Webshell Behavior Detector 에이전트 설치 및 실행

Available in VPC

In order for Webshell Behavior Detector to start detecting web shell behaviors normally, you need to install and executing the agent in the registered detection target server. Also, remote control may be required while Webshell Behavior Detector is running, to perform actions such as executing or ending the agent remotely. Install and control the agent referring to the following:

Install and execute agent

Installing and executing the agent are done through commands in the following steps.

1. Access detection target server
2. Install agent
3. Confirm the agent execution
4. Normal detection test

1. Access detection target server

1.1 For (Host) Linux and Windows environments

To install the agent on the target server, first access the server with root (Linux) or Administrator (Windows) permissions. For how to access the server remotely, see the Server access guide.

1.2 For Kubernetes environments

To install the agent on the target server, you must have cluster access permissions. For information on accessing and managing Kubernetes clusters, see the Cluster access and management guide.

2. Install agent

2.1 For (Host) Linux environments

Enter the following commands to install the agent:

# wget https://wbd.ncloud.com:18088/agent/wbd_installer.sh -O wbd_installer.sh
# chmod a+x wbd_installer.sh
# ./wbd_installer.sh

If the agent has been successfully installed, the following message will be displayed:

2.2 For (Host) Windows environments

Enter the following command in PowerShell to install the agent:

PS > Invoke-WebRequest -Uri "https://wbd.ncloud.com:18088/agent/windows/x64/WBDAgent-setup.exe" -OutFile "WBDAgent-setup.exe"
PS > ./WBDAgent-setup.exe

If the agent has been successfully installed, the following message will be displayed:

2.3 For Kubernetes environments

Use kubectl to enter the following command to install the agent:

kubectl apply -f https://wbd.ncloud.com:18088/agent/wbd_agent_ds.yaml --kubeconfig kubeconfig.yaml

If the agent has been successfully installed, the following message will be displayed:

3. Confirm the agent execution

3.1 For (Host) Linux environments

Enter the following command to check if the agent is successfully installed and executed:

# ps -ef | grep wbd

If the agent is executed normally, the following message will be displayed:

3.2 For (Host) Windows environments

Enter the following command in PowerShell to check that the agent is successfully installed and running:

PS > Get-Process -Name "AgentService"

If the agent is executed normally, the following message will be displayed:

3.3 For Kubernetes environments

Enter the following command to check if the agent is successfully installed and executed:

# kubectl get pods --all-namespaces --kubeconfig kubeconfig.yaml | grep "wbd-daemon"

If the agent is executed normally, the following message will be displayed:

Alternatively, in the NAVER Cloud Platform console's VPC environment, click > Services > Security > Webshell Behavior Detector > Detection Setting > Configuration in order, and check if the agent status is displayed as Enabled in the detection target list.

4. Normal detection test

After confirming that the WebShell Behavior Detector agent is properly installed and running, check its ability to detect webshell behavior using a fake webshell file.

The following is an example of a fake web shell file. Please use it for reference only when creating a fake web shell file.

• PHP

<?php
system("ls -al /tmp/thereisnodir");
?>

• JSP

<%@ page import="java.io.*"%>
<% Process child = Runtime.getRuntime().exec("ls -al /tmp/thereisnodir");

InputStream in = child.getInputStream();
int c;
while ((c = in.read()) != -1) {
out.print((char)c);
}
%>

• ASP (for Classic ASP)

<%response.write server.createobject("wscript.shell").exec("cmd.exe /c ipconfig").stdout.readall%>

• ASP (for ASP.NET)

<%@ Page aspcompat=true %>
<%response.write (server.createobject("wscript.shell").exec("cmd.exe /c ipconfig").stdout.readall)%>

Save a fake web shell file similar to one shown above with a file name that can't be easily guessed in the webroot path, and then attempt to access. If the NAVER Cloud Platform console detects a web shell behavior, you can confirm that the installation and execution has been successful.

Execute or end the agent

The operation of the web shell detection function depends on the agent's activation status rather than its process status.

To use the web shell detection function, execute the agent process and enable the agent in the console. When the agent is enabled, web shell detection will start and charges will start to apply.

When you don't use the web shell detection function, you can disable the agent. However, the process is still running, so you can enable it later on the console to use it immediately. You may also end the process if you don't plan to use it for a while. You must execute the agent first if you'd like to use the service again in the future.

Run the agent process

Enter the following command to run the agent process:

[ Agent for Linux ]
# /opt/nbp/wbd/wbd_agent

[ Agent for Windows ]
> %LOCALAPPDATA%/WBDAgent/AgentService.exe

[ Agent for Kubernetes ]
# kubectl apply -f https://wbd.ncloud.com:18088/agent/wbd_agent_ds.yaml 

End the agent process

Enter the following command to end the agent process:

[ Agent for Linux ]
# /opt/nbp/wbd/wbd_agent -s stop

[ Agent for Windows ]
> %LOCALAPPDATA%/WBDAgent/AgentService.exe exit

[ Agent for Kubernetes ]
# kubectl delete -f https://wbd.ncloud.com:18088/agent/wbd_agent_ds.yaml

Delete the agent

Enter the following command to delete the agent process:

[ Agent for Linux ]
# wget https://wbd.ncloud.com:18088/agent/wbd_installer.sh -O wbd_installer.sh
# chmod a+x wbd_installer.sh
#./wbd_installer.sh uninstall

[ Windows Agent ]
C:\ > %LOCALAPPDATA%/WBDAgent/uninstall.exe

[ Agent for Kubernetes ]
# kubectl delete -f https://wbd.ncloud.com:18088/agent/wbd_agent_ds.yaml