Check occurrence of web shell behaviors (Webshell List)


Available in VPC

You can view and manage web shell behaviors that the agent detected from the client's server in the WebShell List menu.
In this menu, you can view information such as server information, time of detection, process information, and suspicious attacker IPs, which you can use to assess and respond to web shell behaviors. You can also view the list of suspicious web shell files that caused the detected web shell behaviors, isolate or restore them, and easily add exceptions based on the detected web shell behaviors.

View details of web shell behaviors

If you've received a notification about web shell behavior detection, you can see the details and take necessary measures on the NAVER Cloud Platform console's web shell behaviors list (Webshell List).

To view details of web shell behaviors:

  1. From the NAVER Cloud Platform console's VPC environment, navigate to i_menu > Services > Security > Webshell Behavior Detector.
  2. Navigate to Detection List > WebShell List.
  3. Click the web shell behavior item you'd like to check.
    • Details of the web shell behavior are displayed.

The interface of the list of web shell behaviors includes the following components:

Component: Description
① Mark as exception: Set an exception rule for this item.
② Isolate/Restore file: View the list of suspicious files.
③ Delete detection history: Delete the web shell behavior item.
④ Detection time: Filter items based on time of detection.
⑤ Search bar: Set search conditions and click [Search] to search for items.
⑥ Filter: Filter items based on response status.
⑦ Web shell behavior item: View web shell behavior information, and use buttons of related features.
⑧ Details: View details of web shell behaviors.

View suspicious files

You can view the list of suspicious web shell files related to detected web shell behaviors, and isolate files identified as web shells or restore isolated files.

To view files suspected of being web shells:

  1. From the NAVER Cloud Platform console's VPC environment, navigate to i_menu > Services > Security > Webshell Behavior Detector.

  2. Navigate to Detection List > WebShell List.

  3. In the Suspicious files area of the item to check, click [View].

    • You can also click the item and then the [Isolate/Restore file] button at the top of the list.
  4. Click the file from the list popup to see the details.

  5. If the detected behavior is determined to be a web shell, click [Isolate file] next to Isolate/Restore to isolate the file.

    • The file is isolated in the same path with a name that will be difficult for attackers to guess.
      (Example: /var/www/html/uploads/webshell.php.webshell_20200320012000.BC98D127F4)
    • The web shell behavior item is processed as checked (with gray icon and text), and the isolated file is added to the list of suspicious files (Quarantine).
    • When a file is isolated, the [Isolate file] button changes to [Restore file], which allows you to restore the file if required. After you restore an isolated file, you can no longer isolate or restore other files from that page.
Caution

Proceed with caution since the isolation of normal files may cause a service failure.

Note

There may not actually be any web shells in the list of suspicious files. See Track web shell files for conditions and circumstances to check or consider when looking for web shell files.

View suspicious IPs

You can view a list of suspicious attacker IPs related to detected web shell behaviors.

To view the list of suspicious IPs:

  1. From the NAVER Cloud Platform console's VPC environment, navigate to i_menu > Services > Security > Webshell Behavior Detector.
  2. Navigate to Detection List > WebShell List.
  3. In the Suspicious IPs area of the item to check, click [View].
  4. Check the suspicious IP information from the list popup.
Note

The web shell attacker's IP may not be displayed in the list of suspicious IPs. See Track web shell attacker IP for conditions and circumstances to check or consider when looking for web shell attacker IPs.

Treat as exception

When a detected web shell behavior item turns out to be a normal action, you can treat it as an exception so that the behavior is not detected again.

To treat a web shell behavior as an exception:

  1. From the NAVER Cloud Platform console's VPC environment, navigate to i_menu > Services > Security > Webshell Behavior Detector.

  2. Navigate to Detection List > WebShell List.

  3. Click the item to treat as an exception, and click [Treat as exception].

  4. Enter a name for the rule in the settings popup, and edit the entered value if necessary.

    • Only web shell behaviors that meet all the conditions of the exception rules (AND condition) are excepted.
    • Conditions that can be selected when creating exception rules are as follows:
      • START: Starting with the entered string.
      • END: Ending with the entered string.
      • NOT USE: Not using this condition.
Caution

Use the NOT USE condition with caution since it widens the range of the targets handled by the exception rule. If used excessively, then it may increase the chance of web shells not being detected.

  5. When you finish setting up, click [Yes].
    • The web shell behaviors treated as exceptions are moved to the exception rule list (Excepted List).
Note

You can see the added exception rules in the Exception Setting > Exception menu.
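
The AND matching and the widening effect of NOT USE described above, as an added example that is not NAVER Cloud Platform code. The field names (server, process, command), the rule layout, case-sensitive matching, and the sample detections are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical field names: the page does not list the fields a rule covers.
FIELDS = ("server", "process", "command")

@dataclass(frozen=True)
class Condition:
    mode: str        # "START", "END" or "NOT USE", the modes the page names
    value: str = ""

    def matches(self, text: str) -> bool:
        if self.mode == "NOT USE":
            return True  # condition is skipped, so every value passes
        if not self.value:
            # An empty START/END string would match everything, like NOT USE.
            raise ValueError("START/END needs a non-empty string")
        if self.mode == "START":
            return text.startswith(self.value)
        if self.mode == "END":
            return text.endswith(self.value)
        raise ValueError(f"unknown mode: {self.mode}")

def is_excepted(rule, detection):
    """AND semantics: excepted only if every field's condition matches."""
    return all(rule[f].matches(detection[f]) for f in FIELDS)

def unused_fields(rule):
    """Fields set to NOT USE; each one widens what the rule excepts."""
    return [f for f in FIELDS if rule[f].mode == "NOT USE"]

def excepted_indexes(rule, detections):
    return [i for i, d in enumerate(detections) if is_excepted(rule, d)]

# Constructed detections: [0] is the known-good job, [1] is not.
DETECTIONS = [
    {"server": "web-01", "process": "/usr/sbin/httpd",
     "command": "/bin/sh -c /opt/app/bin/thumbnail.sh /data/in/a.png"},
    {"server": "web-01", "process": "/usr/sbin/httpd",
     "command": "/bin/sh -c id; uname -a"},
]
NARROW = {"server": Condition("START", "web-"),
          "process": Condition("END", "/httpd"),
          "command": Condition("START", "/bin/sh -c /opt/app/bin/thumbnail.sh")}
BROAD = {**NARROW, "command": Condition("NOT USE")}

if __name__ == "__main__":
    for name, rule in (("narrow", NARROW), ("broad", BROAD)):
        print(name, "excepts", excepted_indexes(rule, DETECTIONS),
              "unused:", unused_fields(rule))
```

Replaying a draft rule against recent detections in this way, before saving it, shows whether it would also hide behaviors it was never meant to cover.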

Treat as checked/unchecked

Newly detected web shell behaviors are marked in red for identification. If you isolate the suspicious files from the item, the red mark automatically disappears. If the item doesn't need to be isolated, you can change the check status manually.

To change a web shell behavior's check status:

  1. From the NAVER Cloud Platform console's VPC environment, navigate to i_menu > Services > Security > Webshell Behavior Detector.
  2. Navigate to Detection List > WebShell List.
  3. In the Check area of the item to treat as checked, click the check icon.
    • The color of the icon and text is changed to gray.
    • To revert back to the unchecked status, click the icon once again.

Add memo

You can add memos to web shell behaviors, such as a brief description or additional information.

To add a memo:

  1. From the NAVER Cloud Platform console's VPC environment, navigate to i_menu > Services > Security > Webshell Behavior Detector.
  2. Navigate to Detection List > WebShell List.
  3. Click the item to add a memo to, then click the [Edit] button next to Memo in the details area.
  4. Enter the memo and click [Save].

Delete detection history

You can delete unnecessary web shell behavior items.

To delete a web shell behavior item:

  1. From the NAVER Cloud Platform console's VPC environment, navigate to i_menu > Services > Security > Webshell Behavior Detector.
  2. Navigate to Detection List > WebShell List.
  3. Click a web shell behavior item, then click [Delete detection history].
  4. In the confirmation popup, click [Yes].