A web server is often regarded as the face of a company. Because it is exposed to users on the internet and to a wide, constantly changing variety of attack strategies, it is also frequently a weak point in the enterprise's overall system. Among those strategies, the webshell attack is one of the most troublesome: an attacker can upload a webshell file through a legitimate path and then operate it with network traffic that resembles that of normal users. Many research works focus on detecting webshell attacks, using methods that include static analysis of the source file and analysis of HTTP traffic, but an adversary can still evade detection by encoding or encrypting the webshell file and by encrypting the HTTP communication between the webshell on the server and the adversary's browser. To detect and defend against webshell-based command injection attacks, we propose an architecture named HoneyContainer, which detects the attack event, backtracks the source of the adversary, and redirects the malicious traffic to a honeypot container. In this way it can efficiently protect the web service from the adversary's intrusion. A prototype of HoneyContainer is implemented and validated with 214 real webshell files, and the results show that HoneyContainer detects all of the shell command injection events and redirects the malicious traffic to the honeypot environment. Furthermore, our evaluations indicate that the overhead caused by HoneyContainer is hardly noticeable for normal users.