Date:      Sat, 26 Feb 2000 23:55:28 PST
From:      "PinkSmurf Mushroom" <smurfclanz@hotmail.com>
To:        freebsd-security@freebsd.org
Subject:   Mixter's shlog.c
Message-ID:  <20000227075528.97409.qmail@hotmail.com>

I've stumbled upon Mixter's fixed code, shlog.c. It will log down any
connections that produce a shell.
But so far I'm unable to make it log the sh shell, since most exploits will
produce sh upon a successful attack. I've added the script to /etc/profile
and /etc/csh.cshrc. Should I add it to other files in order for it to log
down the sh shell?

Below is the code:
----------------------------------------------------------------
/*
 * shlog.c (c) Mixter
 * FIXED Version (thanks to scagneti@chisel.toolcity.net)
 * Well, this does not do too much.. it will determine the
 * origin (remote IP address) from which a shell is launched (user
 * id/remote host), and write a syslog entry, every time a login shell
 * is invoked. This can help against login trojans, or just for providing
 * better audit trails.
 * Put a call to shlog into /etc/profile and/or /etc/bashrc
 */

#include <syslog.h>
#include <stdio.h>
#include <stdlib.h>		/* getenv() */
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define IO_STDIN	0

int
main (int argc, char **argv)
{
  struct sockaddr_in sin;
  socklen_t nl = sizeof (struct sockaddr_in);
  /* succeeds only if stdin is a connected socket, i.e. a network login */
  int test = getpeername (IO_STDIN, (struct sockaddr *) &sin, &nl);
  const char *shell = getenv ("SHELL");

  /* a shell started without a login environment may have no $SHELL set;
     passing NULL to %s is undefined behaviour */
  if (shell == NULL)
    shell = "(unset)";

  (void) openlog (argv[0], LOG_PID, LOG_AUTHPRIV);

  /* only render the address if the peer really is an IPv4 socket */
  if (test == 0 && sin.sin_family == AF_INET)
    syslog (LOG_NOTICE | LOG_AUTHPRIV,
	    "shell '%s' (uid: %d euid: %d gid: %d) invoked by remote connection from host %s",
	    shell,
	    getuid (), geteuid (), getgid (),
	    inet_ntoa (sin.sin_addr));
  else
    syslog (LOG_NOTICE | LOG_AUTHPRIV,
	    "shell '%s' (uid: %d euid: %d gid: %d) invoked from local host or program",
	    shell,
	    getuid (), geteuid (), getgid ());

  (void) closelog ();

  return 0;
}
----------------------------------------------------------------

smurfy =p