Analyzing the logs, but I can't figure out the cause.
Author: lastsky / Posted: Mon, 2005/03/14 - 3:05 PM
Hello.
I received an email from the hosting company saying the server had gone down
(they said it was a kernel panic, so they did a power reset).
Looking at the logs, the secure file had been deleted for that time period,
and in messages I found the following suspicious records.
Up to the 13th it looks like the attempts failed, but I don't understand what the strange trace on the 14th is. And I can't even guess whether we were attacked or whether it was an internal system defect.
There were always plenty of records of ssh login attempts with odd IDs, but since none were Accepted I just ignored them.
The log daemon kept dying, and I dealt with that by putting a restart script into cron to run daily; I wonder if that was the root of the trouble.
Security-wise, all I did was block things with iptables and check the secure file daily, so now that something else has happened I'm at a loss...
I'd appreciate your advice.
Below is the suspicious part of messages.
-bash-2.05b# vi messages
Mar 13 06:04:56 ns1 syslogd 1.4.1: restart.
Mar 13 06:05:03 ns1 kernel: Kernel logging (proc) stopped.
Mar 13 06:05:03 ns1 kernel: Kernel log daemon terminating.
Mar 13 06:05:05 ns1 syslog: klogd shutdown succeeded
Mar 13 06:05:05 ns1 exiting on signal 15
Mar 13 06:05:05 ns1 syslogd 1.4.1: restart.
Mar 13 06:05:05 ns1 syslog: syslogd startup succeeded
Mar 13 06:05:05 ns1 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Mar 13 06:05:05 ns1 syslog: klogd startup succeeded
Mar 13 06:05:05 ns1 syslog: syslogd shutdown succeeded
Mar 13 06:27:24 ns1 sshd(pam_unix)[23052]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.108.29.74 user=root
Mar 13 06:27:27 ns1 sshd(pam_unix)[23054]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.108.29.74 user=root
Mar 13 06:27:29 ns1 sshd(pam_unix)[23056]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.108.29.74 user=root
Mar 13 06:27:32 ns1 sshd(pam_unix)[23058]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.108.29.74 user=root
Mar 13 06:27:35 ns1 sshd(pam_unix)[23060]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.108.29.74 user=root
Mar 13 06:27:37 ns1 sshd(pam_unix)[23062]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.108.29.74 user=root
Mar 13 06:27:40 ns1 sshd(pam_unix)[23064]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.108.29.74 user=root
Mar 13 06:27:43 ns1 sshd(pam_unix)[23066]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.108.29.74 user=root
Mar 13 18:45:28 ns1 sshd(pam_unix)[28098]: check pass; user unknown
Mar 13 18:45:28 ns1 sshd(pam_unix)[28098]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=65.194.204.40
Mar 13 20:31:23 ns1 vsftpd: warning: can't get client address: Bad file descriptor
Mar 13 20:31:24 ns1 vsftpd(pam_unix)[29045]: check pass; user unknown
Mar 13 20:31:24 ns1 vsftpd(pam_unix)[29045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=61.54.210.33
Mar 14 04:02:40 ns1 su(pam_unix)[1203]: session opened for user root by (uid=0)
Mar 14 04:02:40 ns1 su(pam_unix)[1203]: session closed for user root
Mar 14 05:34:30 ns1 kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000000
Mar 14 05:34:30 ns1 kernel: printing eip:
Mar 14 05:34:30 ns1 kernel: c0219820
Mar 14 05:34:30 ns1 kernel: *pde = 00000000
Mar 14 05:34:30 ns1 kernel: Oops: 0000
Mar 14 05:34:30 ns1 kernel: CPU: 0
Mar 14 05:34:30 ns1 kernel: EIP: 0010:[<c0219820>] Not tainted
Mar 14 05:34:30 ns1 kernel: EFLAGS: 00010046
Mar 14 05:34:30 ns1 kernel: eax: 00000000 ebx: 00000000 ecx: 0000001b edx: 00000000
Mar 14 05:34:30 ns1 kernel: esi: 00000000 edi: 0000001b ebp: dfe49a00 esp: d4cc3df4
Mar 14 05:34:30 ns1 kernel: ds: 0018 es: 0018 ss: 0018
Mar 14 05:34:30 ns1 kernel: Process tar (pid: 1205, stackpage=d4cc3000)
Mar 14 05:34:30 ns1 kernel: Stack: 00000000 dfedb400 dfe49a00 dfee8078 00000000 c021b056 dffe1800 dfe49a00
Mar 14 05:34:30 ns1 kernel: 00000202 c0394000 00000000 dfe49a00 dfee8078 00000000 dfe49a58 c021a5c6
Mar 14 05:34:30 ns1 kernel: dfee8078 000000da c01e5ca7 000000da 00000287 d4cc3e74 dfee8000 dfe49a00
Mar 14 05:34:30 ns1 kernel: Call Trace: [<c021b056>] [<c021a5c6>] [<c01e5ca7>] [<c020be22>] [<c020c420>]
Mar 14 05:34:30 ns1 kernel: [<c020ffb0>] [<c02135cd>] [<c01e4c68>] [<c011e20a>] [<c013ffbf>] [<c012b9d1>]
Mar 14 05:34:30 ns1 kernel: [<c012b9fb>] [<c012c01d>] [<c012c5f0>] [<c012c78d>] [<c012c5f0>] [<c013b4e3>]
Mar 14 05:34:30 ns1 kernel: [<c013aa6a>] [<c010902f>]
Mar 14 05:34:30 ns1 kernel:
Mar 14 05:34:30 ns1 kernel: Code: 8b 02 85 c0 74 07 8b 42 04 85 c0 75 7f 8b 02 85 c0 75 07 8b
Mar 14 05:34:30 ns1 kernel: <1>Unable to handle kernel NULL pointer dereference at virtual address 00000004
Mar 14 05:34:30 ns1 kernel: printing eip:
Mar 14 05:34:30 ns1 kernel: c01e4f79
Mar 14 05:34:31 ns1 kernel: *pde = 00000000
Mar 14 05:34:31 ns1 kernel: Oops: 0002
Mar 14 05:34:31 ns1 kernel: CPU: 0
Mar 14 05:34:31 ns1 kernel: EIP: 0010:[<c01e4f79>] Not tainted
Mar 14 05:34:31 ns1 kernel: EFLAGS: 00010002
Mar 14 05:34:31 ns1 kernel: eax: 00000000 ebx: 00000005 ecx: c1658274 edx: c1658280
Mar 14 05:34:31 ns1 kernel: esi: dfe8d900 edi: 00000001 ebp: dfe97e40 esp: df4b9d94
Mar 14 05:34:31 ns1 kernel: ds: 0018 es: 0018 ss: 0018
Mar 14 05:34:31 ns1 kernel: Process kjournald (pid: 622, stackpage=df4b9000)
Mar 14 05:34:31 ns1 kernel: Stack: 00000000 00000008 c942eb40 c01e5509 c1658274 00000001 c942eb40 00000080
Mar 14 05:34:31 ns1 kernel: 00000001 00000400 c165829c 00000008 00000400 00000200 00000000 00000000
Mar 14 05:34:31 ns1 kernel: c16582a4 00000000 00000008 018b1f80 dfe97e40 c942eb40 00000008 040f9b51
Mar 14 05:34:31 ns1 kernel: Call Trace: [<c01e5509>] [<c01e5bfa>] [<c010ce38>] [<c01e5ca7>] [<c013d7fb>]
Mar 14 05:34:31 ns1 kernel: [<c01e5e54>] [<c0170532>] [<c027897b>] [<c0172924>] [<c01727b0>] [<c010741e>]
Mar 14 05:34:31 ns1 kernel: [<c01727d0>]
Mar 14 05:34:31 ns1 kernel:
Mar 14 05:34:31 ns1 kernel: Code: 89 50 04 89 02 c7 46 04 00 00 00 00 c7 06 00 00 00 00 ff 09
Mar 14 05:34:31 ns1 kernel: <1>Unable to handle kernel NULL pointer dereference at virtual address 00000004
Mar 14 05:34:31 ns1 kernel: printing eip:
Mar 14 05:34:31 ns1 kernel: c01e4f79
Mar 14 05:34:31 ns1 kernel: *pde = 00000000
Mar 14 05:34:32 ns1 kernel: Oops: 0002
Mar 14 05:34:32 ns1 kernel: CPU: 0
Mar 14 05:34:32 ns1 kernel: EIP: 0010:[<c01e4f79>] Not tainted
Mar 14 05:34:32 ns1 kernel: EFLAGS: 00010002
Mar 14 05:34:32 ns1 kernel: eax: 00000000 ebx: 00000005 ecx: c1658274 edx: c1658280
Mar 14 05:34:32 ns1 kernel: esi: dfe8d900 edi: 00000001 ebp: dfe97e40 esp: dfb73dbc
Mar 14 05:34:32 ns1 kernel: ds: 0018 es: 0018 ss: 0018
Mar 14 05:34:32 ns1 kernel: Process kjournald (pid: 12, stackpage=dfb73000)
Mar 14 05:34:32 ns1 kernel: Stack: 00000000 00000008 dd4e4560 c01e5509 c1658274 00000001 c165829c dd4e4560
Mar 14 05:34:32 ns1 kernel: 00000001 00000400 c165829c dd4e4560 00000400 00000200 00000000 00000000
Mar 14 05:34:32 ns1 kernel: c16582a4 00000000 00000008 0000d568 00000000 dd4e4560 00000008 004c5bb8
Mar 14 05:34:32 ns1 kernel: Call Trace: [<c01e5509>] [<c01e5bfa>] [<c01e5ca7>] [<c016f920>] [<c011e142>]
Mar 14 05:34:32 ns1 kernel: [<c011e056>] [<c010a7ce>] [<c01165d4>] [<c0172924>] [<c01727b0>] [<c010741e>]
Mar 14 05:34:32 ns1 kernel: [<c01727d0>]
Mar 14 05:34:32 ns1 kernel:
Mar 14 05:34:32 ns1 kernel: Code: 89 50 04 89 02 c7 46 04 00 00 00 00 c7 06 00 00 00 00 ff 09
Mar 14 06:05:42 ns1 syslogd 1.4.1: restart.
Mar 14 06:05:42 ns1 syslog: syslogd startup succeeded
I'm interested in the security field, but exceptions like this keep coming up and it's daunting.
How can I deal well with exceptional situations like these?
Thanks for reading.
Those Chinese guys must never sleep.
Since messages can be deleted freely once root is obtained, isn't it possible that the data from the evening of the 13th
to the early morning of the 14th was erased?
Hmm...
First, you should take measures so that root cannot be accessed via ftp and ssh.
Also, make root's password hard (it's a good idea to put ' ' or '.' in the middle of it),
manage it carefully, and install chkrootkit to check for any security holes you may have.
When it comes to security, there seems to be nothing perfect -at least as long as a network is involved-.
The only way is to manage it periodically.
------------------------------
Have a good day.
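As an added example for the reply's first recommendation (blocking root over ssh and ftp), and not code from the thread: a small Python audit that reports whether an sshd_config still lets root log in and rewrites it so it does not, plus a check that root is on vsftpd's PAM deny list. Assumptions: an absent PermitRootLogin counts as "yes", which was the OpenSSH default when this thread was written (OpenSSH 7.0 and later default to prohibit-password); vsftpd's PAM stack uses pam_listfile with a deny file (vsftpd.ftpusers on Red Hat-style systems of the period; the path varies by distribution); the config texts below are constructed samples.

```python
"""Audit the two "no root over ssh/ftp" settings the reply recommends.

Added example, not from the thread. Config texts are constructed samples.
"""
import re

# Assumption: absent directive means "yes", the OpenSSH default in 2005
# (OpenSSH 7.0+ defaults to prohibit-password instead).
DEFAULT_PERMIT_ROOT_LOGIN = "yes"

WEAK_SSHD_CONFIG = """\
# constructed sample: root may log in, passwords accepted
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

WEAK_FTPUSERS = """\
# constructed sample pam_listfile deny list: root is missing
bin
daemon
"""


def _keyword(line):
    """Return the lower-cased directive name of a config line ('' for blank/comment)."""
    body = line.split("#", 1)[0].strip()
    return re.split(r"[\s=]+", body, maxsplit=1)[0].lower() if body else ""


def effective_permit_root_login(sshd_config_text):
    """Return the global PermitRootLogin value sshd would use.

    OpenSSH applies the *first* occurrence of a keyword, not the last, and
    anything after a Match block only applies conditionally, so scan the
    global section only and stop at the first hit.
    """
    for raw in sshd_config_text.splitlines():
        keyword = _keyword(raw)
        if keyword == "match":
            break
        if keyword == "permitrootlogin":
            parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
            if len(parts) == 2:
                return parts[1].strip().lower()
    return DEFAULT_PERMIT_ROOT_LOGIN


def ssh_root_login_allowed(sshd_config_text):
    """True unless PermitRootLogin is explicitly 'no' in the global section."""
    return effective_permit_root_login(sshd_config_text) != "no"


def harden_sshd_config(sshd_config_text):
    """Return a copy with 'PermitRootLogin no' forced at the top of the global section.

    Putting it first is what makes it win under first-match semantics; the
    old global occurrences are left in place as comments for the audit trail.
    """
    out, in_match = ["PermitRootLogin no"], False
    for raw in sshd_config_text.splitlines():
        keyword = _keyword(raw)
        if keyword == "match":
            in_match = True
        if keyword == "permitrootlogin" and not in_match:
            out.append("# " + raw + "  # superseded by the first line")
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


def ftp_root_denied(ftpusers_text):
    """True if 'root' is listed in a pam_listfile-style deny file."""
    names = {ln.strip() for ln in ftpusers_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")}
    return "root" in names


def harden_ftpusers(ftpusers_text):
    """Return the deny list with root appended if it is missing."""
    if ftp_root_denied(ftpusers_text):
        return ftpusers_text
    return ftpusers_text.rstrip("\n") + "\nroot\n"


if __name__ == "__main__":
    print("ssh root login allowed:", ssh_root_login_allowed(WEAK_SSHD_CONFIG))
    print("ftp root denied:", ftp_root_denied(WEAK_FTPUSERS))
    print(harden_sshd_config(WEAK_SSHD_CONFIG))
    print(harden_ftpusers(WEAK_FTPUSERS))
```

The first-match rule is the caveat worth remembering: appending `PermitRootLogin no` to the end of an sshd_config that already says `PermitRootLogin yes` higher up changes nothing, which is why the hardening function inserts the directive at the top rather than at the bottom. After editing, reload sshd and confirm with a second terminal before closing the one you are in.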