[ http://www.rootshell.com/ ] Date: Fri, 13 Mar 1998 23:37:16 +0100 From: Michal Zalewski Subject: /tmp vunerability scanner here's my nice, cute proggy which logs every single event in /tmp or any other given directory in clear and reusable format - it's very useful when you're looking for possible race conditions, attacker's attempts, or anything unusual...

/*
 * /tmp watcher 01
 * ----------------
 * (c) lcamtuf '98
 *
 * Polls a directory (default /tmp) with scandir() in an endless loop and
 * prints one log line per file that appeared ("++", with mode/uid/gid/size)
 * or disappeared ("--"), each stamped with ctime().  Names seen so far are
 * kept in opened[]; present[] is rebuilt on every pass so that entries
 * that have gone away can be reported and dropped.
 *
 * NOTE(review): the header names were lost when the post was rendered (the
 * angle-bracketed names were eaten as HTML tags), so the seven #include
 * lines below are bare.  The code uses printf/fprintf, malloc/free/exit,
 * strcmp/strncpy/strlen, bzero, scandir/struct dirent, stat, time/ctime and
 * chdir, so presumably the originals were <stdio.h>, <stdlib.h>,
 * <string.h>, <strings.h>, <dirent.h>, <sys/stat.h>, <time.h> and
 * <unistd.h> -- confirm against the original post.
 */
#include
#include
#include
#include
#include
#include
#include

/* Capacity of the opened[]/present[] tables (max. distinct names tracked). */
#define OPENED_MAX 10000
/* Poll interval in seconds; not referenced in the visible code -- its use
 * (presumably a sleep(LAG) at the end of the poll loop) lies in the part of
 * main() that is cut off at the end of this page. */
#define LAG 5
/* Sets the global `nope` to an extra '\t' for names shorter than 6 chars so
 * the columns line up, else to 0.  Note printf("%c", 0) still emits a NUL
 * byte into the log line for longer names. */
#define nopp(x) if (strlen(x)<6) nope='\t'; else nope=0;

/* wannadies: index of the last used slot in opened[] (-1 = table empty).
 * a: loop index shared by infect() (main() shadows it with a local). */
int wannadies=-1,a;
/* Names currently known, one malloc()ed string per slot. */
char* opened[OPENED_MAX];
/* present[i] != 0 if opened[i] was seen during the current scandir() pass;
 * nope is the alignment pad set by nopp(). */
char present[OPENED_MAX],nope;
/* Timestamp of the event being logged. */
time_t costam;

/*
 * scandir() selector, used purely for its side effects: records every new
 * entry in opened[]/present[] and logs it as "++".  Returns -1 (non-zero) on
 * every path, so scandir() includes every entry in its result list; that
 * list is never examined by main().
 */
int infect(struct dirent *s) {
  struct stat x;
  /* Skip the "." and ".." entries. */
  if (!(strcmp(s->d_name,"..")&&strcmp(s->d_name,"."))) return -1;
  /* Already known: just mark it as still present. */
  for (a=0;a<=wannadies;a++) if (!strcmp(opened[a],s->d_name)) { present[a]=1; return -1; }
  /* New name: take a slot and copy the name into a fresh buffer.
   * NOTE(review): "s- >d_name" below is a line-wrap artifact of the
   * mailing-list post (read: s->d_name).  More importantly, strncpy() with a
   * count of strlen() never writes the terminating NUL and malloc() does not
   * zero the buffer, so opened[] entries are not guaranteed to be
   * NUL-terminated; the strcmp() above and the printf() in main() can then
   * read past the allocation.  malloc()'s result is also not checked.
   * A bounded form: snprintf(opened[wannadies], strlen(s->d_name)+1, "%s", s->d_name). */
  strncpy((opened[++wannadies]=malloc(strlen(s->d_name)+1)),s->d_name,strlen(s- >d_name));
  present[wannadies]=1;
  /* NOTE(review): the capacity check runs after the write, and with `>`
   * rather than `>=`, so opened[OPENED_MAX] -- one past the end -- is
   * written when the table is full before this fires.  The check belongs
   * before ++wannadies as `if (wannadies+1>=OPENED_MAX)`.  The message is
   * also misleading: no file descriptors are involved, only table slots. */
  if (wannadies>OPENED_MAX) { fprintf(stderr,"Out of file descriptors, dying...\n"); exit(-1); }
  /* NOTE(review): stat() is unchecked.  In a busy /tmp an entry can vanish
   * between scandir() and stat(); x then stays uninitialized and garbage is
   * printed.  Note also that stat() follows symlinks, so for a link planted
   * in a world-writable directory the log shows the target's metadata, not
   * the link's -- lstat() would show the entry itself. */
  stat(s->d_name,&x);
  time(&costam);
  nopp(s->d_name);
  /* ctime() output ends in '\n', hence no newline in the format.
   * NOTE(review): x.st_size is an off_t printed with %d -- a type mismatch
   * (undefined behavior); cast to a matching type or use an explicit width. */
  printf("++ %s%c\t%6o\t%d\t%d\t%d\t%s",s->d_name,nope,x.st_mode, x.st_uid,x.st_gid,x.st_size,ctime(&costam));
  return -1;
}

/* Comparator handed to scandir() for sorting.
 * NOTE(review): the body is empty, so control reaches the end of a non-void
 * function and scandir() (via qsort) reads an indeterminate return value --
 * undefined behavior.  `return 0;` (no ordering) or alphasort fixes it. */
int foo(struct dirent **a,struct dirent **b) {}

/*
 * Entry point.  argv[1], if given, is the directory to watch (chdir'ed
 * into); otherwise /tmp.  Loops forever: each pass clears present[], lets
 * scandir()+infect() mark/log entries, then logs as "--" and frees every
 * known name that was not seen this pass.
 * NOTE(review): the author's e-mail address in the banner was eaten by the
 * HTML rendering (the string ends in "by \n").
 */
int main(int argc,char* argv[]) {
  struct dirent **x;
  int a;
  fprintf(stderr,"/tmp watcher 1.0 by \n");
  /* The first `else` binds to the inner if (dangling-else), which is what
   * is intended here; braces would make that explicit.
   * NOTE(review): chdir("/tmp") in the default branch is unchecked. */
  if (argc==2) if (chdir(argv[1])) { fprintf(stderr,"Can't change to given directory, dying.\n"); return -1; } else fprintf(stderr,"Using %s.\n",argv[1]); else { fprintf(stderr,"No parameter given, using /tmp.\n"); chdir("/tmp"); }
  fprintf(stderr,"\nOP FILENAME\tTYPPRM\tUID\tGID\tSIZE\tTIME\n");
  while (1) {
    bzero(present,sizeof(present));
    /* NOTE(review): the directory is hard-coded as "/tmp" here, while
     * infect() stat()s d_name relative to the cwd set by chdir(argv[1]);
     * with any argument other than /tmp the names come from one directory
     * and the metadata from another.  scandir() should be given "." (or the
     * chosen path) and its return checked.  The result list in x (the array
     * and every entry) is never freed, so it leaks on every pass. */
    scandir("/tmp",&x,infect,foo);
    /* Report and drop every known name that was not seen this pass. */
    for (a=0;a<=wannadies;a++) if (!present[a]) {
      time(&costam);
      nopp(opened[a]);
      printf("-- %s%c\t-\t-\t-\t-\t%s",opened[a],nope,ctime(&costam));
      free(opened[a]);
      /* Swap-remove: pull the last slot's flag down into this one; the
       * matching move of opened[wannadies] presumably follows.
       * The rest of main() is cut off at the end of this page. */
      present[a]=present[wannadies];
      if (a