        GetWebshell


        Available in VPC

        Get the history of webshell suspicious behavior detected on a resource registered for detection.

        Request

        The request format for the endpoint is as follows:

        | Method | URI |
        | --- | --- |
        | GET | /detections |

        Request headers

        For headers common to all Webshell Behavior Detector APIs, see Common Webshell Behavior Detector headers.

        Request query parameters

        The following describes the parameters.

        | Field | Type | Required | Description |
        | --- | --- | --- | --- |
        | pageIndex | Integer | Required | Page number |
        | pageSize | Integer | Required | Number of items output per page |

        Request example

        The following is a sample request.

        curl --location --request GET 'https://wbd.apigw.ntruss.com/api/v1/detections?pageIndex=1&pageSize=3' \
        --header 'x-ncp-apigw-timestamp: {Timestamp}' \
        --header 'x-ncp-iam-access-key: {Access Key}' \
        --header 'x-ncp-apigw-signature-v2: {API Gateway Signature}' \
        --header 'Content-Type: application/json' \
        --header 'X-NCP-USE_PLATFORM_TYPE: VPC'

        Response

        The following describes the response format.

        Response body

        The following describes the response body.

        | Field | Type | Required | Description |
        | --- | --- | --- | --- |
        | success | Boolean | - | Request handling status |
        | code | Integer | - | Response code |
        | message | String | - | Response message |
        | result | Object | - | Response result |
        | content | Array | - | List of web shell behavior detection history |
        | totalCount | Integer | - | Number of response results |
        | pageSize | Integer | - | Number of items output per page |
        | pageIndex | Integer | - | Page number |
        | totalPages | Integer | - | Total number of pages |

        content

        The following describes content.

        | Field | Type | Required | Description |
        | --- | --- | --- | --- |
        | detectionId | String | - | Web shell behavior detection history ID |
        | instanceNo | String | - | VM's instance number |
        | hostName | String | - | VM's host name |
        | serverName | String | - | VM's server name |
        | containerName | String | - | VM's container name |
        | privateIPofServer | String | - | VM's private IP |
        | command | String | - | File execution command |
        | processName | String | - | Process name |
        | processArg | String | - | Process argument value |
        | processId | String | - | Process ID |
        | executor | String | - | Process account |
        | processIdOfParent | String | - | Parent process ID |
        | processNameOfParent | String | - | Parent process name |
        | processArgOfParent | String | - | Parent process argument value |
        | executorOfParent | String | - | Parent process account |
        | uid | String | - | Detection process UID |
        | euid | String | - | Process EUID |
        | gid | String | - | Process GID |
        | egid | String | - | Process EGID |
        | actionStatus | String | - | Response status for the issue: confirmed or blank (confirmed: confirmed; blank: not confirmed) |
        | memo | String | - | Notes |
        | actionTime | Integer | - | Webshell behavior occurrence date and time (timestamp) |
        | detectTime | Integer | - | Webshell behavior detection date and time (timestamp) |
        | collectTime | Integer | - | Webshell behavior collection date and time (timestamp) |
        | lastUpdatedTime | Integer | - | Last detection history record date and time (timestamp) |
        | isChecked | Boolean | - | Verification status for detection history: true or false (true: verified; false: not verified) |
        | memberNo | Integer | - | Member ID for VM usage |
        | detectionRuleId | String | - | Detection policy ID |
        | suspicionFiles | Array | - | List of suspicious files |
        | suspicionIps | Array | - | List of suspicious IPs |
        | osType | String | - | VM's OS type |

        suspicionFiles

        The following describes suspicionFiles.

        | Field | Type | Required | Description |
        | --- | --- | --- | --- |
        | suspicionFileId | String | - | File ID |
        | fileOriginName | String | - | File name |
        | fileOwner | String | - | File owner |
        | weight | Integer | - | Score (the higher the score, the more likely it is a webshell) |
        | accessTime | Integer | - | File access date and time (timestamp) |
        | modifyTime | Integer | - | File change date and time (timestamp) |
        | changeTime | Integer | - | File modification date and time (timestamp) |
        | detectionId | String | - | Web shell behavior detection history ID |

        suspicionIps

        The following describes suspicionIps.

        | Field | Type | Required | Description |
        | --- | --- | --- | --- |
        | suspicionIpId | String | - | Suspicious IP's ID |
        | detectionId | String | - | Web shell behavior detection history ID |
        | suspicionIp | String | - | Suspicious IP |
        | country | String | - | Suspicious IP's country |
        | platform | String | - | VM environment: VPC or CLASSIC |

        Response status codes

        For response status codes common to all Webshell Behavior Detector APIs, see Common Webshell Behavior Detector response status codes.

        Response example

        The following is a sample response.

        {
            "success": true,
            "code": 0,
            "message": "success",
            "result": {
                "content": [
                    {
                        "detectionId": "2024072323595700000436",
                        "instanceNo": "25****97",
                        "hostName": "{hostname}",
                        "serverName": "{servername}",
                        "containerName": "",
                        "privateIPofServer": "***.***.***.***",
                        "command": "{command}",
                        "processName": "{process}",
                        "processArg": "{process-and-arguments}",
                        "processId": "{command-process-id}",
                        "executor": "DefaultAppPool",
                        "processIdOfParent": "{command-process-id}",
                        "processNameOfParent": "{process}",
                        "processArgOfParent": "{process-and-arguments}",
                        "executorOfParent": "DefaultAppPool",
                        "uid": "33",
                        "euid": "33",
                        "gid": "33",
                        "egid": "33",
                        "actionStatus": "confirmed",
                        "actionTime": 1721742708822,
                        "detectTime": 1721740066493,
                        "collectTime": 1721740067452,
                        "lastUpdatedTime": 1721742708822,
                        "isChecked": true,
                        "memberNo": 26***90,
                        "detectionRuleId": "2024072318114600000013",
                        "suspicionFiles": [
                            {
                                "suspicionFileId": "2024072323595800000443",
                                "fileOriginName": "{web-root-path}/{suspicious-object-name}",
                                "fileOwner": "S-1-5-32-544",
                                "weight": 29,
                                "accessTime": 1721742550000,
                                "modifyTime": 1721742550000,
                                "changeTime": 1721742542000,
                                "detectionId": "2024072323595700000436"
                            }
                        ],
                        "suspicionIps": [
                            {
                                "suspicionIpId": "2024072323595800000386",
                                "detectionId": "2024072323595700000436",
                                "suspicionIp": "***.***.***.***",
                                "country": "KR",
                                "platform": "VPC"
                            }
                        ],
                        "osType": "LINUX"
                    }
                ],
                "totalCount": 51,
                "pageSize": 1,
                "pageIndex": 22,
                "totalPages": 51
            }
        }
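
An added example, not part of the original API documentation: triaging a GetWebshell response body by keeping only unverified detections, ranking them by the highest suspicionFiles weight, and working out the next pageIndex to request. The sample records and the helper names (`triage`, `next_page_index`, `ms_to_utc`, `_rec`) are constructed for illustration; it assumes pages are numbered from 1 as in the request example and that timestamps are epoch milliseconds as in the sample response.

```python
from datetime import datetime, timezone

def ms_to_utc(ms):
    """Assumption: API timestamps are epoch milliseconds (13-digit values)."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

def triage(body, min_weight=0):
    """Return unverified detections, highest suspicionFiles weight first."""
    if not body.get("success"):
        raise RuntimeError(f"API error {body.get('code')}: {body.get('message')}")
    rows = []
    for d in body["result"].get("content") or []:
        if d.get("isChecked"):
            continue  # isChecked true: already verified, skip
        files = d.get("suspicionFiles") or []
        top = max((f.get("weight", 0) for f in files), default=0)
        if top < min_weight:
            continue
        rows.append({
            "detectionId": d["detectionId"],
            "serverName": d.get("serverName"),
            "maxWeight": top,
            "files": [f.get("fileOriginName") for f in files],
            "ips": [i.get("suspicionIp") for i in d.get("suspicionIps") or []],
            "detected": ms_to_utc(d["detectTime"]),
            # On Linux, euid "0" means the flagged process ran as root
            "rootProcess": d.get("osType") == "LINUX" and d.get("euid") == "0",
        })
    return sorted(rows, key=lambda r: r["maxWeight"], reverse=True)

def next_page_index(result):
    """Next pageIndex to request (assumed 1-based), or None after the last page."""
    nxt = result["pageIndex"] + 1
    return nxt if nxt <= result["totalPages"] else None

def _rec(i, checked, weights, euid):  # constructed sample record, not real data
    return {"detectionId": f"sample-{i}", "serverName": f"web-{i}", "osType": "LINUX",
            "euid": euid, "isChecked": checked, "detectTime": 1721740066000,
            "suspicionFiles": [{"fileOriginName": f"/var/www/f{w}.php", "weight": w}
                               for w in weights],
            "suspicionIps": [{"suspicionIp": "203.0.113.5"}]}

SAMPLE = {"success": True, "code": 0, "message": "success", "result": {
    "content": [_rec(1, True, [90], "33"), _rec(2, False, [29], "33"),
                _rec(3, False, [12, 70], "0")],
    "totalCount": 3, "pageSize": 3, "pageIndex": 1, "totalPages": 1}}

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```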