Q&A (Linux category)

I've been hacked. I deleted the files, but there must be an agent somewhere, because they keep coming back....

Posted by adaylily

First, this is part 2, continuing from the post below.

I deleted them, but this showed up again in the /tmp folder.

vi guidlist

/usr/libexec/utempter/utempter
/usr/sbin/sendmail.sendmail
/usr/sbin/lockdev
/usr/bin/wall
/usr/bin/write
/usr/bin/screen
/usr/bin/locate
/usr/bin/lockfile
/usr/bin/crontab
/usr/bin/ssh-agent
/usr/local/src/re2c-0.12.3/.deps
/sbin/netreport


[root@www .ICE-unix]# rpm -qf /usr/libexec/utempter/utempter
libutempter-1.1.4-4.el5
libutempter-1.1.4-4.el5
[root@www .ICE-unix]# rpm -qV libutempter-1.1.4-4.el5
[root@www .ICE-unix]# rpm -qf /usr/sbin/lockdev
lockdev-1.0.1-10
lockdev-1.0.1-10
[root@www .ICE-unix]# rpm -qV lockdev-1.0.1-10
prelink: /usr/sbin/lockdev: at least one of file's dependencies has changed since prelinking
S.?.....    /usr/sbin/lockdev

/usr/bin/lockfile
[root@www .ICE-unix]# rpm -qV mlocate-0.15-1.el5.2
[root@www .ICE-unix]# rpm -qf /usr/bin/lockfile
procmail-3.22-17.1.el5.centos
[root@www .ICE-unix]# rpm -qV procmail-3.22-17.1.el5.centos
prelink: /usr/bin/formail: at least one of file's dependencies has changed since prelinking
S.?.....    /usr/bin/formail
prelink: /usr/bin/lockfile: at least one of file's dependencies has changed since prelinking
S.?.....    /usr/bin/lockfile
prelink: /usr/bin/procmail: at least one of file's dependencies has changed since prelinking
S.?.....    /usr/bin/procmail

It keeps reporting "prelinking", but that server does not use procmail.



netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  
tcp        0      0 0.0.0.0:2049                0.0.0.0:*                   LISTEN      -                  
tcp        0      0 0.0.0.0:4003                0.0.0.0:*                   LISTEN      7590/rpc.rquotad   
tcp        0      0 0.0.0.0:646                 0.0.0.0:*                   LISTEN      7675/rpc.mountd    
tcp        0      0 0.0.0.0:873                 0.0.0.0:*                   LISTEN      2798/xinetd        
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      7570/portmap       
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      8056/vsftpd        
tcp        0      0 192.168.0.2:53              0.0.0.0:*                   LISTEN      2702/named         
tcp        0      0 211.234.100.120:53          0.0.0.0:*                   LISTEN      2702/named         
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      2702/named         
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      2817/sendmail: acce
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      2702/named         
tcp        0      0 0.0.0.0:60955               0.0.0.0:*                   LISTEN      -                  
tcp        0      0 :::80                       :::*                        LISTEN      8826/httpd         
tcp        0      0 :::24                       :::*                        LISTEN      2766/sshd          
tcp        0      0 :::443                      :::*                        LISTEN      8826/httpd         
udp        0      0 0.0.0.0:2049                0.0.0.0:*                               -                  
udp        0      0 0.0.0.0:643                 0.0.0.0:*                               7675/rpc.mountd    
udp        0      0 0.0.0.0:4003                0.0.0.0:*                               7590/rpc.rquotad   
udp        0      0 0.0.0.0:58666               0.0.0.0:*                               -                  
udp        0      0 192.168.0.2:53              0.0.0.0:*                               2702/named         
udp        0      0 211.234.100.120:53          0.0.0.0:*                               2702/named         
udp        0      0 127.0.0.1:53                0.0.0.0:*                               2702/named         
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               7570/portmap       
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     6692   2863/gam_server     @/tmp/fam-root-
unix  2      [ ACC ]     STREAM     LISTENING     744365 15097/0             /tmp/ssh-ifFPC15097/agent.15097

And I brought down all the related daemons, yet strangely an agent appeared again in the web server's root directory.

But somebody keeps getting in, maybe connecting over ftp...
They come in and keep running things...
I don't understand how they do it, or how they can run it at all, since a regular user has no permission for chmod.

ls
chmod 7777 1
ls -al
./1
dir
pwd
su
cd ~
pwd
exit
gcc
cd ..
ls
pwd
cd ..
ls
ls
cd chmod
ls
ls
touch
tocuh 1
vi 1.txt
ls
chmod 7777 1.txt
ls -al
vi 1
ls
chmod 7777 1
exit
ls
rm 1
rm 1.txt
chmod 7777 1
./1
w
exit
ftp localhost
exit

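An added example, not part of the post or any of the replies: a small Python helper that decodes the 8-character result column of the `rpm -V` output shown above and pairs it with the `prelink:` warnings, so that "size changed, MD5 not testable" on a binary prelink has relocated is kept apart from mode, owner, group or MD5 changes that prelink cannot account for. The sample input is the post's lockdev lines plus one constructed crontab line; `prelink -u` (undo) is the documented way to restore a binary before re-running `rpm -V`.

```python
import re

# rpm -V result column on rpm 4.4 (CentOS 5): S size, M mode, 5 md5, D device,
# L link, U user, G group, T mtime; '.' = test passed, '?' = test could not be run.
RPM_V_COLUMNS = ["size", "mode", "md5", "device", "link", "user", "group", "mtime"]
HARD_CHANGES = {"mode", "md5", "device", "link", "user", "group"}  # not explained by prelink
VERIFY_RE = re.compile(r"^([SM5DLUGT.?]{8})\s+(?:([cdglr])\s+)?(/\S+)$")
PRELINK_RE = re.compile(r"^prelink: (/\S+): (.*)$")

def decode_flags(flags):
    # Split an 8-char rpm -V flag string into (changed, untestable) attribute names
    changed, untestable = [], []
    for name, ch in zip(RPM_V_COLUMNS, flags):
        if ch == "?":
            untestable.append(name)
        elif ch != ".":
            changed.append(name)
    return changed, untestable

def verdict(changed, untestable, prelinked):
    if HARD_CHANGES & set(changed):
        return "suspicious"      # metadata or content change rpm cannot explain away
    if prelinked and set(changed) <= {"size", "mtime"} and set(untestable) <= {"md5"}:
        return "likely-prelink"  # re-verify after `prelink -u <file>`
    return "inspect"

def triage(rpm_output):
    # Decode each verified path; preceding 'prelink:' warnings mark relocated binaries
    prelinked, results = set(), {}
    for line in rpm_output.splitlines():
        m = PRELINK_RE.match(line.rstrip())
        if m:
            prelinked.add(m.group(1))
            continue
        m = VERIFY_RE.match(line.rstrip())
        if not m:
            continue
        flags, _ftype, path = m.groups()
        changed, untestable = decode_flags(flags)
        results[path] = {"changed": changed, "untestable": untestable,
                         "verdict": verdict(changed, untestable, path in prelinked)}
    return results

# Constructed sample: the post's lockdev lines plus one made-up crontab line
SAMPLE = """\
prelink: /usr/sbin/lockdev: at least one of file's dependencies has changed since prelinking
S.?.....    /usr/sbin/lockdev
SM5....T    /usr/bin/crontab
"""
```

A "likely-prelink" verdict only means the MD5 could not be checked; it is not a clean bill of health until the file is verified again with prelink undone.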
3 comments

Comment by 족구왕슛돌이
Try running a web shell scan..
in case your PHP has been infected...

Comment by adaylily
Rather than a commercial one, is there a web shell tool I can use for free? Do I need to get it from KISA?

Reply by 족구왕슛돌이
Yes, download it from KISA, install it, and run a scan..^^
Sorry I'm not much help..
