Got hit by some Chinese guy... please help
Posted by 김민주 (3,438 views)
Hope you're all holding up in this heat..
The thing is, I think I've been hacked.
By some Chinese guy.
Luckily the root account wasn't removed
and no important files were damaged,
but it bugs me, so I've been poking around all day.
These are the rpms that Chinese guy installed; please tell me what they are.
Below is the ./bash_history.
wget wget http://www.python.org/ftp/python/2.3.3/Python-2.3.3.tgz
tar xzf Python-2.3.3.tgz
ls
cd Python-2.3.3
ls
CFLAGS='-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64' OPT="-g -O2 $CFLAGS"
CFLAGS='-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64' OPT="-g -O2 $CFLAGS" ./configure
make && make install
cd ..
wget http://zope.org/Products/Zope/2.7.0/Zope-2.7.0.tgz
tar xvf Zope-2.7.0.tgz
tar zxvf Zope-2.7.0.tgz
cd Zope-2.7.0/
./configure --with-python=/usr/local/bin/python2.3 --prefix=/opt/Zope-2.7
make && make install
useradd zope
whereis useradd zope
/usr/sbin/useradd zope
cd /var
ls
mkdir /var/ZopeInstances/demo
ls -la
mkdir ZopeInstances/demo
su zope
/opt/Zope-2.7/bin/mkzopeinstance.py
cd /home2/kuin
;s
ls
bin/runzope
bin /runzope
whereis bin
/usr/local/bin/runzope
/usr/local/bin /runzope
whereis runzope
find / -name runzope
ls
ls -la
cd /home2/kuin/./README.txt
more /home2/kuin/./README.txt
/sbin/ifocnfig
/sbin/ifconfig
apt-get update
whereis apt-get
ps
ls
wget http://ftp.freshrpms.net/pub/freshrpms/redhat/8.0/apt/apt-0.5.5cnc6-fr0.rh80.1.i386.rpm
rpm -ivh apt-0.5.5cnc6-fr0.rh80.1.i386.rpm
uname -a
wget ftp://at.rpmfind.net/linux/redhat.com/dist/linux/updates/8.0/en/os/i386/glibc-2.3.2-4.80.8.i386.rpm
wget ftp://at.rpmfind.net/linux/redhat.com/dist/linux/updates/8.0/en/os/i686/glibc-2.3.2-4.80.8.i686.rpm
telnet localhost
ftp localhost
demsg
whereis demsg
demsg
find / demsg
find / -name demsg
uname -a
ls
wget http://ftp.freshrpms.net/pub/freshrpms/redhat/7.2/apt/apt-0.3.19cnc55-fr7.i386.rpm
rpm -ivh apt-0.3.19cnc55-fr7.i386.rpm
wget http://www.sh-linux.org/rpm-2003/RPMS/sh3/rpm-4.0.4-7x.18.2.sh3.rpm
rpm -ivh rpm-4.0.4-7x.18.2.sh3.rpm
wget http://www.sh-linux.org/rpm-2003/RPMS/sh3/popt-1.6.4-7x.18.2.sh3.rpm
rpm -ivh popt-1.6.4-7x.18.2.sh3.rpm
rpm -ivh rpm-4.0.4-7x.18.2.sh3.rpm
wget http://ftp.freshrpms.net/pub/freshrpms/redhat/7.1/apt/apt-0.5.4cnc9-fr0.1.rh71.i386.rpm
rpm -ivh apt-0.5.4cnc9-fr0.1.rh71.i386.rpm
wget ftp://linux.s390.org/pub/ThinkBlue64-7.1/RPMS/s390x/rpm-4.0.2-12.s390x.rpm
wget ftp://ftp.linuxforum.net/RPM/redhat/updates/6.2/en/os/i386/rpm-4.0.2-6x.i386.rpm
rpm -ivh rpm-4.0.2-6x.i386.rpm
ls
rm *.rpm
ls
wget http://ftp.freshrpms.net/pub/freshrpms/redhat/7.0/apt/apt-0.5.5cnc6-fr0.rh70.1.i386.rpm
rpm -ivh apt-0.5.5cnc6-fr0.rh70.1.i386.rpm
As for the damage: first, one account's directory was full of files; it's bulletin board software, a foreign one.
They had also created a db. When I checked, it was a bulletin board with all the content in Chinese,
so for now I deleted the db, the account it was created under, and its folder.
Changed the passwords for root and the login accounts.
It's a server running web, mail and db together,
and all of them are working normally.
Originally telnet was only reachable from my own machine,
and ssh was open, but I've now restricted that to my machine too.
Luckily it seems they came in while I was logged in,
so please take a look and give me some advice.
Below is the /var/log/message file; this was the part that looked strange.
Jul 1 16:22:18 woho 7월 1 16:22:18 su(pam_unix)[23884]: session closed for user root
Jul 1 16:23:35 woho named[12242]: lame server on 'incheon.go.kr' (in 'incheon.go.kr'?): 210.220.163.20#53
Jul 1 16:23:48 woho named[12242]: lame server on 'hmail.net' (in 'hmail.NET'?): 211.32.116.134#53
Jul 1 16:24:28 woho named[12242]: lame server on 'hanbox.com' (in 'hanbox.com'?): 211.216.50.150#53
Jul 1 16:24:55 woho login(pam_unix)[31465]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=root
Jul 1 16:24:57 woho login[31465]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
Jul 1 16:24:57 woho login(pam_unix)[31465]: bad username []
Jul 1 16:25:00 woho login[31465]: FAILED LOGIN 2 FROM (null) FOR , Authentication failure
Jul 1 16:25:07 woho login(pam_unix)[31465]: session opened for user root by LOGIN(uid=0)
Jul 1 16:25:07 woho -- root[31465]: ROOT LOGIN ON tty1--------------------------------------------------------> this part looked strange.. no ip either..
[root@woho root]# netstat -an | grep LISTEN
tcp 0 0 0.0.0.0:1025 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:48135 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4014 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 211.43.xxx.147:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
unix 2 [ ACC ] STREAM LISTENING 1275 /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 1262 /tmp/mysql.sock
[root@woho root]# lsof | grep LISTEN
I'm wondering about the thing running as nobody below..
If there are ports that should be blocked, do I just open the /etc/service file and block them there?
shell 426 nobody 4u IPv4 146067842 TCP *:1025 (LISTEN)
shell 426 nobody 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 431 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 432 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 433 root 16u IPv4 75764380 TCP *:http (LISTEN)
shell 434 nobody 4u IPv4 146067861 TCP *:48135 (LISTEN)
shell 434 nobody 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 440 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 441 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 442 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 443 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 444 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 445 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 446 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 447 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 448 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 449 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 450 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 451 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 452 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 453 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 454 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 455 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 456 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 457 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 458 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 459 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 460 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 461 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 462 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 463 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 464 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 465 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 466 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 467 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 468 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 469 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 470 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 473 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 474 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 475 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 476 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 477 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 479 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 480 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 481 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 482 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 483 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 484 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 485 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 486 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 487 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 488 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 489 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 490 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 491 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 492 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 493 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 494 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 495 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 496 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 497 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 498 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 499 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 500 root 16u IPv4 75764380 TCP *:http (LISTEN)
mysqld 656 root 3u IPv4 1260 TCP *:mysql (LISTEN)
mysqld 678 root 3u IPv4 1260 TCP *:mysql (LISTEN)
mysqld 679 root 3u IPv4 1260 TCP *:mysql (LISTEN)
sendmail 9977 root 4u IPv4 144951164 TCP *:smtp (LISTEN)
named 12239 root 11u IPv4 146821328 TCP localhost.localdomain:domain (LISTEN)
named 12239 root 13u IPv4 146821330 TCP woho.co.kr:domain (LISTEN)
named 12241 root 11u IPv4 146821328 TCP localhost.localdomain:domain (LISTEN)
named 12241 root 13u IPv4 146821330 TCP woho.co.kr:domain (LISTEN)
named 12242 root 11u IPv4 146821328 TCP localhost.localdomain:domain (LISTEN)
named 12242 root 13u IPv4 146821330 TCP woho.co.kr:domain (LISTEN)
named 12243 root 11u IPv4 146821328 TCP localhost.localdomain:domain (LISTEN)
named 12243 root 13u IPv4 146821330 TCP woho.co.kr:domain (LISTEN)
named 12244 root 11u IPv4 146821328 TCP localhost.localdomain:domain (LISTEN)
named 12244 root 13u IPv4 146821330 TCP woho.co.kr:domain (LISTEN)
shell 15617 nobody 4u IPv4 146067842 TCP *:1025 (LISTEN)
shell 15617 nobody 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 21324 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 21325 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 21326 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 21327 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 21328 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 21329 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 21330 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 21331 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 21332 root 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 21333 root 16u IPv4 75764380 TCP *:http (LISTEN)
merchant_ 29180 root 3u IPv4 82594189 TCP *:4014 (LISTEN)
shell 30420 nobody 4u IPv4 146067842 TCP *:1025 (LISTEN)
shell 30420 nobody 16u IPv4 75764380 TCP *:http (LISTEN)
shell 30879 nobody 4u IPv4 146067842 TCP *:1025 (LISTEN)
shell 30879 nobody 16u IPv4 75764380 TCP *:http (LISTEN)
xinetd 31635 root 3u IPv4 147583675 TCP *:pop3 (LISTEN)
xinetd 31635 root 4u IPv4 147583677 TCP *:ftp (LISTEN)
xinetd 31635 root 5u IPv4 147583678 TCP *:rsync (LISTEN)
xinetd 31635 root 7u IPv4 147583679 TCP *:telnet (LISTEN)
sshd 31674 root 3u IPv4 147583791 TCP *:ssh (LISTEN)
httpd 31933 root 16u IPv4 75764380 TCP *:http (LISTEN)
[root@woho root]#
[root@woho root]# find /dev -type f
/dev/MAKEDEV
[root@woho chkrootkit-0.34]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not infected
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not infected
Checking `killall'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.6.0/i386-linux/.packlist /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/mod_perl/.packlist /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/DCOP/.packlist
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'...
eth0 is not promisc
Checking `wted'... 1 deletion(s) between Thu Jul 1 17:22:59 2004 and Thu Jul 1 17:31:33 2004
nothing deleted
Checking `z2'... user root deleted or never loged from lastlog!
user admin deleted or never loged from lastlog!
Thanks for reading..
There's nothing wrong right now, but they might get back in,
so please help..
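One defender-side check for the question about the `shell` processes running as nobody, as an added example that is not code from the post: it parses rows in the shape of the lsof output above and flags a socket number held by processes with different command names (as `shell` and `httpd` both hold 75764380, i.e. a process that inherited httpd's listener but reports another name) and listeners on ports outside an expected set. The sample rows and the expected-port set are constructed for this example.

```python
"""Triage `lsof | grep LISTEN` rows (added example, not code from the post).
Flags (1) one socket number (lsof DEVICE column) held by processes with different
command names, e.g. `shell` and `httpd` both on 75764380: a child forked by httpd
that kept the inherited listener but reports another name; (2) listeners on ports
outside the host's expected set, above all ones owned by an account such as nobody.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the post's lsof output (representative rows only).
SAMPLE = """\
shell 426 nobody 4u IPv4 146067842 TCP *:1025 (LISTEN)
shell 426 nobody 16u IPv4 75764380 TCP *:http (LISTEN)
httpd 431 root 16u IPv4 75764380 TCP *:http (LISTEN)
shell 434 nobody 4u IPv4 146067861 TCP *:48135 (LISTEN)
mysqld 656 root 3u IPv4 1260 TCP *:mysql (LISTEN)
sshd 31674 root 3u IPv4 147583791 TCP *:ssh (LISTEN)
"""

# Services this host is expected to serve (an assumption for the example).
EXPECTED_PORTS = {"http", "mysql", "ssh", "smtp", "domain", "pop3", "ftp", "telnet", "rsync"}

LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+\S+\s+IPv[46]\s+(\d+)\s+TCP\s+(\S+):(\S+)\s+\(LISTEN\)$")

def parse(text):
    """Return one dict per LISTEN row: command, pid, user, socket number, port."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # rows that do not look like a TCP LISTEN entry are skipped
            cmd, pid, user, sock, _addr, port = m.groups()
            rows.append({"cmd": cmd, "pid": int(pid), "user": user, "sock": sock, "port": port})
    return rows

def triage(text):
    """Return findings as tuples; an empty list means nothing stood out."""
    rows = parse(text)
    findings = []
    by_sock = defaultdict(set)
    for r in rows:
        by_sock[r["sock"]].add(r["cmd"])
    for sock, cmds in sorted(by_sock.items()):
        if len(cmds) > 1:  # same listener, different process names
            findings.append(("shared_listener", sock, tuple(sorted(cmds))))
    for r in rows:
        if r["port"] not in EXPECTED_PORTS:
            findings.append(("unexpected_port", r["cmd"], r["pid"], r["user"], r["port"]))
    return findings
```

On the constructed sample, `triage(SAMPLE)` reports the shared *:http listener plus the two non-standard ports (1025 and 48135) held by `shell` as nobody, which is exactly the pair of facts worth inspecting on the live host with `ls -l /proc/<pid>/exe` and `/proc/<pid>/cmdline`.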