Check the occurrence of web shell behaviors (Webshell List)
Available in VPC
You can check and manage web shell behaviors that the agent detected from the customer's server in the Webshell List menu.
In this menu, you can check information such as the server, the time of detection, process information, and the suspicious attacker IP, which you can use to assess and respond to web shell behaviors. It also provides the list of files suspected to be web shells that were found when the behavior was detected. Based on the detected behavior, you can isolate or restore those files, or handle the item as an exception.
Check the details for web shell behaviors
If you've received a notification about web shell behavior detection, then you can see the details and take necessary measures in NAVER Cloud Platform console's web shell behaviors list (Webshell List).
The following describes how to check the web shell behavior details.
- From the VPC environment of the NAVER Cloud Platform console, click the Services > Security > Webshell Behavior Detector menus in this order.
- Click the Detection List > Webshell List menus in order.
- Click the web shell behavior item you'd like to check.
- Detailed information of the web shell behavior is displayed.
The following are descriptions of items in the web shell behavior list.
Area | Description |
---|---|
① Exception handling | Set exception handling rule with the item |
② File isolation/restoration | Check the list of suspicious files |
③ Delete detection history | Delete the web shell behavior item |
④ Detection time | Filter items based on time of detection |
⑤ Search window | Set search conditions, and then click the [Search] button to search for items |
⑥ Filter | Filter items based on response status |
⑦ Web shell behavior item | Check web shell behavior information, and use buttons for related features |
⑧ Detailed information | Check the details for web shell behaviors |
View suspicious files
You can check the list of files suspected to be web shells related to detected web shell behaviors, and then isolate files judged to be web shells or restore the isolated files.
The following describes how to check files suspected to be web shells.
- From the VPC environment of the NAVER Cloud Platform console, click the Services > Security > Webshell Behavior Detector menus in this order.
- Click the Detection List > Webshell List menus in order.
- Click the [View] button from the Suspicious files area of the item you'd like to check.
  - You can also click the item and then the [File isolation/restoration] button at the top of the list.
- Click the file from the list pop-up window to see the detailed information.
- If the detected behavior is judged to be a web shell, then click the [Isolate file] button next to Isolate/Restore to isolate the file.
  - The file will be isolated in the same path with a name that will be difficult for attackers to guess. (Example: /var/www/html/uploads/web shell.php.web shell_20200320012000.BC98D127F4)
  - The web shell behavior item will be processed as checked (the icon and text will be grayed), and the isolated file will be added to the list of suspicious files (Quarantine).
  - When a file is isolated, the [Isolate file] button will change to [Restore file], which allows you to restore the file if required. When you restore an isolated file, you can't isolate or restore the file anymore on that page.
Proceed with caution since the isolation of normal files may cause a service failure.
There may not actually be any web shells in the list of suspicious files. Refer to Track web shell file for conditions and circumstances to check or consider when looking for web shell files.
See suspicious IP
You can check the list of suspicious attacker IPs related to the detected web shell behaviors.
The following describes how to check the suspicious IPs.
- From the VPC environment of the NAVER Cloud Platform console, click the Services > Security > Webshell Behavior Detector menus in this order.
- Click the Detection List > Webshell List menus in order.
- Click the [View] button from the Suspicious IPs area of the item you'd like to check.
- Check the suspicious IP information from the list pop-up window.
The web shell attacker's IP may not be exposed on the list of suspicious IPs. Refer to Track web shell attacker IP for conditions and circumstances to check or consider when looking for web shell attacker IPs.
Exception handling
If a detected web shell behavior item turns out to be a normal action, then you can handle it as an exception so that the behavior is not detected again.
The following describes how to handle a web shell behavior item as an exception.
- From the VPC environment of the NAVER Cloud Platform console, click the Services > Security > Webshell Behavior Detector menus in this order.
- Click the Detection List > Webshell List menus in order.
- Click the item to mark as an exception, and then click the [Handle as exception] button.
- Enter a name for the rule in the settings pop-up window, and edit the entered value if necessary.
  - Only web shell behaviors that meet all the conditions of the exception rule (AND condition) are excepted.
  - Conditions that can be selected when creating exception rules are as follows.
    - START: Starting with the entered string
    - END: Ending with the entered string
    - NOT USE: Not using this condition
  Use the NOT USE condition with caution since it widens the range of the targets handled by the exception rule. If used excessively, then it may increase the chance of web shells not being detected.
- Click the [Yes] button once you finish setting.
  - Web shell behavior items marked as exceptions are moved to the excepted rule list (Excepted List).
You can see the added exception rules in the Exception Setting > Exception menu.
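As an added illustration (not part of this guide or the product's own code), the following Python models the exception rule semantics described above: each condition is START, END or NOT USE, and a behavior is excepted only when every condition holds (AND condition). The detection fields `path` and `parent` and the two sample detections are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Literal

Mode = Literal["START", "END", "NOT USE"]


@dataclass
class Condition:
    """One condition of an exception rule, in the three modes the guide lists."""
    mode: Mode
    value: str = ""

    def matches(self, text: str) -> bool:
        if self.mode == "NOT USE":
            return True  # disabled condition: matches anything, which widens the rule
        if self.mode == "START":
            return text.startswith(self.value)
        if self.mode == "END":
            return text.endswith(self.value)
        raise ValueError(f"unknown mode {self.mode!r}")


@dataclass
class ExceptionRule:
    name: str
    conditions: Dict[str, Condition]  # detection field name -> condition

    def excepts(self, detection: Dict[str, str]) -> bool:
        # AND condition: the behavior is excepted only if every condition holds
        return all(c.matches(detection.get(f, "")) for f, c in self.conditions.items())


def disabled_conditions(rule: ExceptionRule) -> int:
    """Count NOT USE conditions; a higher count means a broader, riskier exception."""
    return sum(1 for c in rule.conditions.values() if c.mode == "NOT USE")


# Constructed sample detections (assumed field names, not real detector output)
DEPLOY_HOOK = {"path": "/opt/deploy/bin/reload.sh", "parent": "/usr/sbin/httpd"}
UPLOAD_SHELL = {"path": "/var/www/html/uploads/upload.php", "parent": "/usr/sbin/httpd"}

# Narrow rule: both fields constrained, so only the deploy hook is excepted
NARROW = ExceptionRule("deploy reload", {
    "path": Condition("START", "/opt/deploy/"),
    "parent": Condition("END", "/httpd"),
})
# Broad rule: path set to NOT USE, so every child of httpd is excepted, the upload included
BROAD = ExceptionRule("any httpd child", {
    "path": Condition("NOT USE"),
    "parent": Condition("END", "/httpd"),
})
```

Comparing `NARROW` and `BROAD` against the same two detections shows why the guide warns about NOT USE: one disabled condition is enough to silence detection of the uploaded file.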
Handle as checked/unchecked
Newly detected web shell behavior items are marked in red for identification. If you isolate the suspicious files from the item, then the red mark automatically disappears. If the item doesn't need to be isolated, then you can change the check status directly.
The following describes how to change a web shell behavior item's check status.
- From the VPC environment of the NAVER Cloud Platform console, click the Services > Security > Webshell Behavior Detector menus in this order.
- Click the Detection List > Webshell List menus in order.
- From the Checked area of the item you'd like to mark as checked, click the check icon.
  - The color of the icon and text will change to gray.
  - To revert to the unchecked status, click the icon once again.
Add memos
You can add memos to web shell behavior items, such as a brief description or additional information.
The following describes how to add memos.
- From the VPC environment of the NAVER Cloud Platform console, click the Services > Security > Webshell Behavior Detector menus in this order.
- Click the Detection List > Webshell List menus in order.
- Click the item to add a memo, and then click the [Edit] button next to Memo in the details area.
- Enter the memo, and then click the [Save] button.
Delete detection history
You can delete unnecessary web shell behavior items.
The following describes how to delete a web shell behavior item.
- From the VPC environment of the NAVER Cloud Platform console, click the Services > Security > Webshell Behavior Detector menus in this order.
- Click the Detection List > Webshell List menus in order.
- Click a web shell behavior item, then click the [Delete detection history] button.
- Click the [Yes] button from the confirmation pop-up window.