How to detect metasploit reverse shell?

G

gremlintv22018-08-07 09:57:59

iptables

gremlintv2, 2018-08-07 09:57:59

1) Will lsof -i help?
2) Can this backdoor be burned by an updated antivirus (clamav or others)? If yes, then how?
3) Can Snort (or other IDS) help to detect a backdoor? Are there universal rules for Snort?
4) How can iptables (or another fw) be used in this case, so as not to the detriment of site visitors to block such activity?
5) Will SElinux help out in this case?
6) how can such activity be burned through processes?
Thank you!
PS: I googled.. I searched... But the impressions from what I read are molten - some are glad that they created undetectable malware, others offer some kind of dances with a tambourine around tcpdump and filtering traffic by signatures, they offer a similar story in the case of Snort... IMHO: I'll wash nonsense. What can you advise from your experience?

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

P

PrAw, 2019-03-16
@gremlintv2

As a matter of fact, it won't work.
Options:
1. Thorough traffic spying with the help of systems that analyze giblets of packets and raise an alarm in case of any deviations.
For digging, this implies the requirement to decrypt any https traffic, that is, that little fun task. If the traffic could not be decrypted or inside is not what was expected - CUT.
A very expensive option. It will require hardware and software or a free + cool admin or a paid and not very cool admin.
2. Whitelists - where you can connect.
on 6:
most often it will resemble the typical operation of the system, therefore it is problematic.