Method for remotely and accurately identifying WebShell back door

A technology for accurately identifying backdoors, applied in the direction of retrieving Web data using information identifiers, special data processing applications, instruments, etc. It addresses the problems of having to deploy traffic audit systems, deformation or obfuscation, and inability to detect, with the effect of enriching inspection methods and improving the detection rate.

Active Publication Date: 2020-03-24
HANGZHOU ANHENG INFORMATION TECH CO LTD

AI Technical Summary

Problems solved by technology

[0006] (1) All of them need to be deployed in the network environment of the target website, for example deployed locally or monitoring and analysing the traffic, which cannot be done if the network system of the target website cannot be accessed;
[0007] (2) WebShells are mostly written in dynamic languages, which are very easy to deform or obfuscate. In addition, some web server interfaces, such as CGI or Java Servlet, can run compiled binary programs, so local source code auditing has difficulty detecting them and is prone to false reports;
[0008] (3) If the WebShell backdoor was implanted before the traffic monitoring device was deployed and the hacker has not operated the WebShell for a long time, no traffic behavior is generated and nothing can be detected;
[0009] (4) All of them are local inspections. After the implementation of the Cyber Security Law, when regulatory agencies, public security, and Internet Information Offices conduct network-wide inspections, they cannot obtain the source code of the target website or deploy a traffic audit system on the target network, so they cannot discover WebShell backdoors remotely.

Examples


Embodiment Construction

[0030] The present invention will be described in further detail below in conjunction with the examples, but the protection scope of the present invention is not limited thereto.

[0031] The invention relates to a method for remotely and accurately identifying WebShell backdoors. A crawler crawls the target website to obtain all webpage resources, which are matched site-wide against a dictionary of common WebShell backdoor paths; a WebShell backdoor rule library is used to determine whether a backdoor exists, so that WebShell backdoors are accurately identified by remote means.

[0032] The method includes the following steps.

[0033] Step 1: Obtain the file paths of all WebShells existing in the website to be detected.

[0034] In step 1, the file paths include URL links on any webpage, links in attachments and/or directory listings.

[0035] In the present invention, the crawler function is used to crawl the file path of the WebShell that may exist in the website. I...


Abstract

The invention relates to a method for remotely and accurately identifying a WebShell backdoor. The method includes the steps of: obtaining the file paths of all WebShells existing in the website to be detected; complementing them with the standard dictionary and running detection; if the current path is a WebShell backdoor, raising an alarm directly; otherwise, placing it on a suspicious list and attempting guessed logins one after another; if a login succeeds, judging the current path to be a WebShell backdoor and raising an alarm; otherwise, discarding and filtering out the current path. The method crawls the target website to obtain all webpage resources, matches them site-wide against common WebShell backdoor paths, determines whether a backdoor exists by matching against a WebShell backdoor rule base, accurately identifies WebShell backdoors remotely, identifies suspected WebShells by brute-force guessed logins, accurately identifies WebShell backdoors through multi-dimensional feature matching, enriches the methods for checking webpage backdoors, and increases the WebShell backdoor detection rate.
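The decision flow in this abstract, written out as an added example (not code from the patent or its owner) and run offline over constructed data. `PATH_DICTIONARY`, `RULE_BASE`, the `fetch` and `login_probe` callables and the sample site are hypothetical; the login check is a stub with a constructed outcome, and discarding paths that do not return 200 is an assumption the page does not state.

```python
import re
from urllib.parse import urljoin

# Constructed stand-ins: the page names a path dictionary and a rule base
# but does not list their contents.
PATH_DICTIONARY = ["/uploads/shell.php", "/images/cmd.jsp"]
RULE_BASE = [re.compile(r"constructed-backdoor-banner", re.I)]

def candidate_urls(base, crawled_paths, dictionary=PATH_DICTIONARY):
    """Crawled paths complemented with dictionary paths, de-duplicated in order."""
    urls = [urljoin(base, p) for p in list(crawled_paths) + list(dictionary)]
    return list(dict.fromkeys(urls))

def triage(urls, fetch, login_probe, rules=RULE_BASE):
    """Map each URL to 'alarm:rule', 'alarm:login' or 'discard'.

    fetch(url) -> (status, body) and login_probe(url) -> bool are hypothetical
    caller-supplied callables, so the decision flow runs offline.
    """
    verdicts, suspicious = {}, []
    for url in urls:
        status, body = fetch(url)
        if status != 200:                       # assumption: unserved paths are dropped
            verdicts[url] = "discard"
        elif any(r.search(body) for r in rules):
            verdicts[url] = "alarm:rule"        # rule-base hit: alarm directly
        else:
            suspicious.append(url)              # no hit: goes on the suspicious list
    for url in suspicious:                      # second pass over the suspicious list
        verdicts[url] = "alarm:login" if login_probe(url) else "discard"
    return verdicts

# Constructed responses for a fictional site; nothing is fetched over the network.
SAMPLE_SITE = {
    "https://site.example/index.html": (200, "<h1>Welcome</h1>"),
    "https://site.example/uploads/shell.php": (200, "Constructed-Backdoor-Banner v1"),
    "https://site.example/admin/x.php": (200, "<form><input type='password'></form>"),
}

def demo():
    urls = candidate_urls("https://site.example/", ["/index.html", "/admin/x.php"])
    fetch = lambda u: SAMPLE_SITE.get(u, (404, ""))
    probe = lambda u: u.endswith("/admin/x.php")   # constructed login outcome
    return triage(urls, fetch, probe)

if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict:12} {url}")
```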

Description

Technical field

[0001] The present invention relates to the transmission of digital information, such as the technical field of telegram communication, and in particular to a method for remotely and accurately identifying WebShell backdoors.

Background technique

[0002] A WebShell is a kind of web backdoor. It usually exists as a command execution environment in the form of web files such as ASP, PHP, JSP, or CGI. It is a script attack tool that hackers use to intrude into web servers and obtain some degree of authority to operate the server. Because WebShells mostly appear in the form of dynamic scripts, some people also call them website backdoor tools.

[0003] After a hacker invades a website and obtains permission, he usually mixes backdoor files such as ASP and PHP with the normal webpage files in the web directory of the website server, and then accesses these backdoor files through a browser to obtain a command execution environment, and then achie...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56, G06F16/951, G06F16/955
CPC: G06F21/563, G06F16/951, G06F16/9566
Inventor: 金海俊, 范渊
Owner: HANGZHOU ANHENG INFORMATION TECH CO LTD