Webshell on 办公AI智能小助手 https://blog.qife122.com/tags/webshell/ Recent content in Webshell on 办公AI智能小助手 Hugo zh-cn qife Tue, 25 Nov 2025 01:18:23 +0800 思科与Citrix零日漏洞遭活跃利用,攻击者部署Webshell https://blog.qife122.com/p/%E6%80%9D%E7%A7%91%E4%B8%8Ecitrix%E9%9B%B6%E6%97%A5%E6%BC%8F%E6%B4%9E%E9%81%AD%E6%B4%BB%E8%B7%83%E5%88%A9%E7%94%A8%E6%94%BB%E5%87%BB%E8%80%85%E9%83%A8%E7%BD%B2webshell/ Tue, 25 Nov 2025 01:18:23 +0800 https://blog.qife122.com/p/%E6%80%9D%E7%A7%91%E4%B8%8Ecitrix%E9%9B%B6%E6%97%A5%E6%BC%8F%E6%B4%9E%E9%81%AD%E6%B4%BB%E8%B7%83%E5%88%A9%E7%94%A8%E6%94%BB%E5%87%BB%E8%80%85%E9%83%A8%E7%BD%B2webshell/ <h1 id="思科与citrix零日漏洞遭活跃利用攻击者部署webshell">思科与Citrix零日漏洞遭活跃利用,攻击者部署Webshell</h1> <p>亚马逊威胁情报团队发现一项复杂的网络攻击活动,该活动利用关键企业基础设施中先前未披露的零日漏洞。高级威胁行为者正积极针对思科身份服务引擎(ISE)和Citrix系统,部署定制Webshell以获取对受感染网络的未授权管理访问权限。</p> ShadowSilk数据窃取攻击技术分析 https://blog.qife122.com/p/shadowsilk%E6%95%B0%E6%8D%AE%E7%AA%83%E5%8F%96%E6%94%BB%E5%87%BB%E6%8A%80%E6%9C%AF%E5%88%86%E6%9E%90/ Thu, 23 Oct 2025 06:28:44 +0800 https://blog.qife122.com/p/shadowsilk%E6%95%B0%E6%8D%AE%E7%AA%83%E5%8F%96%E6%94%BB%E5%87%BB%E6%8A%80%E6%9C%AF%E5%88%86%E6%9E%90/ <h1 id="shadowsilk数据窃取攻击">ShadowSilk数据窃取攻击</h1> <h2 id="概述">概述</h2> <p>定向数据窃取活动 FortiGuard Labs的网络遥测观察到攻击者积极利用Drupal Core和WP-Automatic WordPress插件中的已知漏洞进行初始访问。在系统被入侵后,攻击者部署多个Webshell和实用工具,以实现横向移动、权限提升和远程访问木马(RAT)的安装。</p> 隐藏在.well-known目录中的Webshell威胁分析 https://blog.qife122.com/p/%E9%9A%90%E8%97%8F%E5%9C%A8.well-known%E7%9B%AE%E5%BD%95%E4%B8%AD%E7%9A%84webshell%E5%A8%81%E8%83%81%E5%88%86%E6%9E%90/ Wed, 15 Oct 2025 17:21:45 +0800 https://blog.qife122.com/p/%E9%9A%90%E8%97%8F%E5%9C%A8.well-known%E7%9B%AE%E5%BD%95%E4%B8%AD%E7%9A%84webshell%E5%A8%81%E8%83%81%E5%88%86%E6%9E%90/ <h1 id="webshells-hiding-in-well-known-places">Webshells Hiding in .well-known Places</h1> <p><strong>发布:</strong> 2025-09-25<br> <strong>最后更新:</strong> 2025-09-25 14:24:49 UTC<br> <strong>作者:</strong> Johannes Ullrich(版本:1)</p> <p>通过我们的蜜罐记录,我经常看到对.well-known目录中文件的请求。例如:</p> 隐藏在.well-known目录中的Webshell威胁分析 https://blog.qife122.com/p/%E9%9A%90%E8%97%8F%E5%9C%A8.well-known%E7%9B%AE%E5%BD%95%E4%B8%AD%E7%9A%84webshell%E5%A8%81%E8%83%81%E5%88%86%E6%9E%90/ Sun, 12 Oct 2025 15:00:59 +0800 https://blog.qife122.com/p/%E9%9A%90%E8%97%8F%E5%9C%A8.well-known%E7%9B%AE%E5%BD%95%E4%B8%AD%E7%9A%84webshell%E5%A8%81%E8%83%81%E5%88%86%E6%9E%90/ <h1 id="webshells-hiding-in-well-known-places">Webshells Hiding in .well-known Places</h1> <p><strong>发布日期:</strong> 2025-09-25<br> <strong>最后更新:</strong> 2025-09-25 14:24:49 UTC<br> <strong>作者:</strong> Johannes Ullrich(版本:1)</p> <p>我们的蜜罐经常记录到对<code>.well-known</code>目录下文件的请求。例如:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">GET /.well-known/xin1.php?p </span></span><span class="line"><span class="cl">Host: [蜜罐主机名] </span></span></code></pre></td></tr></table> </div> </div><p>文件名表明攻击者很可能在寻找Webshell。我认为他们选择在<code>.well-known</code>目录中寻找的原因在于,这是一个隐藏Webshell而不被网站更新覆盖的理想位置。</p> 隐藏在.well-known目录中的Webshell威胁分析 https://blog.qife122.com/p/%E9%9A%90%E8%97%8F%E5%9C%A8.well-known%E7%9B%AE%E5%BD%95%E4%B8%AD%E7%9A%84webshell%E5%A8%81%E8%83%81%E5%88%86%E6%9E%90/ Mon, 29 Sep 2025 09:57:44 +0800 https://blog.qife122.com/p/%E9%9A%90%E8%97%8F%E5%9C%A8.well-known%E7%9B%AE%E5%BD%95%E4%B8%AD%E7%9A%84webshell%E5%A8%81%E8%83%81%E5%88%86%E6%9E%90/ <h1 id="webshells-hiding-in-well-known-places">Webshells Hiding in .well-known Places</h1> <p><strong>发布日期</strong>:2025-09-25<br> <strong>最后更新</strong>:2025-09-25 14:24:49 UTC<br> <strong>作者</strong>:Johannes Ullrich<br> <strong>版本</strong>:1</p> <p>我们的蜜罐经常记录到对<code>.well-known</code>目录下文件的请求。例如:</p> Webshell藏身于.well-known目录的隐秘威胁 https://blog.qife122.com/p/webshell%E8%97%8F%E8%BA%AB%E4%BA%8E.well-known%E7%9B%AE%E5%BD%95%E7%9A%84%E9%9A%90%E7%A7%98%E5%A8%81%E8%83%81/ Sat, 27 Sep 2025 21:56:38 +0800 https://blog.qife122.com/p/webshell%E8%97%8F%E8%BA%AB%E4%BA%8E.well-known%E7%9B%AE%E5%BD%95%E7%9A%84%E9%9A%90%E7%A7%98%E5%A8%81%E8%83%81/ <h1 id="webshell藏身于well-known目录的隐秘威胁">Webshell藏身于.well-known目录的隐秘威胁</h1> <p><strong>发布:2025-09-25 | 最后更新:2025-09-25 14:24:49 UTC</strong> 作者:Johannes Ullrich(版本:1)</p> <p>我们的蜜罐经常记录到对.well-known目录下文件的请求,例如:</p> SharePoint "ToolShell"漏洞在野利用分析与防护指南 https://blog.qife122.com/p/sharepoint-toolshell%E6%BC%8F%E6%B4%9E%E5%9C%A8%E9%87%8E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%E4%B8%8E%E9%98%B2%E6%8A%A4%E6%8C%87%E5%8D%97/ Thu, 11 Sep 2025 14:53:57 +0800 https://blog.qife122.com/p/sharepoint-toolshell%E6%BC%8F%E6%B4%9E%E5%9C%A8%E9%87%8E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%E4%B8%8E%E9%98%B2%E6%8A%A4%E6%8C%87%E5%8D%97/ <h1 id="sharepoint-toolshell漏洞在野利用分析">SharePoint &ldquo;ToolShell&quot;漏洞在野利用分析</h1> <h2 id="事件概述">事件概述</h2> <p>2025年7月18日,Sophos MDR(托管检测与响应)分析师观察到针对本地SharePoint实例的恶意活动激增,包括在多个环境中执行的恶意PowerShell命令。深入分析确认这些事件很可能是攻击者主动利用&quot;ToolShell&quot;漏洞链的结果。</p>