A shell script question

Uncle Jim jim at jimani.com
Tue Feb 24 06:59:53 CST 2004


Hi,
On Mon, Feb 23, 2004 at 04:21:43PM -0600, Brian Densmore wrote:
> 
> I'm looking to write a little shell/perl/python
> script to run on my server 24/7 looking for attackers.
> I want to hide this script from view. Anyone ever done this?

About the first thing these little kiddies do is download their favorite
rootkit and they seem to like to use "wget" or "ftp".  So why not rename
your "wget" and "ftp" to something like "wget2" and "ftp2" and then make
a short shell script named "wget" (with a link to "ftp") that looks
something like this:

  #!/bin/bash
  # Trap wrapper: the real wget/ftp were renamed to wget2/ftp2 above.
  echo Bye Bye you little '$@#*!'
  # Take the interface down so the download (and the intruder's session) dies.
  /sbin/ifconfig eth0 down
  # Large-letter alert on the console for whoever is at the machine.
  banner HELP ME > /dev/console

This SHOULD stop them before they can do too much damage and before
they start to cover their tracks.

I played with a Perl script to loop doing a "stat" on files like "ls", "ps",
"top", and "netstat" waiting for a change, assuming that any decent rootkit
would replace one or more of these.  Even as ugly as polling loops are, I
could not get the script to register any significant CPU usage even with a
"sleep 1" at the bottom of the loop.  A program like this will show up in
the output of "ps" so you should be creative when naming it.

Whatever you decide to do, make sure you run tripwire.

-- 
Jim
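The polling check Jim describes, as an added example in Python (not his Perl script, which is not in the message). It goes one step further than "stat": besides inode, size and mtime it compares a SHA-256 of each file, so a replacement padded to the same size with a forged timestamp is still caught. The watched paths and the demo's stand-in "ls" file are assumptions for illustration.

```python
import hashlib
import os
import time

# Binaries a rootkit commonly swaps out (the names from the message); the
# paths are assumed and only used when the loop is run for real.
WATCHED = ["/bin/ls", "/bin/ps", "/usr/bin/top", "/bin/netstat"]


def fingerprint(path):
    """(inode, size, mtime, sha256) for path, or None if it is missing."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (st.st_ino, st.st_size, int(st.st_mtime), h.hexdigest())


def snapshot(paths):
    return {p: fingerprint(p) for p in paths}


def diff_snapshots(baseline, current):
    """Paths whose fingerprint no longer matches the baseline (edited, replaced or removed)."""
    return sorted(p for p in baseline if baseline[p] != current.get(p))


def watch(paths=WATCHED, interval=1.0, rounds=None):
    """Polling loop: re-check every `interval` seconds and yield changed paths."""
    baseline = snapshot(paths)
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        changed = diff_snapshots(baseline, snapshot(paths))
        if changed:
            yield changed
            baseline = snapshot(paths)  # re-baseline after reporting
        done += 1


def demo(tmpdir=None):
    """Constructed demo: a stand-in 'ls' is overwritten in place with data of the
    same length, as a rootkit swap would do; returns (clean_diff, caught)."""
    import tempfile
    fake_ls = os.path.join(tmpdir or tempfile.mkdtemp(), "ls")
    with open(fake_ls, "wb") as f:
        f.write(b"original")
    baseline = snapshot([fake_ls])
    clean = diff_snapshots(baseline, snapshot([fake_ls]))
    with open(fake_ls, "wb") as f:
        f.write(b"trojaned")  # same size and inode: only the hash gives it away
    return clean, diff_snapshots(baseline, snapshot([fake_ls])) == [fake_ls]
```

Run `for changed in watch(): print("CHANGED:", changed)` to use it as the 24/7 monitor; as Jim notes, the process itself is visible in "ps", so it complements rather than replaces tripwire.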
