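#!/usr/bin/perl
# Host-compromise indicator sweep (run as root from cron).
#
# Collects suspicious files, processes and accounts with a fixed set of shell
# probes, filters them through the admin-maintained allow/deny lists under
# /usr/local/lp/apps/security, and e-mails a report when anything remains.
# Nothing is printed to stdout; an empty result sends no mail.
use strict;
use warnings;
use POSIX qw(strftime);
use Sys::Hostname qw(hostname);

######## Configuration #######
my $mailprog   = '/usr/sbin/sendmail';
my $recipients = 'security@sourcedns.com';
# The list files are consumed as extended regular expressions (grep -Ef and
# Perl's regex engine).  They must be writable by root only: an over-broad
# entry silently hides findings instead of causing an error.
my $whitelist_dir = '/usr/local/lp/apps/security/whitelists';
my $blacklist_dir = '/usr/local/lp/apps/security/blacklists';
# Nobody processes can be whitelisted in ignore.nobody.list (one regex per line).
my $nobody_exclude_file = "$whitelist_dir/ignore.nobody.list";
####### Configuration ######

# Same format string the old `date` invocation used; strftime avoids a fork.
my $todays_date = strftime('%A, %B %e, %Y %l:%M%P (%Z)', localtime);
my $host        = hostname();

# Read a list file and return its non-blank lines with the newline removed.
# Dies when the file cannot be opened, as the old code did: a missing
# whitelist must not let the check run unfiltered or be skipped silently.
sub read_list_file {
    my ($path) = @_;
    open my $fh, '<', $path or die "could not open list file $path: $!\n";
    my @entries;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /\A\s*\z/;
        push @entries, $line;
    }
    close $fh;
    return @entries;
}

# Compile whitelist entries into one regex, or return undef when there are
# none.  The old code joined the raw file lines with '|', so (a) an empty
# file produced the empty pattern, which matches every line and whitelisted
# *all* nobody processes, and (b) each entry carried its trailing newline and
# therefore only matched at the end of a ps line.  (a) is fixed by returning
# undef; (b) is kept explicitly with the `$` anchor so deployed whitelists
# keep their meaning -- NOTE(review): confirm against the installed list.
# Entries are regular expressions and are deliberately not quotemeta'd.
sub build_exclude_re {
    my @entries = @_;
    return if !@entries;
    my $alternation = join '|', map { "(?:$_)" } @entries;
    return qr/(?:$alternation)$/;
}

# Return a hashref of the environment of process $pid from /proc, or undef
# when it cannot be read (the process exited between `ps` and here, or the
# kernel denies access).  The old code ignored the open failure.
sub read_environ {
    my ($pid) = @_;
    # Never build a /proc path from anything but a plain PID token.
    return if !defined $pid || $pid !~ /\A\d+\z/;
    open my $fh, '<', "/proc/$pid/environ" or return;
    my $envstring = do { local $/; <$fh> };
    close $fh;
    return {} if !defined $envstring;
    my %env;
    for my $entry (split /\0/, $envstring) {
        # Only the first '=' separates name from value; values may contain '='.
        my ($key, $value) = split /=/, $entry, 2;
        next if !defined $key || $key eq '';
        $env{$key} = defined $value ? $value : '';
    }
    return \%env;
}

# --- Probes ----------------------------------------------------------------
# Every command below is a fixed string; no untrusted data is interpolated.

# Get nobody procs, minus the whitelist.
my @nob_exec   = `ps -f h -U nobody --cols=400`;
my $exclude_re = build_exclude_re(read_list_file($nobody_exclude_file));
@nob_exec = grep { $_ !~ $exclude_re } @nob_exec if defined $exclude_re;

# Other checks.  File names under /tmp, /var/tmp and /dev/shm are matched
# against the patterns in blacklists/tmp.list and blacklists/shm.list.
my @tmp   = `find /tmp/ -type f | grep -Ef $blacklist_dir/tmp.list`;
my @vtmp  = `find /var/tmp/ -type f | grep -Ef $blacklist_dir/tmp.list`;
my @shm   = `find /dev/shm -type f | grep -Ef $blacklist_dir/shm.list`;
my @mail  = `find /var/mail/ -perm -o+x -type f`;
my @count = `find /var/cpanel/Counters -perm -o+x -type f`;
my @ddos  = `ps faux | grep '/usr/bin/[h]ost'`;
my @root1 = `find /lib/ -type f -name "libkeyutils*" -size +30k`;
my @root2 = `find /lib64/ -type f -name "libkeyutils*" -size +30k`;
# UID/GID-0 accounts not listed in ignore.root.list; if that whitelist is
# missing, grep -vf fails and this check reports nothing, so keep the file present.
my @root3 = `grep ':0:' /etc/passwd | /bin/cut -d':' -f 1 | grep -vf $whitelist_dir/ignore.root.list`;
my @root4 = `/bin/rpm -qi openssh-server | grep -E 'Signature.*none'`;
# Allow for custom unsigned ssh builds; if the customer has one, create the
# "custom_ssh" file below (it can be empty).
@root4 = () if -e "$whitelist_dir/custom_ssh";

my @darkmailer;
if ( -e '/usr/sbin/lsof' ) {
    @darkmailer = `/usr/sbin/lsof -i :25 |grep -vf $whitelist_dir/ignore.smtp.list`;
}

# Environment of each surviving nobody process, keyed by PID.
my %env_of;
for my $line (@nob_exec) {
    # `ps -f` columns are UID PID PPID ...; split ' ' skips leading whitespace.
    my $pid = (split ' ', $line)[1];
    my $env = read_environ($pid);
    $env_of{$pid} = $env if $env;
}

my @files = (@tmp, @vtmp, @shm, @mail, @count, @root1, @root2);

# An array in boolean context is true when non-empty; the old `@x != ""`
# comparisons only worked by accident (0 != 0).
if (@files || @nob_exec || @darkmailer || @root3 || @root4 || @ddos) {
    #### Send me the report.  List-form open: no shell between us and sendmail.
    open my $mail, '|-', $mailprog, '-t'
        or die "Can't access $mailprog: $!\n";
    print {$mail} "To: $recipients\n";
    print {$mail} "From: $host\n";
    print {$mail} "Subject: $host Infect Files\n\n";
    print {$mail} "--- REPORT SUMMARY ---\n";
    print {$mail} "Date: $todays_date\n";
    print {$mail} "--------------------------------------------\n";
    print {$mail} "\n\nNaughty Files\n";
    print {$mail} "-----------------\n";
    print {$mail} "@files";
    print {$mail} "\n\nDarkmailer Check (procs socketed to port 25)\n";
    print {$mail} "-----------------\n";
    print {$mail} "@darkmailer";
    print {$mail} "\n\nUser accounts with UID/GID 0 in /etc/passwd\n";
    print {$mail} "-----------------\n";
    print {$mail} "@root3";
    print {$mail} "\n\nRunning /usr/bin/host spoofed procs\n";
    print {$mail} "-----------------\n";
    print {$mail} "@ddos";
    print {$mail} "\n\nUnsigned openssh-server RPM?\n";
    print {$mail} "-----------------\n";
    print {$mail} "@root4";
    print {$mail} "\n\nRunning Nobody's\n";
    print {$mail} "----------------\n";
    print {$mail} $_ for @nob_exec;
    print {$mail} "\n";
    print {$mail} "\n\nStringed Nobody Procs\n";
    print {$mail} "----------------\n";
    # Sorted so consecutive reports can be diffed.
    for my $pid (sort { $a <=> $b } keys %env_of) {
        print {$mail} "PID: $pid\n";
        for my $envkey (sort keys %{ $env_of{$pid} }) {
            print {$mail} " $envkey: " . $env_of{$pid}{$envkey}, "\n";
        }
        print {$mail} "\n\n";
    }
    # Buffered write errors and a failing sendmail only surface at close.
    close $mail
        or die "closing pipe to $mailprog failed: "
             . ($! ? $! : 'exit status ' . ($? >> 8)) . "\n";
}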
|