Q&A (Linux)

I received an email about hacking attempts from a server I operate; what does it mean?

Posted by 김태환

******

This report from RealConnect,Inc. is advisory -- THERE IS NO NEED TO REPLY.
However, if you do not take appropriate measures promptly, your network(s)
will be blacklisted by RealConnect, Inc.

Replies to this email are assumed to be autoresponses.

If you believe you have received this complaint in error, please email:
incident.inquiry@realconnect.com

******

SUSPECT IP: 61.111.8.251 (61-111-8-251.kidc.net)

This host, apparently from your network, probed port udp/5060 (SIP)
on the IPs listed below, within the past 24 hours.

Since the scan targeted random IPs on our networks, it should be viewed
as an overtly hostile action.

All timestamps are EDT.

2010-09-04 17:52:39: access denied udp 61.111.8.251(5064) -> 66.63.42.24(5060)
2010-09-04 17:50:57: access denied udp 61.111.8.251(5064) -> 66.63.34.9(5060)
2010-09-04 17:46:34: access denied udp 61.111.8.251(5064) -> 66.63.42.110(5060)
2010-09-04 17:45:42: access denied udp 61.111.8.251(5064) -> 66.63.11.218(5060)
2010-09-04 17:45:17: access denied udp 61.111.8.251(5064) -> 66.63.11.136(5060)
2010-09-04 17:44:57: access denied udp 61.111.8.251(5064) -> 66.63.9.116(5060)
2010-09-04 17:41:00: access denied udp 61.111.8.251(5064) -> 66.63.11.213(5060)
2010-09-04 17:38:42: access denied udp 61.111.8.251(5064) -> 66.63.46.92(5060)
2010-09-04 17:34:22: access denied udp 61.111.8.251(5064) -> 66.63.42.57(5060)
2010-09-04 17:21:25: access denied udp 61.111.8.251(5064) -> 66.63.58.50(5060)
2010-09-04 16:47:53: access denied udp 61.111.8.251(5064) -> 66.63.47.27(5060)
2010-09-04 16:37:33: access denied udp 61.111.8.251(5064) -> 66.63.9.31(5060)
2010-09-04 16:17:08: access denied udp 61.111.8.251(5064) -> 66.63.42.115(5060)
2010-09-04 16:03:42: access denied udp 61.111.8.251(5064) -> 66.63.34.205(5060)
2010-09-04 15:55:08: access denied udp 61.111.8.251(5064) -> 66.63.63.22(5060)
2010-09-04 15:44:10: access denied udp 61.111.8.251(5064) -> 66.63.62.103(5060)
2010-09-04 15:36:31: access denied udp 61.111.8.251(5064) -> 66.63.47.22(5060)
2010-09-04 15:33:06: access denied udp 61.111.8.251(5064) -> 66.63.11.149(5060)
2010-09-04 15:28:33: access denied udp 61.111.8.251(5064) -> 66.63.42.0(5060)
2010-09-04 15:24:53: access denied udp 61.111.8.251(5064) -> 66.63.62.115(5060)
2010-09-04 15:20:06: access denied udp 61.111.8.251(5064) -> 66.63.10.98(5060)
2010-09-04 14:58:25: access denied udp 61.111.8.251(5064) -> 66.63.11.205(5060)
2010-09-04 14:54:09: access denied udp 61.111.8.251(5064) -> 66.63.47.247(5060)
2010-09-04 14:50:52: access denied udp 61.111.8.251(5064) -> 66.63.34.39(5060)
2010-09-04 14:50:31: access denied udp 61.111.8.251(5064) -> 66.63.56.131(5060)
2010-09-04 14:50:01: access denied udp 61.111.8.251(5064) -> 66.63.34.198(5060)
2010-09-04 14:44:46: access denied udp 61.111.8.251(5064) -> 66.63.56.104(5060)
2010-09-04 14:43:44: access denied udp 61.111.8.251(5064) -> 66.63.46.88(5060)
2010-09-04 14:34:48: access denied udp 61.111.8.251(5064) -> 66.63.33.131(5060)
2010-09-04 14:28:22: access denied udp 61.111.8.251(5064) -> 66.63.56.217(5060)
2010-09-04 14:26:15: access denied udp 61.111.8.251(5064) -> 66.63.58.59(5060)
2010-09-04 14:22:10: access denied udp 61.111.8.251(5064) -> 66.63.10.10(5060)
2010-09-04 14:21:27: access denied udp 61.111.8.251(5064) -> 66.63.32.197(5060)
2010-09-04 14:11:17: access denied udp 61.111.8.251(5064) -> 66.63.9.27(5060)
2010-09-04 14:09:20: access denied udp 61.111.8.251(5064) -> 66.63.58.39(5060)
2010-09-04 14:09:10: access denied udp 61.111.8.251(5064) -> 66.63.33.219(5060)
2010-09-04 14:07:00: access denied udp 61.111.8.251(5064) -> 66.63.33.110(5060)
2010-09-04 14:05:17: access denied udp 61.111.8.251(5064) -> 66.63.33.246(5060)
2010-09-04 14:01:01: access denied udp 61.111.8.251(5064) -> 66.63.63.11(5060)
2010-09-04 13:54:10: access denied udp 61.111.8.251(5064) -> 66.63.34.194(5060)
2010-09-04 13:50:07: access denied udp 61.111.8.251(5064) -> 66.63.42.14(5060)
2010-09-04 13:46:13: access denied udp 61.111.8.251(5064) -> 66.63.58.48(5060)
2010-09-04 13:43:02: access denied udp 61.111.8.251(5064) -> 66.63.63.9(5060)
2010-09-04 13:36:38: access denied udp 61.111.8.251(5064) -> 66.63.46.84(5060)
2010-09-04 13:35:23: access denied udp 61.111.8.251(5064) -> 66.63.11.135(5060)
2010-09-04 13:33:39: access denied udp 61.111.8.251(5064) -> 66.63.34.15(5060)
2010-09-04 13:31:21: access denied udp 61.111.8.251(5064) -> 66.63.42.47(5060)
2010-09-04 13:27:53: access denied udp 61.111.8.251(5064) -> 66.63.63.6(5060)
2010-09-04 13:24:56: access denied udp 61.111.8.251(5064) -> 66.63.11.198(5060)
2010-09-04 13:20:53: access denied udp 61.111.8.251(5064) -> 66.63.42.31(5060)


1 comment

Comment by 마성민
I suspect UDP flooding packets went out from the server you are using to the server at IP 66.63.42.31.
Connect to the server over SSH or Telnet and check whether any abnormal process is running among the processes. Alternatively, use netstat to check whether any process is using port 5064.

If the attacking daemon's name has not been changed it is easy to find, but sometimes the process name is disguised as httpd, so check carefully and then kill it.

Of course, before killing the attack daemon, at least do a quick ls -al /proc/PID to see where the daemon is located, delete the daemon, and then find and fix the vulnerability in the path the daemon was uploaded through or in the source files.
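The triage steps in the comment above (find the process that owns udp/5064, look in /proc/PID to see which binary it really is, and be wary of a process that calls itself httpd), turned into a script. This is an added example, not code from the original post or from the commenter; it assumes a Linux host with /proc and either ss or netstat, and the netstat/ss lines inside demo() are constructed to exercise the parser, not captured from the reported host.

```shell
#!/bin/sh
# Triage helper for an abuse report about outbound SIP probes (udp/5064 -> udp/5060).
# Added example, not from the original post. Assumes Linux with /proc and ss or netstat.
# Run as root on the suspect host:  sh sip_triage.sh [local-udp-port]

PORT="${1:-5064}"

# Read `ss -unap` or `netstat -unap` output on stdin and print the PIDs that own a
# socket bound to the given local UDP port (one per line, may repeat).
pids_on_udp_port() {
    awk -v port="$1" '
    {
        # the first field containing ":" is the local address in both layouts
        local_addr = ""
        for (i = 1; i <= NF; i++) if (index($i, ":")) { local_addr = $i; break }
        if (local_addr == "") next
        n = split(local_addr, a, ":")
        if (a[n] != port) next
        if (match($0, /pid=[0-9]+/))            # ss: users:(("name",pid=1234,fd=3))
            print substr($0, RSTART + 4, RLENGTH - 4)
        else if (match($NF, /^[0-9]+\//)) {     # netstat: 1234/name
            split($NF, b, "/"); print b[1]
        }
    }'
}

# Returns 0 when the process name does not match the binary it actually runs
# (comm "httpd" but exe /tmp/.x/sipscan, or a binary unlinked after start).
# The kernel truncates comm to 15 characters, so compare on that prefix.
looks_disguised() {
    comm="$1"; exe="$2"
    case "$exe" in *" (deleted)") return 0 ;; esac
    exe_base="${exe##*/}"
    [ "$(printf '%.15s' "$exe_base")" != "$comm" ]
}

# Record where a PID lives before anyone kills it: binary, cwd, full command line.
inspect_pid() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "pid $pid: no longer running"; return 1; }
    comm=$(cat "/proc/$pid/comm")
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "")
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo "?")
    printf 'pid %s comm=%s exe=%s cwd=%s\n' "$pid" "$comm" "${exe:-<unreadable, run as root>}" "$cwd"
    printf '  cmdline: '; tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null; echo
    if [ -n "$exe" ] && looks_disguised "$comm" "$exe"; then
        echo '  !! name does not match binary (or binary deleted): copy it before killing'
    fi
}

# Constructed sample covering both output layouts; not captured from a real host.
demo() {
    sample='udp   0  0 0.0.0.0:5064   0.0.0.0:*    1234/httpd
udp   0  0 0.0.0.0:5060   0.0.0.0:*    999/asterisk
UNCONN 0 0 0.0.0.0:5064 0.0.0.0:* users:(("sipscan",pid=4321,fd=3))'
    printf '%s\n' "$sample" | pids_on_udp_port 5064 | sort -n | tr '\n' ' ' | sed 's/ *$//'
}

main() {
    if command -v ss >/dev/null 2>&1; then
        out=$(ss -unap 2>/dev/null) || out=""
    else
        out=$(netstat -unap 2>/dev/null) || out=""
    fi
    pids=$(printf '%s\n' "$out" | pids_on_udp_port "$PORT" | sort -u)
    if [ -z "$pids" ]; then
        echo "no process currently bound to udp/$PORT (a scanner may only bind while running; retry or watch outbound udp/5060 with tcpdump)"
        return 0
    fi
    for p in $pids; do inspect_pid "$p" || true; done
}

main "$@"
```

A comm/exe mismatch is only a flag for manual review: interpreters and symlinked binaries legitimately show a different comm from the resolved exe, while a scanner that renamed itself httpd or deleted its own file after starting will be caught. Copy /proc/PID/exe somewhere safe before killing the process, because the binary is the evidence you need to find how it got onto the host.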
