
WebShell and Threat Intelligence

2017-07-03 18:32


A good image; I hope it is useful to you.

Beyond that, there are four points that deserve attention:

Traffic monitor

"CaiDao" payloads are all carried in the request body.

"Weevely" payloads are all carried in cookies, split into pieces and reassembled afterwards.

File monitor

Webshell files always include a system method.

Encryption is very common.

Attack origin

The Tor network and proxy servers are the common attack origins.

Night is the high-frequency time.

Some attackers run batch scans at night, and unexpectedly it works.

Attack method

Web leaks and configuration issues account for the larger share.

One-sentence (one-liner) webshells and rebound (reverse) shells account for the larger share.
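The "Traffic monitor" point as an added detection example (not code from the original post): it checks POST body fields for code and rejoins cookie values in order before decoding them. The keyword list, the rejoin heuristic, the function names and the sample requests are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl

# Assumed keyword list: execution functions a form field or cookie should never carry.
EXEC_RE = re.compile(r"\b(eval|assert|system|exec|passthru|shell_exec|base64_decode)\s*\(", re.I)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

# Constructed sample requests (harmless "echo 1;" content), not captured traffic.
CAIDAO_BODY = "pass=%40eval%28base64_decode%28%24_POST%5Bz0%5D%29%29%3B&z0=ZWNobyAxOw%3D%3D"
WEEVELY_COOKIE = "sid=ZXZhbCgn; uid=ZWNobyAx; tok=OycpOw=="
BENIGN_COOKIE = "session=abc123; theme=dark"


def decodes_to_code(value):
    """True if value is base64 whose decoded text contains an execution keyword."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return False
    return bool(EXEC_RE.search(raw.decode("latin-1")))


def inspect_request(method, headers, body):
    """Return findings for one parsed HTTP request (headers is a dict)."""
    findings = []
    # Request-body case: flag fields holding code, in clear text or base64.
    if method == "POST":
        for name, value in parse_qsl(body, keep_blank_values=True):
            if EXEC_RE.search(value) or (B64_RE.match(value) and decodes_to_code(value)):
                findings.append(f"body:{name}")
    # Cookie case: the payload is split across cookies, so rejoin the values in order.
    pairs = [p.split("=", 1) for p in headers.get("Cookie", "").split(";") if "=" in p]
    values = [v.strip() for _, v in pairs]
    if len(values) >= 2 and decodes_to_code("".join(values)):
        findings.append("cookie:reassembled")
    return findings


if __name__ == "__main__":
    print(inspect_request("POST", {}, CAIDAO_BODY))
    print(inspect_request("GET", {"Cookie": WEEVELY_COOKIE}, ""))
    print(inspect_request("GET", {"Cookie": BENIGN_COOKIE}, ""))
```
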

Finally:

[Sequence diagram. Participants: Threat Intelligence, Webshell Monitor, Defender website, Sirp. Messages: Attacker feature; webshell feature; Analyze system leak; Emergency measures; Community data; Leak database.]