Re: Recovering from compromised system

From: Bit Twister (BitTwister_at_localhost.localdomain)
Date: 09/09/03


Date: Tue, 09 Sep 2003 13:14:22 GMT

On Mon, 08 Sep 2003 21:15:38 -0700, Thomas Frayne wrote:
> On Mon, 08 Sep 2003 23:20:26 +0000, Bit Twister wrote:
>
>> On Mon, 08 Sep 2003 14:50:11 -0700, Thomas Frayne wrote:
> ...
>> Yes, here is a perl replacement for gen_ck
>> ---------->8---------->8---------->8---------->8---------->8---------->8
>> #!/usr/bin/perl -w
>> # use strict ;
>>
>> local ($cmd_fn) = "j.ksh" ;
>> local ($lst_fn) = "list_2_ck" ;
>> local ($line) = "" ;
>> local ($ref) = "" ;
>>
>> open (CMD, ">$cmd_fn") or die "Open $cmd_fn Failed - $!" ;
>> open (LST, $lst_fn) or die "Open $lst_fn Failed - $!" ;
>>
>> while (<LST>)
>> {   chomp ; # kill line feed char
>>     $line = $_ ;
>>
>>     next if length ($line) == 0 ; # skip blank lines
>>
>>     $ref = substr ($line, 9) ; # drop the leading "/bad_part"
>>
>>     print CMD "\ncmp $line $ref \n" ;
>>     print CMD "if \[ \$? -ne 0 \] ; then \n" ; # \$? is cmp's exit status
>>     print CMD " echo compare failure\n" ;
>>     print CMD " echo $line \n" ;
>>     print CMD " echo $ref \n" ;
>>     print CMD "fi\n" ;
>> }
>> close (CMD) or die "Close $cmd_fn Failed - $!" ;
>> close (LST) or die "Close $lst_fn Failed - $!" ;
>> ---------->8---------->8---------->8---------->8---------->8---------->8
>
> I hate to keep asking one question after another,

Ask them all at one time. :)

> but this is the first
> perl script I have ever seen, and I would hate even more to learn a new
> language to understand one script. (I'm not that good with bash scripts,
> either.)

http://www.tldp.org/LDP/abs/html/index.html is a good bash script read.

locate .pl might find lots of examples on your box.

That was my problem with the first script I gave you. I did not know
how to substring a variable without playing around with IFS.

> Does opening CMD and LST set it up so print CMD appends lines to j.ksh and
> <LST> goes to 0 when the end of the list is reached?

That is it in a nutshell.

> Is the single ">" correct for appending the lines?

Let's say it indicates CMD is opened for output.

> I don't understand how the "$ref =
> substr ($line, 9) ;" is supposed to transform the filename from badpart
> into the corresponding filename in Auditor.

That command is normal for a lot of substring functions. Since I did
not supply the length of the substring, the function just copies the rest
of the line starting with character 10 on the line, (zero is char 1)
in the substring function.

That is where you will have to append your other reference directory
when it is not just /

Example: the period is the string concatenation operator in perl.
         $ref = "/new_ref_dir" . substr ($line, 9) ;

> What are you assuming about the environment here?

You are running in root's directory.
Perl is installed.
Partition to audit is mounted on /bad_part
list_2_ck contains file names like /bad_part/each/file/to/check/here
The reference files are in the same place on the Auditor system.
j.ksh will be the script to really run the check.

If reference files are somewhere else, you modify $ref to point
to the correct location.

Hey, put a few lines in list_2_ck, run the perl script, cat j.ksh. Example:

/bad_part/root/.bashrc
/bad_part/sbin/addpart
/bad_part/etc/hosts

You may want to modify the perl script to test for the file before comparing.
Here is the new and improved perl script.

---------->8---------->8---------->8---------->8---------->8---------->8
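#!/usr/bin/perl
use strict ;
use warnings ;

my $cmd_fn = "j.ksh" ;      # generated script that really runs the check
my $lst_fn = "list_2_ck" ;  # one /bad_part/... file name per line

# Quote a file name for the generated shell script, so that names taken from
# the suspect partition (spaces, quotes, ;, $(...)) are never run as commands.
sub shq
{   my ($s) = @_ ;
    $s =~ s/'/'\\''/g ;     # ' becomes '\'' inside a single-quoted word
    return "'$s'" ;
}

open (CMD, ">", $cmd_fn) or die "Open $cmd_fn Failed - $!" ;
open (LST, "<", $lst_fn) or die "Open $lst_fn Failed - $!" ;

while (my $line = <LST>)
{   chomp ($line) ;                 # kill line feed char
    next if length ($line) == 0 ;   # skip blank lines

    my $ref = substr ($line, 9) ;   # drop the leading "/bad_part"
    my ($q_line, $q_ref) = (shq ($line), shq ($ref)) ;

    print CMD "\n" ;
    print CMD "if [ ! -e $q_ref ] ; then\n" ;
    print CMD "    echo no reference $q_ref\n" ;
    print CMD "else\n" ;
    print CMD "    cmp $q_line $q_ref\n" ;
    print CMD "    if [ \$? -ne 0 ] ; then\n" ;   # \$? is cmp's exit status
    print CMD "        echo compare failure\n" ;
    print CMD "        echo $q_line\n" ;
    print CMD "        echo $q_ref\n" ;
    print CMD "    fi\n" ;
    print CMD "fi\n" ;
}

close (CMD) or die "Close $cmd_fn Failed - $!" ;
close (LST) or die "Close $lst_fn Failed - $!" ;

exit 0 ;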
---------->8---------->8---------->8---------->8---------->8---------->8
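
Added example, not part of the original post: the same audit done directly in POSIX shell, so that file names from the suspect partition are only ever passed as arguments and never written into a generated script. The function names `audit_list` and `demo` and the temporary sample tree are assumptions made for illustration; the `/bad_part` prefix is removed with `${line#...}` where the Perl script uses `substr`.

```shell
#!/bin/sh
# Added example (not from the original post). audit_list LIST SUSPECT REF_ROOT
#   LIST      file with one path per line, each under SUSPECT
#   SUSPECT   mount point of the partition being audited, e.g. /bad_part
#   REF_ROOT  root of the known-good tree ("" when the references live under /)
# Prints one line per problem; returns 0 if every file matches, 1 otherwise.
audit_list() {
    list=$1 suspect=$2 ref_root=$3 rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue               # skip blank lines
        case $line in
            "$suspect"/*) ;;                     # only paths under the suspect root
            *) echo "SKIPPED (not under $suspect): $line"; rc=1; continue ;;
        esac
        ref=$ref_root${line#"$suspect"}          # same job as substr($line, 9)
        if [ ! -e "$ref" ]; then
            echo "NO REFERENCE: $ref"; rc=1
        elif ! cmp -s -- "$line" "$ref"; then    # names are data, never shell code
            echo "COMPARE FAILURE: $line $ref"; rc=1
        fi
    done < "$list"
    return "$rc"
}

# Constructed sample data: a small suspect tree and reference tree in a temp
# directory, with one altered file and one name containing shell metacharacters.
demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/bad_part/etc" "$t/bad_part/sbin" "$t/ref/etc" "$t/ref/sbin"
    echo "127.0.0.1 localhost" > "$t/bad_part/etc/hosts"
    echo "127.0.0.1 localhost" > "$t/ref/etc/hosts"
    echo "altered"  > "$t/bad_part/sbin/addpart"
    echo "original" > "$t/ref/sbin/addpart"
    echo "x" > "$t/bad_part/etc/a file; echo injected"
    printf '%s\n' "$t/bad_part/etc/hosts" "" "$t/bad_part/sbin/addpart" \
        "$t/bad_part/etc/a file; echo injected" > "$t/list_2_ck"
    audit_list "$t/list_2_ck" "$t/bad_part" "$t/ref" && st=0 || st=$?
    rm -rf "$t"
    return "$st"
}

demo || echo "differences were reported above"
```

The return status lets a caller tell a clean audit from one with mismatches or missing references without parsing the output.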


