CN110855698B - Terminal information obtaining method, device, server and storage medium - Google Patents

Info

Publication number: CN110855698B
Application number: CN201911138196.XA
Authority: CN (China)
Legal status: Active (Google's legal status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN110855698A (en)
Inventor: 喻俊仁
Current assignee: Chengdu Knownsec Information Technology Co ltd (the listed assignee may be inaccurate)
Original assignee: Chengdu Knownsec Information Technology Co ltd
Prior art keywords: bait, information, terminal, mail, terminal equipment

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L 51/42 Mailbox-related aspects, e.g. synchronisation of mailboxes

Abstract

The application provides a terminal information obtaining method, an apparatus, a server and a storage medium. The method is applied to the server and comprises the following steps: receiving a mail request sent by a terminal device; sending a bait mail to the terminal device, wherein the bait mail comprises a bait attachment or information indicating the bait attachment, and the bait attachment, when executed by a device, returns information about the executing device; and receiving the terminal information of the terminal device that the terminal device sends. In this process the server sends the bait mail to the terminal device so that, when the terminal device executes the bait attachment in the bait mail, the server obtains the terminal information of the terminal device. This effectively addresses the problem that, after an attacker has stolen the account and password of a personal mailbox, the owner of the mailbox or its administrator finds it difficult to obtain the attacker's terminal information.

Description

Terminal information obtaining method, device, server and storage medium
Technical Field
The present application relates to the technical field of computer information processing, and in particular, to a method, an apparatus, a server, and a storage medium for obtaining terminal information.
Background
Current protection measures for the account and password of a personal mailbox include, for example: after login with the account and password has failed a certain number of times, the mail system locks the account for a specified period, during which the account and password cannot be used to log in; or, after login has failed a certain number of times, a verification code is required at login so as to prevent an attacker from brute-forcing the account and password.
In practice it is found that, if an attacker obtains the account and password of a personal mailbox, it is difficult for the owner of the mailbox or the mailbox administrator to learn anything about the theft; that is, after the account and password of the personal mailbox have been stolen by an attacker, it is difficult for the owner or administrator of the mailbox to obtain the attacker's terminal information.
Disclosure of Invention
An object of the embodiments of the present application is to provide a terminal information obtaining method, an apparatus, a server, and a storage medium, which are used to solve the problem that an owner of a personal mailbox or an administrator of the personal mailbox cannot easily obtain terminal information of an attacker after an account and a password of the personal mailbox are stolen by the attacker.
The embodiment of the application provides a terminal information obtaining method, which is applied to a server and comprises the following steps: receiving a mail request sent by a terminal device; sending a bait mail to the terminal device, wherein the bait mail comprises a bait attachment or information indicating the bait attachment, and the bait attachment, when executed by a device, returns the information of the executing device; and receiving the terminal information of the terminal device sent by the terminal device. In this process the server sends the bait mail to the terminal device so that, when the terminal device executes the bait attachment in the bait mail, the server obtains the terminal information of the terminal device, which effectively solves the problem that the owner or administrator of a personal mailbox finds it difficult to obtain the attacker's terminal information after the account and password of the mailbox have been stolen.
Optionally, in this embodiment of the application, before sending the bait mail to the terminal device, the method further includes: determining, according to the history record of the terminal device, that the terminal device is in an abnormal state. In this process the bait mail is sent only after the terminal device logged in to the personal mailbox has been judged to be in an abnormal state, which keeps the disturbance to the legitimate user of the mailbox as small as possible and also reduces the possibility of leaking private information.
Optionally, in this embodiment of the present application, the history record includes a login record, and determining that the terminal device is in an abnormal state according to the history record includes: if the login address of the terminal device is determined from the login record to be an uncommon address, determining that the terminal device is in an abnormal state. In this process the terminal device logged in to the personal mailbox is judged abnormal when its login address is uncommon, and only then is the bait mail sent, which keeps the disturbance to the legitimate user as small as possible and also reduces the possibility of leaking private information.
Optionally, in this embodiment of the present application, the terminal information includes identification information of the terminal device, and after receiving the terminal information sent by the terminal device the method further includes: adding the identification information to a blacklist, where the blacklist is used to stop responding to mail requests from the terminal device corresponding to any identification information in it. In this process, after the identification information of the terminal device has been obtained through the bait mail it is added to the blacklist, which reduces the possibility of being attacked by that terminal device again.
Optionally, in this embodiment of the application, after receiving the terminal information of the terminal device sent by the terminal device, the method further includes: generating alarm information according to the terminal information; and displaying the alarm information on the server, or sending the alarm information to the terminal device. In this process, generating alarm information from the terminal information and sending it to the terminal device further reduces the possibility of leaking private information.
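The gating, blacklist and alarm logic described in the options above, as an added example (this is not code from the patent or from Chengdu Knownsec). It assumes that the server keeps each mailbox's login records, that an "uncommon address" is one absent from those records, that the identifier reported by the bait attachment is also presented in later mail requests from that terminal, and that alarm information is collected in a list rather than displayed or sent; the login records and addresses are constructed.

```python
"""Abnormal-login gating, blacklist and alarm for the bait-mail server.

Added example, not the patent's or the assignee's code.  Assumptions: the
server keeps each mailbox's login records; an address that never appears in
a mailbox's earlier records is "uncommon"; the identifier the bait
attachment reports is also presented in later mail requests from that
terminal; alarm information is collected in a list.  All records below are
constructed.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class LoginRecord:
    mailbox: str
    address: str      # login source address recorded by the mail system
    timestamp: int    # seconds since the epoch


@dataclass
class ServerState:
    history: list = field(default_factory=list)   # LoginRecord entries
    blacklist: set = field(default_factory=set)   # terminal identifiers
    alarms: list = field(default_factory=list)    # alarm information


def is_uncommon_address(history, mailbox, address, min_seen=1):
    """True when the address appears fewer than min_seen times in this
    mailbox's login records.  A mailbox with no records at all is not judged
    abnormal here (the patent does not say what to do in that case)."""
    seen = Counter(r.address for r in history if r.mailbox == mailbox)
    if not seen:
        return False
    return seen[address] < min_seen


def terminal_is_abnormal(state, mailbox, address):
    """Abnormal state judged from the history record (login record only)."""
    return is_uncommon_address(state.history, mailbox, address)


def handle_mail_request(state, mailbox, address, terminal_id):
    """Decide how to answer a mail request; one of 'blocked', 'bait_mail',
    'normal'.  The bait mail is sent only for an abnormal terminal, so
    normal users are disturbed as little as possible."""
    if terminal_id in state.blacklist:
        return "blocked"
    if terminal_is_abnormal(state, mailbox, address):
        return "bait_mail"
    return "normal"


def handle_terminal_info(state, mailbox, terminal_info):
    """Called when the bait attachment reports back: blacklist the identifier
    and generate alarm information from the terminal information."""
    ident = terminal_info["identifier"]
    state.blacklist.add(ident)
    alarm = (f"mailbox {mailbox}: bait attachment executed on terminal {ident}, "
             f"os={terminal_info.get('os', 'unknown')}, "
             f"address={terminal_info.get('address', 'unknown')}")
    state.alarms.append(alarm)
    return alarm


def demo():
    """Walk one mailbox through a normal login, a suspicious login, the bait
    report and a repeat request; returns the three decisions."""
    state = ServerState(history=[
        LoginRecord("alice@example.com", "198.51.100.7", 1_700_000_000),
        LoginRecord("alice@example.com", "198.51.100.7", 1_700_003_600),
    ])
    decisions = [
        handle_mail_request(state, "alice@example.com", "198.51.100.7", "term-home"),
        handle_mail_request(state, "alice@example.com", "203.0.113.9", "term-x"),
    ]
    handle_terminal_info(state, "alice@example.com",
                         {"identifier": "term-x", "os": "Windows", "address": "203.0.113.9"})
    decisions.append(
        handle_mail_request(state, "alice@example.com", "203.0.113.9", "term-x"))
    return decisions


if __name__ == "__main__":
    print(demo())   # ['normal', 'bait_mail', 'blocked']
```

The `min_seen` threshold is the only tunable: raising it makes a rarely used address count as uncommon as well, at the cost of more bait mails to legitimate users travelling from new locations.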
Optionally, in this embodiment of the application, the information indicating the bait attachment includes a bait link, and before sending the bait mail to the terminal device, the method further includes: generating a bait link according to the bait attachment; setting the bait link in the content of the bait mail. In the implementation process, the bait link is set in the bait mail, the attacker clicks the bait link and downloads the bait attachment to obtain the terminal information of the attacker, so that the probability of obtaining the terminal information is increased.
Optionally, in this embodiment of the application, after sending the bait mail to the terminal device, the method further includes: receiving an attachment request sent by the terminal device, where the attachment request is sent when the terminal device accesses the bait link; and sending the bait attachment to the terminal device. In this process the server receives the attachment request that the terminal device sends when it accesses the bait link, and the bait attachment is downloaded so as to obtain the attacker's terminal information, which increases the probability of obtaining the terminal information.
Optionally, in an embodiment of the present application: the bait attachment, when clicked, is executed and sends the information of the executing device to the server; or the information indicating the bait attachment, when clicked, downloads and executes the bait attachment, which sends the information of the executing device to the server. In this process the bait attachment is executed when either it or the information indicating it is clicked, which effectively solves the problem that the owner or administrator of a personal mailbox finds it difficult to obtain the attacker's terminal information after the account and password of the mailbox have been stolen.
The embodiment of the present application further provides a terminal information obtaining apparatus, which is applied to a server, and includes: the request receiving module is used for receiving a mail request sent by the terminal equipment; a mail sending module, configured to send a bait mail to the terminal device, where the bait mail includes a bait attachment or information indicating the bait attachment, and when the bait attachment is executed by the terminal device, the information of the execution device is returned; and the information receiving module is used for receiving the terminal information of the terminal equipment, which is sent by the terminal equipment.
Optionally, in an embodiment of the present application, the apparatus further includes: a first determining module, configured to determine, according to the history record of the terminal device, that the terminal device is in an abnormal state.
Optionally, in an embodiment of the present application, the history record includes a login record, and the first determining module includes: a second determining module, configured to determine that the terminal device is in an abnormal state if the login address of the terminal device is determined from the login record to be an uncommon address.
Optionally, in this embodiment of the application, the terminal information includes identification information of the terminal device, and the apparatus further includes: an information adding module, configured to add the identification information to a blacklist, where the blacklist is used to stop responding to mail requests from the terminal device corresponding to any identification information in it.
Optionally, in an embodiment of the present application, the apparatus further includes: an information generating module, configured to generate alarm information according to the terminal information; and a display/sending module, configured to display the alarm information on the server or send the alarm information to the terminal device.
Optionally, in this embodiment of the application, the information indicating the bait attachment includes a bait link, and the apparatus further includes: a link generating module, configured to generate a bait link according to the bait attachment; and a mail obtaining module, configured to set the bait link in the content of the bait mail.
Optionally, in an embodiment of the present application, the apparatus further includes: a request receiving module, configured to receive an attachment request sent by the terminal device, where the attachment request is sent when the terminal device accesses the bait link; and an attachment sending module, configured to send the bait attachment to the terminal device.
Optionally, in an embodiment of the present application, the apparatus further includes: a first sending module, configured to execute the bait attachment when it is clicked and send the information of the executing device to the server; or a second sending module, configured to download and execute the bait attachment when the information indicating the bait attachment is clicked, and send the information of the executing device to the server.
An embodiment of the present application further provides a server, including: a processor and a memory storing machine-readable instructions executable by the processor, the machine-readable instructions when executed by the processor performing the method as described above.
Embodiments of the present application further provide a storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the computer program performs the method described above.
Drawings
To more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic diagram of a terminal information obtaining system provided in an embodiment of the present application;
fig. 2 is a schematic flow chart of a terminal information obtaining method provided in an embodiment of the present application;
fig. 3 is a schematic flowchart illustrating a method for obtaining terminal information when a terminal device is in an abnormal state according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a terminal information obtaining apparatus according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a server provided in an embodiment of the present application.
Reference numerals: 110 - terminal information obtaining system; 120 - terminal device; 130 - server; 131 - processor; 132 - memory; 133 - storage medium; 400 - terminal information obtaining apparatus; 410 - request receiving module; 420 - mail sending module; 430 - information receiving module.
Detailed Description
The technical solution in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
Before introducing the terminal information obtaining method provided in the embodiment of the present application, some concepts related to the embodiment are introduced as follows:
An intrusion detection system (IDS) monitors the operating status of networks and systems, through software and hardware and according to a given security policy, to discover as many attack attempts, attack behaviours or attack results as possible, so as to ensure the confidentiality, integrity and availability of network system resources.
A distributed denial of service (DDoS) attack is a relatively common type of attack, and one that is readily launched against smart devices. A DDoS attack combines multiple computers into an attack platform, using client/server technology, to launch a denial of service attack on one or more targets, thereby multiplying the power of the denial of service. Typically, an attacker installs a DDoS master program on a computer using a stolen account; at a set time the master communicates with a large number of agent programs already installed on many computers on the network. The agents start the attack when they receive the instruction, so hundreds of agent runs can be activated within a few seconds, causing the attacked device to crash and become inaccessible to its users.
A virus program, also called a computer virus, is a set of computer instructions or program code that a programmer inserts into a computer program to destroy computer functions or data; it affects the use of the computer and can replicate itself. Computer viruses may carry back-door programs with special functions such as destroying and deleting files, sending out passwords, logging keystrokes and launching DDoS attacks.
A Trojan (Trojan horse program), also referred to as Trojan code or malicious code, is a program that is hidden on a computer and that lets an external user control that computer or steal local information through a specific program. A Trojan generally has two executable parts, a control end and a controlled end. The name comes from the Trojan horse story of ancient Greek legend. The Trojan horse program is a kind of virus file that is currently widespread; unlike a general virus it does not propagate by itself and does not deliberately infect other files. Instead it disguises itself to attract users into downloading and executing it, which opens a door into the infected host for the person who planted it, who can then destroy or steal the host's files at will and even control the host remotely.
Before introducing the terminal information obtaining method provided by the embodiment of the present application, an application scenario applicable to the terminal information obtaining method is introduced, where the application scenario includes but is not limited to a terminal information obtaining system; the application scenario herein may further include: the terminal information obtaining method is used on the mail management server to reduce the loss of the mailbox account in the mail management server; and a scenario in which the terminal information obtaining method is used in the IDS system to increase the functions of the IDS system, and the like.
Please refer to fig. 1, which is a schematic diagram of a terminal information obtaining system provided in the embodiment of the present application; the terminal information obtaining system 110 includes: terminal device 120 and server 130; the terminal device 120 may communicate with the server 130, one terminal device 120 may communicate with a plurality of servers 130, one server 130 may also communicate with a plurality of terminal devices 120, and a specific communication manner between the terminal device 120 and the server 130 may be wireless network communication (as shown in the left side of fig. 1), wired network communication (as shown in the middle of fig. 1), or internet communication in which a wired network and a wireless network are mixed (as shown in the right side of fig. 1). Here, the terminal device refers to a device terminal or a server having a function of executing a computer program, and the device terminal includes, for example: a smart phone, a Personal Computer (PC), a tablet computer, a Personal Digital Assistant (PDA), a Mobile Internet Device (MID), a network switch or a network router, and the like.
The server mentioned above is a device that provides a computing service over a network; servers include, for example, x86 servers and non-x86 servers, the latter including mainframes, minicomputers and UNIX servers. In a specific implementation the server may be a minicomputer or a mainframe, where a minicomputer is a closed, dedicated device that mainly provides computing services under a UNIX operating system and uses a dedicated processor such as a Reduced Instruction Set Computing (RISC) or MIPS processor, and a mainframe (also called a large-scale computer) is a device that provides computing services using a dedicated processor instruction set, operating system and application software. In a specific implementation the server may be a mail server, that is, a device responsible for managing the sending and receiving of e-mail.
Please refer to fig. 2, which is a schematic flow chart of a terminal information obtaining method provided in the embodiment of the present application; the terminal information obtaining method is applied to the server, and the method can comprise the following steps:
step S210: the server receives the mail request sent by the terminal equipment.
The mail request is a request sent by the terminal device to receive an e-mail from the server, and it may include a unique identifier of the mail; for example, the server receives a mail request from the terminal device requesting the e-mail with unique identifier 0210, and the server then looks up the e-mail with unique identifier 0210.
The server can receive the mail request sent by the terminal device in the following ways: the server may receive the mail request directly from the terminal device, or it may receive the mail request sent by the terminal device through a proxy server, the proxy server being the device from which the server obtains the mail request. A proxy server is a relay station for network information, an intermediate proxy mechanism between a source host and a destination host (for example between a host in a private network and a server of an Internet service provider), and is responsible for forwarding legitimate network information and for controlling and logging that forwarding.
After step S210, step S220 is performed: the server sends a bait mail to the terminal device.
The bait mail comprises a bait attachment and/or information indicating the bait attachment; that is, there are three cases for the bait mail. In the first case, the bait mail includes a bait attachment which, when executed by a device, returns the information of the executing device. In the second case, the bait mail includes information indicating the bait attachment, for example a bait link through which the bait attachment can be downloaded and/or executed; the bait link then indicates where the bait attachment is, so that when the user clicks it the terminal device is triggered to download and execute the bait attachment, and the device information at execution is returned. In the third case, the bait mail includes both a bait attachment and information indicating the bait attachment; here the information indicating the bait attachment, when clicked, triggers execution of the bait attachment carried in the bait mail, the content of the bait attachment is a program that sends the information of the executing device to the server, and the executing device is the device on which the bait attachment is executed.
In the embodiment of the present application, corresponding to the above description, the bait mail may be obtained first, before it is sent to the terminal device in step S220, and it may be obtained in three ways: in the first way, a bait attachment is attached to a mail, giving a bait mail that includes the bait attachment; in the second way, a bait link for downloading the bait attachment is placed in a mail, giving a bait mail that includes the bait link; in the third way, both the bait link for downloading the bait attachment and the bait attachment itself are placed in the mail, giving a bait mail that includes the bait attachment and the bait link. For convenience of explanation only the third way is used as an example below; it may include the following steps:
step S221: the server obtains the bait attachment.
As described above, the bait attachment is an attachment file that can be attached to the bait mail and that returns the information of the executing device when it is executed by an electronic device; specifically, it may be program code written by a programmer whose function is to obtain information about the device on which the code runs. The bait attachment also carries content that attracts people to click on it, such as titles, links, pictures or video content that a person would want to open.
The server can obtain the bait attachment in several ways. In the first, a copy of the bait attachment is taken from another system already running on the server, such as an intrusion detection system, a honeypot system or a security system. A honeypot system is a software application system, also called an intrusion bait, that is used to attract hackers to attack it; after an attacker intrudes, monitoring and analysis reveal how the intrusion was carried out, and the latest attacks and vulnerabilities launched against the organization's servers can be learned at any time. It is also possible to collect the various tools used by hackers and map their social network by eavesdropping on the connections between them. In the second way, source code is downloaded from the internet with crawler software and the code file is interpreted or compiled into an executable file; if, when executed by an electronic device, the executable sends the information of the device it is on to the server, it is taken as the bait attachment (alternatively, an executable file that already performs this function is downloaded directly from the internet). In the third way, a code file is written in a programming language and interpreted or compiled into an executable file; if, when executed by an electronic device, the executable sends the information of the device it is on to the server, it is taken as the bait attachment.
Step S222: the server generates a bait link from the bait attachment.
As described above, the bait link here may be a link that triggers execution of the bait attachment, or a link that triggers download and execution of the bait attachment, depending on whether the bait mail includes the bait attachment: in the first case, if the bait mail includes the bait attachment, the bait link is a link that triggers execution of that attachment; in the second case, if the bait mail does not include the bait attachment, the bait link is a link that triggers download and execution of the bait attachment.
Accordingly, the way the server generates the bait link from the bait attachment also falls into two cases. In the first case, if the bait mail includes the bait attachment, the relative address between the bait mail and the bait attachment, that is, the file address of the bait attachment relative to the bait mail, is obtained and used as the bait link. In the second case, if the bait mail does not include the bait attachment, the server obtains its own domain name, opens a port number through which the bait attachment can be downloaded, determines the root directory of its website service or file transfer service, obtains the file address of the bait attachment relative to that root directory, and determines the bait link from the domain name, the port number, the root directory, the file address and the file name of the bait attachment. For example, assuming the domain name of the server is a.com, the port number is 80, the file address of the bait attachment relative to the root directory of the website service is /test, and the file name of the bait attachment is getinfo.bat or getinfo.sh, the bait link is http://a.com:80/test/getinfo.bat or http://a.com:80/test/getinfo.sh.
Step S223: the server sets the bait link in the content of the bait mail and sets the bait attachment as a mail attachment for the bait mail.
An example of the server setting the bait link in the content of the bait mail: the bait link http://a.com:80/test/getinfo.bat or http://a.com:80/test/getinfo.sh described above is added to the content of the bait mail. An example of setting the bait attachment as a mail attachment of the bait mail: getinfo.bat or getinfo.sh is set as an attachment file of the bait mail. In this process the bait link is set in the bait mail, and when the attacker clicks the bait link and downloads the bait attachment the attacker's terminal information is obtained, which increases the probability of obtaining the terminal information. At the same time the bait attachment is executed when either it or the information indicating it is clicked, which effectively solves the problem that the owner or administrator of a personal mailbox finds it difficult to learn the attacker's terminal information after the account and password of the mailbox have been stolen.
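Steps S222 and S223 (generating the bait link and assembling the bait mail) carried out in code, as an added example that is not the patent's or Chengdu Knownsec's own code. The domain a.com, port 80, the /test directory and the file name getinfo.bat are the values the description uses; the attachment bytes are a constructed placeholder (no information-collecting program is included), the website root /var/www is assumed, and the `cid:` form used for the "attachment already in the mail" case is this example's own reading of "file address relative to the mail". All helper names are the example's own.

```python
"""Bait-link construction and bait-mail assembly (steps S222 and S223).

Added example, not the patent's or the assignee's code.  Assumptions: the
website service root is /var/www, the attachment bytes are a placeholder,
and a cid: reference stands for the mail-relative address of the first
case of step S222.
"""
import posixpath
from email.message import EmailMessage


def bait_link_for_download(domain, port, root_dir, attachment_path, scheme="http"):
    """Second case of step S222: the mail carries no attachment, so the link
    points at the attachment on the server's web (or file transfer) service.
    The URL path is the attachment's address relative to the service root."""
    rel = posixpath.relpath(attachment_path, root_dir)   # e.g. test/getinfo.bat
    if rel.startswith(".."):
        raise ValueError("attachment must live below the service root")
    return f"{scheme}://{domain}:{port}/{rel}"


def bait_link_in_mail(content_id):
    """First case of step S222: the attachment is already in the mail, so the
    link is an address relative to the mail itself (a cid: reference)."""
    return f"cid:{content_id}"


def build_bait_mail(sender, recipient, subject, body_text, bait_link,
                    attachment_name, attachment_bytes, content_id):
    """Step S223: put the bait link in the mail body and attach the bait
    attachment; returns an EmailMessage ready for the mail server."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(f"{body_text}\n\n{bait_link}\n")
    # add_attachment turns the message into multipart/mixed and marks the
    # part as an attachment with the given file name and Content-ID.
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name,
                       cid=f"<{content_id}>")
    return msg


def mail_summary(msg):
    """Inspection helper: the plain-text body and the attachment file names."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    names = [part.get_filename() for part in msg.iter_attachments()]
    return body, names


if __name__ == "__main__":
    link = bait_link_for_download("a.com", 80, "/var/www", "/var/www/test/getinfo.bat")
    print(link)                                     # http://a.com:80/test/getinfo.bat
    mail = build_bait_mail("admin@a.com", "owner@a.com", "Mailbox notice",
                           "See the attached file.", link,
                           "getinfo.bat", b"placeholder bait attachment\n",
                           "getinfo.bat@a.com")
    print(mail_summary(mail))
    print(mail.as_string())
```

The `..` check in `bait_link_for_download` rejects an attachment path outside the service root, since such a file could never be served through the link and the mail would carry a dead bait.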
As described above, after the server sends the bait mail to the terminal device, it may also send the bait attachment to the device that requests the bait link. That is, the bait link is a link that triggers downloading and execution of the bait attachment: clicking it requests the attachment from the server. Accordingly, after step S220, the method may further include the following steps for triggering the download of the bait attachment:
step S224: the server receives an attachment request sent by the terminal equipment.
The attachment request is the request the terminal device sends when it accesses the bait link, and it asks for the bait attachment described above. The server may receive the attachment request directly from the terminal device, or it may receive it through a proxy server, i.e. a device through which the terminal device forwards the request.
Step S225: the server sends the bait attachment to the terminal device.
The server sends the bait attachment to the terminal device as follows: if the terminal device sent the attachment request through a browser, the server returns the bait attachment to the process corresponding to that browser. A browser here is a software tool for accessing data on the server, such as Firefox, Chrome, Safari or Internet Explorer (IE). In this implementation the attachment request, sent when the terminal device accesses the bait link, is received and the bait attachment is delivered so that the attacker's terminal information can be obtained, which increases the probability of obtaining it.
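Steps S222 to S225 and the report endpoint of step S230, as one added example that is not code from the patent or its assignee. It assumes a plain HTTP server: the web root is served at "/", the executed attachment posts JSON to a hypothetical "/report" path, and the hosted attachment bytes are a constructed placeholder. The domain a.com, port 80, directory /test and file name getinfo.sh are the values used in the text.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse
import urllib.request

# Constructed sample: web-root-relative path -> bytes of the hosted bait attachment.
BAIT_ATTACHMENTS = {
    "/test/getinfo.sh": b"#!/bin/sh\n# bait attachment body (placeholder)\n",
}
REPORTS = []   # terminal information received at the report endpoint (step S230)


def build_bait_link(attachment_name, *, attached_to_mail, domain=None, port=None,
                    root_rel_dir=None, scheme="http"):
    """Step S222.  Case 1: the attachment travels inside the mail, so the link is the
    mail-relative file address.  Case 2: the attachment is hosted, so the link is
    assembled from domain, download port, root-relative directory and file name."""
    if attached_to_mail:
        return attachment_name
    if not domain or not port or root_rel_dir is None:
        raise ValueError("a hosted bait attachment needs domain, port and root-relative dir")
    stripped = root_rel_dir.strip("/")
    directory = "/" + stripped if stripped else ""
    return f"{scheme}://{domain}:{port}{directory}/{attachment_name}"


class BaitHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        """Steps S224/S225: an attachment request for the bait link gets the attachment."""
        body = BAIT_ATTACHMENTS.get(urlparse(self.path).path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        """Step S230: the executed attachment reports the terminal information as JSON."""
        if urlparse(self.path).path != "/report":
            self.send_error(404)
            return
        try:
            length = int(self.headers.get("Content-Length") or 0)
            info = json.loads(self.rfile.read(length))
            if not isinstance(info, dict):
                raise ValueError("report must be a JSON object")
        except ValueError:
            self.send_error(400)
            return
        # The self-reported fields are attacker-controlled; keep the peer address the
        # server itself observed alongside them.
        info["source_ip"] = self.client_address[0]
        REPORTS.append(info)
        self.send_response(204)
        self.end_headers()

    def log_message(self, *_):   # silence per-request logging in the example
        pass


def start_server(host="127.0.0.1", port=0):
    """Serve in a background thread; port 0 lets the OS pick a free port."""
    server = HTTPServer((host, port), BaitHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_attachment(port, path):
    """What the attacker's browser does on clicking the bait link (GET)."""
    with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}") as resp:
        return resp.read()


def post_terminal_info(port, info):
    """What the executed bait attachment does (POST); returns the HTTP status."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/report",
                                 data=json.dumps(info).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    print(build_bait_link("getinfo.sh", attached_to_mail=False,
                          domain="a.com", port=80, root_rel_dir="/test"))
    server, port = start_server()
    print(fetch_attachment(port, "/test/getinfo.sh"))
    print(post_terminal_info(port, {"mac": "00:11:22:33:44:55"}), REPORTS)
    server.shutdown()
```

The report handler records the connection's peer address next to whatever the attachment sent, because every field in the JSON body was produced on a machine the attacker controls and may be forged; only the observed source address is the server's own evidence.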
After step S220, step S230 is performed: and the server receives the terminal information of the terminal equipment sent by the terminal equipment.
For example, the server receives the terminal information over Transmission Control Protocol/Internet Protocol (TCP/IP), the basic protocol suite of the Internet, which combines the Internet Protocol (IP) at the network layer with the Transmission Control Protocol (TCP) at the transport layer. The report may be sent over a raw TCP/IP connection or over Hypertext Transfer Protocol (HTTP), which itself runs on top of TCP.
In this implementation the server sends the bait mail to the terminal device so that the terminal device executes the bait attachment in it and returns the terminal device's information, which effectively addresses the problem that the owner or administrator of a personal mailbox has difficulty learning an attacker's terminal information after the mailbox's account and password have been stolen.
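The bait attachment itself, i.e. what runs on the terminal and produces the terminal information received in step S230, as an added example that is not the patent's getinfo.bat or getinfo.sh. It is written in Python rather than as a batch or shell script, collects the identification fields the text names where an unprivileged process can read them (IP and MAC address everywhere; machine GUID and Windows product ID from the registry on Windows; the Linux machine-id and, where readable, the SMBIOS UUID), and posts them as JSON. The report URL is an assumption.

```python
import json
import os
import platform
import socket
import sys
import urllib.request
import uuid

REPORT_URL = "http://a.com:80/report"   # assumption: where the server accepts reports


def _read_first_line(path):
    """Best-effort read of a one-line identifier file (None if unreadable)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.readline().strip() or None
    except OSError:
        return None


def _windows_registry_ids():
    """Machine GUID and Windows product ID from HKLM (readable by standard users)."""
    ids = {}
    try:
        import winreg
    except ImportError:           # not Windows
        return ids
    wanted = {
        "machine_guid": (r"SOFTWARE\Microsoft\Cryptography", "MachineGuid"),
        "windows_product_id": (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductId"),
    }
    for name, (subkey, value) in wanted.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                ids[name] = winreg.QueryValueEx(key, value)[0]
        except OSError:
            pass
    return ids


def local_ip():
    """IP of the interface that would route to the Internet; UDP connect() sends nothing."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.connect(("198.51.100.1", 9))      # TEST-NET-2 address, never contacted
        return sock.getsockname()[0]
    except OSError:
        return None
    finally:
        sock.close()


def format_mac(node):
    """48-bit integer as returned by uuid.getnode() -> 'aa:bb:cc:dd:ee:ff'."""
    return ":".join(f"{(node >> shift) & 0xff:02x}" for shift in range(40, -1, -8))


def collect_terminal_info():
    node = uuid.getnode()
    info = {
        "hostname": socket.gethostname(),
        "os": platform.platform(),
        "user": os.environ.get("USER") or os.environ.get("USERNAME"),
        "local_ip": local_ip(),
        "mac": format_mac(node),
        # uuid.getnode() returns a random number with the multicast bit set when no
        # hardware address is found; flag that so the server does not blacklist noise.
        "mac_is_random": bool((node >> 40) & 1),
        "machine_id": _read_first_line("/etc/machine-id"),                  # Linux analogue of the machine GUID
        "smbios_uuid": _read_first_line("/sys/class/dmi/id/product_uuid"),  # usually root-only
    }
    info.update(_windows_registry_ids())
    return info


def encode_report(info):
    return json.dumps(info, sort_keys=True).encode()


def send_report(info, url=REPORT_URL, timeout=10):
    """POST the collected information to the server; returns the HTTP status."""
    req = urllib.request.Request(url, data=encode_report(info),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    collected = collect_terminal_info()
    print(json.dumps(collected, indent=2))
    if "--send" in sys.argv:
        print(send_report(collected))
```

Run without arguments to see what would be reported; pass --send to post it. The local IP the script sees is the address of the attacker's own interface, which is often a private address behind NAT or a VPN, so the public address the server observes on the connection is the one worth keeping for the login-record comparison.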
Please refer to fig. 3, a schematic flowchart of a method for obtaining terminal information when the terminal device is in an abnormal state according to an embodiment of the present application. In this embodiment, before sending the bait mail, the server may first determine that the terminal device is in an abnormal state and only then send it. The terminal information obtaining method may include the following steps:
step S310: the server receives the mail request sent by the terminal equipment.
The implementation principle of step S310 is similar to that of step S210, and specific unclear points may refer to the explanation and description of step S210, so that the step is not explained and illustrated in detail here.
Step S320: and the server determines that the terminal equipment is in an abnormal state according to the history of the terminal equipment.
The history record may include login records, sent-mail records and the like. A login record means that each time a device logs in to the server, the server records information such as the login time, login location, external-network login IP address and unique identifier of the device. A sent-mail record means that when the terminal device, after logging in, sends a mail to a specified mailbox address, each mail sent is recorded and stored on the server, so that the terminal accumulates a number of mail-sending records, which together form its sent-mail record.
There are several ways to determine that the terminal device is in an abnormal state: in the first, it is determined from the address information in the terminal device's login record; in the second, from the number of login failures in the login record; in the third, from the terminal device's sent-mail record. The first mode is described first and may include the following step:
step S321: and if the login address of the terminal equipment is determined to be the uncommon address according to the login record, the server determines that the terminal equipment is in an abnormal state.
The login address is the network address of the device when it logs in, for example a public-network IP address or the region that IP address corresponds to. An uncommon address is one the user rarely logs in from, for example a region the user does not usually log in from. The abnormal state here is judged against the mail user's normal behaviour: it means the account is being used in a way that deviates from the user's usual pattern.
For example: if the user usually logs in from Sichuan province and the user's account is now logged in from Shanghai, the terminal device corresponding to that login can be judged to be in an abnormal state. In this implementation the bait mail is sent only after the terminal device that logged in to the personal mailbox has been judged abnormal because its login address is uncommon, which keeps disturbance to the mailbox's legitimate user to a minimum and also reduces the possibility of private information leaking.
As described above, there are several ways to determine that the terminal device is in an abnormal state. The first was described above; the second is described below and may include the following step:
step S322: and if the login failure times of the terminal equipment are determined to be larger than the preset threshold value according to the login record, the server determines that the terminal equipment is in an abnormal state.
The number of login failures means that the server records every login attempt the terminal device makes and counts the attempts that fail. The preset threshold is a value set in advance according to the actual situation, for example 3, 5 or 10.
For example: if the login record shows 2 login failures for the terminal device and the preset threshold is 3, the number of failures is below the threshold and the terminal device is determined to be in a normal state; correspondingly, if the login record shows 4 login failures and the preset threshold is 3, the number of failures is greater than the threshold and the terminal device is determined to be in an abnormal state.
As described above, there are several ways to determine that the terminal device is in an abnormal state. The second was described above; the third is described below and may include the following step:
step S323: and if the mail sent by the terminal equipment contains the Trojan horse program or/and the virus program according to the mail sending record, the server determines that the terminal equipment is in an abnormal state.
The meanings of Trojan horse programs and virus programs were explained above; common examples include BackOrifice, BackOrifice2000, Netspy, Picture, Netbus, Asylum and Glacier. "Trojan horse program and/or virus program" covers three cases: the mail contains a Trojan horse program; the mail contains a virus program; or the mail contains both a Trojan horse program and a virus program.
For example: if the sent-mail record shows that a mail sent by the terminal device contains one of the programs listed above, such as BackOrifice, BackOrifice2000, Netspy, Picture or Netbus, the server determines that the terminal device is in an abnormal state.
In this implementation the bait mail is sent only after the terminal device logged in to the personal mailbox has been judged to be in an abnormal state, which keeps disturbance to the mailbox's legitimate user to a minimum and also reduces the possibility of private information leaking.
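The three modes of steps S321 to S323, as one added example over constructed history records (not code from the patent). The record layout, the "usual region" rule (a region with at least two earlier successful logins), counting failures per device since its last success, and the scanner-verdict field on sent mails are assumptions; the threshold of 3 and the Sichuan/Shanghai regions are taken from the text.

```python
from collections import Counter
from dataclasses import dataclass, field

FAILED_LOGIN_THRESHOLD = 3       # the text suggests 3, 5 or 10


@dataclass
class LoginRecord:
    ts: str
    ip: str            # external-network login IP address
    region: str        # area the IP address corresponds to, e.g. "Sichuan"
    device_id: str     # unique identifier of the device
    success: bool


@dataclass
class SentMailRecord:
    ts: str
    to: str
    attachments: list = field(default_factory=list)
    detections: list = field(default_factory=list)   # scanner verdicts, e.g. ["BackOrifice"]


@dataclass
class History:
    logins: list          # assumed chronological
    sent_mails: list


def usual_regions(history, min_successes=2):
    """Regions with at least `min_successes` successful logins (assumed 'usual' rule)."""
    counts = Counter(r.region for r in history.logins if r.success)
    return {region for region, n in counts.items() if n >= min_successes}


def unusual_login(history, current):
    """Mode 1 (S321): the login comes from a region the account does not usually use.
    A brand-new account has no usual region yet and is not flagged by this mode."""
    usual = usual_regions(history)
    return bool(usual) and current.region not in usual


def too_many_failures(history, device_id, threshold=FAILED_LOGIN_THRESHOLD):
    """Mode 2 (S322): failures from this device exceed the threshold.  Counting restarts
    at the device's last successful login (an assumption, so old failures do not pile up)."""
    failures = 0
    for rec in history.logins:
        if rec.device_id == device_id:
            failures = 0 if rec.success else failures + 1
    return failures > threshold


def sent_malware(history):
    """Mode 3 (S323): a mail sent from the account was flagged as carrying a Trojan horse
    or virus program."""
    return any(m.detections for m in history.sent_mails)


def is_abnormal(history, current):
    """Return the reasons the terminal is judged abnormal; an empty list means normal."""
    reasons = []
    if unusual_login(history, current):
        reasons.append(f"login from unusual region {current.region}")
    if too_many_failures(history, current.device_id):
        reasons.append("login failures above threshold")
    if sent_malware(history):
        reasons.append("sent mail flagged as malicious")
    return reasons


# Constructed sample history: a user who normally logs in from Sichuan, then four
# failed attempts from a new device in Shanghai.
SAMPLE = History(
    logins=[
        LoginRecord("2019-11-01T09:00", "1.2.3.4", "Sichuan", "dev-A", True),
        LoginRecord("2019-11-05T09:00", "1.2.3.5", "Sichuan", "dev-A", True),
        LoginRecord("2019-11-18T22:10", "5.6.7.8", "Shanghai", "dev-B", False),
        LoginRecord("2019-11-18T22:11", "5.6.7.8", "Shanghai", "dev-B", False),
        LoginRecord("2019-11-18T22:12", "5.6.7.8", "Shanghai", "dev-B", False),
        LoginRecord("2019-11-18T22:13", "5.6.7.8", "Shanghai", "dev-B", False),
    ],
    sent_mails=[SentMailRecord("2019-11-10T10:00", "colleague@example.com", ["report.pdf"])],
)

if __name__ == "__main__":
    now_shanghai = LoginRecord("2019-11-18T22:14", "5.6.7.8", "Shanghai", "dev-B", True)
    now_sichuan = LoginRecord("2019-11-19T08:00", "1.2.3.4", "Sichuan", "dev-A", True)
    print(is_abnormal(SAMPLE, now_shanghai))   # two reasons
    print(is_abnormal(SAMPLE, now_sichuan))    # []
```

Returning the list of reasons rather than a bare boolean lets the alarm text generated later say why the login was judged abnormal, and a login that trips none of the three checks yields an empty list, which is the condition under which no bait mail is sent.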
After step S320, step S330 is performed: the server sends a bait mail to the terminal device.
The implementation principle of step S330 is similar to that of step S220, and specific unclear points may refer to the explanation and description of step S220, so that the step is not explained and illustrated in detail here.
After step S330, step S340 is performed: the server receives the terminal information of the terminal device sent by the terminal device.
The implementation principle of step S340 is similar to that of step S230; for any unclear points refer to the explanation of step S230, so the step is not described in detail here.
Optionally, in this embodiment of the present application, the terminal information may include identification information of the terminal device, and after receiving the terminal information of the terminal device sent by the terminal device, that is, after step S340, the method may further include the following steps:
step S350: and the server adds the identification information of the terminal equipment into a blacklist.
The identification information is unique identification information of the terminal device, for example an IP address, a Media Access Control (MAC) address, a hard disk serial number, the Windows product ID, the machine GUID or the motherboard SMBIOS UUID. The blacklist is a list of such identifiers; the server stops responding to mail requests from any terminal device whose identification information is in it. For example, the IP address of the terminal device with IP address 10.0.0.1 is added to the blacklist.
For example, in a LAN environment the MAC address of the terminal device may be added to the blacklist; and in practice, if the hard disk serial number, Windows product ID, machine GUID or motherboard SMBIOS UUID can be obtained, those may be added to the blacklist as well.
In the implementation process, after the identification information of the terminal device is obtained through the decoy mail, the identification information of the terminal device is added into the blacklist, so that the possibility of being attacked by the terminal device again is reduced.
Optionally, in this embodiment of the application, after receiving the terminal information of the terminal device sent by the terminal device, that is, after step S340, the method may further include the following steps:
step S370: and the server generates alarm information according to the terminal information.
The alarm information notifies the relevant personnel that the mail account is at risk of leaking sensitive information or of having its mailbox account on the server intruded, so there are two cases: in the first, the server generates alarm information from the terminal information to notify the owner of the mailbox account or the administrator of the server that the account is at risk of sensitive information leakage; in the second, the server generates alarm information from the terminal information to notify the user of the terminal device that the mailbox account on the server is at risk of intrusion. The first case is described below and may include the following step:
After step S370, step S380 is performed: the alarm information is displayed on the server.
For example, the server displays to the administrator that the terminal device with IP address 10.0.0.1 logged in from an unusual location and that there is a risk of sensitive information leakage. Another example: the server displays to the owner of the mailbox account that the account was logged in from IP address 10.0.0.1, an unusual location, and that if the owner did not perform this login the password should be changed promptly.
As described above, there are two cases of generating the alarm information, and then the first case is described above, and the second case is described below, and the second case may include the following steps:
After step S370, step S390 is performed: the server sends the alarm information to the terminal device.
For example, the alarm sent to the terminal device reads: "Your mailbox account was logged in from IP address 10.0.0.1, an unusual location; there is a risk that the mailbox account has been intruded. If this was not you, please change the password promptly." In this implementation, generating alarm information from the terminal information and sending it to the terminal device further reduces the possibility of private information leaking.
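Steps S350 and S370 to S390 together, as an added example that is not the patent's code. The identifier field names, the rule that a mail request is refused when any one listed identifier matches (an IP address changes between attacks; MAC, serial and GUID values rarely do), and the wording of the three alarm texts are assumptions; the 10.0.0.1 example address is the one used in the text.

```python
from dataclasses import dataclass

# Identifier kinds from the text; every one except "ip" survives a change of network.
STABLE_IDS = ("mac", "disk_serial", "windows_product_id", "machine_guid", "smbios_uuid")
ALL_IDS = STABLE_IDS + ("ip",)


@dataclass
class Alarm:
    audience: str    # "admin"/"owner" (case 1, shown on the server) or "terminal" (case 2, sent to the device)
    text: str


class Blacklist:
    """Step S350: identifiers of devices whose mail requests are no longer answered."""

    def __init__(self):
        self._entries = {kind: set() for kind in ALL_IDS}

    def add_from_report(self, report):
        for kind in ALL_IDS:
            value = report.get(kind)
            if value:
                self._entries[kind].add(value)

    def matches(self, ids):
        """True if any presented identifier is listed (assumption: one hit is enough)."""
        return any(value and value in self._entries[kind]
                   for kind, value in ids.items() if kind in self._entries)


def build_alarms(report, account):
    """Step S370: one alarm per audience, all derived from the same terminal information."""
    ip = report.get("ip") or "unknown"
    return [
        Alarm("admin", f"Account {account}: login from terminal {ip} at an unusual location; "
                       "risk of sensitive information leakage."),
        Alarm("owner", f"Your mailbox {account} was logged in from {ip}, an unusual location; "
                       "if this was not you, change the password promptly."),
        Alarm("terminal", f"Mailbox {account} was logged in from {ip}, an unusual location; "
                          "the account may have been intruded. If this was not you, "
                          "change the password promptly."),
    ]


def handle_terminal_info(report, account, blacklist):
    """Steps S350 and S370 together: blacklist the device, then produce the alarms."""
    blacklist.add_from_report(report)
    return build_alarms(report, account)


def should_answer_mail_request(request_ids, blacklist):
    """Gate on every later mail request: refuse anything from a blacklisted device."""
    return not blacklist.matches(request_ids)


if __name__ == "__main__":
    bl = Blacklist()
    # Constructed report from an executed bait attachment.
    report = {"ip": "10.0.0.1", "mac": "00:11:22:33:44:55", "machine_guid": "4c4c4544-0000-1234"}
    for alarm in handle_terminal_info(report, "owner@a.com", bl):
        print(alarm.audience, "->", alarm.text)
    # Same machine back from a new IP address: still refused.
    print(should_answer_mail_request({"ip": "10.0.0.9", "mac": "00:11:22:33:44:55"}, bl))
```

Keying the blacklist on every identifier the report contains, not only the IP address, is what makes step S350 hold up when the attacker reconnects through a different network; the usage at the bottom shows the same MAC being refused from a new address.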
Please refer to fig. 4, a schematic structural diagram of a terminal information obtaining apparatus provided in an embodiment of the present application. The embodiment provides a terminal information obtaining apparatus 400, applied to a server 130, comprising:
a request receiving module 410, configured to receive a mail request sent by a terminal device;
a mail sending module 420, configured to send a bait mail to the terminal device, where the bait mail includes a bait attachment or information indicating the bait attachment, and the bait attachment, when executed by the terminal device, returns the information of the executing device;
an information receiving module 430, configured to receive the terminal information of the terminal device sent by the terminal device.
Optionally, in this embodiment of the present application, the apparatus may further include:
a first determining module, configured to determine that the terminal device is in an abnormal state according to the history record of the terminal device.
Optionally, in this embodiment of the present application, the history record includes a login record, and the first determining module includes:
a second determining module, configured to determine that the terminal device is in an abnormal state if the login address of the terminal device is determined to be an uncommon address according to the login record.
Optionally, in this embodiment of the present application, the terminal information includes identification information of the terminal device, and the apparatus further includes:
an information adding module, configured to add the identification information to a blacklist, where the blacklist is used to stop responding to mail requests from the terminal device corresponding to the identification information in it.
Optionally, in this embodiment of the present application, the apparatus further includes:
an information generation module, configured to generate alarm information according to the terminal information;
a display and sending module, configured to display the alarm information on the server or send it to the terminal device.
Optionally, in this embodiment of the present application, the information indicating the bait attachment includes a bait link, and the apparatus further includes:
a link generation module, configured to generate the bait link according to the bait attachment;
a mail obtaining module, configured to set the bait link in the content of the bait mail.
Optionally, in this embodiment of the present application, the apparatus may further include:
an attachment request receiving module, configured to receive an attachment request sent by the terminal device, where the attachment request is sent when the terminal device accesses the bait link;
an attachment sending module, configured to send the bait attachment to the terminal device.
Optionally, in this embodiment of the present application, the terminal information obtaining apparatus further includes:
a first sending module, configured to execute the bait attachment when it is clicked and send the information of the executing device to the server;
or the terminal information obtaining apparatus further includes:
a second sending module, configured to download and execute the bait attachment when the information indicating the bait attachment is clicked, and send the information of the executing device to the server.
It should be understood that the apparatus corresponds to the method embodiment above and can perform the steps of that embodiment; the specific functions of the apparatus are as described above, and the detailed description is omitted here to avoid redundancy. The apparatus includes at least one software functional module that may be stored in memory as software or firmware, or built into the operating system (OS) of the device.
Please refer to fig. 5, which illustrates a schematic structural diagram of a server according to an embodiment of the present application. An embodiment of the present application provides a server 130, including: a processor 131 and a memory 132, the memory 132 storing machine readable instructions executable by the processor 131, the machine readable instructions when executed by the processor 131 performing the method as above.
The embodiment of the present application further provides a storage medium 133, where the storage medium 133 stores thereon a computer program, and the computer program is executed by the processor 131 to perform the above method.
The storage medium 133 may be implemented by any type of volatile or nonvolatile storage device or combination thereof, such as a Static Random Access Memory (SRAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), an Erasable Programmable Read-Only Memory (EPROM), a Programmable Read-Only Memory (PROM), a Read-Only Memory (ROM), a magnetic memory, a flash memory, a magnetic disk, or an optical disk.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an alternative embodiment of the embodiments of the present application, but the scope of the embodiments of the present application is not limited thereto, and any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the embodiments of the present application, and all the changes or substitutions should be covered by the scope of the embodiments of the present application.

Claims (9)

1. A terminal information obtaining method, applied to a server, comprising the following steps:
receiving a mail request sent by a terminal device;
determining that the terminal device is in an abnormal state according to a history record of the terminal device, wherein the history record comprises a sent-mail record;
sending a bait mail to the terminal device, wherein the bait mail comprises a bait attachment or information indicating the bait attachment, the bait attachment returns the information of the terminal device when executed by the terminal device, and the information indicating the bait attachment is used for downloading the bait attachment;
receiving the terminal information of the terminal device sent by the terminal device;
generating alarm information according to the terminal information; and
displaying the alarm information on the server, or sending the alarm information to the terminal device.
2. The method of claim 1, wherein the history record further comprises a login record, and determining that the terminal device is in an abnormal state according to the history record of the terminal device comprises:
if the login address of the terminal device is determined to be an uncommon address according to the login record, determining that the terminal device is in an abnormal state.
3. The method of any of claims 1-2, wherein the information indicating the bait attachment comprises a bait link, and the method further comprises, before sending the bait mail to the terminal device:
generating a bait link according to the bait attachment;
setting the bait link in the content of the bait mail.
4. The method of claim 3, further comprising, after sending the bait mail to the terminal device:
receiving an attachment request sent by the terminal device, wherein the attachment request is sent when the terminal device accesses the bait link;
sending the bait attachment to the terminal device.
5. The method of any of claims 1-2, further comprising:
executing the bait attachment when it is clicked and sending the information of the terminal device to the server; or
downloading and executing the bait attachment when the information indicating the bait attachment is clicked, and sending the information of the terminal device to the server.
6. The method according to any one of claims 1-2, wherein the terminal information comprises identification information of the terminal device, and after receiving the terminal information of the terminal device sent by the terminal device, the method further comprises:
adding the identification information to a blacklist, wherein the blacklist is used for stopping responding to mail requests from the terminal device corresponding to the identification information in the blacklist.
7. A terminal information obtaining apparatus, applied to a server, comprising:
a first determining module, configured to determine that a terminal device is in an abnormal state, wherein the abnormal state is determined according to a history record of the terminal device;
a request receiving module, configured to receive a mail request sent by the terminal device;
a mail sending module, configured to send a bait mail to the terminal device, wherein the bait mail comprises a bait attachment or information indicating the bait attachment, and the bait attachment returns the information of the terminal device when executed by the terminal device;
an information receiving module, configured to receive the terminal information of the terminal device sent by the terminal device;
an information generating module, configured to generate alarm information according to the terminal information; and
a display and sending module, configured to display the alarm information on the server or send the alarm information to the terminal device.
8. A server, comprising: a processor and a memory, the memory storing machine-readable instructions executable by the processor, the machine-readable instructions, when executed by the processor, performing the method of any one of claims 1-6.
9. A storage medium having stored thereon a computer program which, when executed by a processor, carries out the method according to any one of claims 1-6.
CN201911138196.XA 2019-11-19 2019-11-19 Terminal information obtaining method, device, server and storage medium Active CN110855698B (en)

Publications (2)

Publication Number Publication Date
CN110855698A CN110855698A (en) 2020-02-28
CN110855698B true CN110855698B (en) 2022-07-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder
Address after: 9/F, Block C, No. 28 Tianfu Avenue North Section, Chengdu High tech Zone, China (Sichuan) Pilot Free Trade Zone, Chengdu City, Sichuan Province, 610000
Patentee after: CHENGDU KNOWNSEC INFORMATION TECHNOLOGY Co.,Ltd.
Address before: 11th floor, building 2, no.219, Tianfu Third Street, Chengdu pilot Free Trade Zone, hi tech Zone, Chengdu, Sichuan Province 610000
Patentee before: CHENGDU KNOWNSEC INFORMATION TECHNOLOGY Co.,Ltd.