TridentShell: An enhanced covert and scalable backdoor injection attack on web applications
Journal of Network and Computer Applications (IF 8.7). Pub Date: 2023-12-30. DOI: 10.1016/j.jnca.2023.103823
Xiaobo Yu, Weizhi Meng, Yining Liu, Fei Zhou

Web backdoor attacks are an increasingly prevalent class of network attack that can cause substantial losses for webmasters. During a cyber-attack, system vulnerabilities and web application flaws are typically exploited to implant a web shell on the victim server. To mitigate the threats posed by web shells, research has focused on static feature detection, which has evolved rapidly in recent years. However, static feature detection has inherent limitations and security risks. In this paper, we present TridentShell, a novel web backdoor attack that can inject an invisible backdoor into a victim server without leaving any traces of the attack. Furthermore, TridentShell can circumvent almost all static detection methods. Unlike existing approaches, which rely on traditional encryption and obfuscation techniques to avoid detection, our proposed attack is designed to blend naturally into the web application server. In this work, we introduce enhancements to the original TridentShell that make it, in theory, untraceable, since it uses a blockchain-based decentralized C&C server with better presentation capability. The experimental results show that TridentShell can effectively compromise five different types of Java application servers (covering around 87% of the Java application servers on the market) and can scrub any attack traces from the server, making it especially difficult to detect.

Updated: 2023-12-30