결국 프로세스와 네트워크 정보로 확인하는게 제일 빠른듯
추가적으로 MAC 타임 기반으로 정리하여도 공격 흐름 분석하기에는 좋음
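#1. Mount 과정 모니터링
# Live-response collection script. Every tool is run from a read-only medium
# of known-good binaries (TOOLS, default /mnt/cdrom) so the host's possibly
# trojaned userland is not trusted. The kernel, dynamic loader and libc are
# still the host's, so a kernel-level or LD_PRELOAD-style rootkit can still
# filter what these tools see — cross-check against /proc and network-side
# captures where possible.
# Intended to run as root (mount, netstat -p, lsof and /proc/kcore need it).
# Redirect stdout to a remote collector or external media, never to the
# suspect filesystem (writing there overwrites evidence and MAC times).
# Section order follows volatility: time, network state, processes, logged-in
# users, configuration, /proc, then MAC-time listings.
TOOLS=${TOOLS:-/mnt/cdrom}

# title <label>: print a section label into the evidence log (stdout).
title() { printf '%s\n' "$1"; }
# gap: two blank lines between sections, matching the original layout.
gap() { printf '\n\n'; }

# strace and /bin/mount are host binaries by necessity: nothing trusted is
# available before the medium is mounted. The trace records what the host's
# mount touches while doing so.
strace /bin/mount "$TOOLS"
#2. CD 마운트
# -n: do not write /etc/mtab on the suspect disk.
mount -n "$TOOLS"
#3. 시스템 환경 정보 (생략)
# Host binaries, kept as in the original (no trusted copies assumed).
uname -a
df -k
df -H
uptime
env
#4. 시간 조회
# Record local and UTC time first so every later timestamp can be correlated.
title "1. date - local time"
"$TOOLS"/date
gap
title "2. date - UTC time"
"$TOOLS"/date -u
gap
#5. 네트워크 정보 수집
title "3. arp -an"
"$TOOLS"/arp -na
gap
title "4. netstat -an"
"$TOOLS"/netstat -nap
gap
title "5. netstat -nr"
"$TOOLS"/netstat -nr
gap
title "6. ifconfig -a"
"$TOOLS"/ifconfig -a
gap
#6.프로세스 목록
title "7. ps -aux"
"$TOOLS"/ps -aux
gap
title "8. pstree -alG"
"$TOOLS"/pstree -alG
gap
title "9. lsof -n -P -l(-i)"
"$TOOLS"/lsof -n -P -l
"$TOOLS"/lsof -n -P -i
gap
#7. 로그인 사용자 정보
title "10. w"
"$TOOLS"/w
gap
title "11. last"
"$TOOLS"/last
gap
#8. 주요 설정 파일 정보
title "12. cat /etc/passwd"
"$TOOLS"/cat /etc/passwd
gap
title "13. cat /etc/group"
"$TOOLS"/cat /etc/group
gap
title "14. cat /etc/hosts"
"$TOOLS"/cat /etc/hosts
gap
title "15. cat /etc/hosts.allow(deny)"
"$TOOLS"/cat /etc/hosts.allow
"$TOOLS"/cat /etc/hosts.deny
gap
title "16. cat /etc/rc.d/rc3.d/*"
"$TOOLS"/ls -al /etc/rc.d/rc3.d/
"$TOOLS"/cat /etc/rc.d/rc3.d/S*
gap
title "17. cat /etc/inetd.conf"
"$TOOLS"/cat /etc/inetd.conf
gap
title "18. cat /etc/xinetd.d/*"
"$TOOLS"/ls -al /etc/xinetd.d/
"$TOOLS"/cat /etc/xinetd.d/*
gap
#9. /proc 정보
title "19. cat /proc/ksyms"
# /proc/ksyms is a 2.4-era file; newer kernels expose /proc/kallsyms instead.
if [ -e /proc/ksyms ]; then
  "$TOOLS"/cat /proc/ksyms
else
  "$TOOLS"/cat /proc/kallsyms
fi
gap
title "20. cat /proc/modules"
"$TOOLS"/cat /proc/modules
gap
title "21. kcore - 별도파일(kcore) 참조"
gap
# kcore/modules/ksyms can be streamed to a collector with nc instead of being
# written locally (addresses below are the original notes' examples). nc is
# cleartext and unauthenticated; hash what was received on the collector side.
#/media/cdrom/dd < /proc/kcore | /media/cdrom/nc 10.0.0.1 8888 -w 3
#/mnt/cdrom/dd < /proc/modules | /mnt/cdrom/nc 121.160.7.1 8888 -w 3
#/mnt/cdrom/dd < /proc/ksyms | /mnt/cdrom/nc 121.160.7.1 8888 -w 3
#10. 로그 정보
title "22. MAC 타임 조회"
# All three listings walk "/" explicitly (the original M/A listings gave no
# path and so depended on the caller's cwd). Reading directories during the
# M-time walk may update their atimes before the A-time walk, depending on the
# mount's atime options, and the cat/ls steps above already touched the files
# they read — interpret A-times with that in mind.
title "22-1 M Time"
"$TOOLS"/ls -Ralt /
gap
title "22-2 A Time"
"$TOOLS"/ls -Raltu /
gap
title "22-3 C Time"
"$TOOLS"/ls -Raltc /
gap
#11. rpm 변조 정보 (생략)
title "23. rpm -Va"
# rpm -Va verifies against the host's rpm database, which a root-level
# intruder can also edit; treat mismatches as a hint, not proof.
"$TOOLS"/rpm -Va
gap
#12. 종료시간
title "24. date(종료시간)"
"$TOOLS"/date
gap
#13. 추가 분석
# Manual cross-checks (the original notes were not executable shell):
#   - "$TOOLS"/lsof -i        vs  "$TOOLS"/netstat -na   (socket lists agree?)
#   - "$TOOLS"/lsof -iUDP:<port>                         (owner of a UDP port)
#   - "$TOOLS"/ps -ef         vs  host ps -ef            (differences point to
#                                                         a modified host ps)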
정보보안 위기대응실무매뉴얼.hwp