Operation and Maintenance Bible: Webshell Emergency Response Guide

Table of contents

Introduction to Webshell

Webshell detection method

Webshell Emergency Response Guide

1. Webshell troubleshooting

2. Determining the time of intrusion

3. Web log analysis

4. Vulnerability Analysis

5. Vulnerability recurrence

6. Clear the Webshell and fix the vulnerability

7. Webshell defense method


Introduction to Webshell

A Webshell is a server-side executable file that exists in the form of a web script (JSP, ASP, PHP, etc.). It generally provides file operation and command execution functions, which makes it a web backdoor. After breaking into a website, the attacker usually mixes the Webshell backdoor file in with the normal web page files in the web directory of the server, then connects to it with a browser or a dedicated client to obtain a command environment on the server and so take control of the web server.

Webshell detection method

Traffic-based Webshell detection

Traffic-based Webshell detection is easy to deploy: the original requests can be analyzed directly through traffic mirroring. Analysis based on payload behavior can detect not only known webshells but also unknown and disguised ones. Correlating access characteristics (IP/UA/Cookie), payload characteristics, path characteristics and timing characteristics of webshell traffic, with time as the index, makes it possible to reconstruct the attack event.

File-based webshell detection

Check whether a file is encoded or obfuscated, build a hash library of known Webshell samples against which suspicious files can be compared, and examine each file's creation time, modification time and permissions to confirm whether it is a Webshell.

Log-based Webshell detection

Analyzing the various common logs can effectively identify the behavior that uploaded the Webshell. Through comprehensive analysis, the entire attack process can be traced back.

Webshell Emergency Response Guide

How to judge whether a webshell has been implanted?

  1. The web page has been tampered with, or content that the administrator did not set is found on the website;
  2. The attacker has maliciously tampered with web pages, or hidden (dark) links have been implanted into web pages;
  3. A security device raises an alert, or a higher-level department notifies you that a webshell has been found, etc.

1. Webshell troubleshooting

Use a Webshell scanning tool (such as D-Shield) to scan the application deployment directory, for example the website's D:\WWW\ directory, or compare the current website directory with a previous backup to check for newly added or inconsistent content. Determine whether the differences contain Webshell code, and note the location and creation time of the Webshell. Then open the suspicious file in a text editor for further analysis of its content.
On Linux, you can also use the following commands:

# Search the web files matching the current application under the directory and check the content for Webshell characteristics
find ./ -type f -name "*.jsp" | xargs grep "exec("
find ./ -type f -name "*.php" | xargs grep "eval("
find ./ -type f -name "*.asp" | xargs grep "execute("
find ./ -type f -name "*.aspx" | xargs grep "eval("

# For Webshells written to evade detection, check whether encoding is used
find ./ -type f -name "*.php" | xargs grep "base64_decode"
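The following script is an added example, not part of the original post: it runs the same extension/keyword search as the commands above over a web root, records each hit's modification time so the output feeds directly into step 2 (locating the intrusion time), and exercises itself on a constructed sample tree. It assumes a POSIX sh with find, grep and GNU or BSD stat; the sample files are inert stand-ins that only contain the searched-for substrings.

```shell
#!/bin/sh
# Added example (not from the original post): scan a web root for the same
# signatures the post greps for, and record each hit's modification time so
# the result feeds straight into step 2 (locating the intrusion time).
# Assumes POSIX sh with find, grep and GNU or BSD stat.

# scan_webshell_candidates <webroot>
# Prints one line per suspicious file: "mtime<TAB>path<TAB>pattern", oldest first.
scan_webshell_candidates() {
    webroot="$1"
    # extension:pattern pairs taken from the post's find/grep commands
    for pair in 'jsp:exec(' 'php:eval(' 'php:base64_decode' 'asp:execute(' 'aspx:eval('; do
        ext="${pair%%:*}"
        pat="${pair#*:}"
        # -type f needs its dash (the post's "type f" is a typo); -F matches the
        # parenthesis literally; -l prints only the file name
        find "$webroot" -type f -name "*.$ext" -exec grep -l -F -- "$pat" '{}' + 2>/dev/null |
        while IFS= read -r f; do
            mtime=$(stat -c '%y' "$f" 2>/dev/null || stat -f '%Sm' "$f")
            printf '%s\t%s\t%s\n' "$mtime" "$f" "$pat"
        done
    done | sort
}

# make_sample_webroot <dir>: constructed sample tree for a dry run; the file
# contents are inert stand-ins that only carry the searched-for substrings.
make_sample_webroot() {
    mkdir -p "$1/upload" "$1/inc"
    printf '<?php echo "hello"; ?>\n'            > "$1/index.php"      # benign
    printf '<?php eval($x); ?>\n'                > "$1/upload/x.php"   # matches eval(
    printf '<?php $c = base64_decode($d); ?>\n'  > "$1/inc/cfg.php"    # matches base64_decode
    printf '<%% exec(c) %%>\n'                   > "$1/cmd.jsp"        # matches exec(
    printf '<%% Response.Write("hi") %%>\n'      > "$1/a.asp"          # benign
}

# Stand-alone run on the constructed tree
d=$(mktemp -d)
make_sample_webroot "$d"
scan_webshell_candidates "$d"
rm -rf "$d"
```

A keyword match is only a candidate; legitimate code also calls eval() or base64_decode(), so each hit still needs the manual review the post describes.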

2. Determining the time of intrusion

Combine the time at which the abnormal phenomenon appeared with the creation time of the Webshell file in the website directory to roughly locate the time window in which the event occurred. Follow-up traceability analysis is then based on this window to reconstruct the attacker's activity path.

3. Web log analysis

The web logs must be analyzed to find the attack path and the cause of the compromise. The default log locations of common web middleware are listed below:

Windows

Apache
apache\logs\error.log
apache\logs\access.log

IIS
C:\inetpub\logs\LogFiles
C:\WINDOWS\system32\LogFiles

Tomcat
tomcat\access_log

Linux

Apache
/etc/httpd/logs/access_log
/var/log/httpd/access_log

Nginx
/usr/local/nginx/logs

When checking Linux logs, the following common log retrieval commands make log searching and traceability analysis easier.

Locate a specific IP address or file name

find . -name "access_log" | xargs grep "IP_ADDRESS"
find . -name "access_log" | xargs grep "FILENAME"

View the top 10 IP addresses by number of page visits

cat access.log | cut -f1 -d " " | sort | uniq -c | sort -rn | head -10

View the top 10 URL addresses by number of page visits (in the common log format the request path is field 7, not field 4, which is the timestamp)

cat access.log | cut -f7 -d " " | sort | uniq -c | sort -rn | head -10

4. Vulnerability Analysis

Using the problems found in the log analysis and the attacker's activity path, locate the vulnerabilities in the website and analyze them.

5. Vulnerability recurrence

Reproduce the attacker's attack path to confirm the vulnerability.

6. Clear the Webshell and fix the vulnerability

  1. When handling the incident, first disconnect the server from the network, then clean up the Webshells that were found
  2. If hidden links were inserted into the website or the home page was tampered with, delete the tampered content and audit the source code to ensure that nothing malicious was added to it
  3. After checking the system, promptly clean up any hidden backdoors and other changes made by the attacker; if a rootkit backdoor is present, reinstalling the system is recommended
  4. Fix the exploited weaknesses found during the investigation and, if necessary, conduct black-box penetration testing to fully uncover application vulnerabilities
  5. After the above steps are complete, bring the website back into operation

7. Webshell defense method

  1. Configure the necessary firewalls and enable firewall policies so that unnecessary services are not exposed and do not give attackers something to exploit
  2. Harden the server: for example, turn off remote desktop, change passwords regularly, do not run programs as the highest-privilege user, use HTTPS, etc.
  3. Strengthen permission management: set permissions on sensitive directories, restrict script execution in upload directories, and never grant execute permission to them
  4. Install a Webshell detection tool, and immediately isolate and remove any suspicious Webshell traces reported by it, then investigate the vulnerability that allowed it
  5. Check the program for vulnerabilities and fix them promptly
  6. Regularly back up important data such as databases so that a compromised system can be rebuilt and reinstalled
  7. Keep up daily maintenance and watch for executable script files of unknown origin on the server
  8. Use a whitelist mechanism for file uploads, reject anything not on the whitelist, and give the upload directory permissions following the principle of least privilege

Origin blog.csdn.net/qq_61553520/article/details/131208576