CN111177722A - Webshell file detection method and device, server and storage medium - Google Patents


Info

Publication number: CN111177722A
Authority: CN (China)
Prior art keywords: web service; web; file; service process; webshell
Legal status: Pending
Application number: CN201911026014.XA
Other languages: Chinese (zh)
Inventor: 黄兆楠
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Abstract

The invention provides a webshell file detection method, a webshell file detection device, a server and a storage medium. In this scheme, webshell file detection involves no manual participation by operation and maintenance personnel and the whole process is executed automatically, so the efficiency of webshell file detection can be improved.

Description

Webshell file detection method and device, server and storage medium
Technical Field
The invention relates to the technical field of security protection, and in particular to a webshell file detection method, device, server and storage medium.
Background
Now that web systems are very popular, they are the systems attacked most often, and generally more than 90% of attacked web systems have a webshell implanted as the attacker's means of control. A webshell is a command execution environment in the form of a web page file, and may also be called a web page backdoor. After invading a website, an attacker mixes the webshell in with the normal web page files in the web directory of the web service, and can then access the webshell with a browser to obtain a command execution environment and so control the web service. To prevent webshells from posing security threats to web services, webshells need to be detected and deleted in advance.
Currently, webshells are usually detected with web security scanning tools. Because a web security scanning tool cannot automatically identify the web service and the web directory, operation and maintenance personnel generally configure, statically, the path of the web directory of the web service to be scanned, and the tool then traverses and scans the files under that path in a loop.
However, when webshells in a web service are detected in this manner, detection efficiency is low because operation and maintenance personnel must configure the scanning path of the web security scanning tool.
Disclosure of Invention
In view of this, the invention provides a method, a device, a server and a storage medium for detecting a webshell file, so as to improve the efficiency of detecting the webshell file.
In order to achieve the above object, in one aspect, the present application provides a webshell file detection method, where the method includes:
when a preset webshell file detection starting condition is met, scanning a process list on a server, and identifying a web service process;
determining a web home directory list of the web service process based on the web service process;
and detecting the web home directory list, and determining the webshell file in the web home directory list.
In another aspect, the present application further provides a webshell file detection apparatus, where the apparatus includes:
the web service process identification unit is used for scanning a process list on the server and identifying a web service process when a preset webshell file detection starting condition is met;
the web home directory list determining unit is used for determining a web home directory list of the web service process based on the web service process;
and the detection unit is used for detecting the web home directory list and determining the webshell file in the web home directory list.
In another aspect, the present application further provides a server, including:
a processor and a memory;
wherein the processor is configured to execute a program stored in the memory;
the memory is to store a program to at least:
when a preset webshell file detection starting condition is met, scanning a process list on a server, and identifying a web service process;
determining a web home directory list of the web service process based on the web service process;
and detecting the web home directory list, and determining the webshell file in the web home directory list.
In still another aspect, the present application further provides a storage medium, where computer-executable instructions are stored, and when the computer-executable instructions are loaded and executed by a processor, the webshell file detection method as described above is implemented.
As can be seen from the above technical solution, compared with the prior art, the present application provides a webshell file detection method, device, server and storage medium. In this scheme, webshell file detection involves no manual participation by operation and maintenance personnel and the whole process is executed automatically, so the efficiency of webshell file detection can be improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic diagram of an architecture of a webshell file detection system according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a server according to an embodiment of the present invention;
fig. 3 is a flowchart of a webshell file detection method according to an embodiment of the present invention;
fig. 4 is a flowchart of another webshell file detection method according to an embodiment of the present invention;
fig. 5 is a schematic diagram of an application example of the webshell file detection method provided in the embodiment of the present invention;
fig. 6 is a schematic diagram of an interaction flow of each part in webshell file detection software according to an embodiment of the present invention;
fig. 7 is a block diagram of a webshell file detection apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
For ease of understanding, the constituent architecture of the system to which the solution of the present invention is applied will be described. For example, referring to fig. 1, a schematic diagram of an architecture of the webshell file detection system of the present invention is shown.
As shown in fig. 1, the webshell file detection system includes a client 10, a network 11, and a server 12. The network 11 serves as a medium for providing communication links between the clients 10 and the server 12. Network 11 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The client 10 interacts with the server 12 through the network 11 to receive or send a message or the like, for example, an operation and maintenance person may send a webshell file detection start instruction to the server 12 through the client 10.
The client 10 may be hardware or software. When the client 10 is hardware, it can be various electronic devices, including but not limited to smart phones, tablet computers, ultra-mobile personal computers (UMPC), netbooks, Personal Digital Assistants (PDA), laptop portable computers, desktop computers, and other electronic devices. When the client 10 is software, it can be installed in the electronic devices listed above. It may be implemented as multiple pieces of software or software modules (e.g., to provide distributed services) or as a single piece of software or software module. The embodiment of the present invention does not set any limit to the specific type of the electronic device.
The server 12 may be a server providing various services, for example, a background server providing a webshell file detection service and at least one web service for the client 10. The background server may respond to a webshell file detection start instruction sent by the client, perform the operation according to that start instruction, obtain an operation result (a webshell file detection result corresponding to each web service), and return the operation result to the client.
The server may be hardware or software. When the server is hardware, it may be implemented as a distributed server cluster formed by multiple servers, or as a single server. When the server is software, it may be implemented as multiple pieces of software or software modules (e.g., to provide distributed services), or as a single piece of software or software module. This is not specifically limited here.
It should be noted that the webshell file detection method provided in the embodiment of the present invention is generally executed by the server 12, and accordingly, the webshell file detection apparatus is generally disposed in the server 12.
It should be understood that the number of clients, networks, and servers in FIG. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
To facilitate understanding of the hardware configuration of the client and the server, the server is described as an example. Referring to fig. 2, which shows a schematic structural diagram of a server according to the present invention, the application server 200 of this embodiment may include: a processor 201, a memory 202, a communication interface 203, an input unit 204, a display 205 and a communication bus 206.
The processor 201, the memory 202, the communication interface 203, the input unit 204 and the display 205 are all communicated with each other through a communication bus 206.
In the embodiment of the present invention, the processor 201 may be a Central Processing Unit (CPU), an application-specific integrated circuit (ASIC), a digital signal processor, a field-programmable gate array (FPGA) or another programmable logic device.
The processor may call a program stored in the memory 202. Specifically, the processor may perform operations performed by the server side in the following embodiments of the webshell file detection method.
The memory 202 is used for storing one or more programs, which may include program codes including computer operation instructions, and in the embodiment of the present invention, the memory stores at least the programs for realizing the following functions:
when a preset webshell file detection starting condition is met, scanning a process list on a server, and identifying a web service process;
determining a web home directory list of the web service process based on the web service process;
and detecting the web home directory list, and determining the webshell file in the web home directory list.
In one possible implementation, the memory 202 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data created during use of the computer, such as user data, user access data, audio data, and the like.
Further, the memory 202 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device or other volatile solid state storage device.
The communication interface 203 may be an interface of a communication module, such as an interface of a GSM module.
The present invention may also include a display 204 and an input unit 205, and the like.
Of course, the structure of the server shown in fig. 2 does not limit the server in the embodiment of the present invention; in practical applications the server may include more or fewer components than those shown in fig. 2, or may combine some components.
It will be appreciated that the hardware components of the client and server are similar, differing only in the operations performed by the processor in the client and the programs stored in the memory.
The webshell file detection method provided by the embodiment of the invention is introduced from the perspective of a server.
Fig. 3 is a flowchart of a webshell file detection method provided in an embodiment of the present invention, where the method is applicable to a server, and referring to fig. 3, the method may include:
S301: When a preset webshell file detection starting condition is met, scan a process list on the server and identify the web service process.
In this embodiment, webshell file detection may be started by operation and maintenance personnel, or a webshell file detection starting condition may be preset (for example, starting at a preset time point, or executing cyclically at a preset time period), in which case detection starts automatically when the preset condition is met. Once started, the method automatically scans the process list on the server and identifies the web service process. Note that in this embodiment, a process in the server's process list that matches a mainstream web service program (for example, apache, nginx, tomcat, tomcat_jsvc, lighttpd, qzttp, resin, jboss, glassfish, IIS) is a web service process.
Note further that a single scan may find that the process list on the server contains no web service process. Because a user may install a web service on the server at any time, the process list may be scanned cyclically at a preset time period so that the web service is identified as soon as possible.
S302: based on the web service process, a web home directory list of the web service process is determined.
In this embodiment, the process list on the server may include one web service process or may include a plurality of web service processes. For each web service process, a web home directory list for the service process may be determined based on the web service process. How to determine the web home directory list of the service process based on the web service process will be described in detail by the following embodiments.
S303: Detect the web home directory list, and determine the webshell file in the web home directory list.
In this embodiment, the web home directory list of each web service process may be detected, and the webshell file in that web home directory list determined.
Note that the web home directory list may or may not contain a webshell file at a given moment, but an attacker may add a webshell file to it at any time. In this embodiment, therefore, the web home directory list may be detected cyclically at a preset time interval, to ensure that a webshell file in the list can be detected.
However, the web home directory list contains a large number of files. If every file in the list is checked on each pass, detection efficiency inevitably suffers and a newly added webshell file cannot be detected in time. Therefore, in this embodiment, after the web home directory list has been detected and the webshell file in it determined, the web home directory list may also be monitored to obtain the newly added files in it; the newly added files are then detected and the webshell files among them determined, so that newly added webshell files can be detected in time.
This embodiment provides a webshell file detection method that first identifies the web service process by automatically scanning the process list on the server, then automatically determines the web home directory list of the web service process based on that process, and finally detects the web home directory list to determine the webshell file in it. With this method, webshell file detection involves no manual participation by operation and maintenance personnel and the whole process is executed automatically, so the efficiency of webshell file detection can be improved.
Fig. 4 is a flowchart of another webshell file detection method provided in an embodiment of the present invention, where the method is applicable to a server, and referring to fig. 4, the method may include:
S401: When a preset webshell file detection starting condition is met, scan a process list on the server and acquire the process name of each process in the process list.
S402: Match the process name of each process against preset web service process names; if the match succeeds, determine that the process is a web service process.
In this step, after the process names of the processes in the process list are obtained, each process name is matched against the names of mainstream web service programs (such as apache, nginx, tomcat, tomcat_jsvc, lighttpd, qzttp, resin, jboss, glassfish, IIS, and the like); if the match succeeds, the process with that name is determined to be a web service process. If no name matches, the scan may be repeated at the next preset time point or after the next preset time period until a process name matches, and the subsequent steps are then performed. Regular rescanning makes it possible to identify a web service as soon as it is installed on the machine, which improves the timeliness of webshell file detection.
S403: Identify the type of the current web service according to the process name of the web service process.
In this step, the web service type corresponding to the web service process may be identified from the process name of the web service process, where the web service types include apache, nginx, tomcat, tomcat_jsvc, lighttpd, qzttp, resin, jboss, glassfish, IIS, and the like. As one possible implementation, if the process name of the web service process matches (is the same as or similar to) the process name of a web service process of a known web service type, the type of the current web service is determined to be that known web service type.
S404: Acquire the configuration file of the web service according to the process information of the web service process.
In this step, the path of the configuration file of the web service process may be obtained from the process information of the web service process; the configuration file of the web service is then acquired from that path.
As one implementation, obtaining the path of the configuration file of the web service process according to the process information of the web service process includes: acquiring the path of the configuration file of the web service process from the start parameters of the web service process. This implementation applies when the configuration file of the web service process is explicitly specified by a process start parameter when the web service process is started.
As another implementation, obtaining the path of the configuration file of the web service process according to the process information of the web service process includes: acquiring a partial fixed path of the configuration file of the web service process; acquiring a relative offset path of the configuration file of the web service process; and acquiring the path of the configuration file of the web service process from the partial fixed path and the relative offset path.
This implementation applies when the configuration file of the web service process is not explicitly specified by a process start parameter when the web service process is started. The relative offset path may be the process start path, the binary file path, or a path specified by a specific character string in the binary file. In this implementation, the configuration file path of the web service process is obtained by combining the partial fixed path and the relative offset path.
Examples are as follows: the apache type web services binary file path is /usr/local/apache/bin, plus a fixed offset path: and if the configuration file path of the acquired web service process is /usr/local/apache/conf/httpd.
S405: Parse the configuration file of the web service process according to the type of the web service to obtain the web home directory list of the web service process.
Note that different web service types use different configuration file formats; in this embodiment, the configuration file of the web service process is parsed according to the type of the web service to obtain the web home directory list of the web service process.
S406: Traverse all the files in the web home directory list at a preset time interval, match the file name and/or the file content of each file against preset webshell detection rules, and if the match succeeds, determine that the file is a webshell file.
Note that the preset webshell detection rules in this step may be extracted from a preset webshell detection policy file.
Note further that after a file is determined to be a webshell file, its file information may be reported and an early warning given, so that operation and maintenance personnel can handle the file in time.
S407: Monitor the web home directory list to obtain the newly added files in it; match the file name and/or the file content of each newly added file against the preset webshell detection rules, and if the match succeeds, determine that the newly added file is a webshell file.
In this step, the web home directory list may be added to a monitoring list provided by the operating system of the server in order to monitor it. When the operating system of the server is Linux, the monitoring list uses the inotify mechanism; when it is Windows, the monitoring list uses the USN mechanism.
Note that steps S401 to S407 may be executed automatically and repeatedly on a timer, so as to monitor the server for webshell files without interruption.
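The flow of steps S401 to S407 as an added example (not code from the patent): process records are matched by name, the configuration path comes from the start parameters or from the binary path plus an offset, the web home directories are parsed out of the configuration, and their files are matched against rules. The process-name mapping, offsets, directive patterns, the two rules and the sample host are assumptions constructed for illustration, and a modification-time filter stands in for inotify/USN monitoring.

```python
import os
import re
import stat

# S402/S403: process name -> web service type. nginx and apache are named on
# the page; "httpd"/"apache2" as Apache process names is an assumption here.
WEB_SERVICES = {"nginx": "nginx", "httpd": "apache", "apache2": "apache"}
# S404: start parameter naming the config file, and the fallback offset from
# the binary's directory (assumed default layouts, not taken from the patent).
CONFIG_FLAG = {"nginx": "-c", "apache": "-f"}
CONFIG_OFFSET = {"nginx": "../conf/nginx.conf", "apache": "../conf/httpd.conf"}
# S405: directive that declares a web home directory, per service type.
ROOT_DIRECTIVE = {
    "nginx": re.compile(r"^\s*root\s+([^;#]+);", re.M),
    "apache": re.compile(r'^\s*DocumentRoot\s+"?([^"\n]+?)"?\s*$', re.M | re.I),
}
# S406: constructed detection rules, one on content and one on file name.
RULES = [
    ("php-eval-request", "content", re.compile(rb"eval\s*\(\s*\$_(POST|GET|REQUEST)\b")),
    ("double-extension", "name", re.compile(r"\.(php|jsp|asp)\.(jpg|png|gif)$", re.I)),
]

def identify_web_processes(procs):
    """S401-S403: keep processes whose name matches a known web service."""
    return [dict(p, type=WEB_SERVICES[p["name"]])
            for p in procs if p["name"] in WEB_SERVICES]

def config_path(proc):
    """S404: path from the start parameters, else binary directory + offset."""
    flag, args = CONFIG_FLAG[proc["type"]], proc["cmdline"]
    if flag in args and args.index(flag) + 1 < len(args):
        return os.path.normpath(args[args.index(flag) + 1])
    return os.path.normpath(os.path.join(
        os.path.dirname(proc["exe"]), CONFIG_OFFSET[proc["type"]]))

def web_home_dirs(proc):
    """S405: parse the configuration file according to the service type."""
    try:
        with open(config_path(proc), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return []  # config unreadable: nothing to scan for this process
    found = ROOT_DIRECTIVE[proc["type"]].findall(text)
    return sorted({os.path.normpath(d.strip()) for d in found})

def match_rules(path, max_bytes=1 << 20):
    """Match the file name and the first max_bytes of content against RULES."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    return [rid for rid, kind, rx in RULES
            if rx.search(data if kind == "content" else os.path.basename(path))]

def scan(dirs, since=0.0):
    """S406 traversal; since > 0 checks only files modified after that time,
    a polling stand-in for the inotify/USN monitoring of S407."""
    findings = {}
    for root in dirs:
        for base, _subdirs, files in os.walk(root):
            for path in (os.path.join(base, f) for f in files):
                try:
                    st = os.lstat(path)
                    # Regular files only: never follow a symlink out of the root.
                    if stat.S_ISREG(st.st_mode) and st.st_mtime > since:
                        hits = match_rules(path)
                        if hits:
                            findings[path] = hits
                except OSError:
                    continue  # vanished or unreadable: skip, keep scanning
    return findings

def build_demo(base):
    """Constructed sample host: two configs, two web roots, three files."""
    a, b = os.path.join(base, "srv", "a"), os.path.join(base, "srv", "b")
    files = {
        "etc/nginx/nginx.conf": "server {\n  # root /old;\n  root %s;\n}\n" % a,
        "opt/httpd/conf/httpd.conf": 'DocumentRoot "%s"\n' % b,
        "srv/a/index.php": "<?php echo 'hello'; ?>\n",
        "srv/a/upload/x.php": "<?php eval($_POST['k']); ?>\n",  # content hit
        "srv/b/logo.php.jpg": "not an image\n",                 # name hit
    }
    for rel, text in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return [  # constructed process records: name, start parameters, binary
        {"name": "sshd", "cmdline": ["sshd", "-D"], "exe": "/usr/sbin/sshd"},
        {"name": "nginx", "exe": "/usr/sbin/nginx",
         "cmdline": ["nginx", "-c", os.path.join(base, "etc/nginx/nginx.conf")]},
        {"name": "httpd", "cmdline": ["httpd", "-k", "start"],
         "exe": os.path.join(base, "opt/httpd/bin/httpd")},
    ]

def run_pipeline(procs):
    """S401-S406 end to end: returns (web home directories, findings)."""
    web = identify_web_processes(procs)
    dirs = sorted({d for p in web for d in web_home_dirs(p)})
    return dirs, scan(dirs)
```

Calling `run_pipeline(build_demo(tmpdir))` on an empty temporary directory exercises the whole flow; on a real Linux host the process records would be filled from `/proc/<pid>/comm`, `cmdline` and `exe`.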
This embodiment provides a webshell file detection method based on the web service process. It solves the shortcomings of the traditional scheme, which cannot automatically identify the web directory, cannot automatically identify web services and changes to the web directory, and cannot detect newly added webshells in real time. The beneficial effects of the method can be summarized as follows:
(1) Strong fault tolerance and operability: when the program is deployed, it can be started directly without human intervention to configure the web directory; when the web directory is changed, added, deleted and so on, the monitored directory list is identified and updated automatically without human intervention;
(2) Strong real-time performance: the method supports cyclic polling scans, which makes it easy to discover historical webshells, and also supports directory monitoring (the inotify mechanism on Linux, the USN mechanism on Windows). Changes to directories and files under the web directory are discovered in real time, changed files are scanned promptly, and a newly added webshell can be detected in real time, so malicious intrusion is discovered more quickly.
On the basis of the above embodiments, the present application further provides an application example of the webshell file detection method, in which the webshell file detection method is abstracted into webshell file detection software which can be deployed in a server, as shown in fig. 5, the software includes five major parts, namely a web service scanner, a web configuration parser, a web directory polling detector, a web directory real-time monitor, and a webshell rule parser.
Based on the above, the present application also provides an interaction flow of each part in webshell file detection software, which is specifically shown in fig. 6:
S601: the web service scanner discovers web services and extracts the web service configuration file path;
S602: the web configuration parser parses the web service configuration file and extracts the web service home directory list;
S603: the web directory polling detector cyclically polls and detects all files in the web home directory;
S604: the web directory real-time monitor monitors the web home directory list using the directory change monitoring mechanism provided by the operating system, and detects changed files in the web home directory list in real time;
S605: the webshell rule matcher performs rule matching on the files detected by the web directory polling detector and the web directory real-time monitor, and performs early warning and reporting.
In the following, the webshell file detection apparatus provided by the embodiment of the present invention is introduced, and the webshell file detection apparatus described below may be referred to in correspondence with a webshell file detection method.
Fig. 7 is a block diagram of a webshell file detection apparatus provided in an embodiment of the present invention, where the apparatus may specifically be a server, and referring to fig. 7, the apparatus may include:
the web service process identification unit 71 is configured to scan a process list on the server and identify a web service process when a preset webshell file detection start condition is met;
a web home directory list determining unit 72, configured to determine a web home directory list of the web service process based on the web service process;
and the detecting unit 73 is configured to detect the web home directory list, and determine a webshell file in the web home directory list.
As an implementable manner, the web service process identifying unit 71 includes:
a process name obtaining subunit, configured to obtain a process name of each process in the process list;
and the process name matching subunit is used for matching the process name of each process with a preset web service process name, and if the matching is successful, determining that each process is a web service process.
As an implementable manner, the web home directory list determining unit 72 includes:
the web service type identification subunit is used for identifying the type of the current web service according to the process name of the web service process;
the path acquisition subunit is used for acquiring the path of the configuration file of the web service process according to the process information of the web service process;
the configuration file acquisition subunit of the web service is used for acquiring the configuration file of the web service according to the path of the configuration file of the web service process;
and the configuration file analysis subunit is used for analyzing the configuration file of the web service process according to the type of the web service to obtain a web home directory list of the web service process.
As an implementable manner, the path obtaining subunit of the configuration file of the web service process is specifically configured to:
and acquiring a path of a configuration file of the web service process according to the starting parameters of the web service process.
As an implementable manner, the path obtaining subunit of the configuration file of the web service process is specifically configured to:
acquiring a part of fixed path of the configuration file of the web service process;
acquiring a relative offset path of a configuration file of the web service process;
and acquiring the path of the configuration file of the web service process according to the part of the fixed path and the relative offset path.
As an implementation manner, the detection unit is specifically configured to perform the following processing at preset time intervals:
and traversing all the files in the web home directory list, matching the file name and/or the file content of each file with a preset webshell detection rule, and if the matching is successful, determining that the file is a webshell file.
In one implementation, the detection unit is further specifically configured to monitor the web home directory list and obtain any newly added file in the web home directory list;
and to match the file name and/or file content of the newly added file against a preset webshell detection rule, and, if the match succeeds, determine that the newly added file is a webshell file.
It should be noted that the specific function implementation of each unit has been described in detail in the foregoing embodiments and is not repeated here.
In another aspect, an embodiment of the present application further provides a storage medium storing computer-executable instructions which, when loaded and executed by a processor, implement the webshell file detection method executed by the server in any of the above embodiments.
It should be noted that the embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Because the apparatus embodiments are basically similar to the method embodiments, they are described briefly; for relevant details, refer to the corresponding description of the method embodiments.
Finally, it should also be noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make various modifications and improvements without departing from the principle of the present invention, and these modifications and improvements should also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A webshell file detection method, characterized by comprising the following steps:
when a preset webshell file detection start condition is met, scanning a process list on a server and identifying a web service process;
determining a web home directory list of the web service process based on the web service process;
and performing detection on the web home directory list and determining the webshell files in the web home directory list.
2. The method of claim 1, wherein scanning a process list on a server and identifying a web service process comprises:
acquiring the process name of each process in the process list;
and matching the process name of each process against preset web service process names, and, if the match succeeds, determining that the process is a web service process.
3. The method of claim 1, wherein determining a web home directory list of the web service process based on the web service process comprises:
identifying the type of the current web service according to the process name of the web service process;
acquiring the path of the configuration file of the web service process according to the process information of the web service process;
acquiring the configuration file of the web service according to the path of the configuration file of the web service process;
and parsing the configuration file of the web service process according to the type of the web service to obtain the web home directory list of the web service process.
4. The method of claim 3, wherein acquiring the path of the configuration file of the web service process according to the process information of the web service process comprises:
acquiring the path of the configuration file of the web service process according to the startup parameters of the web service process.
5. The method of claim 3, wherein acquiring the path of the configuration file of the web service process according to the process information of the web service process comprises:
acquiring a partial fixed path of the configuration file of the web service process;
acquiring a relative offset path of the configuration file of the web service process;
and acquiring the path of the configuration file of the web service process according to the partial fixed path and the relative offset path.
6. The method of claim 1, wherein performing detection on the web home directory list and determining the webshell files in the web home directory list comprises:
performing the following processing at a preset time interval:
traversing all files in the web home directory list, matching the file name and/or file content of each file against a preset webshell detection rule, and, if the match succeeds, determining that the file is a webshell file.
7. The method of claim 6, wherein performing detection on the web home directory list and determining the webshell files in the web home directory list further comprises:
monitoring the web home directory list to obtain any newly added file in the web home directory list;
and matching the file name and/or file content of the newly added file against a preset webshell detection rule, and, if the match succeeds, determining that the newly added file is a webshell file.
8. A webshell file detection apparatus, the apparatus comprising:
a web service process identification unit, configured to scan a process list on a server and identify a web service process when a preset webshell file detection start condition is met;
a web home directory list determining unit, configured to determine a web home directory list of the web service process based on the web service process;
and a detection unit, configured to perform detection on the web home directory list and determine the webshell files in the web home directory list.
9. A server, comprising:
a processor and a memory;
wherein the processor is configured to execute a program stored in the memory;
the memory is configured to store a program, the program being used at least to:
when a preset webshell file detection start condition is met, scan a process list on a server and identify a web service process;
determine a web home directory list of the web service process based on the web service process;
and perform detection on the web home directory list and determine the webshell files in the web home directory list.
10. A storage medium having stored thereon computer-executable instructions which, when loaded and executed by a processor, carry out the webshell file detection method of any of claims 1 to 7.
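The steps recited in claims 2 to 5 (and performed by the corresponding subunits of the apparatus embodiment) can be sketched as follows. This is an added example, not code from the patent: the process names, the use of the nginx `-c` and httpd `-f` startup flags, the reading of "partial fixed path plus relative offset path" as install prefix plus default config offset, and the sample process list and config text are all assumptions constructed for illustration.

```python
import posixpath
import re

# Assumed per-type table (not from the patent): process names, the startup flag
# naming the config file, the default config's offset from the install prefix,
# and a regex for the directive that declares a web root.
WEB_SERVICES = {
    "nginx": {"names": {"nginx"}, "flag": "-c", "offset": "conf/nginx.conf",
              "root_re": re.compile(r"^\s*root\s+([^;#]+);", re.M)},
    "apache": {"names": {"httpd", "apache2"}, "flag": "-f", "offset": "conf/httpd.conf",
               "root_re": re.compile(r'^\s*DocumentRoot\s+"?([^"\s#]+)"?', re.M)},
}

def identify_service(proc_name):
    """Match a process name against the preset web service process names."""
    for svc, spec in WEB_SERVICES.items():
        if proc_name in spec["names"]:
            return svc
    return None

def config_path(svc, exe, argv):
    """Use the startup parameter if present, else fixed part + relative offset."""
    spec = WEB_SERVICES[svc]
    if spec["flag"] in argv[:-1]:
        return argv[argv.index(spec["flag"]) + 1]
    prefix = posixpath.dirname(posixpath.dirname(exe))  # <prefix>/sbin/nginx -> <prefix>
    return posixpath.join(prefix, spec["offset"])

def web_home_dirs(processes, read_config):
    """Parse each web process's config and return the web home directory list."""
    dirs = []
    for p in processes:
        svc = identify_service(p["name"])
        if svc is None:
            continue
        text = read_config(config_path(svc, p["exe"], p["argv"])) or ""
        dirs += [m.group(1).strip() for m in WEB_SERVICES[svc]["root_re"].finditer(text)]
    return list(dict.fromkeys(dirs))  # de-duplicate, keep first-seen order

# Constructed sample data: a process list snapshot and two config files.
CONFIGS = {
    "/etc/nginx/site.conf": "server {\n  root /srv/www/shop;\n  # root /tmp/old;\n}\n",
    "/usr/local/apache2/conf/httpd.conf": 'DocumentRoot "/var/www/html"\n',
}
PROCS = [
    {"name": "nginx", "exe": "/usr/sbin/nginx", "argv": ["nginx", "-c", "/etc/nginx/site.conf"]},
    {"name": "httpd", "exe": "/usr/local/apache2/bin/httpd", "argv": ["httpd", "-k", "start"]},
    {"name": "sshd", "exe": "/usr/sbin/sshd", "argv": ["sshd", "-D"]},
]
```

`web_home_dirs(PROCS, CONFIGS.get)` returns `['/srv/www/shop', '/var/www/html']`; the commented-out root is skipped and `sshd` is ignored. The sketch does not follow `include` directives, so a scanner built this way would miss web roots declared in included files unless the parser is extended to resolve them.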
CN201911026014.XA 2019-10-25 2019-10-25 Webshell file detection method and device, server and storage medium Pending CN111177722A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911026014.XA CN111177722A (en) 2019-10-25 2019-10-25 Webshell file detection method and device, server and storage medium

Publications (1)

Publication Number Publication Date
CN111177722A true CN111177722A (en) 2020-05-19

Family

ID=70653683

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911026014.XA Pending CN111177722A (en) 2019-10-25 2019-10-25 Webshell file detection method and device, server and storage medium

Country Status (1)

Country Link
CN (1) CN111177722A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112118089A (en) * 2020-09-18 2020-12-22 广州锦行网络科技有限公司 Webshell monitoring method and system
CN113660259A (en) * 2021-08-13 2021-11-16 杭州安恒信息技术股份有限公司 Webshell detection method, system, computer and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination