HIPS/3/ABNORMALSHELL

Message

HIPS/3/ABNORMALSHELL: The abnormal shell behavior has been detected. (eventCategory=[event-category], eventType=[event-type], level=[level], occurTime=[occur-time], result=[result], path=[shell-path], operationType=[operation-type], cmdline=[cmdline], type=[attribute-type], from=[old-attribute], to=[new-attribute], slot=[slot], card=[card], cpu=[cpu], barcode=[barcode])

In VS mode, this log is supported only by the admin VS.

Description

Abnormal shell behavior is detected. After intruding into the system, the attacker tampers with and copies the existing shell to bypass the device's security detection before establishing a reverse shell. This makes it easier to establish the control channel for the reverse shell.

Parameters

Parameter Name Parameter Meaning

event-category

Event classification:

1016: NE intrusion alarm

event-type

Event type. The options are as follows:

  • File privilege escalation
  • Unauthorized root user
  • Rootkit attack
  • Key file tampering
  • Shell file tampering

level

Event severity.

occur-time

Event date.

result

Operation result.

shell-path

Shell file path.

operation-type

Operation type.

cmdline

Command.

attribute-type

Attribute change type.

old-attribute

Old attribute.

new-attribute

New attribute.

slot

Slot ID.

card

Subcard ID.

cpu

CPU ID.

barcode

Barcode that uniquely identifies a board.
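
The following parser is an added example, not Huawei code. It splits a HIPS/3/ABNORMALSHELL line into the parameters listed above, matching each value up to the next known key so that a cmdline containing commas or equals signs stays in one field. The sample line and every value in it are constructed placeholders, and the function names are this example's own.

```python
import re

# Field order copied from the message template on this page.
FIELDS = ["eventCategory", "eventType", "level", "occurTime", "result",
          "path", "operationType", "cmdline", "type", "from", "to",
          "slot", "card", "cpu", "barcode"]

# Each value is matched lazily up to the next known key, so a cmdline that
# itself contains ", " or "=" stays in one piece (splitting on ", " would not).
_BODY = ", ".join(re.escape(k) + r"=(.*?)" for k in FIELDS)
_PATTERN = re.compile(r"HIPS/3/ABNORMALSHELL[^:]*:[^(]*\(" + _BODY + r"\)\s*$")


def parse_abnormal_shell(line):
    """Return the log's fields as a dict, or None if the line is another log."""
    m = _PATTERN.search(line)
    if m is None:
        return None
    return dict(zip(FIELDS, (v.strip() for v in m.groups())))


def board_key(rec):
    """Identify the affected board, for grouping repeated alarms."""
    return (rec["slot"], rec["card"], rec["cpu"], rec["barcode"])


def summarize(rec):
    """One line for the case record: what happened to which shell file."""
    return "%s: %s on %s (%s: %s -> %s) via %r" % (
        rec["occurTime"], rec["eventType"], rec["path"],
        rec["type"], rec["from"], rec["to"], rec["cmdline"])


# Constructed sample, not real device output; every value is a placeholder.
SAMPLE = ('HIPS/3/ABNORMALSHELL: The abnormal shell behavior has been detected. '
          '(eventCategory=1016, eventType=Shell file tampering, level=high, '
          'occurTime=2024-01-01 00:00:00, result=success, path=/bin/sh, '
          'operationType=copy, '
          'cmdline=sh -c "cp /bin/sh /tmp/sh_copy; echo done, rc=$?", '
          'type=path, from=/bin/sh, to=/tmp/sh_copy, '
          'slot=1, card=0, cpu=0, barcode=PLACEHOLDER0001)')

if __name__ == "__main__":
    rec = parse_abnormal_shell(SAMPLE)
    print(summarize(rec))
    print(board_key(rec))
```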

Possible Causes

Abnormal shell behavior occurs, such as shell copy, shell file attribute modification, and shell file content modification.

Procedure

Isolate the device from the network immediately and submit the log information to Huawei engineers for analysis.

Copyright © Huawei Technologies Co., Ltd.