Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Home  Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). Confidence 2013 5% Off any SANS course Use Code: SecuriTeam_5 Hack In Paris La Nuit du Hack Subjects of Interest: Vulnerability Management SQL Injection Buffer Overflows Active Network Scanning Fuzzing Fuzzer Report Network Security Network Scanner Pen Testing Security Scanner	TCPLogD, TCP logging daemon. 2 Jan. 1999     Credit: The modified version was provided by: phroid. The original package can be downloaded from: http://cgi.debian.org/www-master/debian.org/Packages/stable/net/iplogger.html. Free Website Security Scan Free Fuzzer Report Vulnerability Assessment Detect web app vulnerabilities University study comparing the top Accurate and automated scanning Get guidance from professionals. 6 commercially availble fuzzers. for networks of any size.    Details Protect your website! Free Trial, Nothing to install. No interruption of visitors. www.beyondsecurity.com/vulnerability-scanner TCPLogD is part of the IPLogger package. The IPLogger package provides two daemons that log all incoming TCP attempts and important ICMP events (ping, source route, etc.) to the syslog. IPLogger has been recently modified by phroid to provide extended functionality, to better detect and log incoming FTP bounce attacks, FIN packet based scans and Null packet based scans. The original source code follows: /* tcplogd.c v 2.1 (20th dic. 1998) for linux by phroid (phroid@cyberdude.com) (a simple hack of Mike Edulla's tcplogger) the difference are: initial release: 0 - compiles on libc5 AND glibc2 system. 1 - stripped ident support (would reveal the logger IMHO!) 2 - added tcp FIN packet logging, they are used in many attacks since 2.1: removed LOG_ALL_FIN option, not useful anymore 3 - added FIN+URG+PUSH packet logging ("Xmas tree scan" attack) 4 - added logging of tcp packets w/o any flag set ("Null scan" attack) write me if you like this or if you are interested in IPdump and IPlogd IPdump is a single packets DETAILED dumper for advanced diagnostic use IPlogd would be the definitive tcp/ip log daemon, supporting tcp, udp, icmp, and even raw data using user defined matching parameters. */ #include <netdb.h> #include <signal.h> #include <stdio.h> #include <arpa/inet.h> #include <fcntl.h> #include <syslog.h> #include <sys/ioctl.h> #ifdef __GLIBC__ #include <net/if.h> #include <netinet/ip.h> #include <netinet/tcp.h> #else #include <stdlib.h> /* some of these were included in the original */ #include <unistd.h> /* but not really needed */ #include <sys/types.h> #include <sys/socket.h> #include <sys/wait.h> #include <sys/stat.h> #include <netinet/in.h> #include <linux/ip.h> #include <linux/tcp.h> #endif extern int errno; #ifndef NOFILE #define NOFILE 1024 #endif int go_background(void); char *hostlookup(unsigned long int); char *servlookup(unsigned short); struct ippkt { struct iphdr ip; struct tcphdr tcp; char buffer[10000]; }pkt; int go_background(void) { int fd; int fs; if(getppid() != 1) { signal(SIGTTOU, SIG_IGN); signal(SIGTTIN, SIG_IGN); signal(SIGTSTP, SIG_IGN); fs=fork(); if(fs < 0) { perror("fork"); exit(1); } if(fs > 0) exit(0); setpgrp(); fd=open("/dev/tty", O_RDWR); if(fd >= 0) { ioctl(fd, TIOCNOTTY, (char *)NULL); close(fd); } } for(fd=0;fd < NOFILE;fd++) close(fd); errno=0; chdir("/"); umask(0); } int main(void) { int s; int i; char tmpbuff[1024]; setuid(0); if(geteuid() != 0) { printf("This program requires root privledges\n"); exit(0); } go_background(); s=socket(AF_INET, SOCK_RAW, 6); openlog("tcplog", 0, LOG_DAEMON); while(1) { read(s, (struct ippkt *)&pkt, 9999); if(pkt.tcp.syn == 1 && pkt.tcp.ack == 0) if(ntohs(pkt.tcp.source) == 20) syslog(LOG_NOTICE, "probable FTPBounce attack detected from %s", hostlookup(pkt.ip.saddr)); else syslog(LOG_NOTICE, "%s connection (SYN) attempt from %s", servlookup(pkt.tcp.dest), hostlookup(pkt.ip.saddr)); if(pkt.tcp.fin == 1 && pkt.tcp.ack == 0) if(pkt.tcp.urg == 1 && pkt.tcp.psh == 1) syslog(LOG_NOTICE, "%s connection (Xmas tree probe) attempt from %s", servlookup(pkt.tcp.dest), hostlookup(pkt.ip.saddr)); else syslog(LOG_NOTICE, "%s connection (FIN) attempt from %s", servlookup(pkt.tcp.dest), hostlookup(pkt.ip.saddr)); if(pkt.tcp.syn == 0 && pkt.tcp.fin == 0 && pkt.tcp.ack == 0 && pkt.tcp.rst == 0 && pkt.tcp.urg == 0 && pkt.tcp.psh == 0) syslog(LOG_NOTICE, "%s connection (Null probe) attempt from %s", servlookup(pkt.tcp.dest), hostlookup(pkt.ip.saddr)); } } char *hostlookup(unsigned long int in) { static char blah[1024]; struct in_addr i; struct hostent *he; i.s_addr=in; he=gethostbyaddr((char *)&i, sizeof(struct in_addr),AF_INET); if(he == NULL) strcpy(blah, inet_ntoa(i)); else strcpy(blah, he->h_name); return blah; } char *servlookup(unsigned short port) { struct servent *se; static char buff[1024]; se=getservbyport(port, "tcp"); if(se == NULL) sprintf(buff, "port %d", ntohs(port)); else sprintf(buff, "%s", se->s_name); return buff; }  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles 'Apache mod_rewrite Vulnerability PoC' 'netsniff-ng - A Linux Network Analyzer and Networking Toolkit' 'Simple Local File Inclusion Exploiter' 'NiX A Linux Brute Forcer' 'Nchop - A TCP Session Splicing Tool Used to Rvade Intrusion Detection Systems' 'Netifera - Modular Open Source Platform for Security Tools' 'WarVOX - Tools for Exploring, Classifying, and Auditing Telephone Systems' 'Webshag - Web Server Audit Tool' 'Browser Fuzzer' 'FSpy - Linux Filesystem Activity Monitoring' 'telnetrecon - Telnet Recon' 'Zerowine Sandbox' 'JPEG Fuzzer' 'VNC Server Fuzzer' 'RSH Fuzzer' 'Exomind' 'Browser Rider' 'MP3 TAG Fuzzer' 'PDFuzzer - PDF File Standard Fuzzer' 'Miranda - UPNP Administration and Audit Tool'  Featured Articles 'MP3 TAG Fuzzer' 'ArpON - ARP Management System' 'PktAnon - Packet Trace Anonymization Tool' 'The Cookie Tools' 'SWFIntruder - Analyzing and Testing Security of Flash' 'SSHatter - SSH Password Brute Forcer' 'FireMaster - Firefox Master Password Recovery' 'BackTrack - a Linux Live Distribution Focused on Penetration Testing' 'MD5CRACK - MD5 Bruteforce Tool' 'Technika - Attack Scripting Environment' 'Windows Live Messenger v8 Password Finder' 'XSS Shell' 'ASP Auditor - Identify Vulnerable ASP.NET Servers' 'SWAAT Web Application Analysis' 'John The Ripper MPI Patch' 'loggy - Advanced Log Cleaner' 'GZIP_Encoding - Tools for Simple Manipulation of Gzip Encoding HTTP Transfers' 'objdump2shellcode - Convert Objdump Into Shell Code' 'r57-pid-check' 'ARP Tools - Collection of ARP Utilities'
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®