[6303] in bugtraq


/tmp event logger

daemon@ATHENA.MIT.EDU (Michal Zalewski)
Sun Mar 15 12:49:31 1998

Date: 	Sat, 14 Mar 1998 13:09:02 +0100
Reply-To: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
From: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
To: BUGTRAQ@NETSPACE.ORG

Due to the excessive number of /tmp races reported in recent months, here is
a /tmp event logger. This simple and small program logs file activity
in a given directory in a clear, reusable, space-saving format
(including operation, filename, uid/gid, file type, permissions,
and current time). It's very useful when you're looking for possible
vulnerabilities, or trying to trace attacks.

--
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <time.h>
#include <dirent.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

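#define OPENED_MAX 5000   /* maximum number of directory entries tracked at once */
#define LAG 5             /* pause between scans, in microseconds (usleep() units) */

/*
 * Set the global 'nope' to a tab when the name is shorter than five
 * characters, so that the name column still lines up with the next
 * tab-separated field; otherwise clear it.  Wrapped in do/while(0) so
 * the macro is a single statement and cannot break an enclosing if/else.
 */
#define nopp(x) do { nope = (strlen(x) < 5) ? '\t' : 0; } while (0)

int wannadies = -1;          /* index of the last tracked entry; -1 when none */
int a;                       /* scratch loop index used by the scan callback */
char *opened[OPENED_MAX];    /* malloc'd names of entries seen in the watched directory */
char present[OPENED_MAX];    /* present[i] != 0 if opened[i] was seen in the current scan */
char nope;                   /* alignment pad chosen by nopp(): '\t' or 0 */
time_t costam;               /* timestamp of the event being reported */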

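/*
 * scandir() filter that doubles as the "file appeared" detector.
 *
 * Called once per entry of the watched directory on every scan.  An entry
 * already tracked in opened[] is only marked present; a new entry is
 * recorded in opened[]/present[] and a "++" line (mode, uid, gid, size,
 * time) is printed to stdout.  "." and ".." are ignored.  stat() is done
 * on the bare name, i.e. relative to the current directory, which main()
 * changes into before scanning.
 *
 * Always returns -1 (non-zero), so scandir keeps every entry; this
 * program does not consume the list scandir builds.  Exits the process
 * when more than OPENED_MAX entries would be tracked or on malloc failure.
 */
int infect(const struct dirent *s) {
  struct stat x;
  size_t len;
  char *copy;

  if (!strcmp(s->d_name, ".") || !strcmp(s->d_name, "..")) return -1;

  /* Already known: only mark it as still present. */
  for (a = 0; a <= wannadies; a++) {
    if (!strcmp(opened[a], s->d_name)) {
      present[a] = 1;
      return -1;
    }
  }

  /* Check the bound *before* writing: the last valid slot is OPENED_MAX-1.
   * The original tested "> OPENED_MAX" after the store, one past the array. */
  if (wannadies >= OPENED_MAX - 1) {
    fprintf(stderr, "Out of file handlers, dying...\n");
    exit(-1);
  }
  len = strlen(s->d_name) + 1;
  copy = malloc(len);
  if (!copy) {
    fprintf(stderr, "Out of memory, dying...\n");
    exit(-1);
  }
  memcpy(copy, s->d_name, len);
  opened[++wannadies] = copy;
  present[wannadies] = 1;

  time(&costam);
  nopp(s->d_name);
  /* The entry may vanish between the directory read and stat() -- the very
   * kind of race this tool watches for -- so never print the contents of
   * an uninitialised struct stat; report unknown fields instead. */
  if (stat(s->d_name, &x) == 0) {
    /* st_uid/st_gid are unsigned and st_size is off_t: cast so the format
     * specifiers match the argument types. */
    printf("++ %s%c\t%6o\t%u\t%u\t%jd\t%s", s->d_name, nope,
           (unsigned)x.st_mode, (unsigned)x.st_uid, (unsigned)x.st_gid,
           (intmax_t)x.st_size, ctime(&costam));
  } else {
    printf("++ %s%c\t?\t?\t?\t?\t%s", s->d_name, nope, ctime(&costam));
  }
  return -1;
}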

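/*
 * scandir() comparison callback.  The entry order is irrelevant to this
 * program, so every pair compares equal.  A non-void function must return
 * a value: the original had an empty body, and qsort() reading that result
 * is undefined behaviour.
 */
int foo(const struct dirent **a, const struct dirent **b) {
  (void)a;
  (void)b;
  return 0;
}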

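/*
 * Entry point.  Changes into the directory to watch (argv[1], or /tmp when
 * no argument is given), then scans it forever: every pass lets infect()
 * report entries that appeared, and the loop below reports entries that
 * disappeared since the previous pass with a "--" line.
 *
 * Returns -1 if the directory cannot be entered; otherwise never returns.
 */
int main(int argc, char *argv[]) {
  struct dirent **x;
  int n, i;

  fprintf(stderr, "/tmp watcher 1.0 by <lcamtuf@staszic.waw.pl>\n");
  if (argc == 2) {
    if (chdir(argv[1])) {
      fprintf(stderr, "Can't change to given directory, dying.\n");
      return -1;
    }
    fprintf(stderr, "Using %s.\n", argv[1]);
  } else {
    fprintf(stderr, "No parameter given, using /tmp.\n");
    if (chdir("/tmp")) {
      fprintf(stderr, "Can't change to /tmp, dying.\n");
      return -1;
    }
  }
  fprintf(stderr, "\nOP FILENAME\tTYPPRM\tUID\tGID\tSIZE\tTIME\n");

  while (1) {
    memset(present, 0, sizeof(present));
    /* Scan the directory we chdir()'d into, not a hard-coded "/tmp":
     * otherwise argv[1] was honoured for stat() but ignored for the
     * listing, and the two would describe different directories. */
    n = scandir(".", &x, infect, foo);
    if (n < 0) {
      /* Nothing was observed this pass, so do not report removals. */
      perror("scandir");
    } else {
      /* infect() already did the work; release scandir's list, which was
       * previously allocated on every pass and never freed. */
      for (i = 0; i < n; i++) free(x[i]);
      free(x);

      /* Report and drop entries not seen in this pass.  Removal moves the
       * last tracked entry into slot i, so i only advances when slot i
       * holds an entry that is still present; the original skipped the
       * moved-in entry until the next pass. */
      i = 0;
      while (i <= wannadies) {
        if (present[i]) {
          i++;
          continue;
        }
        time(&costam);
        nopp(opened[i]);
        printf("-- %s%c\t-\t-\t-\t-\t%s", opened[i], nope, ctime(&costam));
        free(opened[i]);
        opened[i] = opened[wannadies];
        present[i] = present[wannadies];
        wannadies--;
      }
    }
    /* NOTE(review): LAG is passed to usleep(), so this is a 5 microsecond
     * pause -- effectively a tight loop; a longer interval was presumably
     * intended, confirm before changing. */
    usleep(LAG);
  }
}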
--

It isn't visual or multimedia-capable, and it doesn't have a lot of more or less
useful features. Feel free to modify it...

_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
Iterować jest rzeczą ludzką, wykonywać rekursywnie - boską [P. Deustch]
=3D--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] ----------------=
-=3D
