A short connection is defined in contrast to a long connection: during data transmission a connection is established only when data needs to be sent, and it is torn down as soon as the transfer completes, so each connection carries a single transaction. In day-to-day system maintenance such connections are hard to notice; they are usually found only with the help of network security devices or packet-capture analysis.
One day the network administrator noticed on the egress WAF that a certain server kept sending requests to a Hong Kong IP, which seemed odd. He logged in to the server to check and wanted to find the process that was initiating the short connections.
Logging in to the server and listing ports and processes shows nothing abnormal. Only by re-running the connection listing many times does the connection occasionally show up; sometimes it appears only after the command has been repeated more than ten times. For such a short connection it is very difficult to capture the corresponding process and its source file.
Because it cannot be caught by hand or guessed at, I wrote a small script to capture the PID and source file corresponding to the short connection.
The script file is as follows:
#!/bin/bash
# Remote address seen on the WAF; every connection to it is tied back to its PID.
ip=118.184.15.40
i=1
while :
do
    # netstat -anplt prints "PID/Program" in the last column; split on "/" and keep the PID (column 7)
    tmp=$(netstat -anplt | grep "$ip" | awk -F '[/]' '{print $1}' | awk '{print $7}')
    if test -z "$tmp"
    then
        # nothing matched this round; count the attempt and poll again
        ((i=i+1))
    else
        for pid in $tmp; do
            echo "PID: ${pid}"
            # /proc/<pid>/exe is a symlink to the binary that opened the connection
            result=$(ls -lh /proc/"$pid" | grep exe)
            echo "Process: ${result}"
            kill -9 "$pid"
        done
        break
    fi
done
echo "Total number of times: ${i}"
The results of running it are as follows:
After running the script three times, the PID of the process making the short connection changes every time, but the script caught that the source file of the process initiating the abnormal connection is /usr/lib/nfsiod.
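A variant of the same hunt, added here as an example and not part of the original post: instead of polling netstat and splitting its text output, it reads /proc/net/tcp, decodes the little-endian hex addresses, and resolves each socket inode to a PID through /proc/<pid>/fd. The function names, the WATCH_IP variable and the sample row are my own and not from the article.

```shell
#!/bin/bash
# Added example, not the original post's script: catch the owner of a
# short-lived connection by reading /proc/net/tcp directly instead of
# polling netstat. Endpoints there are little-endian hex ("280FB876:0050"
# is 118.184.15.40:80 on x86); the inode column maps to /proc/<pid>/fd.

# "HEXIP:HEXPORT" -> "a.b.c.d:port" (IP bytes are stored back to front).
hex_to_addr() {
    echo "${1%%:*}" | sed 's/^\(..\)\(..\)\(..\)\(..\)$/0x\4 0x\3 0x\2 0x\1/' | {
        read -r b1 b2 b3 b4
        printf '%d.%d.%d.%d:%d' "$b1" "$b2" "$b3" "$b4" "0x${1##*:}"
    }
}

# Print "inode local remote" for each row of a /proc/net/tcp table ($1)
# whose remote IP is $2; the table is passed as text so samples can be fed in.
match_remote() {
    printf '%s\n' "$1" | while read -r sl loc rem st txrx trtm retr uid tmo inode rest; do
        [ "$sl" = "sl" ] && continue          # header row
        raddr=$(hex_to_addr "$rem")
        if [ "${raddr%%:*}" = "$2" ]; then
            printf '%s %s %s\n' "$inode" "$(hex_to_addr "$loc")" "$raddr"
        fi
    done
}

# Socket inode -> PID(s) holding it (root is needed to read other users' fds).
inode_to_pid() {
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
            p=${fd#/proc/}; echo "${p%%/*}"
        fi
    done | sort -u
}

# Poll until a connection to $1 appears, then log PID and executable path
# (the binary is left in place for analysis instead of being killed).
watch_ip() {
    while :; do
        match_remote "$(cat /proc/net/tcp)" "$1" | while read -r inode laddr raddr; do
            for pid in $(inode_to_pid "$inode"); do
                printf 'PID %s exe=%s %s -> %s\n' "$pid" "$(readlink "/proc/$pid/exe")" "$laddr" "$raddr"
            done
        done
        sleep 0.2
    done
}
# Constructed sample row in /proc/net/tcp format (not real capture data).
SAMPLE='   1: 0A00020F:B4D2 280FB876:0050 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1'
match_remote "$SAMPLE" 118.184.15.40   # -> 67890 15.2.0.10:46290 118.184.15.40:80
if [ -n "${WATCH_IP:-}" ]; then watch_ip "$WATCH_IP"; fi   # live use: WATCH_IP=118.184.15.40 ./watch.sh
```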
This article briefly introduces short connections and a technique for capturing the source file behind one. From a security administrator's perspective, we should strengthen the management of network security devices and use the network layer to find more of the security threats that are hard to detect at the system layer.
This article was originally published by Bypass; please keep the source when reprinting. Follow my personal WeChat official account, Bypass--, for more articles.