Question about a hacking incident
Author information
- Posted by 이상봉
- Date posted
Content information
- 2,343 views
- 0 recommendations
Body
It's not a customer server, but one of our temporary servers got hacked ㅡ.ㅡ;
But I can't figure out how they got in. The website wasn't even running, so it doesn't look like it was a web injection
attack either. I set up ssh so that only root can log in, so it doesn't
look like it was sniffing either. And I set the ssh password so that a dictionary attack is practically
impossible. rkhunter and chkrootkit won't run either.
[root@localhost tmp]# rkhunter
Fatal error: can't find INSTALLDIR option in configuration file (/usr/local/etc/rkhunter.conf)
[root@localhost chkrootkit-0.45]# ./chkrootkit
ROOTDIR is `/'
./chkrootkit: line 2603: 13180 Done echo "${TROJAN}"
13181 Segmentation fault | ${egrep} "${L_REGEXP}$cmd${R_REGEXP}" >/dev/null 2>&1
Checking `amd'... c
./chkrootkit: line 2600: amd: command not found
./chkrootkit: line 2603: 13187 Done echo "${TROJAN}"
13188 Segmentation fault | ${egrep} "${L_REGEXP}$cmd${R_REGEXP}" >/dev/null 2>&1
Checking `basename'... c
basename: too few arguments
Try `basename --help' for more information.
./chkrootkit: line 2603: 13196 Done echo "${TROJAN}"
13197 Segmentation fault | ${egrep} "${L_REGEXP}$cmd${R_REGEXP}" >/dev/null 2>&1
Checking `biff'... c
./chkrootkit: line 2600: biff: command not found
./chkrootkit: line 2603: 13203 Done echo "${TROJAN}"
13204 Segmentation fault | ${egrep} "${L_REGEXP}$cmd${R_REGEXP}" >/dev/null 2>&1
Checking `chfn'... c
Changing finger information for root.
These are the files fcheck reported as changed when I ran it.
ADDITION: [localhost.localdomain] /etc/ppp/s/200.210.pscan.139
Inode Permissons Size Created On
1114537 -rw-r--r-- 2996 Aug 10 08:13 2005
ADDITION: [localhost.localdomain] /etc/ppp/s/200.210.smb.out
Inode Permissons Size Created On
1114540 -rw-r--r-- 180 Aug 10 08:14 2005
ADDITION: [localhost.localdomain] /etc/ppp/s/200.215.pscan.139
Inode Permissons Size Created On
1114539 -rw-r--r-- 2803 Aug 10 08:40 2005
ADDITION: [localhost.localdomain] /etc/ppp/s/200.215.smb
Inode Permissons Size Created On
1114541 -rw-r--r-- 0 Aug 10 08:40 2005
ADDITION: [localhost.localdomain] /etc/ppp/s/200.248.pscan.139
Inode Permissons Size Created On
1114510 -rw-r--r-- 2906 Aug 09 13:48 2005
ADDITION: [localhost.localdomain] /etc/ppp/s/200.248.smb.out
Inode Permissons Size Created On
1114516 -rw-r--r-- 139 Aug 09 13:49 2005
ADDITION: [localhost.localdomain] /etc/ppp/s/200.63.pscan.139
Inode Permissons Size Created On
1114507 -rw-r--r-- 4347 Aug 09 13:11 2005
ADDITION: [localhost.localdomain] /etc/ppp/s/200.63.smb.out
Inode Permissons Size Created On
1114509 -rw-r--r-- 59 Aug 09 13:12 2005
ADDITION: [localhost.localdomain] /etc/ppp/s/201.14.pscan.139
Inode Permissons Size Created On
1114508 -rw-r--r-- 2899 Aug 09 13:29 2005
ADDITION: [localhost.localdomain] /etc/ppp/s/201.14.smb.out
Inode Permissons Size Created On
1114511 -rw-r--r-- 206 Aug 09 13:30 2005
ADDITION: [localhost.localdomain] /etc/ppp/s/201.30.pscan.139
....
ADDITION: [localhost.localdomain] /etc/ssh/core
Inode Permissons Size Created On
3277056 -rw------- 225280 Aug 10 07:42 2005
ADDITION: [localhost.localdomain] /etc/ssh/go.sh
Inode Permissons Size Created On
3277060 -rwxr-xr-x 85 Aug 10 07:42 2005
ADDITION: [localhost.localdomain] /etc/ssh/ss
Inode Permissons Size Created On
3277055 -rwxr-xr-x 462731 Aug 10 12:09 2005
ADDITION: [localhost.localdomain] /etc/ssh/sshf
Inode Permissons Size Created On
3277057 -rwxr-xr-x 848207 Aug 10 07:45 2005
ADDITION: [localhost.localdomain] /etc/ssh/uniq.txt
Inode Permissons Size Created On
3277059 -rw-r--r-- 29078 Aug 10 12:09 2005
ADDITION: [localhost.localdomain] /etc/ssh/vuln.txt
Inode Permissons Size Created On
3277061 -rw-r--r-- 1799 Aug 10 07:42 2005
DELETION: [localhost.localdomain] /etc/passwd.lock
Inode Permissons Size Created On
229444 -rw------- 6 Aug 09 02:23 2005
DELETION: [localhost.localdomain] /etc/shadow.lock
Inode Permissons Size Created On
229578 -rw------- 6 Aug 09 02:23 2005
DELETION: [localhost.localdomain] /etc/group.lock
Inode Permissons Size Created On
229583 -rw------- 6 Aug 09 02:23 2005
DELETION: [localhost.localdomain] /etc/gshadow.lock
Inode Permissons Size Created On
...
ROGRESS: validating integrity of /sbin
STATUS:
WARNING: [localhost.localdomain] /sbin/ifconfig
[Inodes: 671774 - 3637503, Sizes: 51672 - 31504, Times: Aug 02 05:52 2005 - Aug 09 10:11 2005]
WARNING: [localhost.localdomain] /sbin/init
[Inodes: 671865 - 671774, Sizes: 27036 - 28520, Times: Aug 02 05:53 2005 - Aug 09 10:11 2005]
WARNING: [localhost.localdomain] /sbin/syslogd
[Inodes: 671863 - 3637507, Sizes: 27424 - 26496, Times: Aug 02 05:53 2005 - Aug 09 10:11 2005]
WARNING: [localhost.localdomain] /sbin/telinit
[Inodes: 671865 - 671774, Sizes: 27036 - 28520, Times: Aug 02 05:53 2005 - Aug 09 10:11 2005]
ADDITION: [localhost.localdomain] /sbin/initpsybnc
Inode Permissons Size Created On
672014 -rwxr-xr-x 27036 Aug 09 09:50 2005
PROGRESS: validating integrity of /usr/sbin/
STATUS:
WARNING: [localhost.localdomain] /usr/sbin/lsof
[Inodes: 393306 - 3637498, Sizes: 95640 - 82628, Times: Aug 02 05:54 2005 - Aug 09 10:11 2005]
ADDITION: [localhost.localdomain] /usr/sbin/xntps
Inode Permissons Size Created On
393486 -rwxr-xr-x 97093 Aug 09 10:11 2005
All the RPMs were upgraded to the latest versions, and it's running httpd 2.0.54, PHP 5.0.4 and MySQL-4.0.18.
Below are the files and directories the hacker used. The files have been tampered with.
But the server was put in less than a month ago, so how can the shv4.tar.gz file have a creation date of
Mar 28? ㅡㅡ;;
It looks like the libraries were swapped out too. Hmm.. And the secure log isn't being written to
anymore.
drwxr-xr-x 2 503 503 4096 Mar 1 2003 cd
drwx---r-x 5 1005 users 4096 Aug 11 11:01 shv4
-rw-rw-rw- 1 root root 463900 Mar 28 16:30 shv4.tar.gz
[root@localhost shv4]# ls
bin bin.tgz conf conf.tgz lib lib.tgz setup
[root@localhost shv4]# ll bin
total 768
-rwxr-xr-x 1 mysql proftpd 39696 Nov 30 2000 dir
-rwxr-xr-x 1 mysql proftpd 14808 Dec 13 2000 encrypt
-rwxr-xr-x 1 mysql proftpd 59536 Nov 30 2000 find
-rwxr-xr-x 1 mysql proftpd 31504 Nov 30 2000 ifconfig
-rwxr-xr-x 1 mysql proftpd 13725 Jan 18 2001 login
-rwxr-xr-x 1 mysql proftpd 39696 Nov 30 2000 ls
-rwxr-xr-x 1 mysql proftpd 82628 Nov 30 2000 lsof
-rwxr-xr-x 1 mysql proftpd 31452 Dec 13 2000 md5sum
-rwxr-xr-x 1 mysql proftpd 54152 Nov 30 2000 netstat
-rwxr-xr-x 1 mysql proftpd 3216 Jan 14 2002 pg
-rwxr-xr-x 1 mysql proftpd 62920 Nov 30 2000 ps
-rwxr-xr-x 1 mysql proftpd 12340 Nov 30 2000 pstree
-rwxr-xr-x 1 mysql proftpd 23560 Nov 30 2000 slocate
-rwxr-xr-x 1 mysql proftpd 95383 Jan 22 2001 ssh-only.tgz
-rwxrwxr-x 1 mysql proftpd 97405 Jan 14 2002 ssh.tgz
-rwxr-xr-x 1 mysql proftpd 26496 Nov 30 2000 syslogd
-rwxr-xr-x 1 mysql proftpd 1382 Jul 25 2000 sz
-rwxr-xr-x 1 mysql proftpd 33992 Nov 30 2000 top
[root@localhost shv4]# ll conf
total 20
-rw-r--r-- 1 mysql proftpd 86 Jan 14 2002 file.h
-rw-r--r-- 1 mysql proftpd 57 Mar 27 2002 hosts.h
-rw-r--r-- 1 mysql proftpd 43 Jan 7 2002 lidps1.so
-rw-r--r-- 1 mysql proftpd 73 Jan 7 2002 log.h
-rw-r--r-- 1 mysql proftpd 89 Jan 7 2002 proc.h
[root@localhost shv4]# ll lib
total 76
-rwxr-xr-x 1 root root 33848 Sep 9 2000 libproc.a
lrwxrwxrwx 1 root root 16 Aug 11 11:01 libproc.so -> libproc.so.2.0.6
-rwxr-xr-x 1 root root 37984 Sep 9 2000 libproc.so.2.0.6
So.. how on earth can I find out how they got in?
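The cross-check a responder would do next, as an added example that is not part of the original post: parse the fcheck WARNING entries for the new sizes of the changed system binaries and match them against the sizes in the shv4 bin listing, so each overwritten binary is tied to the rootkit file that replaced it. The sample input is copied from the post's own output (trimmed), and the two regular expressions assume exactly the fcheck and ls -l line formats shown above.

```python
import re

# Sample input copied from the fcheck report and the "ll bin" listing in the post above,
# trimmed to a few entries so the example runs offline.
FCHECK_REPORT = """\
WARNING: [localhost.localdomain] /sbin/ifconfig
[Inodes: 671774 - 3637503, Sizes: 51672 - 31504, Times: Aug 02 05:52 2005 - Aug 09 10:11 2005]
WARNING: [localhost.localdomain] /sbin/init
[Inodes: 671865 - 671774, Sizes: 27036 - 28520, Times: Aug 02 05:53 2005 - Aug 09 10:11 2005]
WARNING: [localhost.localdomain] /sbin/syslogd
[Inodes: 671863 - 3637507, Sizes: 27424 - 26496, Times: Aug 02 05:53 2005 - Aug 09 10:11 2005]
WARNING: [localhost.localdomain] /usr/sbin/lsof
[Inodes: 393306 - 3637498, Sizes: 95640 - 82628, Times: Aug 02 05:54 2005 - Aug 09 10:11 2005]
"""

ROOTKIT_BIN_LISTING = """\
-rwxr-xr-x 1 mysql proftpd 31504 Nov 30 2000 ifconfig
-rwxr-xr-x 1 mysql proftpd 82628 Nov 30 2000 lsof
-rwxr-xr-x 1 mysql proftpd 54152 Nov 30 2000 netstat
-rwxr-xr-x 1 mysql proftpd 62920 Nov 30 2000 ps
-rwxr-xr-x 1 mysql proftpd 26496 Nov 30 2000 syslogd
"""

# WARNING header line followed by its "[Inodes: old - new, Sizes: old - new, ...]" line.
WARN_RE = re.compile(
    r"^WARNING: \[[^\]]+\] (\S+)\n\[Inodes: (\d+) - (\d+), Sizes: (\d+) - (\d+)", re.M)
# perms links owner group SIZE month day year NAME, as printed by "ls -l".
LS_RE = re.compile(r"^\S+\s+\d+\s+\S+\s+\S+\s+(\d+)\s+\S+\s+\d+\s+\S+\s+(\S+)$", re.M)

def parse_fcheck_warnings(report):
    """Return {path: (old_inode, new_inode, old_size, new_size)} per WARNING entry."""
    return {m.group(1): tuple(int(x) for x in m.groups()[1:])
            for m in WARN_RE.finditer(report)}

def parse_ls_sizes(listing):
    """Return {basename: size} from "ls -l" style lines."""
    return {m.group(2): int(m.group(1)) for m in LS_RE.finditer(listing)}

def match_replaced_binaries(report, listing):
    """Map each changed system binary to the rootkit file whose size equals its new size.
    A match (e.g. /sbin/ifconfig, now 31504 bytes, vs shv4/bin/ifconfig, 31504 bytes) is
    strong evidence the binary was overwritten; a changed file with no match needs a closer look."""
    rootkit_sizes = parse_ls_sizes(listing)
    hits = {}
    for path, (_, _, _, new_size) in parse_fcheck_warnings(report).items():
        name = path.rsplit("/", 1)[-1]
        if rootkit_sizes.get(name) == new_size:
            hits[path] = name
    return hits
```

On the post's data this ties /sbin/ifconfig, /sbin/syslogd and /usr/sbin/lsof to the shv4 copies, while /sbin/init changed without a size match and should be compared against the /sbin/initpsybnc addition and the package's own checksums instead.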