CN113761527A - Rebound shell process detection method, device, equipment and storage medium - Google Patents


Info

Publication number: CN113761527A
Authority: CN (China)
Prior art keywords: detected, candidate, file, shell, descriptor
Legal status: Pending
Application number: CN202010627419.5A
Priority application: CN202010627419.5A
Other languages: Chinese (zh)
Inventor: 许春杰
Current assignee: Beijing Jingdong Century Trading Co Ltd; Beijing Wodong Tianjun Information Technology Co Ltd
Original assignee: Beijing Jingdong Century Trading Co Ltd; Beijing Wodong Tianjun Information Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Abstract

An embodiment of the invention discloses a method, a device, equipment and a storage medium for detecting a reverse shell process. The method comprises the following steps: acquiring a process to be detected; acquiring the file description content corresponding to a set file descriptor of the process to be detected, and judging, according to that file description content, whether the process to be detected is a reverse shell process; and, when the process to be detected is a reverse shell process, extracting the source information of the process to be detected so that the process can be blocked according to that source information. Because the process is blocked on the basis of its source information once it has been determined to be a reverse shell process, the detection method also traces the reverse shell process back to its source.

Description

Rebound shell process detection method, device, equipment and storage medium
Technical Field
Embodiments of the invention relate to the field of computer technology, and in particular to a method, a device, equipment and a storage medium for detecting a reverse shell process (the term "rebound shell" in the title of this document denotes a reverse shell).
Background
A reverse shell is a technique commonly used during penetration testing. In an enterprise environment, protective measures such as firewalls usually make it infeasible for an attacker to connect from the attacker's machine to a port on the target machine, and the reverse shell technique was devised in response. In a reverse shell, the control end listens on a TCP/IP port, the controlled end actively initiates a connection to that listening port, and the output of executed commands is sent to the remote control end, thereby circumventing the firewall's restriction. The attacker then runs an exploit program through the remotely obtained shell to escalate privileges and gain full control of the server or remote host. In the course of implementing the invention, the inventor found at least the following technical problem in the prior art: existing reverse shell detection techniques can counter current reverse shell attacks, but cannot trace the attack to its source, so their detection results are of limited use.
Disclosure of Invention
Embodiments of the invention provide a method, a device, equipment and a storage medium for detecting a reverse shell process, so as to detect the reverse shell process and trace it to its source.
In a first aspect, an embodiment of the present invention provides a method for detecting a reverse shell process, including:
acquiring a process to be detected;
acquiring the file description content corresponding to a set file descriptor of the process to be detected, and judging, according to that file description content, whether the process to be detected is a reverse shell process; and
when the process to be detected is a reverse shell process, extracting the source information of the process to be detected so that the process can be blocked according to that source information.
In a second aspect, an embodiment of the present invention further provides a reverse shell process detecting apparatus, including:
a to-be-detected process acquiring module, configured to acquire the process to be detected;
a reverse shell process judging module, configured to acquire the file description content corresponding to a set file descriptor of the process to be detected and to judge, according to that file description content, whether the process to be detected is a reverse shell process; and
a reverse shell process blocking module, configured to extract, when the process to be detected is a reverse shell process, the source information of the process to be detected so that the process can be blocked according to that source information.
In a third aspect, an embodiment of the present invention further provides a computer device, including:
one or more processors; and
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method for detecting a reverse shell process provided by any embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the method for detecting a reverse shell process according to any embodiment of the present invention.
An embodiment of the invention acquires a process to be detected; acquires the file description content corresponding to a set file descriptor of that process and judges from it whether the process is a reverse shell process; and, when it is, extracts the source information of the process so that the process can be blocked according to that source information. Because blocking is based on the source information of the process once it has been determined to be a reverse shell process, source-tracing detection of the reverse shell process is achieved.
Drawings
Fig. 1 is a flowchart of a method for detecting a reverse shell process according to a first embodiment of the present invention;
Fig. 2a is a flowchart of a method for detecting a reverse shell process according to a second embodiment of the present invention;
Fig. 2b is a schematic diagram illustrating the characteristics of some reverse shell processes according to the second embodiment of the present invention;
Fig. 3 is a flowchart of a method for detecting a reverse shell process according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a reverse shell process detecting apparatus according to a fourth embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a computer device according to a fifth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of a method for detecting a reverse shell process according to a first embodiment of the present invention. The embodiment is applicable to determining whether a process is a reverse shell process. The method can be executed by a reverse shell process detection device, which can be implemented in software and/or hardware and may, for example, be configured in a computer device. As shown in Fig. 1, the method includes:
S110, acquiring the process to be detected.
In this embodiment, the actions of currently running shell programs may be captured from the kernel of the operating system in use, and a captured shell process is taken as the process to be detected. Taking Linux as an example, shell processes can be enumerated through the virtual file system mounted at /proc. This virtual file system contains one directory per process, named by the process identifier (PID), through which the information of the running process can be viewed. For example, the current processes may be obtained from the kernel and examined to find bash processes, and a reverse shell process is then detected from the characteristics of the bash process.
S120, acquiring the file description content corresponding to a set file descriptor of the process to be detected, and judging, according to that file description content, whether the process to be detected is a reverse shell process.
Analysis of currently common attack methods shows that reverse shells do not have the same characteristics in every scenario. For example, some reverse shells are connected through a pipe, in which case descriptors 0 and 1 both point to a pipe. For other reverse shells (for example bash, Python, Perl, nc and PHP reverse shells), the input and output handles of the bash process on the target machine are both redirected to the remote socket; when, instead, the remote input stream is redirected into /bin/bash through a pipe, the characteristics of the host process differ slightly. The judging scheme for reverse shells can therefore be determined from the current reverse shell mechanisms. Optionally, since each process has a plurality of file descriptors, a file descriptor associated with the reverse shell mechanism can be predetermined as the set file descriptor, and after the process to be detected is obtained, whether it is a reverse shell process is judged from the file description content corresponding to that set descriptor.
For example, the file descriptors pointing to the input handle and the output handle may be used as the set descriptors: the input file content corresponding to the input-handle descriptor of the process to be detected and the output file content corresponding to its output-handle descriptor are obtained, and whether the process is a reverse shell process is determined from the input file content and the output file content.
S130, when the process to be detected is a reverse shell process, extracting the source information of the process to be detected so that the process can be blocked according to the source information.
In this embodiment, when the process to be detected is a reverse shell process, its source information is extracted. Because bash can export its operation log, the source information of the process to be detected during bash operation is recorded in the system log, so that the process can be blocked according to the source information recorded there and further source-tracing analysis can be performed. The source information of the process to be detected may include fields such as its process identifier (PID), source identifier (source IP address) and port identifier. Optionally, blocking the process to be detected according to the source information means blocking it according to its PID.
Optionally, after the source information of the process to be detected has been extracted, alarm information may be generated from the source information and sent to an operator by text message or e-mail.
An embodiment of the invention acquires a process to be detected; acquires the file description content corresponding to the set file descriptors of that process and judges from it whether the process is a reverse shell process; and, when it is, extracts the source information of the process so that the process can be blocked according to that source information. Because blocking is based on the source information of the process once it has been determined to be a reverse shell process, source-tracing detection of the reverse shell process is achieved.
Example two
Fig. 2a is a flowchart of a method for detecting a reverse shell process according to a second embodiment of the present invention. This embodiment further refines the scheme above. As shown in Fig. 2a, the method comprises:
S210, acquiring the process to be detected.
S220, acquiring the input file content corresponding to the file descriptor of the process to be detected that points to its input handle, and the output file content corresponding to the file descriptor that points to its output handle.
In this embodiment, it is determined whether the process to be detected is a reverse shell. Optionally, this may be determined from the input handle and the output handle of the process to be detected. Generally, file descriptors 0, 1 and 2 of a shell process started normally from a terminal are a tty. A common reverse shell attack redirects both file descriptor 0 (the input handle) and file descriptor 1 (the output handle) to the remote socket connection.
Fig. 2b is a schematic diagram of the characteristics of some reverse shell processes according to the second embodiment of the present invention. In Fig. 2b, the tail of each arrow is a file descriptor of a normal shell process started from a terminal, and the arrow points to the corresponding file descriptor of a reverse shell process. As can be seen from Fig. 2b, file descriptors 0, 1 and 2 of the normal shell process all point to a tty, whereas file descriptors 0, 1 and 2 of some reverse shell processes point to /dev/tcp/ip/port or similar. Therefore, the input file content corresponding to the descriptor pointing to the input handle and the output file content corresponding to the descriptor pointing to the output handle can be obtained, and whether the process to be detected is a reverse shell process can be judged from them. Optionally, each file descriptor of the process to be detected can be viewed with the command "ll /proc/xxxx/fd", where "xxxx" is replaced by the process id, after which the file description content corresponding to each file descriptor of that process can be viewed. Illustratively, the file description content of each file descriptor of the process with process number 4733 can be viewed with "ll /proc/4733/fd". The content pointed to by file descriptor 0 is taken as the input file content, and the content pointed to by file descriptor 1 as the output file content.
S230, if the input file content and the output file content point to the same socket, judging that the process to be detected is a reverse shell process.
When the input file content and the output file content point to the same socket, the input and output handles of the process to be detected are associated with the same socket, and the process is judged to be a reverse shell process.
S240, if the input file content is redirected to the set pipe, further acquiring the candidate file content corresponding to the candidate file descriptors of the process to be detected, and judging from the candidate file content whether the process to be detected is a reverse shell process.
This embodiment also considers reverse shell processes executed through a pipe, whose characteristic is that the input and output handles are not associated with the same socket; instead, standard input (the input handle) is redirected to a pipe, and some other file descriptor is redirected to a socket. Therefore, this embodiment further detects whether the input file content is redirected to the set pipe. When the input file content is redirected to the pipe, the candidate file content corresponding to the candidate file descriptors is acquired, and whether the process to be detected is a reverse shell process is judged from that candidate file content. Optionally, the judgement is whether the candidate file content is redirected to a socket. It will be appreciated that the candidate file descriptors may be chosen according to the characteristics of actual reverse shells.
In an embodiment of the present invention, the candidate file descriptors include a first candidate descriptor, a second candidate descriptor and a third candidate descriptor, and acquiring the candidate file content corresponding to the candidate file descriptors of the process to be detected and judging from it whether the process is a reverse shell process includes: acquiring first candidate content corresponding to the first candidate descriptor, second candidate content corresponding to the second candidate descriptor and third candidate content corresponding to the third candidate descriptor, and, if at least one of the first, second and third candidate contents is redirected to a socket, judging that the process to be detected is a reverse shell process. Optionally, summarizing existing reverse shell processes, the characteristics of a reverse shell executed through a pipe are that standard input is redirected to a pipe and that a file descriptor redirected to a socket exists; so, when the input file content is redirected to a pipe, the first, second and third candidate contents are acquired in turn, and when any one of them is redirected to a socket, the process to be detected is judged to be a reverse shell process. Alternatively, the first candidate descriptor may be file descriptor 3, the second candidate descriptor file descriptor 4, and the third candidate descriptor file descriptor 5.
In addition, the candidate file content corresponding to a candidate descriptor is obtained in the same way as the input file content corresponding to the descriptor pointing to the input handle, which is not repeated here.
On the basis of the above scheme, acquiring the first, second and third candidate contents and judging that the process to be detected is a reverse shell process if at least one of them is redirected to a socket comprises the following steps: acquiring the first candidate content corresponding to the first candidate descriptor and judging whether it is redirected to a socket; if so, judging that the process to be detected is a reverse shell process; if not, acquiring the second candidate content corresponding to the second candidate descriptor and judging whether it is redirected to a socket; if so, judging that the process to be detected is a reverse shell process; and if not, acquiring the third candidate content corresponding to the third candidate descriptor and judging whether it is redirected to a socket, and if so, judging that the process to be detected is a reverse shell process.
Specifically, whether the candidate file content corresponding to each candidate descriptor is redirected to a socket may be determined sequentially in the order of the candidate descriptors. For example, the file description contents corresponding to file descriptors 3, 4, 5 and 6 may be checked in turn, and if any of them is redirected to a socket, the process to be detected may be considered a reverse shell process.
S250, when the process to be detected is a reverse shell process, determining the process identifier of the process to be detected from the content of the file redirected to the socket, and blocking the process according to the process identifier.
After the process to be detected has been determined to be a reverse shell process, source information is extracted from the file descriptor redirected to the socket, the source information of the process during bash operation is recorded in the system log, the process is blocked according to the source information recorded in the system log, and further source-tracing analysis is performed. The source information of the process to be detected may include its process identifier (PID). Optionally, the source information may be obtained by invoking the corresponding command. Taking CentOS as an example, the command lsof | grep sh can be executed to inspect process communication, and the source information of the process to be detected (including PID, source IP and port) is obtained from it.
In this embodiment, after the process identifier of the process to be detected has been obtained, the process is blocked directly by its process identifier, and tracing can be performed from the other source information. In one embodiment, the method further comprises: acquiring the start command parameters of the process to be detected and judging the starting environment of the process from them; and, if the starting environment is a webshell environment, acquiring the start command of the process to be detected, determining the location of the Trojan file from the start command, and removing the Trojan file. Specifically, tracing the process to be detected may be: judging whether the starting environment of the process is a webshell environment; if the process was started by a webshell, examining its start command, locating the Trojan file from the start command, and removing the Trojan. Whether the starting environment is a webshell environment is judged with system commands. Illustratively, the start command-line parameters can be examined with pstree -asp [pid] to determine whether the process to be detected was started by a webshell, and the start command of the process can be viewed with the command cat /proc/pid/cmdline.
In the method and device for detecting a reverse shell process, the file description content corresponding to the set file descriptors of the process to be detected is obtained and whether the process is a reverse shell process is determined from it; by checking the file description content of the set file descriptors in sequence, reverse shell processes created in different ways are all detected, and the detection accuracy for reverse shell processes is improved.
Example three
Fig. 3 is a flowchart of a method for detecting a reverse shell process according to a third embodiment of the present invention. This embodiment is a preferred embodiment based on the embodiments described above.
At present, reverse shell detection is mainly performed at the host layer by examining the terminal-attribute file descriptors of a program: if the standard input and standard output descriptors of the process both point to a socket connection, the process is judged to be a reverse shell. But the characteristics of reverse shells are not the same in all scenarios; for reverse shell connections made through a pipe, for example, descriptors 0 and 1 both point to a pipe. On the one hand, reverse shells take many forms, and if their process characteristics are not summarized accurately, many false alarms are generated and the monitoring scheme becomes unusable. On the other hand, if the process characteristics are not considered carefully, detections will also be missed. In addition, from an implementation standpoint, the technical cost and the cost of adaptation are high. Therefore, besides blocking the attack, tracing it to its source is also important.
To solve the prior-art problems of missed detection and inability to trace reverse shells to their source, this embodiment provides a method for detecting a reverse shell process, as shown in Fig. 3, comprising:
S310, acquiring the current process.
The current processes are acquired and examined to find bash processes, and a reverse shell is detected from the characteristics of the bash process. Optionally, judging whether a process is a bash process may proceed from two directions: 1. capturing the actions of the shell program from the kernel; 2. querying the running shell programs. Consider the /proc directory under Linux: this directory is called a virtual file system and contains a set of directories named by process id, through which the information of the currently running processes can be viewed.
In one embodiment, the execution actions of shell processes can be captured from the kernel while the terminal attributes of the process are acquired at the same time, and shell processes are selected on the basis of those attributes. It will be appreciated that each process has a process control block in the kernel that maintains the process's information. Illustratively, all processes can be traversed with the kernel's for_each_process iterator, where the task_struct->comm field of each process structure holds the process name; a name of bash or sh indicates a shell process.
S320, judging whether the input and output of the process are a socket connection.
Optionally, each file descriptor of the bash process can be viewed with the command ll /proc/xxxx/fd. Whether the input and output of the process are a socket connection is judged from file descriptor 0 and file descriptor 1.
If the input and output of the process are a socket connection, S340 is executed; if not, S330 is executed.
S330, judging whether fd 0 is a pipe and whether any fd ≥ 3 is redirected to a socket.
In this embodiment, an fd is formally a non-negative integer: an index into the table of open files that the kernel maintains for each process.
According to analysis of currently common attack methods, the input and output handles of the bash process on the target machine are both redirected to the remote socket for bash, Python, Perl, nc and PHP reverse shells and the like; however, when the remote input stream is redirected into /bin/bash through a pipe, the characteristics of the host process differ slightly. Therefore, whether a process is a reverse shell process can be judged as follows: if the input and output handles are associated with the same socket, a reverse shell is considered to exist; if standard input is redirected to a pipe, file descriptors 3, 4, 5, 6 and so on are checked in turn, and if a file descriptor redirected to a socket exists, the process can be regarded as a reverse shell process.
If fd 0 is a pipe and some fd ≥ 3 is redirected to a socket, S340 is executed; otherwise S360 is executed, which obtains the parent, child and sibling processes of the process so that the judgement can be repeated on them.
S340, extracting the IP and port, raising an alarm, and recording them in syslog.
In this embodiment, syslog is the system log or system record, a standard for passing log messages over Internet Protocol (TCP/IP) networks. Specifically, fields such as PID, source IP and port are extracted from the socket file descriptor found in S330, an alarm is raised, and the fields are recorded in the log. Since bash-4.1, bash has supported sending its operation log out through syslog; this is enabled by editing the config-top.h file and uncommenting the SYSLOG_HISTORY definition.
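As an added example (not code from the patent or its assignee), the following Python applies the descriptor rules of S230/S240 and S330 to the fd map read from /proc/<pid>/fd and resolves the socket inode to the remote IP and port through /proc/net/tcp, as S340 requires. The function names, the sample descriptor maps and the /proc/net/tcp line are constructed, and the inode lookup covers only IPv4 TCP (IPv6 would need /proc/net/tcp6 handled the same way).

```python
# Added example: reverse-shell detection over /proc, following the rules of
# S230/S240 and S330/S340 in this patent. Not code from the patent or its
# assignee; function names and the sample data are my own constructions.
import os
import re
from typing import Dict, List, Optional, Tuple

SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")
PIPE_RE = re.compile(r"^pipe:\[(\d+)\]$")
CANDIDATE_FDS = (3, 4, 5, 6)   # descriptors checked after a piped stdin (S240/S330)
SHELL_NAMES = ("bash", "sh", "dash", "zsh")

def classify_fds(fds: Dict[int, str]) -> Optional[int]:
    """Return the inode of the socket that marks `fds` as a reverse shell, else None.
    `fds` maps descriptor number -> readlink target of /proc/<pid>/fd/<n>."""
    in_sock = SOCKET_RE.match(fds.get(0, ""))
    out_sock = SOCKET_RE.match(fds.get(1, ""))
    # Rule 1 (S230): stdin and stdout are the same socket.
    if in_sock and out_sock and in_sock.group(1) == out_sock.group(1):
        return int(in_sock.group(1))
    # Rule 2 (S240/S330): stdin is a pipe and one of fd 3..6 is a socket.
    if PIPE_RE.match(fds.get(0, "")):
        for fd in CANDIDATE_FDS:
            m = SOCKET_RE.match(fds.get(fd, ""))
            if m:
                return int(m.group(1))
    return None

def parse_proc_net_tcp(text: str) -> Dict[int, Tuple[str, int]]:
    """Map socket inode -> (remote IPv4, remote port) from /proc/net/tcp text."""
    table: Dict[int, Tuple[str, int]] = {}
    for line in text.splitlines()[1:]:          # first line is the header
        cols = line.split()
        if len(cols) < 10:
            continue
        rem_hex, port_hex = cols[2].split(":")
        # The kernel prints the address as a host-order u32, so on little-endian
        # hosts the octets appear reversed: "0102000A" is 10.0.2.1.
        octets = [int(rem_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
        table[int(cols[9])] = (".".join(map(str, octets)), int(port_hex, 16))
    return table

def read_fds(pid: int) -> Dict[int, str]:
    """Read the /proc/<pid>/fd symlinks; descriptors that vanish mid-scan are skipped."""
    fds: Dict[int, str] = {}
    fd_dir = f"/proc/{pid}/fd"
    try:
        names = os.listdir(fd_dir)
    except OSError:
        return fds
    for name in names:
        try:
            fds[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue
    return fds

def alert_record(pid: int, comm: str, inode: int,
                 remote: Optional[Tuple[str, int]]) -> str:
    """Build the syslog-style line carrying the source information of S340."""
    ip, port = remote if remote else ("unknown", 0)
    return f"reverse_shell pid={pid} comm={comm} inode={inode} src_ip={ip} src_port={port}"

def scan_shells() -> List[str]:
    """Walk /proc (Linux only), test every shell process, return alert lines."""
    with open("/proc/net/tcp") as f:
        remotes = parse_proc_net_tcp(f.read())
    alerts = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue                            # process exited during the walk
        if comm not in SHELL_NAMES:
            continue
        inode = classify_fds(read_fds(pid))
        if inode is not None:
            alerts.append(alert_record(pid, comm, inode, remotes.get(inode)))
    return alerts

# Constructed sample data, not captured from a real host.
SAMPLE_DIRECT = {0: "socket:[91017]", 1: "socket:[91017]", 2: "socket:[91017]"}
SAMPLE_PIPED = {0: "pipe:[88001]", 1: "pipe:[88002]", 2: "pipe:[88002]", 3: "socket:[91017]"}
SAMPLE_TTY = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}
SAMPLE_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when "
    "retrnsmt   uid  timeout inode\n"
    "   0: 0F02000A:B6E2 0102000A:115C 01 00000000:00000000 00:00000000 "
    "00000000  1000        0 91017 1 0000000000000000 20 4 30 10 -1\n"
)
```

A socket whose peer has already disconnected is no longer listed in /proc/net/tcp, which is why alert_record tolerates a missing remote endpoint and still reports the PID for blocking.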
S350: block the process by means of a blocking module.
In this embodiment a third-party process blocking module can be integrated, or a blocking module can be developed around kill -9 pid as its core statement. On this basis, the blocking module can kill the process directly by its pid; or it can determine the starting environment of the rebound shell: if the rebound shell was started by a webshell, the start command of the current shell is viewed with cat /proc/pid/cmdline, the location of the Trojan file is found from it, and the Trojan is removed.
In this embodiment of the invention, a relatively comprehensive detection scheme is obtained by finely dividing the attack scenarios, so that missed detections of rebound shells are avoided; in addition, the bash log is forwarded through syslog and the shell process is killed by the process blocking module, so that detection, disposal and tracing of rebound shell attacks are all realized.
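The following is an added example, written for this page and not code from the patent or its applicants, of the socket check that precedes S330, the pipe check of S330 and the IP/port extraction of S340. The checks are pure functions over a map of file descriptor to link target (what `/proc/<pid>/fd` symlinks resolve to) and over the lines of `/proc/net/tcp`, so they can be exercised on constructed input; a small Linux-only wrapper reads the real `/proc` entries. It goes slightly beyond the text in decoding the remote address from `/proc/net/tcp`, which the patent only describes as "extract ip and port". All function names, the sample inodes and the sample addresses are assumptions.

```python
# Added example (not code from the patent): S320/S330/S340 as pure functions over a
# constructed fd map and constructed /proc/net/tcp lines, plus a Linux wrapper that
# reads the real /proc entries.  Function names and sample values are my own.
import os
import re
import socket
import struct
from typing import Dict, List, Optional, Tuple

SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")
PIPE_RE = re.compile(r"^pipe:\[(\d+)\]$")
CANDIDATE_FDS = (3, 4, 5, 6)  # descriptors examined in S330 when stdin is a pipe

# Constructed sample data (not captured from a real host).
SAMPLE_FDS_SAME_SOCKET = {0: "socket:[12345]", 1: "socket:[12345]", 2: "socket:[12345]"}
SAMPLE_FDS_PIPED = {0: "pipe:[777]", 1: "/dev/null", 2: "/dev/null", 3: "socket:[12345]"}
# /proc/net/tcp: local 127.0.0.1:35930, remote 10.0.0.5:4444, state 01 (ESTABLISHED), inode 12345
SAMPLE_NET_TCP = [
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 0100007F:8C5A 0500000A:115C 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1",
]

def classify(target: str) -> Tuple[str, Optional[int]]:
    """Map a /proc/<pid>/fd link target to ('socket', inode), ('pipe', inode) or ('other', None)."""
    m = SOCKET_RE.match(target)
    if m:
        return "socket", int(m.group(1))
    m = PIPE_RE.match(target)
    if m:
        return "pipe", int(m.group(1))
    return "other", None

def find_rebound_socket(fds: Dict[int, str]) -> Optional[int]:
    """Socket check plus S330 over an fd -> link-target map; returns the socket inode
    if the process looks like a rebound shell, otherwise None."""
    kind_in, inode_in = classify(fds.get(0, ""))
    kind_out, inode_out = classify(fds.get(1, ""))
    # stdin and stdout attached to the same socket (bash/python/perl/nc/php style)
    if kind_in == "socket" and kind_out == "socket" and inode_in == inode_out:
        return inode_in
    # S330: stdin is a pipe (remote stream piped into /bin/bash); look at fds 3..6
    if kind_in == "pipe":
        for fd in CANDIDATE_FDS:
            kind, inode = classify(fds.get(fd, ""))
            if kind == "socket":
                return inode
    return None

def _decode_addr(hex_addr: str) -> Tuple[str, int]:
    """'0500000A:115C' -> ('10.0.0.5', 4444).  /proc/net/tcp stores the IPv4 address in
    host byte order, assumed little-endian here (x86, arm64); the port is big-endian hex."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def lookup_peer(inode: int, net_tcp_lines: List[str]) -> Optional[Tuple[str, int]]:
    """S340: resolve a socket inode to its remote (ip, port) via /proc/net/tcp lines."""
    for line in net_tcp_lines:
        parts = line.split()
        if len(parts) < 10 or not parts[0].endswith(":"):
            continue  # header line or malformed row
        if parts[9] == str(inode):
            return _decode_addr(parts[2])
    return None

def build_alert(pid: int, fds: Dict[int, str], net_tcp_lines: List[str], cmdline: str = "") -> Optional[dict]:
    """Combine the checks: the record to alarm on and log (S340), or None if the process is clean."""
    inode = find_rebound_socket(fds)
    if inode is None:
        return None
    peer = lookup_peer(inode, net_tcp_lines)  # None for IPv6 peers (/proc/net/tcp6 not read here)
    ip, port = peer if peer else (None, None)
    return {"pid": pid, "inode": inode, "ip": ip, "port": port, "cmdline": cmdline}

def scan_live_process(pid: int) -> Optional[dict]:
    """Linux only: apply build_alert to a real pid by reading /proc (not used by the offline demo)."""
    fd_dir = f"/proc/{pid}/fd"
    fds = {}
    for name in os.listdir(fd_dir):
        try:
            fds[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor closed between listdir and readlink
    with open("/proc/net/tcp") as f:
        net_tcp = f.read().splitlines()
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        cmdline = ""
    return build_alert(pid, fds, net_tcp, cmdline)

if __name__ == "__main__":
    print(build_alert(4242, SAMPLE_FDS_PIPED, SAMPLE_NET_TCP, "/bin/bash"))
```

The S360 walk over parent, child and sibling processes and the S350 blocking module are not part of this example. Reading `/proc/<pid>/fd` of another user's process requires root (or the same uid), and `/proc/net/tcp` only lists sockets in the reader's network namespace, so a scanner running on the host will not resolve the peer of a process inside a container unless it reads that process's own `/proc/<pid>/net/tcp`.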
Example four
Fig. 4 is a schematic structural diagram of a rebound shell process detection apparatus according to a fourth embodiment of the present invention. The rebound shell process detection apparatus can be implemented in software and/or hardware and can, for example, be configured in a computer device. As shown in Fig. 4, the apparatus includes a to-be-detected process obtaining module 410, a rebound shell process judging module 420 and a rebound shell process blocking module 430, wherein:
the to-be-detected process obtaining module 410 is configured to obtain a process to be detected;
the rebound shell process judging module 420 is configured to obtain the file description content corresponding to a set file descriptor of the process to be detected, and to judge according to the file description content whether the process to be detected is a rebound shell process;
the rebound shell process blocking module 430 is configured, when the process to be detected is a rebound shell process, to extract the source information of the process to be detected, so that the process can be blocked according to the source information.
In the embodiment of the invention, the to-be-detected process obtaining module obtains the process to be detected; the rebound shell process judging module obtains the file description content corresponding to the set file descriptors of the process to be detected and judges from it whether the process is a rebound shell process; and the rebound shell process blocking module, when the process is a rebound shell process, extracts its source information so that the process can be blocked according to that information. Blocking based on the source information once the process has been identified as a rebound shell process thus realizes source-based detection of rebound shell processes.
Optionally, on the basis of the foregoing scheme, the rebound shell process judging module 420 includes:
a file content acquisition unit, used for acquiring the input file content corresponding to the file descriptor that the process to be detected points at its input handle and the output file content corresponding to the file descriptor that the process to be detected points at its output handle;
and a socket judging unit, used for judging that the process to be detected is a rebound shell process if the input file content and the output file content point to the same socket.
Optionally, on the basis of the foregoing scheme, the rebound shell process judging module 420 further includes:
a candidate content judging unit, used for continuing to acquire the candidate file content corresponding to the candidate file descriptors of the process to be detected if the input file content is redirected to a set pipe, and for judging whether the process to be detected is a rebound shell process according to the candidate file content.
Optionally, on the basis of the foregoing scheme, the candidate file descriptors include a first candidate descriptor, a second candidate descriptor and a third candidate descriptor, and the candidate content judging unit is specifically configured to:
acquire first candidate content corresponding to the first candidate descriptor, second candidate content corresponding to the second candidate descriptor and third candidate content corresponding to the third candidate descriptor, and, if at least one of the first candidate content, the second candidate content and the third candidate content is redirected to a socket, judge that the process to be detected is a rebound shell process.
Optionally, on the basis of the foregoing scheme, the candidate content judging unit is specifically configured to:
acquire the first candidate content corresponding to the first candidate descriptor, judge whether the first candidate content is redirected to a socket, and, if it is, judge that the process to be detected is a rebound shell process;
if the first candidate content is not redirected to a socket, acquire the second candidate content corresponding to the second candidate descriptor, judge whether the second candidate content is redirected to a socket, and, if it is, judge that the process to be detected is a rebound shell process;
and if the second candidate content is not redirected to a socket, acquire the third candidate content corresponding to the third candidate descriptor, judge whether the third candidate content is redirected to a socket, and, if it is, judge that the process to be detected is a rebound shell process.
Optionally, on the basis of the above scheme, the source information includes a process identifier, and the rebound shell process blocking module 430 is specifically configured to:
determine the process identifier of the process to be detected according to the content of the file redirected to the socket, and block the process to be detected according to the process identifier.
Optionally, on the basis of the above scheme, the rebound shell process blocking module 430 is further configured to:
acquire the start command parameters of the process to be detected, and judge the starting environment of the process to be detected according to the start command parameters;
and, if the starting environment is a server port authority environment, acquire the start instruction of the process to be detected, determine the location of the Trojan file based on the start instruction, and remove the Trojan file.
The rebound shell process detection device provided by the embodiment of the invention can execute the rebound shell process detection method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Example five
Fig. 5 is a schematic structural diagram of a computer device according to a fifth embodiment of the present invention. FIG. 5 illustrates a block diagram of an exemplary computer device 512 suitable for use in implementing embodiments of the present invention. The computer device 512 shown in FIG. 5 is only an example and should not bring any limitations to the functionality or scope of use of embodiments of the present invention.
As shown in FIG. 5, computer device 512 is in the form of a general purpose computing device. Components of computer device 512 may include, but are not limited to: one or more processors 516, a system memory 528, and a bus 518 that couples the various system components including the system memory 528 and the processors 516.
Bus 518 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and processor 516, or a local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, micro-channel architecture (MAC) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Computer device 512 typically includes a variety of computer system readable media. Such media can be any available media that is accessible by computer device 512 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 528 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM)530 and/or cache memory 532. The computer device 512 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage 534 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 5, and commonly referred to as a "hard drive"). Although not shown in FIG. 5, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 518 through one or more data media interfaces. Memory 528 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 540 having a set (at least one) of program modules 542, including but not limited to an operating system, one or more application programs, other program modules, and program data, may be stored in, for example, the memory 528, each of which examples or some combination may include an implementation of a network environment. The program modules 542 generally perform the functions and/or methods of the described embodiments of the invention.
The computer device 512 may also communicate with one or more external devices 514 (e.g., keyboard, pointing device, display 524, etc.), with one or more devices that enable a user to interact with the computer device 512, and/or with any devices (e.g., network card, modem, etc.) that enable the computer device 512 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 522. Also, computer device 512 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via network adapter 520. As shown, the network adapter 520 communicates with the other modules of the computer device 512 via the bus 518. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the computer device 512, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processor 516 executes various functional applications and data processing by running a program stored in the system memory 528, for example implementing the rebound shell process detection method provided by the embodiment of the present invention, which includes:
acquiring a process to be detected;
acquiring the file description content corresponding to the set file descriptor of the process to be detected, and judging according to the file description content whether the process to be detected is a rebound shell process;
and, when the process to be detected is a rebound shell process, extracting the source information of the process to be detected so as to block the process to be detected according to the source information.
Of course, those skilled in the art will understand that the processor can also implement the technical solution of the rebound shell process detection method provided by any embodiment of the present invention.
Example six
The sixth embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the rebound shell process detection method provided in the sixth embodiment of the present invention, which includes:
acquiring a process to be detected;
acquiring the file description content corresponding to the set file descriptor of the process to be detected, and judging according to the file description content whether the process to be detected is a rebound shell process;
and, when the process to be detected is a rebound shell process, extracting the source information of the process to be detected so as to block the process to be detected according to the source information.
Of course, the computer program stored on the computer-readable storage medium provided by the embodiments of the present invention is not limited to the method operations described above, and may also perform operations related to the rebound shell process detection method provided by any embodiment of the present invention.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A method for detecting a rebound shell process is characterized by comprising the following steps:
acquiring a process to be detected;
acquiring the file description content corresponding to the set file descriptor of the process to be detected, and judging according to the file description content whether the process to be detected is a rebound shell process;
and when the process to be detected is a rebound shell process, extracting the source information of the process to be detected so as to block the process to be detected according to the source information.
2. The method according to claim 1, wherein the obtaining of the file description content corresponding to the set file descriptor of the process to be detected and the determining of whether the process to be detected is a rebound shell process according to the file description content comprises:
acquiring input file content corresponding to the file descriptor pointing to the input handle by the process to be detected and output file content corresponding to the file descriptor pointing to the output handle by the process to be detected;
and if the input file content and the output file content point to the same socket, judging that the process to be detected is a rebound shell process.
3. The method of claim 2, further comprising:
and if the input file content is redirected to a set pipeline, continuously acquiring the candidate file content corresponding to the candidate file descriptor of the process to be detected, and judging whether the process to be detected is a rebound shell process or not according to the candidate file content.
4. The method according to claim 3, wherein the candidate file descriptors include a first candidate descriptor, a second candidate descriptor and a third candidate descriptor, and the obtaining of candidate file contents corresponding to the candidate file descriptors of the process to be detected and the determining, according to the candidate file contents, of whether the process to be detected is a rebound shell process comprise:
acquiring first candidate content corresponding to the first candidate descriptor, second candidate content corresponding to the second candidate descriptor and third candidate content corresponding to the third candidate descriptor, and, if at least one of the first candidate content, the second candidate content and the third candidate content is redirected to a socket, determining that the process to be detected is a rebound shell process.
5. The method according to claim 4, wherein the acquiring of first candidate content corresponding to the first candidate descriptor, second candidate content corresponding to the second candidate descriptor and third candidate content corresponding to the third candidate descriptor, and, if at least one of the first candidate content, the second candidate content and the third candidate content is redirected to a socket, the determining that the process to be detected is a rebound shell process comprises:
acquiring the first candidate content corresponding to the first candidate descriptor, judging whether the first candidate content is redirected to a socket, and, if it is, judging that the process to be detected is a rebound shell process;
if the first candidate content is not redirected to a socket, acquiring the second candidate content corresponding to the second candidate descriptor, judging whether the second candidate content is redirected to a socket, and, if it is, judging that the process to be detected is a rebound shell process;
if the second candidate content is not redirected to a socket, acquiring the third candidate content corresponding to the third candidate descriptor, judging whether the third candidate content is redirected to a socket, and, if it is, judging that the process to be detected is a rebound shell process.
6. The method according to claim 5, wherein the source information includes a process identifier, and the extracting the source information of the process to be detected to block the process to be detected according to the source information includes:
and determining the process identification of the process to be detected according to the content of the file redirected to the socket, and blocking the process to be detected according to the process identification.
7. The method of claim 6, further comprising:
acquiring a starting command parameter of the process to be detected, and judging a starting environment of the process to be detected according to the starting command parameter;
and if the starting environment is a server port authority environment, acquiring a starting instruction of the process to be detected, determining the position of the Trojan file based on the starting instruction, and clearing the Trojan file.
8. A rebound shell process detection apparatus, comprising:
a to-be-detected process obtaining module, used for obtaining a process to be detected;
a rebound shell process judging module, used for obtaining the file description content corresponding to the set file descriptor of the process to be detected, and for judging according to the file description content whether the process to be detected is a rebound shell process;
and a rebound shell process blocking module, used for extracting the source information of the process to be detected when the process to be detected is a rebound shell process, so as to block the process to be detected according to the source information.
9. A computer device, the device comprising:
one or more processors;
storage means for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the rebound shell process detection method of any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the rebound shell process detection method according to any one of claims 1 to 7.
CN202010627419.5A 2020-07-01 2020-07-01 Rebound shell process detection method, device, equipment and storage medium Pending CN113761527A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010627419.5A CN113761527A (en) 2020-07-01 2020-07-01 Rebound shell process detection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113761527A true CN113761527A (en) 2021-12-07

Family

ID=78785461

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010627419.5A Pending CN113761527A (en) 2020-07-01 2020-07-01 Rebound shell process detection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113761527A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111988302A (en) * 2020-08-14 2020-11-24 苏州浪潮智能科技有限公司 Method, system, terminal and storage medium for detecting rebound program
CN114244599A (en) * 2021-12-15 2022-03-25 杭州默安科技有限公司 Method for interfering malicious program
CN114722396A (en) * 2022-05-18 2022-07-08 北京长亭未来科技有限公司 Method, system and equipment for detecting rebound Shell process
CN115801305A (en) * 2022-09-08 2023-03-14 武汉思普崚技术有限公司 Network attack detection and identification method and related equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130080399A1 (en) * 2011-09-26 2013-03-28 International Business Machines Corporation Dynamically redirecting a file descriptor
CN107423119A (en) * 2017-03-31 2017-12-01 合肥民众亿兴软件开发有限公司 A kind of running software system and its operation method
CN107423622A (en) * 2017-07-04 2017-12-01 上海高重信息科技有限公司 A kind of method and system for detecting and taking precautions against bounce-back shell
CN110166420A (en) * 2019-03-28 2019-08-23 江苏通付盾信息安全技术有限公司 Rebound shell blocking-up method and device
CN110287696A (en) * 2018-03-19 2019-09-27 华为技术有限公司 A kind of detection method, device and the equipment of the shell process that rebounds

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination