Listing 1 syslog check script
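#!/usr/bin/awk -f
#
# looks for basic syslog items: failed logins, blocked connects (via tcpd)
# and bad su's (confirmed in sulog)
#
# Expects the classic syslog line layout: $1 $2 $3 = month day time,
# $4 = originating host, $5 = process tag, remaining fields = message.
#
# Usage: syslog-check [-v host=HOSTNAME] /var/log/messages
#   host defaults to HOSTNAME from the environment.  If neither is set the
#   "nonlocal" test is skipped rather than comparing every line against ""
#   (which would report every record as nonlocal).
#
# copyright(c) 2001 jose nazario
#
BEGIN {
    print "\n\tChecking the syslog"
    print "\t-------------------"
    failed = 0
    blocked = 0
    badsu = 0
    notmine = 0
    shellcode = 0
    binsh = 0
    # Inside awk, "$HOSTNAME" is a literal string, not the shell variable;
    # the hostname has to come from -v host=... or the environment.
    if (host == "")
        host = ENVIRON["HOSTNAME"]
    if (host == "")
        print "\tWARNING: local hostname unknown (use -v host=NAME); nonlocal check skipped"
}
{
    if ($5 ~ /login/) {
        # useful for IRIX
        if ($6 ~ /failed/) {
            print "failed login: " $9 "\tat " $1 " " $2 " " $3 " from\t" $7
            failed++
        }
        # useful for Linux
        if ($0 ~ /LOGIN.FAILURE/) {
            print "failed login: " $11 "\tat " $1 " " $2 " " $3 " from\t" $10
            failed++
        }
        # also useful for Linux
        if ($0 ~ /FAILED.LOGIN/) {
            print "failed login: " $10 "\tat " $1 " " $2 " " $3 " from\t" $12
            failed++
        }
    } # end if $5 ~ login
    # looking for failed sshd1 logins, openssh2 format
    if ($5 ~ /sshd/) {
        if ($6 == "Failed") {
            print "failed login: " $9 "\tat " $1 " " $2 " " $3 " from\t" $11
            failed++
        }
    }
    # tcp wrappers check.
    # Log fields are passed to printf only as %s arguments, never spliced
    # into the format string: a username or host copied from the log can
    # contain '%' and would otherwise be interpreted as a directive.
    if ($6 ~ /refused/) {
        source = $9
        printf("blocked %-32s\tto %s at\t%s %s %s\n", source, $5, $1, $2, $3)
        blocked++
    }
    # syslog su checking (backed up in sulog on IRIX, Solaris)
    # IRIX, Solaris, Linux -- the tag is expected to look like "su[1234]:"
    # or "su:"; anchoring avoids matching other tags that merely contain "su".
    if (($5 ~ /^su(\[|:)/) && ($6 ~ /failed/)) {
        badsu++
        printf("failed su from %s to %s at \t%s %s %s\n", $10, $12, $1, $2, $3)
    }
    # Linux using PAM (ie RedHat)
    if (($12 ~ /su/) && ($7 ~ /failure/)) {
        badsu++
        print "failed su from " $8 " to " $10 " at \t" $1 " " $2 " " $3
    }
    # HPUX 10.20
    if (($6 == "su") && ($7 == "-")) {
        badsu++
        print "failed su: " $9 " at \t" $1 " " $2 " " $3
    }
    # looking for syslog messages that did not originate on this host
    if (host != "" && $4 != host) {
        notmine++
        print "nonlocal syslog entry:"
        print $0
    }
    # looking for possible exploit signatures
    # \x90 (NOP) is x86 only!  Note: \x escapes in a regex are a gawk
    # extension; other awks may not recognise them.
    if ($0 ~ /\x90/) {
        shellcode++
        print "----------------- Possible buffer overflow at line " NR
        print "time: " $1 " " $2 " " $3 " process was " $5
    }
    # match the literal path; a bare '.' would also match e.g. "binash"
    if ($0 ~ /bin\/sh/) {
        binsh++
        print "------------- Possible call to /bin/sh at line " NR
        print "time: " $1 " " $2 " " $3 " process was " $5
    }
}
END {
    print "\t----------------------------------------"
    printf("\trecords processed:\t%15d\n", NR)
    printf("\tnumber of failed logins:%15d\n", failed)
    printf("\tblocked connections:\t%15d\n", blocked)
    printf("\tnumber of failed su's:\t%15d\n", badsu)
    printf("\tlines not from localhost:%15d\n", notmine)
    printf("\tpossible shellcode found:%15d\n", shellcode)
    printf("\tpossible /bin/sh calls:%15d\n\n", binsh)
}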