Name: 호석 (211.*.74.31)

Date: 2006-04-19 09:54:21

Title: [Security] Security procedure (basic security)

Download #1: rkhunter-1.2.8.tar.tar (123.4K), Down: 6
===== Security policy =====
0. Separate partitions: the best precaution against file loss (decide the partition layout when Linux is first installed).
1. Install security tools
- chkrootkit (www.chkrootkit.org)
- portsentry
- nmap (rpm package)
- saint, for vulnerability scanning
- ***** monitoring tools *****
- webalizer
- mrtg
2. Ownership and permissions
Restrict who may run sensitive Linux commands
( ps c gcc netstat tcpdump )
chmod 600 /etc/exports
chmod 600 /etc/fstab
chmod 700 /usr/bin/chage
chmod 500 /usr/bin/wall
chmod 700 /usr/bin/at
chmod 700 /usr/bin/man
chmod 700 /usr/bin/wall
chmod 700 /usr/bin/chfn
chmod 700 /usr/bin/write
chmod 700 /usr/sbin/usernetctl
chmod 700 /bin/mount
chmod 700 /bin/umount
chmod /sbin/netreport
chmod 750 /bin/ps; chgrp wheel /bin/ps
chmod 750 /bin/netstat; chgrp wheel /bin/netstat
chmod 750 /bin/dmesg; chgrp wheel /bin/dmesg
chmod 750 /bin/df; chgrp wheel /bin/df
chmod 750 /usr/bin/w; chgrp wheel /usr/bin/w
chmod 750 /usr/bin/who; chgrp wheel /usr/bin/who
chmod 750 /usr/bin/finger; chgrp wheel /usr/bin/finger
chmod 750 /usr/bin/last; chgrp wheel /usr/bin/last
chmod 750 /usr/bin/top; chgrp wheel /usr/bin/top
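The section-2 permission changes as an added shell example (this is not the original post's own script): it restates the chmod/chgrp lines above as a "path mode group" table, audits a host against that table with stat(1), and only changes anything when APPLY=1 is set, so it can run from cron as a read-only check. It assumes GNU coreutils (stat -c) and that the wheel group exists; /sbin/netreport is left out because the post gives no mode for it.

```shell
#!/bin/sh
# Added example, not the original post's own script: audit the binaries that
# section 2 locks down.  PERM_TABLE restates the chmod/chgrp lines above as
# "path mode group" ("-" = group not checked); /sbin/netreport is left out
# because the post gives no mode for it.  Assumes GNU coreutils stat(1) and,
# for the 750 entries, that the wheel group exists.  Read-only unless APPLY=1.

PERM_TABLE='
/etc/exports 600 -
/etc/fstab 600 -
/usr/bin/chage 700 -
/usr/bin/at 700 -
/usr/bin/man 700 -
/usr/bin/wall 700 -
/usr/bin/chfn 700 -
/usr/bin/write 700 -
/usr/sbin/usernetctl 700 -
/bin/mount 700 -
/bin/umount 700 -
/bin/ps 750 wheel
/bin/netstat 750 wheel
/bin/dmesg 750 wheel
/bin/df 750 wheel
/usr/bin/w 750 wheel
/usr/bin/who 750 wheel
/usr/bin/finger 750 wheel
/usr/bin/last 750 wheel
/usr/bin/top 750 wheel
'

# mode_of FILE  -> octal mode including setuid/setgid/sticky bits, e.g. 4755
mode_of()  { stat -c '%a' "$1"; }
# group_of FILE -> name of the owning group
group_of() { stat -c '%G' "$1"; }

# check_entry PATH MODE GROUP -> 0 if PATH matches; otherwise prints one line
# describing the drift and returns 1.
check_entry() {
    path=$1 want_mode=$2 want_group=$3
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    have_mode=$(mode_of "$path")
    if [ "$have_mode" != "$want_mode" ]; then
        echo "MODE    $path is $have_mode, want $want_mode"
        return 1
    fi
    if [ "$want_group" != - ]; then
        have_group=$(group_of "$path")
        if [ "$have_group" != "$want_group" ]; then
            echo "GROUP   $path is $have_group, want $want_group"
            return 1
        fi
    fi
    return 0
}

# audit_table TABLE -> checks every entry and returns the number that
# drifted (0 = host matches the policy).  With APPLY=1 each drifted entry
# that exists is corrected after being reported.
audit_table() {
    bad=0
    while read -r path mode group; do
        [ -n "$path" ] || continue
        if ! check_entry "$path" "$mode" "$group"; then
            bad=$((bad + 1))
            if [ "${APPLY:-0}" = 1 ] && [ -e "$path" ]; then
                chmod "$mode" "$path"
                [ "$group" = - ] || chgrp "$group" "$path"
            fi
        fi
    done <<TABLE
$1
TABLE
    return $bad
}

# Run the real audit only when asked:  sh perm-audit.sh --run   (APPLY=1 to fix)
case ${1:-} in
    --run) audit_table "$PERM_TABLE" ;;
esac
```

Two caveats worth knowing before applying this. A three-digit numeric mode clears the setuid/setgid bits on regular files, so chmod 700 on mount, umount, at and chfn (which ship setuid root) also removes their setuid bit; ordinary users then cannot run them at all, which is usually the intent, but it is a behaviour change, not just a visibility change. And package upgrades (rpm -U) restore the packaged modes, so the audit has to be re-run after every update, and rpm -V will report these files with an M flag from then on.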
3. Security updates
- Update wu-ftpd
- Update bind
- A firm policy for ftp and telnet is required!
- Restrict ftp access to files and directories (deny anonymous users)
- Restrict telnet access (stop the service on port 23)
- Install openssh (secure shell) and use port 22 instead
- Set up a firewall with ipchains (iptables on 2.4 and later kernels)
- Configure TCP wrappers (/etc/hosts.allow, /etc/hosts.deny) to restrict server access by IP address
4. Other
- Run only the daemons that are strictly necessary.
Check with ps -ef (or ps aux), keep the daemons you need and remove the rest.
In inetd.conf, leave uncommented only the services that are absolutely required.
/etc/rc.d/init.d/*
/etc/rc.d/rc3.d/ S40crond S99local S50inet S75keytable S10network S85gpm S30syslog S90xfs
/etc/rc.d/rc5.d/ S40crond S99local S50inet S75keytable S10network S85gpm S30syslog S90xfs
- Remove unneeded ttys (terminals) by editing /etc/inittab
- Remove unnecessary accounts (/etc/passwd, /etc/group; use userdel and groupdel)
adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, ftp, rpcuser, rpc and similar unneeded accounts
- Remove unnecessary packages
rpm -e --nodeps ypbind-1.xx.xx
- Commands for monitoring the server
find / -ctime -10 -ls
-----------------------------------------------------------------
Option          Function
-----------------------------------------------------------------
-atime N        Files last accessed N days ago (-N: less than N days ago, +N: more).
-mtime N        Files last modified N days ago (same -N/+N convention).
-newer FILE     Files modified more recently than FILE.
-size N         Files N 512-byte blocks long (suffixes c, k, M select bytes, KiB, MiB).
-name WORD      Match by file name; the metacharacters *, ? and [] may be used.
                Quote the pattern so the shell does not expand it first.
-perm MODE      Match by permission bits. -perm -2000 matches when all listed bits
                are set; -perm /2000 (written +2000 in older versions) when any is.
-type LETTER    Match by file type: f regular file, d directory, l symbolic link.
-user USR       Files owned by user USR.
-nouser         Files whose owner is not listed in /etc/passwd.
-nogroup        Files whose group is not listed in /etc/group.
-----------------------------------------------------------------
Option          Function
-----------------------------------------------------------------
-exec CMD       Run CMD on each match. The command must be terminated with \;
                and {} is replaced by the name of the current file. The
                following finds and deletes every file with the extension .bak:
                find ./ -name '*.bak' -exec rm -f {} \;
-ok CMD         Like -exec, but asks for confirmation before each command.
-print          Write the name to standard output (the default).
-print0         Like -print, but ends each name with a NUL byte instead of a
                newline, for piping into xargs -0.
-fprint FILE    Like -print, but writes to FILE.
-printf FORM    Print using a C-style format (see man 3 printf).
-ls             Print detailed file information in ls -dils format.
-fls FILE       Like -ls, but writes to FILE.
-----------------------------------------------------------------
$ find . -type l -exec ls -l {} \;
Finds every symbolic link and shows what it points to.
$ find / -name "*.old" -ok rm {} \;
Finds every file matching the pattern and asks for your permission before deleting each one.
$ find . -perm /111
Finds every file with an execute bit set (older GNU find and BSD find spell this -perm +111).
$ find . -user root
Finds every file owned by root. In this case there are many possibilities---RMP.
find / -atime 10 -ls   // files accessed exactly 10 days ago (-atime -10 for "within the last 10 days")
find / -type f -perm -4000 -ls   // find setuid files
find / -type f -perm -2000 -ls   // find setgid files
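The find audits from the option table and the setuid/setgid one-liners above, as an added shell example (not the original post's commands): each check is a function so it can be run on a schedule and diffed against a baseline, and the listing variant uses -print0 | xargs -0 so a file name with a space or newline cannot break it. It assumes GNU findutils (-xdev, -print0, -perm /MODE) and GNU xargs (-r).

```shell
#!/bin/sh
# Added example, not part of the original post: the find(1) audits from the
# table above as reusable functions.  -xdev keeps a run on one filesystem
# (so / does not descend into /proc or NFS mounts) and -print0 | xargs -0
# keeps names with spaces or newlines intact.  Assumes GNU findutils
# (-xdev, -print0, -perm /MODE) and GNU xargs (-r).

# Setuid or setgid regular files.  -perm -4000 means "this bit is set";
# two tests are ORed so either bit matches (GNU shorthand: -perm /6000).
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# World-writable files and directories, except sticky directories such as
# /tmp, which are world-writable by design.  Symlinks are skipped because
# their own mode is always 777.
find_world_writable() {
    find "$1" -xdev ! -type l -perm -0002 ! \( -type d -perm -1000 \) -print
}

# Files whose owner or group no longer exists in /etc/passwd or /etc/group,
# typically left behind by the account removals in section 4.
find_orphaned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print
}

# Entries whose inode changed in the last N days.  ctime also moves on
# chmod/chown, so this catches permission tampering, not just content edits.
find_changed_within() {
    find "$1" -xdev -ctime -"$2" -print
}

# Regular files with any execute bit set ("-perm +111" in older GNU find).
find_executables() {
    find "$1" -xdev -type f -perm /111 -print
}

# Long listing of setuid/setgid files, NUL-delimited between find and ls so
# unusual file names cannot break the pipeline.  -r: do nothing if empty.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print0 \
        | xargs -0 -r ls -ld
}

# Typical use on the real host, as root:
#   find_setuid / | sort > /var/log/setuid.today
#   diff /var/log/setuid.base /var/log/setuid.today
```

Keep the first run's output as a baseline on read-only media and diff against it; a setuid file that appears later, or a binary in find_changed_within that no package update explains, is exactly what the rootkit checkers at the end of this post look for.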
rpm -V fileutils   // reading the result: S = size changed, 5 = MD5 digest changed, T = mtime changed, M = mode changed (the chmods in section 2 will show up here)
nmap usage: # nmap -v -sS -O www.my.com   (run as root: -sS and -O need raw sockets)
nmap usage: # nmap -v -sS -O 192.168.0.0/16
nmap usage: # nmap -v -sS -O 192.88-90.0.0/16
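The rpm -V line above tells you which letters mean what; an added shell example (not from the original post) that applies that key to a whole rpm -Va run, so edited config files and the expected mode changes from section 2 are separated from the one thing that matters on a possibly compromised host: a packaged binary whose size or digest no longer matches. The SAMPLE_RPMV lines are constructed, not taken from a real system; the parser accepts both the older 8-flag and the newer 9-flag output format.

```shell
#!/bin/sh
# Added example, not part of the original post: turn "rpm -V" / "rpm -Va"
# output into something a human can act on.  Each line is 8 or 9 flag
# characters (S M 5 D L U G T [P]), an optional file-type column (c d g l r),
# and the path; "missing" replaces the flags when the file is gone.
# The lines in SAMPLE_RPMV are constructed, not taken from a real host.

SAMPLE_RPMV='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ps
.M.......    /bin/netstat
missing     /usr/bin/last'

# rpmv_classify LINE -> prints "<class> <path>: <changed attributes>" and
# returns 1 for class WARN, 0 otherwise.
#   config : a config file (type c) differs, normally a local edit
#   perms  : only mode/owner/group differ (expected after the section-2 chmods)
#   WARN   : content, link target or device differs, or the file is missing
#   info   : only mtime differs
rpmv_classify() {
    line=$1
    flags=${line%%[[:space:]]*}
    rest=${line#"$flags"}
    rest=${rest#"${rest%%[![:space:]]*}"}        # trim leading whitespace
    ftype=
    case $rest in
        [cdglr]" "*) ftype=${rest%% *}; rest=${rest#* } ;;
    esac
    path=$rest
    attrs=
    case $flags in *S*)  attrs="$attrs size" ;; esac
    case $flags in *M*)  attrs="$attrs mode" ;; esac
    case $flags in *5*)  attrs="$attrs digest" ;; esac
    case $flags in *D*)  attrs="$attrs device" ;; esac
    case $flags in *L*)  attrs="$attrs link" ;; esac
    case $flags in *U*)  attrs="$attrs user" ;; esac
    case $flags in *G*)  attrs="$attrs group" ;; esac
    case $flags in *T*)  attrs="$attrs mtime" ;; esac
    case $flags in *P*)  attrs="$attrs caps" ;; esac
    case $flags in *\?*) attrs="$attrs unreadable" ;; esac
    attrs=${attrs# }
    if [ "$flags" = missing ]; then
        class=WARN attrs=missing
    elif [ "$ftype" = c ]; then
        class=config
    else
        case " $attrs " in
            *" size "*|*" digest "*|*" link "*|*" device "*) class=WARN ;;
            *" mode "*|*" user "*|*" group "*)              class=perms ;;
            *)                                              class=info ;;
        esac
    fi
    printf '%s %s: %s\n' "$class" "$path" "$attrs"
    [ "$class" != WARN ]
}

# rpmv_report < rpm-V-output -> prints one classified line per input line
# and returns the number of WARN lines (0 = nothing suspicious).
# Usage on a real host:  rpm -Va 2>/dev/null | rpmv_report
rpmv_report() {
    warn=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! rpmv_classify "$line"; then
            warn=$((warn + 1))
        fi
    done
    return $warn
}
```

rpm -V compares files against the rpm database on the same disk, which a rootkit that has replaced /bin/ps can also have edited; treat a clean result as one signal, and cross-check with chkrootkit or rkhunter run from read-only media, as the next block of the post recommends.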
***********************************************************
- Verify the security-check programs
. prevent: after 5 failed logins the address is automatically added to /etc/denyip
. rkhunter (attached): rootkit detector
. chkrootkit: rootkit detector
***********************************************************

Comment by 호석 (06-06-02 16:38, 211.*.74.31):
Finding the largest files and directories
To find the largest directory:
du -S | sort -n
To find the largest file:
ls -lR | sort -k5,5n