@cr0nx
Created October 7, 2024 12:20
Generic bpftrace-based RCE/webshell prevention technique for critical Linux network services: any process that a watched service (httpd, php-fpm, mysqld, java, ...) spawns via execve() is sent SIGKILL at syscall exit, so it is torn down before the new program executes its first userspace instruction. If for whatever reason you can't run it persistently, it is also useful as a system-wide 'virtual patching' method while a real fix is pending. It is a blunt policy: legitimate children of those services (CGI scripts, helper binaries called from PHP, processes started by a Java application) are killed as well, so confirm the service does not normally exec anything before enabling it. Because signal() is an unsafe bpftrace action, the script must be run with bpftrace --unsafe.
#!/usr/bin/env bpftrace
// signal() is an "unsafe" bpftrace action: run as `bpftrace --unsafe exec-guard.bt`.
// Record the caller's name on entry, keyed by PID: comm still names the caller here,
// but by sys_exit_execve it has already been replaced by the new program's name.
tracepoint:syscalls:sys_enter_execve
{
  @parent[pid] = comm;
}

// A successful execve (ret == 0) means the process now runs the new image; kill it
// if it was spawned by a watched service. Failed execve calls are ignored so a
// worker that merely tried and failed is not killed by mistake.
tracepoint:syscalls:sys_exit_execve
{
  $p = @parent[pid];
  if (args->ret == 0 && ($p == "httpd" || $p == "php-fpm" || $p == "mysqld" || $p == "java" || $p == "postjournal")) {
    printf("Killing %s (PID %d) spawned via execve() from %s\n", comm, pid, $p);
    signal(9);
  }
  // Always drop the per-PID entry so the map does not grow without bound.
  delete(@parent[pid]);
}
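To run the guard persistently, here is an added example of a systemd unit; it is not part of the gist, and the unit name, the script path /usr/local/sbin/exec-guard.bt and the bpftrace binary path are assumptions:

```ini
# /etc/systemd/system/exec-guard.service  (unit name and paths are assumptions)
[Unit]
Description=bpftrace execve() guard for network service workers
After=network.target

[Service]
Type=simple
# signal() is an unsafe bpftrace action, so --unsafe is mandatory here
ExecStart=/usr/bin/bpftrace --unsafe /usr/local/sbin/exec-guard.bt
# Restart on any exit so the policy does not silently lapse
Restart=always
RestartSec=2
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target
```

Enable it with `systemctl daemon-reload && systemctl enable --now exec-guard.service`, then watch kills with `journalctl -u exec-guard -f`; a quick functional check is to start a shell whose comm matches a watched name (for example `exec -a httpd bash -c '/bin/id'`) and confirm that `/bin/id` is killed and logged.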