Linux Q&A

I think my server has been hacked: request for log analysis and countermeasures

Posted by 이종민

Hello.

About two months ago the server was hacked, and lately strange things have been happening frequently again.

I am a complete Linux beginner who only started today, so I would appreciate some help analyzing a few log entries and advice on what to do about them.

The server is used mainly as a data (DB) server, and it also runs one small company-introduction website.

In particular, as you can see from the messages from around 9 pm on 2006-06-02, traffic spiked sharply and the hosting company blocked the server outright.

Being such a beginner, my current practice is to run top frequently and, whenever I see a Perl process consuming excessive resources, kill it immediately.

Please give a detailed answer on what specific measures I should take.

If you need more information for the analysis, let me know and I will post it right away.

Have a nice weekend..^^

[root@localhost tmp]# ls -al
total 56
drwxrwxrwt    2 root     root         4096 Jun  9 20:04 .
drwxr-xr-x   20 root     root         4096 Jun  9 08:38 ..
-rw-r--r--    1 nobody   4294967295    20112 Jun  9 06:03 botperl
-rwxr-xr-x    1 nobody   4294967295    21399 Jun  9 18:56 miro
-rw-------    1 root     root         4096 Jun  9 20:04 .miro.swp
srwxrwxrwx    1 mysql    mysql           0 Jun  9 08:39 mysql.sock

[root@localhost tmp]# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 08:37 ?        00:00:05 init [3]
root         2     0  0 08:37 ?        00:00:00 [migration/0]
root         3     0  0 08:37 ?        00:00:00 [migration/1]
root         4     1  0 08:37 ?        00:00:00 [keventd]
root         5     1  0 08:37 ?        00:00:02 [ksoftirqd_CPU0]
root         6     1  0 08:37 ?        00:00:00 [ksoftirqd_CPU1]
root        11     1  0 08:37 ?        00:00:00 [bdflush]
root         7     1  0 08:37 ?        00:00:00 [kswapd]
root         8     1  0 08:37 ?        00:00:00 [kscand/DMA]
root         9     1  0 08:37 ?        00:00:13 [kscand/Normal]
root        10     1  0 08:37 ?        00:00:00 [kscand/HighMem]
root        12     1  0 08:37 ?        00:00:02 [kupdated]
root        13     1  0 08:37 ?        00:00:00 [mdrecoveryd]
root        17     1  0 08:37 ?        00:00:49 [kjournald]
root        75     1  0 08:38 ?        00:00:00 [khubd]
root      2915     1  0 08:38 ?        00:00:00 [kjournald]
root      3408     1  0 08:39 ?        00:00:00 syslogd -m 0
root      3412     1  0 08:39 ?        00:00:00 klogd -x
named     3491     1  0 08:39 ?        00:00:00 /usr/sbin/named -u named
root      3505     1  0 08:39 ?        00:00:01 /usr/sbin/sshd
root      3519     1  0 08:39 ?        00:00:00 xinetd -stayalive -reuse -pidfile /var/run/xinetd.pid
root      3539     1  0 08:39 ?        00:00:00 sendmail: accepting connections
smmsp     3548     1  0 08:39 ?        00:00:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root      3558     1  0 08:39 ?        00:00:00 crond
root      4022     1  0 08:39 ?        00:00:00 /bin/sh /usr/local/mysql/bin/safe_mysqld --user=mysql --default-character-set
mysql     4049  4022  0 08:39 ?        00:04:25 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/loc
root      4059     1  0 08:39 ?        00:00:00 /usr/local/apache2/bin/httpd -k restart
root      4060     1  0 08:39 tty1     00:00:00 /sbin/mingetty tty1
root      4061     1  0 08:39 tty2     00:00:00 /sbin/mingetty tty2
root      4062     1  0 08:39 tty3     00:00:00 /sbin/mingetty tty3
root      4063     1  0 08:39 tty4     00:00:00 /sbin/mingetty tty4
root      4064     1  0 08:39 tty5     00:00:00 /sbin/mingetty tty5
root      4065     1  0 08:39 tty6     00:00:00 /sbin/mingetty tty6
nobody    4163     1  0 08:45 ?        00:00:00 proftpd (accepting connections)
root     11571  3505  0 11:37 ?        00:00:00 /usr/sbin/sshd
mysql    11574 11571  0 11:37 ?        00:00:08 /usr/sbin/sshd
mysql    11575 11574  0 11:37 pts/0    00:00:00 -bash
nobody   12170  4059  0 13:53 ?        00:00:00 /usr/local/apache2/bin/httpd -k restart
root     12365 11575  0 14:34 pts/0    00:00:00 su
root     12366 12365  0 14:34 pts/0    00:00:00 bash
root     12392 12366  0 14:34 pts/0    00:00:00 vim /var/log/secure
nobody   12512  4059  0 15:04 ?        00:00:00 /usr/local/apache2/bin/httpd -k restart
root     12760 12366  0 16:05 pts/0    00:00:00 vim /usr/local/proftpd/etc/proftpd.conf
root     12781 12366  0 16:08 pts/0    00:00:00 vim /usr/sbin/proftpd/proftpd.conf
root     12786 12366  0 16:09 pts/0    00:00:00 vim /usr/sbin/proftpd/proftpd
root     12787 12366  0 16:09 pts/0    00:00:00 su
root     12788 12787  0 16:09 pts/0    00:00:00 bash
root     12832 12788  0 16:12 pts/0    00:00:00 vim /etc/ftpusers
root     12863 12788  0 16:14 pts/0    00:00:00 vim /usr/local/proftpd/etc/proftpd.conf
nobody   12872  4059  0 16:16 ?        00:00:00 /usr/local/apache2/bin/httpd -k restart
nobody   12874  4059  0 16:16 ?        00:00:00 /usr/local/apache2/bin/httpd -k restart
root     12891 12788  0 16:17 pts/0    00:00:00 vim proftpd.conf
root     12930 12788  0 16:20 pts/0    00:00:00 vim proftpd.conf
root     12933 12788  0 16:20 pts/0    00:00:00 vim proftpd.conf
root     12945 12788  0 16:23 pts/0    00:00:00 vim proftpd.conf
root     12947 12788  0 16:23 pts/0    00:00:00 vim pwdb.conf
root     12982 12788  0 16:32 pts/0    00:00:00 vim su
root     12987 12788  0 16:33 pts/0    00:00:00 vim /etc/group
root     13019 12788  0 16:40 pts/0    00:00:00 vim /etc/vsftpd.conf
root     13025 12788  0 16:41 pts/0    00:00:00 vim xinetd.conf
root     13046 12788  0 16:46 pts/0    00:00:00 vim /etc/proftpd.conf
root     13073 12788  0 16:52 pts/0    00:00:00 vim proftpd
root     13077 12788  0 16:53 pts/0    00:00:00 vim proftpd.conf
root     13078 12788  0 16:53 pts/0    00:00:00 vim proftpd.conf.swf
root     13150 12788  0 17:03 pts/0    00:00:00 vim proftpd.conf
root     13167 12788  0 17:06 pts/0    00:00:00 vim proftpd.conf
root     13192 12788  0 17:11 pts/0    00:00:00 vim proftpd.conf
root     13196 12788  0 17:12 pts/0    00:00:00 vim proftpd.conf
root     13289 12788  0 17:34 pts/0    00:00:00 top
root     13320 12788  0 17:42 pts/0    00:00:00 vim /var/log/secure
nobody   13344  4059  0 17:48 ?        00:00:00 /usr/local/apache2/bin/httpd -k restart
nobody   13392  4059  0 17:57 ?        00:00:00 /usr/local/apache2/bin/httpd -k restart
nobody   13393  4059  0 17:57 ?        00:00:00 /usr/local/apache2/bin/httpd -k restart
nobody   13437  4059  0 18:05 ?        00:00:00 /usr/local/apache2/bin/httpd -k restart
nobody   13438  4059  0 18:05 ?        00:00:00 /usr/local/apache2/bin/httpd -k restart
nobody   13473  4059  0 18:09 ?        00:00:00 /usr/local/apache2/bin/httpd -k restart
nobody   13638 12170  0 18:51 ?        00:00:00 [sh ]
nobody   13689     1  0 18:57 ?        00:00:00 /usr/local/apache/bin/httpd -DSSL
root     13728 12788  0 19:06 pts/0    00:00:00 vim /var/log/messages
nobody   13775     1  0 19:17 ?        00:00:00 bash
root     14609 12788  0 20:04 pts/0    00:00:00 vim miro
root     14702 12788  0 20:26 pts/0    00:00:00 ps -ef

[root@localhost mysql]# nmap localhost

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1593 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
953/tcp    open        rndc
3306/tcp   open        mysql

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
[root@localhost mysql]#

[root@localhost tmp]# vi /var/log/messages  - messages from around 7 pm on 2006-06-09
Jun  9 18:55:57 localhost kernel: application bug: perl(13643) has SIGCHLD set to SIG_IGN but calls wait().
Jun  9 18:55:57 localhost kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Jun  9 18:57:02 localhost proftpd[13682]: localhost.localdomain (125.131.94.9[125.131.94.9]) - FTP session opened.
Jun  9 18:57:02 localhost PAM_pwdb[13682]: (ftp) session opened for user costnet by (uid=0)
Jun  9 18:57:33 localhost kernel: application bug: perl(13643) has SIGCHLD set to SIG_IGN but calls wait().
Jun  9 18:57:33 localhost kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Jun  9 18:57:59 localhost proftpd[13682]: localhost.localdomain (125.131.94.9[125.131.94.9]) - FTP session closed.
Jun  9 18:57:59 localhost PAM_pwdb[13682]: (ftp) session closed for user costnet
Jun  9 19:13:19 localhost kernel: application bug: perl(13643) has SIGCHLD set to SIG_IGN but calls wait().
Jun  9 19:13:19 localhost kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Jun  9 19:45:23 localhost sshd(pam_unix)[13884]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.207.245.22  user=root
Jun  9 19:45:27 localhost sshd(pam_unix)[13886]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.207.245.22  user=root
Jun  9 19:45:30 localhost sshd(pam_unix)[13888]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.207.245.22  user=root

[root@localhost tmp]# vi /var/log/messages  - messages from around 8 am on 2006-06-09

Jun  9 06:08:08 localhost sshd(pam_unix)[3143]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.21.198.214  user=root
Jun  9 06:08:18 localhost sshd(pam_unix)[3145]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.21.198.214  user=root
Jun  9 06:08:27 localhost sshd(pam_unix)[3147]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.21.198.214  user=root
Jun  9 06:08:36 localhost sshd(pam_unix)[3149]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.21.198.214  user=root
Jun  9 06:08:45 localhost sshd(pam_unix)[3151]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.21.198.214  user=root
Jun  9 06:08:55 localhost sshd(pam_unix)[3153]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.21.198.214  user=root
Jun  9 08:23:32 localhost kernel: application bug: perl(3065) has SIGCHLD set to SIG_IGN but calls wait().
Jun  9 08:23:32 localhost kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Jun  9 08:33:27 localhost sshd(pam_unix)[3645]: session opened for user mysql by (uid=500)
Jun  9 08:33:48 localhost su(pam_unix)[3681]: session opened for user root by mysql(uid=500)
Jun  9 08:36:41 localhost shutdown: shutting down for system reboot
Jun  9 08:36:41 localhost init: Switching to runlevel: 6
Jun  9 08:36:43 localhost rc: Stopping keytable:  succeeded
Jun  9 08:36:43 localhost sshd: sshd -TERM succeeded
Jun  9 08:36:43 localhost sendmail: sendmail shutdown succeeded
Jun  9 08:36:43 localhost sendmail: sm-client shutdown succeeded
Jun  9 08:36:43 localhost named[3491]: shutting down: flushing changes
Jun  9 08:36:43 localhost named[3491]: stopping command channel on 127.0.0.1#953

[root@localhost tmp]# vi /var/log/messages  - messages from around 10 am on 2006-06-04

Jun  4 21:48:59 localhost sshd(pam_unix)[12807]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=59.52.28.136  user=root
Jun  4 22:21:11 localhost kernel: application bug: perl(12930) has SIGCHLD set to SIG_IGN but calls wait().
Jun  4 22:21:11 localhost kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.

[root@localhost tmp]# vi /var/log/messages  - messages from around 9 pm on 2006-06-02

Jun  2 07:49:15 localhost sshd(pam_unix)[4986]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=125.251.172.2  user=root
Jun  2 08:55:39 localhost sshd(pam_unix)[5216]: session opened for user mysql by (uid=500)
Jun  2 08:55:54 localhost su(pam_unix)[5252]: session opened for user root by mysql(uid=500)
Jun  2 09:33:14 localhost su(pam_unix)[5252]: session closed for user root
Jun  2 09:33:15 localhost sshd(pam_unix)[5216]: session closed for user mysql
Jun  2 09:46:02 localhost kernel: application bug: perl(5531) has SIGCHLD set to SIG_IGN but calls wait().
Jun  2 09:46:02 localhost kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Jun  2 09:49:05 localhost kernel: application bug: perl(5531) has SIGCHLD set to SIG_IGN but calls wait().
Jun  2 09:49:05 localhost kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Jun  2 09:51:15 localhost kernel: application bug: perl(5531) has SIGCHLD set to SIG_IGN but calls wait().
Jun  2 09:51:15 localhost kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Jun  2 10:05:37 localhost kernel: application bug: perl(5531) has SIGCHLD set to SIG_IGN but calls wait().
Jun  2 10:05:37 localhost kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Jun  2 10:11:00 localhost kernel: application bug: perl(5531) has SIGCHLD set to SIG_IGN but calls wait().
Jun  2 10:11:00 localhost kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Jun  2 10:13:07 localhost kernel: application bug: perl(5531) has SIGCHLD set to SIG_IGN but calls wait().
Jun  2 10:13:07 localhost kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Jun  2 10:15:04 localhost kernel: application bug: perl(5531) has SIGCHLD set to SIG_IGN but calls wait().
Jun  2 10:15:04 localhost kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Jun  2 10:20:21 localhost proftpd[5757]: localhost.localdomain (220.76.118.41[220.76.118.41]) - FTP session opened.
Jun  2 10:20:21 localhost PAM_pwdb[5757]: (ftp) session opened for user costnet by (uid=0)
Jun  2 10:20:50 localhost kernel: application bug: perl(5531) has SIGCHLD set to SIG_IGN but calls wait().
Jun  2 10:20:50 localhost kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Jun  2 10:21:27 localhost proftpd[5757]: localhost.localdomain (220.76.118.41[220.76.118.41]) - FTP session closed.
Jun  2 10:21:27 localhost PAM_pwdb[5757]: (ftp) session closed for user costnet
Jun  2 11:06:33 localhost proftpd[5968]: localhost.localdomain (211.174.61.20[211.174.61.20]) - FTP session opened.
Jun  2 11:06:33 localhost proftpd[5968]: localhost.localdomain (211.174.61.20[211.174.61.20]) - FTP session closed.
Jun  2 11:06:39 localhost xinetd[5971]: warning: can't get client address: Connection reset by peer
Jun  2 11:06:41 localhost proftpd[5972]: localhost.localdomain (211.174.61.20[211.174.61.20]) - FTP session opened.
Jun  2 11:06:51 localhost proftpd[5972]: localhost.localdomain (211.174.61.20[211.174.61.20]) - FTP session closed.
Jun  2 11:06:51 localhost proftpd[5977]: localhost.localdomain (211.174.61.20[211.174.61.20]) - FTP session opened.
Jun  2 11:06:56 localhost proftpd[5977]: localhost.localdomain (211.174.61.20[211.174.61.20]) - FTP session closed.
Jun  2 11:09:45 localhost kernel: bcm5700: eth0 NIC Link is Down
Jun  2 11:09:46 localhost kernel: bcm5700: eth0 NIC Link is Up, 100 Mbps full duplex
Jun  2 11:09:48 localhost kernel: bcm5700: eth0 NIC Link is Down
Jun  2 11:09:50 localhost kernel: bcm5700: eth0 NIC Link is Up, 100 Mbps full duplex
Jun  2 11:09:53 localhost kernel: bcm5700: eth0 NIC Link is Down
Jun  2 12:36:58 localhost kernel: bcm5700: eth0 NIC Link is Up, 100 Mbps full duplex
Jun  2 12:37:30 localhost sshd(pam_unix)[6262]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=124.61.204.38  user=mysql
Jun  2 12:38:05 localhost sshd(pam_unix)[6272]: session opened for user mysql by (uid=500)
Jun  2 12:38:26 localhost su(pam_unix)[6309]: session opened for user root by mysql(uid=500)
Jun  2 12:38:48 localhost kernel: application bug: perl(5760) has SIGCHLD set to SIG_IGN but calls wait().
Jun  2 12:38:48 localhost kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Jun  2 12:39:13 localhost shutdown: shutting down for system reboot
Jun  2 12:39:13 localhost init: Switching to runlevel: 6
Jun  2 12:39:14 localhost rc: Stopping keytable:  succeeded
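The post above pastes four kinds of evidence: sshd "authentication failure" lines from many remote hosts, kernel "application bug: perl(PID) ... SIGCHLD" complaints that name the PID of a long-running Perl process, "su ... session opened for user root" lines, and a ps -ef listing with shells ("[sh ]", "bash") and an odd httpd running as nobody outside the real Apache parent. The script below is an added example, not code from the original post or its author, showing how to pull those indicators out of such output automatically instead of eyeballing it. The log lines and ps rows it contains are constructed to resemble the post's output (with RFC 5737 test addresses) and are not copied from it; the thresholds, the WEB_USER name and the EXPECTED_ORPHANS allowlist are assumptions for this demonstration.

```python
"""Triage helpers for /var/log/messages lines and `ps -ef` output of the kind shown
in the post.  Added example; sample data below is constructed, not from the post."""
import re
from collections import Counter

# Constructed syslog lines modelled on the post's format (addresses are RFC 5737 test ranges).
SAMPLE_MESSAGES = """\
Jun  9 06:08:08 localhost sshd(pam_unix)[3143]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7  user=root
Jun  9 06:08:18 localhost sshd(pam_unix)[3145]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7  user=root
Jun  9 06:08:27 localhost sshd(pam_unix)[3147]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7  user=root
Jun  9 08:23:32 localhost kernel: application bug: perl(3065) has SIGCHLD set to SIG_IGN but calls wait().
Jun  9 08:23:32 localhost kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Jun  9 08:33:27 localhost sshd(pam_unix)[3645]: session opened for user mysql by (uid=500)
Jun  9 08:33:48 localhost su(pam_unix)[3681]: session opened for user root by mysql(uid=500)
Jun  9 18:55:57 localhost kernel: application bug: perl(13643) has SIGCHLD set to SIG_IGN but calls wait().
Jun  9 19:45:23 localhost sshd(pam_unix)[13884]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.9  user=root
"""

# Constructed `ps -ef` rows: the real Apache parent runs as root, its workers as nobody.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      4059     1  0 08:39 ?        00:00:00 /usr/local/apache2/bin/httpd -k restart
nobody   12170  4059  0 13:53 ?        00:00:00 /usr/local/apache2/bin/httpd -k restart
nobody    4163     1  0 08:45 ?        00:00:00 proftpd (accepting connections)
nobody   13638 12170  0 18:51 ?        00:00:00 [sh ]
nobody   13643 13638  0 18:51 ?        00:00:07 perl /tmp/botperl
nobody   13689     1  0 18:57 ?        00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody   13775     1  0 19:17 ?        00:00:00 bash
"""

SSH_FAIL = re.compile(r"sshd\(pam_unix\)\[\d+\]: authentication failure; .*rhost=(\S+)\s+user=(\S+)")
PERL_BUG = re.compile(r"kernel: application bug: perl\((\d+)\) has SIGCHLD")
SU_ROOT = re.compile(r"su\(pam_unix\)\[\d+\]: session opened for user root by (\w+)\(uid=(\d+)\)")
SHELL_OR_INTERP = re.compile(r"^\[?(sh|bash|perl|python)\b")
WEB_USER = "nobody"             # assumed: the uid Apache and proftpd drop to on this box
EXPECTED_ORPHANS = {"proftpd"}  # assumed: daemons that legitimately run as nobody under init


def ssh_bruteforce_sources(text, threshold=3):
    """Failed sshd logins per remote host, keeping hosts at or above `threshold` attempts."""
    counts = Counter(m.group(1) for m in map(SSH_FAIL.search, text.splitlines()) if m)
    return {host: n for host, n in counts.items() if n >= threshold}


def perl_pids(text):
    """PIDs the kernel named in 'application bug: perl(PID)' lines: the bot processes."""
    return sorted({int(m.group(1)) for m in map(PERL_BUG.search, text.splitlines()) if m})


def root_escalations(text):
    """(account, uid) pairs that became root via su, in log order."""
    return [(m.group(1), int(m.group(2))) for m in map(SU_ROOT.search, text.splitlines()) if m]


def parse_ps(text):
    """Parse `ps -ef` output into {pid: {uid, ppid, cmd}}; CMD keeps its internal spaces."""
    procs = {}
    for line in text.splitlines()[1:]:      # skip the header row
        parts = line.split(None, 7)         # UID PID PPID C STIME TTY TIME CMD
        if len(parts) == 8:
            uid, pid, ppid, _, _, _, _, cmd = parts
            procs[int(pid)] = {"uid": uid, "ppid": int(ppid), "cmd": cmd}
    return procs


def suspicious_processes(procs):
    """Processes running as the web user that point to compromise, as (pid, reason)."""
    flagged = []
    for pid in sorted(procs):
        p = procs[pid]
        if p["uid"] != WEB_USER:
            continue
        cmd, parent = p["cmd"], procs.get(p["ppid"])
        basename = cmd.split()[0].rsplit("/", 1)[-1]
        if SHELL_OR_INTERP.match(cmd):
            flagged.append((pid, "shell or interpreter running as the web user"))
        elif parent and "httpd" in parent["cmd"] and "httpd" not in cmd:
            flagged.append((pid, "non-httpd child of the web server (code execution via the web app)"))
        elif p["ppid"] == 1 and basename not in EXPECTED_ORPHANS:
            flagged.append((pid, "orphaned process as the web user outside the real Apache parent"))
    return flagged


def still_running(bot_pids, procs):
    """Bot PIDs named by the kernel log that are still present in the process list."""
    return [pid for pid in bot_pids if pid in procs]


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    print("ssh brute-force sources:", ssh_bruteforce_sources(SAMPLE_MESSAGES))
    print("perl PIDs from kernel log:", perl_pids(SAMPLE_MESSAGES))
    print("su to root:", root_escalations(SAMPLE_MESSAGES))
    for pid, reason in suspicious_processes(procs):
        print(f"pid {pid}: {reason}: {procs[pid]['cmd']}")
    print("bot PIDs still alive:", still_running(perl_pids(SAMPLE_MESSAGES), procs))
```

Running it on real output (cat /var/log/messages and ps -ef redirected to files) would list the hosts to block at the firewall, the PIDs whose /proc/PID/cwd and /proc/PID/exe are worth recording before the process is killed, and any su-to-root session that the administrator cannot account for. Killing the Perl process, as the post describes, only removes the symptom; the flagged parent chain (httpd worker, then a shell, then perl) is what shows how the bot was started.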
