From owner-FreeBSD-users-jp@jp.freebsd.org  Thu Apr 15 21:38:01 1999
Received: (from daemon@localhost)
	by jaz.jp.freebsd.org (8.9.2+3.1W/8.7.3) id VAA06192;
	Thu, 15 Apr 1999 21:38:01 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from mx.jaif.or.jp (ns.jaif.or.jp [202.223.55.10])
	by jaz.jp.freebsd.org (8.9.2+3.1W/8.7.3) with ESMTP id VAA06186
	for <FreeBSD-users-jp@jp.freebsd.org>; Thu, 15 Apr 1999 21:37:58 +0900 (JST)
	(envelope-from hatori@jaif.or.jp)
Received: from jaif.or.jp ([210.142.4.20]) by mx.jaif.or.jp (8.8.7/3.4W412/02/96) with ESMTP id MAA00308 for <FreeBSD-users-jp@jp.freebsd.org>; Thu, 15 Apr 1999 12:52:38 GMT
Message-ID: <3715DE13.8CBD62E7@jaif.or.jp>
Date: Thu, 15 Apr 1999 21:39:47 +0900
From: Kentaro Hatori <hatori@jaif.or.jp>
Organization: PASCO Corporation
X-Mailer: Mozilla 4.5 [ja] (WinNT; I)
X-Accept-Language: ja, en,ko
MIME-Version: 1.0
To: FreeBSD-users-jp@jp.freebsd.org
References: <37144E2D.708CCE02@jaif.or.jp>
	 <19990414173239Y.hirano@t.kanazawa-u.ac.jp> <37145F6E.F12B08AF@jaif.or.jp> <m2u2uj1pic.fsf@star.aquilax.co.jp>
Content-Type: text/plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Reply-To: FreeBSD-users-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+990405
X-Sequence: FreeBSD-users-jp 41300
Subject: [FreeBSD-users-jp 41300] Re: How do you do about illeagal access on 
 your host?
Errors-To: owner-FreeBSD-users-jp@jp.freebsd.org
Sender: owner-FreeBSD-users-jp@jp.freebsd.org
X-Originator: hatori@jaif.or.jp

Hato-chan at PASCO here.

Masakazu Yamada wrote:
> When I searched with a search engine, I found the following:
> http://www.k-elektronik.org/arsip/eksploit/bsd/freebsd/fbsdrootkit.tar.gz
> 
> As for the contents,
> 
> This package includes the following:
> 
> chpass          Trojaned! User->r00t
> inetd           Trojaned! Remote access
> login           Trojaned! Remote access
> ls              Trojaned! Hide files
> du              Trojaned! Hide files
> ifconfig        Trojaned! Hide sniffing
> netstat         Trojaned! Hide connections
> passwd          Trojaned! User->r00t
> ps              Trojaned! Hide processes
> rshd            Trojaned! Remote access
> syslogd         Trojaned! Hide logs
> fix             File fixer!
> addlen          File length fixer(!)
> zapbsd2         An improved utmp/wtmp/lastlog type zapper
> bindshell       port/shell type daemon!
> tripwire        Trojaned! Hide changes
> sniffit         A kewl sniffz0r!
> 
> ...that sort of thing. Supposing this had been installed, you shouldn't leave it
> running as is. It should be cut off from the network immediately.

I was quite shocked that a tool like this can even exist.
It means that if you have so much as an ordinary user account, you can
plant Trojan-style programs, right...

But I can't just sit around in shock, and in the current situation, where
reinstalling the OS in a remote environment isn't an option either, for now
I took the following stopgap measures.

(1) This host has two identical HDDs set up with the same configuration, and
    the system on the second disk is, as far as I can tell, the one from before
    the intrusion, so when running commands I use that one.

(2) cp all of the system's executable files from the second disk to the first.
      cp -p /u1/bin/* /bin
      cp -p /u1/sbin/* /sbin
      cp -p /u1/usr/bin/* /usr/bin
      cp -p /u1/usr/sbin/* /usr/sbin
      cp -p /u1/usr/libexec/* /usr/libexec

$B<:GT$=$N(B1
$BITCm0U$K$b(Bcp$B$O(B1$BBfL\$K$"$k$b$N$r;H$C$F$$$?!#$3$3$O(Bpath$B$r$O$C$F3N<B$K(B
2$BBfL\$N(Bcp$B$r;H$&$h$&$K$9$k$Y$-$G$"$C$?!#(B

$B5?Ld$=$N(B1
cp$B$r<B9T$7$?:]!"$$$/$D$+$N%U%!%$%k$O(BText busy$B$H$J$C$F%3%T!<$G$-$J(B
$B$+$C$?$,!"$3$l$i$r%3%T!<$9$k>l9g!"(Bkill$B$7$F$d$l$P$$$$$H;W$$$D$D$b(B
$B<B:]$K(Bkill$B$7$F;Y>c$,$"$C$F$b:$$k$N$G!"$3$N(Bkill$B$H(Bcp$B$rF1;~$K<B9T$7$F(B
$B:F5/F0$r?^$k$h$&$J(Bkill -HUP$BE*$JET9g$N$$$$J}K!$O$"$k$N$G$7$g$&$+!#(B

(3) Even if you cp -p a file whose mode is -r-sr-xr-x, the result ends up as
    -r-s------. So I reset the mode with chmod:
      chmod 555 hogehoge

$B<:GT$=$N(B2
$B>e5-$N%3%^%s%I$r<B9T$9$k$H%b!<%I$O(B-r-xr-xr-x$B$K$J$C$F!"(Bw$B$J$I$N%3%^%s%I(B
$B$O0lHL%f!<%6$G$O<B9T$G$-$J$/$J$C$F$7$^$&!#@5$7$/$O(B
  chmod go=rx hogehoge
$B$H$9$k$Y$-!#$*$+$2$G(B2$BBfL\$N%U%!%$%k$N%b!<%I$r3NG'$7$D$D:F$S:n6H$9$k(B
$B1)L\$K$J$C$?!#(B

$B5?Ld$=$N(B2
$B%b!<%I$,(B-r-sr-xr-x$B$N%U%!%$%k$r$=$N$^$^(Bcp -p$B$9$k$K$O!"$I$N$h$&$JJ}K!(B
$B$,$"$k$N$G$7$g$&$+!#(B

I did all of the above, but for some reason rebooting remotely has never
worked (because the screen has been turned off), so I'll try rebooting when I
actually go there.

-- 

    /   / Kentaro Hatori
   __  /  mailto:hatori@jaif.or.jp
 _/  _/   $B$3$l$C$F%*!<%W%s%=!<%9$KBP$9$kD)@o!)(B
