A shell script question

Brian Kelsay BLKELSAY at kcc.usda.gov
Tue Feb 24 15:38:50 CST 2004


I was going to mention tripwire and say look for a project at freshmeat.net for something to 
monitor it like the following:
http://freshmeat.net/projects/ficc/
Or run SNORT and a monitor similar to the following:
http://freshmeat.net/projects/sam-snortalertmonitor/
I like Jim's idea also to trick the script kiddies.  Hopefully after all the protections your 
server doesn't run way slower than the old machine.

You might also think about something like this:
http://freshmeat.net/projects/ktools-oak/
that can page, SMS message or email the admin about errors in syslog, etc.

Brian Kelsay

>>> Uncle Jim <> 02/24/04 12:59AM >>>

On Mon, Feb 23, 2004 at 04:21:43PM -0600, Brian Densmore wrote:
> 
> I'm looking to write a little shell/perl/python
> script to run on my server 24/7 looking for attackers.
> I want to hide this script from view. Anyone ever done this?

About the first thing these little kiddies do is download their favorite
rootkit and they seem to like to use "wget" or "ftp".  So why not rename
your "wget" and "ftp" to something like "wget2" and "ftp2" and then make
a short shell script named "wget" (with a link to "ftp") that looks something
like this:

  #!/bin/bash
  # Decoy "wget"/"ftp": the real binaries have been renamed to wget2/ftp2,
  # so anything that calls these names is an intruder, not the admin.
  echo Bye Bye you little '$@#*!'
  /sbin/ifconfig eth0 down          # drop the link the intruder came in on
  banner HELP ME > /dev/console     # alert whoever is at the console

This SHOULD stop them before they can do too much damage and before
they start to cover their tracks.

I played with a Perl script to loop doing a "stat" on files like "ls", "ps",
"top", and "netstat" waiting for a change, assuming that any decent rootkit
would replace one or more of these.  Even as ugly as polling loops are, I
could not get the script to register any significant CPU usage even with a
"sleep 1" at the bottom of the loop.  A program like this will show up in
the output of "ps" so you should be creative when naming it.

Whatever you decide to do, make sure you run tripwire.

-- 
Jim
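Jim's stat-polling idea, written out as an added Python example that is not part of the original thread: it baselines a set of binaries and then reports which ones changed and why. It goes a little beyond a bare stat by also hashing contents and recording inode and ctime; the function names and the temp-dir self-test files are my own constructions.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    # (mode, inode, size, ctime, sha256) or None if absent; inode and ctime
    # are included because mtime alone is trivially forged with touch.
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return (st.st_mode, st.st_ino, st.st_size, st.st_ctime_ns, digest)

def baseline(paths):
    # Snapshot taken once, while the host is still believed clean.
    return {p: fingerprint(p) for p in paths}

def changed(paths, base):
    # [(path, reason), ...] for every watched file that differs from baseline.
    out = []
    for p in paths:
        old, now = base.get(p), fingerprint(p)
        if now == old:
            continue
        if now is None:
            why = "removed"
        elif old is None:
            why = "appeared"
        elif now[4] != old[4]:
            why = "content changed"
        else:
            why = "metadata changed"  # chmod/chown, or same bytes on a new inode
        out.append((p, why))
    return out

def selftest():
    # Exercise the checks on constructed files in a temp dir, not real binaries.
    d = tempfile.mkdtemp()
    ls, ps = os.path.join(d, "ls"), os.path.join(d, "ps")
    for p in (ls, ps):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")
    base = baseline([ls, ps])
    clean = changed([ls, ps], base)
    with open(ls, "wb") as f:   # simulate a trojaned ls
        f.write(b"#!/bin/sh\necho tampered\n")
    os.chmod(ps, 0o700)         # simulate a permission change on ps
    return clean, changed([ls, ps], base)
```

Call changed() against the saved baseline from a loop with a one-second sleep, as Jim did, and hand the alerts to syslog or the paging tools Brian mentions. Because it runs in user space, a kernel-level rootkit that lies to stat() defeats it, which is why tripwire's offline database stays the backstop.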




More information about the Kclug mailing list