Java Webshell

Last updated: 2024-08-13 16:29:50
    This document describes how to use the Java Webshell feature.

    Overview

    CWPP monitors Java Web Service processes in real time and captures unknown classes present in their memory. It automatically identifies Webshells by applying Tencent Cloud's offensive and defensive experience along with expert knowledge. If a Java Webshell is detected, the system sends you a real-time alarm notification.

    Prerequisites

    The Java Webshell feature is part of CWPP Ultimate Edition. To use this feature, upgrade to Ultimate Edition.

    Directions

    1. Log in to the CWPP console. In the left sidebar, choose Cyber Defense > Java Webshell to enter the Java Webshell page.
    2. Choose Plugin configuration. Plugin configuration is a prerequisite for detecting Java Webshell. You can enable and disable plugins on your Ultimate Edition hosts and observe their specific running status.
    Note:
    Once the Java Webshell plugin is enabled, CWPP automatically scans the host for Java Web Service processes and injects detection probes into these services. This lets it monitor in real time for any Java Webshells injected by hackers via vulnerabilities or shells.
    Hosts with the Java Webshell plugin deployed continuously monitor and capture unknown classes in the memory of Java Web Service processes. Webshells are identified automatically using Tencent Cloud's offensive and defensive experience along with expert knowledge. If a Java Webshell is detected, the system sends you a real-time alarm notification.
    
    Field Description:
    Enable/Disable Plugin: The Java Webshell plugin is disabled by default. Users can manually set the switch, either for a single host or in batches for multiple hosts.
    Plugin Status: One of all normal, has anomalies, or not enabled.
    First Enabled: Indicates the first time the plugin was enabled.
    Update Time: Indicates the most recent time the plugin was enabled or disabled.
    Details: View the running status of the currently injected Java Webshell plugin, including the process PID, the main class name of the process, the plugin status (injecting, injection successful, plugin timeout, insertion and exit, and injection failed), and the error log.
    3. After enabling the Java Webshell plugin, you can choose Alert List to view detected Java Webshell events and perform related handling operations.
    
    Field Description:
    Java Webshell Type: Includes filter type, listener type, servlet type, interceptors type, agent type, and others.
    Description: A summary of the Java Webshell.
    First Detected: The time when the Java Webshell was first detected.
    Last Checked: The last time the Java Webshell was detected.
    Status: One of pending, processed, or ignored.
    Operation:
    Click Details to view the details of the Webshell event.
    
    Click View file in the Java Webshell details to see the decompiled Java files of the deployed file. You can copy or download the decompiled Java files or the original class files.
    
    Click Process to perform operations such as Mark as processed, Ignore it, or Delete the record on the event. You can process the event individually or in batch.
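
The Note in step 2 says the probe captures unknown classes in the memory of Java Web Service processes. As an added example (not Tencent Cloud's probe or detection logic), the Java agent below applies one simple heuristic to the same idea: it lists loaded classes that implement a servlet filter, servlet, listener or Spring interceptor interface but have no jar or directory code source. The class name `MemClassAudit`, the interface list and the output format are assumptions made for this illustration; the jar manifest must name the class in `Agent-Class`.

```java
import java.lang.instrument.Instrumentation;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added illustration, not CWPP's probe. Attach-time agent; requires Java 9+ (Set.of).
public final class MemClassAudit {
    // Interfaces behind the filter, servlet, listener and interceptor alert types.
    private static final Set<String> KINDS = Set.of(
        "javax.servlet.Filter", "jakarta.servlet.Filter",
        "javax.servlet.Servlet", "jakarta.servlet.Servlet",
        "javax.servlet.ServletRequestListener", "jakarta.servlet.ServletRequestListener",
        "org.springframework.web.servlet.HandlerInterceptor");

    // Walks superclasses and super-interfaces; returns the matched name or null.
    static String componentKind(Class<?> c) {
        for (Class<?> k = c; k != null; k = k.getSuperclass()) {
            for (Class<?> i : k.getInterfaces()) {
                String hit = KINDS.contains(i.getName()) ? i.getName() : componentKind(i);
                if (hit != null) return hit;
            }
        }
        return null;
    }

    // True when the class was defined with a code source URL (jar or directory).
    static boolean hasCodeLocation(Class<?> c) {
        ProtectionDomain pd = c.getProtectionDomain();
        CodeSource cs = (pd == null) ? null : pd.getCodeSource();
        return cs != null && cs.getLocation() != null;
    }

    // Candidates for review: web components that exist only as in-memory definitions.
    static List<String> audit(Class<?>[] loaded) {
        List<String> findings = new ArrayList<>();
        for (Class<?> c : loaded) {
            if (c.isInterface() || c.isArray() || c.isPrimitive()) continue;
            String kind = componentKind(c);
            if (kind != null && !hasCodeLocation(c))
                findings.add(kind + " <- " + c.getName() + " (loader " + c.getClassLoader() + ")");
        }
        return findings;
    }
    // Entry point invoked when the agent jar is attached to a running JVM.
    public static void agentmain(String args, Instrumentation inst) {
        audit(inst.getAllLoadedClasses()).forEach(f -> System.err.println("[mem-class-audit] " + f));
    }
}
```

The output is a list of candidates to review, since some frameworks legitimately define classes at run time. Agent type Webshells that alter existing classes rather than add new ones are not covered by this heuristic.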
    
    