Login
      Contents x
      Troubleshooting for Webshell Behavior Detector
        • Print
        • PDF
        Contents

        Troubleshooting for Webshell Behavior Detector

          • Print
          • PDF
          Article Summary

          Available in VPC

          Respond to error codes displayed while using Webshell Behavior Detector referring to the following. If the problem persists, then use the customer inquiry feature from the NAVER Cloud Platform portal.

          How to respond to each error code

          The following describes each error code and how to resolve them.

          • [5002] The path you entered could not be found.
            Cause: You've specified a webroot or upload path that doesn't exist or is inaccessible when registering detection targets.
            Resolution: Check the path and set it again.

          • [5101] Failed to isolate or restore file. The target file to isolate or restore doesn't exist.
            Cause: The target file for isolation or restoration doesn't exist. There may be different causes; e.g., you may have isolated or restored from different item, edited it directly on the server, etc.
            Resolution: Access the server and identify the situation, e.g., check the file to be isolated or restored, and respond accordingly.

          • [5102] Failed to isolate or restore file. The file name you want to use for isolation or restoration already exists.
            Cause: The name for the file to be changed to, when isolating or restoring it, is already in use. There may be different causes, such as other admins accessing the server to restore files.
            Resolution: Access the server and identify situations, e.g., checking whether there's a file that has the name to be changed upon isolation or restoration, and respond accordingly.

          • [5103] Failed to restore file. We recommend checking it on the server.
            Cause: An error occurred while changing the name to that of the original file when restoring the file.
            Resolution: Access the server and identify situations, e.g., checking the isolated file's name and whether there's a file that has the name to be changed upon restoration, and respond accordingly.

          • [5104] Failed to isolate file. We recommend checking it on the server.
            Cause: An error occurred while changing the name to that of the file to be isolated when isolating the file.
            Resolution: Access the server and identify situations such as checking the original file.

          • [5401] WAS process could not be found. Please check the WAS execution status. If you don't want to use the agent, then please disable it.
            Cause: The WAS process could not be found by the agent.
            Resolution:

            • If the error occurred while the agent was enabled, then execute WAS from the server first and enable the agent again. If you can't find the WAS process even while WAS is running, then the WAS might not be supported. Check the environments supported by the service before using it.
            • This error can also occur when the WAS process was ended while the agent was executed normally. In this case, WAS may have been temporarily ended intentionally (for update, etc.), so the agent remains enabled to avoid being exposed to the risk of web shell attacks. Execute the WAS again, or disable the agent if you don't want it executed.
            • If the error is not fixed after executing the WAS, then disable the agent and enable it again.
            • If it is not fixed by disabling/enabling the agent, then please restart the agent in the server as follows.
            # /opt/nbp/wbd/wbd_agent -s stop
# /opt/nbp/wbd/wbd_agent -s start
or 
# /opt/nbp/wbd/wbd_agent -s reload

          • [5402] The WAS process could not be found. Please check the WAS execution status. If you don't want to use the agent, then please disable it.
            Cause: The number of WAS processes allowed by the detection target server is exceeded.
            Resolution:

            • If the error occurred while the agent was enabled, then adjust the number of WASes and enable the agent again.
            • This error can also occur when the number of the WAS processes allowed was exceeded while the agent is executing normally. In this case, the number of WAS processes may have been temporarily exceeded, so the agent remains enabled to avoid being exposed to the risk of web shell attacks. However, some features may not work normally.
            • If the error is not fixed after adjusting the number of WASs to be within the allowed number, then disable the agent and enable it again.
            • If it is not fixed by disabling/enabling the agent, then please restart the agent in the server as follows.
            # /opt/nbp/wbd/wbd_agent -s stop
# /opt/nbp/wbd/wbd_agent -s start
or 
# /opt/nbp/wbd/wbd_agent -s reload
          Note

          If you have set the PHP when registering the detection target server, then only one Apache or NGINX is allowed. If you set the JSP, then only one Tomcat is allowed.
          Example: In the NGINX environment, it is recognized as one WAS in the following situation.

          nginx: master process
    nginx: worker process
    nginx: worker process
    nginx: worker process

          • [5403] Unable to access the access log file of the WAS process. Some information collection may be omitted. Please check the access log file.
            Cause: The agent is unable to access the WAS access log file in the JSP environment.
            Resolution:

            • If the error occurred while the agent was enabled, then check if you can access the access log file and enable the agent again.
            • This error can also occur when you can't access the access log while the agent is being executed normally. In this case, the number of WAS processes may have been temporarily exceeded, so the agent remains enabled to avoid being exposed to the risk of web shell attacks. However, we recommend solving the error since some features might not function properly if this error is maintained.
            • If the error is not fixed after taking measures to access the access log, then disable the agent and enable it again.
            • If it is not fixed by disabling/enabling the agent, then please restart the agent in the server as follows.
            # /opt/nbp/wbd/wbd_agent -s stop
# /opt/nbp/wbd/wbd_agent -s start
or 
# /opt/nbp/wbd/wbd_agent -s reload

          • [5404] The inotify limit has exceeded. Please refer to the guide.
            Cause: The use of the inotify limit value is restricted.
            Resolution: The inotify limit value used within the web shell product may be limited, depending on your server environment. Adjust the inotify limit value as follows.

            • Check the inotify limit value currently set in the server
            $ cat /proc/sys/fs/inotify/max_user_watches
            • Change inotify limit value temporarily (example)
            $ sudo sysctl fs.inotify.max_user_watches=8192 (desired value)
$ sudo sysctl -p
            • Change inotify limit value permanently (example)
              Add fs.inotify.max_user_watches=100000 (desired value) to the /etc/sysctl.conf file and run sudo sysctl-p.
            $ echo fs.inotify.max_user_watches=100000 | sudo tee -a /etc/sysctl.conf
$ sudo sysctl -p

            Set the inotify limit value to an appropriate value for your server environment. Restart the agent in the server after changing the inotify limit value as follows.

            # /opt/nbp/wbd/wbd_agent -s stop
# /opt/nbp/wbd/wbd_agent -s start
or 
# /opt/nbp/wbd/wbd_agent -s reload

          • [5405] Unable to access the following path. Some functions may not work properly. Please check and take the necessary measures.
            Cause: The agent is unable to access the destination, such as webroot path, upload path, or access log, to collect web shell behaviors.
            Resolution: Please make sure that the agent can access the path displayed in the error message.

          • [6007] Unable to connect to the agent. Please check the agent's operation status or server network.
            Cause: The communication to the agent has been disconnected.
            Resolution: Check the agent's execution status or the detection target server's network status. If the agent is ended, then execute the agent as follows.

            # /opt/nbp/wbd/wbd_agent -s start

          • [6008] Agent update failed. Please check the agent's operation status or server network.
            Cause: An update signal has been sent to the agent, but the update was not carried out.
            Resolution:

            • Check the agent's execution status or the detection target server's network status. If the agent is ended, then execute the agent as follows.
            # /opt/nbp/wbd/wbd_agent -s start
            • If the agent is executing normally, then end the agent and restart again as follows.
            # /opt/nbp/wbd/wbd_agent -s stop
# /opt/nbp/wbd/wbd_agent -s start
or 
# /opt/nbp/wbd/wbd_agent -s reload

          • [6021] The requested command timed out. Please try again later.
            Cause: A command to enable/disable, or isolate/restore file has been sent to the agent, but the request timed out.
            Resolution:

            • Check the agent's execution status or the detection target server's network status. If the agent is ended, then execute the agent as follows.
            # /opt/nbp/wbd/wbd_agent -s start
            • If the agent is executing normally, then end the agent and restart again as follows.
            # /opt/nbp/wbd/wbd_agent -s stop
# /opt/nbp/wbd/wbd_agent -s start
or 
# /opt/nbp/wbd/wbd_agent -s reload

          • [6023] Unable to connect to the agent. Please check the agent's operation status or server network.
            Cause: A command has been sent, but was unable to connect to the agent.
            Resolution:

            • Check the agent's execution status or the detection target server's network status. If the agent is ended, then execute the agent as follows.
            # /opt/nbp/wbd/wbd_agent -s start
            • If the agent is executing normally, then end the agent and restart again as follows.
            # /opt/nbp/wbd/wbd_agent -s stop
# /opt/nbp/wbd/wbd_agent -s start
or 
# /opt/nbp/wbd/wbd_agent -s reload

          • [8003] Failed to deliver the file isolation command. Please check the agent's operation status or server network.
            Cause: A command to isolate file has been sent, but was unable to connect to the agent.
            Resolution:

            • Check the agent's execution status or the detection target server's network status. If the agent is ended, then execute the agent as follows.
            # /opt/nbp/wbd/wbd_agent -s start
            • If the agent is executing normally, then end the agent and restart again as follows.
            # /opt/nbp/wbd/wbd_agent -s stop
# /opt/nbp/wbd/wbd_agent -s start
or 
# /opt/nbp/wbd/wbd_agent -s reload

          • [8004] Invalid request. Please refresh and proceed.
            Cause: An invalid request was made, such as a deletion request for an already deleted target or an exception request for an already excepted target.
            Resolution:

            • Refresh to check the latest content and try again.
            • If the same problem keeps occurring, then use the customer inquiry feature from the NAVER Cloud Platform portal.

          • [8005] Invalid request. Please refresh and proceed.
            Cause: The requested value is invalid.
            Resolution:

            • Refresh to check if the request is for a valid data and try again.
            • If the same problem keeps occurring, then use the customer inquiry feature from the NAVER Cloud Platform portal.

          • [8008] The file has already been isolated/restored. Please refresh and proceed.
            Cause: A request has been made to isolate a file which is already isolated, or restore a file which is already restored.
            Resolution:

            • Refresh to check the latest content and try again.
            • If the same problem keeps occurring, then use the customer inquiry feature from the NAVER Cloud Platform portal.

          • [8009] Failed to send the command to restore file. Please check the agent's operation status or server network.
            Cause: A command to restore file has been sent, but was unable to connect to the agent.
            Resolution:

            • Check the agent's execution status or the detection target server's network status. If the agent is ended, then execute the agent as follows.
            # /opt/nbp/wbd/wbd_agent -s start
            • If the agent is executing normally, then end the agent and restart again as follows.
            # /opt/nbp/wbd/wbd_agent -s stop
# /opt/nbp/wbd/wbd_agent -s start
or 
# /opt/nbp/wbd/wbd_agent -s reload

          • [8010] Failed to send a request to enable the agent. Please check the agent's operation status or server network.
            Cause: A command to enable the agent has been sent, but was unable to connect to the agent.
            Resolution:

            • Check the agent's execution status or the detection target server's network status. If the agent is ended, then execute the agent as follows.
            # /opt/nbp/wbd/wbd_agent -s start
            • If the agent is executing normally, then end the agent and restart again as follows.
            # /opt/nbp/wbd/wbd_agent -s stop
# /opt/nbp/wbd/wbd_agent -s start
or 
# /opt/nbp/wbd/wbd_agent -s reload

          • [8012] The range that can be searched or accessed at one time has been exceeded. Please try again after adjusting the search period or conditions.
            Cause: The range that can be searched or accessed at one time (10,000) has been exceeded.
            Resolution:

            • Try searching again after adjusting the search by setting the search period or conditions to be within the allowed range.
            • If the same problem keeps occurring, then use the customer inquiry feature from the NAVER Cloud Platform portal.

          • [8013] The modified detection target setting information was sent, but the delivery failed. Please check the agent's operation status or server network.
            Cause: The changed detection target setting information is sent, but was unable to connect to the agent.
            Resolution:

            • Check the agent's execution status or the detection target server's network status. If the agent is ended, then execute the agent as follows.
            # /opt/nbp/wbd/wbd_agent -s start
            • If the agent is executing normally, then end the agent and restart again as follows.
            # /opt/nbp/wbd/wbd_agent -s stop
# /opt/nbp/wbd/wbd_agent -s start
or 
# /opt/nbp/wbd/wbd_agent -s reload
          Was this article helpful?
          What's Next
          Change password!
          Changing your password will log you out immediately. Use the new password to log back in.
          Change profile
          Success!
          First name must have atleast 2 characters. Numbers and special characters are not allowed.
          Last name must have atleast 1 characters. Numbers and special characters are not allowed.
          Enter a valid email
          Enter a valid password
          Your profile has been successfully updated.
          Logout