1.파일시스템 분석 방법
정책에 따른 분류
1.라이브 파일시스템 분석
2.복사본 분석
3.분석 전용 부팅 매체를 이용한 분석
분석기법에 따른 분류
1.알려진 공격 방법 분석
2.변조된 파일 분석
3.MAC time 분석
4.삭제된 파일 분석
5.LKM 분석
2. 알려진 공격방법 분석
3. 루트킷 분석
주요 트로이 목마 프로그램
백도어/공격 프로그램
루트킷 설정 파일
# find /dev –type f - print
# find / -name “..*” -print
# find / -name “.*” -print
1. How to analyze the file system
Classification by policy
1. Analysis of the live file system
2. Analysis of copies
3. Analysis using a boot medium exclusively for analysis
Classification according to the analysis method
1. Analysis of known attack methods
2. Analyzing Modulated Files
3. Analyzing MAC time
4. Analyzing deleted files
5.LKM Analysis
2. Analysis of known attack methods
General attack procedures
–Intrusion of the system ̀Installation of the back door/troy horse
a back door
–A program installed to allow successful attackers to re-invade later
Trojans' Riding
–Programs that appear to be functioning normally, but perform malicious functions such as password extraction and system information extraction without the user's knowledge
Rootkit
– a package of Trojan horses, back doors, and attack programs
3. Rootkit Analysis
Trojans, backdoor, attack program packages
lrk3, lrk4, lrk5, t0rn kit …
Major Trojan horse programs
crontab
find
ifconfig
inetd
chsh
login
ls
netstat
passwd
ps
syslogd
tcpd
sshd
a backdoor/attack program
bindshell – Rootshell Binding to a Specific Port
linsniffer, es – Sniper
sniffchk – Sniper Watch
wted – wtmp, editing utmp files
z2 – utmp, wtmp, lastlog 삭제
Rootkit configuration file
/dev/ptyr – Specify the file or directory you want to hide from the ls command
/dev/ptyq – IP, UID, PORT you want to hide from netstat command
/dev/ptyp – The process you want to hide from the ps command
Common Rootkit Check Method
/dev/ Find general files below
# # find /dev –type f - print
Find hidden directories
# # find / -name “..*” -print
# # find / -name “.*” -print
