A webshell has been planted on the website, which means the site carries a high-risk vulnerability: an attacker used it to break in and write a webshell, taking control of the site. The conventional ways of obtaining that access are front-end or back-end arbitrary file upload, remote command execution, SQL injection that writes files, and so on.
Symptom description
The webmaster found a webshell in the site directory and began to analyse how the intrusion happened.
Webshell detection tools:
D Shield web check-and-kill: webshell scanner for Windows: www.d99net.net/index.asp
Hippo: supports multiple platforms, but requires network access.
Usage:
wget down.shellpub.com/hm/latest/h…
tar xvf hm-linux-amd64.tgz
hm scan /www
Event analysis
1. Narrowing down the time range
Take the creation time of the webshell file you found as the anchor point and go through the access log for that date.
2. Web log analysis
Log analysis shows no suspicious upload at the time the file was created, but there are requests to a suspicious WebService interface.
3. Vulnerability analysis
Examining the WebService interface shows that the variables buffer, DISTINCTPach, and newfilename can be set freely by the client.
4. Vulnerability reproduction
Attempting to reproduce the vulnerability succeeds: a webshell can be uploaded and the website server taken over.
5. Bug fix
Clean up the webshell and fix the WebService interface in code.
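As an added example (not part of the original write-up), the Python below walks steps 1, 2 and 5 over constructed log lines: it narrows the access log to a window around the webshell's creation time, lists the POSTed WebService-style endpoints seen in that window, and applies the kind of server-side check a client-supplied newfilename needs in the fixed interface. The log lines, timestamps, endpoint names and the allowed-extension policy are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines in common log format (not the incident's real
# logs); in this made-up scenario the webshell file was created at 10:14:05.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2020:10:01:12 +0800] "GET /index.aspx HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2020:10:14:03 +0800] "POST /WebService.asmx/UploadFile HTTP/1.1" 200 310
10.0.0.9 - - [12/Mar/2020:10:14:05 +0800] "GET /upload/shell.aspx HTTP/1.1" 200 88
10.0.0.7 - - [12/Mar/2020:13:40:00 +0800] "POST /WebService.asmx/GetList HTTP/1.1" 200 900
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SUSPECT_PATH = re.compile(r"\.(asmx|svc)(/|$)|webservice", re.IGNORECASE)  # WebService handlers
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpg|png|pdf)$", re.IGNORECASE)  # assumed policy

def parse_log(text):
    """Parse CLF lines into dicts with aware datetimes; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            entries.append({"ip": ip, "time": datetime.strptime(ts, TS_FMT),
                            "method": method, "path": path, "status": int(status)})
    return entries

def requests_around(entries, created_at, minutes=10):
    """Step 1: keep only requests within +/- `minutes` of the webshell's creation time."""
    window = timedelta(minutes=minutes)
    return [e for e in entries if abs(e["time"] - created_at) <= window]

def suspect_endpoints(entries):
    """Step 2: POSTs to WebService-style endpoints in the window, one entry per path."""
    return sorted({e["path"] for e in entries
                   if e["method"] == "POST" and SUSPECT_PATH.search(e["path"])})

def triage(log_text, created_ts, minutes=10):
    """Steps 1 and 2 together: endpoints to inspect for client-controlled parameters."""
    created_at = datetime.strptime(created_ts, TS_FMT)
    return suspect_endpoints(requests_around(parse_log(log_text), created_at, minutes))

def is_safe_upload_name(name):
    """Step 5: validate a client-supplied filename server-side; rejects path separators,
    traversal, double extensions and anything outside the allowed extensions."""
    return SAFE_NAME.fullmatch(name) is not None

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "12/Mar/2020:10:14:05 +0800"))  # ['/WebService.asmx/UploadFile']
```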
This article covers the path from webshell discovery to log analysis, vulnerability reproduction and repair; tracing the attacker (attribution forensics) is not covered for now.