Category: Linux
Please check these scan results.
Author information
- Posted by 사루쭌
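Post
Hello.
I am a beginner at systems administration.
I currently suspect that the server has been hacked. I have checked various things,
but I don't know how to resolve it, so I am asking here.
-Symptoms-
1. syslog is occasionally found to have been restarted
2. There are many access attempts from overseas
3. rkhunter information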
[17:09:44] Warning: Checking for prerequisites [ Warning ]
[17:09:44] The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in 'rkhunter --prop
[17:11:23] /sbin/ifdown [ Warning ]
[17:11:24] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[17:11:26] /sbin/ifup [ Warning ]
[17:11:31] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[17:17:58] /usr/bin/GET [ Warning ]
[17:17:59] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[17:18:01] /usr/bin/groups [ Warning ]
[17:18:02] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[17:18:26] /usr/bin/ldd [ Warning ]
[17:18:27] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[17:20:41] /usr/bin/whatis [ Warning ]
[17:20:43] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[18:27:52] Checking if SSH root access is allowed [ Warning ]
[18:27:54] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[18:27:58] Checking if SSH protocol v1 is allowed [ Warning ]
[18:31:58] Checking version of GnuPG [ Warning ]
[18:31:59] Warning: Application 'gpg', version '1.2.6', is out of date, and possibly a security risk
[18:32:02] Checking version of OpenSSL [ Warning ]
[18:32:03] Warning: Application 'openssl', version '0.9.7a', is out of date, and possibly a security risk.
[18:32:09] Checking version of OpenSSH [ Warning ]
[18:32:12] Warning: Application 'sshd', version '3.9p1', is out of date, and possibly a security risk.
[18:32:14] System checks summary
[18:32:14] =====================
[18:32:14]
[18:32:14] File properties checks...
[18:32:16] Required commands check failed
[18:32:16] Files checked: 138
[18:32:20] Suspect files: 6
[18:32:25]
[18:32:25] Rootkit checks...
[18:32:26] Rootkits checked : 390
[18:32:27] Possible rootkits: 0
[18:32:27]
[18:32:27] Applications checks...
[18:32:29] Applications checked: 4
[18:32:29] Suspect applications: 3
[18:32:30]
[18:32:30] The system checks took: 86 minutes and 59 seconds
Experts, please take a look.
Thank you.
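Added example, not part of the original post: one way to triage the "replaced by a script" warnings in the log above is to extract the flagged paths and check each against the package database. The function names are hypothetical, and an RPM-based system is an assumption the post does not state.

```shell
#!/bin/sh
# Added example (not from the original post): pull the "replaced by a script"
# warnings out of an rkhunter log and print a package-database check for each.
tab=$(printf '\t')

# Three warning lines and one summary line copied from the log in the post.
sample_log() {
cat <<'EOF'
[17:11:24] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[17:17:59] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[17:18:27] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[18:32:20] Suspect files: 6
EOF
}

# Reads an rkhunter log on stdin and prints "<path><TAB><file type>" for
# every command reported as replaced by a script.
script_warnings() {
    sed -n "s/^.*Warning: The command '\([^']*\)' has been replaced by a script: [^:]*: \(.*\)\$/\1${tab}\2/p"
}

# Prints, for each flagged path, the checks to run by hand.
# Assumption: RPM-based system. rpm -qf names the owning package and
# rpm -Vf verifies the files of that package against the RPM database.
rpm_checks() {
    script_warnings | while IFS="$tab" read -r path type; do
        printf 'rpm -qf %s && rpm -Vf %s   # seen as: %s\n' "$path" "$path" "$type"
    done
}

sample_log | rpm_checks
```

On a host that may be compromised, the local rpm binary and its database are themselves unverified, so run the printed checks with tools from trusted media where possible.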
Comments: 1
Comment by dslee
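After reviewing the secure log, xferlog, access_log and so on, if there are many accesses from a particular IP,
one option is to determine how that IP is getting in and then block that IP.
If there are many access attempts from overseas, you can configure the firewall so that access is allowed only from within the country.
If the server has reached a state where it cannot be recovered, you will have to try reinstalling the OS.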
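Added example, not part of the original thread: the secure-log review suggested in the comment above, as a script that ranks source IPs by failed SSH logins and prints candidate block rules for review. The function names, the threshold and the sample log lines are constructed for illustration; only IPv4 sources are handled.

```shell
#!/bin/sh
# Added example (not from the original thread): rank source IPs by failed
# SSH password attempts in a "secure" log.

# Constructed sample lines using documentation address ranges.
sample_secure() {
cat <<'EOF'
Mar  3 04:11:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 04:11:05 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Mar  3 04:11:09 host sshd[2105]: Failed password for invalid user from 10.0.0.1 from 203.0.113.7 port 40131 ssh2
Mar  3 04:12:40 host sshd[2110]: Failed password for root from 198.51.100.23 port 51515 ssh2
Mar  3 09:30:00 host sshd[2200]: Accepted password for admin from 192.0.2.10 port 50022 ssh2
EOF
}

# Prints "<count> <ip>" per source address, highest count first.
# The address is read relative to the END of the line ("from IP port N ssh2")
# because the user name is chosen by the client and may itself contain
# "from <address>", as in the third sample line.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / && NF > 5 &&
         $(NF-4) == "from" && $(NF-2) == "port" &&
         $(NF-3) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$(NF-3)]++ }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Prints an iptables rule for each address with at least $1 failures.
# The rules are printed for review, not applied.
block_candidates() {
    failed_by_ip | awk -v min="$1" \
        '$1 >= min { print "iptables -I INPUT -s " $2 " -j DROP" }'
}

sample_secure | failed_by_ip
sample_secure | block_candidates 3
```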