#!/usr/local/bin/perl
#
# Brieflog - Give a brief summary of security info in log files.
#	   - Use ARGV[1] to set the log directory, else $Logdir is used
#
#	This program is composed of several subroutines which are called
#	from the main section right at the bottom of the file. Each of the
#	subroutines performs a single task, which may mean that the same
#	log file is opened and reread several times; this is inefficient
#	but makes the program modular. You can comment out the subroutine
#	calls you don't need.
#
#	The program was written to run on a FreeBSD 1.1 system, and so
#	several subroutines will need to be rewritten for other systems.
#	There are also several variables used throughout the program to
#	tailor it for your system, so please read the whole file before
#	putting it to normal use.
#
#	I would like to receive other subroutines for other log data and
#	other systems; collecting these in a single file will help prevent
#	other sysadmins from reinventing the wheel.
#
#	TODO: make lots of @ and % arrays local so they become undefined
#	once a subroutine finishes.
#
#		Warren Toomey	wkt@tuhs.org
#
#		$Date: 1996/01/31 02:00:14 $
#
#
# Log files
#
$Logdir="/var/log";
if ($#ARGV == 0) { $Logdir= $ARGV[0]; }
#
$Tcplog=   "$Logdir/tcplog";	# Log file generated by the TCP Wrappers prog
$Xferlog=  "$Logdir/xferlog";	# Transfer file generated by wu-ftpd 2.x
$Daemlog=  "$Logdir/daemonlog";	# Log file for wu-ftpd 2.x login failures
$Rebootlog="$Logdir/messages";	# Log file for reboot/shutdown messages
$Sulog=    "$Logdir/messages";	# Log file for su attempts
$Cronlog=  "$Logdir/cronlog";	# Log file for crontab
$Loginlog= "$Logdir/messages";	# Log file for login failures
$Maillog=  "$Logdir/maillog";	# Log file for sendmail errors
$Ftplog=   "$Logdir/ftpcmds";	# Log file for wu-ftpd 2.x commands
$Kernlog=  "$Logdir/kernlog";	# Log file for kernel messages
$Weblog=   "$Logdir/httplog";	# Log file for NCSA httpd/Apache
$Portlog=  "$Logdir/kernlog";	# Connection attempts on unused ports
$Pktlog=   "$Logdir/pktlog";	# Log of suspicious packets

###############################################################################
# Subroutines I couldn't get to work on FreeBSD

# Convert an IP address of the form xxxxxxxx to ddd.ddd.ddd.ddd
sub Hextoip {
    local($_, $ip);

    $_= $_[0];
    /^(..)(..)(..)(..)$/;
    $ip= hex($1) . "." . hex($2) . "." . hex($3) . "." . hex($4);
    return($ip);
}

# Load the file /etc/services, used by Getservbyport below
sub Load_Services {
    open(IN, "/etc/services") || die("Can't open /etc/services: $?\n");
    while(<IN>) {
	if (/^#/) { next; }
	($name, $type)= split;
	$_= $type;
	($port, $proto)= split(/\//);
	if ($proto eq "tcp") { $_tcp_services[$port] = $name; }
	if ($proto eq "udp") { $_udp_services[$port] = $name; }
    }
    close(IN);
}

# A replacement for getservbyport, doesn't seem to work right.
sub Getservbyport {
    local(@foo);
    if (!defined(@_tcp_services)) { &Load_Services; }
    if ($_[1] eq "tcp" && defined($_tcp_services[$_[0]])) {
	$foo[0]= $_tcp_services[$_[0]]; $foo[1]="";
	$foo[3]= $_[1]; $foo[2]= $_[0];
    }
    if ($_[1] eq "udp" && defined($_udp_services[$_[0]])) {
	$foo[0]= $_udp_services[$_[0]]; $foo[1]="";
	$foo[3]= $_[1]; $foo[2]= $_[0];
    }
    return(@foo);
}
###############################################################################


#
# do_tcplog: Process and look for security problems in the log file created
# by the TCP Wrapper program.
#
sub do_tcplog {
#
# Read through the tcplog file for basic connect/refusal info.
# Print results for the following services.
#
    $Serv[0]= "ftp"; $Serv[1]= "sendmail"; $Serv[2]= "finger";
    $Serv[3]= "rlogin"; $Serv[4]= "rsh"; $Serv[5]= "telnet";
#
# Initialise stats values
#
    foreach $i (@Serv) { $Conn{$i} =  $Ref{$i} = 0; }
    open(IN, $Tcplog) || print("Cannot open $Tcplog, $!\n");
    while(<IN>) {
        $ref=0; $found=0;
					# Break the line into fields
        ($mon, $day, $time, $host, $serv, $c, $f, $src, $x)= split(/\s+/);
        if ($c eq "refused") { $src= $x; $ref=1; }
        foreach $i (@Serv) {		# Parse for each service
	    if ($i eq substr($serv, 0, length($i))) {
	        $found=1;
	        if ($ref == 1) {
	            $Reflist[$Refcnt++]=
			    sprintf("\t%s %15s %s\n", $time, $serv, $src);
	            $Ref{$i}++;
	        } else {
	            $Conn{$i}++;
	        }
	        last;
            }
        }
        if ($found != 1) {
	    print("Unknown tcp service in $Tcplog: $time $serv from $src\n"); }
    }
    close(IN);
    print("TCP Connections\n");
    print("---------------\n");
    foreach $i (@Serv) {			# Print results
        printf("%9s connections: %5d\t%9s refusals: %5d\n",
							$i,$Conn{$i},$i,$Ref{$i});
    }
    print("\n");
    for ($i=0; $i < $Refcnt; $i++) { print($Reflist[$i]); }
    print("\n\n");
}

#
# do_xferlog: Process and look for security problems in the xfer log file
# created by wu ftpd 2.x
#
sub do_xferlog {
#
# Retrieves from the following directories may be a security risk.
# Deposits ARE a security risk.
#
    $Riskdir[0]="/bin"; $Riskdir[1]="/etc";
#
# Retrieves from the following users may be a risk. Same for deposits.
#
    $Riskuser[0]="root"; $Riskuser[1]="bin"; $Riskuser[2]="adm";
    $Riskuser[3]="toor"; $Riskuser[4]="sys"; $Riskuser[5]="man";
    $Riskuser[6]="mail"; $Riskuser[7]="games"; $Riskuser[8]="daemon";
    $Riskuser[9]="shroot"; $Riskuser[10]="operator"; $Riskuser[11]="sysop";
    $Riskuser[12]="guest"; $Riskuser[13]="field"; $Riskuser[14]="nobody";

    $ftpout = $ftpin = $Anonin = 0;
    $Riskin = $Riskout = 0;
    $Riskuin = $Riskuout = 0;
    open(IN, $Xferlog) || print("Cannot open $Xferlog, $!\n");
    while(<IN>) {
					# Break the line into fields
        ($day, $mon, $day, $time, $year, $txtime, $src, $size, $file, $ttype,
		$how, $io, $grp, $who, $service, $auth, $authwho)= split(/\s+/);

	$Riskio = 0; $Riskuio=0;
        foreach $i (@Riskdir) {		# Parse for risky I/O
	    if ($i eq substr($file, 0, length($i))) { $Riskio = 1; }
	}
        foreach $i (@Riskuser) {	# Parse for risky users
	    if ($i eq $who) { $Riskuio = 1; }
	}
	if ($io eq "o") {
	    $ftpout++;
	    if ($Riskuio == 1) {
		$Riskuoutlist[$Riskuout++] = sprintf("\t%s %s %s %s\n", $time,
						$src, $who, $file);
	    }
	    if ($Riskio == 1) {
		$Riskoutlist[$Riskout++] = sprintf("\t%s %s %s %s\n", $time,
						$src, $who, $file);
	    }
        }
	else {
	    $ftpin++;
	    if ($Riskio == 1) {
		$Riskinlist[$Riskin++] = sprintf("\t%s %s %s %s\n", $time,
						$src, $who, $file);
	    }
	    if ($Riskuio == 1) {
		$Riskuinlist[$Riskuin++] = sprintf("\t%s %s %s %s\n", $time,
						$src, $who, $file);
	    }
	    if ($grp ne "r" ) {
		$Anoninlist[$Anonin++]= sprintf("\t%s %s %s %s\n", $time, $src,
						$who, $file);
	    }
	}
    }
    close(IN);
    print("FTP Transfers\n");
    print("-------------\n");
    print("Total files out: $ftpout\tTotal files in: $ftpin\n");
    if ($Anonin>0) {
        print("Anonymous/guest Uploads: $Anonin\n");
        for ($i=0; $i< $Anonin; $i++) { print($Anoninlist[$i]); }
    }
    if ($Riskout > 0) {
	print("Risky Downloads: $Riskout\n");
        for ($i=0; $i< $Riskout; $i++) { print($Riskoutlist[$i]); }
    }
    if ($Riskin > 0) {
	print("*** EVIL UPLOADS: $Riskin ***\n");
        for ($i=0; $i< $Riskin; $i++) { print($Riskinlist[$i]); }
    }
    if ($Riskuout > 0) {
	print("Risky User Downloads: $Riskuout\n");
        for ($i=0; $i< $Riskuout; $i++) { print($Riskuoutlist[$i]); }
    }
    if ($Riskuin > 0) {
	print("*** Risky User Uploads: $Riskuin ***\n");
        for ($i=0; $i< $Riskuin; $i++) { print($Riskuinlist[$i]); }
    }
    print("\n\n");
}

#
# do_ftpfails: Process and look for security problems in the log file
# that contain ftp login failures
#
sub do_ftpfails {
#
# Failed logins from the following users may be a risk.
#
    $Riskuser[0]="root"; $Riskuser[1]="bin"; $Riskuser[2]="adm";
    $Riskuser[3]="toor"; $Riskuser[4]="sys"; $Riskuser[5]="man";
    $Riskuser[6]="mail"; $Riskuser[7]="games"; $Riskuser[8]="daemon";
    $Riskuser[9]="shroot"; $Riskuser[10]="operator"; $Riskuser[11]="sysop";
    $Riskuser[12]="guest"; $Riskuser[13]="field"; $Riskuser[14]="nobody";
    $Riskuser[15]="fred";

    $Riskuser = 0; $Ftpfails=0;
    open(IN, $Daemlog) || print("Cannot open $Daemlog, $!\n");
    while(<IN>) {
	if (! /ftpd\[/) { next; }
					# Break the line into fields
	($datebit, $failedbit)= split(/\]\:/);
        ($mon, $day, $time, $host, $serv)= split(/\s+/,$datebit);
	($_, $user, $pass)= split(/\s*,\s*/, $failedbit);
	s/failed login from //; $src=$_;
	$_= $pass; s/(.*)\n/$1/; $pass=$_;
	$Ftpfails++;
        foreach $i (@Riskuser) {	# Parse for risky users
	    if ($i eq $user) {
		$Riskuserlist[$Riskuser++] = sprintf("\t%s %s %s\n",
						 $time, $src, $user);
		last;
	    }
	}
    }
    close(IN);
    if ($Ftpfails>0) {
        print("FTP Failed Logins: $Ftpfails\n");
    }
    if ($Riskuser>0) {
        print("Risky FTP Failed Logins: $Riskuser\n");
        for ($i=0; $i<$Riskuser; $i++) { print($Riskuserlist[$i]); }
    }
    if ($Ftpfails || $Riskuser) { printf("\n\n"); }
}

sub do_badftpcmds {
   $Wuftp_ign{"ABOR"}=0; $Wuftp_ign{"ALLO"}=0; $Wuftp_ign{"CDUP"}=0;
   $Wuftp_ign{"CWD"}=0;  $Wuftp_ign{"HELP"}=0; $Wuftp_ign{"LIST"}=0;
   $Wuftp_ign{"MDTM"}=0; $Wuftp_ign{"MODE"}=0; $Wuftp_ign{"NLST"}=0;
   $Wuftp_ign{"NOOP"}=0; $Wuftp_ign{"PASS"}=0; $Wuftp_ign{"PASV"}=0;
   $Wuftp_ign{"PORT"}=0; $Wuftp_ign{"PWD"}=0;  $Wuftp_ign{"QUIT"}=0;
   $Wuftp_ign{"REST"}=0; $Wuftp_ign{"SIZE"}=0; $Wuftp_ign{"STAT"}=0;
   $Wuftp_ign{"STRU"}=0; $Wuftp_ign{"SYST"}=0; $Wuftp_ign{"TYPE"}=0;
   $Wuftp_ign{"USER"}=0; $Wuftp_ign{"RETR"}=0;
   $Wuftp_ign{"gateways$"}=0;
   $Wuftp_ign{"timed out"}=0; $Wuftp_ign{"closed"}=0;
   $Wuftp_ign{"connection from"}=0; $Wuftp_ign{"failed login from"}=0;
   $Wuftp_ign{"not logged in"}=0; $Wuftp_ign{"ANONYMOUS FTP LOGIN"}=0;

    $cmd=0; close(IN);
    open(IN, $Ftplog) || print("Cannot open $Ftplog, $!\n");
    while(<IN>) {
	$j=0;
        foreach $i (keys(%Wuftp_ign)) { if (/$i/) { $j=1; last; } }
        if ($j==1) { next; }
	{ $Badftpcmds[$cmd++]= $_; }
    }
    close(IN);
    if ($cmd>0) {
	print("Bad FTP Commands\n");
	print("----------------\n");
        for ($i=0; $i<$cmd; $i++) { print($Badftpcmds[$i]); }
	print("\n\n");
    }
}


#
# do_reboots: Process and look for security problems in reboots
#
sub do_reboots {
#
# Only these logins can reboot/shutdown
#
    $Rebootuser[0]= "root"; $Rebootuser[1]= "fred";
    $Reboots= $Badreboot= $Okreboot= 0;
    open(IN, $Rebootlog) || print("Cannot open $Rebootlog, $!\n");
    while(<IN>) {
	if (/(\d\d\:\d\d\:\d\d).*reboot\:.*by (\w+)/ ||
	    /(\d\d\:\d\d\:\d\d).*shutdown\:.*by (\w+)\:/) {
		$Reboots++; $j=1;
        	foreach $i (@Rebootuser) {	# Parse for safe users
	    	    if ($i eq $2) {
	 	       $j=0;
		       $Okrebootlist[$Okreboot++]=sprintf("\t%s %s\n", $1, $2);
		       last;
		    }
		}
		if ($j == 1) {
		    $Badrebootlist[$Badreboot++] = sprintf("\t%s %s\n", $1, $2);
		}
	}
    }
    close(IN);
    if ($Reboots || $Badreboot) {
	printf("Shutdowns\n");
	printf("---------\n");
        print("Shutdowns: $Reboots\n");
        if ($Okreboot>0) {
            for ($i=0; $i<$Okreboot; $i++) { print($Okrebootlist[$i]); }
        }
        if ($Badreboot>0) {
	    print("*** Unauthorised Shutdowns: $Badreboot\n");
            for ($i=0; $i<$Badreboot; $i++) { print($Badrebootlist[$i]); }
        }
        printf("\n\n");
    }
}

#
# do_sus: Process and look for security problems in su attempts
#
sub do_sus {
#
# Only these logins can su to root
#
    $Suser[0]= "fred";
    $Sus= $Failedsus= $Evilsus= $Rootsu= 0;
    open(IN, $Sulog) || print("Cannot open $Sulog, $!\n");
    while(<IN>) {
	if (/(\d\d\:\d\d\:\d\d).*su\: (\w+) to (\w+) on (\S+)/) {
		$Sus++;
		if ($3 eq "root") {
		    $Rootsu++;
		    $j=1;
        	    foreach $i (@Suser) {	# Parse for safe users
	    	        if ($i eq $2) { $j=0; }
		    }
		    if ($j == 1) {
		        $Evilsulist[$Evilsu++] =
			      sprintf("\t%s\t%s to %s on %s\n", $1, $2, $3, $4);
		   }
		}
	        next;
	 }
	 if (/(\d\d\:\d\d\:\d\d).*su\: BAD SU (\w+) to (\w+) on (\S+)/) {
		$Sus++;
		if ($3 eq "root") { 
		     $Evilsulist[$Evilsu++] =
		        sprintf("\t%s\tBAD SU %s to %s on %s\n", $1, $2, $3, $4);
		}
	 }
    }
    close(IN);
    print("Su Attempts\n");
    print("-----------\n");
    print("Total sus: $Sus\n");
    print("Root sus: $Rootsu\n");
    if ($Evilsu>0) {
	print("*** Evil Root sus: $Evilsu\n");
        for ($i=0; $i<$Evilsu; $i++) { print($Evilsulist[$i]); }
    }
    printf("\n\n");
}

#
# do_cronlog: Process and look for security problems in crontab activity
#
sub do_cronlog {
    $Cronlist= $Cronreplace=0;
    open(IN, $Cronlog) || print("Cannot open $Cronlog, $!\n");
    while(<IN>) {
	if (/\((\w+)\) LIST \((\w+)\)/) {
	    $usr= $1; $who= $2;
	    $Cronlist++;
	    $Crlist{$who}++;
	    next;
	}
	if (/(\d\d:\d\d:\d\d).*\((\w+)\) REPLACE \((\w+)\)/) {
	    $time= $1; $usr= $2; $who= $3;
	    $Crreplacelist[$Cronreplace++]=
				sprintf("\t%s %s replaces crontab for %s\n",
					$time, $usr, $who);
	    next;
	}
    }
    close(IN);
    if ($Cronlist || $Cronreplace) {
        print("Crontab Details\n");
        print("---------------\n");
	print("Crontab list commands: $Cronlist\n");
	foreach $i (keys(%Crlist)) { print("\t$i: $Crlist{$i}\n"); }
	print("Crontab replace commands: $Cronreplace\n");
	for ($i=0; $i< $Cronreplace; $i++) { print($Crreplacelist[$i]); }
	print("\n\n");
    }
}

#
# do_loginlog: Process and look for login security problems
#
sub do_loginlog {
    $Infails= 0; $cnt=0;
    open(IN, $Loginlog) || print("Cannot open $Loginlog, $!\n");
    while(<IN>) {
	if (/FAILURE/) {
            ($m, $d, $time, $us, $login, $num, $l, $f, $r, $host, $user)= split(/\s+/);
	    $Infails = $Infails + $num;
	    $Faillog[$cnt++] = "\t$time $num from $host $user\n";
	}
    }
    close(IN);
    if ($cnt) {
        print("Login Failures\n");
        print("--------------\n");
	print("$Infails login failures:\n\n");
	for ($i=0; $i<$cnt; $i++) {
	    print("$Faillog[$i]");
	}
        print("\n");
    }
}

#
# do_mailerrs: Check mail logs for potential attacks
#
sub do_mailerrs {

    $Okpipe[0]= "exec /usr/home/prog1";
    $Okpipe[1]= "exec /usr/home/prog2";
    $Okpipe[2]= "exec /usr/home/prog3";
    $Mail_badword[0]="setsender"; $Mail_badword[1]="debug";
    $Mail_badword[2]="wiz";       $Mail_badword[3]="vrfy";
    $Mail_badword[4]="expn";

    $cnt=0;
    open(IN, $Maillog) || print("Cannot open $Maillog, $!\n");
    while(<IN>) {
	foreach $i (@Mail_badword) {
	    if (/$i/i) {
                ($m, $d, $time, $us, $sm, $dbug, $c, $f, $host, $ipaddr)=
								split(/\s+/);
	        $Badmail[$cnt++] = $_;
		last;
	    }
	}
	if(/\|/) {
	    $j=1;
	    foreach $i (@Okpipe) {
		if (index($_, $i) > -1) { $j=0; last; }
	    }
	    if ($j==1) { $Badmail[$cnt++] = $_; }
	}
    }
    close(IN);
    if ($cnt) {
        print("Mail Errors\n");
        print("--------------\n");
	for ($i=0; $i<$cnt; $i++) {
	    print("$Badmail[$i]");
	}
        print("\n");
    }
}

#
# do_badftplog: Check for bad ftp logins
#
sub do_badftplog {
    $cnt=0;
    open(IN, $Ftplog) || print("Cannot open $Ftplog, $!\n");
    while(<IN>) {
	if (/failed login/) {
            ($m, $d, $time, $us, $sm, $f, $l, $f, $host, $ipaddr, $user)= split(/\s+/);
	    $Badftp[$cnt++] = "\t$time, $host $ipaddr $user\n";
	}
    }
    close(IN);
    if ($cnt) {
        print("Ftp Login Errors\n");
        print("----------------\n");
	for ($i=0; $i<$cnt; $i++) {
	    print("$Badftp[$i]");
	}
        print("\n");
    }
}

#
# do_rootexec: Check for bad root execs
#
sub do_rootexec {

    $Minhour= 11;			# 11am to 1pm is okay.
    $Maxhour= 13;
					# These programs are ok
    $Rootok{"ftpd"}= 1;
    $Rootok{"/libexec/ftpd"}=1;
    $Rootok{"/libexec/telnetd"}=1;
    $Rootok{"telnetd"}=1;
    $Rootok{"login"}=1;
    $Rootok{"/libexec/conversd"}=1;
    $Rootok{"/usr/sbin/sendmail"}=1;
    $Rootok{"named-xfer"}=1;

    $cnt=0;
    open(IN, $Kernlog) || print("Cannot open $Kernlog, $!\n");
    while(<IN>) {
	if (/ROOT exec/) {
	    s/\<5\>//g;
            ($m, $d, $time)= split(/\s+/);
	    ($hour, $min, $sec)= split(/:/,$time);
	    if ($hour < $Minhour || $hour > $Maxhour) {
	        s/.*ROOT exec//; s/\n//; $cmd= $_;
		($m, $argv)= split(/\s+/,$cmd);

		if ( $Rootok{$argv} == 1) { next; }
	        $Rootexec[$cnt++] = "$time, $cmd\n";
	    }
	}
    }
    close(IN);
    if ($cnt) {
        print("Out of Hours Root Execs\n");
        print("-----------------------\n");
	for ($i=0; $i<$cnt; $i++) {
	    print("$Rootexec[$i]");
	}
        print("\n");
    }
}

# Read through the kernlog file for connect attempts on unused ports
sub do_portlog {
    $hi_tport=0;  $hi_uport=0; $tcp_noconns=0; $udp_noconns=0;
    open(IN, $Portlog) || print("Cannot open $Portlog, $!\n");
    while(<IN>) {
	if (/Conn attempt/) {
	    if (/131\.236\.21\.221 port 520/) { next; }	# Ignore, local domain
            ($m, $d, $time, $us, $kern, $c, $a, $o, $proto, $p, $dport, $f, $ipaddr, $p, $sport, $f, $flags)= split(/\s+/);
	    if ($proto eq "TCP") {
		if ($dport==20 || $dport==113)
			{ next; }		# Ignore ftp-data conns
		$tcp_noport[$dport]++;
		$tcp_npl[$tcp_noconns++]= $time . " TCP proto " . $dport . " from " . $ipaddr . ", " . $sport . " flags " . $flags;
		if ($dport > $hi_tport) { $hi_tport= $dport; }
	    }
	    if ($proto eq "UDP" && $ipaddr != 0) {
		$udp_noport[$dport]++;
		$udp_npl[$udp_noconns++]= $time . " UDP proto " . $dport . " from " . $ipaddr . ", " . $sport . " flags " . $flags;
		if ($dport > $hi_uport) { $hi_uport= $dport; }
	    }
        }
    }
    close(IN);
    if ($hi_tport > 0) {
  	print("Attempted TCP Port Connects: $tcp_noconns\n");
  	print("--------------------------------\n");
        for ($i=0; $i <= $hi_tport; $i++) {
	    if (defined($tcp_noport[$i])) {
		($name, $aliases, $port, $proto)= &Getservbyport($i, "tcp");
		if ($name ne "") { print("Port $i ($name): $tcp_noport[$i] attempts\n"); }
		else { print("Port $i: $tcp_noport[$i] attempts\n"); }
	    }
    	}
        print("\n");
        for ($i=0; $i <= $tcp_noconns; $i++) { print("\t$tcp_npl[$i]\n"); }
        print("\n");
    }
    if ($hi_uport > 0) {
  	print("Attempted UDP Port Connects: $udp_noconns\n");
  	print("--------------------------------\n");
        for ($i=0; $i <= $hi_uport; $i++) {
	    if (defined($udp_noport[$i])) {
		($name, $aliases, $port, $proto)= &Getservbyport($i, "udp");
		if ($name ne "") { print("Port $i ($name): $udp_noport[$i] attempts\n"); }
		else { print("Port $i: $udp_noport[$i] attempts\n"); }
	    }
    	}
        print("\n");
        for ($i=0; $i <= $udp_noconns; $i++) { print("\t$udp_npl[$i]\n"); }
        print("\n");
    }
}

# Print null sogetopts and Src routing
sub do_nullSrc {
    open(IN, $Kernlog) || print("Cannot open $Kernlog, $!\n");
    while(<IN>) {
	if (/Src/) { print; }
    }
    close(IN); print("\n\n");
}

# Print basic info on suspicious packets
sub do_suspackets {
    open(IN, $Pktlog) || print("Cannot open $Pktlog, $!\n");
    while(<IN>) {
	if (/Pkt/ || /Data/) {
		s/^.......//;		# Remove month, day
		s/minnie.*\]: //;	# and minnie's name
		s/port [0-9]+ to/to/;	# and client's port
		print;
	}
    }
    close(IN); print("\n\n");
}

&do_tcplog;
&do_suspackets;
&do_xferlog;
&do_ftpfails;
&do_badftplog;
&do_badftpcmds;
&do_reboots;
&do_sus;
&do_cronlog;
&do_loginlog;
&do_mailerrs;
&do_rootexec;
&do_portlog;
&do_nullSrc;
exit(0);
