Track web shell attacker's IP

    Available in VPC

    Refer to the following when tracking the web shell attacker's IP in a security incident caused by a web shell.

    Check the list of suspicious attacker IPs provided by the console
    The list of suspicious IPs is collected together with the detected web shell behavior and is based on the conditions at the time that behavior occurred. It provides the IP and country information by comparing conditions such as the customer's VM and its network communication status at the time of the web shell behavior.

    It is relatively likely that the attacker's IP is in the list of suspicious IPs, so refer to that list when tracking the attacker's IP.
    Depending on the circumstances, suspicious IPs may not have been collected. Regardless of whether they were collected, also track the attacker's IP through the access log as described below.

    Track the web shell attacker's IP through access logs
    You can track the web shell attacker's IP by finding the web shell behavior in the WAS access log. When looking in the access log for the IP that accessed and executed the web shell file, refer to the following conditions.

    • You can suspect those who accessed the server at the time the web shell was detected as attackers.
      If the extension of the accessed file is one that the WAS can execute, or the file is not one that should exist there, it could be a web shell.
    • If there is access history for a file in a path where files can be uploaded, you can suspect an attempt to execute a web shell.
    • If commands executed by the web shell remain in the URL query string, you can suspect an attempt to execute a web shell.
      Example: webshell.php?cmd=cat%20/etc/hosts
    Note

    The way to search for the web shell attacker's IP is similar to the method for finding web shell files. However, it may be easier to find the web shell file first and then track the attacker's IP: if you look in the access log for the IPs that accessed the web shell file after you have identified it, those IPs are likely to be the attacker's.
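    The following script is an added example, not part of the original article or of any console tool, that applies the three access log conditions above and the note's "find the file first" approach to a few constructed log lines in combined (Apache/NGINX style) format. The detection time, the upload path prefix, the executable extensions, the expected upload file types and the command-like parameter names are all assumptions and should be replaced with the values that match your WAS and your application.

```python
import re
import posixpath
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample WAS access log lines (combined log format). Not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:09:58:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:01:12 +0000] "POST /upload/image.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:10:01:45 +0000] "GET /upload/image.php?cmd=cat%20/etc/hosts HTTP/1.1" 200 310 "-" "python-requests/2.31"
203.0.113.10 - - [12/Mar/2024:10:02:00 +0000] "GET /upload/photo.jpg HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2024:10:05:30 +0000] "GET /upload/image.php?cmd=id HTTP/1.1" 200 64 "-" "curl/8.0"
"""

# Assumed values: the time the console reported the web shell detection, and
# the application-specific settings the conditions depend on.
DETECTED_AT = datetime(2024, 3, 12, 10, 2, tzinfo=timezone.utc)
UPLOAD_PREFIXES = ("/upload/",)                       # paths where users can upload files
EXEC_EXTS = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx"}  # extensions the WAS executes
EXPECTED_UPLOAD_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}  # files that belong under /upload/
CMD_PARAMS = {"cmd", "command", "exec"}               # query parameters that carry commands

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": url.path,
        "query": parse_qs(url.query),
        "status": int(m.group("status")),
    }


def reasons_for(entry, detected_at, window):
    """Return the list of conditions from the article that this request matches."""
    reasons = []
    ext = posixpath.splitext(entry["path"])[1].lower()
    # Condition 1: executable file accessed around the detection time.
    if abs(entry["time"] - detected_at) <= window and ext in EXEC_EXTS:
        reasons.append("executable file accessed near detection time")
    # Condition 2: a file in an upload path that is not an expected upload type.
    if entry["path"].startswith(UPLOAD_PREFIXES) and ext not in EXPECTED_UPLOAD_EXTS:
        reasons.append("unexpected file under upload path")
    # Condition 3: command-like parameter left in the query string.
    if any(name in CMD_PARAMS for name in entry["query"]):
        reasons.append("command-like query parameter")
    return reasons


def find_suspects(log_text, detected_at, window=timedelta(minutes=10)):
    """Return (entry, reasons) for every request matching at least one condition."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = reasons_for(entry, detected_at, window)
        if reasons:
            hits.append((entry, reasons))
    return hits


def rank_ips(hits):
    """Rank source IPs by how many conditions their requests matched in total."""
    counter = Counter()
    for entry, reasons in hits:
        counter[entry["ip"]] += len(reasons)
    return counter.most_common()


def ips_accessing(log_text, webshell_path):
    """The note's approach: once the web shell file is known, list every IP that requested it."""
    ips = set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and entry["path"] == webshell_path:
            ips.add(entry["ip"])
    return sorted(ips)


if __name__ == "__main__":
    for entry, reasons in find_suspects(SAMPLE_LOG, DETECTED_AT):
        print(entry["ip"], entry["time"].isoformat(), entry["path"], "->", "; ".join(reasons))
    print("ranked:", rank_ips(find_suspects(SAMPLE_LOG, DETECTED_AT)))
    print("accessed /upload/image.php:", ips_accessing(SAMPLE_LOG, "/upload/image.php"))
```

    On the sample lines the ranking puts 198.51.100.7 first (an executable file under the upload path, accessed around the detection time, with a command in the query string), followed by 192.0.2.55, while the ordinary request to /index.php only scores on the time window and the image request under /upload/ is not flagged at all. Treat the ranking as a starting point for manual review, not as proof of attribution; once the web shell file itself has been identified, ips_accessing gives the shorter list the note recommends working from.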

