Bugtraq mailing list archives

antizap2.


From: dreamer () garrison inetcan net (Digital Dreamer)
Date: Tue, 8 Oct 1996 22:31:01 -0600


Here's a little utility I wrote to detect if zap2 has been used on your
wtmp file.  I've tested it on Linux and it works fine there, and it
_should_ theoretically work on any other platform that zap2 works on.
It just searches for null blocks in wtmp.  I have another version that
will intelligently warn about UT_UNKNOWNs, null hostnames, etc, so a
simple hack to zap2 won't defeat it, but that one isn't complete yet.
I'll email the url I've put it up at when I complete it.  But until then,
here's az2.c.

-- cut here

/* antizap2, by Digital Dreamer (dreamer () flatline gateway com)
 * this will detect if zap2 has been used on your wtmp file.
 * handy for telling if someone has a) zapped themselves previously
 * on your system, or b) is currently on your system in a zapped state.
 *
 * usage:
 *   az2 tmpfilename [-v]
 *
 * tmpfilename is the filename of either a wtmp or utmp.
 *
 * -v makes it a bit more verbose.
 *
 */

#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* strcmp() */
#include <utmp.h>

void usage(char *st) {
  printf("usage: %s tmpfilename [-v]\n", st);
}

int main(int argc, char **argv) {
  struct utmp inutmp;
  FILE *utmpfile;
  char *stptr;
  int count=0,zflag,i,verbose=0;

  if(argc < 2) {
    usage(argv[0]);
    exit(1);
  }
  if(argc > 2) {
    if(!strcmp(argv[2], "-v")) { /* i didn't think getopt was justified
                                    for only one opt.  what, me
                                    defensive? */
      verbose=1;
    }
  }
  if((utmpfile=fopen(argv[1],"rb")) == NULL) {
    fprintf(stderr,"%s: unable to open %s!\n",argv[0], argv[1]);
    exit(1);
  }
  if (verbose)
    printf("Munching...\n");
  /* loop on fread's return value rather than feof(): feof() only becomes
     true after a read has already failed, so a feof() loop processes the
     last record a second time and can report a phantom zap */
  while(fread(&inutmp, sizeof(inutmp), 1, utmpfile) == 1) {
    stptr=(char *)&inutmp;
    zflag=1;
    for(i=0;i<(int)sizeof(inutmp);i++) {
      if(*stptr++ != '\0') {  /* any non-null byte means a real record */
        zflag=0;
        break;
      }
    }
    if(zflag == 1)
      printf("Zap detected! (count == %d)\n",count);
    if(verbose) {
      printf("%d\r",count);
      fflush(stdout);
    }
    count++;
  }
  fclose(utmpfile);
  if(verbose)
    printf("Done.\n");
  exit(0);
}

-- cut here

Enjoy.

dreamer
--
# mv `which emacs` /vmunix ; shutdown -r now
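An added example, not part of dreamer's post and not az2 itself: a C program that keeps az2's all-null-record check and adds the field-level checks the post says the unfinished version will do, flagging EMPTY (UT_UNKNOWN) records that still carry data and USER_PROCESS records whose user or line field is blank. It assumes a glibc-style <utmp.h> struct utmp with ut_type, ut_pid, ut_user, ut_line and ut_host; classify_record(), scan_records(), scan_file(), demo_scan() and the verdict names are this example's own, and the three sample records are constructed inline rather than taken from a real wtmp.

```c
#include <stdio.h>
#include <string.h>
#include <utmp.h>

/* How one wtmp/utmp record is classified. */
enum verdict { REC_OK = 0, REC_ALL_ZERO = 1, REC_SUSPICIOUS = 2 };

static int all_zero(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != 0) return 0;
    return 1;
}

/* Classify a single record.  An all-zero record is what zap2 leaves
 * behind (az2's check).  A record whose type says "user logged in" but
 * whose user or line field is empty, or an EMPTY-typed record that still
 * carries data, is what a zapper that blanks only a few fields leaves. */
enum verdict classify_record(const struct utmp *u) {
    if (all_zero(u, sizeof *u))
        return REC_ALL_ZERO;
    if (u->ut_type == USER_PROCESS &&
        (u->ut_user[0] == '\0' || u->ut_line[0] == '\0'))
        return REC_SUSPICIOUS;
    if (u->ut_type == EMPTY)        /* fields populated but type cleared */
        return REC_SUSPICIOUS;
    return REC_OK;
}

/* Scan an array of records, print one line per finding, and return how
 * many records were flagged. */
size_t scan_records(const struct utmp *recs, size_t n) {
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++) {
        enum verdict v = classify_record(&recs[i]);
        if (v == REC_ALL_ZERO)
            printf("Zap detected! (record %zu is all zeros)\n", i);
        else if (v == REC_SUSPICIOUS)
            printf("Suspicious record %zu: type %d user '%.*s' line '%.*s'\n",
                   i, (int)recs[i].ut_type,
                   UT_NAMESIZE, recs[i].ut_user, UT_LINESIZE, recs[i].ut_line);
        if (v != REC_OK) flagged++;
    }
    return flagged;
}

/* Scan a file of records.  The loop keys on fread's return value rather
 * than feof(), so the last record is not processed twice.  Returns the
 * number flagged, or -1 if the file cannot be opened. */
long scan_file(const char *path) {
    FILE *fp = fopen(path, "rb");
    if (fp == NULL) return -1;
    struct utmp u;
    long flagged = 0;
    while (fread(&u, sizeof u, 1, fp) == 1)
        if (classify_record(&u) != REC_OK) flagged++;
    fclose(fp);
    return flagged;
}

/* Constructed sample (not a real wtmp): a normal login, a zap2-style
 * all-zero record, and a login record with its username blanked. */
size_t demo_scan(void) {
    struct utmp recs[3];
    memset(recs, 0, sizeof recs);

    recs[0].ut_type = USER_PROCESS;
    recs[0].ut_pid = 1234;
    strcpy(recs[0].ut_line, "pts/0");
    strcpy(recs[0].ut_user, "alice");
    strcpy(recs[0].ut_host, "198.51.100.7");   /* documentation address */

    /* recs[1] stays all zeros: the signature az2 looks for */

    recs[2].ut_type = USER_PROCESS;
    recs[2].ut_pid = 1235;
    strcpy(recs[2].ut_line, "pts/1");
    /* ut_user and ut_host deliberately left empty */

    return scan_records(recs, 3);   /* flags records 1 and 2 */
}

int main(int argc, char **argv) {
    if (argc > 1) {
        long n = scan_file(argv[1]);
        if (n < 0) { perror(argv[1]); return 1; }
        printf("%ld record(s) flagged in %s\n", n, argv[1]);
        return n ? 2 : 0;
    }
    printf("%zu record(s) flagged in the built-in sample\n", demo_scan());
    return 0;
}
```

Run with no arguments to scan the built-in sample, or pass a wtmp or utmp path to scan a file; the exit status is 2 when anything was flagged, so the check can be scheduled from cron. The field-level checks produce no false positives for records written by login(1), which always fills ut_user and ut_line for USER_PROCESS entries, but records written by other tools should be reviewed before treating a hit as proof of tampering.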


