Shulou(Shulou.com)05/31 Report--

Many novices are not very clear about how to find the hidden back door in emergency response. in order to help you solve this problem, the following editor will explain it in detail. People with this need can come and learn. I hope you can get something.

How to find hidden backdoors in millions of lines of code

Just imagine, if your website is hacked and the attacker leaves a hidden back door, can you really find it? In the face of a large and medium-sized application system, with millions of lines of code, it is impossible to manually check every piece of code in every file.

Even if it is a detection engine with 99.9% Webshell detection rate, it is still possible for Webshell to bypass. In addition, common black hat SEO techniques such as dark chain, web page hijacking and page jump are also difficult to identify by manual detection or tool detection.

The best way is to do file integrity verification. By comparing with the original code, we can quickly find out whether the file has been tampered with and where it has been tampered with. Of course, the first premise is that your team already has the ability of code version management, if you are a personal webmaster, I believe you have backed up the original code.

1. File MD5 check

When downloading the D Shield _ Web kill tool, we can notice that in addition to an exe executable file, there is also a file MD5 value in the downloaded package. This is the software author in the release of the software, through the md5 algorithm to calculate the "eigenvalues" of the exe file.

Download address: http://www.d99net.net/down/WebShellKill_V2.0.9.zip file MD5:29285decadbce3918a4f8429ec33df46 WebShellKill.exe

When users download the software, they can use the same check algorithm to calculate the eigenvalues downloaded to the exe file and compare them with the eigenvalues released by the software developer. If the two eigenvalues are the same, the downloaded exe file is considered correct. If the two eigenvalues are different, the download to the exe file is considered to have been tampered with.

In the same way, we can save the hash value of all website files once, recalculate the hash value in case of emergency, and compare it with the last saved hash value, so as to output a list of newly created, modified and deleted files.

File hash value calculation:

Def md5sum (file): m=hashlib.md5 () if os.path.isfile (file): f=open (file,'rb') for line in f:m.update (line) f.closeelse:m.update (file) return (m.hexdigest ())

Recalculate the hash value of the file, check and compare it, and test the effect:

As shown above, a new evil.php file has been added to the upload directory, and another tampered file is low.php. Using the common editor NotePad++ for comparison, you can see that a sentence webshell has been inserted into the low.php file.

2. Diff command

In linux, we often use diff to compare the differences between two text files. Similarly, we can quickly find out the difference between the two project files with one command.

Diff-c-a-r cms1 cms2

As shown in the figure below, the first three lines list the differences between the two file directories to be compared, and you can find that the low.php file has been tampered with with @ eval ($_ POST ['g']);.

Note: if you just want to see if the two files are different and don't want to show the differences, you can add the-Q option.

3. Version control tools

Version control tools, such as git, re-upload the code to git,add+commit+push, then open the project, click commits, and view the changes in the file in the history submitted version, and you can easily find where the code has been tampered with.

In addition, git diff can also be used to compare differences between files.

4. File comparison tool

Keywords: code comparison tools, you will find a lot of useful tools, here we recommend two good tools, Beyond Compare and WinMerge.

Beyond Compare

Beyond Compare is a set of file comparison tools introduced by Scooter Software. The main purpose is to compare two folders or files and color the differences. The scope of comparison includes directories, document contents and so on.

Download address: http://www.scootersoftware.com/download.php

The software uses an example to find out the differences in the folder through folder comparison.

1. Double-click Beyond Compare, open the software home page, and select folder comparison.

2. Enter the folder path in the double-sidebar, click to show the difference, and list the contents of the difference part. The purple part is the new file, and the red part is the tampered file.

3. Double-click the specific file to enter the code comparison and find the code difference section.

WinMerge

WinMerge is a file comparison and merge tool that runs on Windows systems. It makes it very easy to compare folders and files and display differences in a visual text format that is easy to understand.

Download address: https://winmerge.org/downloads/

1. File-Open, select a file or folder, and click to compare.

2. In the same interface, the folder content differences are displayed through color and text prompts.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.