Ant sword ：

ini_set
ini_set_time
ini_set_limit
@ini_set(“display_errors”,“0”)
Part of the code is transmitted in clear text , Better identification

kitchen knife ：

The old version adopts plaintext transmission , It's very recognizable
The new version uses base64 encryption , The detection idea is to analyze traffic packets , Find a lot of base64 You need to pay attention to encrypting ciphertext

Ice scorpion ：

Ice scorpion 1： Ice scorpion 1 There is a key negotiation process , This process is plaintext transmission , And there are two flows , Used to verify
Ice scorpion 2： Because there are many built-in UA head , So when one is the same IP Repeated requests , however UA You need to pay attention when your head is different
Ice scorpion 3： Because the negotiation process is omitted , So you can bypass a lot of traffic , But other features remain , such as ua head
Ice scorpion packets are always accompanied by a large number of content-type：application What, what , No matter what GET still POST, Requested http in ,content-type by application/octet-stream
And their accept Such lengths are always equal , Normally, according to the application scenario and different files , The length is different

Godzilla ：

cookie There is a small mistake in this value , Is a normal request cookie There is no semicolon at the end , Subsequent authors may make adjustments
And response , Godzilla will respond three times , And I think there is another place to pay attention to webshell Connect , Therefore, a long-term connection is usually set , therefore connection It's going to be here keep-alive