step of determining the position information and the coding information of the connection password of the web Trojan horse according to the file type and the family of the web Trojan horse comprises or comprises the step of inquiring the file type and the position information and the coding information corresponding to the family of the web Trojan horse from the associated information.
Further, after the hit PCAP packet is captured, the access address of the webpage trojan can be further acquired according to the content of the HOST field and the content of the URL field of the PCAP packet.
Further, after obtaining the access address and the connection password of the webpage trojan, the authenticity and the validity of the webpage trojan can be verified.
For example, the web Trojan horse can be actively connected according to the access address and the connection password. If the returned result indicates that the network is not reachable, determining that the webpage trojan is deleted or is not authorized to be connected with the webpage trojan; and if the returned result shows that the server cannot normally provide information or the server cannot respond, determining that the webpage Trojan is the webpage Trojan with false alarm.
In this embodiment, by detecting traffic data between a server and a client of a target website, it is determined whether the traffic data hits a web Trojan detection rule in a predetermined set of web Trojan detection rules, if so, it is determined that a web Trojan is detected, a hit PCAP packet is fetched, a file type of the web Trojan is determined according to the hit web Trojan detection rule, and a family to which the web Trojan belongs is determined according to data content of the PCAP packet; and then, the position information and the coding information of the connection password of the webpage Trojan horse are determined and extracted according to the file type and the family to which the file type belongs, so that the connection password of the webpage Trojan horse can be extracted.
Fig. 2 is a schematic flow chart illustrating another method for obtaining a web Trojan horse connection password according to an embodiment of the present disclosure, and the embodiment is based on the foregoing embodiment and is optimized. As shown in fig. 2, the method for obtaining a web Trojan horse connection password in this embodiment includes:
in step S210, a sample set of web page trojans of various trojan families is obtained.
In step S220, performing cluster analysis on the web Trojan horse sample set according to file types to obtain the web Trojan horse detection rule set.
For example, a php-type web page Trojan, containing the paragraph "<? php @ eval ($ _ POST [ value ]); is there a And > ".
Asp type web page trojans, containing the speech segment "<% eval request (" value ")% >" or "<% execute (" value "))% >.
aspx-type web Page Trojan contains a field "<% @ Page Language ═ Jscript"% > <% eval (request. item [ "value" ])% > <? php fputs (fopen (' xie. php ', ' w '), ' <; is there a And > ".
In step S230, the web Trojan horse sample sets of each file type are respectively subjected to clustering analysis according to the family to which the file type belongs, and the associated information of the position information and the encoding information of the connection password.
In step S240, traffic data between the server and the client of the target website is detected, and it is determined whether the traffic data hits the web Trojan detection rule in the web Trojan detection rule set.
In step S250, it is determined that the web Trojan is detected if hit occurs, the hit PCAP package is crawled, the file type of the web Trojan is determined according to the hit web Trojan detection rule, and the family to which the web Trojan belongs is determined according to the data content of the PCAP package.
In step S260, the file type of the web trojan and the position information and the encoding information corresponding to the family are queried from the related information.
In step S270, a connection password of the web Trojan is obtained according to the PCAP packet, the location information, and the encoding information.
Further, after the hit PCAP packet is captured, the access address of the webpage trojan can be obtained according to the content of the HOST field and the content of the URL field of the PCAP packet.
Further, after the connection password of the webpage trojan is acquired, the webpage trojan can be actively connected according to the access address and the connection password. If the returned result indicates that the network is not reachable, determining that the webpage trojan is deleted or is not authorized to be connected with the webpage trojan; and if the returned result shows that the server cannot normally provide information or the server cannot respond, determining that the webpage Trojan is the webpage Trojan with false alarm.
On the basis of the previous embodiment, the embodiment further discloses that a webpage trojan sample is obtained and analyzed to obtain a webpage trojan rule set for detecting the webpage trojan and determining the file type of the detected webpage trojan. And analyzing the Trojan horse sample to obtain the file type, the family to which the Trojan horse belongs and the position information and the associated information of the coding information of the connection password, so as to obtain the connection password for obtaining the webpage Trojan horse according to the detected file type of the webpage Trojan horse and the position information and the coding information corresponding to the family to which the webpage Trojan horse belongs.
As an implementation of the methods shown in the above figures, the present application provides an embodiment of an apparatus for obtaining a web Trojan connection password, and fig. 3 illustrates a schematic structural diagram of the apparatus for obtaining a web Trojan connection password provided in this embodiment, where the embodiment of the apparatus corresponds to the embodiment of the methods shown in fig. 1 and fig. 2, and the apparatus may be specifically applied to various electronic devices. As shown in fig. 3, the apparatus for acquiring a web trojan connection password according to the embodiment includes a rule matching unit 310, an affiliation family determining unit 320, and a connection password acquiring unit 330.
The rule matching unit 310 is configured to detect traffic data between a server and a client of a target website, and determine whether the traffic data hits a webpage Trojan detection rule in a predetermined webpage Trojan detection rule set, where each webpage Trojan detection rule in the webpage Trojan detection rule set is used to identify a webpage Trojan of a file type.
The family determining unit 320 is configured to determine that the web Trojan is detected if there is a hit, fetch the hit PCAP package, determine a file type of the web Trojan according to a hit web Trojan detection rule, and determine a family to which the web Trojan belongs according to data content of the PCAP package.
The connection password obtaining unit 330 is configured to determine location information and encoding information of a connection password of the web Trojan according to the file type and the family of the web Trojan, and obtain the connection password of the web Trojan according to the PCAP packet, the location information and the encoding information.
Further, the rule matching unit 310 is configured to determine whether the traffic data hits a webpage Trojan detection rule in a predetermined webpage Trojan detection rule set according to whether the header content of each PCAP packet in the traffic data contains a predetermined field.
Further, the rule matching unit 310 is configured to detect traffic data between the server and the client of the target website through a DPI device.
The device for acquiring the webpage Trojan horse connection password provided by the embodiment can execute the method for acquiring the webpage Trojan horse connection password provided by the embodiment of the method, and has corresponding functional modules and beneficial effects of the execution method.
Fig. 4 is a schematic structural diagram of another apparatus for acquiring a web Trojan connection password according to an embodiment of the present disclosure, and as shown in fig. 4, the apparatus for acquiring a web Trojan connection password according to this embodiment includes a rule matching unit 410, an affiliated family determining unit 420, a connection password acquiring unit 430, an access address acquiring unit 440, and a verifying unit 450.
The rule matching unit 410 is configured to detect traffic data between a server and a client of a target website, and determine whether the traffic data hits a webpage Trojan detection rule in a predetermined webpage Trojan detection rule set, where each webpage Trojan detection rule in the webpage Trojan detection rule set is used to identify a webpage Trojan of a file type.
The family determining unit 420 is configured to determine that the web Trojan is detected if hit, grab a hit PCAP package, determine a file type of the web Trojan according to a hit web Trojan detection rule, and determine a family to which the web Trojan belongs according to data content of the PCAP package.
The connection password obtaining unit 430 is configured to determine location information and encoding information of a connection password of the web Trojan according to the file type and the family of the web Trojan, and obtain the connection password of the web Trojan according to the PCAP packet, the location information and the encoding information.
The access address obtaining unit 440 is configured to, after the hit PCAP packet is crawled, obtain an access address of the web Trojan according to the content of the HOST field and the content of the URL field of the PCAP packet.
The authentication unit 450 is configured to, after acquiring the connection password of the web Trojan:
actively connecting the webpage trojan according to the access address and the connection password;
if the returned result indicates that the network is not reachable, determining that the webpage trojan is deleted or is not authorized to be connected with the webpage trojan;
and if the returned result shows that the server cannot normally provide information or the server cannot respond, determining that the webpage Trojan is the webpage Trojan with false alarm.
Further, the connection password obtaining unit 430 is configured to query, from the association information, the file type of the web Trojan horse and the location information and the encoding information corresponding to the family to which the web Trojan horse belongs.
Further, the rule matching unit 410 is configured to determine whether the traffic data hits a webpage Trojan detection rule in a predetermined webpage Trojan detection rule set according to whether the header content of each PCAP packet in the traffic data contains a predetermined field.
Further, the rule matching unit 410 is configured to detect traffic data between the server and the client of the target website through the DPI device.
The device for acquiring the webpage Trojan horse connection password provided by the embodiment can execute the method for acquiring the webpage Trojan horse connection password provided by the embodiment of the method, and has corresponding functional modules and beneficial effects of the execution method.
Fig. 5 is a schematic structural diagram illustrating another apparatus for obtaining a web Trojan connection password according to an embodiment of the present disclosure, and as shown in fig. 5, the apparatus for obtaining a web Trojan connection password according to this embodiment includes a pre-analysis unit 510, a rule matching unit 520, a family determining unit 530, and a connection password obtaining unit 540. The pre-analysis unit 510 includes a sample set obtaining sub-unit 511, a rule set obtaining sub-unit 512, and an associated information obtaining sub-unit 513.
The sample set acquiring subunit 511 is configured to acquire a webpage trojan sample set of multiple trojan families before detecting traffic data between a server and a client of a target website.
The rule set obtaining subunit 512 is configured to perform cluster analysis on the webpage Trojan horse sample set according to file types to obtain the webpage Trojan horse detection rule set.
The associated information obtaining subunit 513 is configured to perform clustering analysis on the web Trojan sample sets of the file types respectively according to the families to which the web Trojan sample sets belong, so as to obtain associated information of the file types, the families to which the web Trojan sample sets belong, and position information and encoding information of the connection passwords.
The rule matching unit 520 is configured to detect traffic data between a server and a client of a target website, and determine whether the traffic data hits a web Trojan detection rule in the web Trojan detection rule set.
The family determining unit 530 is configured to determine that the web Trojan is detected if hit, grab a hit PCAP package, determine a file type of the web Trojan according to a hit web Trojan detection rule, and determine a family to which the web Trojan belongs according to data content of the PCAP package.
The connection password obtaining unit 540 is configured to query the file type of the web Trojan and the location information and the encoding information corresponding to the family to which the web Trojan belongs from the association information, and obtain the connection password of the web Trojan according to the PCAP packet, the location information and the encoding information.
The device for acquiring the webpage Trojan horse connection password provided by the embodiment can execute the method for acquiring the webpage Trojan horse connection password provided by the embodiment of the method, and has corresponding functional modules and beneficial effects of the execution method.
Referring now to FIG. 6, a block diagram of an electronic device 600 suitable for use in implementing embodiments of the present disclosure is shown. The terminal device in the embodiments of the present disclosure may include, but is not limited to, a mobile terminal such as a mobile phone, a notebook computer, a digital broadcast receiver, a PDA (personal digital assistant), a PAD (tablet computer), a PMP (portable multimedia player), a vehicle terminal (e.g., a car navigation terminal), and the like, and a stationary terminal such as a digital TV, a desktop computer, and the like. The electronic device shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 6, electronic device 600 may include a processing means (e.g., central processing unit, graphics processor, etc.) 601 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage means 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data necessary for the operation of the electronic apparatus 600 are also stored. The processing device 601, the ROM 602, and the RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
Generally, the following devices may be connected to the I/O interface 605: input devices 606 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; output devices 607 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 608 including, for example, tape, hard disk, etc.; and a communication device 609. The communication means 609 may allow the electronic device 600 to communicate with other devices wirelessly or by wire to exchange data. While fig. 6 illustrates an electronic device 600 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication means 609, or may be installed from the storage means 608, or may be installed from the ROM 602. The computer program, when executed by the processing device 601, performs the above-described functions defined in the methods of the embodiments of the present disclosure.
It should be noted that the computer readable medium described above in the embodiments of the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the disclosed embodiments, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the disclosed embodiments, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to:
detecting flow data between a server and a client of a target website, and judging whether the flow data hits webpage Trojan detection rules in a preset webpage Trojan detection rule set, wherein each webpage Trojan detection rule in the webpage Trojan detection rule set is respectively used for identifying a webpage Trojan of one file type;
if yes, determining that the webpage Trojan is detected, grabbing a hit PCAP (personal computer application protocol) package, determining the file type of the webpage Trojan according to a hit webpage Trojan detection rule, and determining the family of the webpage Trojan according to the data content of the PCAP package;
and determining the position information and the coding information of the connection password of the webpage Trojan according to the file type and the family of the webpage Trojan, and acquiring the connection password of the webpage Trojan according to the PCAP packet, the position information and the coding information.
Computer program code for carrying out operations for embodiments of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C + +, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. Where the name of a unit does not in some cases constitute a limitation of the unit itself, for example, the first retrieving unit may also be described as a "unit for retrieving at least two internet protocol addresses".
The foregoing description is only a preferred embodiment of the disclosed embodiments and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the disclosure in the embodiments of the present disclosure is not limited to the particular combination of the above-described features, but also encompasses other embodiments in which any combination of the above-described features or their equivalents is possible without departing from the scope of the present disclosure. For example, the above features and (but not limited to) the features with similar functions disclosed in the embodiments of the present disclosure are mutually replaced to form the technical solution.

Claims (9)

1. A method for obtaining a webpage Trojan horse connection password is characterized by comprising the following steps:
detecting flow data between a server and a client of a target website, and judging whether the flow data hits webpage Trojan detection rules in a preset webpage Trojan detection rule set, wherein each webpage Trojan detection rule in the webpage Trojan detection rule set is respectively used for identifying a webpage Trojan of one file type;
if yes, determining that the webpage Trojan is detected, grabbing a hit PCAP (personal computer application protocol) package, determining the file type of the webpage Trojan according to a hit webpage Trojan detection rule, and determining the family of the webpage Trojan according to the data content of the PCAP package;
determining the position information and the coding information of the connection password of the webpage Trojan according to the file type and the family of the webpage Trojan, and acquiring the connection password of the webpage Trojan according to the PCAP packet, the position information and the coding information;
the method further comprises the following steps before detecting the traffic data between the server of the target website and the client:
acquiring webpage Trojan sample sets of various Trojan families;
performing clustering analysis on the webpage Trojan sample set according to file types to obtain the webpage Trojan detection rule set;
and performing clustering analysis on the webpage Trojan sample set of each file type according to the family to which the webpage Trojan sample set belongs to obtain the file type, the family to which the webpage Trojan sample set belongs, and the position information and the associated information of the coding information of the connection password.
2. The method as claimed in claim 1, further comprising, after fetching the hit PCAP packet, obtaining an access address of the web trojan according to contents of the HOST field and contents of the URL field of the PCAP packet.
3. The method of claim 2, further comprising, after obtaining the connection password of the web Trojan horse:
actively connecting the webpage trojan according to the access address and the connection password;
if the returned result indicates that the network is not reachable, determining that the webpage trojan is deleted or is not authorized to be connected with the webpage trojan;
and if the returned result shows that the server cannot normally provide information or the server cannot respond, determining that the webpage Trojan is the webpage Trojan with false alarm.
4. The method of claim 1, wherein the determining the location information and the encoding information of the link password of the web Trojan according to the file type and the family of the web Trojan comprises:
and inquiring the file type of the webpage Trojan horse and the corresponding position information and the corresponding coding information of the family from the associated information.
5. The method of claim 1, wherein determining whether the traffic data hits in a predetermined web Trojan detection rule comprises:
and judging whether the flow data hits webpage Trojan detection rules in a preset webpage Trojan detection rule set or not according to whether the header content of each PCAP packet in the flow data contains a preset language segment or not.
6. The method of claim 1, wherein the detecting traffic data between the server and the client of the target website comprises:
and detecting the traffic data between the server and the client of the target website through the DPI equipment.
7. An apparatus for obtaining a Trojan horse connection password of a webpage, comprising:
the rule matching unit is used for detecting flow data between a server and a client of a target website and judging whether the flow data hit webpage Trojan detection rules in a preset webpage Trojan detection rule set or not, wherein each webpage Trojan detection rule in the webpage Trojan detection rule set is respectively used for identifying the webpage Trojan of one file type;
the family determining unit is used for determining that the webpage Trojan horse is detected if the webpage Trojan horse is hit, grabbing a hit PCAP (personal computer application) package, determining the file type of the webpage Trojan horse according to a hit webpage Trojan horse detection rule, and determining the family to which the webpage Trojan horse belongs according to the data content of the PCAP package;
the connection password acquiring unit is used for determining the position information and the coding information of the connection password of the webpage Trojan according to the file type and the family of the webpage Trojan and acquiring the connection password of the webpage Trojan according to the PCAP packet, the position information and the coding information;
the device further comprises a pre-analysis unit comprising:
the system comprises a sample set acquisition subunit, a data acquisition unit and a data acquisition unit, wherein the sample set acquisition subunit is used for acquiring webpage Trojan sample sets of various Trojan families before detecting traffic data between a server and a client of a target website;
a rule set obtaining subunit, configured to perform cluster analysis on the webpage Trojan horse sample set according to file types to obtain the webpage Trojan horse detection rule set;
and the associated information acquisition subunit is used for performing cluster analysis on the webpage Trojan horse sample sets of each file type according to the families to which the webpage Trojan horse sample sets belong to obtain the associated information of the file types, the families to which the webpage Trojan horse sample sets belong, the position information of the connection passwords and the coding information.
8. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs;
instructions which, when executed by the one or more processors, cause the one or more processors to carry out the method of any one of claims 1-6.
9. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 6.
CN201911094658.2A 2019-11-11 2019-11-11 Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium Active CN110868410B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911094658.2A CN110868410B (en) 2019-11-11 2019-11-11 Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911094658.2A CN110868410B (en) 2019-11-11 2019-11-11 Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110868410A CN110868410A (en) 2020-03-06
CN110868410B true CN110868410B (en) 2022-05-10

Family

ID=69654622

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911094658.2A Active CN110868410B (en) 2019-11-11 2019-11-11 Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110868410B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113297525B (en) * 2021-06-17 2023-12-12 恒安嘉新(北京)科技股份公司 Webpage classification method, device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104468477A (en) * 2013-09-16 2015-03-25 杭州迪普科技有限公司 WebShell detection method and system
CN107104924A (en) * 2016-02-22 2017-08-29 阿里巴巴集团控股有限公司 The verification method and device of website backdoor file
CN108234484A (en) * 2017-12-30 2018-06-29 广东世纪网通信设备股份有限公司 For tracing the wooden horse source traceability system of the computer readable storage medium in wooden horse source and the application medium
CN108322420A (en) * 2017-01-17 2018-07-24 阿里巴巴集团控股有限公司 The detection method and device of backdoor file
CN108366043A (en) * 2017-07-20 2018-08-03 北京安天网络安全技术有限公司 A kind of method and system of detection a word wooden horse

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10454691B2 (en) * 2016-05-24 2019-10-22 Arizona Board Of Regents On Behalf Of Northern Arizona University Systems implementing hierarchical levels of security

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104468477A (en) * 2013-09-16 2015-03-25 杭州迪普科技有限公司 WebShell detection method and system
CN107104924A (en) * 2016-02-22 2017-08-29 阿里巴巴集团控股有限公司 The verification method and device of website backdoor file
CN108322420A (en) * 2017-01-17 2018-07-24 阿里巴巴集团控股有限公司 The detection method and device of backdoor file
CN108366043A (en) * 2017-07-20 2018-08-03 北京安天网络安全技术有限公司 A kind of method and system of detection a word wooden horse
CN108234484A (en) * 2017-12-30 2018-06-29 广东世纪网通信设备股份有限公司 For tracing the wooden horse source traceability system of the computer readable storage medium in wooden horse source and the application medium

Also Published As

Publication number Publication date
CN110868410A (en) 2020-03-06

Similar Documents

Publication Publication Date Title
CN108768943B (en) Method and device for detecting abnormal account and server
US9749341B2 (en) Method, device and system for recognizing network behavior of program
US8805995B1 (en) Capturing data relating to a threat
CN112468520B (en) Data detection method, device and equipment and readable storage medium
CN109862003B (en) Method, device, system and storage medium for generating local threat intelligence library
CN108965267B (en) Network attack processing method and device and vehicle
CN111163095B (en) Network attack analysis method, network attack analysis device, computing device, and medium
CN108134816B (en) Access to data on remote device
CN110888838A (en) Object storage based request processing method, device, equipment and storage medium
CN116303290B (en) Office document detection method, device, equipment and medium
CN110808997B (en) Method and device for remotely obtaining evidence of server, electronic equipment and storage medium
CN109818972B (en) Information security management method and device for industrial control system and electronic equipment
CN109688096B (en) IP address identification method, device, equipment and computer readable storage medium
CN110868410B (en) Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium
CN112685255A (en) Interface monitoring method and device, electronic equipment and storage medium
CN111262842B (en) Webpage tamper-proofing method and device, electronic equipment and storage medium
CN113709136B (en) Access request verification method and device
CN113037784B (en) Flow guiding method and device and electronic equipment
CN107995167B (en) Equipment identification method and server
CN116028917A (en) Authority detection method and device, storage medium and electronic equipment
CN113839912B (en) Method, device, medium and equipment for analyzing abnormal host by active and passive combination
CN109714371B (en) Industrial control network safety detection system
CN111371745B (en) Method and apparatus for determining SSRF vulnerability
CN114221797A (en) External network access method, device, equipment and readable storage medium
CN117640159A (en) Abnormal access detection method, device, equipment, medium and program product

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant