Java Webshell

Last updated: 2024-08-13 16:29:50
This document describes how to use the Java Webshell feature.

Overview

CWPP monitors Java web service processes in real time and captures unknown classes present in their memory. It automatically identifies Webshells using Tencent Cloud's offensive and defensive experience and expert knowledge. If a Java Webshell is detected, the system sends you a real-time alarm notification.

Prerequisites

The Java Webshell feature is part of CWPP Ultimate Edition. To use this feature, upgrade to Ultimate Edition.

Directions

1. Log in to the CWPP console. In the left sidebar, choose Cyber Defense > Java Webshell to enter the Java Webshell page.
2. Choose Plugin configuration. Plugin configuration is a prerequisite for detecting Java Webshell. You can enable and disable plugins on your Ultimate Edition hosts and observe their specific running status.
Note:
Once the Java Webshell plugin is enabled, CWPP automatically scans the host for Java web service processes and injects detection probes into them. It can then monitor in real time for any Java Webshells injected by hackers via vulnerabilities or shells.
Hosts with the Java Webshell plugin deployed continuously monitor and capture unknown classes in the memory of Java web service processes. Webshells are identified automatically using Tencent Cloud's offensive and defensive experience and expert knowledge. If a Java Webshell is detected, the system sends you a real-time alarm notification.

Field Description:
Enable/Disable Plugin: The Java Webshell plugin is disabled by default. You can toggle the switch manually, either for a single host or in batches for multiple hosts.
Plugin Status: One of all normal, has anomalies, or not enabled.
First Enabled: Indicates the first time the plugin was enabled.
Update Time: Indicates the most recent time the plugin was enabled or disabled.
Details: View the running status of the currently injected Java Webshell plugin, including process PID, main class name of process, plugin status (injecting, injection successful, plugin timeout, insertion and exit, and injection failed), and error log.
3. After enabling the Java Webshell plugin, you can choose Alert List to view detected Java Webshell events and perform related handling operations.

Field Description:
Java Webshell Type: Includes filter type, listener type, servlet type, interceptors type, agent type, and others.
Description: A summary of the Java Webshell.
First Detected: The time when the Java Webshell was first detected.
Last Checked: The last time the Java Webshell was detected.
Status: One of pending, processed, or ignored.
Operation:
Click Details to view the details of the Webshell event.

Click View file in the Java Webshell details to see the decompiled Java files of the deployed file. You can copy or download the decompiled Java files or the original class files.

Click Process to perform operations such as Mark as processed, Ignore it, or Delete the record on the event. You can process the event individually or in batch.
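
The note in step 2 says the probes capture unknown classes in the memory of Java web service processes. As an added illustration (not Tencent Cloud's code, and not a description of how the CWPP plugin reaches its verdict), the Java sketch below shows one generic signal a defender can check for such a class: a class defined from a byte array has no code location on disk. `SampleComponent`, `BytesLoader`, `isMemoryOnly` and `flagMemoryOnly` are hypothetical names; compile with `javac` first so that `SampleComponent.class` exists on the classpath.

```java
import java.io.InputStream;
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.List;

// Constructed stand-in for a web component class (filter, servlet, listener).
class SampleComponent {}

public class MemoryOnlyClassCheck {

    // Hypothetical loader: defines a class directly from bytes,
    // so the JVM records no file location for it.
    static class BytesLoader extends ClassLoader {
        BytesLoader() { super(null); }
        Class<?> define(String name, byte[] b) {
            return defineClass(name, b, 0, b.length);
        }
    }

    // True when a non-JDK class has no code location on disk.
    static boolean isMemoryOnly(Class<?> c) {
        if (c.getClassLoader() == null) return false; // bootstrap (JDK) classes
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return cs == null || cs.getLocation() == null;
    }

    // Returns a description of each class that deserves a closer look.
    static List<String> flagMemoryOnly(List<Class<?>> loaded) {
        List<String> hits = new ArrayList<>();
        for (Class<?> c : loaded) {
            if (isMemoryOnly(c)) {
                hits.add(c.getName() + " (loader: "
                        + c.getClassLoader().getClass().getName() + ")");
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes;
        try (InputStream in = MemoryOnlyClassCheck.class
                .getResourceAsStream("/SampleComponent.class")) {
            bytes = in.readAllBytes();
        }
        Class<?> fromDisk = SampleComponent.class;
        Class<?> fromMemory = new BytesLoader().define("SampleComponent", bytes);
        // Same class name, different origin: only the byte-defined copy is flagged.
        flagMemoryOnly(List.of(String.class, fromDisk, fromMemory))
                .forEach(System.out::println);
    }
}
```

Frameworks that generate classes at runtime can also produce classes without a location, so treat a hit as a triage signal and review the decompiled class before acting on it.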


