
A method for remote and accurate identification of webshell backdoors

A technique for precise backdoor identification, classified under retrieving web data using information identifiers, network data indexing, instruments, etc. It addresses the problems of having to deploy traffic audit systems, of WebShell deformation or obfuscation, and of detection being impossible to implement, thereby enriching inspection methods and improving the detection rate.

Active Publication Date: 2022-02-11
HANGZHOU ANHENG INFORMATION TECH CO LTD

AI Technical Summary

Problems solved by technology

[0006] (1) All of them must be deployed in the network environment of the target website (for example local deployment, or monitoring and analysis of traffic), which cannot be done if the network system of the target website cannot be accessed;
[0007] (2) WebShells are mostly written in dynamic languages, which are very easy to deform or obfuscate. In addition, some web server interfaces, such as CGI or Java Servlet, can run compiled binary programs, so local source code audits have difficulty detecting them and are prone to false reports;
[0008] (3) If the WebShell backdoor was implanted before the traffic monitoring device was deployed and the hacker has not operated the WebShell for a long time, no traffic behavior is generated and nothing can be detected;
[0009] (4) All of them are local inspections. After the implementation of the Cyber Security Law, when regulatory agencies, public security, and Internet Information Offices conduct network-wide inspections, they cannot obtain the source code of the target website or deploy a traffic audit system on the target network, so they cannot discover WebShell backdoors remotely.


Examples


Embodiment Construction

[0030] The present invention will be described in further detail below in conjunction with the examples, but the protection scope of the present invention is not limited thereto.

[0031] The invention relates to a method for remote and accurate identification of WebShell backdoors. A crawler crawls all web page resources on the target website; these are matched site-wide against a dictionary of common WebShell backdoor paths, and a WebShell backdoor rule library is used to match whether a backdoor exists, so that WebShell backdoors are accurately identified by remote means.

[0032] The method includes the following steps.

[0033] Step 1: Obtain the file paths of all WebShells existing in the website to be detected.

[0034] In step 1, the file path includes URL links of any web page, links in attachments and/or directory listings.

[0035] In the present invention, the crawler function is used to crawl the file path of the WebShell that may exist in the website. I...


Abstract

The invention relates to a method for remote and accurate identification of WebShell backdoors. It obtains the file paths of all WebShells existing in the website to be detected, then completes them with standard dictionaries and checks them. If a path is a WebShell backdoor, an alarm is given; otherwise the path is added to a suspicious list and its login is guessed, one path at a time. If a login succeeds, the path is a WebShell backdoor and an alarm is issued; otherwise the current path is discarded and filtered out. The invention uses a crawler to crawl all web page resources on the target website, matches them site-wide against common WebShell backdoor paths, and matches them against a WebShell backdoor rule library to determine whether a backdoor exists, so that WebShell backdoors are accurately identified by remote means. Suspected WebShells are identified by brute-force login guessing, and multi-dimensional feature matching identifies WebShell backdoors accurately, which enriches web page backdoor inspection methods and increases the detection rate of WebShell backdoors.
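The matching stages of the flow in the abstract, as an added example that is not code from the patent: crawled paths are checked against a path dictionary and response bodies against a rule library, using constructed crawl output so it runs offline. The dictionary entries, rules, bucket names and the `site.example` host are assumptions, since the page lists none of them; the login identification applied to the suspicious list is not modelled.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins: the page names a path dictionary and a rule library
# but does not list their contents.
PATH_DICTIONARY = {"shell.php", "cmd.jsp", "up.asp"}
RULE_LIBRARY = {
    "password prompt": re.compile(r"<input[^>]*type=['\"]?password", re.I),
    "command input box": re.compile(r"<input[^>]*name=['\"]?(cmd|command)\b", re.I),
}
DYNAMIC_EXT = (".php", ".asp", ".aspx", ".jsp", ".cgi")


def crawled_name(url):
    """Lower-cased file name of a crawled URL, ignoring query and fragment."""
    return urlsplit(url).path.rsplit("/", 1)[-1].lower()


def triage(pages):
    """Sort crawled {url: body} pairs into alarm / suspicious / unmatched."""
    result = {"alarm": [], "suspicious": [], "unmatched": []}
    for url, body in sorted(pages.items()):
        name = crawled_name(url)
        path_hit = name in PATH_DICTIONARY
        rule_hits = [label for label, rx in RULE_LIBRARY.items() if rx.search(body)]
        if path_hit and rule_hits:
            # Known backdoor path and a rule-library match: report directly.
            result["alarm"].append((url, rule_hits))
        elif name.endswith(DYNAMIC_EXT) and (path_hit or rule_hits):
            # Only one signal on a dynamic script: needs further identification.
            result["suspicious"].append((url, rule_hits))
        else:
            result["unmatched"].append((url, rule_hits))
    return result


# Constructed crawl output for a placeholder host (no network access needed).
SAMPLE_PAGES = {
    "https://site.example/index.php": "<h1>Welcome</h1>",
    "https://site.example/uploads/shell.php?x=1": "<form><input type='password' name='p'></form>",
    "https://site.example/admin/login.php": "<input type=\"password\" name=\"pw\">",
    "https://site.example/img/cmd.jsp": "",
    "https://site.example/static/logo.png": "",
}

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_PAGES).items():
        print(bucket, items)
```

The legitimate `login.php` page lands in the suspicious bucket on a rule match alone, which is why a single signal is not treated as an alarm.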

Description

Technical field

[0001] The present invention relates to the transmission of digital information, such as the technical field of telegram communication, and in particular to a method for remotely and accurately identifying WebShell backdoors.

Background technique

[0002] A WebShell is a kind of web backdoor. It usually exists as a command execution environment in the form of web files such as ASP, PHP, JSP, or CGI, and is a script attack tool that hackers use to intrude into web servers and obtain, to some extent, the authority to operate the server. Because WebShells mostly appear in the form of dynamic scripts, some people call them website backdoor tools.

[0003] After a hacker invades a website and obtains permission, he usually mixes backdoor files such as ASP and PHP with the normal web page files in the web directory of the website server, and then accesses these backdoor files through a browser to get a command execution environment, and then achie...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/56, G06F16/951, G06F16/955
CPC: G06F21/563, G06F16/951, G06F16/9566
Inventor: 金海俊, 范渊
Owner: HANGZHOU ANHENG INFORMATION TECH CO LTD