diff options
Diffstat (limited to 'scripts/idrlogin.perl')
-rwxr-xr-x | scripts/idrlogin.perl | 201 |
1 files changed, 201 insertions, 0 deletions
diff --git a/scripts/idrlogin.perl b/scripts/idrlogin.perl new file mode 100755 index 0000000..d244dc7 --- /dev/null +++ b/scripts/idrlogin.perl @@ -0,0 +1,201 @@ +#!/usr/local/bin/perl +# +# $Id: idrlogin.perl,v 1.5 2001/11/18 12:20:46 abe Exp $ +# +# idrlogin.perl -- sample Perl script to identify the network source of a +# network (remote) login via rlogind, sshd, or telnetd + + +# IMPORTANT DEFINITIONS +# ===================== +# +# 1. Set the interpreter line of this script to the local path of the +# Perl executable. + + +# +# Copyright 1997 Purdue Research Foundation, West Lafayette, Indiana +# 47907. All rights reserved. +# +# Written by Victor A. Abell +# +# This software is not subject to any license of the American Telephone +# and Telegraph Company or the Regents of the University of California. +# +# Permission is granted to anyone to use this software for any purpose on +# any computer system, and to alter it and redistribute it freely, subject +# to the following restrictions: +# +# 1. Neither the authors nor Purdue University are responsible for any +# consequences of the use of this software. +# +# 2. The origin of this software must not be misrepresented, either by +# explicit claim or by omission. Credit to the authors and Purdue +# University must appear in documentation and sources. +# +# 3. Altered versions must be plainly marked as such, and must not be +# misrepresented as being the original software. +# +# 4. This notice may not be removed or altered. + +# Initialize variables. + +$dev = $name = $proto = ""; # fd variables +$fdst = 0; # fd state +$pidst = 0; # process state +$cmd = $login = $pid = $ppid = ""; # process var. + +# Set path to lsof. + +if (($LSOF = &isexec("../lsof")) eq "") { # Try .. first + if (($LSOF = &isexec("lsof")) eq "") { # Then try . and $PATH + print "can't execute $LSOF\n"; exit 1 + } +} + +# Open a pipe from lsof. + +open(P, "$LSOF -R -FcDfLpPRn|") || die "Can't pipe from $LSOF\n"; + +# Process the ``lsof -FcDfLpPRn'' output a line at a time + +while (<P>) { + chop; + if (/^p(.*)/) { + +# A process set begins with a PID field whose ID character is `p'. + + $tpid = $1; + if ($pidst && $fdst) { &save_proc } + $pidst = 1; + $pid = $tpid; + $cmd = $login = $ppid = ""; + $fdst = 0; + $dev = $name = $proto = ""; + next; + } + +# Save process-related values. + + if (/^c(.*)/) { $cmd = $1; next; } + if (/^L(.*)/) { $login = $1; next; } + if (/^R(.*)/) { $ppid = $1; next; } + +# A file set begins with a file descriptor field. + + if (/^f/) { + if ($pidst && $fdst) { &save_proc } + $fdst = 0; + $dev = $name = $proto = ""; + next; + } + +# Accumulate file information. + + if (/^D(.*)/) { $dev = $1; next; } + if (/^P(.*)/) { $proto = $1; next; } + if (/^n(.*)/) { $name = $1; $fdst = 1; next; } +} + +# Flush any stored file or process output. + +if ($pidst && $fdst) { &save_proc } + +# List the shell processes that have rlogind/sshd//telnetd parents. + +$hdr = 0; +foreach $pid (sort keys(%shcmd)) { + $p = $pid; + if (!defined($raddr{$pid})) { + for ($ff = 0; !$ff && defined($Ppid{$p}); ) { + $p = $Ppid{$p}; + if ($p < 2 || defined($raddr{$p})) { $ff = 1; } + } + } else { $ff = 2; } + if ($ff && defined($raddr{$p})) { + if (!$hdr) { + printf "%-8.8s %-8.8s %6s %-10.10s %6s %-10.10s %s\n", + "Login", "Shell", "PID", "Via", "PID", "TTY", "From"; + $hdr = 1; + } + printf "%-8.8s %-8.8s %6d %-10.10s %6s %-10.10s %s\n", + $shlogin{$pid}, $shcmd{$pid}, $pid, + ($ff == 2) ? "(direct)" : $rcmd{$p}, + ($ff == 2) ? "" : $p, + ($shtty{$pid} eq "") ? "(unknown)" : $shtty{$pid}, + $raddr{$p}; + } +} +exit(0); + + +# save_proc -- save process information +# Values are stored inelegantly in global variables. + +sub save_proc { + if ($cmd eq "" + || $login eq "" + || $ppid eq "" + || $pid eq "" + || $name eq "" + ) { return; } + if (!defined($Ppid{$pid})) { $Ppid{$pid} = $ppid; } + if ($proto eq "TCP" + && (($cmd =~ /rlogind/) || ($cmd =~ /sshd/) || ($cmd =~ /telnetd/))) { + if (defined($raddr{$pid})) { return; } + if (($name =~ /[^:]*:[^-]*->([^:]*):.*/)) { + $raddr{$pid} = $1; + $rcmd{$pid} = $cmd; + return; + } + } + if (($cmd =~ /.*sh$/)) { + if (defined($shcmd{$pid})) { return; } + if ($proto eq "TCP") { + if (defined($raddr{$pid})) { return; } + if (($name =~ /[^:]*:[^-]*->([^:]*):.*/)) { + $raddr{$pid} = $1; + $shcmd{$pid} = $cmd; + $shlogin{$pid} = $login; + } + } + if (($name =~ m#/dev.*ty.*#)) { + ($tty) = ($name =~ m#/dev.*/(.*)#); + } elsif (($name =~ m#/dev/(pts/\d+)#)) { + $tty = $1; + } elsif (($name =~ m#/dev.*pts.*#)) { + $d = oct($dev); + $tty = sprintf("pts/%d", $d & 0xffff); + } else { return; } + } else { return; } + $shcmd{$pid} = $cmd; + $shtty{$pid} = $tty; + $shlogin{$pid} = $login; +} + + +## isexec($path) -- is $path executable +# +# $path = absolute or relative path to file to test for executabiity. +# Paths that begin with neither '/' nor '.' that arent't found as +# simple references are also tested with the path prefixes of the +# PATH environment variable. + +sub +isexec { + my ($path) = @_; + my ($i, @P, $PATH); + + $path =~ s/^\s+|\s+$//g; + if ($path eq "") { return(""); } + if (($path =~ m#^[\/\.]#)) { + if (-x $path) { return($path); } + return(""); + } + $PATH = $ENV{PATH}; + @P = split(":", $PATH); + for ($i = 0; $i <= $#P; $i++) { + if (-x "$P[$i]/$path") { return("$P[$i]/$path"); } + } + return(""); +} |