Article No. 27 | 2001-08-14 08:18:53
NickName: 풀비누
Subject: Log Analysis
Log Analysis
- What is a log
A log is a record of each user's actions, kept so it can be consulted later. It therefore tells you what an attacker who broke in from outside did on the system, which gives it great security value.
- Types of log files (/var/log/)
- lastlog (/var/log/lastlog)
The lastlog command shows, for each account, the user name, the port, the IP address the login came from and the time of the most recent login.
<pre> # lastlog
Username Port From Latest
root ttyp1 :0.0 Mon May 15 11:08:28 2000
bin ***Never logged in***
ftp ***Never logged in***
MaZonna 0 143.248.220.10 Sun Jul 23 12:21:02 2000
thisstar 1 dor20688 Thu Jun 11 22:54:32 2000
guest **Never logged in**
</pre>
The output above is from a Linux system; only part of the listing is shown.
- last
last searches /var/log/wtmp and prints every login and logout that has occurred since that file was created: login name, port, IP address or host, login and logout time, and session length. It can be run as plain last, or as last login-name to restrict the output to a single user.
<pre> # last
ftp ftp 210.222.254.3 Thu Jul 6 14:13 - 14:13 (00:00)
ftp ftp 210.222.254.3 Thu Jul 6 14:12 - 14:12 (00:00)
ftp ftp extek.cnu.ac.kr Thu Jul 6 10:07 - 10:07 (00:00)
ftp ftp dor202113.kaist. Wed Jul 5 23:27 - 23:27 (00:00)
ftp ftp minjok.kaist.ac. Tue Jul 4 21:54 - 21:55 (00:00)
evol ttyp0 211.62.246.200 Tue Jul 4 20:09 - 20:10 (00:00)
ftp ftp dor202113.kaist. Tue Jul 4 18:57 - 18:58 (00:00)
ftp ftp dor202113.kaist. Tue Jul 4 18:57 - 18:57 (00:00)
this ttyp0 dor202113.kaist. Tue Jul 4 18:57 - 18:57 (00:00)
evol ftp dor22095.kaist.a Tue Jul 4 14:14 - 14:15 (00:00)
evol ttyp0 dor22095 Tue Jul 4 14:13 - 14:15 (00:02)
evol ttyp0 dor22160 Sun Jul 2 20:43 - 20:43 (00:00)
babo ttyp0 adsl-dongjak-210 Sun Jul 2 16:07 - 16:07 (00:00)
ftp ftp a-te4-31.tin.it Sat Jul 1 09:49 - 09:49 (00:00)
wtmp begins Sat Jul 1 09:49:34 2000 </pre>
The example above is from one Linux system; the final line prints the time the wtmp file was created, which is how far back the record reaches.
- xferlog
This file logs every file transferred over ftp. Each entry contains: current time, transfer time, remote host, file size, filename, transfer type, special action flag, direction, access mode, username, service name, authentication method, authenticated user id and completion status.
<pre> # more xferlog
Sun Feb 27 20:40:31 2000 6 dor224143.kaist.ac.kr 3191923 /home/bebechien/pighouse/mp3/03-실연.mp3 b _ o r bebechien ftp 0 * c
Sun Feb 27 20:40:38 2000 7 dor224143.kaist.ac.kr 4728392 /home/bebechien/pighouse/mp3/05-와.mp3 b _ o r bebechien ftp 0 * c
</pre>
Let us look at the first record above field by field.
<pre> Sun Feb 27 20:40:31 2000                    time the transfer took place
 6                                           time the transfer took (seconds)
 dor224143.kaist.ac.kr                       remote host that performed the transfer
 3191923                                     file size
 /home/bebechien/pighouse/mp3/03-실연.mp3     file name
 b                                           transfer type
 _                                           special action flag
 o                                           direction
 r                                           access mode
 bebechien                                   user name
 ftp                                         service name
 0                                           authentication method
 *                                           authenticated user id
 c                                           completion status </pre>
The special action flag takes one of the values C, U, T or _, with the following meanings:
<pre> C  compressed file
 U  uncompressed file
 T  tar'ed file
 _  no action was taken </pre>
The access mode takes one of three values: a means anonymous, g means guest and r means real (a local account). The authentication method is 0 or 1, where 0 means none and 1 means RFC931 authentication was used. The completion status is c or i: c means the transfer completed, i means it did not.
- httpd logs
The /var/log/httpd directory holds two files, access_log and error_log. access_log records who connected to the server and when; error_log stores the access errors.
<pre> # more access_log
143.248.223.37 - - [21/May/2000:12:50:29 +0900] "GET / HTTP/1.1" 200 1020
143.248.250.103 - - [21/May/2000:14:06:26 +0900] "GET / HTTP/1.1" 200 1020
143.248.250.103 - - [21/May/2000:14:06:52 +0900] "GET /physics.jpg HTTP/1.1" 404 295 </pre>
The fields of an access_log entry are as follows.
<pre> 143.248.223.37                 visitor's IP address
 [21/May/2000:12:50:29 +0900]   date and time of the event
 "GET / HTTP/1.1"               command (request)
 200                            status code
 1020                           size of the response in bytes </pre>
Among the status code values, 200 means "everything went well" and 404 means "document was not found".
<pre> # more error_log
[Sun May 21 04:02:01 2000] [notice] Apache/1.3.12 (Unix) (Red Hat/Linux) configured -- resuming normal operations
[Sun May 21 14:06:52 2000] [error] [client 143.248.230.103] File does not exist: /home/httpd/html/physics.jpg </pre>
An error_log entry carries the following information.
<pre> [Sun May 21 14:06:52 2000]   date and time
 [error]                      report type
 [client 143.248.230.103]     client IP
 File does not exist:         reason the error occurred </pre>
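As an added example (not from the original post), a small parser for the access_log format described above. It assumes Apache's Common Log Format exactly as shown, counts lines it cannot parse instead of silently dropping them, and reports which clients keep requesting documents that do not exist; the sample lines are constructed after the excerpt.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_access_line(line):
    # Returns a dict for a well-formed CLF line, or None when it does not match;
    # the caller decides how to treat unparsable lines (they are worth counting,
    # since a damaged or truncated log file is itself a warning sign).
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # "-" = no body
    return rec


def parse_access_log(text):
    records, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_access_line(line)
        if rec is None:
            malformed += 1
        else:
            records.append(rec)
    return records, malformed


def not_found_by_client(records):
    # Which clients are asking for documents that do not exist (status 404).
    return Counter(r["host"] for r in records if r["status"] == 404)


# Constructed sample in the access_log format shown above (not the page's own lines).
SAMPLE_ACCESS_LOG = """\
143.248.223.37 - - [21/May/2000:12:50:29 +0900] "GET / HTTP/1.1" 200 1020
143.248.250.103 - - [21/May/2000:14:06:26 +0900] "GET / HTTP/1.1" 200 1020
143.248.250.103 - - [21/May/2000:14:06:52 +0900] "GET /physics.jpg HTTP/1.1" 404 295
143.248.250.103 - - [21/May/2000:14:07:03 +0900] "GET /old/index.html HTTP/1.0" 404 290
this line is not in Common Log Format
"""
```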
- messages (/var/log/messages)
This file holds system and kernel messages; it is written by syslogd and klogd.
<pre> # more messages
May 21 04:02:00 lacvert syslogd 1.3-3 restart.
May 21 04:09:07 lacvert -- bbs[1393]: LOGIN ON 0 BY bbs FROM chiak
May 21 17:40:27 lacvert ftpd[4774]: USER bebechien
May 21 17:40:29 lacvert ftpd[4774]: PASS password
May 21 17:40:29 lacvert ftpd[4774]: QUIT </pre>
Only a small part of a much longer file is shown here.
- secure (/var/log/secure)
<pre> # more secure
May 21 04:09:06 lacvert in.telnetd[1392]: connect from 143.248.102.4
May 21 04:41:48 lacvert in.rshd[3988]: connect from 143.248.92.252
May 21 18:23:23 lacvert in.ftpd[4837]: connect from 143.249.92.244
May 21 18:04:15 lacvert in.ipop3d[4837]: error: cannot execute /usr/sbin/ipop3d: No Such file or directory </pre>
In the example above, the last line is the trace of a port scan: a connection came in for the POP3 service, but the daemon that should have been started for it, /usr/sbin/ipop3d, does not exist on this host.
- Logs and security
In general, an attack that exploits a buffer overflow leaves a log like the following in /var/log/messages. An attack through imapd leaves something similar in /var/log/maillog.
<pre> # more messages
May 21 04:20:51 lacvert mounted[6688]: Blocked attempt of 192.168.11.200 to mount
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
~p~p~p3v3A` ^[I~@303A~KU`FI~@DAVo1A
^B1~@EAvbeb^V-<,yT^FDAt^Keo`
T`TB~ </pre>
Of course, if entries like these are present, the server has been attacked, and the attack either failed or is still in progress. Because the logs are the first thing an attacker cleans up after breaking in, a system whose logs stop being written normally can be assumed to have been compromised already.
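One way to spot entries like the one above automatically, as an added example that is not part of the original post: parse /var/log/messages lines and flag message bodies that are far longer than a daemon would normally write, are built from a short repeated unit, or contain many non-printable characters. The daemon name mountd and the padding blob in the sample are constructed, not copied from the page.

```python
import re

# BSD syslog line: "Mon DD HH:MM:SS host rest"; rest usually starts with a
# "program[pid]:" tag, but not always (see the "syslogd restart" line above).
SYSLOG_RE = re.compile(r"^(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
TAG_RE = re.compile(r"^(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$")
# A short unit (1-4 chars) repeated 16+ times in a row, like the "p~p~p~..." padding above.
REPEAT_RE = re.compile(r"(.{1,4}?)\1{15,}")


def suspicious_reasons(msg, max_len=256, max_nonprint=0.05):
    # Heuristics for a message body that looks like injected input rather than
    # text a daemon would normally log; returns a list of reasons (empty = clean).
    reasons = []
    if len(msg) > max_len:
        reasons.append("length %d > %d" % (len(msg), max_len))
    m = REPEAT_RE.search(msg)
    if m:
        reasons.append("repeated unit %r" % m.group(1))
    nonprint = sum(1 for c in msg if not c.isprintable())
    if msg and nonprint / len(msg) > max_nonprint:
        reasons.append("%d non-printable characters" % nonprint)
    return reasons


def scan_messages(text):
    # Returns (line_number, program, reasons) for each line that trips a heuristic.
    # Lines syslogd could not have written are reported too: a tampered file is itself a sign.
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = SYSLOG_RE.match(line)
        if not m:
            findings.append((no, None, ["not a syslog line"]))
            continue
        tag = TAG_RE.match(m.group("rest"))
        prog, msg = (tag.group("prog"), tag.group("msg")) if tag else (None, m.group("rest"))
        reasons = suspicious_reasons(msg)
        if reasons:
            findings.append((no, prog, reasons))
    return findings


# Constructed sample modelled on the excerpts above; line 3 carries a harmless
# padding blob in place of the original dump, line 5 is not a syslog line at all.
SAMPLE_MESSAGES = (
    "May 21 04:02:00 lacvert syslogd 1.3-3 restart.\n"
    + "May 21 17:40:27 lacvert ftpd[4774]: USER bebechien\n"
    + "May 21 04:20:51 lacvert mountd[6688]: Blocked attempt of 192.168.11.200 to mount "
    + "p~" * 200 + "\x1b\x01\x02\n"
    + "May 21 18:04:15 lacvert in.ipop3d[4837]: error: cannot execute /usr/sbin/ipop3d\n"
    + "garbage written by someone else\n"
)
```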
The following situations should raise suspicion:
- connection attempts from unfamiliar outside hosts
- accounts in /etc/passwd that you never created
- system logs no longer being written, or ps (which shows process status) behaving strangely
- the hard disk being busy while nobody is using the system
With nmap, for example, the -sS option leaves no log. It is a good idea to run programs that detect such stealth scans.
Logs must also be stored safely. The first thing crackers do after obtaining a root shell is erase the traces of their entry, so simply keeping the logs on the machine is not safe. On a server where security matters a great deal, set up a remote log server that stores the log files separately.