Due to excessive amount of /tmp races reported last months, here's /tmp event logger. This simple and small program logs file activity in given directory, giving clear, reusable, space-saving format (including operation, filename, uid/gid, file type, permissions, current time). It's very useful when you're looking for possible vunerabilities, or trying to trace attacks. -- #include <stdio.h> #include <sys/types.h> #include <sys/stat.h> #include <unistd.h> #include <stdlib.h> #include <dirent.h> #include <time.h> #define OPENED_MAX 5000 #define LAG 5 #define nopp(x) if (strlen(x)<5) nope='\t'; else nope=0; int wannadies=-1,a; char* opened[OPENED_MAX]; char present[OPENED_MAX],nope; time_t costam; int infect(struct dirent *s) { struct stat x; if (!(strcmp(s->d_name,"..")&&strcmp(s->d_name,"."))) return -1; for (a=0;a<=wannadies;a++) if (!strcmp(opened[a],s->d_name)) { present[a]=1; return -1; } strncpy((opened[++wannadies]=malloc(strlen(s->d_name)+1)),s->d_name, strlen(s->d_name)+1); present[wannadies]=1; if (wannadies>OPENED_MAX) { fprintf(stderr,"Out of file handlers, dying...\n"); exit(-1); } stat(s->d_name,&x); time(&costam); nopp(s->d_name); printf("++ %s%c\t%6o\t%d\t%d\t%d\t%s",s->d_name,nope,x.st_mode, x.st_uid,x.st_gid,x.st_size,ctime(&costam)); return -1; } int foo(struct dirent **a,struct dirent **b) {} int main(int argc,char* argv[]) { struct dirent **x; int a; fprintf(stderr,"/tmp watcher 1.0 by <lcamtufat_private>\n"); if (argc==2) if (chdir(argv[1])) { fprintf(stderr,"Can't change to given directory, dying.\n"); return -1; } else fprintf(stderr,"Using %s.\n",argv[1]); else { fprintf(stderr,"No parameter given, using /tmp.\n"); chdir("/tmp"); } fprintf(stderr,"\nOP FILENAME\tTYPPRM\tUID\tGID\tSIZE\tTIME\n"); while (1) { bzero(present,sizeof(present)); scandir("/tmp",&x,infect,foo); for (a=0;a<=wannadies;a++) if (!present[a]) { time(&costam); nopp(opened[a]); printf("-- %s%c\t-\t-\t-\t-\t%s",opened[a],nope,ctime(&costam)); free(opened[a]); present[a]=present[wannadies]; if (a<wannadies) opened[a]=opened[wannadies--]; else wannadies--; } usleep(LAG); } } -- It isn't visual, multimedial, and it hasn't a lot of more or less useful features. Feel free to modify it... _______________________________________________________________________ Michał Zalewski [tel 9690] | finger 4 PGP [lcamtufat_private] Iterować jest rzeczą ludzką, wykonywać rekursywnie - boską [P. Deustch] =--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:45:25 PDT