I run AWS for a personal pet project, so I did not pay much attention to security at first, but when I took a closer look at the server I found several kinds of traces of intrusion.
-
Tomcat web-shell malware deployed

    ubuntu:/var/lib/tomcat8/webapps$ ls -lrt
    total 840
    drwxr-xr-x 3 root    root    4096 Mar 12 18:01 ROOT
    drwxr-xr-x 3 tomcat8 tomcat8 4096 Mar 14 00:35 mydata
    drwxr-xr-x 4 tomcat8 tomcat8 4096 Mar 19 21:03 wanli
    drwxr-xr-x 3 tomcat8 tomcat8 4096 Mar 27 00:17 aDRT
    drwxr-xr-x 3 tomcat8 tomcat8 4096 Mar 27 13:34 qdmS
I had been using the Tomcat admin site for convenience, and the weak password on the admin account appears to have been the cause.
I deleted the web-shell projects and changed the admin account's password to a more complex one.
-
Traces of connection attempts against the database (MySQL) server (mysql error.log)

    error.log:2018-03-26T21:27:53.763227Z 7160 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:54.414126Z 7161 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:55.043999Z 7162 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:55.589774Z 7163 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:56.210796Z 7164 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:56.786349Z 7165 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:57.406633Z 7166 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:58.000088Z 7167 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:58.434606Z 7168 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:58.991067Z 7169 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:59.321888Z 7170 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:27:59.687066Z 7171 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:00.211582Z 7172 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:00.792386Z 7173 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:01.222343Z 7174 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:01.544091Z 7175 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:02.213445Z 7176 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
    error.log:2018-03-26T21:28:02.845606Z 7177 [Note] Access denied for user 'root'@'43.226.33.xxx' (using password: YES)
There were traces of repeated remote login attempts using the DB connection details obtained through the web-shell. They appear to have been denied by the host restriction on the MySQL user, but I additionally tightened the allowed hosts by modifying the user definition.
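As an added example (not code from the original post), a small Python script that applies the detection idea above to a MySQL error.log: it parses the Access-denied lines, groups them by source host, and flags any host that fails repeatedly inside a short window. The threshold, the window length and the sample log lines are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Flag password-guessing bursts in a MySQL error.log.
A host is flagged once it produced at least THRESHOLD "Access denied"
entries inside any WINDOW-long span. Sample lines are constructed from
the pattern in the log above; the source host is masked on purpose."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Accepts both grep-prefixed ("error.log:2018-...") and bare log lines.
DENIED_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+)Z\s+\d+\s+\[Note\]\s+"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)
THRESHOLD = 5                    # failures (assumed value)
WINDOW = timedelta(seconds=60)   # sliding window (assumed value)

def parse_denials(lines):
    """Yield (timestamp, user, host) for every Access-denied entry."""
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f")
            yield ts, m.group("user"), m.group("host")

def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {host: total_failures} for hosts that reached the threshold
    inside one sliding window."""
    by_host = defaultdict(list)
    for ts, _user, host in parse_denials(lines):
        by_host[host].append(ts)
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # drop entries older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = len(times)
                break
    return flagged

# Constructed sample: six failures in five seconds from one host, plus one isolated failure.
SAMPLE = [f"error.log:2018-03-26T21:27:{53 + i}.000000Z {7160 + i} [Note] "
          f"Access denied for user 'root'@'43.226.33.xxx' (using password: YES)"
          for i in range(6)]
SAMPLE.append("2018-03-26T22:00:00.000000Z 7200 [Note] Access denied "
              "for user 'app'@'10.0.0.5' (using password: YES)")
if __name__ == "__main__":
    for host, n in find_bruteforce(SAMPLE).items():
        print(f"{host}: {n} failed logins, candidate for a firewall or security-group block")
```

On a real host, feed it the output of `grep "Access denied" /var/log/mysql/error.log`; the flagged hosts are the ones worth checking in whois and blocking, as done below.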
-
Looking up the connecting IP addresses and blocking them (linux – iptables)
I looked up the IPs that left connection traces in whois. As expected, they appear to be from China.
I blocked those IPs using iptables.

    root:/# iptables -A INPUT -s 43.226.33.156 -j DROP
    root:/# iptables -A INPUT -s 221.229.204.101 -j DROP
    root:/# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       all  --  43.226.33.156        anywhere
    DROP       all  --  221.229.204.101      anywhere

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination