Linux (Ubuntu) hacking defense (web server, database, etc.)

I run an AWS instance for a personal pet project and did not pay much attention to security at first, but when I looked more closely at the state of the server I found several kinds of hacking traces.

 

  1. Tomcat web-shell malware deployed

    ubuntu:/var/lib/tomcat8/webapps$ ls -lrt
    total 840
    drwxr-xr-x 3 root    root      4096 Mar 12 18:01 ROOT
    drwxr-xr-x 3 tomcat8 tomcat8   4096 Mar 14 00:35 mydata
    drwxr-xr-x 4 tomcat8 tomcat8   4096 Mar 19 21:03 wanli
    drwxr-xr-x 3 tomcat8 tomcat8   4096 Mar 27 00:17 aDRT
    drwxr-xr-x 3 tomcat8 tomcat8   4096 Mar 27 13:34 qdmS

    I had been using the Tomcat admin (manager) site for convenience, and the weak password on the admin account appears to have been the way in: the manager application expands uploaded WARs into webapps as the tomcat8 user, which matches the tomcat8-owned directories above (ROOT, installed by the package, is owned by root).
    I deleted the web-shell projects and changed the admin account's password to a more complex one.
    Because a web shell means the attacker has already run commands as tomcat8, it is also worth checking for anything else left behind (cron entries, new files under /tmp or /var/lib/tomcat8, a modified tomcat-users.xml) and restricting or removing the manager application if it does not need to be reachable from the Internet.
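    As an added example (not code from the original post), the following Python walks a webapps tree the way you would walk /var/lib/tomcat8/webapps and reports JSP-family files that contain command-execution indicators, the quickest way to confirm which of the deployed directories are web shells. The sample files are constructed for the example; the indicator patterns are an assumption based on common JSP web shells, not on the files the post found.

```python
"""Hunt for JSP web shells under a Tomcat webapps tree.

Added example, not code from the original post. It builds a throwaway webapps
directory from constructed files, walks it as you would /var/lib/tomcat8/webapps,
and reports JSP-family files containing command-execution indicators. The
indicator patterns are an assumption based on common JSP web shells.
"""
import os
import re
import tempfile

# Code paths a JSP needs in order to run OS commands or load arbitrary bytecode.
EXEC_INDICATORS = {
    "Runtime.exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec"),
    "ProcessBuilder": re.compile(r"\bProcessBuilder\b"),
    "defineClass": re.compile(r"\bdefineClass\s*\("),
}
# Attacker-controlled input; next to an exec indicator it raises confidence.
REQUEST_INPUT = re.compile(r"request\s*\.\s*(getParameter|getInputStream|getHeader)\s*\(")
JSP_EXTENSIONS = {".jsp", ".jspx", ".jspf"}


def inspect_file(path):
    """Return {'indicators': [...], 'reads_request': bool}, or None when clean."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = [name for name, pat in EXEC_INDICATORS.items() if pat.search(text)]
    if not hits:
        return None
    return {"indicators": hits, "reads_request": bool(REQUEST_INPUT.search(text))}


def scan_webapps(root):
    """Walk a webapps directory; map relative path -> findings for flagged files."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in JSP_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            finding = inspect_file(full)
            if finding:
                flagged[os.path.relpath(full, root).replace(os.sep, "/")] = finding
    return flagged


def build_sample_webapps():
    """Create a constructed webapps tree: a benign app, a JDBC app, two shells."""
    root = tempfile.mkdtemp(prefix="webapps-")
    samples = {
        "ROOT/index.jsp": "<html><body>It works: <%= new java.util.Date() %></body></html>",
        # Class.forName alone is ordinary JDBC driver loading and must not be flagged.
        "mydata/db.jsp": "<% Class.forName(\"com.mysql.jdbc.Driver\"); %>",
        # Minimal command shell: a request parameter fed straight into Runtime.exec.
        "aDRT/cmd.jsp": "<% Runtime.getRuntime().exec(request.getParameter(\"c\")); %>",
        # Exec without request input (e.g. a hard-coded command).
        "qdmS/WEB-INF/x.jspx": "<jsp:scriptlet>new ProcessBuilder(\"id\").start();</jsp:scriptlet>",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, finding in sorted(scan_webapps(build_sample_webapps()).items()):
        print(rel, finding)
```

    Point scan_webapps at the real webapps directory to get the list of files to review by hand; a hit with reads_request set is almost always a shell, while a hit without it still deserves a look.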


  2. Traces of connection attempts on the database (MySQL) server (mysql error.log)

    error.log:2018-03-26T21:27:53.763227Z 7160 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:54.414126Z 7161 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:55.043999Z 7162 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:55.589774Z 7163 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:56.210796Z 7164 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:56.786349Z 7165 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:57.406633Z 7166 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:58.000088Z 7167 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:58.434606Z 7168 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:58.991067Z 7169 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:59.321888Z 7170 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:59.687066Z 7171 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:00.211582Z 7172 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:00.792386Z 7173 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:01.222343Z 7174 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:01.544091Z 7175 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:02.213445Z 7176 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:02.845606Z 7177 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)

    These are traces of repeated remote login attempts using the DB connection details obtained through the web shell (18 attempts in about nine seconds, i.e. an automated tool rather than a person). They appear to have been denied by MySQL's per-host restriction on the user account; note that MySQL prints the same "Access denied" message whether the password was wrong or no matching user@host entry exists, so the log alone does not show which.
    As an additional measure I changed the user definitions to further restrict the hosts allowed to connect.


  3. Looking up the source IPs and blocking them (Linux – iptables)

    I looked up the IPs left in the access traces on whois. As expected, they appear to be from China.

    I blocked those IPs with iptables. Two caveats: rules added this way are lost on reboot unless saved (iptables-save, or the iptables-persistent package on Ubuntu), and blocking individual addresses only stops the scanners seen so far. On AWS the more durable fix is to close port 3306 and the Tomcat manager to the Internet in the instance's security group and allow only trusted source addresses.

    root:/# iptables -A INPUT -s 43.226.33.156 -j DROP
    root:/# iptables -A INPUT -s 221.229.204.101 -j DROP
    root:/# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       all  --  43.226.33.156        anywhere
    DROP       all  --  221.229.204.101      anywhere
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
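    As an added example serving both the MySQL log in section 2 and the iptables blocking above (not code from the original post), the following Python parses "Access denied" lines in the format shown, counts failures per source address within a sliding time window, and generates block rules for the addresses that reach a threshold. The log lines are constructed to match the post's format; the threshold, the window and the choice to scope the DROP rule to TCP/3306 are assumptions made here rather than the post's own settings.

```python
"""Find brute-force sources in a MySQL error.log and build iptables rules for them.

Added example, not code from the original post. The log text below is
constructed to match the format in the post; the threshold, window and the
decision to scope the DROP rule to TCP/3306 are assumptions made here.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One "Access denied" line as the post's MySQL writes it (an "error.log:" prefix
# from grep is tolerated). The same message appears for a wrong password and
# for a missing user@host entry, so it cannot tell those two cases apart.
ACCESS_DENIED_RE = re.compile(
    r"^(?:error\.log:)?(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z) \d+ \[Note\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)' "
    r"\(using password: (?P<pw>YES|NO)\)$"
)

# Constructed sample: one automated source (six tries in three seconds), one slow
# source (three tries spread over exactly 60 s), one single local typo, and one
# unrelated line that must be ignored.
SAMPLE_LOG = """\
2018-03-26T21:27:53.763227Z 7160 [Note] Access denied for user 'root'@'43.226.33.156' (using password: YES)
2018-03-26T21:27:54.414126Z 7161 [Note] Access denied for user 'root'@'43.226.33.156' (using password: YES)
2018-03-26T21:27:55.043999Z 7162 [Note] Access denied for user 'root'@'43.226.33.156' (using password: YES)
2018-03-26T21:27:55.589774Z 7163 [Note] Access denied for user 'root'@'43.226.33.156' (using password: YES)
2018-03-26T21:27:56.210796Z 7164 [Note] Access denied for user 'root'@'43.226.33.156' (using password: YES)
2018-03-26T21:27:56.786349Z 7165 [Note] Access denied for user 'root'@'43.226.33.156' (using password: YES)
2018-03-26T21:28:10.100000Z 7180 [Note] Access denied for user 'admin'@'221.229.204.101' (using password: YES)
2018-03-26T21:28:40.100000Z 7181 [Note] Access denied for user 'admin'@'221.229.204.101' (using password: YES)
2018-03-26T21:29:10.100000Z 7182 [Note] Access denied for user 'admin'@'221.229.204.101' (using password: YES)
2018-03-26T21:30:00.000000Z 7190 [Note] Access denied for user 'app'@'10.0.0.5' (using password: NO)
2018-03-26T21:30:05.000000Z 7191 [Note] InnoDB: page_cleaner: 1000ms intended loop took 4500ms.
"""


def parse_failures(log_text):
    """Yield (utc_timestamp, user, host) for each Access denied line."""
    for line in log_text.splitlines():
        m = ACCESS_DENIED_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        yield ts, m["user"], m["host"]


def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Return {host: peak failures inside any window} for hosts reaching threshold."""
    window = timedelta(seconds=window_seconds)
    by_host = defaultdict(list)
    for ts, _user, host in parse_failures(log_text):
        by_host[host].append(ts)
    offenders = {}
    for host, times in by_host.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[host] = peak
    return offenders


def iptables_drop_rules(hosts, port=3306):
    """Build one DROP rule per IP address, scoped to the MySQL port.

    -I (insert at top) rather than the post's -A keeps the rule ahead of any
    later ACCEPT rules; non-IP hosts such as 'localhost' are skipped.
    """
    rules = []
    for host in sorted(hosts):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue
        tool = "iptables" if ip.version == 4 else "ip6tables"
        rules.append(f"{tool} -I INPUT -p tcp --dport {port} -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    offenders = brute_force_sources(SAMPLE_LOG)
    print("offenders:", offenders)
    print("\n".join(iptables_drop_rules(offenders)))
```

    The commands are printed, not executed; review them and run them as root, then save the ruleset so it survives a reboot. The sliding window is what separates the automated scanner (six failures in three seconds) from a slow trickle or a single mistyped password.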
    
