Bugtraq mailing list archives
/tmp event logger
From: lcamtuf () BOSS STASZIC WAW PL (Michal Zalewski)
Date: Sat, 14 Mar 1998 13:09:02 +0100
Due to the excessive number of /tmp races reported in the last months, here's
a /tmp event logger. This simple and small program logs file activity
in a given directory, in a clear, reusable, space-saving format
(including operation, filename, uid/gid, file type, permissions,
current time). It's very useful when you're looking for possible
vulnerabilities, or trying to trace attacks.
--
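#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdlib.h>
#include <dirent.h>
#include <time.h>

#define OPENED_MAX 5000
#define LAG 5                   /* delay between scans, in microseconds */
/* names shorter than 5 characters get an extra tab to keep columns aligned */
#define PAD(x) (strlen(x)<5 ? "\t" : "")

int wannadies=-1;               /* index of the last tracked name, -1 if none */
char* opened[OPENED_MAX];       /* names currently known in the directory */
char present[OPENED_MAX];       /* 1 if the name was seen in the current scan */
time_t costam;

/* scandir() filter, called once per directory entry. Logs entries not seen
   before and always returns 0, so scandir() builds no list of its own. */
int infect(const struct dirent *s) {
  struct stat x;
  int a;
  if (!(strcmp(s->d_name,"..")&&strcmp(s->d_name,"."))) return 0;
  for (a=0;a<=wannadies;a++) if (!strcmp(opened[a],s->d_name)) {
    present[a]=1;
    return 0;
  }
  /* check the table limit before storing the new name */
  if (wannadies+1>=OPENED_MAX) {
    fprintf(stderr,"Out of file handlers, dying...\n");
    exit(-1);
  }
  if (!(opened[wannadies+1]=malloc(strlen(s->d_name)+1))) {
    fprintf(stderr,"Out of memory, dying...\n");
    exit(-1);
  }
  strcpy(opened[++wannadies],s->d_name);
  present[wannadies]=1;
  /* lstat() so that a symlink is logged as a symlink; the entry may
     already be gone again, in which case all fields are logged as 0 */
  if (lstat(s->d_name,&x)) memset(&x,0,sizeof(x));
  time(&costam);
  printf("++ %s%s\t%6o\t%d\t%d\t%ld\t%s",s->d_name,PAD(s->d_name),
         (unsigned)x.st_mode,(int)x.st_uid,(int)x.st_gid,(long)x.st_size,
         ctime(&costam));
  return 0;
}

int main(int argc,char* argv[]) {
  struct dirent **x;
  int a;
  fprintf(stderr,"/tmp watcher 1.0 by <lcamtuf () staszic waw pl>\n");
  if (argc==2) {
    if (chdir(argv[1])) {
      fprintf(stderr,"Can't change to given directory, dying.\n");
      return -1;
    }
    fprintf(stderr,"Using %s.\n",argv[1]);
  } else {
    fprintf(stderr,"No parameter given, using /tmp.\n");
    if (chdir("/tmp")) {
      fprintf(stderr,"Can't change to given directory, dying.\n");
      return -1;
    }
  }
  fprintf(stderr,"\nOP FILENAME\tTYPPRM\tUID\tGID\tSIZE\tTIME\n");
  while (1) {
    bzero(present,sizeof(present));
    x=NULL;
    /* scan the current directory (set by chdir above), not a fixed /tmp */
    if (scandir(".",&x,infect,NULL)>=0) free(x);
    a=0;
    while (a<=wannadies) {
      if (present[a]) { a++; continue; }
      time(&costam);
      printf("-- %s%s\t-\t-\t-\t-\t%s",opened[a],PAD(opened[a]),ctime(&costam));
      free(opened[a]);
      /* move the last entry into the freed slot and recheck that slot */
      opened[a]=opened[wannadies];
      present[a]=present[wannadies];
      wannadies--;
    }
    usleep(LAG);
  }
}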
--
It isn't visual, multimedial, and it hasn't a lot of more or less
useful features. Feel free to modify it...
_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf () boss staszic waw pl]
To iterate is human, to execute recursively - divine [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
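
Added example, not part of the original post: a small C filter that parses records in the logger's "++"/"--" format and flags the additions an auditor would look at first (symlinks, world-writable or set-id regular files). The function name triage, the F_* flags and the sample records are constructed for illustration; the symlink flag can only fire when the logger records lstat() results.

```c
#include <stdio.h>
#include <string.h>
enum { F_SYMLINK = 1, F_WORLD_WRITABLE = 2, F_SETID = 4 };

/* Parse one record "OP NAME<tab(s)>MODE\tUID\tGID\tSIZE\tTIME".
 * Returns a bitmask of F_* for "++", 0 for "--", -1 for anything else.
 * File names are attacker-controlled: a tab in a name changes the field
 * count and the line is rejected; a newline in a name splits the record,
 * so treat the log itself as untrusted input. */
int triage(const char *line, char *name, size_t namelen, long *uid)
{
    char buf[512], *tok, *f[7];
    unsigned mode, type;
    int nf = 0, flags = 0;
    if (strncmp(line, "++ ", 3) != 0 && strncmp(line, "-- ", 3) != 0)
        return -1;
    snprintf(buf, sizeof buf, "%s", line + 3);
    /* strtok() also swallows the extra tab padded after short names */
    for (tok = strtok(buf, "\t\n"); tok && nf < 7; tok = strtok(NULL, "\t\n"))
        f[nf++] = tok;
    if (nf != 6)
        return -1;
    snprintf(name, namelen, "%s", f[0]);
    if (line[0] == '-')
        return 0;                       /* removal: no mode/uid to inspect */
    if (sscanf(f[1], "%o", &mode) != 1 || sscanf(f[2], "%ld", uid) != 1)
        return -1;
    type = mode & 0170000;              /* traditional Unix file-type bits */
    if (type == 0120000) flags |= F_SYMLINK;
    if (type == 0100000 && (mode & 0002)) flags |= F_WORLD_WRITABLE;
    if (type == 0100000 && (mode & 06000)) flags |= F_SETID;
    return flags;
}

int main(void)
{
    /* Constructed sample records, not captured from a real system. */
    const char *recs[] = {
        "++ sess_ab12\t120777\t1001\t100\t11\tSat Mar 14 13:09:02 1998\n",
        "++ x\t\t100666\t0\t0\t0\tSat Mar 14 13:09:03 1998\n",
        "-- x\t\t-\t-\t-\t-\tSat Mar 14 13:09:04 1998\n",
    };
    char name[256]; long uid; size_t i;
    for (i = 0; i < sizeof recs / sizeof recs[0]; i++) {
        int r = triage(recs[i], name, sizeof name, &uid);
        if (r > 0) printf("review: %s (uid %ld, flags %d)\n", name, uid, r);
    }
    return 0;
}
```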
