CN113434861B - WebShell detection method and system - Google Patents

WebShell detection method and system Download PDF

Info

Publication number
CN113434861B
CN113434861B CN202110985872.8A CN202110985872A CN113434861B CN 113434861 B CN113434861 B CN 113434861B CN 202110985872 A CN202110985872 A CN 202110985872A CN 113434861 B CN113434861 B CN 113434861B
Authority
CN
China
Prior art keywords
dynamic script
file
script file
decryption
successful
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110985872.8A
Other languages
Chinese (zh)
Other versions
CN113434861A (en
Inventor
覃锦端
刘隽良
柳遵梁
刘聪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Meichuang Technology Co ltd
Original Assignee
Hangzhou Meichuang Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Meichuang Technology Co ltd filed Critical Hangzhou Meichuang Technology Co ltd
Priority to CN202110985872.8A priority Critical patent/CN113434861B/en
Publication of CN113434861A publication Critical patent/CN113434861A/en
Application granted granted Critical
Publication of CN113434861B publication Critical patent/CN113434861B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/563Static detection by source code analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Bioethics (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention discloses a WebShell detection method and a WebShell detection system. The method comprises the following steps: deploying an encryption tool and a decryption tool; extracting relevant information of the Web application program; judging whether a newly added dynamic script file exists in all file directories in the related information; if so, judging whether call chain information exists or not; if the new dynamic script file exists, isolating the newly added dynamic script file, and performing malicious Webshell alarm; if not, encrypting the dynamic script file to obtain an encryption result; judging whether the encryption is successful; if the encryption is successful, decrypting the encrypted dynamic script file to obtain a decryption result; judging whether the decryption is successful; if not, isolating the dynamic script file which fails in decryption; and generating a malicious WebShell alarm. By implementing the method provided by the embodiment of the invention, the changeable WebShell backdoor can be effectively identified.

Description

WebShell detection method and system
Technical Field
The invention relates to the technical field of webpage security analysis, in particular to a WebShell detection method and a WebShell detection system.
Background
The traditional WebShell detection and identification is based on the known WebShell code characteristics and the WebShell flow characteristics, the WebShell code is detected, whether the WebShell code is matched with the existing common WebShell code characteristic library or not is detected, and meanwhile, the function used in the code is detected to obtain judgment; and detecting the WebShell flow characteristics, wherein one detection is carried out based on commands executed by the WebShell and the payload characteristics, and the other detection is carried out based on the flow characteristics of common WebShell management tools, such as a kitchen knife, an ice scorpion and the like. Because the method depends on the own relevant matching rules or strategies, a large amount of false reports and missed reports often appear on the aspect of safety problems, and disadvantages often exist on the aspects of information updating and threat sniffing; meanwhile, the safety judgment is based on rules which are often a known threat arrangement set, so that WebShell can bypass detection to attack. Therefore, the current WebShell detection and identification method cannot effectively identify the changeable WebShell backdoor.
Therefore, it is necessary to design a new method for effectively identifying the changeable WebShell backdoor.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a WebShell detection method and a WebShell detection system.
In order to achieve the purpose, the invention adopts the following technical scheme: a WebShell detection method, comprising:
deploying the encryption tool and the decryption tool in the same directory as the Web application program;
extracting relevant information of the Web application program;
judging whether a newly added dynamic script file exists in all file directories in the related information;
if the newly added dynamic script file exists, judging whether calling chain information exists or not;
if the calling chain information exists, isolating the newly added dynamic script file, and performing malicious Webshell alarm;
if the calling chain information does not exist, encrypting the dynamic script file in the dynamic script file collection in the related information to obtain an encryption result;
judging whether the encryption result is successful or not;
if the encryption result is successful, decrypting the encrypted dynamic script file to obtain a decryption result;
judging whether the decryption result is successful or not;
if the decryption result is not successful, isolating the dynamic script file which fails in decryption;
and generating a malicious WebShell alarm according to the isolated dynamic script file.
The further technical scheme is as follows: the related information includes: the dynamic script file type, the middleware type, all file directories of the Web application program, all files of the Web application program, all dynamic script files of the Web application program and the call chain information of the dynamic script files.
The further technical scheme is as follows: the extracting the relevant information of the Web application program comprises the following steps:
searching all Web application folders under a directory where the Web application program is located by using the encryption tool, and sequentially extracting all file directories of the Web application program, all files under each file directory and the types of the dynamic script files;
calculating all dynamic script files under a single file directory for each file directory to generate a collection of all dynamic script files;
and calculating the front and back calling information in each dynamic script file according to the collection of all the dynamic script files, and generating the calling chain information of the dynamic script files.
The further technical scheme is as follows: the calculating the front and back calling information in each dynamic script file according to the collection of all the dynamic script files and generating the calling chain information of the dynamic script files comprises the following steps:
acquiring a content data set of each dynamic script file from all dynamic script file collections;
extracting the dynamic script files repeatedly from all the dynamic script files in the dynamic script file collection, wherein the extraction rule is that two dynamic script files form a group;
calculating the calling sequence of each group of dynamic script files for all the groups to obtain a calling sequence set;
and determining the calling chain information of the dynamic script file according to the calling sequence collection.
The further technical scheme is as follows: the judging whether the newly added dynamic script file exists in all the file directories in the related information includes:
calculating the increment of the dynamic script file under each file directory;
determining whether the increment is greater than zero;
if the increment is larger than zero, a newly-added dynamic script file exists;
and if the increment is not larger than zero, no newly added dynamic script file exists.
The further technical scheme is as follows: the judging whether the encryption result is successful or not comprises the following steps:
and comparing the encrypted dynamic script file with the dynamic script file before encryption, wherein when the encrypted dynamic script file is different from the dynamic script file before encryption, the encryption result is successful, and when the encrypted dynamic script file is the same as the dynamic script file before encryption, the encryption result is not successful.
The further technical scheme is as follows: the decrypting the encrypted dynamic script file to obtain a decryption result includes:
and decrypting the encrypted dynamic script file according to the calling chain information to obtain a decryption result.
The further technical scheme is as follows: the judging whether the decryption result is successful or not comprises the following steps:
acquiring an encrypted fingerprint collection of all file directories;
matching the file fingerprint obtained by decryption with the encrypted fingerprint collection to obtain a matching result;
judging whether the matching result is successful;
if the matching result is successful, the decryption result is successful;
and if the matching result is not successful, the decryption result is not successful.
The further technical scheme is as follows: the isolating the dynamic script file with the decryption failure comprises the following steps:
and placing the dynamic script file with the decryption failure in the exclusive buffer area.
The invention also provides a WebShell detection system, which comprises:
the deployment unit is used for deploying the encryption tool and the decryption tool in the same directory as the Web application program;
an extraction unit configured to extract related information of the Web application;
a newly-added judging unit, configured to judge whether a newly-added dynamic script file exists in all file directories in the relevant information;
the calling chain judging unit is used for judging whether calling chain information exists or not if a newly added dynamic script file exists;
the first isolation unit is used for isolating the newly-added dynamic script file and carrying out malicious Webshell alarm if the calling chain information exists;
the encryption unit is used for encrypting the dynamic script file in the dynamic script file collection in the related information to obtain an encryption result if the calling chain information does not exist;
an encryption judgment unit for judging whether the encryption result is successful or not;
the decryption unit is used for decrypting the encrypted dynamic script file to obtain a decryption result if the encryption result is successful;
a decryption judgment unit for judging whether the decryption result is a successful decryption;
the second isolation unit is used for isolating the dynamic script file which fails in decryption if the decryption result is not successful;
and the alarm generating unit is used for generating the malicious WebShell alarm according to the isolated dynamic script file.
Compared with the prior art, the invention has the beneficial effects that: the method comprises the steps of monitoring script files in a Web application program directory, carrying out encryption and decryption operations on the webpage script files, and detecting abnormal webpage script files; and when the decryption abnormal webpage script file exists, judging whether the file is a malicious WebShell file, and finally isolating and providing an alarm to effectively identify the changeable WebShell backdoor.
The invention is further described below with reference to the accompanying drawings and specific embodiments.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic flow diagram of a WebShell detection method according to an embodiment of the present invention;
fig. 2 is a schematic subflow diagram of a WebShell detection method according to an embodiment of the present invention;
fig. 3 is a schematic subflow diagram of a WebShell detection method according to an embodiment of the present invention;
fig. 4 is a schematic subflow diagram of a WebShell detection method according to an embodiment of the present invention;
fig. 5 is a schematic sub-flow diagram of a WebShell detection method according to an embodiment of the present invention;
fig. 6 is a schematic block diagram of a WebShell detection system according to an embodiment of the present invention;
fig. 7 is a schematic block diagram of an extraction unit of a WebShell detection system according to an embodiment of the present invention;
fig. 8 is a schematic block diagram of a call chain generation subunit of the WebShell detection system according to the embodiment of the present invention;
fig. 9 is a schematic block diagram of a newly added determining unit of the WebShell detection system according to the embodiment of the present invention;
fig. 10 is a schematic block diagram of a decryption determining unit of the WebShell detecting system according to an embodiment of the present invention;
FIG. 11 is a schematic block diagram of a computer device provided by an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the specification of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
Referring to fig. 1, fig. 1 is a schematic flow chart of a WebShell detection method according to an embodiment of the present invention. The WebShell detection method is applied to the terminal.
Fig. 1 is a schematic flow diagram of a WebShell detection method provided by an embodiment of the present invention. As shown in fig. 1, the method includes the following steps S110 to S210.
And S110, deploying the encryption tool and the decryption tool in the same directory as the Web application program.
In the embodiment, the encryption tool and the decryption tool perform encryption and decryption operations on the Web application dynamic script file. And performing encryption and decryption operations by using encryption and decryption algorithms in the calling execution process of the Web application dynamic script file, wherein the encryption and decryption operations comprise but are not limited to asymmetric encryption algorithms such as RSA, Elgamal, knapsack algorithm, Rabin and D-H, ECC, and symmetric encryption algorithms such as DES, 3DES, TDEA, Blowfish, RC5, IDEA and the like. And intervening in the analysis process of the dynamic script file. The encryption tool and the decryption tool are separately deployed and are respectively applied to different operation stages of the Web application program. Before the encryption tool is applied to the Web application program and started, the encryption tool carries out encryption operation on the dynamic script file under the file directory of the Web application program in an independent tool mode; the decryption tool is applied to the running of the Web application program, is deployed along with the starting of the Web application program in the forms of instrumentation, configuration files and the like, and decrypts the running encrypted dynamic script file.
For example: the system of the Web application Server is a Windows Server and has three file drives of C, D and E, wherein the Web application is deployed under the C drive, the middleware used by the Web application is Apache, and the Web application type is JavaWeb application.
Under the condition that the service normally runs, the Web application runs and interacts in an Apache server, and the Apache analyzes and executes all dynamic script files in the Web application.
In this example, the user does not define the monitoring time interval U by himself, that is, U is a default interval of 30 seconds, that is, the monitoring of the newly added dynamic script file is performed every 30 seconds.
Specifically, the Web application is deployed under the C: \ File directory, the Web application folder is C: \ File \ WebApp, and the encryption and decryption Tool folder is C: \ File \ Tool. An encryption tool encrypt tool jar and a decryption tool decrypt tool jar exist under the encryption and decryption tool folder. Jar is independently operated; jar configures in Apache configuration file to run with Web application start.
And S120, extracting the related information of the Web application program.
In this embodiment, the related information includes: the dynamic script file type, the middleware type, all file directories of the Web application program, all files of the Web application program, all dynamic script files of the Web application program and the call chain information of the dynamic script files.
In the present embodiment, the dynamic script file types include, but are not limited to, jsp, jspx, asp, aspx, php, and the like; middleware types include, but are not limited to, Tomcat, Apache, Nginx, and the like.
In an embodiment, referring to fig. 2, the step S120 may include steps S121 to S123.
And S121, retrieving all Web application folders in the directory where the Web application program is located by using the encryption tool, and sequentially extracting all file directories of the Web application program, all files in each file directory and the types of the dynamic script files.
In this embodiment, the encryption tool will retrieve all the Web application folders under C: \ File directory. The first extracted information is that the root directory of the folder of the Web application program is C: \ File \ WebApp, and further 3 folder models, views and controllers exist under the root directory of the Web application program. Three files of m1.jsp, m2.jsp and m3.jsp exist in the Model directory, two files of v1.jsp and v2.html exist in the View directory, and one file of c1.png exists in the Controller directory. The type of the dynamic script file extracted to the Web application at this time is jsp.
And S122, calculating all dynamic script files under a single file directory for each file directory to generate a collection of all dynamic script files.
In this embodiment, the dynamic scenario file collection refers to a collection composed of all dynamic scenario files and corresponding file directories.
Specifically, there is an algorithm T1 that determines, for the obtained dynamic scenario file type D, whether the files in the file directory belong to a dynamic scenario file, and generates a collection S of all dynamic scenario files in a single directoryi
The algorithm T1 is specifically implemented as follows, and aiming at a Web application program file directory collection F, obtaining each file directory data set { F1, F2, … … Fn }; aiming at a Web application program file collection L, acquiring each file data set { L1, L2 … … Ln }, calculating the number of all dynamic script files in a single file directory, and generating a dynamic script file collection Sx. Let the current file directory be FxIf all the files below the file are LxThe dynamic script file type is DxNamely, calculating T1{ (F)x,Lx),Dx}; if T1{ (F)x,Lx),Dx} =0, i.e. representing a file directory FxThe dynamic script file does not exist, and the dynamic script file is collected SxAll files in the file directory are not required to be encrypted by an encryption tool because the files are empty sets; if T1{ (F)x,Lx),Dx} =1, i.e. representing a file directory FxAt least one dynamic script file exists, and the dynamic script files are collected SxAs directory FxThe dynamic script file collection is determined by adopting the mode for each file directory, and all the dynamic script file collections S are formedi
And S123, calculating front and back calling information in each dynamic script file according to the collection of all the dynamic script files, and generating calling chain information of the dynamic script files.
In this embodiment, the call chain information is information of the sequential configuration of the call file.
In an embodiment, referring to fig. 3, the step S123 may include steps S1231 to S1234.
S1231, acquiring a content data set of each dynamic script file from all dynamic script file collections;
in the present embodiment, the content data set refers to the dynamic scenario files in each dynamic scenario file collection.
S1232, extracting the dynamic script files repeatedly from all the dynamic script files in the dynamic script file collection, wherein the extraction rule is that two dynamic script files form a group;
s1233, calculating the calling sequence of each group of dynamic script files for all the extracted groups to obtain a calling sequence set;
and S1234, determining the call chain information of the dynamic script file according to the call sequence collection.
For the process of generating the call chain information, an algorithm T2 exists, the algorithm calculates the front and back call information in each dynamic script file aiming at all dynamic script file collections Si, and generates a dynamic script file call chain Xi;
the algorithm T2 is implemented as follows, aiming at all dynamic script file collections SiAcquiring each dynamic script file content data set { Si1,Si2,……Sii}; to SiCollecting all dynamic script files to extract 2 files as a group without repetition, namely calculating mathematical combination; calculating the calling sequence of each group of files, wherein the calling sequence is collected as CiThe calling order data set is { C1,C2,……Ci}. Setting the current collection of all dynamic script files as SxIf the corresponding calling order set is CxI.e. calculating T2(Sx,Cx) (ii) a If T2(Sx,Cx) =0, i.e. meaning that there is no mutual call for all dynamic scenario files, when X is presentxIs an empty set; if T2(Sx,Cx) =1, namely, it means that at least two dynamic scenario files exist in all dynamic scenario files and have a mutual call relationship, in this case, XxA chain is called for all dynamic script files.
S130, judging whether a newly added dynamic script file exists in all file directories in the related information.
In an embodiment, referring to fig. 4, the step S130 may include steps S131 to S134.
S131, calculating the increment of the dynamic script file under each file directory;
s132, judging whether the increment is larger than zero;
s133, if the increment is larger than zero, a newly added dynamic script file exists;
and S134, if the increment is not greater than zero, no newly added dynamic script file exists.
Specifically, the existence algorithm T3 calculates, for the file directory F, the dynamic script file increment under the directory, and determines whether there is a newly added dynamic script file;
the algorithm T3 is specifically implemented as follows, for the file directory F, the directory F monitors all dynamic script files S of the time node at the next timeuAnd calculating whether a newly added dynamic script file exists or not, wherein the monitoring time interval is U. Let the current file directory be FxLast time all dynamic script files S of time node are monitoreduxWith a monitoring time interval of UxI.e. calculating T3{(Fx,Sux),Ux}; if T3{(Fx,Sux),Ux=0, namely, it represents that no newly added dynamic script file exists under the current directory; if T3{(Fx,Sux),Ux=1, i.e. representing the current eyeAt least one newly added dynamic script file is recorded.
S140, if a newly added dynamic script file exists, judging whether call chain information exists or not;
s150, if the calling chain information exists, isolating the newly added dynamic script file, and performing malicious Webshell alarm;
and isolating the newly added dynamic script file, and performing malicious Webshell alarm.
T3{(Fx,Sux),UxAnd =1 shows that a new dynamic script file exists outside the call chain, the new dynamic script file is placed in a buffer area, and malicious WebShell alarm is performed.
If no new dynamic script file exists, directly executing step S160;
and S160, if the call chain information does not exist, encrypting the dynamic script file in the dynamic script file collection in the related information to obtain an encryption result.
In this embodiment, the encryption result refers to a result obtained by encrypting the dynamic scenario file.
In particular, the encryption process exists an algorithm T4The algorithm aims at all dynamic script file collections S under a single directoryiAnd a unique encrypted fingerprint E of the current directoryiiGenerating an encrypted dynamic script file collection Fei
The algorithm T4 is implemented as follows, aiming at all dynamic script file collections S under a single file directoryiObtaining each dynamic script file set { Si1,Si2,……Sii}; and generates a unique encrypted fingerprint E for the file directoryiiUsing EiiAnd carrying out encryption operation on each dynamic script file in the file set. Set all dynamic script files collection S of current directoryxThe encrypted fingerprint of the current directory is EixI.e. calculating T4(Sx,Eix) (ii) a If T4(Sx,Eix) =0, i.e. it means that no dynamic scenario file is encrypted under the current directory, and the encrypted dynamic scenario is in the momentScript file FexIf the directory is empty, the dynamic script file in the directory will not execute decryption operation before execution; if T4(Sx,Eix) =1, i.e. it means that at least 1 dynamic scenario file in the current directory is encrypted, and the encrypted dynamic scenario file FexThe middle is an encrypted dynamic script file.
S170, judging whether the encryption result is successful or not.
In this embodiment, the encrypted dynamic scenario file is compared with the dynamic scenario file before encryption, and when the encrypted dynamic scenario file is different from the dynamic scenario file before encryption, the encryption result is successful, and when the encrypted dynamic scenario file is the same as the dynamic scenario file before encryption, the encryption result is not successful.
Specifically, the encryption result judgment process exists in an algorithm T5The algorithm T5For all dynamic script files under a single file directoryiAnd an encrypted dynamic scenario file collection F of the current directoryeiComparing the file characteristics before and after encryption and judging whether the encryption is successful;
the algorithm T5 is specifically implemented as follows, and obtains each dynamic scenario file set { S } for all dynamic scenario file sets Si under a single directoryi1,Si2,……Sii}; and aiming at the encrypted dynamic script file collection F of the current directoryeiObtaining each encrypted dynamic script file set { Fei1,Fei2,……Feii}; and comparing each file corresponding to the encrypted file one by one. Set a certain dynamic script file collection S of the current directoryixThe file after the file encryption is FeixI.e. calculating T5(Six,Feix) (ii) a If T5(Six,Feix) =0, i.e. indicating that the dynamic scenario file was not successfully encrypted; if T5(Six,Feix) =1, namely, it represents that the dynamic scenario file is successfully encrypted; T5T5(Six,Feix) The result of (A) constitutes T4 (S)x,Eix) Is determined.
If the encryption result is not successful, executing the step S160;
and S180, if the encryption result is successful, decrypting the encrypted dynamic script file to obtain a decryption result.
In this embodiment, the decryption result refers to a result obtained by decrypting the encrypted dynamic scenario file.
Specifically, the encrypted dynamic script file is decrypted according to the call chain information to obtain a decryption result.
And S190, judging whether the decryption result is successful or not.
In an embodiment, referring to fig. 5, the step S190 may include steps S191 to S195.
S191, acquiring an encrypted fingerprint collection of all file directories;
and S192, matching the file fingerprint obtained by decryption with the encrypted fingerprint collection to obtain a matching result.
In this embodiment, the matching result indicates whether the file fingerprint obtained by decryption is consistent with the corresponding fingerprint in the encrypted fingerprint collection.
S193, judging whether the matching result is successful;
s194, if the matching result is successful, the decryption result is successful;
and S195, if the matching result is not the matching success, the decryption result is not the decryption success.
In particular, it is judged that algorithm T exists for the decryption result6The algorithm aims at all the encrypted dynamic script files in a single directory to be collected FeiEncrypted fingerprint collection of all file directories EiAnd all dynamic script file call chains XiDecrypting the encrypted dynamic script file according to the call chain and based on the encrypted fingerprint EiJudging whether decryption is successful; encrypted fingerprint collection EiBy the above-mentioned unique encrypted fingerprint E of each file directoryiiAnd (4) forming.
Algorithm T6The specific implementation is as follows, aiming at all the encrypted dynamic script file collections FeiAcquiring each encrypted dynamic script file set { Fei1, Fei2, … … Feii }; and calls chain X against dynamic script filesiObtaining the calling sequence { X of each encrypted dynamic script fileFei1,XFei2,……XFeii}; decrypting one by one according to the sequence of the call chain, and collecting E according to the decrypted file fingerprints and the encrypted fingerprintsiAnd (6) carrying out comparison. Setting all the enciphered dynamic script file as FeixThe dynamic script file call chain is XixThe encrypted fingerprint is EixNamely, calculating T6{ (F)eix,Xix),Eix}; if T6{(Feix,Xix),Eix=0, that is, it represents that the encrypted dynamic script file is not decrypted successfully, and there is an abnormal decryption; if T6{ (F)eix,Xix),EixAnd =1, that is, the encrypted dynamic script file is decrypted successfully, and the fingerprints of the file before and after encryption and decryption are matched successfully.
And if the decryption result is that the decryption is successful, entering an end step.
S200, if the decryption result is not successful, isolating the dynamic script file which fails in decryption.
Specifically, the dynamic script file with the decryption failure is placed in the exclusive buffer.
And S210, generating a malicious WebShell alarm according to the isolated dynamic script file.
When calling chain XiIf not, the decryption tool acquires the monitored newly added dynamic script files in real time and decrypts all encrypted dynamic script files according to a random sequence, and if a file T exists at the moment6=0, the file is placed in the buffer, and malicious WebShell alarm is performed; if there is a call chain XiWhen the dynamic script file is encrypted, the decryption tool decrypts the encrypted dynamic script file in sequence according to the sequence of the call chain, and if the file T exists6=0, will decrypt abnormal alarm after placing the buffer, if T this moment3=1, i.e. it means there is a new dynamic script file added outside the call chain, the new file is placed in the buffer, and then go onAnd (4) warning the WebShell with malicious lines.
For example: the system of the Web application Server is a Windows Server and has three file drives of C, D and E, wherein the Web application is deployed under the C drive, the middleware used by the Web application is Apache, and the Web application type is JavaWeb application. Under the condition that the service normally runs, the Web application runs and interacts in an Apache server, and the Apache analyzes and executes all dynamic script files in the Web application. In this example, the user does not define the monitoring time interval U by himself, that is, U is a default interval of 30 seconds, that is, the monitoring of the newly added dynamic script file is performed every 30 seconds.
The encryption and decryption Tool is deployed in the same directory as the Web application, in the embodiment, the Web application is deployed in a C: \ File directory, the Web application folder is C: \ File \ WebApp, and the encryption and decryption Tool folder is C: \ File \ Tool. An encryption tool encrypt tool jar and a decryption tool decrypt tool jar exist under the encryption and decryption tool folder. Jar is independently operated; jar configures in Apache configuration file to run with Web application start.
Further, the encryption tool will retrieve all the Web application folders under C: \ File directory. The first extracted information is that the root directory of the Web application folder is C: \ File \ WebApp, and further 3 folders Model, View and Controller exist in the Web application root directory. Three files of m1.jsp, m2.jsp and m3.jsp exist in the Model directory, two files of v1.jsp and v2.html exist in the View directory, and one file of c1.png exists in the Controller directory. The type of the dynamic script file extracted to the Web application at this time is jsp.
Using said algorithm T based on the above extracted information1Performing an analysis, the Web application File directory dataset FxIs { Model, View, Controller }, and the corresponding Web application file data set LxAnd the dynamic script file type Dx of the Web application is jsp, wherein the dynamic script file type Dx of the Web application is jsp, and the dynamic script file type Dx of the Web application is { m1.jsp, m2.jsp, m3.jsp }, { v1.jsp, v2.html }, and { c1.png }. I.e. the result of the calculation T1{ (Fx, Lx), Dx } = { ({ Model, View, Controller }, { { m1.jsp, m2.jsp, m3.jsp }, { v1.jsp, v2.html }, { c1.png } }), jsp }. At this point, a dynamic script file box is obtainedCollection SxIs { m1.jsp, m2.jsp, m3.jsp }, { v1.jsp }, { } }. Collecting S according to the extracted dynamic script filexUsing said algorithm T2Performing an analysis of SxThe dynamic script files in the system are not repeatedly extracted for 2 to form a group, and a calling sequence set C is obtainedxFor { { m1.jsp, m2.jsp }, { m3.jsp, v1.jsp } }, in this example, the m1.jsp file does not contain calls to other dynamic script files, the m2.jsp file contains calls to m1.jsp and m3.jsp, the m3.jsp file contains calls to m1.jsp, and the v1.jsp file contains calls to m1.jsp, m2.jsp, and m3. jsp. I.e. the result of the calculation T2(Sx,Cx) ({ { m1.jsp, m2.jsp, m3.jsp }, { v1.jsp }, { } }, { { m1.jsp, m2.jsp }, { m3.jsp, v1.jsp } }) =1, and generates a call chain X, and a call chain X is generatedx = {v1.jsp,m2.jsp,m3.jsp,m1.jsp}。
The analysis was performed using the algorithm T3, with a default monitoring interval of U, i.e. U is 30 seconds. SuxFor the first 30 seconds of the dynamic script file set, SuxCalculated by the algorithm T1, Fx is the file directory result set. In this example, a dynamic script file test.jsp is added to the Controller directory in the monitoring interval of U = U-30, and at this time Sux-30 = {{m1.jsp,m2.jsp,m3.jsp},{v1.jsp},{test.jsp}},T3{(Fx,Sux-30),U-30} = 1。
Using the algorithm T4 for analysis, the encryption tool first gathers F from the file directoriesxGenerating an encrypted fingerprint collection ExThe encrypted fingerprint is unique for each directory, and the encrypted fingerprints for different file directories are also different. And the encrypted fingerprint is invisible to the execution of the dynamic script file, and the encrypted fingerprint does not influence the analysis execution result of the dynamic script file. In this example, File directory Collection FxIs { Model, View, Controller }, then corresponding to the generated encrypted fingerprint collection ExIs { Em1,Ev1,Ec1}. Dynamic script file under Model file directory uses encrypted fingerprint Em1Encrypting, encrypting the dynamic script file under the View file directory by using the encryption fingerprint Ev1, and encrypting the dynamic script file under the Controller file directory by addingThe secret fingerprint Ec1 is encrypted. Namely, the encryption result T4 is calculated (S)x,Eix) =0 or T4 (S)x,Eix) =1, and generate encrypted dynamic scenario file collection Fex. Here T4 (S)x,Eix) = T4({ { m1.jsp, m2.jsp, m3.jsp }, { v1.jsp }, { } }, { Em1, Ev1, Ec1}), and the generated collection Fex of the encrypted dynamic script file is { { Em1.jsp, Em2.jsp, Em3.jsp }, { Ev1.jsp }, { } }. The generated encrypted dynamic script files { { Em1.jsp, Em2.jsp, Em3.jsp }, { Ev1.jsp }, and { } are placed according to the directory where the original file is located, and the encryption tool backs up the original file and the directory to a specified directory.
The encryption result calculated by the T4 algorithm is obtained by synthesizing the encryption result of each dynamic script file under each file directory, so the result subset of the T4 algorithm needs to be calculated by the corresponding algorithm. Using said algorithm T5Analyzing and judging whether a certain dynamic script file is successfully encrypted, wherein Six is a certain dynamic script file, Feix is a dynamic script file corresponding to Six after encryption, taking m1.jsp file under a file directory Model as an example, the dynamic script file corresponding to the file after encryption is Em1.jsp, and calculating T5(Six,Feix) = (m1.jsp, em1.jsp) = 0) when T5(m1.jsp, em1.jsp) =0, it means that the m1.jsp file has not been successfully encrypted; when T5(m1.jsp, em1.jsp) =0, it indicates that the m1.jsp file encryption is successful. And carrying out encryption result judgment on each dynamic script file of the Web application by using the T5 algorithm so as to obtain a result subset of the T4 algorithm.
Before the middleware analyzes and executes the dynamic script file, the decryption tool decrypts the encrypted dynamic script file. Decrypting the encrypted dynamic script file and using the algorithm T6Analyzing, wherein F is a certain encrypted dynamic script file of a certain directory under the Web applicationeixThe dynamic script file call chain is Xix,FeixThe corresponding encrypted fingerprint is Eix, i.e. T is calculated6{(Feix,Xix),Eix} =0 or T6{(Feix,Xix),Eix=1 and generates a decrypted dynamic scenario file. In thatIn this example, taking the Em2.jsp file under the file directory Model as an example, the call chain XixIs { v1.jsp, m2.jsp, m3.jsp, m1.jsp }, i.e. decryption of the m2.jsp file will be performed after decryption of v1.jsp, and the encrypted fingerprint corresponding to Em2.jsp will be Em1, i.e. calculating T6{(Feix,Xix),Eix}= T6{ (Em2.jsp, { v1.jsp, m2.jsp, m3.jsp, m1.jsp }, Em1}, and generate a decrypted dynamic script file dem2. jsp.
And judging whether the decryption of the encrypted dynamic script file is successful or not. In this example, if T6{(Feix,Xix),Eix}= T6{ (Em2.jsp, { v1.jsp, m2.jsp, m3.jsp, m1.jsp }, Em1} =0 indicates that the decryption of the Em2.jsp file fails, and if T is greater than or equal to T, the decryption of the Em2.jsp file fails, or if T is greater than or equal to M, the decryption of the Em2.jsp file fails, or if T is greater than or equal to T, the decryption of the M, or T is greater than or equal to T, or less than T, or less than T, or less than T, m, or less than T, or less than T, m, less than or less than T, m, and (less than or less than 1, m6{(Feix,Xix),Eix}= T6{ (Em2.jsp, { v1.jsp, m2.jsp, m3.jsp, m1.jsp }, Em1} =1, it means that the decryption of the Em2.jsp file is successful, and the generated decrypted dynamic script file dem2.jsp will be directly renamed to m2.jsp and will overwrite the original m2.jsp file in the original directory, and the middleware Apache parses the decrypted m2.jsp script file.
Isolating the dynamic script file with the decryption failure, and isolating Em2. jsp; in this example, decryption of v1.jsp, m2.jsp, and m3.jsp is successful, decryption of m1.jsp is failed, a call chain { v1.jsp, m2.jsp, m3.jsp, m1.jsp } exists, and a newly added dynamic script file test. jsp exists at a monitoring interval of U = U-30. Then m1.jsp will be subjected to decryption exception alarm due to m1.jsp decryption failure; because of the existence of the call chain, the test.jsp is not in the call chain, the test.jsp can be judged as WebShell, and WebShell malicious backdoor alarm can be carried out on the test.jsp. If there is no call chain in this example, m1.jsp will be determined as WebShell because m1.jsp decryption fails; jsp is directly placed in a Web file directory and is not encrypted, so that decryption inevitably fails, the test jsp is judged to be WebShell, and WebShell malicious backdoor alarm is carried out on m1.jsp and the test. jsp. After the alarm, the above step S130 is repeated.
In the WebShell detection method, the script files in the Web application program directory are monitored, the webpage script files are encrypted and decrypted, and abnormal webpage script files are detected; and when the decryption abnormal webpage script file exists, judging whether the file is a malicious WebShell file, and finally isolating and providing an alarm to effectively identify the changeable WebShell backdoor.
Fig. 6 is a schematic block diagram of a WebShell detection system 300 according to an embodiment of the present invention. As shown in fig. 6, the present invention further provides a WebShell detection system 300 corresponding to the above WebShell detection method. The WebShell detection system 300, which includes means for performing one of the above-described WebShell detection methods, may be configured in a desktop computer, a tablet computer, a laptop computer, or the like. Specifically, referring to fig. 6, the WebShell detection system 300 includes a deployment unit 301, an extraction unit 302, a new addition judgment unit 303, a call chain judgment unit 304, a first isolation unit 305, an encryption unit 306, an encryption judgment unit 307, a decryption unit 308, a decryption judgment unit 309, a second isolation unit 310, and an alarm generation unit 311.
A deployment unit 301, configured to deploy the encryption tool and the decryption tool in the same directory as the Web application; an extracting unit 302, configured to extract relevant information of the Web application; a newly added judgment unit 303, configured to judge whether a newly added dynamic script file exists in all file directories in the relevant information; a call chain determining unit 304, configured to determine whether call chain information exists if a newly added dynamic script file exists; a first isolating unit 305, configured to isolate the newly added dynamic script file and perform malicious Webshell alarm if there is call chain information; an encrypting unit 306, configured to encrypt the dynamic script file in the dynamic script file collection in the relevant information to obtain an encryption result if there is no call chain information; an encryption judgment unit 307 for judging whether the encryption result is successful; a decryption unit 308, configured to decrypt the encrypted dynamic script file to obtain a decryption result if the encryption result is successful; a decryption judgment unit 309 configured to judge whether the decryption result is a successful decryption; a second isolating unit 310, configured to isolate the dynamic script file that fails to be decrypted if the decryption result is not that the decryption is successful; and the alarm generating unit 311 is configured to generate a malicious WebShell alarm according to the isolated dynamic script file.
In an embodiment, as shown in fig. 7, the extracting unit 302 includes a retrieving subunit 3021, a calculating subunit 3022, and a call chain generating subunit 3023.
A retrieving subunit 3021, configured to retrieve all Web application folders in the directory where the Web application program is located by using the encryption tool, and sequentially extract all file directories of the Web application program, all files in each file directory, and types of dynamic script files; a calculating subunit 3022, configured to calculate all dynamic scenario files in a single file directory for each file directory, and generate a collection of all dynamic scenario files; and the call chain generation subunit 3023 is configured to calculate the front-back call information in each dynamic script file according to the collection of all dynamic script files, and generate call chain information of the dynamic script file.
In an embodiment, as shown in fig. 8, the call chain generation subunit 3023 includes a data set acquisition module 30231, a decimation module 30232, an order calculation module 30233, and a determination module 30234.
A data set acquiring module 30231, configured to acquire a content data set of each dynamic script file for all dynamic script file collections; an extraction module 30232, configured to extract dynamic script files from all dynamic script files in the dynamic script file collection without repetition, where an extraction rule is that two dynamic script files form a group; a sequence calculating module 30233, configured to calculate, for all extracted groups, a call sequence of each group of dynamic script files, so as to obtain a call sequence set; the determining module 30234 is configured to determine the call chain information of the dynamic script file according to the call order collection.
In one embodiment, as shown in fig. 9, the newly added judgment unit 303 includes an increment calculation sub-unit 3031 and an increment judgment sub-unit 3032.
The increment operator unit 3031 is used for calculating the increment of the dynamic script file under each file directory; an increment judgment subunit 3032, configured to judge whether the increment is greater than zero; if the increment is larger than zero, a newly-added dynamic script file exists; and if the increment is not larger than zero, no newly added dynamic script file exists.
In an embodiment, the encryption determining unit 307 is configured to compare the encrypted dynamic scenario file with the dynamic scenario file before encryption, and when the encrypted dynamic scenario file is different from the dynamic scenario file before encryption, the encryption result is successful, and when the encrypted dynamic scenario file is the same as the dynamic scenario file before encryption, the encryption result is not successful.
In an embodiment, the decryption unit 306 is configured to decrypt the encrypted dynamic scenario file according to the call chain information to obtain a decryption result.
In one embodiment, as shown in fig. 10, the decryption determining unit 309 comprises a fingerprint collection obtaining sub-unit 3091, a matching sub-unit 3092 and a result determining sub-unit 3093.
A fingerprint collection obtaining subunit 3091, configured to obtain an encrypted fingerprint collection of all file directories; the matching subunit 3092 is configured to match the file fingerprint obtained through decryption with the encrypted fingerprint collection to obtain a matching result; a result judgment subunit 3093, configured to judge whether the matching result is a successful matching; if the matching result is successful, the decryption result is successful; and if the matching result is not successful, the decryption result is not successful.
In an embodiment, the second isolation unit 310 is configured to place the dynamic script file that fails to be decrypted in a dedicated buffer.
It should be noted that, as can be clearly understood by those skilled in the art, the specific implementation process of the WebShell detection system 300 and each unit may refer to the corresponding description in the foregoing method embodiment, and for convenience and brevity of description, no further description is provided herein. A WebShell detection system 300 as described above may be implemented in the form of a computer program that can be run on a computer device as shown in fig. 11.
Referring to fig. 11, fig. 11 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 500 may be a terminal, wherein the terminal may be an electronic device with a communication function, such as a smart phone, a tablet computer, a notebook computer, a desktop computer, a personal digital assistant, and a wearable device.
Referring to fig. 11, the computer device 500 includes a processor 502, memory, and a network interface 505 connected by a system bus 501, where the memory may include a non-volatile storage medium 503 and an internal memory 504.
The non-volatile storage medium 503 may store an operating system 5031 and a computer program 5032. The computer programs 5032 include program instructions that, when executed, cause the processor 502 to perform a WebShell detection method.
The processor 502 is used to provide computing and control capabilities to support the operation of the overall computer device 500.
The internal memory 504 provides an environment for the execution of the computer program 5032 in the non-volatile storage medium 503, and when the computer program 5032 is executed by the processor 502, the processor 502 may be caused to perform a WebShell detection method.
The network interface 505 is used for network communication with other devices. Those skilled in the art will appreciate that the configuration shown in fig. 11 is a block diagram of only a portion of the configuration associated with the present application and does not constitute a limitation of the computer device 500 to which the present application may be applied, and that a particular computer device 500 may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
Wherein the processor 502 is configured to run the computer program 5032 stored in the memory to implement the following steps:
deploying the encryption tool and the decryption tool in the same directory as the Web application program; extracting relevant information of the Web application program; judging whether a newly added dynamic script file exists in all file directories in the related information; if the newly added dynamic script file exists, judging whether calling chain information exists or not; if the calling chain information exists, isolating the newly added dynamic script file, and performing malicious Webshell alarm; if the calling chain information does not exist, encrypting the dynamic script file in the dynamic script file collection in the related information to obtain an encryption result; judging whether the encryption result is successful or not; if the encryption result is successful, decrypting the encrypted dynamic script file to obtain a decryption result; judging whether the decryption result is successful or not; if the decryption result is not successful, isolating the dynamic script file which fails in decryption; and generating a malicious WebShell alarm according to the isolated dynamic script file.
Wherein the related information comprises: the dynamic script file type, the middleware type, all file directories of the Web application program, all files of the Web application program, all dynamic script files of the Web application program and the call chain information of the dynamic script files.
In an embodiment, when the processor 502 implements the step of extracting the relevant information of the Web application, the following steps are specifically implemented:
searching all Web application folders under a directory where the Web application program is located by using the encryption tool, and sequentially extracting all file directories of the Web application program, all files under each file directory and the types of the dynamic script files; calculating all dynamic script files under a single file directory for each file directory to generate a collection of all dynamic script files; and calculating the front and back calling information in each dynamic script file according to the collection of all the dynamic script files, and generating the calling chain information of the dynamic script files.
In an embodiment, when implementing the steps of calculating the front-back call information in each dynamic script file according to the collection of all dynamic script files and generating the call chain information of the dynamic script file, the processor 502 specifically implements the following steps:
acquiring a content data set of each dynamic script file from all dynamic script file collections; extracting the dynamic script files repeatedly from all the dynamic script files in the dynamic script file collection, wherein the extraction rule is that two dynamic script files form a group; calculating the calling sequence of each group of dynamic script files for all the groups to obtain a calling sequence set; and determining the calling chain information of the dynamic script file according to the calling sequence collection.
In an embodiment, when the step of determining whether there is a newly added dynamic scenario file for all file directories in the related information is implemented by the processor 502, the following steps are specifically implemented:
calculating the increment of the dynamic script file under each file directory; determining whether the increment is greater than zero; if the increment is larger than zero, a newly-added dynamic script file exists; and if the increment is not larger than zero, no newly added dynamic script file exists.
In an embodiment, when implementing the step of determining whether the encryption result is an encryption success, the processor 502 specifically implements the following steps:
and comparing the encrypted dynamic script file with the dynamic script file before encryption, wherein when the encrypted dynamic script file is different from the dynamic script file before encryption, the encryption result is successful, and when the encrypted dynamic script file is the same as the dynamic script file before encryption, the encryption result is not successful.
In an embodiment, when the processor 502 implements the step of decrypting the encrypted dynamic script file to obtain a decryption result, the following steps are specifically implemented:
and decrypting the encrypted dynamic script file according to the calling chain information to obtain a decryption result.
In an embodiment, when the processor 502 implements the step of determining whether the decryption result is a successful decryption, the following steps are specifically implemented:
acquiring an encrypted fingerprint collection of all file directories; matching the file fingerprint obtained by decryption with the encrypted fingerprint collection to obtain a matching result; judging whether the matching result is successful; if the matching result is successful, the decryption result is successful; and if the matching result is not successful, the decryption result is not successful.
In an embodiment, when implementing the step of isolating the dynamic script file with a decryption failure, the processor 502 specifically implements the following steps:
and placing the dynamic script file with the decryption failure in the exclusive buffer area.
It should be understood that in the embodiment of the present Application, the Processor 502 may be a Central Processing Unit (CPU), and the Processor 502 may also be other general-purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components, and the like. Wherein a general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It will be understood by those skilled in the art that all or part of the flow of the method implementing the above embodiments may be implemented by a computer program instructing associated hardware. The computer program includes program instructions, and the computer program may be stored in a storage medium, which is a computer-readable storage medium. The program instructions are executed by at least one processor in the computer system to implement the flow steps of the embodiments of the method described above.
Accordingly, the present invention also provides a storage medium. The storage medium may be a computer-readable storage medium. The storage medium stores a computer program, wherein the computer program, when executed by a processor, causes the processor to perform the steps of:
deploying the encryption tool and the decryption tool in the same directory as the Web application program; extracting relevant information of the Web application program; judging whether a newly added dynamic script file exists in all file directories in the related information; if the newly added dynamic script file exists, judging whether calling chain information exists or not; if the calling chain information exists, isolating the newly added dynamic script file, and performing malicious Webshell alarm; if the calling chain information does not exist, encrypting the dynamic script file in the dynamic script file collection in the related information to obtain an encryption result; judging whether the encryption result is successful or not; if the encryption result is successful, decrypting the encrypted dynamic script file to obtain a decryption result; judging whether the decryption result is successful or not; if the decryption result is not successful, isolating the dynamic script file which fails in decryption; and generating a malicious WebShell alarm according to the isolated dynamic script file.
Wherein the related information comprises: the dynamic script file type, the middleware type, all file directories of the Web application program, all files of the Web application program, all dynamic script files of the Web application program and the call chain information of the dynamic script files.
In an embodiment, when the processor executes the computer program to implement the step of extracting the relevant information of the Web application, the processor specifically implements the following steps:
searching all Web application folders under a directory where the Web application program is located by using the encryption tool, and sequentially extracting all file directories of the Web application program, all files under each file directory and the types of the dynamic script files;
calculating all dynamic script files under a single file directory for each file directory to generate a collection of all dynamic script files;
and calculating the front and back calling information in each dynamic script file according to the collection of all the dynamic script files, and generating the calling chain information of the dynamic script files.
In an embodiment, when the processor executes the computer program to implement the steps of calculating the front-back call information in each dynamic script file according to the collection of all dynamic script files and generating the call chain information of the dynamic script file, the following steps are specifically implemented:
acquiring a content data set of each dynamic script file from all dynamic script file collections; extracting the dynamic script files repeatedly from all the dynamic script files in the dynamic script file collection, wherein the extraction rule is that two dynamic script files form a group; calculating the calling sequence of each group of dynamic script files for all the groups to obtain a calling sequence set; and determining the calling chain information of the dynamic script file according to the calling sequence collection.
In an embodiment, when the processor executes the computer program to determine whether there is a newly added dynamic scenario file for all file directories in the related information, the following steps are specifically implemented:
calculating the increment of the dynamic script file under each file directory;
determining whether the increment is greater than zero;
if the increment is larger than zero, a newly-added dynamic script file exists;
and if the increment is not larger than zero, no newly added dynamic script file exists.
In an embodiment, when the processor executes the computer program to implement the step of determining whether the encryption result is a successful encryption, the following steps are specifically implemented:
and comparing the encrypted dynamic script file with the dynamic script file before encryption, wherein when the encrypted dynamic script file is different from the dynamic script file before encryption, the encryption result is successful, and when the encrypted dynamic script file is the same as the dynamic script file before encryption, the encryption result is not successful.
In an embodiment, when the processor executes the computer program to implement the step of decrypting the encrypted dynamic script file to obtain a decryption result, the following steps are specifically implemented:
and decrypting the encrypted dynamic script file according to the calling chain information to obtain a decryption result.
In an embodiment, when the processor executes the computer program to implement the step of determining whether the decryption result is a successful decryption, the following steps are specifically implemented:
acquiring an encrypted fingerprint collection of all file directories; matching the file fingerprint obtained by decryption with the encrypted fingerprint collection to obtain a matching result; judging whether the matching result is successful; if the matching result is successful, the decryption result is successful; and if the matching result is not successful, the decryption result is not successful.
In an embodiment, when the processor executes the computer program to implement the step of isolating the dynamic script file with the decryption failure, the following steps are specifically implemented:
and placing the dynamic script file with the decryption failure in the exclusive buffer area.
The storage medium may be a usb disk, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, or an optical disk, which can store various computer readable storage media.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described in a functional general in the foregoing description for the purpose of illustrating clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed system and method can be implemented in other ways. For example, the system embodiments described above are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, various elements or components may be combined or may be integrated into another system, or some features may be omitted, or not implemented.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the system of the embodiment of the invention can be merged, divided and deleted according to actual needs. In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a storage medium. Based on such understanding, the technical solution of the present invention essentially or partially contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a terminal, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention.
While the invention has been described with reference to specific embodiments, the invention is not limited thereto, and various equivalent modifications and substitutions can be easily made by those skilled in the art within the technical scope of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (8)

1. A WebShell detection method is characterized by comprising the following steps:
deploying the encryption tool and the decryption tool in the same directory as the Web application program;
extracting relevant information of the Web application program;
judging whether a newly added dynamic script file exists in all file directories in the related information;
if the newly added dynamic script file exists, judging whether calling chain information exists or not;
if the calling chain information exists, isolating the newly added dynamic script file, and performing malicious Webshell alarm;
if the calling chain information does not exist, encrypting the dynamic script file in the dynamic script file collection in the related information to obtain an encryption result;
judging whether the encryption result is successful or not;
if the encryption result is successful, decrypting the encrypted dynamic script file to obtain a decryption result;
judging whether the decryption result is successful or not;
if the decryption result is not successful, isolating the dynamic script file which fails in decryption;
generating a malicious WebShell alarm according to the isolated dynamic script file;
wherein the determining whether the encryption result is successful comprises:
comparing the encrypted dynamic script file with the dynamic script file before encryption, wherein when the encrypted dynamic script file is different from the dynamic script file before encryption, the encryption result is successful, and when the encrypted dynamic script file is the same as the dynamic script file before encryption, the encryption result is not successful;
the judging whether the decryption result is successful or not comprises the following steps:
acquiring an encrypted fingerprint collection of all file directories;
matching the file fingerprint obtained by decryption with the encrypted fingerprint collection to obtain a matching result;
judging whether the matching result is successful;
if the matching result is successful, the decryption result is successful;
and if the matching result is not successful, the decryption result is not successful.
2. The WebShell detection method of claim 1, wherein the relevant information includes: the dynamic script file type, the middleware type, all file directories of the Web application program, all files of the Web application program, all dynamic script files of the Web application program and the call chain information of the dynamic script files.
3. The WebShell detection method of claim 2, wherein the extracting the relevant information of the Web application comprises:
searching all Web application folders under a directory where the Web application program is located by using the encryption tool, and sequentially extracting all file directories of the Web application program, all files under each file directory and the types of the dynamic script files;
calculating all dynamic script files under a single file directory for each file directory to generate a collection of all dynamic script files;
and calculating the front and back calling information in each dynamic script file according to the collection of all the dynamic script files, and generating the calling chain information of the dynamic script files.
4. The WebShell detection method according to claim 3, wherein the calculating the call information before and after each dynamic script file according to the collection of all dynamic script files and generating the call chain information of the dynamic script files comprises:
acquiring a content data set of each dynamic script file from all dynamic script file collections;
extracting the dynamic script files repeatedly from all the dynamic script files in the dynamic script file collection, wherein the extraction rule is that two dynamic script files form a group;
calculating the calling sequence of each group of dynamic script files for all the groups to obtain a calling sequence set;
and determining the calling chain information of the dynamic script file according to the calling sequence collection.
5. The WebShell detection method of claim 1, wherein the determining whether there is a newly added dynamic scenario file for all file directories in the related information comprises:
calculating the increment of the dynamic script file under each file directory;
determining whether the increment is greater than zero;
if the increment is larger than zero, a newly-added dynamic script file exists;
and if the increment is not larger than zero, no newly added dynamic script file exists.
6. The WebShell detection method according to claim 1, wherein decrypting the encrypted dynamic scenario file to obtain a decryption result comprises:
and decrypting the encrypted dynamic script file according to the calling chain information to obtain a decryption result.
7. The WebShell detection method according to claim 1, wherein the isolating the dynamic script file that fails to be decrypted includes:
and placing the dynamic script file with the decryption failure in the exclusive buffer area.
8. A WebShell detection system, comprising:
the deployment unit is used for deploying the encryption tool and the decryption tool in the same directory as the Web application program;
an extraction unit configured to extract related information of the Web application;
a newly-added judging unit, configured to judge whether a newly-added dynamic script file exists in all file directories in the relevant information;
the calling chain judging unit is used for judging whether calling chain information exists or not if a newly added dynamic script file exists;
the first isolation unit is used for isolating the newly-added dynamic script file and carrying out malicious Webshell alarm if the calling chain information exists;
the encryption unit is used for encrypting the dynamic script file in the dynamic script file collection in the related information to obtain an encryption result if the calling chain information does not exist;
an encryption judgment unit for judging whether the encryption result is successful or not;
the decryption unit is used for decrypting the encrypted dynamic script file to obtain a decryption result if the encryption result is successful;
a decryption judgment unit for judging whether the decryption result is a successful decryption;
the second isolation unit is used for isolating the dynamic script file which fails in decryption if the decryption result is not successful;
the warning generation unit is used for generating a malicious WebShell warning according to the isolated dynamic script file;
wherein, judging whether the encryption result is successful comprises:
comparing the encrypted dynamic script file with the dynamic script file before encryption, wherein when the encrypted dynamic script file is different from the dynamic script file before encryption, the encryption result is successful, and when the encrypted dynamic script file is the same as the dynamic script file before encryption, the encryption result is not successful;
judging whether the decryption result is successful or not, including:
acquiring an encrypted fingerprint collection of all file directories;
matching the file fingerprint obtained by decryption with the encrypted fingerprint collection to obtain a matching result;
judging whether the matching result is successful;
if the matching result is successful, the decryption result is successful;
and if the matching result is not successful, the decryption result is not successful.
CN202110985872.8A 2021-08-26 2021-08-26 WebShell detection method and system Active CN113434861B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110985872.8A CN113434861B (en) 2021-08-26 2021-08-26 WebShell detection method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110985872.8A CN113434861B (en) 2021-08-26 2021-08-26 WebShell detection method and system

Publications (2)

Publication Number Publication Date
CN113434861A CN113434861A (en) 2021-09-24
CN113434861B true CN113434861B (en) 2021-11-16

Family

ID=77798012

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110985872.8A Active CN113434861B (en) 2021-08-26 2021-08-26 WebShell detection method and system

Country Status (1)

Country Link
CN (1) CN113434861B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114329462A (en) * 2021-11-22 2022-04-12 网宿科技股份有限公司 Malicious file detection method, device and equipment and readable storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101808093B (en) * 2010-03-15 2013-08-07 北京安天电子设备有限公司 System and method for automatically detecting WEB security
CN103607413B (en) * 2013-12-05 2017-01-18 北京奇虎科技有限公司 Method and device for detecting website backdoor program
KR102382889B1 (en) * 2019-11-28 2022-04-05 네이버클라우드 주식회사 Method and system for detecting web shell using process information
CN113190849B (en) * 2021-04-28 2023-03-03 重庆邮电大学 Webshell script detection method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN113434861A (en) 2021-09-24

Similar Documents

Publication Publication Date Title
Shaukat et al. RansomWall: A layered defense system against cryptographic ransomware attacks using machine learning
EP3139297B1 (en) Malware determination device, malware determination system, malware determination method, and program
EP3622402A1 (en) Real time detection of cyber threats using behavioral analytics
US10929258B1 (en) Method and system for model-based event-driven anomalous behavior detection
Nguyen et al. Detecting repackaged android applications using perceptual hashing
CN113434861B (en) WebShell detection method and system
CN111222181B (en) AI model supervision method, system, server and storage medium
KR102000133B1 (en) Apparatus and method for detecting malicious code based on collecting event information
KR102386330B1 (en) Apparutus and method for analyzing user process based on standard process
CN114218561A (en) Weak password detection method, terminal equipment and storage medium
US12105809B2 (en) Non-intrusive method of detecting security flaws of a computer program
CN109214179B (en) Program module security detection method and device
WO2017028459A1 (en) Program monitoring method and apparatus
CN114095238A (en) Attack early warning system and method for mobile terminal application program
Iqbal et al. Forensic investigation of small-scale digital devices: a futuristic view
CN113065168A (en) Method, device and storage medium for storing and verifying authenticity of video data
KR102145289B1 (en) Ransomware dectection appartus and operating method thereof
CN108229968B (en) Credit investigation data acquisition system and method
Schlegel et al. A framework for incident response in industrial control systems
US20240184887A1 (en) Activity trace extraction device, activity trace extraction method, and activity trace extraction program
CN113672927A (en) Method and system for detecting malicious agent software
JPWO2020170345A1 (en) History output device, control method, and program
CN108880785A (en) A kind of detection C++ void table is by the method, apparatus, terminal and readable medium of hook
Patil et al. Impact of PCA Feature Extraction Method used in Malware Detection for Security Enhancement
US20240348623A1 (en) Unauthorized Activity Detection Based on User Agent String

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP03 Change of name, title or address

Address after: 311100 Rooms 103-27, Building 19, No. 1399 Liangmu Road, Cangqian Street, Yuhang District, Hangzhou City, Zhejiang Province

Patentee after: Hangzhou Meichuang Technology Co.,Ltd.

Address before: 310013 floor 12, building 7, Tianxing International Center, No. 508, Fengtan Road, Gongshu District, Hangzhou, Zhejiang Province

Patentee before: HANGZHOU MEICHUANG TECHNOLOGY CO.,LTD.

CP03 Change of name, title or address