Weekly Perl Script

Bill Jones bill at fccj.org
Sat May 29 21:55:18 CDT 1999


On the Jax.PM jacksonville-pm-list;
"Bill Jones" <bill at fccj.org> wrote -


[Fourth issue in a continuing series...]


Hi All :]

As a benefit for the Jacksonville Perl Monger
membership (now at 7 :) I present the Fourth
Issue in the "Weekly Perl Script" series.

Each week, around Saturday or Sunday, I will submit
to the list a Perl Script which does something useful,
but one which isn't too hard to follow along with and
can be modified to attend other tasks.

I will post a script to the Jax-PM listserv and
allow one week for the group to discuss it; after
the week has passed I will either post a follow-up,
one which will help describe the functioning of
the prior week's post or we will move on to a
new script to discuss that week.  Fair enough?

BTW:  The 'other' members may post scripts and/or
questions here as well.  I'm not saying that
any of them will be answered - but together
I am sure we can discover a solution!

Here is this week's offering for your review -
(This week's offering is actually in three
portions: two scripts and some inetd.conf
configuration stuff...)

# Start of script one, called 'sniffer'...
#!/usr/bin/perl -w

#
# Sniffer - Logs attempts to access 'watched' ports...
# (based upon backsniff from the Perl Cookbook...)
# Modifications Copyright (C) FCCJ DSS Sneex 1999; All Rights Reserved...
#
# Install this script (as often as needed) in inetd.conf like this:
#
# echo stream tcp nowait nobody /path/to/script/sniffer sniffer
# (Obviously 'echo', the listed service above, is an example...)
#

use Sys::Syslog;
use Socket;

# identify my (Astro's) port and address...
$sockname  = getsockname(STDIN)
  or die "Couldn't identify myself: $!\n";
($port, $iaddr) = sockaddr_in($sockname);
$my_address = inet_ntoa($iaddr);

# get name of the service we are interested in...
$service = (getservbyport ($port, "tcp"))[0] || $port;

# now identify the REMOTE (probing) address...
$sockname = getpeername(STDIN)
  or die "Couldn't identify the PROBING system: $!\n";
($port, $iaddr) = sockaddr_in($sockname);
$ex_address = inet_ntoa($iaddr);
# reverse lookup may fail; fall back to a string so -w does not emit an
# "uninitialized value" warning (stderr is the client socket under inetd)
$ex_hostname = gethostbyaddr($iaddr, AF_INET) || 'unknown';
#@name_lookup = gethostbyname()
#  or die "Couldn't lookup $ex_hostname: $!\n";
#@resolved_ipAddrs = map { inet_ntoa($_) }
# @name_lookup[ 4 .. $#ips_for_hostname ];

# and finally - log what was found...
openlog("sniffer", "ndelay", "daemon");
syslog("notice", "Connection from %s (%s) to %s:%s\n",
 $ex_address, $ex_hostname, $my_address, $service);
closelog();

print "\nWARNING:  All accesses and attempts are investigated!\n
Attempted access from $ex_address
(possibly hostname:  $ex_hostname) ...\n
Access attempt on ", scalar localtime, ".\n\n
Have A Nice Day!  :]\n";

exit;
# End of script one called 'sniffer'...

###########################################

# Start of second script, called in.fingerd
#!/usr/bin/perl -w

# This script will prevent people from
# using 'finger', when installed
# properly...

use Sys::Syslog;

print "

This server is not allowing finger requests.
If you are having trouble, or need to look up
a user on this server, please contact either
root\@yourhost.here   or
postmaster\@yourhost.here

 Thank you for your understanding in this matter,

 Signed,
 Whomever you are

";

print "This notice was served (and logged) at ", scalar localtime, " local time.\n\n";

# Set the userID, if known...
chomp(my $usrID = `/usr/bin/whoami`);  # strip the trailing newline from the command output
my $target = @ARGV ? $ARGV[0] : 'unknown';

my $mailAdmin   = 'root@localhost'; # Send Log-On Reports to?
my $mailProject = 'root@localhost'; # Responsible for Project?
my $SENDMAIL    = '/usr/lib/sendmail';
# The location of your sendmail binary...

$| = 1;  # Use unbuffered I/O...

open (MAIL, "| $SENDMAIL $mailAdmin") ||
        die ("$0:  Fatal Error!  Cannot open sendmail: $!\n");

print MAIL "Reply-to: $mailProject\n";
print MAIL "From: 'in.fingerd.Tracking.Server'\n";
print MAIL "To: 'localhost.SysAdmin'\n";
print MAIL "Subject: 'fingerd' service request by $usrID\n";
print MAIL "X-Comments: ===== A Message from the $0 application... =====\n";
print MAIL "SECURITY:  Access to $0 by (real $< )(effective $> )\n";

print MAIL "\n"; # To hide 'event' under X-Comments, comment out line...
print MAIL "UserID: $usrID tried \'finger $target\' request on \@ ", scalar localtime; # Who requested what...

#print MAIL "\n";
#print MAIL "Relevant data:\n\n";
#print MAIL `ps -ef ; who ; w ; /top -SnU$usrID`;

print MAIL "\n";
close (MAIL);

# and finally - log what was found...
openlog("in.fingerd", "ndelay", "daemon");
syslog("notice", "Local %s tried %s finger request.\n", $usrID, $target);
closelog();

exit;
# End of second script, called in.fingerd

#########################################

And now the changes you should make to
your /etc/inetd.conf file:

#ident "@(#)inetd.conf 1.22 95/07/14 SMI" /* SVr4.0 1.5 */
# Configuration file for inetd(1M).  See inetd.conf(4).
#
# To re-configure the running inetd process, edit this file, then
# send the inetd process a SIGHUP.
#
# Syntax for socket-based Internet services:
#  <service_name> <socket_type> <proto> <flags> <user> <server_pathname> <args>
#
# Syntax for TLI-based Internet services:
#  <service_name> tli <proto> <flags> <user> <server_pathname> <args>
#
# Some services I have booby-trapped:
#finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
finger stream tcp nowait nobody /usr/sbin/sniffer sniffer
#systat stream tcp nowait root /usr/bin/ps  ps -ef
systat stream tcp nowait nobody /usr/sbin/sniffer sniffer
#netstat stream tcp nowait root /usr/bin/netstat  netstat -f inet
netstat stream tcp nowait nobody /usr/sbin/sniffer sniffer
#echo stream tcp nowait root internal
echo stream tcp nowait nobody /usr/sbin/sniffer sniffer
#
# WARNING:  Syntax may be different for your particular
# Unix/Linux platform...  Research BEFORE changing...
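
An added example of my own (not part of the original post): once the sniffer is wired into
several services as above, the syslog lines it writes can be correlated to spot one source
probing several booby-trapped ports in a short window. The sample log lines and the
BSD-style "Mon DD hh:mm:ss host ident:" syslog prefix are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# One regex for the line the sniffer writes with syslog("notice", "Connection from %s (%s) to %s:%s").
# The "Mon DD hh:mm:ss host ident[pid]:" prefix is the BSD syslog layout, assumed here;
# the hostname field is empty when the reverse lookup failed.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sniffer(?:\[\d+\])?: '
    r'Connection from (?P<src>\S+) \((?P<host>[^)]*)\) to (?P<dst>\S+):(?P<svc>\S+)$')

def parse_line(line, year=1999):
    """Return a dict for a sniffer line, or None for any other syslog line."""
    m = LINE_RE.match(line.rstrip('\n'))
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
    return {"ts": ts, "src": m["src"], "host": m["host"], "dst": m["dst"], "svc": m["svc"]}

def find_scanners(lines, window_seconds=60, min_services=3):
    """Map source address -> sorted booby-trapped services it hit within one window."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_src[rec["src"]].append(rec)
    scanners = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):              # slide a window starting at each hit
            seen = {r["svc"] for r in recs[i:]
                    if (r["ts"] - first["ts"]).total_seconds() <= window_seconds}
            if len(seen) >= min_services:
                scanners[src] = sorted(seen)
                break
    return scanners

# Constructed sample log: one source walks four trapped services, another touches finger once.
SAMPLE_LOG = """\
May 29 21:40:01 astro sniffer: Connection from 10.9.8.7 (probe.example.net) to 192.0.2.10:finger
May 29 21:40:02 astro sniffer: Connection from 10.9.8.7 (probe.example.net) to 192.0.2.10:systat
May 29 21:40:03 astro sniffer: Connection from 10.9.8.7 (probe.example.net) to 192.0.2.10:netstat
May 29 21:40:04 astro sniffer: Connection from 10.9.8.7 (probe.example.net) to 192.0.2.10:echo
May 29 22:15:30 astro sniffer: Connection from 192.0.2.77 () to 192.0.2.10:finger
May 29 22:15:31 astro in.telnetd[212]: connect from 192.0.2.77
"""

if __name__ == "__main__":
    for src, svcs in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed {', '.join(svcs)} within 60s")
```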


Look at them, think it over, and if you have
any questions, please post to the list.

Enjoy!
-Sneex-  :]
_________________________________________________________________________
Bill Jones  | Data Security Specialist | http://www.fccj.org/cgi/mail?dss
FCCJ  |  501 W State St  |  Jacksonville, FL 32202  |  1 (904) 632-3089


The Jacksonville Perl Monger's Group is operated by -
Bill -Sneex- Jones ( sneex at usa.net ),
to whom send all praises, complaints, or comments...