해킹당한 서버 분석 및 조치..(어떤 해킹인지??)
작성자 정보
- 씨큐 작성
- 작성일
고객 서버 중 한 대가 해킹을 당해 나름대로 분석해 보았습니다.
그러나 어떤 해킹인지, 어느 취약점을 통해 들어왔는지가 궁금하네요.
어떤 방법으로 알 수 있는지 부탁드립니다.
[root@bmtown root]# cat /etc/redhat-release
Red Hat Linux release 9 (Shrike)
[root@bmtown root]# uname -a
Linux bmtown 2.4.20-8smp #1 SMP Thu Mar 13 17:45:54 EST 2003 i686 i686 i386 GNU/Linux
[root@bmtown root]#
[root@bmtown root]# pstree
init-+-24*[(swapd] <= 비정상 프로세스
|-anacron
|-atd
|-bdflush
|-crond
|-httpd---12*[httpd]
|-keventd
|-khubd
|-2*[kjournald]
|-klogd
|-kscand/DMA
|-kscand/HighMem
|-kscand/Normal
|-ksoftirqd_CPU0
|-ksoftirqd_CPU1
|-ksoftirqd_CPU2
|-ksoftirqd_CPU3
|-kswapd
|-kupdated
|-login---bash
|-mdrecoveryd
|-named
|-proftpd
|-safe_mysqld---mysqld
|-smbd40-D---smbd40-D---bash---httpd---brute---101*[brute] <= 비정상 프로세스
|-sshd---sshd-+-bash---pstree
| |-bash
| `-sftp-server
|-syslogd
`-xinetd
[root@bmtown log]#
[root@bmtown root]# ps -aux
USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
daemon 2045 0.0 0.0 1412 532 ? S 13:19 0:00 [atd]
mysql 2087 0.0 0.4 266796 4760 ? S 13:19 0:00 [mysqld]
named 1935 0.0 0.2 55288 2816 ? S 13:19 0:00 [named]
nobody 2003 0.0 0.1 2200 1108 ? S 13:19 0:00 [proftpd]
nobody 2092 0.0 0.5 10024 5460 ? S 13:19 0:00 [httpd]
...
...
root 2091 0.0 0.0 2260 980 ? S 13:19 0:00 login -- root
root 2102 0.0 0.1 4312 1408 1 S 13:19 0:00 -bash
root 2173 0.0 0.1 4300 1400 ? S 13:22 0:00 -bash
root 2296 0.0 0.2 6784 2072 ? S 13:30 0:00 /usr/sbin/sshd
root 2297 0.0 0.1 4116 1048 ? S 13:30 0:00 /bin/bash ./httpd 203
root 2306 0.0 0.1 4532 1452 ? S 13:30 0:00 -bash
root 2348 0.0 0.0 4620 736 1 S 13:30 0:00 top
root 2618 0.0 0.0 868 188 ? S 13:42 0:00 ./brute 100
root 2621 0.1 0.0 888 556 ? S 13:42 0:00 ./brute 100
root 2624 0.2 0.0 892 516 ? S 13:42 0:00 ./brute 100
root 2625 0.2 0.0 892 516 ? S 13:42 0:00 ./brute 100
root 2626 0.2 0.0 892 516 ? S 13:42 0:00 ./brute 100
root 2627 0.2 0.0 892 516 ? S 13:42 0:00 ./brute 100
root 2628 0.2 0.0 892 516 ? S 13:42 0:00 ./brute 100
root 2629 0.3 0.0 892 516 ? S 13:42 0:00 ./brute 100
root 2630 0.2 0.0 892 516 ? S 13:42 0:00 ./brute 100
root 2631 0.2 0.0 892 516 ? S 13:42 0:00 ./brute 100
root 2381 0.0 0.0 1464 600 ? R 13:31 0:00 ps -aux
[root@bmtown root]#
[root@bmtown root]# netstat -nlp <= 비정상 (명령어 변조됨)
netstat: invalid option -- l
usage: netstat [-veenNcCF] [] -r netstat {-V|--version|-h|--help}
netstat [-vnNcaeo] []
netstat { [-veenNac] -i | [-vnNc] -L | [-cnNe] -M }
-r, --route display routing table
-L, --netlink display netlink kernel messages
-i, --interfaces display interface table
-M, --masquerade display masqueraded connections
-v, --verbose be verbose
-n, --numeric dont resolve names
-e, --extend display other/more informations
-c, --continuous continuous listing
-a, --all, --listening display all
-o, --timers display timers
={-t|--tcp} {-u|--udp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom
= -A {inet|ipx|netrom|ddp|ax25},... --inet --ipx --netrom --ddp --ax25
[root@bmtown root]#
[root@bmtown log]# find / -name brute
/tmp/.b/brute
[root@bmtown tmp]# cd /tmp/
[root@bmtown tmp]# ls -al
total 338088
drwxrwxrwt 4 root root 4096 Jun 17 13:32 .
drwxr-xr-x 20 root root 4096 Jun 17 13:19 ..
drwxr-xr-x 2 706 700 4096 Jun 17 13:30 .b <= 비정상
srwxrwxrwx 1 mysql mysql 0 Jun 17 13:19 mysql.sock
drwxr-xr-x 3 root root 4096 May 20 00:26 screens <= 비정상(??)
[root@bmtown tmp]#
[root@bmtown tmp]# vi /var/log/secure
Jun 14 02:51:13 bmtown sshd[21040]: Illegal user guest from 67.109.58.118 <= 불법 접근
Jun 14 02:51:15 bmtown sshd[21046]: Illegal user admin from 67.109.58.118
Jun 14 02:51:17 bmtown sshd[21050]: Illegal user admin from 67.109.58.118
Jun 14 02:51:21 bmtown sshd[21056]: Illegal user user from 67.109.58.118
Jun 14 02:51:27 bmtown sshd[21070]: Failed password for root from 67.109.58.118 port 51982 ssh2
Jun 14 02:51:33 bmtown sshd[21088]: Failed password for root from 67.109.58.118 port 52258 ssh2
Jun 14 02:51:41 bmtown sshd[21097]: Failed password for root from 67.109.58.118 port 52451 ssh2
Jun 14 02:51:46 bmtown sshd[21123]: Failed password for test from 67.109.58.118 port 52736 ssh2
Jun 14 02:51:52 bmtown sshd[21136]: Failed password for test from 67.109.58.118 port 52887 ssh2
Jun 14 02:51:57 bmtown sshd[21154]: Failed password for test from 67.109.58.118 port 53078 ssh2
Jun 14 02:52:02 bmtown sshd[21167]: Failed password for test from 67.109.58.118 port 53206 ssh2
Jun 14 02:52:07 bmtown sshd[21176]: Failed password for root from 67.109.58.118 port 53320 ssh2
Jun 14 02:52:12 bmtown sshd[21180]: Failed password for root from 67.109.58.118 port 53419 ssh2
Jun 14 02:52:22 bmtown sshd[21186]: Failed password for root from 67.109.58.118 port 53505 ssh2
Jun 14 13:48:56 bmtown sshd[11280]: Did not receive identification string from 81.73.219.61
Jun 14 13:58:14 bmtown sshd[13476]: Illegal user ftpuser from 81.73.219.61
Jun 14 13:58:19 bmtown sshd[13498]: Illegal user oracle from 81.73.219.61
Jun 14 13:58:24 bmtown sshd[13515]: Illegal user guest from 81.73.219.61
Jun 14 13:58:33 bmtown sshd[13537]: Failed password for test from 81.73.219.61 port 51963 ssh2
Jun 14 13:58:38 bmtown sshd[13569]: Illegal user admin from 81.73.219.61
Jun 14 13:58:42 bmtown sshd[13590]: Illegal user ftp from 81.73.219.61
....
Jun 17 12:37:41 bmtown sshd[12632]: Failed password for test from 221.209.246.132 port 44063 ssh2
Jun 17 12:37:48 bmtown sshd[12635]: Illegal user guest from 221.209.246.132
Jun 17 12:37:56 bmtown sshd[12637]: Illegal user admin from 221.209.246.132
Jun 17 12:38:03 bmtown sshd[12639]: Illegal user admin from 221.209.246.132
Jun 17 12:38:11 bmtown sshd[12641]: Illegal user user from 221.209.246.132
...
[root@bmtown log]# last
root pts/3 211.224.xxx.xxx Fri Jun 17 13:40 still logged in
root pts/2 211.224.xxx.xxx Fri Jun 17 13:30 still logged in
root tty1 Fri Jun 17 13:19 still logged in
reboot system boot 2.4.20-8smp Fri Jun 17 13:18 (00:25)
master ftpd17970 211.248.246.157 Sun Jun 12 19:23 - down (4+17:50)
master ftpd16278 211.43.210.60 Sun Jun 12 19:19 - 19:20 (00:01)
master ftpd14054 puma.aiware.jp Sat Jun 11 19:10 - 19:10 (00:00)
master ftpd9850 puma.aiware.jp Sat Jun 11 18:59 - 18:59 (00:00)
master ftpd9558 puma.aiware.jp Sat Jun 11 18:58 - 18:59 (00:00)
master ftpd17112 201.134.236.77 Fri Jun 10 20:19 - 20:23 (00:03)
master ftpd16658 201.134.236.77 Fri Jun 10 20:18 - 20:22 (00:03)
master ftpd28088 210.122.128.66 Fri Jun 10 19:26 - 19:26 (00:00)
master ftpd28655 222.66.52.18 Fri Jun 10 05:25 - 05:29 (00:04)
master ftpd28642 222.99.91.49 Fri Jun 10 05:25 - 05:25 (00:00)
master ftpd28201 puma.aiware.jp Fri Jun 10 05:17 - 05:17 (00:00)
master ftpd28188 dns2.shipl.edu.c Fri Jun 10 05:16 - 05:17 (00:00)
master ftpd28876 mail.nankai.com. Wed Jun 8 01:19 - 01:19 (00:00)
master ftpd8397 219.239.188.17 Mon Jun 6 22:12 - 22:30 (00:18)
master ftpd15677 219.106.228.250 Mon Jun 6 20:33 - 20:34 (00:00)
master ftpd9571 211.21.206.68 Mon Jun 6 20:23 - 20:23 (00:00)
master ftpd8804 210.241.239.221 Mon Jun 6 20:21 - 20:23 (00:01)
master ftpd10247 220-135-144-205. Mon Jun 6 18:08 - 18:09 (00:01)
master ftpd7120 220-130-65-44.HI Mon Jun 6 18:02 - 18:07 (00:04)
master ftpd23529 ruby.kist.re.kr Mon Jun 6 17:27 - 17:28 (00:00)
master ftpd23251 usen-221x242x75x Mon Jun 6 17:27 - 17:27 (00:00)
master ftpd13396 ruby.kist.re.kr Mon Jun 6 17:05 - 17:05 (00:00)
master ftpd13244 ruby.kist.re.kr Mon Jun 6 17:04 - 17:04 (00:00)
master ftpd3686 ruby.kist.re.kr Mon Jun 6 16:42 - 16:44 (00:02) <= 의심되는 계정
wtmp begins Wed Jun 1 21:15:31 2005
master라는 원래 없던 계정이 생성되어 ftp로 접근했던 것으로 보임. (wtmp 기준으로 master 계정의 첫 접속은 Jun 6 16:42 ruby.kist.re.kr 에서 이루어짐.)
[조치내역]
비정상 프로세스 종료
[root@bmtown root]# pstree
init-+-24*[(swapd] <= 비정상 프로세스
|-smbd40-D---smbd40-D---bash---httpd---brute---101*[brute] <= 비정상 프로세스
[root@bmtown root]#
[root@bmtown log]# killall -9 brute <= 비정상 프로세스 종료
swapd 와 smbd40-D 프로세스는 killall 로 종료되지 않음.
[root@bmtown root]# find / -name smbd*
/usr/bin/smbd -D <= 비정상
/usr/local/games/ /smbd <= 비정상
/usr/local/games/smbd <= 비정상
파일 삭제
[root@bmtown root]# cd /usr/bin/
[root@bmtown bin]# ls -al smb*
-rwxr-xr-x 1 root root 670214 Oct 12 2002 smbd -D
[root@bmtown bin]# rm -f smbd -D <= 비정상 파일 삭제
[root@bmtown bin]# ls -al smb*
ls: smb*: No such file or directory
[root@bmtown root]# cd /usr/local/games/
[root@bmtown games]# ls -al
total 236
drwx------ 2 mysql mysql 4096 Jun 16 19:40 <= 비정상 디렉토리
drwxr-xr-x 3 root root 4096 Jun 17 14:44 .
drwxr-xr-x 13 root root 4096 Jul 13 2004 ..
-rw-r--r-- 1 root root 6 Jun 15 19:10 x.pid <= 비정상 파일
[root@bmtown games]#
ls 명령어가 변조되어 smbd 파일이 실제로 존재하지만 ls -al 명령어로는 보이지 않음
[root@bmtown games]# rm -f smbd
[root@bmtown games]# rm -f x.pid
[root@bmtown games]# ls -ali
total 12
3473703 drwx------ 2 mysql mysql 4096 Jun 16 19:40
3325960 drwxr-xr-x 3 root root 4096 Jun 17 14:51 .
3096584 drwxr-xr-x 13 root root 4096 Jul 13 2004 ..
디렉토리 이름이 보이지도 않고 디렉토리 안으로 들어갈 수도 없어서 inode 번호로 삭제함.
[root@bmtown games]# find -inum 3473703 -exec rm -rf {} \;
확인 결과 모두 삭제되었음.
[root@bmtown games]# ls -ali
total 8
3325960 drwxr-xr-x 2 root root 4096 Jun 17 14:53 .
3096584 drwxr-xr-x 13 root root 4096 Jul 13 2004 ..
[root@bmtown root]#
[root@bmtown root]# find / -name *swapd*
/proc/sys/vm/kswapd <= 정상
/usr/bin/(swapd) <= 비정상
[root@bmtown bin]# cd /usr/bin/
[root@bmtown bin]# ls -al *swapd*
-rwxr-xr-x 1 root root 16141 May 9 17:17 (swapd)
[root@bmtown bin]#
[root@bmtown bin]# rm -f "(swapd)" <= 비정상 파일 삭제
[root@bmtown bin]# ls -al *swapd*
ls: *swapd*: No such file or directory
[root@bmtown tmp]# cd /tmp/
[root@bmtown tmp]# rm -rf .b/ <= 비정상 디렉토리 및 파일 삭제
[root@bmtown bin]# reboot
리부팅 후 정상 프로세스 확인
[root@bmtown root]# pstree
init-+-anacron
|-atd
|-bdflush
|-crond
|-httpd---10*[httpd]
|-keventd
|-khubd
|-2*[kjournald]
|-klogd
|-kscand/DMA
|-kscand/HighMem
|-kscand/Normal
|-ksoftirqd_CPU0
|-ksoftirqd_CPU1
|-ksoftirqd_CPU2
|-ksoftirqd_CPU3
|-kswapd
|-kupdated
|-mdrecoveryd
|-mingetty
|-named
|-proftpd
|-safe_mysqld---mysqld
|-sshd---sshd-+-bash---pstree
| |-bash
| `-sftp-server
|-syslogd
`-xinetd
[root@bmtown root]#
HijAckeR님의 댓글
- HijAckeR
- 작성일