Posted: 02-09-19 13:26
[Urgent Notice] How to check for Linux Slapper Worm infection
Author: Administrator
Views: 5,587

Hello.
This is SuperUser Korea. Once again we are posting an urgent notice.
It covers downloading and installing the tool (arirang) used to check whether a host is affected by the Linux Slapper Worm.

Subject: How to check for Linux Slapper Worm infection

1. Download the check tool (arirang).

   File to download: arirang-1.6other.tar.gz

   - http://ftp.superuser.co.kr/pub/security/arirang/
   - http://monkey.org/~pilot/arirang/

   Either of the two locations will do.

2. Copy the downloaded tool to the server and compile it.

    No configure step is needed; just run "make".

    Below is an example of an actual installation.

[root@www userid]# tar xvfpz arirang-1.6other.tar.gz    <- extract the archive
arirang-1.6other
arirang-1.6other/scanrule
arirang-1.6other/scanrule/against-snort.uxe
arirang-1.6other/scanrule/all.uxe
arirang-1.6other/scanrule/bof_dos.uxe
arirang-1.6other/scanrule/cfusion.uxe
arirang-1.6other/scanrule/codered.uxe
arirang-1.6other/scanrule/idstest.uxe
arirang-1.6other/scanrule/iis.uxe
arirang-1.6other/scanrule/iiscgi.uxe
arirang-1.6other/scanrule/inject.uxe
arirang-1.6other/scanrule/nes.uxe
arirang-1.6other/scanrule/nt.uxe
arirang-1.6other/scanrule/nt_head.uxe
arirang-1.6other/scanrule/rule.uxe
arirang-1.6other/scanrule/server.uxe
arirang-1.6other/scanrule/unix.uxe
arirang-1.6other/scanrule/unix_bin.uxe
arirang-1.6other/scanrule/unix_cgi.uxe
arirang-1.6other/scanrule/unix_head.uxe
arirang-1.6other/scanrule/apache.uxe
arirang-1.6other/scanrule/frontpage2k.uxe
arirang-1.6other/scanrule/nimda.uxe
arirang-1.6other/scanrule/network.uxe
arirang-1.6other/scanrule/ncbook.uxe
arirang-1.6other/screen.c
arirang-1.6other/version.h
arirang-1.6other/osfinger.c
arirang-1.6other/rule.c
arirang-1.6other/grabhead.c
arirang-1.6other/Makefile
arirang-1.6other/arirang.h
arirang-1.6other/TODO
arirang-1.6other/arirang.c
arirang-1.6other/README
arirang-1.6other/sample_scanhosts
arirang-1.6other/BUGS

[root@www userid]# cd arirang-1.6other
[root@www arirang-1.6other]# ls -l
total 80
-rw-------    1 1190     users        6145 Jul 21 21:26 arirang.c
-rw-------    1 1190     users        1384 Jul 21 20:54 arirang.h
-rw-------    1 1190     users         156 May 26  2001 BUGS
-rw-------    1 1190     users        5167 Jul 21 21:00 grabhead.c
-rw-------    1 1190     users         285 Jul 21 15:53 Makefile
-rw-------    1 1190     users        3036 Jul 21 15:49 osfinger.c
-rw-------    1 1190     users        1533 Jul 21 21:36 README
-rw-------    1 1190     users       17009 Jul 21 21:39 rule.c
-rw-------    1 1190     users        3493 May 26  2001 sample_scanhosts
drwx------    2 1190     users        4096 Jul 21 15:14 scanrule
-rw-------    1 1190     users        4379 Jul 21 15:50 screen.c
-rw-------    1 1190     users          97 Jul 21 20:57 TODO
-rw-------    1 1190     users         105 Jul 21 21:01 version.h

[root@www arirang-1.6other]# make        <- compile
cc -Wall -pedantic -c arirang.c
cc -Wall -pedantic -c grabhead.c
cc -Wall -pedantic -c osfinger.c
cc -Wall -pedantic -c rule.c
rule.c: In function `scanrule':
rule.c:117: warning: comparison between pointer and integer
rule.c: In function `scanruleP':
rule.c:312: warning: comparison between pointer and integer
rule.c: In function `scanruleWP':
rule.c:575: warning: comparison between pointer and integer
cc -Wall -pedantic -c screen.c
screen.c: In function `usage':
screen.c:81: warning: string length `2193' is greater than the minimum length `509' ISO C89 is required to support
cc -Wall -pedantic -o arirang arirang.o grabhead.o osfinger.o rule.o screen.o
[root@www arirang-1.6other]#
[root@www arirang-1.6other]#
[root@www arirang-1.6other]# ls -l
total 156
-rwxr-xr-x    1 root     root        35453 Sep 19 10:42 arirang   <- the generated executable
-rw-------    1 1190     users        6145 Jul 21 21:26 arirang.c
-rw-------    1 1190     users        1384 Jul 21 20:54 arirang.h
-rw-r--r--    1 root     root         5584 Sep 19 10:42 arirang.o
-rw-------    1 1190     users         156 May 26  2001 BUGS
-rw-------    1 1190     users        5167 Jul 21 21:00 grabhead.c
-rw-r--r--    1 root     root         4332 Sep 19 10:42 grabhead.o
-rw-------    1 1190     users         285 Jul 21 15:53 Makefile
-rw-------    1 1190     users        3036 Jul 21 15:49 osfinger.c
-rw-r--r--    1 root     root         2480 Sep 19 10:42 osfinger.o
-rw-------    1 1190     users        1533 Jul 21 21:36 README
-rw-------    1 1190     users       17009 Jul 21 21:39 rule.c
-rw-r--r--    1 root     root        12424 Sep 19 10:42 rule.o
-rw-------    1 1190     users        3493 May 26  2001 sample_scanhosts
drwx------    2 1190     users        4096 Jul 21 15:14 scanrule
-rw-------    1 1190     users        4379 Jul 21 15:50 screen.c
-rw-r--r--    1 root     root         3664 Sep 19 10:42 screen.o
-rw-------    1 1190     users          97 Jul 21 20:57 TODO
-rw-------    1 1190     users         105 Jul 21 21:01 version.h
[root@www arirang-1.6other]#

3. Vulnerability check and usage

   For the check, use the arirang binary produced by the compilation above.

Check example 1) Check a host by IP address

[root@www arirang-1.6other]# ./arirang -O -h 192.168.0.100 | grep OpenSSL
unable to retrieve OS type

Check example 2) Check a host by domain name

[root@www arirang-1.6other]# ./arirang -O -h www.testserver.co.kr | grep OpenSSL
[root@www arirang-1.6other]#

Check example 3) A vulnerable host is found (1)

[root@www arirang-1.6other]# ./arirang -O -h testserver.co.kr | grep OpenSSL
Operating System Guess: testserver.co.kr running Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01/ on Linux
[root@www arirang-1.6other]#
[root@www arirang-1.6other]#

Check example 4) A vulnerable host is found (2)

[root@www arirang-1.6other]# ./arirang -O -h 192.168.0.100 | grep OpenSSL
Operating System Guess: 192.168.0.100 running Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01/ on Linux


Check example 5) Check an IP range
[root@www arirang-1.6other]#
[root@www arirang-1.6other]# ./arirang -G -s 192.168.0.1 -e 192.168.0.255 | grep OpenSSL
192.168.0.55 Server: Apache/1.3.20 (Unix)(Red-Hat/Linux)mod_ssl/2.8.4 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
192.168.0.220 Server: Apache/1.3.14 (Unix)(Red-Hat/Linux)mod_ssl/2.7.1 OpenSSL/0.9.5a DAV/1.0.1 PHP/4.0.3pl1 mod_perl/1.24

Here the address after -s is the first IP of the range to check and the address after -e is the last IP of the range.
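The checks above all come down to reading the OpenSSL version out of the banner arirang prints. As an added example (not part of this post and not arirang's own code), the Python script below takes lines in the two output formats shown above and flags hosts whose OpenSSL banner predates 0.9.6e, the release that fixed the SSLv2 handshake overflow the Slapper worm exploits (OpenSSL advisory, 30 July 2002). The sample lines are constructed from the output shown in this post; the 192.168.0.77 and 192.168.0.80 entries are invented to show a patched host and a host with no OpenSSL banner.

```python
import re

# Constructed sample of arirang output: the "host Server: ..." form printed by
# "arirang -G" and the "Operating System Guess: host running ..." form printed
# by "arirang -O". The last three lines are invented for the example.
SAMPLE_OUTPUT = """\
192.168.0.55 Server: Apache/1.3.20 (Unix)(Red-Hat/Linux)mod_ssl/2.8.4 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
192.168.0.220 Server: Apache/1.3.14 (Unix)(Red-Hat/Linux)mod_ssl/2.7.1 OpenSSL/0.9.5a DAV/1.0.1 PHP/4.0.3pl1 mod_perl/1.24
Operating System Guess: testserver.co.kr running Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01/ on Linux
192.168.0.77 Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g
192.168.0.80 Server: Apache/1.3.26 (Unix)
unable to retrieve OS type
"""

# Slapper exploits the SSLv2 handshake overflow fixed in OpenSSL 0.9.6e
# (OpenSSL security advisory, 30 July 2002); anything older is flagged.
FIXED_VERSION = "0.9.6e"

BANNER_RE = re.compile(r"^(?:Operating System Guess: )?(\S+) (?:Server:|running) ")
OPENSSL_RE = re.compile(r"OpenSSL/(\d+(?:\.\d+)*)([a-z]*)")


def version_key(version):
    """'0.9.6d' -> ((0, 9, 6), 'd'); the bare '0.9.6' sorts below '0.9.6a'."""
    nums, letters = OPENSSL_RE.match("OpenSSL/" + version).groups()
    return tuple(int(n) for n in nums.split(".")), letters


def classify(line):
    """Return (host, openssl_version, status) for one line of arirang output."""
    banner = BANNER_RE.match(line.strip())
    if not banner:
        return None, None, "no-response"        # e.g. "unable to retrieve OS type"
    host = banner.group(1)
    ssl = OPENSSL_RE.search(line)
    if not ssl:
        return host, None, "no-openssl-banner"  # no mod_ssl, or banner hidden
    version = ssl.group(1) + ssl.group(2)
    if version_key(version) < version_key(FIXED_VERSION):
        return host, version, "vulnerable"
    return host, version, "patched"


def triage(output):
    """Classify every non-empty line; returns a list of (host, version, status)."""
    return [classify(line) for line in output.splitlines() if line.strip()]


if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_OUTPUT):
        print(f"{status:18} {host or '-':20} {version or '-'}")
```

This is a banner check only: vendor packages that backported the fix (Red Hat's 0.9.6b errata builds, for example) still announce the old version, so treat "vulnerable" as "verify the installed package" rather than proof, and a missing banner says nothing about whether mod_ssl is present.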

4. Reference: arirang options

Don't tell your webserver free from attack    arirang 1.6 for Linux 2.4.7-10 (i686)
(c) 2001-2002 by pilot, Release 2002/07/21    powered by twwwscan

usage        : arirang [-GO] [-p] [-hfs] [-e] [-r] [-v] [-P]
<finger>     : -O  check the web server's operating system and related details
               -G  check the server through its HTTP header
<port>       : -p  port to check on the server
<scan type>  : -h  check a single host
             : -f  scan hosts list file
             : -s  start IP when scanning a network range
             : -e  end IP when scanning a network range
<scan rule>  : -r  scan using a rule database (.uxe)
<virtual>    : -v  check a virtual host
<process>    : -P  max process count(default file,wide 30,normal 0)
<examples>                                                                 
grab server  : arirang -G -h drill.hackerslab.org                          
os detect    : arirang -O -h 203.239.110.20                                
server port  : arirang -G -p 8080 -h yourhost                              
virtual      : arirang -G -h virtual_host -r test.uxe -v                   
scan hosts   : arirang -G -f scanlist_file                                 
wide         : arirang -G -s 192.168.1.1 -e 192.168.2.255                  
scan rule    : arirang -O -h drill.hackerslab.org -r unix.uxe              
fast scan    : arirang -G -h drill.hackerslab.org -r unix.uxe -P 20        
             : arirang -G -f scanlist_file -r unicode.uxe -P 10            
             : arirang -G -s 192.168.1.1 -e 192.168.2.255 -r unix.uxe    
             : arirang -G -s 192.168.1.1 -e 192.168.1.255 -r codered.uxe -P 60


5. Author and copyright information

contact      : pilot@monkey.org    http://www.monkey.org/~pilot          
thanks to r0ar,a_a_a,apl,BK,chute,parasol,bitrider,chaeso,*^^*,            
Dug Song(monkey.org),UNYUN(Shadow Penguin Security),Roelof(www.sensepost.com)
David(A.K.A AnOnYmUs),friends(dhartmei,fgsch,ActivatE,obecian,jeremie,Lupines)
#openbsd(efnet)'s friends) and contributors.

We hope this has been helpful to those who needed it urgently....
Thank you.

