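#!/usr/local/bin/perl
# Script to check for named exploit
# Written 5/26/98 Robert G. Ferrell
# Revised: 5/27/98 RGF
#
# First run (no baseline file): record a cksum(1) CRC for every watched
# binary found on PATH, plus the running total, in $snc.
# Later runs: recompute the CRCs, compare them with the baseline and mail
# the outcome to $sysadm.
#
# Limits of this check:
#   * cksum(1) is a CRC. It detects accidental change but is not
#     collision-resistant, so a matching CRC is not proof that a binary is
#     untouched. The format is kept so existing baselines stay valid.
#   * The baseline lives on the host it describes. Keep a copy off-host or
#     on read-only media if the result must be trusted after a compromise.
#   * perl, cksum and mailx are themselves trusted by this script.
#   * A missing baseline is handled as a first run, so its creation is
#     mailed too; an unexpected "Baseline created" message means the
#     baseline file was removed.

use strict;
use warnings;

my $snc    = "/usr/lib/sa/snc0";
my $sysadm = qq(my_email_address);

# Binaries recorded when the baseline is created.
my @files = (
    "ifconfig", "inetd",  "ls",      "named", "netstat",
    "ps",       "pstree", "syslogd", "tcpd",  "top",
);

if (-e $snc) {
    verify();
}
else {
    run_chksums();
}
exit 0;

# Locate $name in the absolute directories of $ENV{PATH}.
# Returns the full path of the first executable regular file, or nothing.
# Replaces the shelled-out `which`, whose "no ..." output was both
# platform-specific and returned with a trailing newline.
sub find_in_path {
    my ($name) = @_;
    my $path_env = defined $ENV{PATH} ? $ENV{PATH} : '';
    for my $dir (split /:/, $path_env) {
        # Skip empty and relative entries: they resolve against the
        # current directory, which says nothing about system binaries.
        next unless $dir =~ m{\A/};
        my $candidate = "$dir/$name";
        return $candidate if -f $candidate && -x _;
    }
    return;
}

# Run cksum on $path without a shell and return the CRC field.
# Returns nothing when cksum cannot be run, fails, or prints no CRC.
sub crc_of {
    my ($path) = @_;
    open(my $out, '-|', 'cksum', $path) or return;
    my $line = <$out>;
    my $ok   = close($out);    # false when cksum exits non-zero
    return unless $ok && defined $line;
    my ($crc) = split /\s+/, $line;
    return unless defined $crc && $crc =~ /\A\d+\z/;
    return $crc;
}

# Create the baseline: one "name:crc" line per binary found, followed by
# a final "sum:total" entry. Exits when done.
sub run_chksums {
    my $sum_tot = 0;

    # Make sure the baseline is not created group- or world-writable.
    umask(umask() | 022);

    open(my $cks, '>', $snc) or die "can't create snc0 file: $!";
    for my $file (@files) {
        my $path = find_in_path($file);
        next unless defined $path;    # not installed on this host
        my $crc = crc_of($path);
        unless (defined $crc) {
            warn "cksum failed for $path; not recorded\n";
            next;
        }
        print {$cks} qq/$file:$crc\n/;
        $sum_tot += $crc;
    }
    print {$cks} qq/sum:$sum_tot/;
    close($cks) or die "can't create snc0 file: $!";

    notify(qq/Baseline created in $snc; no comparison was made.\n/);
    exit();
}

##############################################################

# Compare the current CRCs with the baseline and mail the result.
# The baseline is read once; every entry is validated before use.
sub verify {
    my $sum_tot = 0;
    my $alert   = 0;
    my $cks_sum;

    open(my $cks, '<', $snc) or die "can't read snc0 file: $!";
    while (defined(my $line = <$cks>)) {
        chomp $line;
        next if $line eq '';

        my ($cksfile, $ckssum) = split /:/, $line, 2;
        # The baseline is input: accept only a plain file name (no path
        # separators) and a decimal CRC.
        unless (defined $ckssum
            && $ckssum =~ /\A\d+\z/
            && $cksfile =~ /\A[\w.+-]+\z/)
        {
            notify(qq/Malformed entry in $snc!\n/);
            $alert = 1;
            next;
        }

        if ($cksfile eq "sum") {
            $cks_sum = $ckssum;
            next;
        }

        my $path = find_in_path($cksfile);
        my $crc  = defined $path ? crc_of($path) : undef;
        # A recorded binary that has vanished or cannot be checksummed is
        # reported the same way as a changed one.
        unless (defined $crc && $crc == $ckssum) {
            notify(qq/Discrepancy found in $cksfile!\n/);
            $alert = 1;
        }
        $sum_tot += $crc if defined $crc;
    }
    close($cks);

    unless (defined $cks_sum && $cks_sum == $sum_tot) {
        my $recorded = defined $cks_sum ? $cks_sum : 'missing';
        notify(qq/Checksums do not match! ($recorded vs $sum_tot)\n/);
        $alert = 1;
    }
    if ($alert == 0) {
        notify(qq/No file tampering detected.\n/);
    }
    return;
}

# Mail $message to $sysadm with the subject "CKS Status".
# mailx is started without a shell and the text is written to its stdin,
# so "!", "(" and ")" in the messages are never parsed as shell syntax.
sub notify {
    my ($message) = @_;
    my $pid = open(my $mail, '|-', 'mailx', '-s', 'CKS Status', $sysadm);
    unless ($pid) {
        # Say so on stderr rather than lose an alert silently.
        warn "can't run mailx: $!\n";
        return;
    }
    print {$mail} $message;
    close($mail) or warn "mailx did not accept the message\n";
    return;
}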