{"id":892,"date":"2023-09-18T11:48:25","date_gmt":"2023-09-18T02:48:25","guid":{"rendered":"https:\/\/hyandmj.asuscomm.com\/hblog\/?p=892"},"modified":"2023-09-18T14:14:11","modified_gmt":"2023-09-18T05:14:11","slug":"%ed%95%b4%ed%82%b9-%eb%b3%b5%ea%b5%ac","status":"publish","type":"post","link":"https:\/\/hyandmj.asuscomm.com\/hblog\/?p=892","title":{"rendered":"\ud574\ud0b9 \ubcf5\uad6c"},"content":{"rendered":"\n

Introduction<\/h2>\n\n\n\n

\uc791\ub144 12\uc6d4 \ub9d0\uc5d0 \ud648\uc11c\ubc84\uc5d0 \ud574\ud0b9 \ud53c\ud574\ub97c \uc785\uc740 \uac83\uc744 \uc778\uc9c0\ud588\ub294\ub370, \uadc0\ucc2e\uc544\uc11c \ube44\ubc00\ubc88\ud638\ub9cc \ubc14\uafb8\uace0 ssh \uc11c\ubc84\ub97c \ub2eb\uc544\ubc84\ub9b0 \ucc44\ub85c \uac70\uc758 10\uac1c\uc6d4\uc774 \ud758\ub800\ub2e4. \ub108\ubb34 \ubc29\uce58\ud558\uae30\ub294 \uadf8\ub807\uace0 \ubca0\uc2a4\ud2b8\ub294 \ud3ec\ub9f7\uc778\ub370 \uc77c\uc774 \uadf8\ub7ec\uba74 \ub108\ubb34 \ucee4\uc9c4\ub2e4. \ub300\ucda9 \ubcf5\uad6c\ub97c \uc880 \ud558\uace0 Ubuntu 24.04 LTS\uac00 \ub098\uc624\uba74 \uadf8\ub54c \uc804\uccb4 \ud3ec\ub9f7\uc744 \uc9c4\ud589\ud560 \uc608\uc815.<\/p>\n\n\n\n

Procedure<\/h2>\n\n\n\n

\ubcc0\uc870\ub41c \uc2dc\uc2a4\ud15c \ubc14\uc774\ub108\ub9ac \ubcf5\uad6c<\/h3>\n\n\n\n

\/usr\/bin<\/code> \ub0b4\uc5d0\uc11c \uc758\uc2ec\uc774 \uac00\ub294 \ubcc0\uc870 \ud30c\uc77c \ubaa9\ub85d\ub4e4\uc740 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n\n\n

\n-rwxr-xr-x 1 root root 3.4K Dec 25  2022 unhide-tcp\n-rwxr-xr-x 1 root root 3.4K Dec 25  2022 unhide-posix\n-rwxr-xr-x 1 root root 3.4K Dec 25  2022 unhide_rb\n-rwxr-xr-x  1 root    root     4.2K Dec 20  2022  unhide\nlrwxrwxrwx  1 root    root        9 Dec 20  2022  insmod -> \/bin\/kmod\n-rwxr-xr-x  1 root    root       73 Dec 20  2022  chattr\n-rwxr-xr-x  1 root    root      282 Dec 20  2022  lsattr\n-rwxr-xr-x  1 root    root      15K Jun  2  2022  e2\n-rwxr-xr-x  1 root    root      15K Jun  2  2022  time-date\n<\/pre><\/div>\n\n\n
\uc9c4\uc9dc lsattr\uc740 time-date<\/code>\ub85c \ubc14\uafd4\ub450\uace0 \uac00\uc9dc\ub97c \ub9cc\ub4e4\uc5b4 \ub193\uc558\ub2e4. \uc9c4\uc9dc chattr<\/code> \uc5ed\uc2dc e2<\/code>\ub85c \uc228\uaca8\ub450\uc5c8\ub2e4. insmod<\/code>\ub294 \ubb54\uc9c0 \uc798 \ubaa8\ub974\uaca0\ub2e4. \uc800 unhide<\/code>\ub4e4\uc740 \ubb54\uc9c0…?<\/p>\n\n\n\n
\/usr\/sbin<\/code> \ub0b4\uc5d0\uc11c \uc758\uc2ec\uc774 \uac00\ub294 \ubcc0\uc870 \ud30c\uc77c \ubaa9\ub85d\ub4e4\uc740 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n\n\n
\n-rwxr-xr-x  1 root root    4.2K Dec 20  2022 global-date\n<\/pre><\/div>\n\n\n
\uac00\uc9dc unhide<\/code>\ub97c \uac16\ub2e4 \ub193\uace0 \uc9c4\uc9dc\ub294 global-date<\/code>\ub85c \ubc14\uafd4\ub454 \ub4ef \ud558\ub2e4.<\/p>\n\n\n\n
\uc0ad\uc81c\ud55c \uc815\uccb4 \ubd88\uba85\uc758 \ud30c\uc77c\ub4e4 \ubaa9\ub85d<\/h3>\n\n\n\n
    \n
  1. \/usr\/local\/games\/.cache<\/code><\/li>\n\n\n\n
  2. \/tmp\/.cache<\/code><\/li>\n\n\n\n
  3. \/tmp\/.lock<\/code><\/li>\n\n\n\n
  4. \/tmp\/.XIM-unix<\/code><\/li>\n\n\n\n
  5. \/root\/.local\/share\/nano<\/code> (\ud574\ucee4\uac00 \ub098\ub178 \uc5d0\ub514\ud130\ub97c \uc0ac\uc6a9\ud55c\ub2e4\ub294 \ub73b?)<\/li>\n<\/ol>\n\n\n\n
    unhide<\/code>\ub85c \uc228\uaca8\uc9c4 \ud504\ub85c\uc138\uc2a4 \uc788\ub294\uc9c0 \ud655\uc778<\/h3>\n\n\n
    \n$ unhide -m -d sys procall brute reverse\n<\/pre><\/div>\n\n\n
    \uc2e4\ud589 \uacb0\uacfc \ubcc4\ub2e4\ub978 \uc774\uc0c1\uc740 \ucc3e\uc9c0 \ubabb\ud588\uc74c.<\/p>\n\n\n\n
    chkrootkit<\/code> \ubc31\ub3c4\uc5b4 \uc810\uac80<\/h3>\n\n\n\n
    http:\/\/www.chkrootkit.org\/\u00a0\uc5d0\uc11c \ub2e4\uc6b4\ubc1b\uc544\uc11c \uc2e4\ud589:<\/p>\n\n\n
    \n$ wget ftp:\/\/ftp.chkrootkit.org\/pub\/seg\/pac\/chkrootkit.tar.gz\n$ tar -xf chkrootkit.tar.gz\ncd chkrootkit-0.58b\n.\/chkrootkit\n...\nSearching for suspicious files and dirs, it may take a while...\n\/usr\/lib\/debug\/.build-id \/usr\/lib\/python3\/dist-packages\/matplotlib\/tests\/baseline_images\/.keep \/usr\/lib\/jvm\/.java-1.11.0-openjdk-amd64.jinfo \/usr\/lib\/modules\/5.4.0-137-generic\/vdso\/.build-id \/usr\/lib\/modules\/5.4.0-162-generic\/vdso\/.build-id\n\/usr\/lib\/debug\/.build-id \/usr\/lib\/modules\/5.4.0-137-generic\/vdso\/.build-id \/usr\/lib\/modules\/5.4.0-162-generic\/vdso\/.build-id\n...\n<\/pre><\/div>\n\n\n
    \uc758\uc2ec\ub418\ub294 \ud30c\uc77c\uc744 \ucc3e\uc558\ub2e4\uace0\ub294 \ud558\ub098 \ud655\uc778 \uacb0\uacfc \uc798 \ubaa8\ub974\uaca0\uc74c. rkhunter<\/code>\ub3c4 \ud574\ubd24\ub294\ub370 \uc2ec\uac01\ud55c \uc704\ud611\uc740 \uc5c6\ub294\ub4ef.<\/p>\n","protected":false},"excerpt":{"rendered":"
    Introduction \uc791\ub144 12\uc6d4 \ub9d0\uc5d0 \ud648\uc11c\ubc84\uc5d0 \ud574\ud0b9 \ud53c\ud574\ub97c \uc785\uc740 \uac83\uc744 \uc778\uc9c0\ud588\ub294\ub370, \uadc0\ucc2e\uc544\uc11c \ube44\ubc00\ubc88\ud638\ub9cc \ubc14\uafb8\uace0 ssh \uc11c\ubc84\ub97c \ub2eb\uc544\ubc84\ub9b0 \ucc44\ub85c \uac70\uc758 10\uac1c\uc6d4\uc774 \ud758\ub800\ub2e4. \ub108\ubb34 \ubc29\uce58\ud558\uae30\ub294 \uadf8\ub807\uace0 \ubca0\uc2a4\ud2b8\ub294 \ud3ec\ub9f7\uc778\ub370 \uc77c\uc774 \uadf8\ub7ec\uba74 \ub108\ubb34 \ucee4\uc9c4\ub2e4. \ub300\ucda9 \ubcf5\uad6c\ub97c \uc880 \ud558\uace0 Ubuntu 24.04 LTS\uac00 \ub098\uc624\uba74 \uadf8\ub54c \uc804\uccb4 \ud3ec\ub9f7\uc744 \uc9c4\ud589\ud560 \uc608\uc815. Procedure \ubcc0\uc870\ub41c \uc2dc\uc2a4\ud15c \ubc14\uc774\ub108\ub9ac \ubcf5\uad6c \/usr\/bin \ub0b4\uc5d0\uc11c \uc758\uc2ec\uc774 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-892","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/hyandmj.asuscomm.com\/hblog\/index.php?rest_route=\/wp\/v2\/posts\/892","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hyandmj.asuscomm.com\/hblog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hyandmj.asuscomm.com\/hblog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hyandmj.asuscomm.com\/hblog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hyandmj.asuscomm.com\/hblog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=892"}],"version-history":[{"count":5,"href":"https:\/\/hyandmj.asuscomm.com\/hblog\/index.php?rest_route=\/wp\/v2\/posts\/892\/revisions"}],"predecessor-version":[{"id":901,"href":"https:\/\/hyandmj.asuscomm.com\/hblog\/index.php?rest_route=\/wp\/v2\/posts\/892\/revisions\/901"}],"wp:attachment":[{"href":"https:\/\/hyandmj.asuscomm.com\/hblog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=892"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hyandmj.asuscomm.com\/hblog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=892"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hyandmj.asuscomm.com\/hblog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=892"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}