
How to deal with webshell files

2025-02-24 Update. From: SLTechnology News&Howtos, Servers

Shulou (Shulou.com) 05/31 Report

This article shares how to deal with webshell files. The editor finds it very practical and shares it here for learning; I hope you gain something from reading it.

In the early hours of last night, a new customer contacted us for security help, saying that a webshell Trojan file had been implanted in their website. Our SINE Security company immediately set up a security emergency response team. The customer provided their Aliyun account and password, and we logged in to Aliyun to check the details. Logging in to Cloud Shield (Yundun) showed the security alert "Website backdoor: backdoor (webshell) file found", incident level: emergency, affected asset: Aliyun ECS: ID, followed by the path of the website Trojan file: /www/wangzhan/safe/indnx.php.

Website security event description: Cloud Shield detected an abnormal process attempting to write a WEBSHELL backdoor file to disk, indicating an intrusion. If you did not perform this action yourself, delete the corresponding file promptly. Aliyun's recommended solution: check whether a WEBSHELL exists in the WWW directory and remove it in a timely manner. After seeing the Trojan path and solution given by Aliyun, we logged in to the customer's Linux server and confirmed that there was indeed an extra indnx.php file in the www directory. We downloaded the file over SFTP and opened it; it contained obfuscated (encrypted) code, as shown in the following figure:

These obfuscated characters are the webshell. So what exactly is a webshell? We at SINE Security will explain it for everyone: it is a website Trojan file, the equivalent of a Trojan virus on your computer, with functions such as modifying the website code and uploading and downloading files. A webshell is usually a script file with one of the executable extensions asa, cer, asp, aspx, php, jsp, war and so on, and can also be called the website's backdoor. After breaking into a website, the attacker uploads the webshell Trojan backdoor file to the server, often into the website's root directory, accesses the Trojan through a specific URL, and from there controls the website and tampers with it at will. To put it bluntly, your website has been hacked.

Following the Trojan file path given by Aliyun Cloud Shield (Yundun), let's open it in the browser and take a look:

The website Trojan is shown in the picture above.

You can see the root directory of the website, together with functions to upload files, view basic system information, execute MySQL commands, open reverse connections and escalate privileges, download files, scan server ports, inject malicious code into pages in batches (hang horses), rename, delete and package files, and other administrator-level operations. The functionality is far too powerful. So why did the customer's website end up with a webshell uploaded to it?

Generally speaking, the website has vulnerabilities, and attackers exploit them to upload a webshell: file upload vulnerabilities, SQL injection, XSS cross-site scripting, CSRF spoofing, remote code execution, remote file inclusion and PHP parsing vulnerabilities can all lead to a website Trojan being uploaded. We at SINE Security performed manual security testing of the customer's website code together with vulnerability scanning, a comprehensive check. We found a remote code execution vulnerability in the customer's website: the code did not fully filter illegally injected SQL parameters, and the value of the liuyan& parameter in the message (comment) field submitted by the front-end user was executed as remote code during conversion and assignment. By forging the attack statement, the attacker could insert code, cause the server to execute it, and upload a one-line Trojan backdoor.

We fixed the customer's website vulnerabilities and removed the website's Trojan backdoor: safely filter front-end user input, enforce integer casting on variable assignment, deploy website security hardening and folder permission hardening, and remove script execution permission from the picture directory and the cache file directory.

How to resolve the Aliyun alert "Backdoor (webshell) file found"

1. Forcibly delete the backdoor file at the path given by Aliyun Cloud Shield.

2. If the site uses an open-source CMS program, upgrade it to fix the vulnerabilities.

3. Fix the website's vulnerabilities: check whether vulnerabilities exist, especially upload vulnerabilities and SQL injection vulnerabilities, and strictly filter illegal parameter input.

4. Check all of the website's code for Trojan backdoor files. You can compare against a previous backup file by file, then check the files' modification times and delete the malicious ones.

5. Change the website's backend (admin) address. The default is a directory such as admin, houtai or manage; it is recommended to change it to a more complex name. Even if an attacker obtains the account password through a SQL injection vulnerability, it is useless without knowing where the backend is.

6. Deploy the website's directory permissions ("read", "write" and "execute") in a reasonable, secure way.
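Step 4 above can be scripted. The following is an added example (not from the original article or SINE Security) that compares a live web root against a known-good backup and reports files that were added, modified, or recently touched; the directory trees, file names and contents it builds are constructed sample data.

```python
"""Compare a web root against a known-good backup (step 4 above).

Added example, not from the original article. demo() builds two
constructed directory trees in a temp dir: a backup and a live copy
that contains one tampered file and one extra file (a stand-in for
the indnx.php the article describes).
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def file_index(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_webroot(backup: Path, live: Path, recent_hours: float = 48) -> dict:
    """Return files added, modified, and recently touched in live vs backup.

    'recent' lists every live file whose mtime falls within recent_hours,
    mirroring the article's advice to check modification times.
    """
    old, new = file_index(backup), file_index(live)
    cutoff = time.time() - recent_hours * 3600
    return {
        "added": sorted(set(new) - set(old)),
        "modified": sorted(p for p in new if p in old and new[p] != old[p]),
        "recent": sorted(p for p in new
                         if (live / p).stat().st_mtime >= cutoff),
    }


def demo() -> dict:
    """Constructed sample: backup vs live copy with a planted extra file."""
    tmp = Path(tempfile.mkdtemp())
    backup, live = tmp / "backup", tmp / "www"
    for root in (backup, live):
        (root / "safe").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'home'; ?>")
        (root / "safe" / "config.php").write_text("<?php $db = 'x'; ?>")
    # Live copy: one tampered file and one new file (constructed contents)
    (live / "safe" / "config.php").write_text("<?php $db = 'x'; // tampered ?>")
    (live / "safe" / "indnx.php").write_text("<?php /* constructed stand-in */ ?>")
    # Backdate the untouched file so only the planted ones look recent
    old = time.time() - 30 * 86400
    os.utime(live / "index.php", (old, old))
    return compare_webroot(backup, live)
```

Run against a real site, point `compare_webroot` at the backup and the live web root and review every "added" and "modified" entry by hand before deleting anything, since legitimate updates also show up there.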

The above is how to deal with webshell files. The editor believes it covers some knowledge points we may see or use in our daily work. I hope you learn more from this article. For more details, please follow the industry information channel.


© 2024 shulou.com SLNews company. All rights reserved.
