A shell script question

Brian Densmore DensmoreB at ctbsonline.com
Tue Feb 24 15:17:25 CST 2004


> -----Original Message-----
> From: Uncle Jim
> Hi,
> On Mon, Feb 23, 2004 at 04:21:43PM -0600, Brian Densmore wrote:
> > 
> > I'm looking to write a little shell/perl/python
> > script to run on my server 24/7 looking for attackers.
> > I want to hide this script from view. Anyone ever done this?
> 
> About the first thing these little kiddies do is download their favorite
> rootkit and they seem to like to use "wget" or "ftp".  So why not rename
> your "wget" and "ftp" to something like "wget2" and "ftp2" and then make
> a short shell script named "wget" (with a link to "ftp") that looks something
> like this:
> 
>   #!/bin/bash
>   echo Bye Bye you little '$@#*!'
>   /sbin/ifconfig eth0 down
>   banner HELP ME > /dev/console
Oooh, I like that idea. That's kind of along the lines I was thinking,
as part of a solution.

> 
> This SHOULD stop them before they can do too much damage and before
> they start to cover their tracks.
> 
> I played with a Perl script to loop doing a "stat" on files like "ls", "ps",
> "top", and "netstat" waiting for a change, assuming that any decent rootkit
> would replace one or more of these.  Even as ugly as polling loops are, I
> could not get the script to register any significant CPU usage even with a
> "sleep 1" at the bottom of the loop.  A program like this will show up in
> the output of "ps" so you should be creative when naming it.
Right, something like this too.

> 
> Whatever you decide to do, make sure you run tripwire.
The rootkit they hit me with takes tripwire down too.

Again, I'm looking to add many layers of security, but need
to not go overboard. I want a usable system when I'm done, not
one that spends all day looking for breakins. ;')
I only have one system so I really am not looking to make a honeypot.
Basically what I am looking to do is to harden the kernel, add a sane
firewall, establish a good update policy (maybe a cron job to apt-get
update && apt-get upgrade to the security.debian.org site automatically),
and some standard and custom tools for auditing the system and paging
me in certain cases. I don't want a paranoid system. There has to be balance.

Thanks all for the ideas,
Brian
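The polling "stat" loop Jim describes above, written out as an added example (not code from either poster): it fingerprints a list of binaries with inode, size, mtime and a SHA-256 of the contents, then reports any file that goes missing, is replaced, or has only its metadata changed. The watch list of /bin/ls etc. is the one named in the thread; run_demo() instead builds three constructed stand-in files in a temporary directory, tampers with them, and returns what the monitor reports, so it runs offline without touching the real system.

```python
import hashlib
import os
import shutil
import tempfile
import time

# Binaries the thread says a rootkit typically replaces; any list of paths works.
DEFAULT_WATCH = ["/bin/ls", "/bin/ps", "/usr/bin/top", "/bin/netstat"]


def fingerprint(path):
    """Return (inode, size, mtime, sha256) for one file, or None if it is missing.
    A watched binary disappearing is itself worth an alert."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (st.st_ino, st.st_size, int(st.st_mtime), h.hexdigest())


def snapshot(paths):
    """Fingerprint every path in the watch list."""
    return {p: fingerprint(p) for p in paths}


def compare(baseline, current):
    """Return (path, reason) for every file whose fingerprint differs from baseline.
    Content hash is checked first so a replaced binary is never reported as a
    mere timestamp change."""
    findings = []
    for path, old in baseline.items():
        new = current.get(path)
        if old == new:
            continue
        if new is None:
            findings.append((path, "missing"))
        elif old is None:
            findings.append((path, "appeared"))
        elif old[3] != new[3]:
            findings.append((path, "content changed"))
        else:
            findings.append((path, "metadata changed"))
    return findings


def watch(paths, interval=1.0, max_iterations=None, on_change=print):
    """Poll the watch list against a fixed baseline (the "sleep 1" loop from the
    thread). Each (path, reason) is reported once; returns the number of alerts."""
    baseline = snapshot(paths)
    reported = set()
    alerts = 0
    iterations = 0
    while max_iterations is None or iterations < max_iterations:
        time.sleep(interval)
        for path, reason in compare(baseline, snapshot(paths)):
            if (path, reason) not in reported:
                reported.add((path, reason))
                on_change("ALERT: %s: %s" % (path, reason))
                alerts += 1
        iterations += 1
    return alerts


def run_demo():
    """Constructed demonstration: three throwaway files stand in for ls, ps and
    netstat. Returns the list of reasons the monitor reports after tampering."""
    tmp = tempfile.mkdtemp()
    try:
        names = [os.path.join(tmp, n) for n in ("ls", "ps", "netstat")]
        for p in names:
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho original " + os.path.basename(p).encode() + b"\n")
        baseline = snapshot(names)
        # Tamper: replace "ls", delete "ps", and only touch the mtime of "netstat".
        with open(names[0], "wb") as f:
            f.write(b"#!/bin/sh\necho REPLACED ls\n")
        os.remove(names[1])
        os.utime(names[2], (0, 0))
        return [reason for _, reason in compare(baseline, snapshot(names))]
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())  # demo on constructed files
    # For real use: watch(DEFAULT_WATCH) loops forever with a 1 second sleep.
```

Keeping one fixed baseline, rather than re-snapshotting each loop, means a binary that is swapped and later swapped back still shows up as two alerts. As Jim notes, the process itself is visible in "ps", and a rootkit that replaces "ps" can hide it, so this complements rather than replaces an integrity checker whose database lives off the box.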