#!/bin/sh
#
# Example script to verify that key system files and binaries are unchanged
# ( a simple first-pass tamper / intrusion check: archive a known-good copy,
#   then compare a checksum of the live files against it from cron )
#
# Initialize the Expected Values
# ------------------------------
#	 CheckSum.sh -init
#
# From Crontab: ( hourly checks at  33 minutes after the hour )
# ------------
#	33 * * * * /usr/scripts/CheckSum.sh
#
#
# xx-Sep-00 s-s Date-of-Birth
# 07-Oct-00 amo Clean and Updated
# 09-Oct-00 amo Added hostname
# 01-Apr-01 amo Added inetd.conf, rc.sysinit
# 02-Apr-01 amo Added *.bin.tgz
# 01-Jun-01 amo Added killall, lsof
# 04-Jun-01 amo Added rm, kill, added echo "diff current "
#
#
# -------------------------------------------------------------------------------
#
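# Name of Program
#
NM="CheckSum.sh"
#
#
# Who to call if a problem
#
# `hostname -d` prints nothing on a host with no configured domain, which
# would leave the invalid address "root@"; strip the dangling "@" so the
# alert still goes to local root.
#
EMAIL="root@$(hostname -d 2>/dev/null)"
EMAIL="${EMAIL%@}"
HOST=$(hostname -f)
#
#
# Pick a secure place....( preferably on removable media )
#
# The archive written here holds a copy of /etc/shadow, so this directory
# must be readable by root only.  Anyone who can rewrite the files in it
# can re-baseline the check, hence removable (ideally write-protected)
# media.  NOTE(review): if the media is not mounted, mkdir below creates a
# plain directory on the root filesystem and that protection is lost.
#
SEC="/mnt/floppy"
#
#
# Some Binaries
#
# These are taken from the (possibly compromised) host, so a capable
# intruder could hide from the check by trojaning tar/sum/diff themselves;
# that is why they are also in the monitored list.  Running the archived
# copies from $SEC instead would close that gap.
#
CAT="/bin/cat"
DIFF="/usr/bin/diff"
LSL="/bin/ls -l"
MAIL="/bin/mail"
#
# Hash used for the tamper check.  The classic 16-bit "sum" is trivially
# collidable and offers no real tamper protection; a cryptographic hash is
# required for this to mean anything.  Re-run "CheckSum.sh -init" after
# changing this (or anything in LIST), or the next check will alarm.
#
SUM="/usr/bin/sha256sum"
TAR="/bin/tar"
#
#
# ====================================================================================
#
# List of files to check
# ======================
#
# Space separated; globs such as /usr/bin/*grep are expanded by the shell
# where LIST is used, so LIST is deliberately left unquoted there.
# Note that /etc/passwd and /etc/shadow are included: any legitimate
# account or password change will trigger an alert until -init is rerun.
#
LST1="/etc/passwd /etc/shadow /etc/inetd.conf /etc/rc.d/rc.sysinit /bin/login /usr/bin/passwd"
LST2="/bin/ls /usr/bin/find /usr/bin/top /usr/bin/w /usr/bin/who /usr/bin/last /usr/bin/*grep"
LST3="/bin/ps /bin/netstat /sbin/ifconfig /sbin/route /usr/sbin/lsof /usr/sbin/traceroute"
LST4="/bin/cat /bin/grep /bin/egrep /bin/rpm /bin/su /bin/tar /usr/sbin/named /usr/bin/diff /usr/bin/sum /bin/mail"
# /bin/mail is already in LST4; listing it twice just archives it twice.
LST5="/usr/sbin/sendmail /usr/bin/pine /usr/bin/elm /usr/bin/mutt"
LST6="/usr/bin/killall /sbin/killall5 /bin/kill /bin/rm"
LIST="$LST1 $LST2 $LST3 $LST4 $LST5 $LST6"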
#
#
# =====================================================================================
#
#
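# Everything written below (including an archive containing /etc/shadow)
# must be readable by root only.
umask 077
#
if [ ! -d "$SEC" ]; then
  # Fail here rather than carry on and write the expected values nowhere.
  # NOTE(review): if $SEC is an unmounted removable-media mount point this
  # silently makes a plain directory on the root filesystem instead.
  mkdir -- "$SEC" || { echo "$NM: ERROR: cannot create $SEC.." >&2; exit 1; }
  chmod 700 "$SEC"
fi
#
#
# Initialize
# -----------
#
# "-init" records the expected state: a tar copy of the monitored files,
# the checksum of that tar stream, and an "ls -l" listing used later to
# report which files changed.
#
if [ "${1:-}" = "-init" ]; then
  #
  # Create a safe local copy of the binaries.  (The name says .tgz but the
  # archive is not compressed; kept for compatibility with existing media.)
  # $LIST is intentionally unquoted: it is a space separated list that may
  # contain globs.
  #
  # shellcheck disable=SC2086
  $TAR -cf "$SEC/$NM.bin.tgz" $LIST
  #
  # Compute the expected value with exactly the pipeline the hourly check
  # uses, so the two are comparable by construction rather than by
  # assuming "tar to a file" and "tar to stdout" produce the same bytes.
  # An empty result means $TAR or $SUM did not run; recording it would make
  # every later check match trivially, so refuse.
  #
  # shellcheck disable=SC2086
  expected=$($TAR -cf - $LIST | $SUM)
  if [ -z "$expected" ]; then
    echo "$NM: ERROR: $SUM produced no output; expected values not written.." >&2
    exit 1
  fi
  echo "$expected" > "$SEC/$NM.sum.txt"
  #
  # shellcheck disable=SC2086
  $LSL $LIST > "$SEC/$NM.ls.txt"
  #
fi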
#
#
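# What should it be
# -----------------
#
if [ -f "$SEC/$NM.sum.txt" ]; then
  res=$($CAT "$SEC/$NM.sum.txt")
else
  echo "" >&2
  echo "$NM: ERROR: Missing $SEC/$NM.sum.txt.." >&2
  echo "" >&2
  exit 1
fi
#
#
# Check what we got for this pass
# -------------------------------
#
# $LIST is intentionally unquoted (space separated list, may contain globs).
#
# shellcheck disable=SC2086
check=$($TAR -cf - $LIST | $SUM)
#
# An empty value on either side means $SUM (or $TAR) did not run or the
# stored file is blank.  Comparing two empty strings would "match" and
# silently switch the check off, so fail loudly instead.
#
if [ -z "$res" ] || [ -z "$check" ]; then
  echo "$NM: ERROR: could not compute checksum on $HOST (is $SUM present?).." >&2
  exit 1
fi
#
if [ "$res" != "$check" ]; then
  #
  # Report which files differ.  This runs as root from cron, and fixed
  # names such as /tmp/foo.txt can be pre-created as symlinks by any local
  # user to make root overwrite an arbitrary file; use mktemp and clean up
  # through the trap on every exit path.
  #
  CUR=$(mktemp "/tmp/$NM.XXXXXX") || exit 1
  RPT=$(mktemp "/tmp/$NM.XXXXXX") || { rm -f -- "$CUR"; exit 1; }
  trap 'rm -f -- "$CUR" "$RPT"' EXIT
  #
  # Current "ls -l" of the monitored files, in the same form as the
  # archived listing so the two diff cleanly.
  #
  # shellcheck disable=SC2086
  $LSL $LIST > "$CUR"
  #
  # Header plus diff in one redirection: the original wrote the header and
  # then truncated it again with ">" before the diff, so it never reached
  # the mail.  Order is current first, archive second, as the header says.
  # A content-only change that preserves size and mtime shows up in the
  # checksum mismatch but not in this listing.
  #
  {
    echo "# "
    echo "# $DIFF current_copy  archive_copy"
    echo "# "
    $DIFF "$CUR" "$SEC/$NM.ls.txt"
  } > "$RPT"
  #
  $MAIL -s "Binaries been Modified - $HOST" "$EMAIL" < "$RPT"
  #
  sync
  #
  echo "" >&2
  echo "$NM: ERROR: Binaries been Modified..$HOST.." >&2
  echo "" >&2
  #
  exit 1
  #
else
  echo ""
  echo "$NM: Seems normal..."
  echo ""
  #
  exit 0
  #
fi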
#
#
# end of file

