|
|
|
|
| |
Credit:
The information has been provided by C.J. Steele, CISSP.
To keep updated with the tool visit the project's homepage at: http://sodaphish.com/files/tattle
|
| |
Tattle is a Perl script that crawls through your SSHd logs (usually /var/log/messages) and finds hosts who've connected to your SSH server. All hosts who connect to your box, and that are not accounted for in the exception list, are reported to the point-of-contact for the domain the host is registered too (where available).
Code:
#!/usr/bin/perl
# tattle by C.J. Steele, CISSP <coreyjsteele@yahoo.com>
# (C)opyright 2005, C.J. Steele, all rights reserved.
#
# NOTICE: you're on your own with whatever 'messes' reporting this sort of
# activity may create...you've been warned.
#
# This script processes log files and attempts to automatically notify domain
# authorities of machines in their domain that are actively performing SSH
# brute-force attacks. Mangle the variables above the warning to your liking,
# but it would be adviseable not to venture past the warning unless you know a
# bit of perl and are comfortable doing so.
#
#
use strict;
use MIME::Lite;
use File::MkTemp;
my $logfile = "/var/log/messages"; #the place where ssh logs to
my $tmpdir = "/tmp"; #for use when we write out our logs
my @exceptions = ( "10.10.10.10", "your.net" ); #domains not to notify of ssh attacks, i.e. your domains
my $smtp_host = "localhost"; #your mail server
my $smtp_sendas = "your\@email.com"; #a VALID e-mail address to send the e-mails out as
my $smtp_message = "An attempt to brute-force account passwords over SSH has been detected by a machine in your domain. Attached are logs indicating the times and dates of the activity. Please take the necessary action(s) to stop this activity. If you have any questions, please reply to this email or contact me at $smtp_sendas."; #the nasty-gram
########################################################################
# DO NOT MUCK AROUND BELOW THIS POINT UNLESS YOU KNOW WHAT YOU'RE DOING
########################################################################
my @offenders = getoffenders( $logfile );
foreach my $offender ( @offenders )
{
my $tld = gettld( $offender );
my @addies = getemails( $tld );
if( scalar( @addies ) )
{
my $logpath = writelogs( getlogs( $offender ) );
foreach my $addie ( @addies )
{
#create the email...
my $email = MIME::Lite->new(
From => "$smtp_sendas",
To => "$addie",
Cc => "$smtp_sendas",
Subject => "SSH Brute-force Attack",
Type => "TEXT",
Data => "$smtp_message"
);
#attach our log files/evidence...
$email->attach(
Type => 'text/plain',
Path => $logpath,
Filename => "$offender.txt"
);
$email->send( 'smtp', "$smtp_host" );
print "I: e-mail sent to $addie ($offender)\n";
} #end foreach
} else {
print "E: no e-mail addresses found for $tld\n";
} #endif
} #end foreach
exit( 0 );
sub getlogs
# this routine parses the log file and finds entries that match the $mark,
# which is passed in as a parameter, and creates an array, each element of
# which is a matching line of the log, the single array is returned.
{
my $mark = shift;
my @logentries = ();
open( LOG, $logfile ) or die( "$!" );
while( <LOG> )
{
chomp();
if( $_ =~ /$mark/ )
{
push( @logentries, $_ );
} #endif
} #end while
close( LOG );
return @logentries;
} #end getlogs()
sub writelogs
# this writes the array of log entries passed via args to a randomly created
# temporary file, the name of which is returned as a single scalar value, with
# fully-qualified path.
{
my @logs = @_;
my $tmpfile = mktemp( "$tmpdir/rptbdgys.XXXXXX" );
open( OUT, ">$tmpfile" ) or die( "$!" );
foreach( @logs )
{
print OUT $_, "\n";
}
close( OUT );
return $tmpfile;
} #end writelogs
sub getoffenders
# this returns an array of offending hostnames from the logfile, except those
# who are listed in the @exceptions array.
{
my $log = shift;
my @offs;
open( LOG, $log ) or die( "$!" );
while( <LOG> )
{
chomp( $_ );
if( $_ =~ /sshd/ and $_ =~ /rhost/ )
{
my @e = split( /\s/, $_ );
my $off = $e[12];
$off =~ s/rhost\=//;
$off =~ s/ruser\=//; #why do I need this?
if( $off ne "" )
{
push( @offs, $off ) if( ! isin( $off, @offs ) and ! isin( $off, @exceptions ) );
} #endif
} #endif
} #endwhile
close( LOG );
return( @offs );
} #end getoffenders()
sub gettld
# this returns a single scalar value containing the top-level domain or
# the ip address fed in. This won't work for a site who's address is
# dom.com.co
{
my $in = shift;
if( $in =~ /[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/ )
{
# its an IP address... try reverse lookup, if that fails, return IP
return $in;
} else {
# its a hostname
my @bits = split( /\./, $in );
my $bitslen = scalar( @bits );
if( $bitslen > 2 )
{
if( length( $bits[$bitslen-1] ) == 2 )
{
# country-level tld
if( length( $bits[$bitslen-2] ) > 3 ){
return "$bits[$bitslen-2].$bits[$bitslen-1]";
} else {
return "$bits[$bitslen-3].$bits[$bitslen-2].$bits[$bitslen-1]";
} #endif
} else {
# tld
return "$bits[$bitslen-2].$bits[$bitslen-1]";
} #endif
} else {
return $in;
} #endif
} #endif
} #end gettld()
sub getemails
# gets a list of unique email addresses that were returned for as part
# of the domain's `whois` records. The results are returned as a
# singular array.
{
my $tld = shift;
my $whois = `/usr/bin/whois $tld`;
my @emailaddies;
foreach( split( /\n/, $whois ) )
{
chomp();
if( $_ =~ /[a-zA-Z0-9]*\@[a-zA-Z0-9]*/ )
{
# the line had an e-mail address in it...
my @bits = split( /\s/, $_ );
foreach my $bit ( @bits )
{
if( $bit =~ /[a-zA-Z0-9]*\@[a-zA-Z0-9]*/ and $bit !~ /\@apnic\.net$/ )
{
push( @emailaddies, $bit ) if( ! isin( $bit, @emailaddies ) );
} #endif
} #end foreach
} #endif
}#end foreach
return @emailaddies;
} #end getemails
sub isin
# this boolean function simply checks to see if an element ($e) is in the
# supplied array (@a) -- it returns 1 if the element is in the array and 0
# otherwise.
{
my( $e, @a ) = @_;
foreach( @a )
{
return 1 if( $e eq $_ );
}
return 0;
} #end isin()
#EOF
|
|
|
| Subject:
|
error |
Date: |
10 Jun. 2006 |
| From: |
ilovespamcogeco.ca |
Can't locate MIME/Lite.pm in @INC (@INC contains: /usr/lib/perl5/5.8.7/i486-linux /usr/lib/perl5/5.8.7 /usr/lib/perl5/site_perl/5.8.7/i486-linux /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl .) at report.pl line 16.
BEGIN failed--compilation aborted at report.pl line 16.
huh?
im stupid........sorry.
DF |
|
| Subject:
|
help |
Date: |
19 Jun. 2006 |
| From: |
ap0k |
install the module
type:
perl -MCPAN -e shell
if you have never used this module you will have to do some configuration. not to hard so don't worry.
once you done with that.
you should get;
cpan>
then type.
cpan> install MIME::Lite
and i should install
hope this helps |
|
|
|
|
|
|
