해킹 당한듯 다시 올립니다.
작성자 정보
- 홍석범 작성
- 작성일
컨텐츠 정보
- 2,676 조회
- 0 추천
-
목록
본문
안녕하십니까?
아래 올려주신 내용만으로는 정상으로 보입니다.
물론 커널기반 백도어가 설치되어 있다면 바정상 프로세스는 보이지 않을 수 있습니다. 이러한 경우 chkrootkit등을 돌려보시면 파악이 가능합니다.
어떤 근거로 해킹이라고 판단하시는지 말씀해 주시면 도움이 될 것 같습니다.
감사합니다.
[root@www root]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.2 0.0 1384 484 ? S 13:03 0:04 init
root 2 0.0 0.0 0 0 ? SW 13:03 0:00 [migration/0]
root 3 0.0 0.0 0 0 ? SW 13:03 0:00 [migration/1]
root 4 0.0 0.0 0 0 ? SW 13:03 0:00 [keventd]
root 5 0.1 0.0 0 0 ? SWN 13:03 0:01 [ksoftirqd_CPU0]
root 6 0.0 0.0 0 0 ? SWN 13:03 0:00 [ksoftirqd_CPU1]
root 11 0.0 0.0 0 0 ? SW 13:03 0:00 [bdflush]
root 7 0.0 0.0 0 0 ? SW 13:03 0:00 [kswapd]
root 8 0.0 0.0 0 0 ? SW 13:03 0:00 [kscand/DMA]
root 9 0.0 0.0 0 0 ? SW 13:03 0:00 [kscand/Normal]
root 10 0.1 0.0 0 0 ? SW 13:03 0:02 [kscand/HighMem]
root 12 0.0 0.0 0 0 ? SW 13:03 0:00 [kupdated]
root 13 0.0 0.0 0 0 ? SW 13:03 0:00 [mdrecoveryd]
root 19 0.0 0.0 0 0 ? DW 13:03 0:00 [aarich watchdog]
root 20 0.0 0.0 0 0 ? SW 13:03 0:00 [scsi_eh_0]
root 23 0.0 0.0 0 0 ? SW 13:03 0:00 [kjournald]
root 80 0.0 0.0 0 0 ? SW 13:04 0:00 [khubd]
root 156 0.0 0.0 0 0 ? SW 13:04 0:00 [kjournald]
root 157 0.0 0.0 0 0 ? SW 13:04 0:00 [kjournald]
root 158 0.0 0.0 0 0 ? SW 13:04 0:00 [kjournald]
root 159 0.0 0.0 0 0 ? SW 13:04 0:00 [kjournald]
root 160 0.0 0.0 0 0 ? SW 13:04 0:00 [kjournald]
root 415 0.0 0.0 1456 568 ? S 13:04 0:00 syslogd -m 0
root 419 0.0 0.0 1380 448 ? S 13:04 0:00 klogd -x
root 428 0.0 0.1 3520 1516 ? S 13:04 0:00 /usr/sbin/sshd
root 439 0.0 0.0 2068 880 ? S 13:04 0:00 xinetd -stayalive
root 461 0.0 0.2 5960 2572 ? S 13:04 0:00 [sendmail]
smmsp 470 0.0 0.2 5760 2304 ? S 13:04 0:00 [sendmail]
nobody 480 0.0 0.0 2072 964 ? S 13:05 0:00 [proftpd]
root 489 0.0 0.0 1428 588 ? S 13:05 0:00 crond
root 501 0.0 0.1 4392 1120 ? S 13:05 0:00 /bin/sh /usr/loca
mysql 533 0.0 1.9 465348 20184 ? S 13:05 0:00 [mysqld]
mysql 534 0.0 1.9 465348 20184 ? S 13:05 0:00 [mysqld]
mysql 535 0.0 1.9 465348 20184 ? S 13:05 0:00 [mysqld]
mysql 536 0.0 1.9 465348 20184 ? S 13:05 0:00 [mysqld]
mysql 537 0.0 1.9 465348 20184 ? S 13:05 0:00 [mysqld]
mysql 538 0.0 1.9 465348 20184 ? S 13:05 0:00 [mysqld]
mysql 539 0.0 1.9 465348 20184 ? S 13:05 0:00 [mysqld]
mysql 540 0.0 1.9 465348 20184 ? S 13:05 0:00 [mysqld]
mysql 541 0.0 1.9 465348 20184 ? S 13:05 0:00 [mysqld]
mysql 542 0.0 1.9 465348 20184 ? S 13:05 0:00 [mysqld]
root 543 0.0 0.0 1360 384 tty1 S 13:05 0:00 /sbin/mingetty tt
root 544 0.0 0.0 1360 384 tty2 S 13:05 0:00 /sbin/mingetty tt
root 545 0.0 0.0 1360 384 tty3 S 13:05 0:00 /sbin/mingetty tt
root 546 0.0 0.0 1360 384 tty4 S 13:05 0:00 /sbin/mingetty tt
root 547 0.0 0.0 1360 384 tty5 S 13:05 0:00 /sbin/mingetty tt
root 548 0.0 0.0 1360 384 tty6 S 13:05 0:00 /sbin/mingetty tt
root 549 0.0 0.2 6868 2120 ? S 13:06 0:00 /usr/sbin/sshd
root 551 0.0 0.1 5464 1480 pts/0 S 13:06 0:00 -bash
root 634 0.0 0.6 17048 6912 ? S 13:07 0:00 /usr/local/apache
nobody 635 0.0 0.7 17768 7980 ? S 13:07 0:00 [libhttpd.ep]
nobody 636 0.0 0.7 17940 8152 ? S 13:07 0:00 [libhttpd.ep]
nobody 637 0.0 0.7 17620 7820 ? S 13:07 0:00 [libhttpd.ep]
nobody 638 0.0 0.7 17440 7580 ? S 13:07 0:00 [libhttpd.ep]
nobody 639 0.0 0.6 17108 7024 ? S 13:07 0:00 [libhttpd.ep]
nobody 640 0.0 0.7 17280 7440 ? S 13:07 0:00 [libhttpd.ep]
nobody 641 0.0 0.7 17580 7764 ? S 13:07 0:00 [libhttpd.ep]
nobody 642 0.0 0.7 17892 8080 ? S 13:07 0:00 [libhttpd.ep]
nobody 643 0.0 0.7 17616 7832 ? S 13:07 0:00 [libhttpd.ep]
nobody 644 0.0 0.7 17560 7744 ? S 13:07 0:00 [libhttpd.ep]
nobody 645 0.0 0.7 17732 7932 ? S 13:07 0:00 [libhttpd.ep]
nobody 646 0.0 0.7 17712 7928 ? S 13:07 0:00 [libhttpd.ep]
nobody 647 0.0 0.7 17680 7900 ? S 13:07 0:00 [libhttpd.ep]
nobody 648 0.0 0.7 17288 7512 ? S 13:07 0:00 [libhttpd.ep]
nobody 649 0.0 0.6 17108 7032 ? S 13:07 0:00 [libhttpd.ep]
mysql 650 0.1 1.9 465348 20184 ? S 13:07 0:02 [mysqld]
mysql 651 0.1 1.9 465348 20184 ? S 13:07 0:02 [mysqld]
nobody 652 0.0 0.7 17620 7824 ? S 13:07 0:00 [libhttpd.ep]
nobody 653 0.0 0.7 17612 7832 ? S 13:07 0:00 [libhttpd.ep]
nobody 654 0.0 0.7 17524 7744 ? S 13:07 0:00 [libhttpd.ep]
nobody 655 0.0 0.7 17724 7900 ? S 13:07 0:00 [libhttpd.ep]
nobody 656 0.0 0.6 17108 7028 ? S 13:07 0:00 [libhttpd.ep]
nobody 1168 0.0 0.6 17108 7036 ? S 13:34 0:00 [libhttpd.ep]
nobody 1169 0.0 0.6 17108 7028 ? S 13:34 0:00 [libhttpd.ep]
nobody 1170 0.0 0.6 17140 7148 ? S 13:34 0:00 [libhttpd.ep]
nobody 1171 0.0 0.6 17108 7028 ? S 13:34 0:00 [libhttpd.ep]
nobody 1175 0.3 0.7 17772 7972 ? S 13:34 0:00 [libhttpd.ep]
nobody 1183 0.0 0.6 17108 7028 ? S 13:34 0:00 [libhttpd.ep]
nobody 1184 0.0 0.6 17108 7028 ? S 13:34 0:00 [libhttpd.ep]
nobody 1185 0.0 0.6 17108 7028 ? S 13:34 0:00 [libhttpd.ep]
nobody 1186 0.0 0.6 17108 7028 ? S 13:34 0:00 [libhttpd.ep]
nobody 1187 0.0 0.6 17108 7028 ? S 13:34 0:00 [libhttpd.ep]
nobody 1188 0.0 0.6 17108 7028 ? S 13:34 0:00 [libhttpd.ep]
nobody 1189 0.0 0.6 17108 7028 ? S 13:34 0:00 [libhttpd.ep]
nobody 1190 0.0 0.6 17108 7028 ? S 13:34 0:00 [libhttpd.ep]
nobody 1191 0.0 0.7 17252 7404 ? S 13:34 0:00 [libhttpd.ep]
nobody 1192 0.5 0.7 17692 7872 ? S 13:34 0:00 [libhttpd.ep]
nobody 1193 0.0 0.6 17108 7028 ? S 13:34 0:00 [libhttpd.ep]
nobody 1194 0.0 0.6 17108 7028 ? S 13:34 0:00 [libhttpd.ep]
nobody 1195 0.0 0.6 17072 6932 ? S 13:34 0:00 [libhttpd.ep]
nobody 1196 0.0 0.6 17072 6932 ? S 13:34 0:00 [libhttpd.ep]
nobody 1197 0.0 0.6 17072 6932 ? S 13:34 0:00 [libhttpd.ep]
nobody 1198 0.0 0.6 17072 6932 ? S 13:34 0:00 [libhttpd.ep]
nobody 1199 0.0 0.6 17072 6932 ? S 13:34 0:00 [libhttpd.ep]
nobody 1200 0.0 0.6 17072 6932 ? S 13:34 0:00 [libhttpd.ep]
nobody 1201 0.0 0.6 17072 6932 ? S 13:34 0:00 [libhttpd.ep]
nobody 1202 0.0 0.6 17072 6932 ? S 13:34 0:00 [libhttpd.ep]
nobody 1203 0.0 0.6 17072 6932 ? S 13:34 0:00 [libhttpd.ep]
nobody 1204 0.0 0.6 17072 6932 ? S 13:34 0:00 [libhttpd.ep]
nobody 1205 0.0 0.6 17072 6932 ? S 13:34 0:00 [libhttpd.ep]
nobody 1206 0.0 0.6 17072 6932 ? S 13:34 0:00 [libhttpd.ep]
nobody 1207 0.0 0.6 17072 6932 ? S 13:34 0:00 [libhttpd.ep]
nobody 1208 0.0 0.6 17072 6932 ? S 13:34 0:00 [libhttpd.ep]
nobody 1209 0.0 0.6 17072 6932 ? S 13:34 0:00 [libhttpd.ep]
nobody 1210 0.0 0.6 17072 6932 ? S 13:34 0:00 [libhttpd.ep]
root 1214 0.0 0.0 2676 736 pts/0 R 13:35 0:00 ps aux
[root@www root]# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
PID/Program name
tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN
439/xinetd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
533/
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
439/xinetd
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
439/xinetd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
634/httpd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
480/
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
428/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
461/
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Pat
h
unix 2 [ ACC ] STREAM LISTENING 1024 533/ /tm
p/mysql.sock
=============================================
처음에는 좀비가 859개 였는데 재부팅후에는 좀비가 없어졌네요.
만약 해킹 당한것이라면 어떻게 대처를 해야 하나요?
관련자료
-
이전
-
다음
