CN107135199A - Detection method and device for a webpage backdoor - Google Patents


Info

Publication number
CN107135199A
Authority
CN
China
Prior art keywords
weights
access
file
sub
address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710197494.0A
Other languages
Chinese (zh)
Other versions
CN107135199B (en)
Inventor
王旭
马先
刘世良
苏蔚
李生帛
邵巍
杨莉莉
李楠芳
王有虎
金金
李晖
佟芳
张小博
秦浩
徐铁军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
State Grid Qinghai Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Qinghai Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Qinghai Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Qinghai Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, State Grid Qinghai Electric Power Co Ltd, Information and Telecommunication Branch of State Grid Qinghai Electric Power Co Ltd filed Critical State Grid Corp of China SGCC
Priority to CN201710197494.0A priority Critical patent/CN107135199B/en
Publication of CN107135199A publication Critical patent/CN107135199A/en
Publication of CN107135199B publication Critical patent/CN107135199B/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a detection method and device for a webpage backdoor. The method includes: determining a weight of an access file according to a preset condition, where the access file is used to access a webpage; judging whether the weight is greater than or equal to a preset threshold; and, when the weight is judged to be greater than or equal to the preset threshold, determining that the access file is a webpage backdoor. The invention solves the technical problem in the related art that deformed webpage backdoors are detected with low accuracy.

Description

Detection method and device for a webpage backdoor
Technical field
The present invention relates to the field of webpage detection technology, and in particular to a detection method and device for a webpage backdoor.
Background
In the related art, webpage backdoors are detected mainly by signature-based methods: signatures of known webpage backdoors are collected, the content of each webpage is scanned and matched against them, and a page that matches a signature is judged to be a webpage backdoor. However, hackers can use syntax tricks to transform, deform or even encrypt the backdoor code, so that security staff either cannot extract a signature at all, or can extract one that a slight modification bypasses again. As a result, deformed webpage backdoors cannot be detected in a timely and effective manner.
No effective solution has yet been proposed for the low accuracy of detecting deformed webpage backdoors in the related art described above.
Summary of the invention
Embodiments of the present invention provide a detection method and device for a webpage backdoor, to at least solve the technical problem in the related art that deformed webpage backdoors are detected with low accuracy.
According to one aspect of the embodiments of the present invention, a detection method for a webpage backdoor is provided, including: determining a weight of an access file according to a preset condition, where the access file is used to access a webpage; judging whether the weight is greater than or equal to a preset threshold; and, when the weight is judged to be greater than or equal to the preset threshold, determining that the access file is a webpage backdoor.
Further, determining the weight of the access file according to the preset condition includes: determining a first sub-weight of the access file according to the number of access IP addresses of the access file; calculating the frequency with which the same IP address accesses the access file, to obtain a first access frequency; determining a second sub-weight of the access file according to the first access frequency; judging whether the returned content of the access file contains content identical to preset characters; if the returned content of the access file is judged to contain content identical to the preset characters, determining a third sub-weight of the access file; and superimposing the first sub-weight, the second sub-weight and the third sub-weight to obtain the weight of the access file.
Further, determining the first sub-weight of the access file according to the number of access IP addresses of the access file includes: counting the number of access IP addresses of all files; counting the number of IP addresses that access by way of a search-engine crawler; calculating the number of access IP addresses of the access file from the number of access IP addresses of all files and the number of IP addresses that access by way of a search-engine crawler; and determining the first sub-weight of the access file according to the number of access IP addresses of the access file.
Further, determining the first sub-weight of the access file according to the number of access IP addresses of the access file includes: determining, from multiple preset value ranges, the target value range in which the number of access IP addresses of the access file falls, where the multiple preset value ranges include a first preset value range, a second preset value range and a third preset value range; if the target value range is the first preset value range, determining that the weight of the access file increases by a first value; if the target value range is the second preset value range, determining that the weight of the access file increases by a second value; and if the target value range is the third preset value range, determining that the weight of the access file increases by a third value.
Further, determining the second sub-weight of the access file according to the first access frequency includes: when the first access frequency meets a preset sub-condition, determining, from multiple preset time ranges, the target time range in which the first access frequency falls, where the multiple preset time ranges include a fourth preset time range, a fifth preset time range and a sixth preset time range; if the target time range is the fourth preset time range, determining that the weight of the access file increases by the first value; if the target time range is the fifth preset time range, determining that the weight of the access file increases by the second value; and if the target time range is the sixth preset time range, determining that the weight of the access file increases by the third value.
Further, after the first sub-weight, the second sub-weight and the third sub-weight are superimposed to obtain the weight of the access file, the method also includes: judging whether the IP address of the carrier of the access file comes from a server; if the IP address of the carrier of the access file is judged not to come from a server, determining a fourth sub-weight of the access file; and superimposing the first sub-weight, the second sub-weight, the third sub-weight and the fourth sub-weight to obtain the weight of the access file.
According to another aspect of the embodiments of the present invention, a storage medium is also provided. The storage medium includes a stored program, and the detection method for a webpage backdoor described in any one of the above embodiments is performed when the program runs.
According to another aspect of the embodiments of the present invention, a processor is also provided. The processor is used to run a program, and the detection method for a webpage backdoor described in any one of the above embodiments is performed when the program runs.
According to another aspect of the embodiments of the present invention, a detection device for a webpage backdoor is also provided, including: a first determining unit, for determining a weight of an access file according to a preset condition, where the access file is used to access a webpage; a judging unit, for judging whether the weight is greater than or equal to a preset threshold; and a second determining unit, for determining that the access file is a webpage backdoor when the weight is judged to be greater than or equal to the preset threshold.
Further, the first determining unit includes: a first determination sub-module, for determining a first sub-weight of the access file according to the number of access IP addresses of the access file; a calculation sub-module, for calculating the frequency with which the same IP address accesses the access file, to obtain a first access frequency; a second determination sub-module, for determining a second sub-weight of the access file according to the first access frequency; a judging sub-module, for judging whether the returned content of the access file contains content identical to preset characters; a third determination sub-module, for determining a third sub-weight of the access file if the returned content of the access file is judged to contain content identical to the preset characters; and a superposition sub-module, for superimposing the first sub-weight, the second sub-weight and the third sub-weight to obtain the weight of the access file.
In the embodiments of the present invention, the weight of an access file can be obtained according to a preset condition, the access file being a file used to access a webpage. After the weight of the access file is obtained, it can be judged whether the weight is greater than or equal to a preset threshold. When the weight is judged to be greater than or equal to the preset threshold, the access file is determined to be a webpage backdoor; when the weight is judged to be less than the preset threshold, the access file is determined not to be a webpage backdoor. According to this embodiment, whether an access file is a webpage backdoor can be judged by analysing the weight of the access file that accesses the webpage, without relying on signatures to detect webpage backdoors. This can improve the efficiency and accuracy of detecting webpage backdoors, solves the technical problem in the related art that deformed webpage backdoors are detected with low accuracy, and achieves the effect of improving the accuracy of webpage backdoor detection.
Brief description of the drawings
The drawings described here provide a further understanding of the present invention and form part of this application. The illustrative embodiments of the invention and their description are used to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a schematic diagram of a detection method for a webpage backdoor according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of another optional detection method for a webpage backdoor according to an embodiment of the present invention; and
Fig. 3 is a schematic diagram of another optional detection device for a webpage backdoor according to an embodiment of the present invention.
Detailed description of the embodiments
To help those skilled in the art better understand the solution of the present invention, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention, without creative work, shall fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second" and the like in the description, the claims and the above drawings are used to distinguish similar objects, not to describe a specific order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments described here can be implemented in orders other than those illustrated or described here. In addition, the terms "include" and "have" and any variations of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units clearly listed, and may include other steps or units that are not clearly listed or that are inherent to such a process, method, product or device.
First, some of the nouns and terms that appear in the description of the embodiments of this application are explained as follows:
Crawler: a program that automatically obtains webpage content and an important component of a search engine; a program or script that automatically crawls web information according to certain rules.
Webpage backdoor: a piece of webpage code, mainly ASP or PHP code, that runs on the server side. Through this code an attacker performs dangerous operations on the server and obtains sensitive technical information.
According to an embodiment of the present invention, an embodiment of a detection method for a webpage backdoor is provided. It should be noted that the steps shown in the flowcharts of the drawings can be executed in a computer system, such as one running a set of computer-executable instructions, and that, although a logical order is shown in the flowcharts, in some cases the steps shown or described can be executed in an order different from the one given here.
Fig. 1 is a schematic diagram of a detection method for a webpage backdoor according to an embodiment of the present invention. As shown in Fig. 1, the method includes the following steps:
Step S102: determine the weight of the access file according to a preset condition, where the access file is used to access a webpage.
Step S104: judge whether the weight is greater than or equal to a preset threshold. If the weight is judged to be greater than or equal to the preset threshold, perform step S106; if the weight is judged to be less than the preset threshold, perform step S108.
Step S106: determine that the access file is a webpage backdoor.
Step S108: determine that the access file is not a webpage backdoor.
With the above embodiment, the weight of an access file can be obtained according to a preset condition, the access file being a file used to access a webpage. After the weight of the access file is obtained, it can be judged whether the weight is greater than or equal to a preset threshold. When the weight is judged to be greater than or equal to the preset threshold, the access file is determined to be a webpage backdoor; when the weight is judged to be less than the preset threshold, the access file is determined not to be a webpage backdoor. According to this embodiment, whether an access file is a webpage backdoor can be judged by analysing the weight of the access file, without relying on signatures to detect webpage backdoors. This can improve the efficiency and accuracy of detecting webpage backdoors, solves the technical problem in the related art that deformed webpage backdoors are detected with low accuracy, and achieves the effect of improving the accuracy of webpage backdoor detection.
Optionally, the above embodiment can be applied in a terminal or a server; the terminal can detect which access files are webpage backdoors, and the accuracy of detecting webpage backdoors can be improved.
Optionally, the access file may be a file used to access a webpage and may be of various types, for example an access request verification code or a piece of access code. A webpage can be accessed normally through the access file, whereas a hacker or other person may enter the webpage directly through other code rather than accessing it normally. Normal access to a webpage may require sending an access request and only allows the page to be browsed, not its content to be obtained, whereas a webpage backdoor may enter the webpage directly and obtain its content directly.
The preset threshold may take various values and can be set according to the actual situation; for example, the preset threshold may be set to 0.6.
Optionally, the weight is a value set for assessing whether the access file is a webpage backdoor. The way the weight is produced can be set according to the actual situation: several weights can be evaluated under different preset conditions, and the size of the final weight is determined from the weights obtained in those cases. The weight may be a value greater than 0 and less than 1.
In another optional embodiment, determining the weight of the access file according to the preset condition includes: determining a first sub-weight of the access file according to the number of access IP addresses of the access file; calculating the frequency with which the same IP address accesses the access file, to obtain a first access frequency; determining a second sub-weight of the access file according to the first access frequency; judging whether the returned content of the access file contains content identical to preset characters; if the returned content of the access file is judged to contain content identical to the preset characters, determining a third sub-weight of the access file; and superimposing the first sub-weight, the second sub-weight and the third sub-weight to obtain the weight of the access file.
Optionally, the access IP addresses of the access file may be the addresses of the files accessing the webpage, and there may be many such IP addresses. After a visitor (such as a user) accesses a webpage, the server can record the visitor's IP address. A single webpage may have multiple access IP addresses, and a single access IP address may access multiple webpages. In the above embodiment, what is recorded is the number of access IP addresses of all access files.
It should be noted that, in the above embodiment, the returned content of the access file may include the content obtained from the webpage, and may include content from the visitor's access to the webpage. After a webpage backdoor accesses the webpage, the returned content can be checked for various kinds of content; for example, the returned content may include content such as " " or "rwxrwxrwx", which may be characters of a webpage backdoor and may appear in the first several characters of the returned content. The preset characters can be stored in advance in a data table. After the returned content of the access file is detected, its first several characters can be checked for content identical to the preset characters; if such content exists, the third sub-weight is determined. The third sub-weight may be an added value set according to the actual situation, such as 0.35.
Optionally, determining the first sub-weight of the access file according to the number of access IP addresses of the access file includes: counting the number of access IP addresses of all files; counting the number of IP addresses that access by way of a search-engine crawler; calculating the number of access IP addresses of the access file from the number of access IP addresses of all files and the number of IP addresses that access by way of a search-engine crawler; and determining the first sub-weight of the access file according to the number of access IP addresses of the access file.
In the above embodiment, the number of access IP addresses of the access file can be obtained by subtracting the number of IP addresses that access by way of a search-engine crawler from the number of access IP addresses of all files. For example, if the number of access IP addresses of all files is A, the number of IP addresses that access by way of a search-engine crawler is B, and the number of access IP addresses of the access file is C, then C = A - B.
After the number of access IP addresses of the access file is obtained, the weight can be calculated for a daily number of access IP addresses of the access file that lies within a preset range. The preset range can be set according to the actual situation and is not limited here. For example, the preset range can be set to 25, that is, the weight is calculated for a daily number of access IP addresses of the access file of up to 25.
For the above embodiment, determining the first sub-weight of the access file according to the number of access IP addresses of the access file includes: determining, from multiple preset value ranges, the target value range in which the number of access IP addresses of the access file falls, where the multiple preset value ranges include a first preset value range, a second preset value range and a third preset value range; if the target value range is the first preset value range, determining that the weight of the access file increases by a first value; if the target value range is the second preset value range, determining that the weight of the access file increases by a second value; and if the target value range is the third preset value range, determining that the weight of the access file increases by a third value.
Optionally, the first, second and third preset value ranges and the first, second and third values can be determined from the daily number of access IP addresses of the access file described above. For example, the first preset value range may be 1 to 8, in which case the weight can be increased by the first value (such as 0.3); the second preset value range may be 8 to 16, in which case the weight can be increased by the second value (such as 0.2); and the third preset value range may be 16 to 25, in which case the weight can be increased by the third value (such as 0.1).
In another optional embodiment, determining the second sub-weight of the access file according to the first access frequency includes: when the first access frequency meets a preset sub-condition, determining, from multiple preset time ranges, the target time range in which the first access frequency falls, where the multiple preset time ranges include a fourth preset time range, a fifth preset time range and a sixth preset time range; if the target time range is the fourth preset time range, determining that the weight of the access file increases by the first value; if the target time range is the fifth preset time range, determining that the weight of the access file increases by the second value; and if the target time range is the sixth preset time range, determining that the weight of the access file increases by the third value.
The first access frequency may be the ratio of the number of accesses (N) made by the same IP address within a period of time to the length of that period (T); if the first access frequency is denoted G, then G = N/T. Access frequency is used to detect webpage backdoors because, when a hacker connects to a webpage backdoor with a hacking tool, the frequency of network packets is higher than that of normal manual webpage access. Measuring the access frequency yields a weight indicating whether the access file is a webpage backdoor, and that weight can be used to judge whether it is one.
The preset sub-condition may be that the access frequency is greater than a preset value, which is a separately set value for the access frequency, such as 1; that is, each preset time range is evaluated when the access frequency G is greater than 1. In this application, the preset time may be set to within 0 to 1 second, with the first value being 0.3: if the first preset time range above is met, the weight of the access file can be increased by 0.3. Optionally, the preset time may be set to within 1 to 10 seconds, with the second value being 0.2: if the second preset time range above is met, the weight of the access file can be increased by 0.2. The preset time may be set to more than 10 seconds, with the third value being 0.1: if the third preset time range above is met, the weight of the access file can be increased by 0.1.
Optionally, after the first sub-weight, the second sub-weight and the third sub-weight are superimposed to obtain the weight of the access file, the method also includes: judging whether the IP address of the carrier of the access file comes from a server; if the IP address of the carrier of the access file is judged to come from a server, determining a fourth sub-weight of the access file; and superimposing the first sub-weight, the second sub-weight, the third sub-weight and the fourth sub-weight to obtain the weight of the access file.
For the above embodiment, the visitor (that is, the IP of the carrier of the access file) can be judged: based on the IP address of the carrier of the access file, it is judged whether the IP is a public IP (such as the IP of a virtual hosting provider). If the IP address is judged to be a public IP and not a search-engine crawler, the probability that it is a webpage backdoor increases, because most hackers do not access webpages from a personal IP but usually through a proxy. An access IP that comes from a server and is not a search-engine crawler therefore has an increased probability of being a webpage backdoor. In this application, the fourth sub-weight can be set to increase the above weight by a value such as 0.25 or 0.27.
Optionally, after the first sub-weight, the second sub-weight, the third sub-weight and the fourth sub-weight are superimposed to obtain the weight of the access file, the method includes: determining a fifth sub-weight from the IP repetition rate of the access file within a predetermined time, and superimposing the first sub-weight, the second sub-weight, the third sub-weight, the fourth sub-weight and the fifth sub-weight to obtain the weight of the access file.
Optionally, the predetermined time is not fixed; it may be, for example, 10 days, can be set according to the actual situation, and is not limited in this application. The number A of access IP addresses of all access files within 10 days is counted, the number B of search-engine crawlers is counted, and the number D of IPs accessing the file within 10 days is calculated, where D = A - B.
In another optional embodiment, U denotes the number of days within the predetermined time on which the access file accessed the webpage; this number of days is greater than 1 and less than 10. The fifth sub-weight can then be calculated. When D = 1, the weight increases by a fourth value, which may be the product of U and a fifth value, where the fifth value may be 0.05; that is, when D = 1, the weight of the access file increases by U*0.05. Optionally, D may be a value between 1 and 10, and the fourth value may be the product of U and a sixth value, where the sixth value may be 0.03; that is, when D is between 1 and 10, the weight of the access file increases by U*0.03. Optionally, D may be a value greater than 10, and the fourth value may be the product of U and a seventh value, where the seventh value may be 0.02; that is, when D is greater than 10, the weight of the access file increases by U*0.02.
With the above embodiments, each weight of the access file can be calculated and the calculated weight compared with the preset threshold to determine whether the access file is a webpage backdoor. Judging by weight makes it possible to determine more accurately whether the access file is a webpage backdoor.
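The scoring described in this embodiment, written out in Python as an added example that is not code from the patent. It uses the example values given in the text; the record layout, the crawler and hosting IP sets, the inclusive range boundaries, the 64-character window on the returned content and taking the highest per-IP frequency score for a file are assumptions, and the log records are constructed.

```python
from collections import defaultdict

THRESHOLD = 0.6                 # example preset threshold from the text
PRESET_CHARS = ("rwxrwxrwx",)   # example preset characters from the text
HEAD = 64                       # assumption: length of "first several characters"
CRAWLERS = {"192.0.2.10"}       # constructed: known search-engine crawler IPs
HOSTING = {"203.0.113.7"}       # constructed: known hosting/IDC (public) IPs


def w_ip_count(c):
    """First sub-weight from C = A - B, the daily non-crawler IP count."""
    if 1 <= c <= 8:             # inclusive upper bounds are an assumption
        return 0.3
    if 8 < c <= 16:
        return 0.2
    if 16 < c <= 25:
        return 0.1
    return 0.0


def w_frequency(times):
    """Second sub-weight for one IP: N requests over T seconds, G = N / T."""
    n, t = len(times), max(times) - min(times)
    if n < 2 or (t > 0 and n / t <= 1):
        return 0.0              # sub-condition G > 1 not met
    if t <= 1:
        return 0.3
    if t <= 10:
        return 0.2
    return 0.1


def w_repeat(d, u):
    """Fifth sub-weight: D distinct IPs in the period, U days with access."""
    if d < 1:
        return 0.0
    return u * (0.05 if d == 1 else 0.03 if d <= 10 else 0.02)


def score_file(records, path, day, crawlers=CRAWLERS, hosting=HOSTING):
    """Return (weight, sub-weights, is_backdoor) for one file on one day."""
    hits = [r for r in records if r["path"] == path and r["ip"] not in crawlers]
    today = [r for r in hits if r["day"] == day]
    per_ip = defaultdict(list)
    for r in today:
        per_ip[r["ip"]].append(r["t"])
    marked = any(p in r["body"][:HEAD] for r in today for p in PRESET_CHARS)
    sub = {
        "ip_count": w_ip_count(len(per_ip)),
        # Assumption: the file takes the highest per-IP frequency score.
        "frequency": max((w_frequency(ts) for ts in per_ip.values()), default=0.0),
        "content": 0.35 if marked else 0.0,
        "public_ip": 0.25 if any(ip in hosting for ip in per_ip) else 0.0,
        "repeat": w_repeat(len({r["ip"] for r in hits}),
                           len({r["day"] for r in hits})),
    }
    weight = round(sum(sub.values()), 2)
    return weight, sub, weight >= THRESHOLD


def build_sample():
    """Constructed three-day log: one ordinary page, one suspicious script."""
    recs = []
    for day in (1, 2, 3):
        for i in range(30):     # 30 distinct visitors, one request each
            recs.append({"day": day, "t": 60.0 * i, "ip": f"198.51.100.{i + 1}",
                         "path": "/index.php", "body": "<html><head>"})
        recs.append({"day": day, "t": 5.0, "ip": "192.0.2.10",
                     "path": "/index.php", "body": "<html><head>"})
        for k in range(5):      # one hosting IP, 5 requests within 0.8 s
            recs.append({"day": day, "t": 100.0 + 0.2 * k, "ip": "203.0.113.7",
                         "path": "/uploads/img.php",
                         "body": "drwxrwxrwx 2 www www 4096 ."})
    return recs


SAMPLE = build_sample()

if __name__ == "__main__":
    for p in ("/index.php", "/uploads/img.php"):
        weight, sub, flagged = score_file(SAMPLE, p, day=3)
        print(p, weight, flagged, sub)
```

On the constructed log, /uploads/img.php reaches a weight of 1.35 and is flagged, while /index.php reaches 0.06 and is not.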
Fig. 2 is a schematic diagram of another optional webpage backdoor detection method according to an embodiment of the present invention. As shown in Fig. 2, the detection method includes:
Step S201: determine the first sub-weight according to the access IP addresses of the access file.
Optionally, a webpage backdoor is typically accessed only by the hacker. Within a website, the fewer IP addresses that access a given file each day, the greater the probability that the access file is a webpage backdoor, so different weights are calculated according to the number of access IP addresses.
Optionally, the number X of IPs accessing all files can be calculated, a program determines the number Y of search-engine crawler IPs, and the number Z (Z = X - Y) of IPs, other than search-engine crawlers, that access the site's files each day is counted. Weight calculation is performed for files whose daily number of accessing IPs (excluding search-engine crawler IPs) is not more than 20.
When 1 < Z <= 5, the weight is increased by 0.3;
When 5 < Z <= 10, the weight is increased by 0.2;
When 11 < Z <= 20, the weight is increased by 0.1.
With the above embodiment, the first sub-weight can be calculated.
Step S203: calculate the access frequency at which the same IP address accesses the file, and determine the second sub-weight according to that access frequency.
Optionally, the frequency of normal access to a file differs from the frequency at which a hacker connects to a webpage backdoor through a tool: the latter is greater than the normal access frequency. The second sub-weight can be determined on this principle.
Optionally, the frequency (H) at which the same IP accesses the file can be calculated, that is, the number of accesses (N) by the same IP within a period of time (T, in seconds), H = N/T (when a hacker connects to a backdoor through a hacking tool, the frequency of network packets is greater than the frequency of normal manual webpage access). For example, when 0 < T <= 1 and H > 1, the weight is increased by 0.3; when 1 < T <= 10 and H > 1, the weight is increased by 0.2; when T > 10 and H > 1, the weight is increased by 0.1.
With the above embodiment, the second sub-weight can be calculated.
Step S205: judge the visitor's IP address to determine whether it comes from a server, so as to determine the third sub-weight.
Optionally, most hackers connect to a webpage backdoor (webshell) through a server. When it is determined that the access IP address of the access file comes from a server and the IP address is not from a search-engine crawler, the third sub-weight of the access file is determined.
Optionally, the visitor's IP is judged: an IP judgment engine determines whether the IP is a public IP (an IP of a virtual host provider, an IDC machine-room IP, etc.). If the IP is a public IP and is not from a search-engine crawler, the weight is increased by 0.25. (90% of hackers will not access a webpage backdoor through a personal IP, and typically go through a proxy.)
Step S207: within a predetermined time, calculate the frequency of the access IPs that access the file, and determine the fourth sub-weight according to that frequency.
Optionally, file access frequency is recorded over the long term: the number of IP addresses accessing all files within 10 days is X, the number of search-engine crawler IP addresses is Y, the number Z (Z = X - Y) of IPs, other than search-engine crawlers, that access the website's files within 10 days is counted, and M denotes the number of days within the 10 days on which a given IP accessed.
For example, if Z = 1, the weight is increased by M*0.05 (this represents the case where there is only one IP in the most recent ten days; the greater the probability that this IP appears each day, the larger the weight); if 1 < Z <= 10, the weight is increased by M*0.03; if 10 < Z <= 70, the weight is increased by M*0.02.
With the above embodiment, the fourth sub-weight can be calculated.
Step S209: obtain the returned content of the access file, and determine the fifth sub-weight according to the returned content.
Optionally, after the returned content of the access file is obtained, if preset characters are present in the first several characters of the returned content, the weight can be increased by 0.35. The preset characters can be of several kinds, such as " " or " .. " or "rwxrwxrwx".
It should be noted that the embodiments of the present invention do not limit the order in which the first sub-weight, the second sub-weight, the third sub-weight, the fourth sub-weight and the fifth sub-weight are determined; that is, steps S201 to S209 may also be executed in parallel or in another serial order.
Step S211: determine whether the access file is a webpage backdoor according to the first sub-weight, the second sub-weight, the third sub-weight, the fourth sub-weight and the fifth sub-weight.
Optionally, the first sub-weight, the second sub-weight, the third sub-weight, the fourth sub-weight and the fifth sub-weight can be summed to obtain a total weight, and the total weight is compared with 0.6. When the total weight is greater than or equal to 0.6, the access file is determined to be a webpage backdoor; when the total weight is less than 0.6, the access file is determined not to be a webpage backdoor.
According to this embodiment, whether an access file is a webpage backdoor can be judged by analyzing the weight of the access file that accesses the webpage (including the first sub-weight, the second sub-weight, the third sub-weight, the fourth sub-weight and the fifth sub-weight), without relying on signatures (feature codes) to detect the webpage backdoor. This can improve the efficiency and accuracy of webpage backdoor detection, solves the technical problem in the related art of low accuracy when detecting variant (deformed) webpage backdoors, and achieves the effect of improving the accuracy of webpage backdoor detection.
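The Fig. 2 scoring (steps S201 to S211) run over constructed access records, as an added example that is not code from the patent. The record layout, the crawler and server IP sets, the 64-character prefix, the choice of T as the span between an IP's first and last request, and letting the highest-scoring IP decide S203 and S207 are assumptions; weights are held in hundredths so the 0.6 comparison is exact.

```python
from collections import defaultdict

THRESHOLD = 60            # 0.6 in hundredths, so ">=" is exact at the boundary
MARKERS = ("rwxrwxrwx",)  # preset characters named on the page
PREFIX_LEN = 64           # assumption: "first several characters" = first 64

def band(value, bands):
    """Return the increment of the first (low, high] band holding value, else 0."""
    for low, high, inc in bands:
        if low < value <= high:
            return inc
    return 0

def score_file(records, crawler_ips, server_ips, today):
    """records: (day, second, ip, response_prefix) tuples for ONE file, 10-day window."""
    human = [r for r in records if r[2] not in crawler_ips]    # Z = X - Y
    todays = [r for r in human if r[0] == today]

    # S201: few distinct visitor IPs per day -> higher weight (bands as on the page).
    z_day = len({r[2] for r in todays})
    w1 = band(z_day, [(1, 5, 30), (5, 10, 20), (11, 20, 10)])

    # S203: H = N / T per IP. Assumption: T is the span between an IP's first and
    # last request today, and the highest-scoring IP decides the sub-weight.
    times = defaultdict(list)
    for _, sec, ip, _ in todays:
        times[ip].append(sec)
    w2 = 0
    for secs in times.values():
        t = max(secs) - min(secs)
        if t > 0 and len(secs) / t > 1:
            w2 = max(w2, band(t, [(0, 1, 30), (1, 10, 20), (10, float("inf"), 10)]))

    # S205: a visitor address belongs to a server (hosting/IDC) and is not a crawler.
    w3 = 25 if any(r[2] in server_ips for r in human) else 0

    # S207: Z over the 10-day window, M = days on which one IP appeared.
    # Assumption: M is taken from the IP seen on the most days.
    days = defaultdict(set)
    for day, _, ip, _ in human:
        days[ip].add(day)
    z_win = len(days)
    m = max((len(d) for d in days.values()), default=0)
    w4 = m * (5 if z_win == 1 else band(z_win, [(1, 10, 3), (10, 70, 2)]))

    # S209: a preset marker near the start of the returned content.
    w5 = 35 if any(mk in r[3][:PREFIX_LEN] for r in human for mk in MARKERS) else 0

    total = w1 + w2 + w3 + w4 + w5                              # S211
    return {"sub": (w1, w2, w3, w4, w5), "total": total,
            "backdoor": total >= THRESHOLD}

CRAWLERS = {"192.0.2.10"}     # constructed: search-engine crawler address
SERVERS = {"198.51.100.7"}    # constructed: hosting-provider address

def sample_logs():
    """Constructed records for two files; day 10 is the scoring day."""
    shell = [(d, 100.0, "198.51.100.7", "<html>") for d in range(7, 10)]
    # Day 10: five requests inside 0.8 s, response starts with a permission string.
    shell += [(10, 50.0 + 0.2 * i, "198.51.100.7", "drwxrwxrwx 2 www")
              for i in range(5)]
    shell += [(10, 60.0, "203.0.113.5", "<html>")]
    index = [(d, 10.0 * i, f"203.0.113.{i}", "<html>")
             for d in range(1, 11) for i in range(1, 31)]
    index += [(10, 5.0, "192.0.2.10", "<html>")]
    return {"/upload/img.php": shell, "/index.php": index}

if __name__ == "__main__":
    for path, recs in sample_logs().items():
        print(path, score_file(recs, CRAWLERS, SERVERS, today=10))
```

As stated on the page, the S201 bands leave out Z = 1 and Z = 11, so a file visited by exactly one non-crawler IP in a day gets no first sub-weight; the example reproduces the bands as written.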
According to another aspect of the embodiments of the present invention, a storage medium is also provided. The storage medium includes a stored program, wherein the webpage backdoor detection method of any one of the above embodiments is performed when the program runs.
According to another aspect of the embodiments of the present invention, a processor is also provided. The processor is used to run a program, wherein the webpage backdoor detection method of any one of the above embodiments is performed when the program runs.
Fig. 3 is a schematic diagram of another optional webpage backdoor detection device according to an embodiment of the present invention. As shown in Fig. 3, the device includes: a first determining unit 31, configured to determine the weight of an access file according to preset conditions, wherein the access file is used to access a webpage; a judging unit 33, configured to judge whether the weight is greater than or equal to a preset threshold; a second determining unit 35, configured to determine that the access file is a webpage backdoor when the weight is judged to be greater than or equal to the preset threshold; and a third determining unit 37, configured to determine that the access file is not a webpage backdoor when the weight is judged to be less than the preset threshold.
Through the above embodiment, the first determining unit 31 obtains the weight of the access file according to the preset conditions, the access file being a file used to access a webpage. After the weight of the access file is obtained, the judging unit 33 judges whether the weight is greater than or equal to the preset threshold; the second determining unit 35 determines that the access file is a webpage backdoor when the weight is judged to be greater than or equal to the preset threshold, and the third determining unit 37 determines that the access file is not a webpage backdoor when the weight is judged to be less than the preset threshold. According to this embodiment, whether an access file is a webpage backdoor can be judged by analyzing the weight of the access file that accesses the webpage, without relying on signatures (feature codes) to detect the webpage backdoor. This can improve the efficiency and accuracy of webpage backdoor detection, solves the technical problem in the related art of low accuracy when detecting variant (deformed) webpage backdoors, and achieves the effect of improving the accuracy of webpage backdoor detection.
Optionally, the first determining unit 31 includes: a first determining sub-module, configured to determine the first sub-weight of the access file according to the number of IP addresses accessing the access file; a calculating sub-module, configured to calculate the access frequency at which the same IP address accesses the access file, to obtain a first access frequency; a second determining sub-module, configured to determine the second sub-weight of the access file according to the first access frequency; a judging sub-module, configured to judge whether the returned content of the access file contains content identical to preset characters; a third determining sub-module, configured to determine the third sub-weight of the access file if the returned content of the access file is judged to contain content identical to the preset characters; and a superimposing sub-module, configured to superimpose the first sub-weight, the second sub-weight and the third sub-weight to obtain the weight of the access file.
The above embodiments of the present invention are for description only and do not represent the relative merits of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis. For parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division into units may be a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection between units or modules through some interfaces, and may be electrical or take other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a removable hard disk, a magnetic disk or an optical disc.
The above is only the preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make several improvements and refinements without departing from the principles of the present invention, and these improvements and refinements should also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A webpage backdoor detection method, characterized by comprising:
Determining the weight of an access file according to preset conditions, wherein the access file is used to access a webpage;
Judging whether the weight is greater than or equal to a preset threshold;
Determining that the access file is a webpage backdoor when the weight is judged to be greater than or equal to the preset threshold.
2. The detection method according to claim 1, characterized in that determining the weight of the access file according to preset conditions comprises:
Determining a first sub-weight of the access file according to the number of IP addresses accessing the access file;
Calculating the access frequency at which the same IP address accesses the access file, to obtain a first access frequency; determining a second sub-weight of the access file according to the first access frequency;
Judging whether the returned content of the access file contains content identical to preset characters; if the returned content of the access file is judged to contain content identical to the preset characters, determining a third sub-weight of the access file;
Superimposing the first sub-weight, the second sub-weight and the third sub-weight to obtain the weight of the access file.
3. The detection method according to claim 2, characterized in that determining the first sub-weight of the access file according to the number of IP addresses accessing the access file comprises:
Counting the number of IP addresses accessing all files;
Counting the number of IP addresses that access by way of a search-engine crawler;
Calculating the number of IP addresses accessing the access file from the number of IP addresses accessing all files and the number of IP addresses that access by way of a search-engine crawler;
Determining the first sub-weight of the access file according to the number of IP addresses accessing the access file.
4. The detection method according to claim 3, characterized in that determining the first sub-weight of the access file according to the number of IP addresses accessing the access file comprises:
Determining, from multiple preset value ranges, the target value range in which the number of IP addresses accessing the access file falls, wherein the multiple preset value ranges include a first preset value range, a second preset value range and a third preset value range;
If the target value range is the first preset value range, determining that the weight of the access file is increased by a first value;
If the target value range is the second preset value range, determining that the weight of the access file is increased by a second value;
If the target value range is the third preset value range, determining that the weight of the access file is increased by a third value.
5. The detection method according to claim 4, characterized in that determining the second sub-weight of the access file according to the first access frequency comprises:
When the first access frequency satisfies a preset sub-condition, determining, from multiple preset time ranges, the target time range in which the first access frequency falls, wherein the multiple preset time ranges include a fourth preset time range, a fifth preset time range and a sixth preset time range;
If the target time range is the fourth preset time range, determining that the weight of the access file is increased by the first value;
If the target time range is the fifth preset time range, determining that the weight of the access file is increased by the second value;
If the target time range is the sixth preset time range, determining that the weight of the access file is increased by the third value.
6. The detection method according to claim 2, characterized in that, after superimposing the first sub-weight, the second sub-weight and the third sub-weight to obtain the weight of the access file, the method further comprises:
Judging whether the IP address of the carrier of the access file comes from a server;
If the IP address of the carrier of the access file is judged to come from a server, determining a fourth sub-weight of the access file;
Superimposing the first sub-weight, the second sub-weight, the third sub-weight and the fourth sub-weight to obtain the weight of the access file.
7. A webpage backdoor detection device, characterized by comprising:
A first determining unit, configured to determine the weight of an access file according to preset conditions, wherein the access file is used to access a webpage;
A judging unit, configured to judge whether the weight is greater than or equal to a preset threshold;
A second determining unit, configured to determine that the access file is a webpage backdoor when the weight is judged to be greater than or equal to the preset threshold.
8. The detection device according to claim 7, characterized in that the first determining unit comprises:
A first determining sub-module, configured to determine a first sub-weight of the access file according to the number of IP addresses accessing the access file;
A calculating sub-module, configured to calculate the access frequency at which the same IP address accesses the access file, to obtain a first access frequency; a second determining sub-module, configured to determine a second sub-weight of the access file according to the first access frequency;
A judging sub-module, configured to judge whether the returned content of the access file contains content identical to preset characters; a third determining sub-module, configured to determine a third sub-weight of the access file if the returned content of the access file is judged to contain content identical to the preset characters;
A superimposing sub-module, configured to superimpose the first sub-weight, the second sub-weight and the third sub-weight to obtain the weight of the access file.
9. A storage medium, characterized in that the storage medium includes a stored program, wherein the webpage backdoor detection method of any one of claims 1 to 6 is performed when the program runs.
10. A processor, characterized in that the processor is used to run a program, wherein the webpage backdoor detection method of any one of claims 1 to 6 is performed when the program runs.
CN201710197494.0A 2017-03-29 2017-03-29 Method and device for detecting webpage backdoor Active CN107135199B (en)

Publications (2)

Publication Number Publication Date
CN107135199A (en) 2017-09-05
CN107135199B (en) 2020-05-01

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant