CN110909350A - Method for remotely and accurately identifying WebShell backdoor - Google Patents
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/951—Indexing; Web crawling techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/955—Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
- G06F16/9566—URL specific, e.g. using aliases, detecting broken or misspelled links
Abstract
The invention relates to a method for remotely and accurately identifying a WebShell backdoor. The method obtains all WebShell file paths in the website to be detected, then completes and detects them using a standard dictionary. If a path is a WebShell backdoor, an alarm is raised directly; otherwise the path is placed in a suspicious list and guess logins are attempted one by one. If a login succeeds, an alarm is raised and the path is identified as a WebShell backdoor; otherwise the current path is discarded and filtered. In this method, a crawler crawls all web page resources of the target website, site-wide matching is performed against common WebShell backdoor paths, and a WebShell backdoor rule base is used to match whether a backdoor exists. The WebShell backdoor is identified accurately and remotely, suspected WebShells are identified by brute-force guess login, and multi-dimensional feature matching identifies the WebShell backdoor accurately, which enriches web page backdoor inspection methods and improves the WebShell backdoor detection rate.
Description
Technical Field
The invention relates to the technical field of digital information transmission, such as telegraph communication, and in particular to a method for remotely and accurately identifying a WebShell backdoor.
Background
A WebShell is a kind of web backdoor, usually a command execution environment that exists in the form of web page files such as ASP, PHP, JSP or CGI. It is a script attack tool that hackers use to intrude into a website server; through it, the intruder obtains, via the website port, a degree of authority to operate the website server. Because WebShells mostly appear as dynamic scripts, they are also called website backdoor tools.
After a hacker intrudes into a website and obtains authority, backdoor files such as ASP or PHP files are usually mixed with normal web page files under the Web directory of the website server and then accessed through a browser to obtain a command execution environment, which achieves the purpose of controlling the website server. A WebShell backdoor can perform operations including deleting files, renaming files, modifying file contents, downloading files, browsing system drive letters, connecting to intranet databases and executing system commands. It is rich in functions and extremely harmful: once implanted, if it is not discovered and removed as soon as possible, it can continue to perform harmful actions on the target website even after the website's vulnerabilities have been repaired.
Implanting a WebShell backdoor is the simplest and most concealed means of controlling a target website over the long term after a hacker has intruded and obtained authority. On this basis, numerous security products for detecting WebShell backdoors have been derived, such as WebShell scanning and removal software that is deployed locally and analyzes source code, and audit products that analyze traffic to obtain WebShell features and behavior features for judgment.
However, the prior art has the following disadvantages:
(1) all of them need to be deployed in the network environment of the target website, as with local deployment or traffic monitoring and analysis, and cannot be implemented when the network of the target website cannot be reached;
(2) WebShells are mostly written in dynamic languages and are very easy to transform or obfuscate, and the interfaces of some Web servers, such as CGI or Java Servlet, can run compiled binary programs, so local source code auditing has difficulty detecting them and missed reports occur easily;
(3) if the WebShell backdoor was implanted before the traffic monitoring device was deployed and the hacker does not operate the WebShell for a long time, no traffic behavior is generated and detection cannot be performed;
(4) after the network security law is implemented, when units such as supervisory organizations, public security and cyberspace administration authorities perform network-wide inspections, the source code of a target website cannot be obtained and a traffic audit system cannot be deployed in the target network, so the WebShell backdoor cannot be discovered remotely.
Disclosure of Invention
The invention solves the problems in the prior art and provides an optimized method for remotely and accurately identifying the WebShell backdoor.
The technical scheme adopted by the invention is that the method for remotely and accurately identifying the WebShell backdoor comprises the following steps:
Step 1: acquiring all WebShell file paths existing in a website to be detected;
Step 2: completing and detecting all paths by using a standard dictionary; if a path is a WebShell backdoor, giving an alarm, otherwise listing the path in a suspicious list and carrying out the next step;
Step 3: performing guess logins on the paths in the suspicious list; if a login is successful, judging that the path is a WebShell backdoor and giving an alarm, otherwise carrying out the next step;
Step 4: discarding and filtering the current path;
Step 5: if all the paths have been detected, exiting, otherwise returning to step 3.
Preferably, in step 1, the file path includes a URL link of any web page, a link in an attachment, and/or a directory list.
Preferably, in the step 2, the standard dictionary includes a URL dictionary for complementing a file path of the incomplete WebShell and a feature dictionary for complementing features of the WebShell page.
Preferably, the step 2 comprises the steps of:
Step 2.1: matching and completing any path through the URL dictionary;
Step 2.2: attempting a request based on the completed URL link; if the returned response code is 404, filtering the current path and returning to step 2.1, otherwise carrying out the next step;
Step 2.3: matching the data packet returned by the current URL request against the feature dictionary; if the conditions are met, judging the path to be a WebShell backdoor and giving an alarm, otherwise listing it in the suspicious list and performing step 3.
Preferably, in step 2.3, when the current URL request matches the URL dictionary and both the title and the body of the data packet returned by the current URL request match the feature dictionary, the condition is met, the path is judged to be a WebShell backdoor, and an alarm is given.
Preferably, in step 2.3, when one or two of the following are satisfied, the path is listed in the suspicious list: the current URL request matches the URL dictionary; the title of the data packet returned by the current URL request matches the feature dictionary; the body of the data packet returned by the current URL request matches the feature dictionary.
Preferably, in step 2, the standard dictionary further includes a password dictionary for attempting to log in to the WebShell backdoor.
Preferably, in step 3, login parameters are reconstructed for the paths in the suspicious list and login is attempted using the password dictionary; if the login is successful, the path is judged to be a WebShell backdoor and an alarm is given, otherwise step 4 is carried out.
The invention provides an optimized method for remotely and accurately identifying a WebShell backdoor. It acquires all WebShell file paths in the website to be detected, then completes and detects them using a standard dictionary. If a path is a WebShell backdoor, an alarm is raised directly; otherwise the path is listed in a suspicious list and guess logins are attempted one by one. If a login succeeds, an alarm is raised and the path is identified as a WebShell backdoor; otherwise the current path is discarded and filtered.
In this method, a crawler crawls the target website to obtain all web page resources, site-wide matching is performed against a standard dictionary of common WebShell backdoor paths, and a WebShell backdoor rule base is used to match whether a backdoor exists. The method identifies the WebShell backdoor accurately and remotely, identifies suspected WebShells by brute-force guess login, and identifies the WebShell backdoor accurately through multi-dimensional feature matching, thereby enriching web page backdoor inspection methods and improving the WebShell backdoor detection rate.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
The present invention is described in further detail with reference to the following examples, but the scope of the present invention is not limited thereto.
The invention relates to a method for remotely and accurately identifying a WebShell backdoor.
The method comprises the following steps.
Step 1: Acquire all WebShell file paths existing in the website to be detected.
In step 1, the file path includes a URL link of any web page, a link in an attachment, and/or a directory list.
In the invention, a crawler function is used to crawl the file paths of WebShells that may exist in a website; for example, a hacker can upload file names such as WebShell. Of course, a large portion of WebShell file names have been modified, such as the uncommon WebShell name wswbs12.php, or the WebShell has been uploaded through a news-publishing function, such as a jsp appearing on a web page; in that case, although the WebShell address is uncommon, a crawler can still find it in the page. Typically, the crawler function is implemented as a scanner. Because a WebShell has no mutually linked URLs, is hidden, and is an isolated link that cannot be found from known pages, a general crawler cannot crawl it. The method therefore also needs to obtain links uploaded in news attachments through an upload function, and WebShell backdoor links obtained directly from websites with directory listing vulnerabilities. For example, some websites have directory listing vulnerabilities, such as http://demo.aisec.cn/demo/aisec/admin/: accessing this link shows DB_connection.php. When the crawler only follows links, this php file cannot be crawled because no page links to it, but the crawler can find DB_connection.php by trying to access the admin directory, so it is possible to find a hidden WebShell backdoor.
In the invention, the acquired site-wide links are stored in a database.
Step 2: Complete and detect all paths by using a standard dictionary; if a path is a WebShell backdoor, give an alarm, otherwise list the path in a suspicious list and carry out the next step.
In the step 2, the standard dictionary comprises a URL dictionary for complementing file paths of incomplete WebShell and a feature dictionary for complementing features of WebShell pages.
The step 2 comprises the following steps:
Step 2.1: Match and complete any path through the URL dictionary.
Step 2.2: Attempt a request based on the completed URL link; if the returned response code is 404, filter the current path and return to step 2.1, otherwise carry out the next step.
Step 2.3: Match the data packet returned by the current URL request against the feature dictionary; if the condition is met, judge the path to be a WebShell backdoor and give an alarm, otherwise list it in the suspicious list and perform step 3.
In step 2.3, when the current URL request matches the URL dictionary and both the title and the body of the data packet returned by the current URL request match the feature dictionary, the condition is satisfied, the path is judged to be a WebShell backdoor, and an alarm is given.
In step 2.3, when one or two of the following are satisfied, the path is listed in the suspicious list: the current URL request matches the URL dictionary; the title of the data packet returned by the current URL request matches the feature dictionary; the body of the data packet returned by the current URL request matches the feature dictionary.
In step 2, the standard dictionary further includes a password dictionary for attempting to log in to the WebShell backdoor.
In the invention, the WebShell backdoor is usually hidden in a secret directory or exists as an isolated link, so a crawler may not be able to crawl to the file path of the WebShell. The URL dictionary collects default WebShell file names and the WebShell file names commonly used by hackers, so that the crawled links can be completed.
In the invention, completion means that the site-wide links are first crawled by a crawler, and WebShell links that cannot be crawled are then completed using the URL dictionary. For example, 1.php, 2.php and 3.php are accessed after the website address, and if 3.php exists, the link is stored together with the others for further feature analysis. For example, for www.baidu.com, if the URL dictionary contains phpspy.php and heike.php, the dictionary file names are appended to www.baidu.com to obtain www.baidu.com/phpspy.php and www.baidu.com/heike.php.
In the invention, the URL dictionary is a dictionary of WebShell paths that the crawler does not crawl to. For example, phpspy.php is not crawled when the crawler crawls a website, but a hacker has already placed it in the website root directory; the path can be accessed through the URL dictionary. If the path does not exist, the request returns status 404, and if the path exists, the request returns status 200.
In the invention, the feature dictionary refers to features presented by the WebShell page, such as title (title) and body (body).
In the invention, the password dictionary collects common WebShell backdoor login passwords and is used for attempting to log in to the WebShell backdoor. In the detection process, to judge whether an obtained path is a WebShell backdoor, the URL dictionary is used to match and complete suspicious WebShell links that were not crawled by the crawler. The path is then requested; if the returned response code is 404, which indicates that the server cannot normally provide the information, or that the server cannot respond and does not know the reason, the link is treated as a non-WebShell backdoor link and filtered. The data packets returned by all URL requests for paths that exist are matched against the feature dictionary, and a file is a WebShell backdoor if it meets the following 3 characteristics at the same time:
(1) it matches the URL dictionary;
(2) the title of the response data packet returned by the request matches the feature dictionary;
(3) the body of the response data packet returned by the request matches the feature dictionary.
Step 3: Perform guess logins on the paths in the suspicious list; if a login is successful, judge that the path is a WebShell backdoor and give an alarm, otherwise carry out the next step.
In step 3, login parameters are reconstructed for the paths in the suspicious list and login is attempted using the password dictionary; if the login is successful, the path is judged to be a WebShell backdoor and an alarm is given, otherwise step 4 is carried out.
In the invention, if only one or two of the 3 characteristics are met, the file is listed in the suspicious list of suspicious WebShell files and a login to the backdoor file is attempted through brute-force guessing; if the login is successful, the file is a WebShell backdoor file.
In the invention, reconstructing the login parameters of the paths in the suspicious list means the following. Suppose a suspicious path www.baidu.com/hack.php is found and opening it shows a blank page: the title and body do not match the feature dictionary, but the URL dictionary match is satisfied, so the path is suspicious. Login parameters are constructed (a short piece of code containing a password), login with the password is attempted and a command is executed. When the attempted password matches, the command executes successfully, and the blank hack.php page can be judged to be a backdoor page.
Step 4: Discard and filter the current path.
Step 5: If all the paths have been detected, exit; otherwise return to step 3.
The method obtains all WebShell file paths in the website to be detected, then completes and detects them using a standard dictionary. If a path is a WebShell backdoor, an alarm is raised directly; otherwise the path is listed in a suspicious list and guess logins are attempted one by one. If a login succeeds, an alarm is raised; otherwise the current path is discarded and filtered. A crawler crawls the target website to obtain all web page resources, site-wide matching is performed against a standard dictionary of common WebShell backdoor paths, and a WebShell backdoor rule base is used to match whether a backdoor exists. The method identifies the WebShell backdoor accurately and remotely, identifies suspected WebShells by brute-force guess login, and identifies the WebShell backdoor accurately through multi-dimensional feature matching, thereby enriching web page backdoor inspection methods and improving the WebShell backdoor detection rate.
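The triage rule of steps 2.2 and 2.3 (404 filters the path, three matches raise an alarm, one or two matches go to the suspicious list) can be expressed over already-captured responses as follows. This is an added example, not code from the patent: the feature-dictionary markers, the `Response` record and the sample hosts are constructed, the URL dictionary holds only the two file names the description mentions, and treating a path with zero matches as filtered is an assumption because the description does not state that case.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from posixpath import basename
from urllib.parse import urlsplit

# URL dictionary: the two file names the description uses as examples.
URL_DICT = {"phpspy.php", "heike.php"}
# Feature dictionary: constructed placeholder markers, not real signatures.
TITLE_FEATURES = ("example shell console",)
BODY_FEATURES = ("example-shell-panel", "example-file-manager")


@dataclass
class Response:
    """One captured HTTP response (hypothetical record type)."""
    url: str
    status: int
    html: str


class _PageText(HTMLParser):
    """Split a page into its <title> text and everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_title = False
        self.title = []
        self.body = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        # Attribute values (ids, form field names) count as body content.
        self.body.extend(value for _, value in attrs if value)

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        (self.title if self.in_title else self.body).append(data)


def features(resp):
    """Return the three step-2.3 match flags for one response."""
    parser = _PageText()
    parser.feed(resp.html)
    parser.close()
    title = " ".join("".join(parser.title).split()).lower()
    body = " ".join(parser.body).lower()
    name = basename(urlsplit(resp.url).path).lower()
    return {
        "url": name in URL_DICT,
        "title": any(f in title for f in TITLE_FEATURES),
        "body": any(f in body for f in BODY_FEATURES),
    }


def classify(resp):
    """Steps 2.2 and 2.3: return 'filtered', 'alarm' or 'suspicious'."""
    if resp.status == 404:
        return "filtered"      # step 2.2: path does not exist
    hits = sum(features(resp).values())
    if hits == 3:
        return "alarm"         # URL, title and body all match
    if hits in (1, 2):
        return "suspicious"    # partial match: handed to step 3
    return "filtered"          # assumption: no match at all is dropped


def triage(responses):
    """Group response URLs by classification result."""
    result = {"alarm": [], "suspicious": [], "filtered": []}
    for resp in responses:
        result[classify(resp)].append(resp.url)
    return result


# Constructed sample responses; site.example is a placeholder host.
SAMPLES = [
    Response("http://site.example/index.php", 200,
             "<html><title>Home</title><body>Welcome</body></html>"),
    Response("http://site.example/phpspy.php", 404, "Not found"),
    Response("http://site.example/upload/heike.php", 200, ""),
    Response("http://other.example/phpspy.php", 200,
             "<html><head><title>Example Shell  Console</title></head>"
             "<body><div id='example-shell-panel'></div></body></html>"),
    Response("http://site.example/news/a1.php", 200,
             "<title>example shell console</title><p>hello</p>"),
]

if __name__ == "__main__":
    for label, urls in triage(SAMPLES).items():
        print(label, urls)
```

The blank `heike.php` page lands in the suspicious list on its URL match alone, which is the case the description walks through with a blank page whose title and body match nothing.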
Claims (8)
1. A method for remotely and accurately identifying a WebShell backdoor, characterized in that the method comprises the following steps:
Step 1: acquiring all WebShell file paths existing in a website to be detected;
Step 2: completing and detecting all paths by using a standard dictionary; if a path is a WebShell backdoor, giving an alarm, otherwise listing the path in a suspicious list and carrying out the next step;
Step 3: performing guess logins on the paths in the suspicious list; if a login is successful, judging that the path is a WebShell backdoor and giving an alarm, otherwise carrying out the next step;
Step 4: discarding and filtering the current path;
Step 5: if all the paths have been detected, exiting, otherwise returning to step 3.
2. The method for remotely and accurately identifying the WebShell backdoor as claimed in claim 1, wherein: in step 1, the file path includes a URL link of any web page, a link in an attachment, and/or a directory list.
3. The method for remotely and accurately identifying the WebShell backdoor as claimed in claim 1, wherein: in the step 2, the standard dictionary comprises a URL dictionary for complementing file paths of incomplete WebShell and a feature dictionary for complementing features of WebShell pages.
4. The method for remotely and accurately identifying the WebShell backdoor as claimed in claim 3, wherein: the step 2 comprises the following steps:
Step 2.1: matching and completing any path through the URL dictionary;
Step 2.2: attempting a request based on the completed URL link; if the returned response code is 404, filtering the current path and returning to step 2.1, otherwise carrying out the next step;
Step 2.3: matching the data packet returned by the current URL request against the feature dictionary; if the conditions are met, judging the path to be a WebShell backdoor and giving an alarm, otherwise listing it in the suspicious list and performing step 3.
5. The method for remotely and accurately identifying the WebShell backdoor as claimed in claim 4, wherein: in step 2.3, when the current URL request matches the URL dictionary and both the title and the body of the data packet returned by the current URL request match the feature dictionary, the condition is satisfied, the path is judged to be a WebShell backdoor, and an alarm is given.
6. The method for remotely and accurately identifying the WebShell backdoor as claimed in claim 4, wherein: in the step 2.3, when one or two items of matching between the current URL request and the URL dictionary, matching between the title of the data packet returned by the current URL request and the feature dictionary, and matching between the main body of the data packet returned by the current URL request and the feature dictionary are satisfied, the data packet is listed in the suspicious list.
7. The method for remotely and accurately identifying the WebShell backdoor as claimed in claim 1, wherein: in step 2, the standard dictionary further includes a password dictionary for attempting to log in to the WebShell backdoor.
8. The method for remotely and accurately identifying the WebShell backdoor as claimed in claim 7, wherein: in step 3, login parameters are reconstructed for the paths in the suspicious list and login is attempted using the password dictionary; if the login is successful, the path is judged to be a WebShell backdoor and an alarm is given, otherwise step 4 is carried out.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911123265.XA CN110909350B (en) | 2019-11-16 | 2019-11-16 | Method for remotely and accurately identifying WebShell backdoor |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110909350A | 2020-03-24 |
CN110909350B | 2022-02-11 |
Family
ID=69816738
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911123265.XA Active CN110909350B (en) | 2019-11-16 | 2019-11-16 | Method for remotely and accurately identifying WebShell backdoor |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110909350B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN110909350B (en) | 2022-02-11 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||