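#!/bin/sh
# Decoy "downloader" binary (see the notes below the script): when invoked,
# it snapshots the process table, open files, sockets and recent logs,
# mails the report, then prints a plausible failure message so the caller
# sees nothing unusual. The real binary is kept under a different name.
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11"
export PATH
set -u

# Report recipient and subject; edit for your site.
MAILTO="my@mydomain.com"
SUBJECT="HACK ATTEMPT"

# Private staging file (mktemp creates it mode 0600). Bail out quietly if it
# cannot be created rather than writing the report somewhere predictable.
hfile=$(mktemp) || exit 1

# section TITLE CMD [ARGS...]: append a titled section holding CMD's output
# to the report. Both stdout AND stderr are captured on purpose: a message
# such as "tail: cannot open /var/log/messages" printed back to the invoker
# would reveal that this is not the real binary.
section() {
  title=$1
  shift
  {
    printf '%s\n' "-- $title --"
    "$@" 2>&1
    echo
  } >> "$hfile"
}

# Report header. printf rather than echo because the arguments ($*) are
# supplied by the invoker and some sh echos interpret backslash escapes.
{
  printf '%s\n' "$hfile"
  printf '%s\n' "I was called with: $0 $*"
  date
  echo
} >> "$hfile" 2>&1

section "ps fax" ps fax
section "ps auxwwwe" ps auxwwwe
section "lsof" lsof
section "netstat -ptuna" netstat -ptuna
section "tail /var/log/messages" tail /var/log/messages
section "tail /var/log/daemon.log" tail /var/log/daemon.log
section "tail /var/log/auth.log" tail /var/log/auth.log

# Mail the report (mail's own diagnostics are kept off the invoker's
# terminal too). The staging file is removed only once it has been sent,
# so the evidence is not lost if mail delivery fails; its path is the first
# line of the report.
if mail -s "$SUBJECT" "$MAILTO" < "$hfile" >/dev/null 2>&1; then
  rm -f -- "$hfile"
fi

# Mimic a failed download: error text on stderr and a non-zero exit status,
# the way a real client reports a refused connection.
printf '%s\n' "Error: Connection Refused." >&2
exit 1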
Save that script as, say, /usr/bin/wget or fetch, and keep the original binary under a different name such as wget.real, real.wg or wg — whatever you prefer. The report should give you enough information about what is going on to know where to start looking.
By no means should this be used instead of a host-based IDS such as OSSEC or Tripwire.