Thursday, 16 October 2014

fun with probevue...

Today we had a fun problem: someone, or something, keeps modifying the permissions of /tmp on an AIX server with a chmod command (from 777 + sticky bit to 755).
Nothing in .sh_history, nothing in .bash_history either, so I decided to use a simple probevue script to catch the mouse:


darkstar:root:/home/moi# cat pvchmod

/* Prototype of the traced syscall: argument 1 is the path, argument 2 the mode */
int chmod(char *path, int mode);

@@BEGIN
{
}


/* Fires on entry to every chmod() syscall, whatever the calling process */
@@syscallx:*:chmod:entry
{
        __auto String arg[128];
        /* copy the path argument out of user space */
        arg = get_userstring(__arg1, 128);
        if (arg == "/tmp")
        {
                printf("%s sur %s ,pid => %d, ppid => %d , uid => %d \n",__pname,arg,__pid,__ppid, __uid) ;
                /* stop the probevue session after the first hit */
                exit();
        }
}

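A slightly more general variant, added here as an example and not part of the original post: it keeps running instead of exiting on the first hit, also watches /var/tmp, prints the requested mode in octal, and uses a matching exit probe to report whether the chmod actually succeeded. It assumes an AIX release whose ProbeVue supports the syscallx provider and the __thread storage class, the `__euid`, `__rv` and `__errno` built-ins, and that the script is saved as `pvchmod2` (all of these names are assumptions, not from the post).

```vue
/* Added example, not the original pvchmod script. Assumes AIX ProbeVue
 * with the syscallx provider and thread-local (__thread) variables. */

/* Prototype of the traced syscall: argument 1 is the path, argument 2 the mode */
int chmod(char *path, int mode);

/* Set in the entry probe so the exit probe of the same thread knows
 * whether this particular chmod() call targeted a watched directory. */
__thread int watched;

@@BEGIN
{
        printf("watching chmod() on /tmp and /var/tmp ...\n");
}

@@syscallx:*:chmod:entry
{
        __auto String path[128];
        path = get_userstring(__arg1, 128);
        watched = 0;
        if (path == "/tmp" || path == "/var/tmp")
        {
                watched = 1;
                /* __arg2 is the requested mode; %o prints it in octal (e.g. 755) */
                printf("%s (pid %d, ppid %d, uid %d, euid %d) called chmod %o %s\n",
                       __pname, __pid, __ppid, __uid, __euid, __arg2, path);
        }
}

@@syscallx:*:chmod:exit
{
        if (watched)
        {
                /* __rv is the syscall return value: 0 on success, -1 on failure */
                if (__rv == 0)
                        printf("  -> chmod succeeded (pid %d)\n", __pid);
                else
                        printf("  -> chmod failed, errno %d (pid %d)\n", __errno, __pid);
                watched = 0;
        }
}

@@END
{
        printf("stopped watching chmod()\n");
}
```

Because this version never calls exit(), piping it straight into mail would never send anything (mail waits for end of input). Either append the output to a log file, for example `probevue pvchmod2 >> /var/log/chmod_tmp.log`, or read it line by line in a shell loop and send one mail per matching line.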

A simple command to send a mail when the mouse is in the box. Because the script calls exit() after the first match, probevue terminates, mail sees end of input and sends that single line:

darkstar:root:/home/moi# probevue pvchmod | mail -s "chmod on /tmp" moi@gmail.com

Then, from another screen, I tested the trap:

darkstar:root:/home/moi# chmod 755 /tmp
darkstar:root:/home/moi#

It then triggered the following mail:


chmod sur /tmp ,pid => 54460624, ppid => 3080846 , uid => 0

And voilà!