Web Hacking and Security

panics.egloos.com

KISA webshell signatures: web hacking indicator analysis

Below are signatures extracted by the Korea Internet Security Center (www.krcert.or.kr) by testing webshells collected from compromised systems; they can be used to check whether a webshell has been executed on a server.



Action=MainMenu
Action=Show1File
Action=EditFile
Action=DbManager
Action=getTerminalInfo
Action=ServerInfo
Action=Servu
Action=kmuma
Action=kmuma&act=scan
Action=Cplgm&M=2
Action=plgm
Action=PageAddToMdb
Action=ReadREG
Action=ScanPort
Action=Cmd1Shell
Action=UpFile

(pageName|id|list|action|act)=ServiceList
(pageName|id|list|action|act)=infoAboutSrv
(pageName|id|list|action|act)=objOnSrv
(pageName|id|list|action|act)=userList
(pageName|id|list|action|act)=WsCmdRun
(pageName|id|list|action|act)=SaCmdRun
(pageName|id|list|action|act)=SaCmdRun&theAct
(pageName|id|list|action|act)=FsoFileExplorer
(pageName|id|list|action|act)=FsoFileExplorer&theAct
(pageName|id|list|action|act)=FsoFileExplorer&thePath
pageName=MsDataBase
pageName=MsDataBase&theAct=showTables
pageName=TxtSearcher
pageName=OtherTools
act=scan

Action=mainwin
action=listtb
action=listvw
action=searchfile
action=xpcmdshell
(action|act)=cmdshell
action=mainmenu
action=showfile
action=editfile
action=course

action=serverinfo
action=upfile
action=dbmanager
ex=edit&pth=
PageName=PageUpload&theAct
PageName=PageWebProxy&url=
productName=HigroupASPAdmin
PageWebProxy
aCTiON=cMd
aCTiON=ClonETiMe&SrC=
aCTiON=SqLrOotKIt
aCTiON=Reg
aCTiON=DAtA
aCTiON=Goto&SrC=C:\
aCTiON=uPFIlE&SrC=
aCTiON=NEw&SrC=
act=info
act=filemanage
act=edit&src=
act=del&src=
act=rename&src=
DirName=
Type=.*FileName=.*\
Type=.*ok=dir
FsoFileExplorer
WsCmdRun
SaCmdRun
MsDataBase

HigroupASPAdmin
=cmd
ClonETiMe
SqLrOotKIt
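As an added defensive example (not part of the original post), the script below applies a subset of the signatures above to web-server access-log lines: it URL-decodes each query string twice, to unwrap double encoding, and reports matching requests. The signature subset, the log lines and the client addresses are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed subset of the KrCERT webshell request signatures listed above,
# searched in the URL-decoded query string. ASP reads parameter names
# case-insensitively, so odd-cased variants like aCTiON=cMd are matched
# case-insensitively as well.
SIGNATURES = [
    r"Action=(MainMenu|Show1File|EditFile|DbManager|ServerInfo|Cmd1Shell|UpFile|ReadREG|ScanPort)\b",
    r"(pageName|id|list|action|act)=(ServiceList|infoAboutSrv|userList|WsCmdRun|SaCmdRun|FsoFileExplorer)\b",
    r"pageName=(MsDataBase|TxtSearcher|OtherTools|PageUpload|PageWebProxy)\b",
    r"action=(xpcmdshell|cmdshell|listtb|listvw|searchfile)\b",
    r"aCTiON=(cMd|SqLrOotKIt|Reg|DAtA|ClonETiMe&SrC=|Goto&SrC=C:\\)",
    r"act=(info|filemanage|scan|(edit|del|rename)&src=)",
    r"Type=.*ok=dir",
]
COMPILED = [re.compile(s, re.IGNORECASE) for s in SIGNATURES]

# NCSA/combined access-log request line. Only the query string is inspected,
# so parameters sent in a POST body are a blind spot for log-based matching.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) HTTP/[\d.]+"')

def decode_query(url):
    """Split path from query; decode twice to unwrap double-encoded values."""
    path, _, query = url.partition("?")
    return path, unquote_plus(unquote_plus(query))

def scan_log(lines):
    """Return (line_no, client_ip, path, matched_pattern) per matching request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log records
        path, query = decode_query(m.group("url"))
        for sig in COMPILED:
            if sig.search(query):
                hits.append((n, m.group("ip"), path, sig.pattern))
                break
    return hits

# Constructed sample log (RFC 5737 documentation addresses); line 4 carries a
# double-URL-encoded C:\ and line 5 is a benign request that must not match.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Nov/2012:07:29:01 +0900] "GET /index.asp HTTP/1.1" 200 512',
    '203.0.113.5 - - [29/Nov/2012:07:29:10 +0900] "GET /upload/img.asp?Action=Cmd1Shell HTTP/1.1" 200 2048',
    '198.51.100.7 - - [29/Nov/2012:07:30:02 +0900] "GET /board/view.asp?pageName=MsDataBase&theAct=showTables HTTP/1.1" 200 3310',
    '198.51.100.7 - - [29/Nov/2012:07:31:45 +0900] "GET /tmp/x.asp?aCTiON=GoTo&SrC=C%253A%255C HTTP/1.1" 200 900',
    '192.0.2.9 - - [29/Nov/2012:07:32:00 +0900] "GET /search.asp?action=list&q=cmd HTTP/1.1" 200 700',
]
```

Running `scan_log(SAMPLE_LOG)` reports lines 2, 3 and 4; very short signatures such as the bare `=cmd` entry are deliberately left out of the subset because they match benign requests like line 5.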