#!/bin/csh -f # # Walter - the Weekly Watchman # # This script performs weekly security checks. You should run it before # any cleanup or log rotation scripts, or else they might destroy # some evidence of a problem. # # Eric Myers - 18 July 1996 # Department of Physics, University of Michigan, Ann Arbor # Copyright (C) 1996,1998,199 by Eric Myers, all rights reserved. # @(#) $Id: Walter,v 1.106 2005/08/12 14:08:44 myers Exp myers $ ####################################################################### # Set the path just to what is needed, nothing else. set path=( /usr/local/adm /usr/local/bin /usr/local/gnu/bin ) set path=( $path /bin /usr/bin /usr/sbin /usr/ucb /usr/bsd /usr/etc /etc ) # Regexp of log messages that are okay to ignore set OKREGEXP="myers|'root' from meitner|'root' from gibbs" set OKREGEXP="$OKREGEXP|feynman.*sshd\[.*ROOT LOGIN.*physics.lsa.umich.edu" set OKREGEXP="$OKREGEXP|newton.*sshd\[.*ROOT LOGIN.*physics.lsa.umich.edu" set OKREGEXP="$OKREGEXP|session opened for user root by (uid=5844)" ######### umask 037 set TMP=/tmp/Walter.$$-1 set TMP2=/tmp/Walter.$$-2 set LOG=/tmp/Walter.out /bin/rm -f ${LOG} set RCSVERS = \ `echo '$Revision: 1.106 $' | sed -e 's/Revision: //' -e 's/$\(.*\) \$/\1/'` set INDENT="pr -o 8 -t " # This tells find command to ignore /proc, /afs, and /smb set NOFIND=" -path /proc -prune -o -path /afs -prune -o -path /smb -prune -o" ## # MAILX is mail/mailx or mush, with -s for subject # set MAILX="mail -s " # NeXT/Linux/Sun if ( -x /usr/bin/mailx ) then # HP-UX set MAILX="mailx -s " endif if ( -x /usr/local/bin/mush ) then # mush is prefered set MAILX="mush -s " endif ################################################## ## Determine OS setting & find syslogs, mail logs etc ## Find UNAME from uname, if it exists set UNAME=`\which uname` if ( "$#UNAME" == "1" ) then set UNAME=`$UNAME` else set UNAME="Unix" endif set XDEV=" -xdev " # may be " -mount" on some systems? 
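if ( "$UNAME" == "IRIX" ) set XDEV=" -mount"    # IRIX find spells -xdev as -mount
set HOSTNAME=`hostname`                         # may need 'uname -n' instead?

## Find system log files (list all possible) #######
# Every candidate that exists is searched, so one script serves Linux,
# SunOS, HP-UX, NeXT, etc.  A list stays "" when nothing is found and the
# checks below skip it: a grep with no file argument would sit reading
# stdin instead.
set SYSLOGS=""
foreach LOGFILE ( /usr/adm/messages /var/log/messages /var/log/syslog \
                  /var/adm/syslog/syslog.log )
    if ( -f $LOGFILE ) set SYSLOGS=( $SYSLOGS $LOGFILE )
end

set MAILLOG=""
foreach LOGFILE ( /usr/adm/mail.log /var/adm/syslog/mail.log \
                  /usr/spool/mqueue/syslog /var/log/syslog )
    if ( -f $LOGFILE ) set MAILLOG=( $MAILLOG $LOGFILE )
end

set AUTHLOG=""
foreach LOGFILE ( /var/adm/authlog /var/log/authlog /var/adm/sulog \
                  /var/adm/syslog/authlog.log /usr/adm/auth.log /var/adm/syslog/auth.log )
    if ( -f $LOGFILE ) set AUTHLOG=( $AUTHLOG $LOGFILE )
end

##################################################
## @(#)* Check for recently changed setuid root files
## (May help find suid root files in wrong places)
#
# Every check below follows the same pattern: collect hits in $TMP and, if
# anything was found, append a titled section to $LOG.  Only a non-empty
# $LOG is mailed at the end.

# List of places to check:
set SUIDLIST=( /usr/local /var /dev /etc /lib /bin /sbin /lbin )
set SUIDLIST=( $SUIDLIST /usr/bin /usr/lib /usr/etc /usr/sbin )

# How far back to check, e.g. "-ctime -14" goes back 2 weeks.  The inode
# change time is used rather than -mtime: 'chmod u+s' on an existing
# binary leaves mtime alone, and 'cp -p' or 'touch -r' can give a planted
# file any mtime the intruder likes, but all of them bump ctime, which
# cannot be set back without changing the system clock.
set AGE="-ctime -14"

set FARG=""
if ( -x /hp-ux ) set FARG="-hidden"       # HP-UX 9.x hidden files?

cp /dev/null $TMP
foreach DIR ( $SUIDLIST )
    if ( -d $DIR ) then
        find $DIR $XDEV $FARG -user root -perm -4000 $AGE -print >>$TMP
    endif
end

##
# Also check user directories (farther back in time).  A setuid root file
# under a home directory or /tmp has no legitimate reason to exist.
set SUIDLIST=( /users /Users /home /tmp )
set AGE="-ctime -60"        # age in days
foreach DIR ( $SUIDLIST )
    if ( -d $DIR ) then
        find $DIR $XDEV $FARG -user root -perm -4000 $AGE -print >>$TMP
    endif
end

if ( ! -z $TMP ) then
    echo " " >>${LOG}
    echo "### New setuid root files:" >>${LOG}
    echo " " >>${LOG}
    $INDENT $TMP >>${LOG}
    echo " " >>${LOG}
endif
rm -f $TMP

##################################################
## @(#)* Check system log for warnings of crack attempts and the like

cat /dev/null >$TMP

# Look for "crack" attempts in the syslog or mail log, as reported by
# imapd and company, or other suspicious things in the logs.
if ( "${SYSLOGS}" != "" ) then
    grep -ih "break-in attempt" ${SYSLOGS} >>$TMP
    grep -ih "possible SYN flood" ${SYSLOGS} >>$TMP
    grep -ih "unable to glue" ${SYSLOGS} >>$TMP
    grep -ih " crack " ${SYSLOGS} >>$TMP
    grep -ih "getpid : peer died" ${SYSLOGS} >>$TMP
    grep -ih "can't verify hostname" ${SYSLOGS} >>$TMP
    grep -ih "can't get client address" ${SYSLOGS} >>$TMP
    egrep -ih "fingerd.* rejected @" ${SYSLOGS} >>$TMP
endif

if ( "${MAILLOG}" != "" ) then
    grep -ih "break-in attempt" ${MAILLOG} >>$TMP
    grep -ih " crack " ${MAILLOG} >>$TMP
    grep -ih " attack " ${MAILLOG} >>$TMP
    grep -ih "null connection" ${MAILLOG} >>$TMP
    grep -ih "Relaying denied" ${MAILLOG} >>$TMP
endif

if ( "${AUTHLOG}" != "" ) then
    egrep -ih "ALERT|Warning|Notice|denied" ${AUTHLOG} >>$TMP
    grep -ih "request from unauthorized host" ${AUTHLOG} >>$TMP
    grep -ih "tried to create directory" ${AUTHLOG} >>$TMP
endif

# De-duplicate and drop the expected lines.  An empty OKREGEXP would make
# 'egrep -v' discard every line; the preamble always sets it non-empty.
sort $TMP | uniq | egrep -v "$OKREGEXP" > $TMP2
if ( ! -z $TMP2 ) then
    cat <<EOT >>${LOG}

### Crack attempts or suspcicious activity:

The following suspicious entries were found in the system logs,
mail logs, or authorization logs:

EOT
    cat $TMP2 >>${LOG}
    cat <<EOT >>${LOG}

These only indicate suspicious activity, not an actual break-in, but
you should be cautious and investigate.

EOT
endif
rm -f $TMP $TMP2

##################################################
## @(#)* List all failed logins
#
# -h is used on every grep so that, with more than one log file, the
# file-name prefix does not defeat the 'uniq' below.

cat /dev/null >$TMP
if ( "${SYSLOGS}" != "" ) then
    grep -ih "failed login" ${SYSLOGS} >>$TMP            # NeXTStep
    grep -h "REPEATED" ${SYSLOGS} >>$TMP                 # Sun
endif
if ( "${AUTHLOG}" != "" ) then
    grep -ih "repeated login fail" ${AUTHLOG} >>$TMP     # Linux
    grep -ih "failed login" ${AUTHLOG} >>$TMP            # Linux
    grep -ih "invalid password" ${AUTHLOG} >>$TMP        # Linux
    grep -ih "refused connect" ${AUTHLOG} >>$TMP         # tcpd
endif

sort $TMP | uniq | egrep -v "$OKREGEXP" > $TMP2
if ( ! -z $TMP2 ) then
    echo " " >>${LOG}
    echo "### Login failures: " >>${LOG}
    echo " " >>${LOG}
    cat $TMP2 >>${LOG}
    echo " " >>${LOG}
endif
rm -f $TMP $TMP2

##################################################
## @(#)* List all root logins/su to root

cat /dev/null >$TMP
if ( "${SYSLOGS}" != "" ) then
    egrep -ih "su root|BAD SU|ROOT LOGIN" ${SYSLOGS} >>$TMP
    grep -ih "(su) session opened for user root" ${SYSLOGS} >>$TMP
endif
if ( "${AUTHLOG}" != "" ) then
    egrep -ih "su root|BAD SU|ROOT LOGIN" ${AUTHLOG} >>$TMP
    grep -ih "Authentication failed for root" ${AUTHLOG} >>$TMP
    grep -ih "(su) session opened for user root" ${AUTHLOG} >>$TMP
    egrep -ih 'su\[.*root' ${AUTHLOG} >>$TMP
    egrep -h '^SU.*-root$' ${AUTHLOG} >>$TMP             # sulog format
endif

# Note that OKREGEXP also hides root logins by the listed admins here.
sort $TMP | uniq | egrep -v "$OKREGEXP" > $TMP2
if ( ! -z $TMP2 ) then
    cat <<EOT >>$LOG

### Root logins/su:

Root logins and su's to root, extracted from system logs:

EOT
    cat $TMP2 >>${LOG}
    echo " " >>${LOG}
endif
rm -f $TMP $TMP2

##################################################
## @(#)* Look for empty user passwords
#
# The name field is matched as "anything but a colon" instead of
# [[:alnum:]]+, so accounts with '_', '-' or '.' in their names are no
# longer skipped.  NIS compat entries ('+::...' and '-...') are excluded,
# since their empty field is not a password.  /etc/shadow and the BSD
# /etc/master.passwd are checked too when present, because the passwd
# file then carries only a placeholder.

cp /dev/null $TMP
egrep "^[^:+-][^:]*::" /etc/passwd >> $TMP
if ( -f /etc/shadow ) egrep "^[^:+-][^:]*::" /etc/shadow >> $TMP
if ( -f /etc/master.passwd ) egrep "^[^:+-][^:]*::" /etc/master.passwd >> $TMP

if ( ! -z $TMP ) then
    cat <<EOT >>$LOG

### WARNING: empty user password!

It appears that a user on this system has an empty password, which
makes it really easy for someone else to get in and then run a local
exploit.  Here's the evidence:

EOT
    $INDENT $TMP >>${LOG}
    cat <<EOT >>$LOG

You should disable this account and verify that it has not already
been used to break in.

EOT
endif
/bin/rm -f $TMP

##################################################
## @(#)* Look for evidence of t0rnkit rootkit

cp /dev/null $TMP
set nonomatch
set WATCHLIST=( /etc/ttyhash /usr/info/.t0rn /usr/src/.puta )
foreach NAME ( $WATCHLIST )
    if ( -e $NAME ) ls -ld $NAME >>$TMP
end
unset nonomatch

# Presumably the startup hook the kit adds to rc.sysinit is named 'nscd'
# (CERT IN-2000-10 describes it).  The path used to be misspelled as
# /etc/rc.d.rc.sysinit, so this test never actually ran.
if ( -r /etc/rc.d/rc.sysinit ) then
    grep nscd /etc/rc.d/rc.sysinit >>$TMP
endif

if ( ! -z $TMP ) then
    cat <<EOT >>$LOG

### DANGER: Possible intrusion detected

I have found files on this system which are commonly left by intruders
using the 't0rnkit' rootkit to break in to computers, as describe by
CERT Incident Note IN-2000-10.  The files are:

EOT
    $INDENT $TMP >>$LOG
    cat <<EOT >>$LOG

You should investigate further to see if there is other evidence of
intrusion.  For help, see
http://www.cert.org/tech_tips/intruder_detection_checklist.html

EOT
endif
/bin/rm -f $TMP

##################################################
## @(#)* Look for trojan version of util-linux with hacked login

cp /dev/null $TMP
if ( -f /bin/login ) then
    strings /bin/login | grep "HELO" >$TMP
endif

if ( ! -z $TMP ) then
    cat <<EOT >>$LOG

### Possible trojan version of /bin/login detected

It appears that the version of /bin/login on this system may have been
hacked.  Output from the command

    strings /bin/login | grep "HELO"

yields:

EOT
    $INDENT $TMP >>$LOG
    cat <<EOT >>$LOG

A hacked version of the login program was included in a Trojan horse
version of util-linux-2.9g.tar.gz which was placed on at least one ftp
server between January 22, 1999, and January 24, 1999.  This Trojan horse
could have been distributed to mirror FTP sites.  For more information
see CERT Advisory CA-99-02-Trojan-Horses of 5 February 1999.

EOT
endif
/bin/rm -f $TMP

##################################################
## @(#)* Look for evidence of intruders, as per CS-98.04

cp /dev/null $TMP
set nonomatch
set WATCHLIST=( /dev/reset /.ncftp /dev/pfcf* /usr/lib/libsn.a )
foreach FILE ( $WATCHLIST )
    if ( -r $FILE ) then
        ls -l $FILE >>$TMP
    endif
end
unset nonomatch

if ( ! -z $TMP ) then
    cat <<EOT >>$LOG

### Possible Intruder detected

I have found files on this system which are commonly left by intruders
using a 'kit' to break in, as describe by CERT Summary CS-98.04.
The files are:

EOT
    $INDENT $TMP >>$LOG
    cat <<EOT >>$LOG

You should investigate further to see if there is other evidence of
intrusion.  For help, see
ftp://ftp.cert.org/pub/tech_tips/intruder_detection_checklist

EOT
endif
/bin/rm -f $TMP

##################################################
## @(#)* Look for evidence of the 'named w0rm'

cp /dev/null $TMP
find /tmp -name "*w0rm*" -print >>$TMP
grep "w0rm" /etc/passwd >>$TMP

if ( ! -z $TMP ) then
    cat <<EOT >>$LOG

### Possible 'named w0rm' intrusion:

I have found evidence of a break-in using a bug in the 'named' server,
as described in CERT Summary CS-98.05.  This may have lead to the
propagation of a 'worm'.  The break-in script adds a user named 'w0rm'
to /etc/passwd and/or leaves files in /tmp with names containing 'w0rm'.
Here is what I found:

EOT
    $INDENT $TMP >>$LOG
    cat <<EOT >>$LOG

You should investigate further to see if there is other evidence of
intrusion.  For help, see
ftp://ftp.cert.org/pub/tech_tips/intruder_detection_checklist

EOT
endif
/bin/rm -f $TMP

##################################################
## @(#)* Look for possibility of sadmind worm
#
# Only uncommented inetd entries count.  (The report text used to cite
# CA-2000-11 while pointing at the CA-2001-11 URL; the URL is the right one.)

cp /dev/null $TMP
if ( -f /etc/inetd.conf ) then
    grep sadmind /etc/inetd.conf | egrep -v "^#" >>$TMP
endif

if ( ! -z $TMP ) then
    cat <<EOT >>$LOG

### Possible sadmind worm vulnerability:

I have found an entry for 'sadmind' in /etc/inetd.conf.  This means
you may be vulnerable to the sadmind worm, which is described in
CERT Advistory CA-2001-11.  Please review
http://www.cert.org/advisories/CA-2001-11.html
to be sure that you are not vulnerable or have not been comprimised.

EOT
endif
/bin/rm -f $TMP

##################################################
## @(#)* Look for attempts to break in
#
# These greps overlap with the "crack attempts" section above but are
# reported raw, without the OKREGEXP filter.  The SYSLOGS guard matters:
# with no log files the egrep would otherwise read stdin.

cp /dev/null $TMP
set nonomatch

# Look for telling syslog messages:
if ( "${SYSLOGS}" != "" ) then
    egrep -h "SYN flood|unable to glue" $SYSLOGS >>$TMP
    egrep -ih "Dropped invalid comments from header address" $SYSLOGS >>$TMP
endif

# Anything found? Report it.
if ( ! -z $TMP ) then
    cat <<EOT >>$LOG

### Attempted break-in or attack:

The system logs show the following attempts to crack into your system
(they were most likely unsuccesful):

EOT
    $INDENT $TMP >>$LOG
    cat <<EOT >>$LOG

You should investigate further to see if there is other evidence of
intrusion.  For help, see
http://www.cert.org/tech_tips/intruder_detection_checklist.html

EOT
endif
/bin/rm -f $TMP
unset nonomatch

##################################################
## @(#)* Look for evidence of other common root compromises, worms
#
# References: CERT IN-99-05, CERT-CA-99-14, CERT IN-2001-01, CA-2001-01
#             CERT-CA-2003-07

cp /dev/null $TMP
set nonomatch

# Look for new user accounts with reported names or names I've seen.
# Matching lines are appended straight to $TMP so they stay one per line
# (collecting them in a shell variable first ran them together with spaces).
set WATCHLIST=( moof foom bionic Malk2 tox floryn )
foreach ACCT ( $WATCHLIST )
    egrep "^${ACCT}:" /etc/passwd* >>$TMP
end

# Look for certain files or directories commonly installed
# (globbing only allowed on the last line!)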
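set WATCHLIST=( /tmp/bob /dev/bp /dev/sda69 /var/named/AMDROCKS /var/named/O )
set WATCHLIST=($WATCHLIST /var/log/lpd/.stel /bin/prick /tmp/m /tmp/ramen.tgz )
set WATCHLIST=($WATCHLIST /usr/src/.poop /sbin/asp /usr/sbin/asp )
set WATCHLIST=($WATCHLIST /usr/man/man1/man1/lib/.lib/.x /dev/pts/01 )
set WATCHLIST=($WATCHLIST /dev/.lib /usr/src/.put /usr/info/.torn /tmp/.cheese )
set WATCHLIST=($WATCHLIST /dev/.shit /usr/bin/adore /tmp/.unlock.c /tmp/.update.c )
set WATCHLIST=($WATCHLIST /dev/tttyy/.kore /sbin/korelkm.o /usr/src/.vela )
set WATCHLIST=($WATCHLIST /tmp/.*bugtraq* /tmp/.cinik* /usr/.zk )

# The globs above were expanded when the list was built (with nonomatch an
# unmatched pattern stays a literal name, which -e then rejects), so every
# entry here is a single path.  Directories are listed recursively.
foreach FILE ( $WATCHLIST )
    if ( -e $FILE ) ls -latR $FILE >>$TMP
end

# Look for dot files/directories with spaces at the end, which look like
# ordinary entries in a casual listing.  This walk is not limited to one
# filesystem; only /proc, /afs and /smb are pruned via NOFIND.
find / $NOFIND -name '.* ' -exec ls -ld {} \; >> $TMP

# Look for bad stuff in inetd.conf
if ( -e /etc/inetd.conf ) then
    grep /sbin/asp /etc/inetd.conf >>$TMP
endif

# Anything found? Report it.
if ( ! -z $TMP ) then
    cat <<EOT >>$LOG

### Possible Linux break-in or attempted break-in:

I have found evidence of a possible break-in or attempted break-in,
probably using a recent buffer overflow exploit.  Here is what was found:

EOT
    $INDENT $TMP >>$LOG
    cat <<EOT >>$LOG

You should investigate further to see if there is other evidence of
intrusion.  For help, see
http://www.cert.org/tech_tips/intruder_detection_checklist.html

EOT
endif
/bin/rm -f $TMP
unset nonomatch

##################################################
## @(#)* Run tripwire to check for modified files
#
# The tripwire binary, its config and its database all sit on the local
# disk of the machine being checked; after a root compromise all three can
# be edited to agree with each other.  Keep an off-host or read-only copy
# of the database if this section is to be trusted.

set TWEXE=/usr/local/bin/tripwire
set TWDIR=/var/spool/lpd/czech
if ( -d /var/spool/lp/request/czech ) set TWDIR=/var/spool/lp/request/czech
set DATABASE="$TWDIR/databases/tw.db_$HOSTNAME"
set TWFLAGS=" -d $DATABASE -c $TWDIR/tw.config "

cp /dev/null $TMP           # start a log
set TWSTART=""
set TWEND=""
if ( -x $TWEXE ) then
    set TWSTART=`date`
    # stderr is captured as well, so a missing or unreadable database shows
    # up in the report instead of silently yielding an empty section.
    $TWEXE -q $TWFLAGS >& $TMP
    set TWEND=`date`
else
    # Say so rather than silently skipping the integrity check.
    echo "tripwire not found at $TWEXE: file integrity was NOT checked" >$TMP
endif

if ( ! -z $TMP ) then
    echo " " >>${LOG}
    echo "### Tripwire report:" >>${LOG}
    echo " " >>${LOG}
    if ( "$TWSTART" != "" ) echo "START: $TWSTART" >>${LOG}
    cat $TMP >>${LOG}
    if ( "$TWEND" != "" ) echo "ENDED: $TWEND" >>${LOG}
    echo " " >>${LOG}
endif
rm -f $TMP

##################################################
## @(#)* Mail a report to root of anything found
#
# $MAILX is unquoted on purpose: it is "mail -s " (or mailx/mush) and
# must word-split into the command and its flag.

if ( -f $LOG && ! -z $LOG ) then
    (echo "#### Security report for $HOSTNAME from Walter $RCSVERS "; \
     cat $LOG ; \
     echo "#### End of security report for $HOSTNAME from Walter $RCSVERS "; \
    ) | $MAILX "Weekly Security Report for $HOSTNAME" root
endif

##################################################
## Clean up

/bin/rm -f ${LOG} ${TMP} ${TMP2} >/dev/null

# Remove the per-run scratch directory when the preamble created one.
# csh expands every $var on a line before evaluating the test, so the
# "is it set" check has to be a separate, enclosing 'if'.
if ( $?TMPD ) then
    if ( "$TMPD" != "" ) /bin/rm -rf $TMPD
endif

exit 0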