
Re: Security - how to notice compromises.



On 24 Feb 2000, at 19:41, Damion Yates wrote:

> > How do folk pick up on attempts at entry to machines?
> 
> More usefully though, check that ls /proc/* |wc -l matches ps waux |wc -l
> correctly, they should always be N lines different, where N is worked out
> before you go on line, i.e. after a fresh install.

I found this a couple of years ago - I think someone posted it to Bugtraq.  
ps written in Perl - it's small enough that it's easy to figure out what 
it's doing, and you may even be able to reproduce it from memory when 
you're familiar with it, just in case you don't trust the ps binary.

Cheers

Richard

---------- Cut here ----------
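#! /usr/bin/perl
# Minimal ps: print each PID found in /proc with its command line.
opendir(D, '/proc') || die "cannot open /proc: $!";
while (defined ($_ = readdir(D))) {
    next unless /^\d+$/;                   # numeric entries are PIDs
    open(F, "/proc/$_/cmdline") || next;   # process may already have exited
    local($/) = "\0";                      # arguments are NUL-terminated
    $did = 0;
    while (defined ($l = <F>)) {
        chomp($l);                         # strip the NUL from the argument, not from $_
        print "$_: " unless $did++;
        print "$l ";                       # space-separate the arguments
    }
    close(F);
    print "$_: (none)" unless $did;        # empty cmdline, e.g. a kernel thread
    print "\n";
}
closedir(D);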
---------- Cut here ----------


---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.
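
The /proc-versus-ps comparison from the quoted suggestion, done per PID rather than by line count, as an added example that is not part of the original message. The function names are hypothetical, the sample PIDs are constructed, and `ps -e -o pid=` assumes a POSIX ps.

```shell
#!/bin/sh
# Added example: per-PID form of the /proc-versus-ps comparison.
# Function names are hypothetical; the sample PIDs are constructed.
LC_ALL=C; export LC_ALL            # same collation for sort and comm

proc_pids() {                      # PIDs the kernel lists under /proc
    for d in /proc/[0-9]*; do
        if [ -d "$d" ]; then echo "${d#/proc/}"; fi
    done | sort -u
}

ps_pids() {                        # PIDs the installed ps binary reports
    ps -e -o pid= | tr -d ' ' | sort -u
}

# hidden_from_ps BEFORE AFTER PSLIST
# Prints PIDs present in both /proc snapshots but missing from the ps list.
# Requiring both snapshots filters out processes that merely started or
# exited while ps was running.
hidden_from_ps() {
    comm -12 "$1" "$2" | comm -23 - "$3"
}

describe() {                       # PID plus its command line, read from /proc
    printf '%s: ' "$1"
    if [ -r "/proc/$1/cmdline" ]; then tr '\0' ' ' < "/proc/$1/cmdline"; fi
    echo
}

t=$(mktemp -d) || exit 1
if [ "${1:-}" = "--live" ]; then   # snapshot /proc on both sides of the ps run
    proc_pids > "$t/before"; ps_pids > "$t/ps"; proc_pids > "$t/after"
    hidden_from_ps "$t/before" "$t/after" "$t/ps" |
        while read -r pid; do describe "$pid"; done
else                               # constructed lists: ps omits PID 314
    printf '%s\n' 1 200 314 4000 > "$t/before"
    printf '%s\n' 1 200 314 5000 > "$t/after"
    printf '%s\n' 1 200 4000 5000 > "$t/ps"
    hidden_from_ps "$t/before" "$t/after" "$t/ps"
fi
rm -rf "$t"
```

Run with `--live` to check the current machine; with no argument it runs on the constructed lists. It only covers a ps binary that hides processes, since the /proc listing itself comes from the kernel and a compromised kernel can omit entries there too.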