Honeypots mailing list archives
Alternative bash patch
From: paul <xml () mailandnews com>
Date: 17 Mar 2003 15:38:35 +0000
I tried one of the other bash patches and it worked fine for interactive users, but didn't work for non-interactive users, such as someone breaking in to my wu-ftp with 7350wurm. Included is an alternative patch that works either way. Patches ok to bash-2.03 and bash-2.05b. The patch logs to /dev/ttyS0 which is a pipe to my host system in vmware and logged with userver, a simple server for unix domain sockets.

Paul

diff -urN bash-2.05b/eval.c bash-2.05b-log/eval.c --- bash-2.05b/eval.c Tue Mar 12 14:53:36 2002 +++ bash-2.05b-log/eval.c Mon Mar 17 15:22:27 2003 @@ -55,6 +55,24 @@ static void send_pwd_to_eterm __P((void)); static sighandler alrm_catcher __P((int)); +static void logit(WORD_LIST *wp) +{ + char logstr[50]; + int fd; + int nc; + + if (-1 != (fd = open("/dev/ttyS0", 1))) { + nc = sprintf(logstr, "PID=%d UID=%d", getpid(), getuid()); + write(fd, logstr, nc); + for (;wp;wp=wp->next) { + write(fd, " ", 1); + write(fd, wp->word->word, strlen(wp->word->word)); + } + write(fd, "\n", 1); + close(fd); + } +} + /* Read and execute commands until EOF is reached. This assumes that the input source has already been initialized. */ int @@ -266,5 +284,7 @@ set_signal_handler (SIGALRM, old_alrm); } + if (global_command && global_command->type == cm_simple) + (void)logit(global_command->value.Simple->words); return (result); }
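
Review bot: in the first hunk, logit() calls open("/dev/ttyS0", 1) with a bare 1 for the flags and no O_NOCTTY. The device is a tty and the patch is aimed at non-interactive shells, so a shell that is a session leader with no controlling terminal can pick up the serial port as its controlling terminal on this open. Suggest open("/dev/ttyS0", O_WRONLY | O_NOCTTY). The record is also emitted as several separate write() calls with unchecked return values, so records from concurrent shells can interleave on the port, and each wp->word->word is written raw, so an argument containing a newline can forge what looks like a separate log record. Building the whole record in one buffer, escaping control characters and issuing a single write() would address both. The sprintf into logstr[50] fits for 32-bit pid and uid values, but snprintf(logstr, sizeof logstr, ...) would make the bound explicit.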
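
Review bot: in the second hunk, the condition global_command->type == cm_simple means only simple commands reach logit(). Anything parsed as another command type (pipelines, lists joined with ; or &&, loops, conditionals, subshells) returns without a log record, which leaves a gap in what the honeypot captures. Suggest logging every command type, either by walking the command tree or by logging the input as read. The call also ignores result: if a non-zero result means no usable command was read, gate the log on it so a stale global_command is not logged. The (void) cast is unnecessary, since logit() is declared static void.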