
[AF] Business risk shows a WebShell Backdoor compromise, but the Backdoor log shows the request was rejected

Problem Description

The customer's Business Risk page shows a WebShell Backdoor compromise, but the corresponding log shows that the access was denied.

Warning Info

The alert details show that the request was rejected.

Effective troubleshooting steps

Analysing the packet attached to the log entry shows that the request field in the detailed info also carries a response field.

Root cause

WebShell Backdoor scanning and genuine WebShell Backdoor communication have the same traffic characteristics; the only difference is whether the requested URL actually exists on the server. Because the device itself intercepted the request packet of the WebShell scan, the server never answered, so the device cannot determine whether the URL exists. As a result, when the logged request packet also contains a response field, the engine treats the scan as actual two-way communication and therefore classifies the scanning behaviour as a Backdoor compromise.
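The triage helper below is an added example, not code from the Sangfor article or the AF product. It encodes the root-cause logic above so an analyst can separate a blocked scan (request plus a stray response field, action "deny") from real two-way WebShell communication; the key=value log format, the field names and the `triage` function are assumptions, and the sample log lines are constructed.

```python
"""Triage 'WebShell Backdoor' business-risk alerts against the Backdoor log."""
from dataclasses import dataclass


@dataclass
class BackdoorLog:
    url: str
    action: str         # device verdict on the request: "deny" or "allow"
    has_request: bool   # log details carry the HTTP request
    has_response: bool  # log details also carry an HTTP response field


def parse_log(line: str) -> BackdoorLog:
    """Parse one constructed 'key=value key=value' log line (assumed format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return BackdoorLog(
        url=fields["url"],
        action=fields["action"].lower(),
        has_request="req" in fields,
        has_response="resp" in fields,
    )


def triage(entry: BackdoorLog) -> tuple[str, str]:
    """Return (verdict, reason) for a Backdoor log entry."""
    if not entry.has_response:
        # Probe only: no server answer, so no communication took place.
        return "scan", "request without response: scanning behaviour"
    if entry.action == "deny":
        # The device blocked the request itself, so the server never answered;
        # the response field is not evidence that the URL (a WebShell) exists.
        return "false_positive", ("response field present but request was denied "
                                  "by the device; cannot confirm the URL exists")
    # Request allowed and answered: genuine two-way WebShell communication.
    return "compromise", "request allowed and answered: real backdoor traffic"


# Constructed sample log lines (not real device output).
SAMPLE_LOGS = [
    "url=/uploads/shell.php action=deny req=POST resp=200",   # the case in this article
    "url=/uploads/shell.php action=allow req=POST resp=200",  # real compromise
    "url=/probe/x.php action=deny req=POST",                  # plain scan
]


def triage_all(lines: list[str]) -> list[str]:
    """Verdict per line, in input order."""
    return [triage(parse_log(line))[0] for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(line, "->", triage(parse_log(line)))
```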

Solution

The existing recognition engine cannot be modified; the reason for the alert should be explained to the customer.

Original Link

https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=1949&isOpen=true