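#!/bin/sh
# ... or other sh path
#
# Quick post-compromise checks for a host: looks for a handful of known
# rootkit / backdoor artefacts.  GPL'ed, ~11/2000, sans warranty.  Written
# for Solaris; adapt the binary paths below for other systems.
#
# Run as root (several of the files checked are not world-readable).
#
# CAVEATS -- read before trusting the output:
#  * Every tool this script runs (sh, strings, grep, ls, find) lives on the
#    host being examined.  A rootkit that replaced those tools will lie to
#    you.  Point SAFE_PATH at a directory of known-good (ideally statically
#    linked) tools mounted read-only from CD/NFS before running, e.g.
#        SAFE_PATH=/mnt/cdrom/bin sh this_script
#  * ls/find only show what the system lets them see; a kernel-level rootkit
#    can hide files from everything on the box.  "No hits" is NOT a clean
#    bill of health -- only positive hits are meaningful.
#  * The string signatures below belong to specific trojans of that era and
#    can false-positive.  Confirm a hit by comparing the binary's checksum
#    and size with the vendor package (Solaris: pkgchk -p /path/to/binary)
#    or with a known-good copy before acting on it.
#  * If you find sniffer logs or other evidence, copy them off the machine
#    (preserving timestamps) before touching anything else.

# Use a fixed tool path rather than the caller's PATH; override via
# SAFE_PATH to use trusted tools (see CAVEATS).
PATH="${SAFE_PATH:-/usr/bin:/bin:/usr/sbin:/sbin}"
export PATH

# Unset variables are bugs here; failing greps are expected, so no -e.
set -u

# Warn (but carry on) if not root -- some checks will silently come up
# empty otherwise.  `id` output starts with "uid=0(" for root.
case "`id`" in
  "uid=0("*) ;;
  *) echo "WARNING: not running as root; checks of root-only files may be incomplete" >&2 ;;
esac

# check_strings FILE MARKER
#   Print every printable string in FILE containing MARKER.
#   Returns 0 on a hit, 1 on no hit, 2 if FILE is absent (skipped).
check_strings() {
  if [ ! -f "$1" ]; then
    echo "  $1: not present, skipped"
    return 2
  fi
  # -a scans the whole file, not just initialised data sections, so a
  # marker tucked into an unusual section is not missed.
  if strings -a "$1" | grep -- "$2"; then
    echo "  HIT: $1 contains '$2' -- compare against a known-good copy"
    return 0
  fi
  return 1
}

# Trojaned ssh binary.
# Put in your ssh binary paths accordingly.
echo "trojaned ssh binary?"
check_strings /usr/bin/ssh hMz
check_strings /usr/local/bin/ssh hMz
# If it matches, your ssh is (probably) trojaned -- verify as per CAVEATS.
echo "trojan check done"

# Backdoor in newgrp.
# Put in your newgrp path accordingly.
echo "newgrp backdoor?"
check_strings /usr/bin/newgrp wh33l
check_strings /usr/bin/newgrp c0mpt0n
# If either matches, your newgrp binary has been replaced.
echo "newgrp check done"

# Sniffer logs: in /dev/fds/
echo "sniffer logs?"
if [ -d /dev/fds ] || [ -f /dev/fds ]; then
  ls -la /dev/fds
  # IF YOU FIND SUCH LOGS, back them up off-box and/or have them analysed.
  echo "  HIT: /dev/fds exists -- a sniffer has probably been installed"
else
  echo "  /dev/fds not present"
fi
echo "sniffer log check done"

# Trojaned tcpd (tcp wrappers).
# TODO: not implemented yet

# sadmind exploit: grep sadmind for 'ingreslock'; libgh.so will be on the
# system.  The find over / can take a while.
echo "sadmind exploit?"
check_strings /usr/sbin/sadmind ingreslock
# The same backdoor is commonly planted as an inetd service on the
# ingreslock port; check the inetd config as well where it exists.
if [ -f /etc/inetd.conf ]; then
  if grep ingreslock /etc/inetd.conf; then
    echo "  HIT: ingreslock service in /etc/inetd.conf -- inspect it"
  fi
fi
# Any path printed below is a hit.
find / -name libgh.so -print
echo "sadmind ingreslock check done"

# calfdrop.c
echo "calfdrop.c?"
# Any path printed below is a hit.
find / -name calfdrop.c -print
echo "calfdrop check done"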