
Re: [cobalt-security] Attempted inside job. A report.



Hi Simon,

> I would be very interested in knowing exactly how you do this
> and a copy of the shellscript. I already use Chkrootkit but to automate it
> would be great. Any chance?

no problem at all. Sorry for the late reply.

The script itself is very, very simple. It just runs chkrootkit, dumps the 
output to a file and then emails the file out. Once the email is sent, then 
the output file is deleted.

---------------------- start: check.sh ----------------------
#!/bin/sh
#
#       check.sh: CHKROOTKIT mailer
#       Written by Michael Stauber <mstauber@xxxxxxxxxxxxxx>
#       Based on the logcheck script from Craig Rowland <crowland@xxxxxxxxxxx>
#

# CONFIGURATION SECTION

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin:/home/chkrootkit
CHKROOTKITPATH=/home/chkrootkit
SYSADMIN=admin
MAIL=mail
HOSTNAME=`hostname`
DATE=`date +%m/%d/%y:%H.%M`

# Needs to be created:
TMPDIR=/home/chkrootkit/tmp

# No changes needed below:
umask 077                                # report file readable by its owner (root) only
rm -f "$TMPDIR/check.run"
cd "$CHKROOTKITPATH" || exit 1           # bail out rather than run a stray ./chkrootkit
./chkrootkit > "$TMPDIR/check.run"
"$MAIL" -s "$HOSTNAME $DATE chkrootkit report" "$SYSADMIN" < "$TMPDIR/check.run"

# Clean Up
rm -f "$TMPDIR/check.run"
---------------------- stop: check.sh ----------------------

No changes need to be made to any chkrootkit-files. This is my directory 
layout:

/
|
|--- home
     |
     |--- chkrootkit
          |
          |--- tmp

I put a "chmod -R 700 /home/chkrootkit" and "chown -R root:root 
/home/chkrootkit" onto the directory to hide it from anyone except root.

Just run it as a cronjob as often as you like. Once per day works fine for 
me. For that purpose you can copy the check.sh to /etc/cron.daily or set it 
up through "crontab -e" as cronjob of user root.

As said, the script is simple and was thrown together in just a few minutes 
based on the heavily trimmed down logcheck script. I had first intended to 
pipe it through "grep" to only receive mailed information when something 
notable was going on. This could be done by piping the output through grep 
and by discarding all lines with the words "not" or "may take" in them.

But then again, chkrootkit is of limited use, as "chkproc" (the sub-program 
which checks for hidden processes and LKMs) tends to give false information 
on systems with a high load and many dynamic processes. How that happens is 
clear: It compares the output from "ps" with the "/proc" directory. However, 
if some processes (like the odd MySQL or Apache fork) just ended between 
those two comparisons which run one after another, not simultaneously, then 
chkproc cries "wolf".


-- 

Mit freundlichen Grüßen / With best regards

Michael Stauber

 Stauber Multimedia Design ____ Phone:  +49-6081-946240
 Eppsteiner Weg 9 ___  D-61267 Neu-Anspach ___ Germany
 SMD.NET ___ SOLARSPEED.NET ___ FORUMWORLD.COM
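An added example, not the check.sh from this post and not chkrootkit's own code: it implements the grep filter the post sketches (discard every line containing "not" or "may take") and only hands the report to the mailer when something survives. The sample report lines mimic chkrootkit's phrasing but are constructed for the demo, and the MAILER variable is an assumption of this example.

```shell
#!/bin/sh
# Constructed example: mail a chkrootkit report only when lines survive the
# "not" / "may take" filter described in the post. Sample lines below are
# made up to resemble chkrootkit output; they are not real scan results.

# Keep only lines that are not routine "all clear" chatter or blank.
filter_findings() {
    grep -v -i -e 'not' -e 'may take' | grep -v '^[[:space:]]*$'
}

# True (exit 0) when the report file $1 still has lines after filtering.
has_findings() {
    [ -n "$(filter_findings < "$1")" ]
}

# Number of surviving lines in report file $1 (tr strips BSD wc padding).
count_findings() {
    filter_findings < "$1" | wc -l | tr -d ' '
}

# Pipe the filtered report into $MAILER only when there is something to say.
# MAILER defaults to "cat" so this demo never sends mail; in a cron job set
# MAILER='mail -s "chkrootkit findings" root'. Returns 1 when nothing was sent.
notify_if_findings() {
    report="$1"
    if has_findings "$report"; then
        filter_findings < "$report" | ${MAILER:-cat}
        return 0
    fi
    return 1
}

# Demo on two constructed reports: a clean run and one where chkproc complains.
# chkproc is the check the post calls noisy on busy hosts, so a surviving
# chkproc line is a reason to re-run before treating it as a compromise.
demo_dir=$(mktemp -d)
printf '%s\n' "Checking \`amd'... not found" \
    "Checking \`basename'... not infected" \
    "Searching for suspicious files and dirs, it may take a while... nothing found" \
    "Checking \`lkm'... chkproc: nothing detected" > "$demo_dir/clean.run"
cp "$demo_dir/clean.run" "$demo_dir/noisy.run"
echo "Checking \`lkm'... You have     2 process hidden for ps command" >> "$demo_dir/noisy.run"
echo "chkproc: Warning: Possible LKM Trojan installed" >> "$demo_dir/noisy.run"
notify_if_findings "$demo_dir/clean.run" || echo "clean.run: nothing to report"
notify_if_findings "$demo_dir/noisy.run" || echo "noisy.run: nothing to report"
rm -rf "$demo_dir"
```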