How do I review audit logs for reverse shell traffic?

Unfortunately, reviewing audit logs for reverse shell traffic can be very difficult. Seriously, some of the reverse shell techniques being used are quite stealthy. The best way is to first ensure that your firewall is locked down for both incoming and outgoing packets. Yes, you want to lock down the outgoing packets to only those ports and protocols that you really need to use. Also, you need to be logging your outgoing traffic for suspicious packets. For example, if you log your outgoing HTTP traffic and an attacker has managed to install a reverse shell that uses that port, the reverse shell packets should look rather different from real HTTP traffic. Detecting this attack is rather difficult on an automated basis and involves a lot of time to do by hand. You are probably better off examining the running processes on the systems you suspect might be compromised. Be aware though, if the attacker could install a reverse proxy, they probably installed a rootkit too and covered their tracks. They may have messed with the system tools that would tell you what processes are running.

Your best bet for detection is to have an IDS that is up to date with its intrusion-detection strings. Hopefully, the IDS vendor can identify the typical reverse shells that are being used and develop a way to detect their outgoing packets. Of course, if you aren't monitoring your outbound traffic, you are completely out of luck.
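The outbound-log review the answer describes (an egress allow-list, plus flagging traffic on port 80 that does not look like real HTTP, plus long upload-heavy sessions), as an added example that is not part of the original answer. The key=value record layout, the allow-list and the 600-second threshold are assumptions chosen for the illustration.

```python
import re

# Constructed sample records in a made-up key=value layout (not a real firewall format).
SAMPLE_LOG = """\
2004-05-03T09:12:01 src=10.0.0.5:51234 dst=203.0.113.7:80 dur=2 out=310 in=18250 head='GET / HTTP/1.1'
2004-05-03T09:12:09 src=10.0.0.5:51240 dst=203.0.113.7:443 dur=5 out=1024 in=40960 head='(tls)'
2004-05-03T09:15:44 src=10.0.0.9:40122 dst=198.51.100.23:80 dur=3600 out=52000 in=1400 head='uid=0(root)'
2004-05-03T09:16:02 src=10.0.0.9:40130 dst=198.51.100.23:4444 dur=1200 out=8000 in=600 head='sh-3.00#'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dsthost>[^:\s]+):(?P<dport>\d+) "
    r"dur=(?P<dur>\d+) out=(?P<bytes_out>\d+) in=(?P<bytes_in>\d+) head='(?P<head>[^']*)'$"
)
ALLOWED_PORTS = {53, 80, 443}   # assumed egress allow-list for this network
HTTP_METHODS = ("GET ", "POST ", "HEAD ", "PUT ", "OPTIONS ", "DELETE ")
LONG_SESSION = 600              # seconds; assumed threshold for "long-lived"

def parse_line(line):
    """Parse one record into a dict, or None if the line is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("dport", "dur", "bytes_out", "bytes_in"):
        rec[key] = int(rec[key])
    return rec

def suspicious_reasons(rec):
    """Return why a record looks like reverse-shell traffic (empty list if it does not)."""
    reasons = []
    if rec["dport"] not in ALLOWED_PORTS:
        reasons.append("egress port not in allow-list")
    if rec["dport"] == 80 and not rec["head"].startswith(HTTP_METHODS):
        reasons.append("non-HTTP payload on port 80")
    # An HTTP client downloads more than it uploads; a shell on the victim
    # streams command output outward for a long time, the opposite shape.
    if rec["dur"] >= LONG_SESSION and rec["bytes_out"] > rec["bytes_in"]:
        reasons.append("long-lived session with upload-heavy byte ratio")
    return reasons

def review_log(text):
    """Run the checks over every line and return (src, dst, reasons) for flagged records."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None and (reasons := suspicious_reasons(rec)):
            findings.append((rec["src"], f"{rec['dsthost']}:{rec['dport']}", reasons))
    return findings
```

Running `review_log(SAMPLE_LOG)` flags only the two 10.0.0.9 sessions; the first two records match normal browsing and pass every check.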

This was first published in May 2004