Shulou(Shulou.com)06/01 Report--

Received a text message from Aliyun reminding that there is a backdoor on the website, webshell malicious communication behavior, urgent security situation, I immediately logged in Aliyun to check the details, click on Cloud Shield dynamic perception, to view the detailed path of the website Trojan and the characteristics of webshell, the site has never seen this situation, a face confused, helpless to ask du Niang, Baidu searched what is webshell, in order to solve this problem I made a lot of efforts, and finally understood and solved the problem of Ali Yun prompting the back door of the website, and recorded my process of solving the problem.

First of all, we need to know what is the back door of the website? (also called webshell)

The website backdoor is a website Trojan that is implanted into the website directory and in the server path. It mainly uses the scripting language of the website code to run through the backdoor, such as the script file format of the asp,aspx,php,jsp language, which can be run through the backdoor in the website. A lot of powerful webshell, encryption immunity is better, a lot of security software can not find out, some can be traced through the WAF website firewall, the use of website loopholes to upload the back door, can be bypassed and directly uploaded to the website directory, the server antivirus software is not aware of.

The backdoor of the website uses port 80 of the website to access, and uses the convenience of the script language to write the backdoor code. a complete backdoor usually has a code that is actively connected to the website, which can upload, download and modify the website. create a new directory, execute system commands, change file names and other administrator operations.

From the above, we can get a general idea of what is the back door of the website, so how to find it?

First of all, let's look at the modification time of the website code. in general, the time of the website code files is about the same. suddenly, several files can see from the last modification time that the date has been modified in recent days. that means that this file is likely to be implanted into the backdoor code, click on the code file to see if there is any special encrypted code in the last few lines.

The backstage of Aliyun will also show the path of the website Trojan, which can be deleted and isolated according to the display of Ariyun's backstage, but how the backdoor of the website is uploaded. It is generally because there are loopholes in the website, and the server security has not done a good job. If the website loophole is not repaired, it will continue to be uploaded to the backdoor, the website loophole repair. You can compare the version of the program system to upgrade, you can also find programmers to repair, if you write your own website familiar with it, not your own, it is recommended to find a professional website security company to deal with the problem of the back door of the website, such as Sine security, Green Alliance, Qiming Star which specializes in website security to help deal with.

In addition, we look at each code file and search for the signature that contains eval, as well as the signature of POST {}, execute (request, and so on). If the code contains it, it can basically be determined to be the back door of the website. Compare the backup of the previous website to see if there are any tampered code files, and if so, please delete the extra added code. The last way to find the back door of the website is to look at the access log of the website. If each website has a log, you can contact the server provider, and the host business requires them to provide the log of the website for the most recent period of time. Through the log, we can find some illegal visits, especially some visit addresses that we are not familiar with. Generally, attackers will visit the following self-set backdoor, through the log can find clues.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.