
๐Ÿ” Forensic

1. Incident Investigation - Log Analysis

# history from the accounts file
Confirmed that the commands adduser dev and adduser ahnlab were executed

# last -R from the accounts file
ahnlab   pts/1        Mon Aug 27 10:14   still logged in   
dev      pts/0        Mon Aug 27 10:11   still logged in

# lastlog from the accounts file
dev              pts/0    192.168.184.161  Mon Aug 27 10:11:09 +0900 2012
ahnlab           pts/1    192.168.184.136  Mon Aug 27 10:14:54 +0900 2012

# w from the accounts file
dev      pts/0    192.168.184.161  10:11    4:47   0.11s  0.11s -bash
ahnlab   pts/1    192.168.184.136  10:14    0.00s  0.23s  0.07s sshd: ahnlab

# Confirmed that dev logged in with bash and that ahnlab logged in through sshd
# Because sshd has strong security, dev, who logged in with bash, is the suspect
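The account checks above (new accounts found in the shell history, then matched against login records) can be automated. The script below is an added example, not code from the original post: it reads a constructed history sample and a constructed `lastlog` sample laid out like the page's output, lists the accounts created with adduser/useradd, and reports which of them later logged in from a network address. The sample contents and the regular expressions are this example's own assumptions.

```python
import re

# Constructed sample of a shell history file, modelled on the page's note that
# "adduser dev" and "adduser ahnlab" were found there (not the page's actual file).
HISTORY = """\
cd /tmp
adduser dev
passwd dev
sudo useradd -m ahnlab
ls -al /var/www/upload/editor/image/
"""

# Constructed sample of `lastlog` output in the same column layout the page shows.
LASTLOG = """\
Username         Port     From             Latest
root             tty1                      Mon Aug 27 09:50:01 +0900 2012
bin                                        **Never logged in**
dev              pts/0    192.168.184.161  Mon Aug 27 10:11:09 +0900 2012
ahnlab           pts/1    192.168.184.136  Mon Aug 27 10:14:54 +0900 2012
"""

# adduser/useradd, optionally via sudo, with any options before the account name.
ADDUSER_RE = re.compile(r"^(?:sudo\s+)?(?:adduser|useradd)\s+(?:-\S+\s+)*(\S+)\s*$")
# user, port, optional IPv4 "From" column, then the rest of the line as the timestamp.
LASTLOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})?\s*(.*)$")


def created_accounts(history: str) -> list:
    """Account names created with adduser/useradd, in order of first appearance."""
    found = []
    for line in history.splitlines():
        m = ADDUSER_RE.match(line.strip())
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def parse_lastlog(text: str) -> dict:
    """Map username -> (port, from_host_or_None, latest_login) from lastlog output."""
    entries = {}
    for line in text.splitlines():
        # Skip the header row and accounts that have never logged in.
        if line.startswith("Username") or "Never logged in" in line:
            continue
        m = LASTLOG_RE.match(line.rstrip())
        if m:
            user, port, src, latest = m.groups()
            entries[user] = (port, src, latest)
    return entries


def new_accounts_with_remote_login(history: str, lastlog: str) -> list:
    """Accounts created in the history that later logged in from a network address."""
    logins = parse_lastlog(lastlog)
    return [(u, logins[u][1], logins[u][2]) for u in created_accounts(history)
            if u in logins and logins[u][1] is not None]


if __name__ == "__main__":
    for user, src, when in new_accounts_with_remote_login(HISTORY, LASTLOG):
        print(f"{user}: created by adduser/useradd, remote login from {src} at {when}")
```

On a real system the history and lastlog text would be read from the collected artifact files rather than from the embedded samples; the matching logic is unchanged.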

# access.log from the weblog file

81096
cmd=cHdk HTTP/1.1" 200 323 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2;

81105
cmd=bHMgLWFsICAvdmFyL3d3dy91cGxvYWQvZWRpdG9yL2ltYWdlLw%20%20 # %20 is the URL escape code
cmd=bHMgLWFsICAvdmFyL3d3dy91cGxvYWQvZWRpdG9yL2ltYWdlLw== # converted to =
ls -al  /var/www/upload/editor/image/
> Move to the folder

81122
cmd=dGFyIC1jdmYgL3Zhci93d3cvdXBsb2FkL2VkaXRvci9pbWFnZS8xMzMwNjY0ODM4IC92YXIvd3d3Lw%20%20
cmd=dGFyIC1jdmYgL3Zhci93d3cvdXBsb2FkL2VkaXRvci9pbWFnZS8xMzMwNjY0ODM4IC92YXIvd3d3Lw==
tar -cvf /var/www/upload/editor/image/1330664838 /var/www/
> Download an external file through the shell and extract it

81141
cmd=cGhwIC1mIC92YXIvd3d3L3VwbG9hZC9lZGl0b3IvaW1hZ2UvcmV2ZXJzZS5waHA%20
cmd=cGhwIC1mIC92YXIvd3d3L3VwbG9hZC9lZGl0b3IvaW1hZ2UvcmV2ZXJzZS5waHA=
php -f /var/www/upload/editor/image/reverse.php
> Execute the extracted file

php? != > filter requests of this form
<>? = apply filtering on these characters so that ordinary users cannot use them
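The access.log decoding steps above (take the cmd= value, treat trailing %20 as the missing = padding, base64-decode, read the command) can be scripted so every such request in a large log is decoded and the ones worth attention are flagged. The script below is an added example, not code from the original post: the log lines are constructed to match the page's entries, the request path /upload/editor/image/cmd.php is a hypothetical web shell location not taken from the page, and the watch list of first words is this example's own choice.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed access.log lines modelled on the page's entries. The request path
# "/upload/editor/image/cmd.php" is a hypothetical web shell location (assumption).
ACCESS_LOG = """\
192.168.184.161 - - [27/Aug/2012:10:20:01 +0900] "GET /upload/editor/image/cmd.php?cmd=cHdk HTTP/1.1" 200 323 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2;)"
192.168.184.161 - - [27/Aug/2012:10:20:05 +0900] "GET /upload/editor/image/cmd.php?cmd=bHMgLWFsICAvdmFyL3d3dy91cGxvYWQvZWRpdG9yL2ltYWdlLw%20%20 HTTP/1.1" 200 812 "-" "Mozilla/4.0"
192.168.184.161 - - [27/Aug/2012:10:20:31 +0900] "GET /upload/editor/image/cmd.php?cmd=dGFyIC1jdmYgL3Zhci93d3cvdXBsb2FkL2VkaXRvci9pbWFnZS8xMzMwNjY0ODM4IC92YXIvd3d3Lw%20%20 HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
192.168.184.161 - - [27/Aug/2012:10:21:02 +0900] "GET /upload/editor/image/cmd.php?cmd=cGhwIC1mIC92YXIvd3d3L3VwbG9hZC9lZGl0b3IvaW1hZ2UvcmV2ZXJzZS5waHA%20 HTTP/1.1" 200 17 "-" "Mozilla/4.0"
192.168.184.10 - - [27/Aug/2012:10:22:00 +0900] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.184.10 - - [27/Aug/2012:10:22:30 +0900] "GET /upload/editor/image/cmd.php?cmd=not%21base64 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
"""

# Combined-log-format prefix: client, ident, user, [timestamp], "METHOD path HTTP/x.y"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
CMD_RE = re.compile(r"[?&]cmd=([^&\s]+)")

# First words that indicate more than a look around: archiving, fetching, executing.
# This list is the example's own choice, not something the page defines.
WATCH_FIRST_WORDS = {"tar", "php", "wget", "curl", "nc", "perl", "python", "sh", "bash"}


def decode_cmd(raw: str):
    """URL-decode a cmd= value, restore '=' padding, and base64-decode it.

    As the page notes, the trailing %20 sequences stand where '=' padding would
    be: they become spaces after URL-decoding, are stripped, and '=' is added
    back to a multiple of four. Returns None when the value is not valid base64.
    """
    value = unquote(raw).strip()
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def extract_commands(log: str) -> list:
    """(line_no, client_ip, timestamp, decoded_command) for each cmd= request that decodes."""
    out = []
    for n, line in enumerate(log.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        client, when, path = m.groups()
        c = CMD_RE.search(path)
        if not c:
            continue
        decoded = decode_cmd(c.group(1))
        if decoded is not None:
            out.append((n, client, when, decoded))
    return out


def flag_commands(commands: list) -> list:
    """Subset of extracted commands whose first word is on the watch list."""
    return [c for c in commands if (c[3].split() or [""])[0] in WATCH_FIRST_WORDS]


if __name__ == "__main__":
    cmds = extract_commands(ACCESS_LOG)
    for n, client, when, decoded in cmds:
        print(f"line {n} {client} [{when}] {decoded}")
    for n, *_, decoded in flag_commands(cmds):
        print(f"FLAG line {n}: {decoded}")
```

Decoding every cmd= value rather than only the eye-catching ones also recovers reconnaissance commands such as pwd and ls, which give the timeline its starting point; the watch list then narrows the output to the requests that changed the system.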
๋ฐ˜์‘ํ˜•
Contents

ํฌ์ŠคํŒ… ์ฃผ์†Œ๋ฅผ ๋ณต์‚ฌํ–ˆ์Šต๋‹ˆ๋‹ค

์ด ๊ธ€์ด ๋„์›€์ด ๋˜์—ˆ๋‹ค๋ฉด ๊ณต๊ฐ ๋ถ€ํƒ๋“œ๋ฆฝ๋‹ˆ๋‹ค.