{"id":644,"date":"2014-03-22T01:39:51","date_gmt":"2014-03-21T16:39:51","guid":{"rendered":"http:\/\/lovelinux.mydns.jp\/?p=644"},"modified":"2014-03-24T11:49:56","modified_gmt":"2014-03-24T02:49:56","slug":"linux%e5%90%91%e3%81%91%e3%82%a6%e3%82%a3%e3%83%ab%e3%82%b9-ebury-%e3%81%ab%e6%84%9f%e6%9f%93%e3%81%97%e3%81%a6%e3%81%84%e3%82%8b%e3%81%8b%e3%83%81%e3%82%a7%e3%83%83%e3%82%af%e3%81%99%e3%82%8b","status":"publish","type":"post","link":"https:\/\/lovelinux.mydns.jp\/?p=644","title":{"rendered":"Linux\u5411\u3051\u30a6\u30a3\u30eb\u30b9 Ebury \u306b\u611f\u67d3\u3057\u3066\u3044\u308b\u304b\u30c1\u30a7\u30c3\u30af\u3059\u308b\u65b9\u6cd5"},"content":{"rendered":"

\u306a\u3093\u304b\u3001Ebury\u3068\u3044\u3046Linux\u5411\u3051\u306e\u30a6\u30a3\u30eb\u30b9\u304c\u6d41\u884c\u3063\u3066\u3044\u308b\u3089\u3057\u3044\u3002\u53b3\u5bc6\u306b\u3069\u306e\u3088\u3046\u306a\u30a6\u30a3\u30eb\u30b9\u304b\u3068\u3044\u3046\u306e\u306f\u3088\u304f\u77e5\u3089\u306a\u3044\u306e\u3060\u304c\u3001ssh\u3092\u30a2\u30bf\u30c3\u30af\u3057\u3066\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u30cf\u30c3\u30af\u3057\u3066\u3001\u30b9\u30d1\u30e0\u884c\u52d5\u3092\u8d77\u3053\u3057\u305f\u308a\u3059\u308b\u3082\u306e\u307f\u305f\u3044\u3067\u3059\u3002\uff08\u8981\u8abf\u67fb\uff09<\/p>\n

\u8a73\u3057\u3044\u5185\u5bb9\u306f\u3001\u518d\u5ea6\u8abf\u3079\u308b\u3068\u3057\u3066\u3001\uff12\u4e07\uff15\uff10\uff10\uff10\u53f0\u306eLinux\u30b5\u30fc\u30d0\u30fc\u304c\u611f\u67d3\u3057\u3066\u3044\u308b\u3068\u3044\u3046\u3053\u3068\u306a\u306e\u3067\u3001\u3068\u308a\u3042\u3048\u305a\u3001\u81ea\u5206\u304c\u7ba1\u7406\u3057\u3066\u3044\u308bLinux\u304c\u611f\u67d3\u3057\u3066\u3044\u306a\u3044\u304b\u30c1\u30a7\u30c3\u30af\u3059\u308b\u65b9\u6cd5\u3092\u8abf\u3079\u3066\u307f\u307e\u3057\u305f\u3002<\/p>\n

\u3053\u306e\u30b5\u30a4\u30c8\u306b\u3088\u308b\u3068\u3001ipcs\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u3063\u3066\u3001permission\u304c666\u3067\u3001\uff13MB\u4ee5\u4e0a(3000000\uff09\u30e1\u30e2\u30ea\u3092\u98df\u3063\u3066\u308b\u5974\u304c\u3044\u305f\u3089\u5371\u306a\u3044\u305c\uff01\u3068\u306e\u3053\u3068\u3002<\/p>\n

https:\/\/www.cert-bund.de\/ebury-faq<\/a><\/p>\n

[bash mark=”6,12,13″]
\n# ipcs -m
\n—— Shared Memory Segments ——–
\nkey shmid owner perms bytes nattch
\n0x00000000 0 peter 600 393216 2
\n0x00000000 32769 paul 600 393216 2
\n0x000006e0 65538 root 666 3283128 0<\/p>\n

# ipcs -m
\n—— Shared Memory Segments ——–
\nkey shmid owner perms bytes nattch
\n0x0000020c 32768 root 644 16384 2
\n0x00000469 65538 101 666 4313584 0
\n0x0000047a 131075 smmsp 666 3966496 0
\n[\/bash]<\/p>\n

\u3082\u3046\u3072\u3068\u3064\u306e\u8abf\u67fb\u65b9\u6cd5\u306f\u3001\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3092\u767a\u884c\u3059\u308b\u3053\u3068\u3002
\nhttp:\/\/news.mynavi.jp\/news\/2014\/03\/20\/398\/<\/a><\/p>\n

[bash]
\n# ssh -G 2>&1 | grep -e illegal -e unknown > \/dev\/null && echo “System clean” || echo “System infected”
\n[\/bash]<\/p>\n

\u51fa\u529b\u7d50\u679c\u304c
\n\u300cSystem clean\u300d\u306a\u3089\u30bb\u30fc\u30d5
\n\u300cSystem infected\u300d\u306a\u3089\u30a2\u30a6\u30c8<\/p>\n

\u3068\u3044\u3046\u3053\u3068\u3089\u3057\u3044\u3002<\/p>\n

\u5f15\u304d\u7d9a\u304d\u8abf\u3079\u3066\u307f\u307e\u3059\u3002<\/p>\n

\u5bfe\u7b56<\/h3>\n

\u8d85\u7c21\u6613\u5bfe\u7b56\uff11<\/h4>\n

\u307e\u3060\u30a6\u30a3\u30eb\u30b9\u306b\u611f\u67d3\u3057\u3066\u3044\u306a\u304b\u3063\u305f\u306a\u3089\u3001\u3068\u308a\u3042\u3048\u305a\u3001\u4ee5\u4e0b\u306e\u65b9\u6cd5\u3067\u305d\u306e\u5834\u3057\u306e\u304e\u306f\u53ef\u80fd\u304b\u3068\u30fb\u30fb<\/p>\n

[bash]
\n$ sudo nano \/etc\/ssh\/sshd_config
\n[\/bash]<\/p>\n

root\u3067\u306e\u30ed\u30b0\u30a4\u30f3\u3092\u7121\u52b9\u306b\u3059\u308b<\/p>\n

[diff]<\/p>\n

– #PermitRootLogin yes
\n+ PermitRootLogin no
\n[\/diff]<\/p>\n

\u30b5\u30fc\u30d3\u30b9\u518d\u8d77\u52d5<\/p>\n

[bash]
\n$ sudo service ssh restart<\/p>\n

or <\/p>\n

$ sudo service sshd restart
\n[\/bash]<\/p>\n

\u8d85\u7c21\u6613\u5bfe\u7b56\uff12<\/h4>\n

[bash]
\n$ sudo nano \/etc\/ssh\/sshd_config
\n[\/bash]<\/p>\n

\u904b\u7528\u30dd\u30fc\u30c8\u3092\u5909\u66f4
\n[diff]
\n– #Port 22
\n+ Port 11122
\n[\/diff]<\/p>\n

\u30b5\u30fc\u30d3\u30b9\u518d\u8d77\u52d5<\/p>\n

[bash]
\n$ sudo service ssh restart<\/p>\n

or <\/p>\n

$ sudo service sshd restart
\n[\/bash]<\/p>\n

\u9375\u8a8d\u8a3c\u306b\u5909\u66f4<\/h4>\n

\u3059\u3093\u307e\u305b\u3093\u3001\u4e45\u3005\u306b\u8a2d\u5b9a\u3059\u308b\u306e\u3067\u3084\u308a\u65b9\u5fd8\u308c\u3061\u3083\u3063\u3066\u307e\u3059\u3002\u305f\u3060\u4eca\u8abf\u3079\u4e2d\u3002\u3002\u3002
\n\u3063\u3066\u304b\u3001\u4ed6\u306e\u30b5\u30a4\u30c8\u3067\u78ba\u8a8d\u3057\u3066\u3082\u3089\u3046\u306e\u304c\u78ba\u5b9f\u304b\u3082\u30fb\u30fb\u30fb<\/p>\n

\u30ed\u30b0\u78ba\u8a8d<\/h3>\n

ssh\u306e\u30ed\u30b0\u3092\u30c1\u30a7\u30c3\u30af\u3057\u3066\u307f\u308b\u306e\u3082\u826f\u3044\u304b\u3082\u3057\u308c\u307e\u305b\u3093\u3002<\/p>\n

[bash]
\n$ sudo tail \/var\/log\/secure -n 500|less <\/p>\n

or <\/p>\n

$ sudo tail \/var\/log\/auth.log -n 500|less
\n[\/bash]<\/p>\n

\u8ffd\u8a18\uff1a \u30a2\u30f3\u30c1\u30a6\u30a3\u30eb\u30b9\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u3001rootkit\u5bfe\u7b56\u306f\u6709\u52b9\u304b\uff1f<\/h3>\n

https:\/\/www.cert-bund.de\/ebury-faq<\/a>
\n\u306b\u3088\u308b\u3068\u3001Linux\u306b\u30a2\u30f3\u30c1\u30a6\u30a3\u30eb\u30b9\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u306b\u3088\u3063\u3066Ebury\u306e\u88ab\u5bb3\u304c\u9632\u3052\u308b\u304b\u5426\u304b\u306b\u3064\u3044\u3066\u8a18\u8f09\u3055\u308c\u3066\u3044\u308b\u3002\u6b8b\u5ff5\u306a\u304c\u3089\u3001ClamAV\u3084 chkrootkit\/rkhunter \u306f\u4eca\u306e\u3068\u3053\u308dEbury\u306b\u306f\u5bfe\u5fdc\u3067\u304d\u3066\u3044\u306a\u3044\u3068\u306e\u3053\u3068\u3067\u3042\u308b\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"

\u306a\u3093\u304b\u3001Ebury\u3068\u3044\u3046Linux\u5411\u3051\u306e\u30a6\u30a3\u30eb\u30b9\u304c\u6d41\u884c\u3063\u3066\u3044\u308b\u3089\u3057\u3044\u3002\u53b3\u5bc6\u306b\u3069\u306e\u3088\u3046\u306a\u30a6\u30a3\u30eb\u30b9\u304b\u3068\u3044\u3046\u306e\u306f\u3088\u304f\u77e5\u3089\u306a\u3044\u306e\u3060\u304c\u3001ssh\u3092\u30a2\u30bf\u30c3\u30af\u3057\u3066\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u30cf\u30c3\u30af\u3057\u3066\u3001\u30b9\u30d1\u30e0\u884c\u52d5\u3092\u8d77\u3053\u3057\u305f\u308a\u3059\u308b\u3082\u306e\u307f\u305f\u3044\u3067\u3059\u3002\uff08\u8981\u8abf\u67fb\uff09 \u8a73\u3057\u3044\u5185\u5bb9\u306f\u3001\u518d\u5ea6\u8abf\u3079\u308b\u3068\u3057\u3066\u3001\uff12\u4e07\uff15\uff10\uff10\uff10\u53f0\u306eLinux\u30b5\u30fc\u30d0\u30fc\u304c\u611f\u67d3\u3057\u3066\u3044\u308b\u3068\u3044\u3046\u3053\u3068\u306a\u306e\u3067\u3001\u3068\u308a\u3042\u3048\u305a\u3001\u81ea\u5206\u304c\u7ba1\u7406\u3057\u3066\u3044\u308bLinux\u304c\u611f\u67d3\u3057\u3066\u3044\u306a\u3044\u304b\u30c1\u30a7\u30c3\u30af\u3059\u308b\u65b9\u6cd5\u3092\u8abf\u3079\u3066\u307f\u307e\u3057\u305f\u3002 \u3053\u306e\u30b5\u30a4\u30c8\u306b\u3088\u308b\u3068\u3001ipcs\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u3063\u3066\u3001permission\u304c666\u3067\u3001\uff13MB\u4ee5\u4e0a(3000000\uff09\u30e1\u30e2\u30ea\u3092\u98df\u3063\u3066\u308b\u5974\u304c\u3044\u305f\u3089\u5371\u306a\u3044\u305c\uff01\u3068\u306e\u3053\u3068\u3002 https:\/\/www.cert-bund.de\/ebury-faq [bash mark=”6,12,13″] # ipcs -m —— Shared Memory Segments ——– key shmid owner perms bytes nattch 0x00000000 0 peter 600 393216 2 0x00000000 32769 paul 600 393216 2 0x000006e0 65538 root 666 3283128 0 # ipcs -m —— Shared Memory Segments ——– key shmid owner perms bytes nattch 0x0000020c 32768 root 644 16384 2 0x00000469 65538 101 666 4313584 0 0x0000047a 131075 smmsp 666 3966496 0 [\/bash] \u3082\u3046\u3072\u3068\u3064\u306e\u8abf\u67fb\u65b9\u6cd5\u306f\u3001\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3092\u767a\u884c\u3059\u308b\u3053\u3068\u3002 http:\/\/news.mynavi.jp\/news\/2014\/03\/20\/398\/ [bash] # ssh -G 2>&1 | grep -e illegal -e unknown > \/dev\/null && echo “System clean” || echo “System infected” [\/bash] \u51fa\u529b\u7d50\u679c\u304c \u300cSystem clean\u300d\u306a\u3089\u30bb\u30fc\u30d5 \u300cSystem infected\u300d\u306a\u3089\u30a2\u30a6\u30c8 \u3068\u3044\u3046\u3053\u3068\u3089\u3057\u3044\u3002 \u5f15\u304d\u7d9a\u304d\u8abf\u3079\u3066\u307f\u307e\u3059\u3002 \u5bfe\u7b56 \u8d85\u7c21\u6613\u5bfe\u7b56\uff11 \u307e\u3060\u30a6\u30a3\u30eb\u30b9\u306b\u611f\u67d3\u3057\u3066\u3044\u306a\u304b\u3063\u305f\u306a\u3089\u3001\u3068\u308a\u3042\u3048\u305a\u3001\u4ee5\u4e0b\u306e\u65b9\u6cd5\u3067\u305d\u306e\u5834\u3057\u306e\u304e\u306f\u53ef\u80fd\u304b\u3068\u30fb\u30fb [bash] $ sudo nano \/etc\/ssh\/sshd_config [\/bash] root\u3067\u306e\u30ed\u30b0\u30a4\u30f3\u3092\u7121\u52b9\u306b\u3059\u308b [diff] – #PermitRootLogin yes + PermitRootLogin no [\/diff] \u30b5\u30fc\u30d3\u30b9\u518d\u8d77\u52d5 [bash] $ sudo service ssh restart or $ sudo service sshd restart [\/bash] \u8d85\u7c21\u6613\u5bfe\u7b56\uff12 [bash] $ sudo nano \/etc\/ssh\/sshd_config [\/bash] \u904b\u7528\u30dd\u30fc\u30c8\u3092\u5909\u66f4 [diff] – #Port 22 + Port 11122 [\/diff] \u30b5\u30fc\u30d3\u30b9\u518d\u8d77\u52d5 [bash] $ sudo service ssh restart or $ sudo service sshd restart [\/bash] \u9375\u8a8d\u8a3c\u306b\u5909\u66f4 \u3059\u3093\u307e\u305b\u3093\u3001\u4e45\u3005\u306b\u8a2d\u5b9a\u3059\u308b\u306e\u3067\u3084\u308a\u65b9\u5fd8\u308c\u3061\u3083\u3063\u3066\u307e\u3059\u3002\u305f\u3060\u4eca\u8abf\u3079\u4e2d\u3002\u3002\u3002 \u3063\u3066\u304b\u3001\u4ed6\u306e\u30b5\u30a4\u30c8\u3067\u78ba\u8a8d\u3057\u3066\u3082\u3089\u3046\u306e\u304c\u78ba\u5b9f\u304b\u3082\u30fb\u30fb\u30fb \u30ed\u30b0\u78ba\u8a8d ssh\u306e\u30ed\u30b0\u3092\u30c1\u30a7\u30c3\u30af\u3057\u3066\u307f\u308b\u306e\u3082\u826f\u3044\u304b\u3082\u3057\u308c\u307e\u305b\u3093\u3002 [bash] $ sudo tail \/var\/log\/secure -n 500|less or $ sudo tail \/var\/log\/auth.log -n 500|less [\/bash] \u8ffd\u8a18\uff1a \u30a2\u30f3\u30c1\u30a6\u30a3\u30eb\u30b9\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u3001rootkit\u5bfe\u7b56\u306f\u6709\u52b9\u304b\uff1f https:\/\/www.cert-bund.de\/ebury-faq \u306b\u3088\u308b\u3068\u3001Linux\u306b\u30a2\u30f3\u30c1\u30a6\u30a3\u30eb\u30b9\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u306b\u3088\u3063\u3066Ebury\u306e\u88ab\u5bb3\u304c\u9632\u3052\u308b\u304b\u5426\u304b\u306b\u3064\u3044\u3066\u8a18\u8f09\u3055\u308c\u3066\u3044\u308b\u3002\u6b8b\u5ff5\u306a\u304c\u3089\u3001ClamAV\u3084 chkrootkit\/rkhunter \u306f\u4eca\u306e\u3068\u3053\u308dEbury\u306b\u306f\u5bfe\u5fdc\u3067\u304d\u3066\u3044\u306a\u3044\u3068\u306e\u3053\u3068\u3067\u3042\u308b\u3002<\/p>\n","protected":false},"author":1,"featured_media":659,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[4],"tags":[41],"class_list":{"0":"post-644","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-4","8":"tag-ebury"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/lovelinux.mydns.jp\/index.php?rest_route=\/wp\/v2\/posts\/644","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lovelinux.mydns.jp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lovelinux.mydns.jp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lovelinux.mydns.jp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lovelinux.mydns.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=644"}],"version-history":[{"count":16,"href":"https:\/\/lovelinux.mydns.jp\/index.php?rest_route=\/wp\/v2\/posts\/644\/revisions"}],"predecessor-version":[{"id":726,"href":"https:\/\/lovelinux.mydns.jp\/index.php?rest_route=\/wp\/v2\/posts\/644\/revisions\/726"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lovelinux.mydns.jp\/index.php?rest_route=\/wp\/v2\/media\/659"}],"wp:attachment":[{"href":"https:\/\/lovelinux.mydns.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=644"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lovelinux.mydns.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=644"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lovelinux.mydns.jp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=644"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}