2025-01-31 Update From: SLTechnology News&Howtos (shulou) > Network Security
Shulou (Shulou.com) 05/31 Report
This article explains in detail the traffic characteristics of common WebShell clients and the ideas behind detecting them. The editor finds it very practical and shares it for reference; I hope you gain something from reading it.
01 Overview
Before we begin, what is a WebShell client? Let me first ask a question: what is the client and what is the server?
Very simply, the server provides the service and the client is the party that is served. Back to our scenario: if a backdoor has been planted, the program used to connect to that backdoor is the party being served. For example, it runs ps in order to get the process list of the host where the backdoor sits; it is "served", so it is called the client. This article introduces a series of traffic-monitoring techniques for WebShell clients.
A WebShell client is the program that communicates between the WebShell backdoor on the server and the attacker's machine. We can usually judge whether a WebShell backdoor exists on a server from the WebShell client's traffic.
Several kinds of WebShell clients are commonly used at home and abroad:
Chinese kitchen knife (China Chopper, the most widely used WebShell client)
Ant Sword (AntSword, a commonly used WebShell client)
Ice Scorpion (Behinder, a client with encrypted traffic)
Cknife (C knife, written in Java)
Weevely (the "Chinese kitchen knife" of Kali)
The traffic characteristics of each are introduced in turn below.
02 Chinese kitchen knife (Chopper)
The Chinese kitchen knife has been updated many times since it first appeared, and each update has improved both its functionality and its stealth. Three mainstream versions are in use today: the 2011, 2014 and 2016 versions. From 2011 to 2014 the functionality was enhanced; from 2014 to 2016 the stealth was enhanced, and the 2016 version adds obfuscation to its traffic, making the connection traffic harder to recognize.
The Chinese kitchen knife supports connecting to three kinds of WebShell: PHP, JSP and ASP. The traffic for these three languages differs, and it also differs between versions, so the analysis below is organized by version and language. The traffic characteristics of the 2011 and 2014 versions are basically the same, so they are analyzed together.
Traffic characteristics of WebShell connections in different languages, Chinese kitchen knife versions 2011 and 2014
(1) PHP WebShell connection traffic
The features are mainly in the request body. After URL decoding, the body has the following three feature points:
First: "eval". The eval function executes the attack payload that is passed in, and it is essential.
Second: (base64_decode($_POST[z0])). This Base64-decodes the attack payload, because the kitchen knife Base64-encodes the payload by default to avoid detection.
Third: &z0=QGluaV9zZXQ... This is the attack payload being passed. The parameter z0 corresponds to the data received by $_POST[z0]; its value is Base64-encoded, so Base64-decoding it reveals the attack plaintext.
Note:
1. Occasionally the eval method is replaced by the assert method.
2. $_POST may also be replaced by $_GET or $_REQUEST.
3. z0 is the kitchen knife's default parameter name, and it may be changed to another name.
(2) JSP WebShell connection traffic:
This is the first request of a WebShell connection, and its main characteristic is i=A&z0=GB2312. When the kitchen knife connects to a JSP Trojan, the first parameter defines the operation and its value lies in the range A to Q, for example i=A; the second parameter specifies the encoding, for example z0=GB2312. Sometimes z0 is followed by a z1= parameter that carries the attack payload.
Note: the parameter names i, z0 and z1 may change, but the parameter values and this form do not. Most importantly, the first parameter's value always lies in the range A to Q; this does not change.
(3) ASP WebShell connection traffic:
After URL decoding, the body traffic has the following three feature points:
First: "Execute". The Execute function executes the passed attack payload and is essential; it is the equivalent of eval in the PHP case.
Second: On Error Resume Next. This appears in the traffic of most ASP clients and ensures that the following code keeps executing regardless of any earlier errors.
Third: Response.Write and Response.End, which are needed to complete the whole operation.
Detection of this traffic relies mainly on these characteristics, which basically do not occur in normal traffic.
Note: the On Error Resume Next feature is present in most of this traffic and absent only in very few cases.
Traffic characteristics of WebShell connections in different languages, Chinese kitchen knife version 2016
PHP WebShell connection traffic
The features are mainly in the request body.
The biggest change in this version's traffic is that the features are split up and obfuscated, which itself gives us a way to identify them.
There are three feature points:
First: "Ba"."SE6"."4_dEc"."OdE". This is base64_decode broken into concatenated string fragments.
Second: @ev"."al. This is @eval broken up in the same way, and this code can be used for identification.
Third: QGluaV9zZXQoImRpc3BsYXlf... This is the attack payload being passed. The payload is still Base64-encoded, so Base64-decoding it reveals the attack plaintext for identification.
Note: 1. Occasionally the eval method is replaced by the assert method.
JSP WebShell connection traffic:
The JSP WebShell traffic in this version is the same as in the previous versions, so the analysis is as above: this is the first request of a WebShell connection, and its main characteristic is i=A&z0=GB2312. When the kitchen knife connects to a JSP Trojan, the first parameter defines the operation and its value lies in the range A to Q, for example i=A; the second parameter specifies the encoding, for example z0=GB2312. Sometimes z1= and z2= parameters follow z0 to carry the attack payload.
Note: the parameter names i, z0 and z1 may change, but the parameter values and this form do not. Most importantly, the first parameter's value always lies in the range A to Q; this does not change.
ASP WebShell connection traffic:
In the request body, the biggest change in the 2016 version's connection traffic is that some characters are obfuscated with Unicode (%u) encoding. To match this obfuscation, a pattern such as "character + %u0000 + character + %u0000" (a %uXXXX escape between plaintext characters) must be extracted from the traffic.
Alternatively, Unicode-decode this part of the body directly; the result is the same traffic seen in the 2011 and 2014 ASP versions, which can then be judged by the characteristics given in the previous section.
Detection of this traffic relies mainly on these characteristics, which basically do not occur in normal traffic.
03 Chinese ant sword (AntSword)
Much of AntSword's code comes from the Chinese kitchen knife, so its connection traffic is very similar to the kitchen knife's, but AntSword is extensible and supports encryption, obfuscation and other bypass processing. By default AntSword supports ASP and PHP WebShell connections.
AntSword PHP WebShell connection traffic
The most obvious feature of the URL-decoded body is @ini_set("display_errors", "0"). This code appears in the PHP WebShell connection traffic of basically all WebShell clients, but some clients encode or encrypt it, whereas AntSword sends it in plaintext, so it is easier to find.
AntSword ASP WebShell connection traffic
After URL decoding the body, we can see that AntSword's ASP WebShell traffic is very similar to the kitchen knife's and shares the same features: On Error Resume Next, Response.End, Response.Write. The difference is that Execute is split and obfuscated in AntSword into the spliced form Ex"&cHr(101)&"cute. The eval parameter also appears in this traffic, and these can be regarded as obvious characteristics.
AntSword bypass traffic characteristics
Because AntSword has many encryption and bypass plug-ins, much of its traffic cannot be identified once it has been encrypted. However, there is another obvious feature after AntSword obfuscates and encrypts: most parameter names take the form "_0x...=" (the underscore may be replaced by another character).
Therefore a parameter name beginning with _0x, followed by encrypted data, can also be identified as an AntSword traffic characteristic.
04 Ice Scorpion
Ice Scorpion (Behinder) is a WebShell client that appeared in recent years. Its biggest feature is that the traffic is encrypted, with the encryption key set by the user. On the other hand, the client has strict requirements for the WebShell and cannot connect to an ordinary one-line Trojan. To sum up, this client's traffic cannot be detected.
05 Cknife
The characteristic of Cknife traffic is that all parameter values in the body are Base64-encoded. After Base64 decoding, the traffic characteristics are the same as those of the Chinese kitchen knife, so they are not analyzed separately.
06 Weevely
Weevely is a powerful WebShell client in Kali. The client first generates the WebShell itself; after the WebShell is uploaded to the target server, Weevely connects to it. The connection traffic is encrypted, but characteristics can still be found in the traffic to distinguish it.
The attack payload in this traffic lives in the Referer header. The query string of the php path in the Referer carries the following parameter names or values: sa=, source=web, cd=number, url=, ei=. These can be used to determine that the traffic is client traffic.
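As an added example (not from the article), Python checks for the two parameter-level markers described above: AntSword's "_0x...=" parameter names carrying opaque encrypted values, and Weevely's search-engine-style Referer carrying sa=, source=web, cd=number, url= and ei=. The 16-character minimum for an opaque value, the threshold of 4 markers, and the sample body and Referer are all assumptions constructed for this example.

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

# AntSword: parameter names of the form "_0x...=" (the leading character can vary), values are ciphertext.
ANTSWORD_NAME = re.compile(r"^[^0-9A-Za-z]?0x[0-9a-fA-F]+$")
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")  # 16-char minimum is an assumption for this example

def antsword_encrypted_params(body: str) -> list:
    """Return the _0x-style parameter names whose values look like opaque encrypted blobs."""
    return [name for name, values in parse_qs(body, keep_blank_values=True).items()
            if ANTSWORD_NAME.match(name) and values and all(OPAQUE_VALUE.match(v) for v in values)]

# Weevely: the Referer imitates a search-engine URL; the article lists these markers.
def weevely_referer_markers(referer: str) -> list:
    """List which of the article's Weevely Referer markers are present in one header value."""
    q = parse_qs(urlsplit(referer).query, keep_blank_values=True)
    markers = [k for k in ("sa", "url", "ei") if k in q]
    if q.get("source") == ["web"]:
        markers.append("source=web")
    if q.get("cd") and q["cd"][0].isdigit():
        markers.append("cd=number")
    if any(urlsplit(u).path.endswith(".php") for u in q.get("url", [])):
        markers.append("url->php")  # the url= value points at a .php page
    return markers

def is_weevely_referer(referer: str, threshold: int = 4) -> bool:
    """Threshold of 4 of the 6 markers is an assumption for this example, not from the article."""
    return len(weevely_referer_markers(referer)) >= threshold

# Constructed samples (not captured traffic).
_BLOB = quote(base64.b64encode(bytes(range(48))).decode())  # stand-in for AntSword ciphertext
SAMPLE_ANTSWORD_BODY = "_0x3f2a=" + _BLOB + "&_0x1b=" + _BLOB + "&id=7"
SAMPLE_WEEVELY_REFERER = ("http://search.example/url?sa=t&source=web&cd=3"
                          "&url=http%3A%2F%2Fexample.org%2Fagent.php&ei=AbCdEf")
SAMPLE_BENIGN_REFERER = "http://example.org/search?q=report&page=2"
```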
This concludes the article on "what are the traffic characteristics and detection ideas of common WebShell clients?". I hope the content above is helpful and lets you learn more; if you think the article is good, please share it so more people can see it.