CN114861182A - Method, device and medium for detecting rebound shell attack - Google Patents

Method, device and medium for detecting rebound shell attack

Info

Publication number
CN114861182A
Authority
CN
China
Prior art keywords
shell
shell process
suspicious
detecting
file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210576271.6A
Other languages
Chinese (zh)
Inventor
徐扬赫
胡涛涛
许仁浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd
Priority to CN202210576271.6A
Publication of CN114861182A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection

Abstract

The application discloses a method, a device and a medium for detecting reverse shell attacks (rendered as "rebound shell" in the title), in the technical field of computers. To improve the accuracy of detecting reverse shell processes, the method marks a shell process as suspicious if its file descriptor is connected to a remote socket, either directly or through a pipe, then performs further data analysis on the suspicious shell process to judge whether it behaves abnormally. This multi-stage screening improves the accuracy of reverse shell detection: a process is no longer judged to be a reverse shell solely because a file descriptor is redirected to a remote socket, and the problem that a reverse shell which hides the socket behind a pipe goes undetected is solved.

Description

Method, device and medium for detecting rebound shell attack
Technical Field
The present application relates to the field of computer technologies, and in particular to a method, an apparatus and a medium for detecting a reverse shell attack.
Background
When the controlled host is restricted by a firewall, has insufficient privileges, or has its ports occupied, an attacker typically uses a reverse shell: the compromised host connects back to the attacker's own host, and remote control is carried out through redirection of standard input and output. In a Linux system a file descriptor is an integer handle that the system allocates to track an open file; it is in essence a file handle, and read and write operations on the file are performed through it. Each file opened after a process starts receives the next descriptor number in sequence. Every new process inherits the file descriptors of its parent, so all shell commands have three descriptors by default: standard input, standard output and standard error. The shell sits between the operating system and the application program as the interface between them; it interprets the command input of the application program to the operating system and interprets the result of the operating system's processing back to the application program. The shell provides the ability for user interaction and is essentially a command interpreter. Linux allows standard input and output to be reassigned to other files, sockets or pipes, and the reverse shell command achieves remote control of the controlled host by redirecting standard input and output. There are many ways to implement a reverse shell, but all of them ultimately connect out to the intruding host through a socket or a pipe.
At present, to prevent remote control of a host, file processes are monitored and the corresponding file descriptor is checked for redirection to a socket; if the current file descriptor is redirected to a socket, the process is judged to be a reverse shell. Many reverse shells now hide the socket connection, for example by inserting a layer of pipe first, so that the socket no longer appears among the file descriptors. In this case the reverse shell process is not detected.
Therefore, how to improve the accuracy of detecting reverse shell processes is a technical problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The application aims to provide a method for detecting reverse shell attacks that improves the accuracy of detecting reverse shell processes.
To solve the above technical problem, the present application provides a method for detecting a reverse shell attack, including:
capturing user processes and screening out the shell processes to be tested;
screening, according to the file descriptors of each shell process to be tested, the shell processes that meet a preset condition and marking them as suspicious shell processes, where the preset condition is that the file descriptor is connected to a remote socket, or is connected to the remote socket through a pipe;
analyzing whether the suspicious shell process is abnormal;
and if so, marking the current suspicious shell process as a reverse shell process.
Preferably, in the method for detecting a reverse shell attack, screening the shell processes that meet the preset condition according to their file descriptors and marking them as suspicious shell processes includes:
judging whether the file descriptor is connected through a socket;
if the file descriptor is connected through a socket, judging whether the file descriptor is redirected to the remote socket;
if the file descriptor is redirected to the remote socket, marking the current shell process to be tested as a suspicious shell process;
if the file descriptor is not connected through a socket, judging whether the file descriptor is connected through a layer of pipe;
if the file descriptor is connected through a pipe, proceeding to the step of judging whether the file descriptor is redirected to the remote socket;
if the file descriptor is not connected through a pipe, judging whether the file descriptor is connected through another pipe;
and if the file descriptor is connected through another pipe, marking the current shell process to be tested as a suspicious shell process.
Preferably, in the method for detecting a reverse shell attack, analyzing whether the suspicious shell process is abnormal includes:
analyzing whether the traffic transmitted by the suspicious shell process contains preset data information, whether a command executed by the suspicious shell process contains a prohibited instruction, and whether the suspicious shell process tampers with an important file or generates a malicious file;
and if so, proceeding to the step of marking the current suspicious shell process as a reverse shell process.
Preferably, in the method for detecting a reverse shell attack, capturing user processes and screening out the shell processes to be tested includes:
traversing the processes in the proc folder;
judging whether each process is a shell process;
if so, judging whether the process name of the shell process matches a preset shell process name;
and if so, marking the current shell process as a shell process to be tested.
Preferably, the method for detecting a reverse shell attack further includes, after marking the current suspicious shell process as a reverse shell process:
reporting the information of the reverse shell process through a logging system, terminating the reverse shell process and the other processes related to it, and removing the files generated by the reverse shell process.
Preferably, in the method for detecting a reverse shell attack, the pipe includes an anonymous pipe and a pipe file (a named pipe, FIFO).
Preferably, in the method for detecting a reverse shell attack, the file descriptors include the standard input descriptor and the standard output descriptor.
To solve the above technical problem, the present application further provides a device for detecting a reverse shell attack, including:
a screening module, used to capture user processes and screen out the shell processes to be tested;
a judging module, used to screen, according to the file descriptors of each shell process to be tested, the shell processes that meet a preset condition and mark them as suspicious shell processes, where the preset condition is that the file descriptor is connected to a remote socket, or is connected to the remote socket through a pipe;
an analysis module, used to analyze whether the suspicious shell process is abnormal and, if so, to trigger the marking module;
and a marking module, used to mark the current suspicious shell process as a reverse shell process.
To solve the above technical problem, the present application further provides a device for detecting a reverse shell attack, including:
a memory for storing a computer program;
and a processor for implementing the steps of the above method for detecting a reverse shell attack when the computer program is executed.
To solve the above technical problem, the present application further provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of the above method for detecting a reverse shell attack.
The method for detecting a reverse shell attack provided by the application comprises the following steps: capturing user processes and screening out the shell processes to be tested; screening, according to their file descriptors, the shell processes that meet the preset condition and marking them as suspicious shell processes, where the preset condition is that the file descriptor is connected to a remote socket, either directly or through a pipe; analyzing whether the suspicious shell process is abnormal; and if so, marking the current suspicious shell process as a reverse shell process. With this method, a process whose file descriptor is connected to a remote socket directly or through a pipe is marked as a suspicious shell process, further data analysis is performed on it to judge whether it is abnormal, and the multi-stage screening improves the accuracy of reverse shell detection: a process is no longer judged to be a reverse shell solely because a file descriptor is redirected to a remote socket, and reverse shell processes that hide the socket behind a pipe are no longer missed.
In addition, the application also provides a device and a medium corresponding to the method, which have the same effect.
Drawings
To illustrate the embodiments of the present application more clearly, the drawings needed for the embodiments are briefly described below. The drawings described here show only some embodiments of the present application; those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a flowchart of a method for detecting a reverse shell attack according to an embodiment of the present application;
Fig. 2 is a flowchart of another method for detecting a reverse shell attack according to an embodiment of the present application;
Fig. 3 is a flowchart of another method for detecting a reverse shell attack according to an embodiment of the present application;
Fig. 4 is a schematic diagram of an apparatus for detecting a reverse shell attack according to an embodiment of the present application;
Fig. 5 is a structural diagram of another apparatus for detecting a reverse shell attack according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present application, not all of them; all other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present application.
The core of the application is to provide a method for detecting reverse shell attacks.
So that those skilled in the art may better understand the disclosure, a detailed description is given below with reference to the accompanying drawings.
A reverse shell means that the target initiates a request to a port on the attacker's server, the standard input and output of the target's command-line shell are sent over that connection, and the server obtains the content through its listening port. The reverse shell corresponds to standard shells such as telnet and ssh and is essentially a reversal of the client and server roles of the network concept. It is generally used when the controlled host is restricted by a firewall, has insufficient privileges, or has its ports occupied. Generally speaking, a reverse shell is an intrusion behavior: the local host actively connects to a remote attacker, so that the attacker obtains an execution environment on the local host and can execute arbitrary commands.
In a Linux system a file descriptor is an integer handle that the system allocates to track an open file; it is in essence a file handle, and read and write operations on the file are performed through it. Each file opened after a process starts receives the next descriptor number in sequence. Every new process inherits the file descriptors of its parent, so all shell commands have three descriptors by default: standard input, standard output and standard error. The shell sits between the operating system and the application program as the interface between them; it interprets the command input of the application program to the operating system and interprets the result of the operating system's processing back to the application program. The shell provides the ability for user interaction and is essentially a command interpreter. Linux allows standard input and output to be reassigned to other files, sockets or pipes, and the reverse shell command achieves remote control of the controlled host by redirecting standard input and output.
To detect reverse shell processes in time, prevent a host from being compromised, improve the protection capability of the system, and stop an attacker from remotely executing commands, escalating privileges and installing a backdoor program, an embodiment of the present application provides a method for detecting a reverse shell attack that is applied to a Linux system. Fig. 1 is a flowchart of this method, and as shown in fig. 1 the method includes:
step S11: capturing a user process and screening out a shell process to be tested;
and screening out the currently running shell process in the host machine so as to carry out targeted screening analysis.
Step S12: screening the shell process to be tested meeting preset conditions according to the file descriptor in the shell process to be tested, and marking the shell process to be tested as a suspicious shell process, wherein the preset conditions are that the file descriptor is connected to a remote socket or the file descriptor is connected to the remote socket through a pipeline;
for a process, the first three of the file descriptors are the most important, namely the standard input descriptor, the standard output descriptor and the standard error output descriptor, and in order to realize the closed-loop feedback, a hacker needs to hijack at least the first two of the three descriptors. By detecting the standard input descriptor and the standard output descriptor, the detection range is reduced, but the detection accuracy is not reduced.
Based on the analysis of the attack means commonly used at present, the rebound shell characteristics of all scenes are not the same. For example, if some bounce shells are connected through a pipe, then descriptors 0, 1 point to pipe at the same time. However, the input and output handles of the bash process on the target drone corresponding to the partial bounce shell (e.g., bash bounce, Python bounce, Perl bounce, nc bounce, PHP bounce, etc.) are all redirected to the remote socket, but the remote input stream is redirected to/bin/bash through the pipeline, and the corresponding host process characteristics are slightly different. I.e. hide the socket through the pipe.
Therefore, the preset condition mentioned in the present embodiment is that the standard input descriptor and the standard output descriptor are both connected to the remote socket or that the standard input descriptor and the standard output descriptor are both connected to the remote socket through the pipe. And if the standard input descriptor and the standard output descriptor all necessarily meet preset conditions, the current process can be marked as a suspicious shell process. The specific flow of detection is not limited in this embodiment, and the standard input descriptor and the standard output descriptor may be determined at the same time, or one of them may be determined first, and the other one is determined after the condition is satisfied, and the determination is not continued if the condition is not satisfied.
Step S13: analyzing whether the suspicious shell process is abnormal or not; if yes, go to step S14;
when the detected shell detection meets the preset condition, the detected shell detection is marked as a suspicious shell process, the suspicious shell detection is further detected, whether the current suspicious shell process is abnormal or not is judged, the judging condition for judging whether the suspicious shell detection is abnormal or not is not particularly limited in the embodiment, and the method can be designed according to actual needs. For example, whether the traffic characteristics of the current suspicious shell process are abnormal or not is judged, whether the behavior of the current suspicious shell process is abnormal or not is judged, and the like.
Step S14: and marking the current suspicious shell process as a rebound shell process.
If the suspicious shell detection has abnormity, the suspicious shell process is marked as rebound shell detection, and the embodiment does not limit what operation needs to be carried out after the rebound shell process is detected, and the design can be carried out according to actual needs. For example, the data information of the rebounding shell process is reported through a log system; or directly clearing the rebound shell process; and sending alarm information, and inquiring rebound shell detection information and the like by a worker.
Specifically, a user process is captured and a shell process to be tested is screened out; screening a shell process to be tested meeting preset conditions according to a file descriptor in the shell process to be tested, and marking the shell process to be tested as a suspicious shell process, wherein the preset conditions are that the file descriptor is connected to a remote socket or the file descriptor is connected to the remote socket through a pipeline; analyzing whether the suspicious shell process is abnormal or not; and if the suspicious shell process is abnormal, marking the current suspicious shell process as a rebound shell process.
According to the method for detecting the rebound shell attack, if the file descriptor is connected to the remote socket or the file descriptor is connected to the remote socket through the pipeline, the file is marked as a suspicious shell process, further data analysis is carried out on the suspicious shell process, whether abnormity exists in the suspicious shell process is judged, the accuracy rate of detecting the rebound shell is improved through multiple screening, the situation that the remote socket is redirected only through judging the file descriptor and is judged as the rebound shell is avoided, and the problem that the rebound shell process of hiding the socket through the pipeline is not detected is caused.
Building on the above embodiment, step S12, in which the shell processes meeting the preset condition are screened according to their file descriptors and marked as suspicious shell processes, may specifically include:
Step S21: judging whether the file descriptor is connected through a socket; if so, go to step S22, otherwise go to step S24;
Step S22: judging whether the file descriptor is redirected to the remote socket; if so, go to step S23;
Step S23: marking the current shell process to be tested as a suspicious shell process;
Step S24: judging whether the file descriptor is connected through a layer of pipe; if so, go to step S22; if not, go to step S25;
Step S25: judging whether the file descriptor is connected through another pipe; if so, go to step S23.
In this embodiment the shell processes to be tested that were screened out in step S11 are screened further. Step S21 judges whether the file descriptor is connected through a socket. If so, step S22 judges whether the file descriptor is redirected to a remote socket, and if it is, the current shell process to be tested is marked as a suspicious shell process. If not, step S24 judges whether the file descriptor is connected through a layer of pipe; if so, the socket connection is hidden behind that pipe, and step S22 judges whether the file descriptor is redirected to a remote socket, marking the current shell process to be tested as suspicious if it is. If step S24 finds that the file descriptor is not connected through one layer of pipe, the method continues to judge whether it is connected through another layer of pipe, that is, a further pipe-connection check is performed; if it is, the descriptor is by default assumed to be hijacked, and the method goes directly to step S23 to mark the current shell process to be tested as a suspicious shell process.
Preferably, the pipe mentioned in this embodiment includes two forms, an anonymous pipe and a pipe file (a named pipe, FIFO), so that more deeply hidden reverse shell processes are detected and the detection accuracy is improved.
Through the scheme provided by this embodiment it is determined whether the file descriptor is connected to the remote socket directly or through a pipe. Preferably, the file descriptors referred to in this embodiment are the standard input descriptor and the standard output descriptor. Checking only these two descriptors narrows the detection scope without reducing detection accuracy. The exact order of checks is not limited in this embodiment: the two descriptors may be checked at the same time, or one may be checked first and the other only after the first satisfies the condition, with the check stopping as soon as the condition is not met.
Building on the foregoing embodiments, this embodiment provides a preferred scheme for judging whether the current suspicious shell process is abnormal. Step S13, analyzing whether the suspicious shell process is abnormal, includes:
Step S31: analyzing whether the traffic transmitted by the suspicious shell process contains preset data information, or whether a command executed by the suspicious shell process contains a prohibited instruction, or whether the suspicious shell process tampers with an important file or generates a malicious file; if so, go to step S14 and mark the current suspicious shell process as a reverse shell process.
Of the three conditions in this embodiment (the traffic transmitted by the suspicious shell process contains preset data information; a command executed by the suspicious shell process contains a prohibited instruction; the suspicious shell process tampers with an important file or generates a malicious file), meeting any one is enough to judge the suspicious shell process abnormal and proceed to step S14, where it is marked as a reverse shell process.
Preferably, after step S12 has screened the shell processes meeting the preset condition according to their file descriptors and marked them as suspicious shell processes, the method further includes:
recording the data of the suspicious shell process, comprising its process name, PID, running time and the associated files it generates.
After the relevant data has been recorded, the method proceeds to step S31:
specifically, the traffic transmitted by the suspicious shell process during its operation is inspected, and the current suspicious shell process is marked as a reverse shell process as soon as the traffic is found to contain important data or machine information;
at the same time, the commands executed by the suspicious shell process are monitored for prohibited instructions, and the current suspicious shell process is marked as a reverse shell process as soon as a command is found to contain the signature of a prohibited instruction;
and at the same time, the behavior of the suspicious shell process is monitored to judge whether it operates on important files without authorization or generates malicious files, and the current suspicious shell process is marked as a reverse shell process as soon as abnormal behavior is detected.
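The second-stage analysis of step S31 over the record kept after step S12, as an added Python example that is not the patent's own code. The marker strings, prohibited-instruction signatures, important-file list, drop directories and the two process records are constructed placeholders for the preset data the patent leaves to deployment policy; any one triggered condition is enough to mark the process (step S14).

```python
import re
from dataclasses import dataclass, field

# Constructed policy standing in for the patent's "preset data information",
# "prohibited instruction feature codes" and "important files".
MACHINE_INFO_MARKERS = ["db-prod-01", "root:x:0:0:"]   # hostname, /etc/passwd content
PROHIBITED_CMD_RE = [re.compile(p) for p in (r"/etc/shadow\b", r"\bLD_PRELOAD=", r"\bcrontab\b")]
IMPORTANT_FILES = {"/etc/passwd", "/etc/shadow", "/etc/crontab", "/root/.ssh/authorized_keys"}
SUSPECT_DROP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


@dataclass
class SuspiciousShell:
    """Record kept after step S12: name, PID, runtime, generated files, plus observed activity."""
    name: str
    pid: int
    runtime_s: float
    generated_files: list = field(default_factory=list)   # (path, is_executable)
    sent_data: list = field(default_factory=list)         # outbound payloads (bytes)
    commands: list = field(default_factory=list)          # command lines executed
    file_writes: list = field(default_factory=list)       # paths written or deleted


def check_traffic(rec):
    """Condition 1: transmitted traffic carries important data or machine information."""
    hits = [m for d in rec.sent_data for m in MACHINE_INFO_MARKERS if m.encode() in d]
    return f"traffic carries machine/important data: {hits}" if hits else None


def check_commands(rec):
    """Condition 2: an executed command matches a prohibited-instruction signature."""
    hits = [c for c in rec.commands if any(r.search(c) for r in PROHIBITED_CMD_RE)]
    return f"prohibited instruction signature in: {hits}" if hits else None


def check_files(rec):
    """Condition 3: an important file is touched or an executable is dropped in a scratch dir."""
    touched = [p for p in rec.file_writes if p in IMPORTANT_FILES]
    dropped = [p for p, x in rec.generated_files if x and p.startswith(SUSPECT_DROP_DIRS)]
    if touched or dropped:
        return f"important files touched {touched}, executables dropped {dropped}"
    return None


def analyze(rec):
    """Step S31: the list of triggered reasons; the conditions are OR-ed."""
    return [r for r in (check_traffic(rec), check_commands(rec), check_files(rec)) if r]


def is_reverse_shell(rec):
    """Step S14 decision: any triggered condition marks the process."""
    return bool(analyze(rec))


# Constructed records for two shells that both passed the step S12 descriptor screen.
REC_ATTACK = SuspiciousShell("bash", 200, 42.0,
                             generated_files=[("/dev/shm/.x", True)],
                             sent_data=[b"Linux db-prod-01 5.15.0 x86_64\n"],
                             commands=["uname -a", "cat /etc/shadow"],
                             file_writes=["/dev/shm/.x"])
REC_BENIGN = SuspiciousShell("bash", 400, 3.5,
                             generated_files=[("/var/log/job.log", False)],
                             sent_data=[b"backup finished: 12 files\n"],
                             commands=["tar czf /backup/etc.tgz /etc"],
                             file_writes=["/backup/etc.tgz"])
```

REC_BENIGN models a scripted job whose stdin and stdout happened to sit on pipes: it passed the first screen but trips none of the three conditions, which is exactly the false positive the second stage exists to remove.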
This embodiment provides a specific scheme for step S11. Capturing user processes and screening out the shell processes to be tested includes:
traversing the processes in the proc folder;
judging whether each process is a shell process;
if so, judging whether the process name of the shell process matches a preset shell process name;
and if so, marking the current shell process as a shell process to be tested.
First, all processes in the proc folder are traversed; in a Linux system each numbered folder under this directory corresponds to a process. After traversing and inspecting the proc folder, all shell processes to be tested are screened out. Specifically, all shell programs supported by the system are first obtained from the /etc/shells file, then the name of each current process is compared with the shell names, and a process whose name matches a shell name is recorded as a shell process to be tested.
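The screening of step S11 together with the descriptor checks of steps S21 to S25, as an added Python example that is not the patent's own code. It runs over a constructed /proc-style snapshot and a constructed /proc/net/tcp excerpt embedded below, resolves socket inodes to their remote peers and pipe inodes to the process at the far end of the pipe, and flags a shell only when both stdin and stdout match; the process names, inodes and addresses are constructed, and on a live host the snapshot would be built from /proc/PID/comm and readlink on /proc/PID/fd/0 and /proc/PID/fd/1.

```python
import os
import re
from dataclasses import dataclass

# Constructed /etc/shells of the monitored host (source of shell names for S11).
ETC_SHELLS = """# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/bin/zsh
"""

# Constructed /proc/net/tcp excerpt. Addresses are little-endian hex IPv4:port,
# st 01 = ESTABLISHED, 0A = LISTEN, the tenth column is the socket inode.
# Inode 31337 is an established connection from 10.0.0.10:40000 to 10.0.0.5:4444.
PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40001 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:9C40 0500000A:115C 01 00000000:00000000 00:00000000 00000000  1000        0 31337 1 0000000000000000 20 4 30 10 -1
"""

@dataclass
class Proc:
    pid: int
    comm: str   # contents of /proc/PID/comm
    fds: dict   # fd number -> readlink("/proc/PID/fd/N"), e.g. "socket:[31337]"

LINK_RE = re.compile(r"^(socket|pipe):\[(\d+)\]$")

def link(target):
    """('socket', inode) or ('pipe', inode) for a /proc fd symlink target, else (None, None)."""
    m = LINK_RE.match(target or "")
    return (m.group(1), int(m.group(2))) if m else (None, None)

def shell_names(etc_shells):
    """S11: basenames of the login shells listed in /etc/shells."""
    return {os.path.basename(l.strip()) for l in etc_shells.splitlines()
            if l.strip() and not l.startswith("#")}

def remote_tcp_peers(proc_net_tcp):
    """Map socket inode -> 'ip:port' of the remote end, ESTABLISHED sockets only."""
    peers = {}
    for line in proc_net_tcp.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 10 or cols[3] != "01":
            continue
        rem_hex, port_hex = cols[2].split(":")
        ip = ".".join(str(int(rem_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        peers[int(cols[9])] = f"{ip}:{int(port_hex, 16)}"
    return peers

def pipe_peers(proc, inode, snapshot):
    """Other processes holding the same pipe inode, i.e. the far end of the pipe."""
    return [p for p in snapshot if p.pid != proc.pid and any(link(t) == ("pipe", inode) for t in p.fds.values())]

def classify_fd(proc, fd, snapshot, peers):
    """S21-S25 for one descriptor: a reason string if it matches, else None."""
    kind, ino = link(proc.fds.get(fd))
    if kind == "socket":                      # S21: connected through a socket
        return "socket" if ino in peers else None   # S22: is it a remote socket?
    if kind != "pipe":                        # tty or regular file: no match
        return None
    far = pipe_peers(proc, ino, snapshot)     # S24: one layer of pipe
    far_links = [link(t) for p in far for t in p.fds.values()]
    if any(k == "socket" and i in peers for k, i in far_links):
        return "pipe->socket"                 # S22 on the far end: remote socket
    # S25: the far end holds yet another pipe. The patent marks this suspicious
    # by default; benign shell pipelines also look like this, so tune accordingly.
    if any(k == "pipe" and i != ino for k, i in far_links):
        return "pipe->pipe"
    return None

def screen_snapshot(snapshot, etc_shells=ETC_SHELLS, proc_net_tcp=PROC_NET_TCP):
    """Return {pid: 'stdin-reason/stdout-reason'} for suspicious shell processes."""
    shells = shell_names(etc_shells)
    peers = remote_tcp_peers(proc_net_tcp)
    flagged = {}
    for proc in snapshot:
        if proc.comm not in shells:           # S11: only login shells are tested
            continue
        r0 = classify_fd(proc, 0, snapshot, peers)
        r1 = classify_fd(proc, 1, snapshot, peers)
        if r0 and r1:                         # S12: both stdin and stdout must match
            flagged[proc.pid] = f"{r0}/{r1}"
    return flagged

# Constructed snapshot of /proc (comm plus fd symlink targets) on one host.
SNAPSHOT = [
    Proc(100, "bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),            # interactive login
    Proc(200, "bash", {0: "socket:[31337]", 1: "socket:[31337]", 2: "socket:[31337]"}),  # stdio on remote socket
    Proc(300, "sh", {0: "pipe:[7001]", 1: "pipe:[7002]", 2: "pipe:[7002]"}),             # socket hidden behind pipes...
    Proc(301, "python3", {0: "/dev/null", 1: "/dev/null", 3: "socket:[31337]", 4: "pipe:[7001]", 5: "pipe:[7002]"}),  # ...held by the pipe peer
    Proc(400, "bash", {0: "pipe:[7010]", 1: "pipe:[7011]"}),                           # two pipe layers: S25 default
    Proc(401, "cat", {0: "pipe:[7012]", 1: "pipe:[7010]"}),
    Proc(402, "cat", {0: "pipe:[7011]", 1: "pipe:[7013]"}),
    Proc(500, "bash", {0: "pipe:[7020]", 1: "/var/log/job.log"}),                      # stdout to a file: not flagged
    Proc(501, "cat", {0: "/srv/job.sh", 1: "pipe:[7020]"}),
    Proc(600, "sshd", {0: "socket:[31337]", 1: "socket:[31337]"}),                     # not a shell: skipped at S11
    Proc(700, "bash", {0: "socket:[40002]", 1: "socket:[40002]"}),                     # inode absent from tcp table: not remote
]
```

Unix-domain sockets also appear as socket:[inode] but have no /proc/net/tcp entry, so they are treated as not remote here; IPv6 peers need the same parse applied to /proc/net/tcp6.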
This embodiment provides a specific scheme for step S14. After marking the current suspicious shell process as a reverse shell process, the method further includes:
reporting the information of the reverse shell process through a logging system, terminating the reverse shell process and the other processes related to it, and removing the files generated by the reverse shell process.
Reporting the reverse shell process information through the logging system lets an administrator conveniently review the detection result; terminating the reverse shell process and its related processes and removing the files it generated secures the operation of the host and improves the protection capability of the system.
In the foregoing embodiment, a method for detecting a bounce shell attack is described in detail, and the present application also provides an embodiment corresponding to an apparatus for detecting a bounce shell attack. It should be noted that the present application describes the embodiments of the apparatus portion from two perspectives, one from the perspective of the function module and the other from the perspective of the hardware.
Fig. 4 is a schematic diagram of an apparatus for detecting a rebound shell attack according to an embodiment of the present application. As shown in fig. 4, the apparatus includes:
the screening module 41, used for capturing user processes and screening out the shell processes to be tested;
the judging module 42, configured to screen, according to the file descriptors of a shell process to be tested, the shell processes to be tested that meet a preset condition and mark them as suspicious shell processes, where the preset condition is that a file descriptor is connected to a remote socket or is connected to the remote socket through a pipe;
the analysis module 43, used for analyzing whether a suspicious shell process is abnormal and, if so, triggering the marking module 44;
and the marking module 44, used for marking the current suspicious shell process as a rebound shell process.
Specifically, the screening module 41 captures user processes and screens out the shell processes to be tested; the judging module 42 screens, according to the file descriptors of a shell process to be tested, the shell processes that meet the preset condition and marks them as suspicious shell processes, the preset condition being that a file descriptor is connected to a remote socket directly or through a pipe; the analysis module 43 analyzes whether a suspicious shell process is abnormal; if so, it triggers the marking module 44, which marks the current suspicious shell process as a rebound shell process.
With the apparatus for detecting a rebound shell attack provided by this embodiment, a shell process whose file descriptor is connected to a remote socket, directly or through a pipe, is marked as a suspicious shell process, and the suspicious shell process is then subjected to further data analysis to judge whether it is abnormal. This multi-stage screening improves the accuracy of rebound shell detection and avoids the shortcoming of judging a rebound shell solely from a file descriptor redirected to a remote socket, which misses rebound shell processes that hide the socket behind a pipe.
Since the apparatus embodiments correspond to the method embodiments, refer to the description of the method embodiments for details; they are not repeated here.
Fig. 5 is a structural diagram of another apparatus for detecting a rebound shell attack according to an embodiment of the present application. As shown in fig. 5, the apparatus for detecting a rebound shell attack includes: a memory 50 for storing a computer program;
and a processor 51, configured to implement the steps of the method for detecting a rebound shell attack described in the above embodiments when executing the computer program.
The apparatus for detecting a rebound shell attack provided by this embodiment may include, but is not limited to, a smartphone, a tablet computer, a laptop computer or a desktop computer.
The processor 51 may include one or more processing cores, such as a 4-core or 8-core processor. The processor 51 may be implemented in hardware using at least one of a Digital Signal Processor (DSP), a Field-Programmable Gate Array (FPGA) and a Programmable Logic Array (PLA). The processor 51 may also include a main processor and a coprocessor, where the main processor handles data in the awake state and is also called the Central Processing Unit (CPU), and the coprocessor is a low-power processor that handles data in the standby state. In some embodiments, the processor 51 may be integrated with a Graphics Processing Unit (GPU), which renders and draws the content to be shown on the display screen. In some embodiments, the processor 51 may further include an Artificial Intelligence (AI) processor for computational operations related to machine learning.
The memory 50 may include one or more computer-readable storage media, which may be non-transitory. The memory 50 may also include high-speed random access memory and non-volatile memory, such as one or more magnetic disk storage devices or flash memory storage devices. In this embodiment, the memory 50 is at least used to store a computer program 501 which, after being loaded and executed by the processor 51, implements the relevant steps of the method for detecting a rebound shell attack disclosed in any of the foregoing embodiments. In addition, the resources stored in the memory 50 may also include an operating system 502, data 503 and the like, stored transiently or permanently. The operating system 502 may be Windows, Unix, Linux, etc. The data 503 may include, but is not limited to, the data involved in carrying out the method for detecting a rebound shell attack.
In some embodiments, the apparatus for detecting a rebound shell attack may further include a display screen 52, an input/output interface 53, a communication interface 54, a power supply 55 and a communication bus 56.
Those skilled in the art will appreciate that the architecture shown in fig. 5 does not limit the apparatus for detecting a rebound shell attack, which may include more or fewer components than those shown.
The apparatus for detecting a rebound shell attack includes a memory and a processor, and the processor, when executing the program stored in the memory, can carry out the following method: according to the method for detecting a rebound shell attack, a shell process whose file descriptor is connected to a remote socket, directly or through a pipe, is marked as a suspicious shell process; further data analysis is then carried out on the suspicious shell process to judge whether it is abnormal. The multi-stage screening improves the accuracy of rebound shell detection and solves the problem that judging a rebound shell solely from a file descriptor redirected to a remote socket misses rebound shell processes that hide the socket behind a pipe.
Finally, the present application also provides a corresponding embodiment of a computer-readable storage medium. The computer-readable storage medium stores a computer program which, when executed by a processor, carries out the steps of the method for detecting a rebound shell attack described in the above embodiments.
It is to be understood that if the method in the above embodiments is implemented in the form of software functional units and sold or used as a stand-alone product, it can be stored in a computer-readable storage medium. On that understanding, the technical solution of the present application may be embodied as a software product, stored in a storage medium, that executes all or part of the steps of the methods described in the embodiments of the present application, or all or part of the technical solution. The storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
This embodiment provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the following method: according to the method for detecting a rebound shell attack, a shell process whose file descriptor is connected to a remote socket, directly or through a pipe, is marked as a suspicious shell process; further data analysis is then carried out on the suspicious shell process to judge whether it is abnormal. The multi-stage screening improves the accuracy of rebound shell detection and solves the problem that judging a rebound shell solely from a file descriptor redirected to a remote socket misses rebound shell processes that hide the socket behind a pipe.
The method, apparatus and medium for detecting a rebound shell attack provided by the present application have been described in detail above. The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts among the embodiments may be referred to one another. Since the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief and the relevant points can be found in the description of the method. It should be noted that those skilled in the art can make several improvements and modifications to the present application without departing from its principle, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in this specification, relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between them. Also, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to it. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article or apparatus that comprises the element.

Claims (10)

1. A method for detecting a rebound shell attack, comprising:
capturing user processes and screening out a shell process to be tested;
screening the shell process to be tested that meets a preset condition according to a file descriptor in the shell process to be tested, and marking it as a suspicious shell process, wherein the preset condition is that the file descriptor is connected to a remote socket or the file descriptor is connected to the remote socket through a pipe;
analyzing whether the suspicious shell process is abnormal;
and if so, marking the current suspicious shell process as a rebound shell process.
2. The method for detecting a rebound shell attack according to claim 1, wherein screening the shell process to be tested that meets the preset condition according to the file descriptor in the shell process to be tested and marking it as a suspicious shell process comprises:
judging whether the file descriptor is connected through a socket;
if the file descriptor is connected through a socket, judging whether the file descriptor is redirected to the remote socket;
if the file descriptor is redirected to the remote socket, marking the current shell process to be tested as a suspicious shell process;
if the file descriptor is not connected through a socket, judging whether the file descriptor is connected through one layer of pipe;
if the file descriptor is connected through the pipe, entering the step of judging whether the file descriptor is redirected to the remote socket;
if the file descriptor is not connected through the pipe, judging whether the file descriptor is connected through another pipe;
and if the file descriptor is connected through another pipe, marking the current shell process to be tested as the suspicious shell process.
3. The method for detecting a rebound shell attack according to claim 2, wherein analyzing whether the suspicious shell process is abnormal comprises:
analyzing whether the traffic transmitted by the suspicious shell process contains preset data information, whether the commands executed by the suspicious shell process contain a violating instruction, and whether the suspicious shell process tampers with an important file or generates a malicious file;
and if so, entering the step of marking the current suspicious shell process as a rebound shell process.
4. The method for detecting a rebound shell attack according to claim 2, wherein capturing user processes and screening out the shell process to be tested comprises:
traversing the processes in the /proc folder;
judging whether each process is a shell process;
if so, judging whether the process name of the shell process is consistent with a preset shell process name;
and if so, marking the current shell process as the shell process to be tested.
5. The method for detecting a rebound shell attack according to claim 1, wherein after marking the current suspicious shell process as a rebound shell process, the method further comprises:
reporting the information of the rebound shell process through a log system, clearing the rebound shell process and the other processes related to it, and clearing the files generated by the rebound shell process.
6. The method for detecting a rebound shell attack according to claim 1, wherein the pipe comprises: an anonymous pipe and a pipe file (named pipe, FIFO).
7. The method for detecting a rebound shell attack according to claim 1, wherein the file descriptor comprises: a standard input descriptor and a standard output descriptor.
8. An apparatus for detecting a rebound shell attack, comprising:
a screening module, used for capturing user processes and screening out a shell process to be tested;
a judging module, used for screening the shell process to be tested that meets a preset condition according to a file descriptor in the shell process to be tested and marking it as a suspicious shell process, wherein the preset condition is that the file descriptor is connected to a remote socket or the file descriptor is connected to the remote socket through a pipe;
an analysis module, used for analyzing whether the suspicious shell process is abnormal and, if so, triggering a marking module;
and the marking module, used for marking the current suspicious shell process as a rebound shell process.
9. An apparatus for detecting a rebound shell attack, comprising:
a memory for storing a computer program;
and a processor for implementing the steps of the method for detecting a rebound shell attack according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium storing a computer program which, when executed by a processor, carries out the steps of the method for detecting a rebound shell attack according to any one of claims 1 to 7.
CN202210576271.6A 2022-05-25 2022-05-25 Method, device and medium for detecting rebound shell attack Pending CN114861182A (en)

Publications (1)

Publication Number Publication Date
CN114861182A (en) 2022-08-05

Family

ID=82639031

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination