Today we had a fun problem... Someone, or something, is modifying /tmp on an AIX server with the chmod command (from 777 + sticky bit to 755).
Nothing in .sh_history, nor in .bash_history, so I decided to use a simple ProbeVue script to catch the mouse:
darkstar:root:/home/moi# cat pvchmod
/* prototype of the syscall we probe: second argument is the requested mode, not a size */
int chmod(char *path, int mode);
@@BEGIN
{
}
/* fires on entry to every chmod() syscall, from any process */
@@syscallx:*:chmod:entry
{
__auto String arg[128];
/* copy the path argument out of the calling process's address space */
arg = get_userstring(__arg1, 128);
if (arg == "/tmp")
{
printf("%s on %s ,pid => %d, ppid => %d , uid => %d \n",__pname,arg,__pid,__ppid, __uid) ;
/* stop the session after the first hit, which closes stdout and lets mail deliver */
exit();
}
}
A simple command to send a mail when the mouse is in the box (mail only goes out once probevue exits and closes the pipe, hence the exit() in the script; the original `-s moi@gmail.com` would have used the address as the subject and no recipient):
darkstar:root:/home/moi# probevue pvchmod | mail -s "chmod on /tmp" moi@gmail.com
And from another screen, I tried to test the trap.
darkstar:root:/home/moi# chmod 755 /tmp
darkstar:root:/home/moi#
It then triggered the following mail:
chmod on /tmp ,pid => 54460624, ppid => 3080846 , uid => 0
And voilà!
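The script above exits on the first hit and only watches chmod(); a process that opens /tmp and calls fchmod() on the descriptor would slip past it. The following is an added example, not the original post's script, that keeps logging every chmod()/fchmod() aimed at /tmp together with the requested mode, so a recurring culprit is caught each time it strikes. It assumes the AIX ProbeVue syscall probes for chmod and fchmod, the built-ins __arg1/__arg2, __pname, __pid, __ppid and __uid, and a printf that accepts %o for octal like C's:

```vue
/* pvchmod2: added example, assumes AIX ProbeVue syscall probes for chmod() and fchmod() */
int chmod(char *path, int mode);
int fchmod(int fd, int mode);

@@BEGIN
{
    printf("watching chmod()/fchmod() on /tmp ...\n");
}

/* chmod(path, mode): we can read the path, so filter on it */
@@syscall:*:chmod:entry
{
    __auto String path[256];
    path = get_userstring(__arg1, 256);
    if (path == "/tmp")
    {
        /* __arg2 is the mode; 0%o prints it the way it was typed, e.g. 0755 */
        printf("chmod(\"%s\", 0%o) by %s pid => %d, ppid => %d, uid => %d\n",
               path, __arg2, __pname, __pid, __ppid, __uid);
    }
}

/* fchmod(fd, mode): only a descriptor is visible here, so log every call
   and let the operator map fd to a file with procfiles <pid> */
@@syscall:*:fchmod:entry
{
    printf("fchmod(fd => %d, 0%o) by %s pid => %d, ppid => %d, uid => %d\n",
           __arg1, __arg2, __pname, __pid, __ppid, __uid);
}
```

Run it as `probevue pvchmod2 | tee /var/tmp/chmod-trap.log` so the output survives without depending on the pipe closing; the session now ends with Ctrl-C instead of exit(). The ppid in each line is the lead: `ps -fp <ppid>` or `proctree <ppid>` on AIX shows what spawned the chmod, which is usually a cron job or a cleanup script rather than a person.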