Read No. 27 article 2001-08-14 08:18:53
NickName   풀비누
Subject   Log Analysis



Log Analysis


  1. What is a log

    A log is a record of each user's actions, kept for later reference. Because it tells you what an attacker who broke in from outside did on the system, it has great significance for security.

  2. Types of log files (/var/log/)
    1. lastlog (/var/log/lastlog)

      The lastlog command shows data such as the name and port of each user who logged in, the IP address they connected from, and the time of their last login.

      <pre>
# lastlog
Username         Port     From             Latest
root             ttyp1    :0.0             Mon May 15 11:08:28 2000
bin                                        ***Never logged in***
ftp                                        ***Never logged in***
MaZonna          0        143.248.220.10   Sun Jul 23 12:21:02 2000
thisstar         1        dor20688         Thu Jun 11 22:54:32 2000
guest                                      **Never logged in**
</pre>

      The data above was recorded on a Linux system; only some of the entries are listed.

    2. last

      last searches the /var/log/wtmp file and prints every user login and logout that has occurred since the file was created. It shows the login name, port, IP, login and logout times, and the session duration. It can be run as plain last, or as last login-name to show one user only.

      <pre>
# last
ftp      ftp      210.222.254.3    Thu Jul  6 14:13 - 14:13  (00:00)
ftp      ftp      210.222.254.3    Thu Jul  6 14:12 - 14:12  (00:00)
ftp      ftp      extek.cnu.ac.kr  Thu Jul  6 10:07 - 10:07  (00:00)
ftp      ftp      dor202113.kaist. Wed Jul  5 23:27 - 23:27  (00:00)
ftp      ftp      minjok.kaist.ac. Tue Jul  4 21:54 - 21:55  (00:00)
evol     ttyp0    211.62.246.200   Tue Jul  4 20:09 - 20:10  (00:00)
ftp      ftp      dor202113.kaist. Tue Jul  4 18:57 - 18:58  (00:00)
ftp      ftp      dor202113.kaist. Tue Jul  4 18:57 - 18:57  (00:00)
this     ttyp0    dor202113.kaist. Tue Jul  4 18:57 - 18:57  (00:00)
evol     ftp      dor22095.kaist.a Tue Jul  4 14:14 - 14:15  (00:00)
evol     ttyp0    dor22095         Tue Jul  4 14:13 - 14:15  (00:02)
evol     ttyp0    dor22160         Sun Jul  2 20:43 - 20:43  (00:00)
babo     ttyp0    adsl-dongjak-210 Sun Jul  2 16:07 - 16:07  (00:00)
ftp      ftp      a-te4-31.tin.it  Sat Jul  1 09:49 - 09:49  (00:00)

wtmp begins Sat Jul  1 09:49:34 2000
</pre>

      The example above is from one Linux system; the last line prints the time the wtmp file was created.

    3. xferlog

      This file is the log of files transferred via ftp. Each entry contains the current time, transfer time, remote host, file size, filename, transfer type, special action flag, direction, access mode, username, service name, authentication method, authenticated user id, and completion status.

      <pre>
# more xferlog
Sun Feb 27 20:40:31 2000 6 dor224143.kaist.ac.kr 3191923 /home/bebechien/pighouse/mp3/03-실연.mp3 b _ o r bebechien ftp 0 * c
Sun Feb 27 20:40:38 2000 7 dor224143.kaist.ac.kr 4728392 /home/bebechien/pighouse/mp3/05-와.mp3 b _ o r bebechien ftp 0 * c
</pre>

      Let's look at the first entry above field by field.

      <pre>
Sun Feb 27 20:40:31 2000                       time the file was transferred
6                                              time the transfer took
dor224143.kaist.ac.kr                          remote host name
3191923                                        file size
/home/bebechien/pighouse/mp3/03-실연.mp3       filename
b                                              transfer type
_                                              special action flag
o                                              direction
r                                              access mode
bebechien                                      username
ftp                                            service name
0                                              authentication method
*                                              authenticated user id
c                                              completion status
</pre>

      The special action flag takes the value C, U, T, or _, with the following meanings.

      <pre>
C   Compressed file
U   Uncompressed file
T   Tar'ed file
_   No action was taken
</pre>

      The access mode takes one of three values: a, g, or r, meaning anonymous, guest, and real respectively. The authentication method is 0 or 1, where 0 means none and 1 means RFC 931 authentication was used. The completion status is c or i: c means the transfer completed, i means it was incomplete.

    4. httpd logs

      In the /var/log/httpd directory you will find files named access_log and error_log. access_log records who connected to the system and when; error_log stores records of access errors.

      <pre>
# more access_log
143.248.223.37 - - [21/May/2000:12:50:29 +0900] "GET / HTTP/1.1" 200 1020
143.248.250.103 - - [21/May/2000:14:06:26 +0900] "GET / HTTP/1.1" 200 1020
143.248.250.103 - - [21/May/2000:14:06:52 +0900] "GET /physics.jpg HTTP/1.1" 404 295
</pre>

      The fields of an entry in this file are as follows.

      <pre>
143.248.223.37                   visitor's IP address
[21/May/2000:12:50:29 +0900]     date and time of the event
"GET / HTTP/1.1"                 command or request
200                              status code
</pre>

      Among the status code values, 200 means "everything went well" and 404 means "document was not found".

      <pre>
# more error_log
[Sun May 21 04:02:01 2000] [notice] Apache/1.3.12 (Unix) (Red Hat/Linux) configured -- resuming normal operations
[Sun May 21 14:06:52 2000] [error] [client 143.248.230.103] File does not exist: /home/httpd/html/physics.jpg
</pre>

      An error_log entry carries the following information.

      <pre>
[Sun May 21 14:06:52 2000]     date and time
[error]                        report type
[client 143.248.230.103]       client IP
File does not exist:           reason the error occurred
</pre>
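As an added example (not code from the original post), here is a parser for both files in the layouts shown above: Common Log Format for access_log and the Apache 1.3 error_log line. It summarises status codes and picks out clients that repeatedly request files that do not exist, which is the simplest use of the 404 count for spotting someone probing for paths. The sample lines are constructed from the quoted entries plus one extra 404 and one deliberately malformed line.

```python
import re
from collections import Counter

# Constructed samples following the access_log and error_log entries above.
SAMPLE_ACCESS_LOG = """\
143.248.223.37 - - [21/May/2000:12:50:29 +0900] "GET / HTTP/1.1" 200 1020
143.248.250.103 - - [21/May/2000:14:06:26 +0900] "GET / HTTP/1.1" 200 1020
143.248.250.103 - - [21/May/2000:14:06:52 +0900] "GET /physics.jpg HTTP/1.1" 404 295
143.248.250.103 - - [21/May/2000:14:07:10 +0900] "GET /images/missing.gif HTTP/1.0" 404 291
this line is not in Common Log Format and must be skipped
"""
SAMPLE_ERROR_LOG = """\
[Sun May 21 04:02:01 2000] [notice] Apache/1.3.12 (Unix) (Red Hat/Linux) configured -- resuming normal operations
[Sun May 21 14:06:52 2000] [error] [client 143.248.230.103] File does not exist: /home/httpd/html/physics.jpg
"""

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$')
# Apache 1.3 error_log: [date] [level] [client ip] message; the client part is optional
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\](?: \[client (?P<client>[^\]]+)\])? (?P<message>.*)$')


def parse_access_log(text):
    entries = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole analysis
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["size"] = 0 if e["size"] == "-" else int(e["size"])
        parts = e["request"].split()
        e["method"] = parts[0] if parts else ""
        e["path"] = parts[1] if len(parts) > 1 else ""
        entries.append(e)
    return entries


def parse_error_log(text):
    return [m.groupdict() for m in (ERROR_RE.match(l) for l in text.splitlines()) if m]


def status_summary(entries):
    """How many responses of each status code were served."""
    return Counter(e["status"] for e in entries)


def clients_with_not_found(entries, threshold=2):
    """Clients that received `threshold` or more 404s. Repeated requests for
    files that do not exist are a common sign of probing for known paths."""
    counts = Counter(e["host"] for e in entries if e["status"] == 404)
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = parse_access_log(SAMPLE_ACCESS_LOG)
    print(dict(status_summary(hits)))
    print(clients_with_not_found(hits))
    for err in parse_error_log(SAMPLE_ERROR_LOG):
        print(err["level"], err["client"], err["message"])
```

The threshold of two 404s is only a demonstration value; on a busy site it would be tuned per time window, but the structure (parse, count per client, compare with a limit) stays the same.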

    5. messages (/var/log/messages)

      This file holds system and kernel messages. They are written by syslogd and klogd.

      <pre>
# more messages
May 21 04:02:00 lacvert syslogd 1.3-3 restart.
May 21 04:09:07 lacvert -- bbs[1393]: LOGIN ON 0 BY bbs FROM chiak
May 21 17:40:27 lacvert ftpd[4774]: USER bebechien
May 21 17:40:29 lacvert ftpd[4774]: PASS password
May 21 17:40:29 lacvert ftpd[4774]: QUIT
</pre>

      Only a small part of the many entries is shown here.

    6. secure (/var/log/secure)

      <pre>
# more secure
May 21 04:09:06 lacvert in.telnetd[1392]: connect from 143.248.102.4
May 21 04:41:48 lacvert in.rshd[3988]: connect from 143.248.92.252
May 21 18:23:23 lacvert in.ftpd[4837]: connect from 143.249.92.244
May 21 18:04:15 lacvert in.ipop3d[4837]: error: cannot execute /usr/sbin/ipop3d: No Such file or directory
</pre>

      In the example above, the last line is a trace of a port scan: something connected to the POP3 port, inetd tried to start a service that is not installed, and the failure was logged.
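The scan trace above can be found automatically. The following is an added example, not code from the original post: it parses classic syslog lines from secure, groups "connect from" events by source address, and flags a source that reaches several different inetd services within a short window, which is how a port walk looks from the server side. It also lists "cannot execute" errors like the ipop3d line. The sample is constructed: the real lines from above plus a made-up host 198.51.100.7 that touches three services in two seconds. The year is an assumption, since syslog stamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (see lead-in).
SAMPLE_SECURE = """\
May 21 04:09:06 lacvert in.telnetd[1392]: connect from 143.248.102.4
May 21 04:41:48 lacvert in.rshd[3988]: connect from 143.248.92.252
May 21 18:04:13 lacvert in.ftpd[4830]: connect from 198.51.100.7
May 21 18:04:14 lacvert in.telnetd[4831]: connect from 198.51.100.7
May 21 18:04:14 lacvert in.fingerd[4832]: connect from 198.51.100.7
May 21 18:04:15 lacvert in.ipop3d[4837]: error: cannot execute /usr/sbin/ipop3d: No Such file or directory
May 21 18:23:23 lacvert in.ftpd[4837]: connect from 143.249.92.244
"""

# Classic syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")


def parse_secure(text, year=2000):
    """Parse syslog-style lines. The year is supplied by the caller (2000 here
    is an assumption that matches the sample) because the stamp lacks it."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime("%s %d" % (e["stamp"], year), "%b %d %H:%M:%S %Y")
        src = re.search(r"connect from (\S+)$", e["msg"])
        e["source"] = src.group(1) if src else None
        events.append(e)
    return events


def find_scan_sources(events, min_services=3, window_seconds=60):
    """Sources that connected to at least `min_services` distinct services
    within `window_seconds`: one host walking through ports one after another.
    Thresholds are constructed starting values."""
    by_source = defaultdict(list)
    for e in events:
        if e["source"]:
            by_source[e["source"]].append(e)
    flagged = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            services = set()
            for e in evs[i:]:
                if (e["time"] - first["time"]).total_seconds() > window_seconds:
                    break
                services.add(e["prog"])
            if len(services) >= min_services:
                flagged[source] = sorted(services)
                break
    return flagged


def find_missing_service_errors(events):
    """inetd tried to start a service that is not installed: a connection
    arrived on a port where nothing legitimately listens."""
    return [e for e in events if "cannot execute" in e["msg"]]


if __name__ == "__main__":
    evs = parse_secure(SAMPLE_SECURE)
    print(find_scan_sources(evs))
    for e in find_missing_service_errors(evs):
        print(e["stamp"], e["prog"], e["msg"])
```

Note that this only sees connections inetd (through tcpd) actually logged; a half-open scan that never completes the TCP handshake, as the text mentions for nmap -sS, leaves nothing here, which is why the article recommends a separate scan detector.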

  3. Logs and security

    Generally, an attack using a buffer overflow leaves a log like the following in /var/log/messages. An attack through imapd leaves something similar, which can be seen in /var/log/maillog.

    <pre>
# more messages
May 21 04:20:51 lacvert mounted[6688]: Blocked attempt of 192.168.11.200 to mount
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p~p
~p~p~p3v3A` ^[I~@303A~KU`FI~@DAVo1A ^B1~@EAvbeb^V-<,yT^FDAt^Keo` T`TB~
</pre>

    Of course, if entries like these remain, the server has been attacked, and it means the attack either failed or is still in progress. Because the logs are the first thing an attacker cleans up after breaking in, if logs are not being written normally you can assume the system has already been compromised.
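Entries of this shape are easy to pick out mechanically: they are far longer than a normal syslog line, they contain long runs of a repeated filler pattern (the "p~" run above), and the tail is full of bytes that are not printable text. The following scanner is an added example, not code from the original post, that scores each line on those three properties. The sample lines are constructed: ordinary messages, one line shaped like the mountd entry above, and one line of pure binary junk to exercise the non-printable check; the thresholds are starting values, not measured ones.

```python
import re

# Constructed samples (see lead-in). OVERFLOW_LINE mimics the mountd entry:
# a long "p~" filler followed by a few non-printable bytes.
OVERFLOW_LINE = ("May 21 04:20:51 lacvert mountd[6688]: Blocked attempt of 192.168.11.200 to mount "
                 + "p~" * 400 + "3v3A`\x1bI~@303A~KU`FI~@DAVo1A\x021~@EAvbeb")
BINARY_LINE = "May 21 04:21:03 lacvert imapd[6701]: " + "\x01\x02\x03\x04\x05\x06\x07\x08" * 5
SAMPLE_MESSAGES = [
    "May 21 04:02:00 lacvert syslogd 1.3-3 restart.",
    "May 21 17:40:27 lacvert ftpd[4774]: USER bebechien",
    OVERFLOW_LINE,
    BINARY_LINE,
    "May 21 18:23:23 lacvert in.ftpd[4837]: connect from 143.249.92.244",
]

# A 1-4 character unit followed by at least N-1 copies of itself.
REPEAT_RE_TEMPLATE = r"(.{1,4}?)\1{%d,}"


def longest_repeat(line, min_repeats=32):
    """Return (unit, count) for the first run of a short unit repeated at least
    min_repeats times, or None. Overflow filler is usually such a run."""
    m = re.search(REPEAT_RE_TEMPLATE % (min_repeats - 1), line)
    if not m:
        return None
    unit = m.group(1)
    return unit, len(m.group(0)) // len(unit)


def nonprintable_ratio(line):
    """Fraction of characters outside the printable ASCII range."""
    if not line:
        return 0.0
    bad = sum(1 for c in line if not 32 <= ord(c) < 127)
    return bad / len(line)


def classify_line(line, max_len=512, min_repeats=32, max_nonprint=0.02):
    """Reasons a line looks like an overflow attempt; an empty list means it
    looks normal. Thresholds are constructed starting points."""
    reasons = []
    if len(line) > max_len:
        reasons.append("length %d exceeds %d" % (len(line), max_len))
    rep = longest_repeat(line, min_repeats)
    if rep:
        reasons.append("%r repeated %d times" % rep)
    ratio = nonprintable_ratio(line)
    if ratio > max_nonprint:
        reasons.append("%.1f%% non-printable bytes" % (100 * ratio))
    return reasons


def find_overflow_signatures(lines, **thresholds):
    """(line number, reasons) for every line that trips at least one check."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = classify_line(line, **thresholds)
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in find_overflow_signatures(SAMPLE_MESSAGES):
        print("line %d: %s" % (number, "; ".join(reasons)))
```

A hit from this scanner is a reason to look at the line, not proof of an attack: legitimate long lines exist, so the value is in running it regularly over new entries and reviewing what it picks out.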

    If any of the following occurs, you should be suspicious.

    • Connection attempts from unfamiliar outside hosts
    • An account in /etc/passwd that you never created
    • System logs no longer being written, or ps (which shows process status) behaving strangely
    • The hard disk being busy while the system is not in use.
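The second item in that list can be checked against a baseline rather than by eye. The following is an added example (not code from the original post): it parses /etc/passwd content, reports every account missing from a list recorded when the system was known-good, and also goes one step beyond the text by reporting any uid-0 account other than root, since such an account is a root-equivalent login whatever it is called. The passwd content and the baseline are constructed.

```python
# Constructed /etc/passwd content: the first four accounts are the known ones,
# toor (uid 0) and wwwrun are made-up additions the check should catch.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
bebechien:x:500:500::/home/bebechien:/bin/bash
toor:x:0:0::/:/bin/sh
wwwrun:x:501:501::/tmp:/bin/sh
"""

# Baseline recorded when the system was known-good (assumed list).
BASELINE_ACCOUNTS = {"root", "bin", "ftp", "bebechien"}


def parse_passwd(text):
    """name -> fields for each well-formed seven-field passwd line."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip damaged lines rather than misreport them
        name, _pw, uid, gid, gecos, home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def check_passwd(users, baseline):
    """Accounts not in the baseline, plus any uid-0 account other than root."""
    findings = []
    for name in sorted(users):
        info = users[name]
        if name not in baseline:
            findings.append((name, "not in baseline"))
        if info["uid"] == 0 and name != "root":
            findings.append((name, "uid 0 but not root"))
    return findings


if __name__ == "__main__":
    for name, reason in check_passwd(parse_passwd(SAMPLE_PASSWD), BASELINE_ACCOUNTS):
        print("CHECK:", name, "-", reason)
```

The baseline itself should be kept off the machine (on the same remote host as the logs, for instance), for the same reason the text gives for the logs: anyone who can edit /etc/passwd can edit a baseline stored next to it.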

    With nmap, giving the -sS option leaves no log. It is a good idea to use programs that detect such stealth-scan tools.

    Logs must also be stored safely. The first thing crackers do after obtaining a root shell is erase the traces of their entry, so simply keeping the logs on the machine is not safe. For a server where security is very important, set up a remote log server that stores the log files separately.
