NAME="Ubuntu" VERSION="20.04 LTS (Focal Fossa)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 20.04 LTS" VERSION_ID="20.04" HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" VERSION_CODENAME=focal UBUNTU_CODENAME=focal
1. 최근 요청이 많은 IP 확인 (해킹/공격 징후 확인) — access.log가 아래 4번의 combined 포맷이면 $1이 클라이언트 IP(%h)
Last login: Wed May 21 09:00:10 2025 from 115.161.189.22
/usr/bin/xauth: file /root/.Xauthority does not exist
root@ubuntu:~# sudo awk '{print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -nr | head -20
7402 20.171.207.47
7389 20.171.207.114
7373 20.171.207.169
7366 20.171.207.234
7358 20.171.207.17
6734 20.171.207.238
2090 37.27.51.145
2017 20.171.207.123
1990 20.171.207.129
1827 20.171.207.105
1809 20.171.207.180
1510 20.171.207.156
1412 20.171.207.132
1225 221.167.255.56
1184 216.244.66.243
1082 37.27.51.144
1038 216.244.66.197
910 121.129.54.111
879 1.214.205.186
778 ::1
2. 자주 호출된 URL 확인 (취약점 스캔 여부 확인) — $7은 요청 라인의 경로이며, 요청 라인이 비정상인 로그에서는 408이나 * 같은 값이 섞여 나올 수 있음
root@ubuntu:~# sudo awk '{print $7}' /var/log/apache2/access.log | sort | uniq -c | sort -nr | head -20
1504 /robots.txt
1387 /
922 408
816 *
375 /css/layout.css
366 /js/common.js
363 /css/common.css
361 /js/font-awesome/css/font-awesome.min.css
358 /css/jquery-ui.min.css
353 /js/jquery.bxslider.js
351 /js/html5.js
349 /js/wrest.js?ver=171222
349 /js/datepicker-ko.js
348 /js/placeholders.min.js
348 /js/jquery-ui.min.js
347 /js/jquery-1.12.4.js
317 /favicon.ico
305 /img/header/top_logo_new2.jpg
299 /font/NotoSansKR-Light-Hestia.woff
294 /theme/basic/css/default.css?ver=2019-01-07
3. 트래픽 급증 시간대 파악 (공격 시간대 파악) — $4의 두 번째 콜론 구분 필드가 시(hour)이며, 로그에 기록된 타임존(+0900) 기준
root@ubuntu:~# sudo awk '{print $4}' /var/log/apache2/access.log | cut -d: -f2 | sort | uniq -c
24851 00
24010 01
13006 02
6419 03
5044 04
6239 05
5720 06
15888 07
6713 08
6679 09
7740 10
6387 11
5606 12
8176 13
8051 14
8428 15
7337 16
6343 17
5789 18
5647 19
4. Apache 로그 포맷 확인 (공격자 정보를 더 수집할 수 있는 필드 파악)
root@ubuntu:~# cat /etc/apache2/apache2.conf | grep LogFormat
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
5. tail -n 300 /var/log/apache2/access.log
최근 로그 더보기 ???? 최근 수백 줄 확인 t/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" 222.239.104.222 - - [21/May/2025:20:06:01 +0900] "GET /img_main/2024_main_icon_04.png HTTP/1.1" 200 8495 "https://akei.or.kr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" 222.239.104.222 - - [21/May/2025:20:06:01 +0900] "GET /img_main/2024_main_icon_05.png HTTP/1.1" 200 8471 "https://akei.or.kr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" 222.239.104.222 - - [21/May/2025:20:06:01 +0900] "GET /img_main/2024_main_icon_06.png HTTP/1.1" 200 6374 "https://akei.or.kr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" 222.239.104.222 - - [21/May/2025:20:06:01 +0900] "GET /img_main/2024_main_icon_07.png HTTP/1.1" 200 6115 "https://akei.or.kr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" 222.239.104.222 - - [21/May/2025:20:06:01 +0900] "GET /img_main/2024_main_icon_08.png HTTP/1.1" 200 10490 "https://akei.or.kr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" 222.239.104.222 - - [21/May/2025:20:06:01 +0900] "GET /img_main/2024_main_icon_09.png HTTP/1.1" 200 9094 "https://akei.or.kr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" 222.239.104.222 - - [21/May/2025:20:06:01 +0900] "GET /img/footer/bottom_link_bg.jpg HTTP/1.1" 200 1956 "https://akei.or.kr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" 222.239.104.222 - - [21/May/2025:20:06:01 +0900] "GET /img/footer/ico_goTop.gif HTTP/1.1" 200 1585 "https://akei.or.kr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 
Safari/537.36" 222.239.104.222 - - [21/May/2025:20:06:01 +0900] "GET /css/images/bx_loader.gif HTTP/1.1" 200 8911 "https://akei.or.kr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" 222.239.104.222 - - [21/May/2025:20:06:01 +0900] "GET /img_main/before_arrow.png HTTP/1.1" 200 20395 "https://akei.or.kr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" 222.239.104.222 - - [21/May/2025:20:06:01 +0900] "GET /img_main/after_arrow.png HTTP/1.1" 200 20407 "https://akei.or.kr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" 222.239.104.222 - - [21/May/2025:20:06:01 +0900] "GET /img_main/slick-master/slick/ajax-loader.gif HTTP/1.1" 200 4508 "https://akei.or.kr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" 47.128.110.118 - - [21/May/2025:20:06:02 +0900] "GET /bbs/download.php?bo_table=pressRelease&no=0&page=24&wr_id=607 HTTP/1.1" 200 6443 "-" "Mozilla/5.0 (Linux; Android 5.0) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; Bytespider; spider-feedback@bytedance.com)" 185.191.171.17 - - [21/May/2025:20:06:03 +0900] "GET /bbs/board.php?bo_table=newspaper&page=25&wr_id=7667 HTTP/1.1" 200 15153 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)" 3.212.219.113 - - [21/May/2025:20:06:04 +0900] "GET /bbs/board.php?bo_table=newspaper&page=83&wr_id=6786 HTTP/1.1" 200 7943 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot) Chrome/119.0.6045.214 Safari/537.36" 44.205.120.22 - - [21/May/2025:20:06:05 +0900] "GET /bbs/download.php?bo_table=pressRelease&no=0&page=52&wr_id=151 HTTP/1.1" 200 5819 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Amazonbot/0.1; 
+https://developer.amazon.com/support/amazonbot) Chrome/119.0.6045.214 Safari/537.36" 85.208.96.195 - - [21/May/2025:20:06:05 +0900] "GET /bbs/board.php?bo_table=newspaper&page=222&wr_id=4330 HTTP/1.1" 200 12530 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)" 34.139.191.255 - - [21/May/2025:20:06:05 +0900] "GET /bbs/board.php?bo_table=pressRelease&wr_id=932 HTTP/1.0" 200 16596 "-" "Mozilla/5.0/(X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" 114.111.32.40 - - [21/May/2025:20:06:08 +0900] "GET /bbs/board.php?bo_table=weekly&wr_id=4923 HTTP/1.1" 200 14134 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko; compatible; Yeti/1.1; +https://naver.me/spd) Chrome/133.0.0.0 Safari/537.36" 34.231.156.59 - - [21/May/2025:20:06:08 +0900] "GET /bbs/board.php?bo_table=pressRelease&page=10&sca=%EC%82%B0%EC%97%85%EB%B6%80&wr_id=276 HTTP/1.1" 200 8153 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot) Chrome/119.0.6045.214 Safari/537.36" 18.214.124.6 - - [21/May/2025:20:06:09 +0900] "GET /bbs/download.php?bo_table=pressRelease&no=0&page=38&wr_id=367 HTTP/1.1" 200 5815 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot) Chrome/119.0.6045.214 Safari/537.36" 185.191.171.14 - - [21/May/2025:20:06:10 +0900] "GET /bbs/board.php?bo_table=newspaper&page=48&wr_id=7277 HTTP/1.1" 200 14317 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)" 85.208.96.194 - - [21/May/2025:20:06:12 +0900] "GET /bbs/board.php?bo_table=bid&page=7&wr_id=38 HTTP/1.1" 200 13785 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)" 34.226.89.140 - - [21/May/2025:20:06:12 +0900] "GET /bbs/board.php?bo_table=memNews&page=7&wr_id=4780 HTTP/1.1" 200 10994 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, 
like Gecko; compatible; Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot) Chrome/119.0.6045.214 Safari/537.36" 34.239.197.197 - - [21/May/2025:20:06:14 +0900] "GET /bbs/download.php?bo_table=notice&no=1&page=24&wr_id=1810 HTTP/1.1" 200 5809 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot) Chrome/119.0.6045.214 Safari/537.36" 85.208.96.207 - - [21/May/2025:20:06:16 +0900] "GET /bbs/board.php?bo_table=newspaper&wr_id=8008 HTTP/1.1" 200 14955 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)" 100.27.153.9 - - [21/May/2025:20:06:16 +0900] "GET /bbs/board.php?bo_table=memNews&page=8&wr_id=4763 HTTP/1.1" 200 7981 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot) Chrome/119.0.6045.214 Safari/537.36" 85.208.96.206 - - [21/May/2025:20:06:16 +0900] "GET /bbs/board.php?bo_table=newspaper&page=114&wr_id=6032 HTTP/1.1" 200 11938 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)" 44.193.102.198 - - [21/May/2025:20:06:17 +0900] "GET /bbs/download.php?bo_table=covid19&no=1&page=2&wr_id=49 HTTP/1.1" 200 5817 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot) Chrome/119.0.6045.214 Safari/537.36" 211.249.46.140 - - [21/May/2025:20:06:17 +0900] "GET /bbs/board.php?bo_table=weekly&wr_id=4922 HTTP/1.1" 200 10876 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko; compatible; Yeti/1.1; +https://naver.me/spd) Chrome/133.0.0.0 Safari/537.36" 57.141.2.25 - - [21/May/2025:20:06:19 +0900] "GET /bbs/board.php?bo_table=newspaper&wr_id=7885&page=12 HTTP/1.1" 200 67600 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)" 185.191.171.6 - - [21/May/2025:20:06:19 +0900] "GET 
/bbs/board.php?bo_table=weekly&page=25&wr_id=4614 HTTP/1.1" 200 12576 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)" 18.214.251.19 - - [21/May/2025:20:06:20 +0900] "GET /bbs/board.php?bo_table=covid19&page=3&wr_id=76 HTTP/1.1" 200 11638 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot) Chrome/119.0.6045.214 Safari/537.36" 185.191.171.5 - - [21/May/2025:20:06:21 +0900] "GET /bbs/board.php?bo_table=newspaper&page=123&wr_id=6045 HTTP/1.1" 200 12219 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)" 52.204.89.12 - - [21/May/2025:20:06:22 +0900] "GET /bbs/download.php?bo_table=business&no=1&page=10&wr_id=1026 HTTP/1.1" 200 2154 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot) Chrome/119.0.6045.214 Safari/537.36"
6. 요청이 과도한 User-Agent 확인 — -F\" 로 큰따옴표 기준 분할 시 combined 포맷에서 $6이 User-Agent 필드
awk -F\" '{print $6}' /var/log/apache2/access.log | sort | uniq -c | sort -nr | head -10
root@ubuntu:~# awk -F\" '{print $6}' /var/log/apache2/access.log | sort | uniq -c | sort -nr | head -10
54688 Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)
33368 Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot) Chrome/119.0.6045.214 Safari/537.36
20693 Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)
9030 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
7942 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0
7048 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
5296 Mozilla/5.0 (Linux; Android 5.0) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; Bytespider; spider-feedback@bytedance.com)
4716 Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)
3771 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko; compatible; Yeti/1.1; +https://naver.me/spd) Chrome/127.0.0.0 Safari/537.36
3191 Mozilla/5.0 (compatible; BLEXBot/1.0; +https://help.seranking.com/en/blex-crawler)
































