Device and method for detecting webpage Trojan horse in server, and storage medium

Abstract

The invention provides a device and a method for detecting a webpage Trojan horse in a server and a storage medium, and relates to the technical field of network information security. The device comprises a file content obtaining module used for obtaining the file content of a newly added/modified file of a current server in a cluster; a suspicious file identification module which is used for identifying whether the newly added/modified file is a suspicious file according to the file content of the newly added/modified file; an instruction issuing module which is used for issuing a cluster instruction to other servers except the current server in the cluster so as to indicate the other servers to check whether the other servers have the same files as the suspicious files; and a Trojan identification module which is used for identifying the suspicious file as a Trojan file when the ratio of the number of the servers with the same file as the suspicious file to the total number of the servers in the cluster is smaller than a set threshold. According to the device, various webpage Trojans can be quickly and accurately identified under the condition of ensuring normal service operationof the server.

Description

technical field [0001] The invention relates to the technical field of network information security, in particular to a device, method and storage medium for detecting a web page Trojan horse in a server. Background technique [0002] As a script type Trojan horse, webpage Trojan horse generally exists on the website server, and is one of the important means to break through the boundary of the internal and external network, causing great harm. Once the webpage Trojan horse breaks through the boundary, it will quickly plant a back door in the relatively weak intranet, leaving long-term hidden dangers, especially in various levels of offensive and defensive drills and real network warfare, which will lead to the fall of the core system of the intranet. [0003] Existing detection methods for webpage Trojans mainly include: the host agent method, which consumes a large amount of CPU and memory during detection, and even seizes the service resources of the server to cause produ...

AI Technical Summary

Problems solved by technology

Once the webpage Trojan horse breaks through the boundary, it will quickly plant a back door in the relatively weak intranet, leaving long-term hidden dangers, especially in various levels of offensive and defensive drills and real network warfare, which will lead to the fall of the core system of the intranet

[0003] Existing detection methods for webpage Trojans mainly include: the host agent method, which consumes a large amount of CPU and memory during detection, and even seizes the service resources of the server to cause production events; the signature identification method, which completely depends on the server The local signature library cannot identify variant webpage Trojans in a timely manner, and consumes a lot of server computing resources during feature calculation and matching; the full-scale scanning and killing method requires traversing all files on the server for each scanning and killing, which takes a long time and cannot Recognizing webpage Trojan horses in a relatively short period of time also requires a large amount of server computing resources; the method of timing detection and killing also needs to scan a large number of files. In order to avoid affecting the normal operation of production business, usually only during non-business peaks Timed scanning and killing can be performed from time to time, but real-time scanning and killing cannot be performed.

[0004] The above web page Trojan detection method needs to occupy a large amount of server resources during detection, which affects the normal production and business operation of the server itself, and cannot be quickly and effectively detected and killed on the premise of ensuring that the server provides normal services

Moreover, the existing detection method is usually to check and kill each server separately, and each server often repeatedly identifies the same Trojan file, resulting in waste of resources

Images