Re: [cobalt-security] Attempted inside job. A report.
- Subject: Re: [cobalt-security] Attempted inside job. A report.
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Sun, 30 Sep 2001 21:03:08 +0200
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Simon,
> I would be very interested in knowing exactly how you do this
> and a copy of the shellscript. I already use Chkrootkit but to automate it
> would be great. Any chance ?
no problem at all. Sorry for the late reply.
The script itself is very, very simple. It just runs chkrootkit, dumps the
output to a file and then emails the file out. Once the email is sent, then
the output file is deleted.
---------------------- start: check.sh ----------------------
#!/bin/sh
#
# check.sh: CHKROOTKIT mailer
# Written by Michael Stauber <mstauber@xxxxxxxxxxxxxx>
# Based on the logcheck script from Craig Rowland <crowland@xxxxxxxxxxx>
#
# CONFIGURATION SECTION
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin:/home/chkrootkit
CHKROOTKITPATH=/home/chkrootkit
SYSADMIN=admin
MAIL=mail
HOSTNAME=`hostname`
DATE=`date +%m/%d/%y:%H.%M`
# Needs to be created:
TMPDIR=/home/chkrootkit/tmp
# No changes needed below:
# Report file is created root-only readable.
umask 077
rm -f "$TMPDIR/check.run"
# Stop here if the chkrootkit directory is missing instead of running
# ./chkrootkit from cron's working directory.
cd "$CHKROOTKITPATH" || exit 1
# Capture stderr as well, so errors from chkrootkit end up in the mail.
./chkrootkit >"$TMPDIR/check.run" 2>&1
$MAIL -s "$HOSTNAME $DATE chkrootkit report" "$SYSADMIN" <"$TMPDIR/check.run"
# Clean Up
rm -f "$TMPDIR/check.run"
---------------------- stop: check.sh ----------------------
No changes need to be made to any chkrootkit-files. This is my directory
layout:
/
|
|-----home
      |
      |--- chkrootkit
           |
           |----tmp
I put a "chmod -R 700 /home/chkrootkit" and "chown -R root:root
/home/chkrootkit" onto the directory to hide it from anyone except root.
Just run it as a cronjob as often as you like. Once per day works fine for
me. For that purpose you can copy the check.sh to /etc/cron.daily or set it
up through "crontab -e" as cronjob of user root.
As said, the script is simple and was thrown together in just a few minutes
based on the heavily trimmed down logcheck script. I had first intended to
pipe it through "grep" to only receive mailed information when something
notable was going on. This could be done by piping the output through grep
and by discarding all lines with the words "not" or "may take" in them.
But then again, chkrootkit is of limited use, as "chkproc" (the sub-program
which checks for hidden processes and LKMs) tends to give false information
on systems with a high load and many dynamic processes. How that happens is
clear: It compares the output from "ps" with the "/proc" directory. However,
if some processes (like the odd MySQL or Apache fork) just ended between
those two comparisons which run one after another, not simultaneously, then
chkproc cries "wolf".
--
Mit freundlichen Grüßen / With best regards
Michael Stauber
Stauber Multimedia Design ____ Phone: +49-6081-946240
Eppsteiner Weg 9 ___ D-61267 Neu-Anspach ___ Germany
SMD.NET ___ SOLARSPEED.NET ___ FORUMWORLD.COM
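The grep filter described in the message, plus a two-run comparison to drop chkproc hits caused by a process that exited between the ps and /proc scans, as an added example (not the original check.sh and not chkrootkit's own code). The chkrootkit-style output lines are constructed, and the two-run comparison is an assumption of this example, not something the post implements:

```shell
#!/bin/sh
# Added example, not the original check.sh. Sample output below is
# constructed to look like chkrootkit output; it was not captured.

# Discard the benign lines: anything containing "not" ("not found",
# "not infected", "nothing found") or "may take", plus blank lines.
filter_report() {
    grep -v -e 'not' -e 'may take' | grep -v '^[[:space:]]*$'
}

# Print only lines reported by both runs (arguments are two output files).
# A finding from a process that vanished between ps and /proc shows up in
# one run but not the next, so it is dropped here.
stable_findings() {
    { sort -u "$1"; sort -u "$2"; } | sort | uniq -d
}

# Exit 0 (send the mail) when something survives both filters, else 1.
needs_mail() {
    [ -n "$(stable_findings "$1" "$2" | filter_report)" ]
}

# Constructed sample: two consecutive runs; the chkproc hit is gone in run 2.
TMP=$(mktemp -d)
cat > "$TMP/run1" <<'EOF'
Checking `basename'... not infected
Checking `ifconfig'... not infected
Searching for suspicious files and dirs, it may take a while... nothing found
Checking `lkm'... You have     2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
EOF
cat > "$TMP/run2" <<'EOF'
Checking `basename'... not infected
Checking `ifconfig'... not infected
Searching for suspicious files and dirs, it may take a while... nothing found
Checking `lkm'... nothing detected
EOF

if needs_mail "$TMP/run1" "$TMP/run2"; then
    echo "would mail:"
    stable_findings "$TMP/run1" "$TMP/run2" | filter_report
else
    echo "nothing stable to report"
fi
rm -rf "$TMP"
```

In a cron job the two files would be the outputs of two chkrootkit runs a few minutes apart, and the mail step of check.sh would be wrapped in `needs_mail`.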