Wednesday, February 23, 2011

A linux security wrapper

Here's a fun script (or a variation of it) that I use on nearly all my servers to catch exploits and script kiddies:

#!/bin/sh
# Set a known PATH so the commands below resolve even when called from an exploit
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# Report file for this invocation, and who gets the mail (adjust to taste;
# root is the assumed recipient)
hfile=$(mktemp /tmp/hack.XXXXXX)
mailto=root

# Record the report's own name, how we were called, and when
echo "$hfile" >> "$hfile"
echo "I was called with: $0 $*" >> "$hfile"
date >> "$hfile"

echo >> "$hfile"
echo "-- ps fax --" >> "$hfile"
ps fax >> "$hfile"

echo >> "$hfile"
echo "-- ps auxwwwe --" >> "$hfile"
ps auxwwwe >> "$hfile"

echo >> "$hfile"
echo "-- lsof --" >> "$hfile"
lsof >> "$hfile"

echo >> "$hfile"
echo "-- netstat -ptuna --" >> "$hfile"
netstat -ptuna >> "$hfile"

echo >> "$hfile"
echo "-- tail /var/log/messages --" >> "$hfile"
tail /var/log/messages >> "$hfile"

echo >> "$hfile"
echo "-- tail /var/log/daemon.log --" >> "$hfile"
tail /var/log/daemon.log >> "$hfile"

echo >> "$hfile"
echo "-- tail /var/log/auth.log --" >> "$hfile"
tail /var/log/auth.log >> "$hfile"

echo >> "$hfile"

# Ship the whole report by mail
mail -s "HACK ATTEMPT" "$mailto" < "$hfile"

# Tell the caller a plausible lie and fail the way the real tool would
echo Error: Connection Refused.
exit 1

Save that script as, say, /usr/bin/wget or /usr/bin/fetch, and keep the original binary under a different name such as wget.real, real.wg or wg, whatever you like. The report should give you enough information about what is going on to know where to start looking.
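Here is a variation of the wrapper, added as an example and not taken from the original post, that goes a step further than the script above: it writes one report per invocation, reports tools that are missing rather than silently skipping them, and passes an allowlist of UIDs (root by default) through to the renamed real binary so the wrapper can stay installed on a box where wget is still needed. REAL_BIN, ALLOWED_UIDS and REPORT_DIR are assumed names, and root is the assumed mail recipient.

```shell
#!/bin/sh
# Added example, not the original post's script. REAL_BIN, ALLOWED_UIDS and
# REPORT_DIR are assumed names; set them to match your installation.
REAL_BIN="${REAL_BIN:-/usr/bin/wget.real}"    # where the real binary was moved
ALLOWED_UIDS="${ALLOWED_UIDS:-0}"             # space-separated UIDs passed through
REPORT_DIR="${REPORT_DIR:-/var/log/wrapper}"  # one report file per invocation
# run_section LABEL CMD... : print a labelled section; note an absent tool
run_section() {
    label="$1"; shift
    printf '\n-- %s --\n' "$label"
    if command -v "$1" >/dev/null 2>&1; then "$@" 2>&1 || true
    else printf '(%s not available on this host)\n' "$1"; fi
}

# build_report FILE CALLER ARGS... : write the evidence snapshot to FILE
build_report() {
    out="$1"; caller="$2"; shift 2
    {
        printf 'I was called with: %s %s\n' "$caller" "$*"
        printf 'uid=%s ppid=%s cwd=%s date=%s\n' "$(id -u)" "$PPID" "$PWD" "$(date)"
        run_section "ps fax" ps fax
        run_section "netstat -ptuna" netstat -ptuna
        run_section "lsof" lsof
        for f in /var/log/messages /var/log/daemon.log /var/log/auth.log; do
            if [ -r "$f" ]; then run_section "tail $f" tail "$f"; fi
        done
    } > "$out"
}

# uid_allowed UID LIST : succeeds when UID appears in the space-separated LIST
uid_allowed() {
    for u in $2; do [ "$u" = "$1" ] && return 0; done
    return 1
}

main() {
    # Allowlisted callers get the real tool; everyone else is logged and refused
    if uid_allowed "$(id -u)" "$ALLOWED_UIDS" && [ -x "$REAL_BIN" ]; then
        exec "$REAL_BIN" "$@"
    fi
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/$(date +%Y%m%d-%H%M%S)-$$.log"
    build_report "$report" "$0" "$@"
    command -v mail >/dev/null 2>&1 && mail -s "HACK ATTEMPT" root < "$report"  # recipient assumed
    echo "Error: Connection Refused." >&2
    exit 1
}
# Only act as the wrapper when installed under a wrapped name, e.g. /usr/bin/wget
case "$0" in */wget|*/fetch) main "$@" ;; esac
```

Install it under the wrapped name (the case at the end only arms it then) and keep the allowlist short: anything already running as an allowlisted UID is passed straight through and never reported.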

By no means should this be used instead of a host-based IDS such as OSSEC or Tripwire.