1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
|
#!/usr/local/bin/perl
#
# $Id: idrlogin.perl,v 1.5 2001/11/18 12:20:46 abe Exp $
#
# idrlogin.perl -- sample Perl script to identify the network source of a
# network (remote) login via rlogind, sshd, or telnetd
# IMPORTANT DEFINITIONS
# =====================
#
# 1. Set the interpreter line of this script to the local path of the
# Perl executable.
#
# Copyright 1997 Purdue Research Foundation, West Lafayette, Indiana
# 47907. All rights reserved.
#
# Written by Victor A. Abell
#
# This software is not subject to any license of the American Telephone
# and Telegraph Company or the Regents of the University of California.
#
# Permission is granted to anyone to use this software for any purpose on
# any computer system, and to alter it and redistribute it freely, subject
# to the following restrictions:
#
# 1. Neither the authors nor Purdue University are responsible for any
# consequences of the use of this software.
#
# 2. The origin of this software must not be misrepresented, either by
# explicit claim or by omission. Credit to the authors and Purdue
# University must appear in documentation and sources.
#
# 3. Altered versions must be plainly marked as such, and must not be
# misrepresented as being the original software.
#
# 4. This notice may not be removed or altered.
# Initialize variables.
$dev = $name = $proto = ""; # fd variables
$fdst = 0; # fd state
$pidst = 0; # process state
$cmd = $login = $pid = $ppid = ""; # process var.
# Set path to lsof.
if (($LSOF = &isexec("../lsof")) eq "") { # Try .. first
if (($LSOF = &isexec("lsof")) eq "") { # Then try . and $PATH
print "can't execute $LSOF\n"; exit 1
}
}
# Open a pipe from lsof.
open(P, "$LSOF -R -FcDfLpPRn|") || die "Can't pipe from $LSOF\n";
# Process the ``lsof -FcDfLpPRn'' output a line at a time
while (<P>) {
chop;
if (/^p(.*)/) {
# A process set begins with a PID field whose ID character is `p'.
$tpid = $1;
if ($pidst && $fdst) { &save_proc }
$pidst = 1;
$pid = $tpid;
$cmd = $login = $ppid = "";
$fdst = 0;
$dev = $name = $proto = "";
next;
}
# Save process-related values.
if (/^c(.*)/) { $cmd = $1; next; }
if (/^L(.*)/) { $login = $1; next; }
if (/^R(.*)/) { $ppid = $1; next; }
# A file set begins with a file descriptor field.
if (/^f/) {
if ($pidst && $fdst) { &save_proc }
$fdst = 0;
$dev = $name = $proto = "";
next;
}
# Accumulate file information.
if (/^D(.*)/) { $dev = $1; next; }
if (/^P(.*)/) { $proto = $1; next; }
if (/^n(.*)/) { $name = $1; $fdst = 1; next; }
}
# Flush any stored file or process output.
if ($pidst && $fdst) { &save_proc }
# List the shell processes that have rlogind/sshd//telnetd parents.
$hdr = 0;
foreach $pid (sort keys(%shcmd)) {
$p = $pid;
if (!defined($raddr{$pid})) {
for ($ff = 0; !$ff && defined($Ppid{$p}); ) {
$p = $Ppid{$p};
if ($p < 2 || defined($raddr{$p})) { $ff = 1; }
}
} else { $ff = 2; }
if ($ff && defined($raddr{$p})) {
if (!$hdr) {
printf "%-8.8s %-8.8s %6s %-10.10s %6s %-10.10s %s\n",
"Login", "Shell", "PID", "Via", "PID", "TTY", "From";
$hdr = 1;
}
printf "%-8.8s %-8.8s %6d %-10.10s %6s %-10.10s %s\n",
$shlogin{$pid}, $shcmd{$pid}, $pid,
($ff == 2) ? "(direct)" : $rcmd{$p},
($ff == 2) ? "" : $p,
($shtty{$pid} eq "") ? "(unknown)" : $shtty{$pid},
$raddr{$p};
}
}
exit(0);
# save_proc -- save process information
# Values are stored inelegantly in global variables.
sub save_proc {
if ($cmd eq ""
|| $login eq ""
|| $ppid eq ""
|| $pid eq ""
|| $name eq ""
) { return; }
if (!defined($Ppid{$pid})) { $Ppid{$pid} = $ppid; }
if ($proto eq "TCP"
&& (($cmd =~ /rlogind/) || ($cmd =~ /sshd/) || ($cmd =~ /telnetd/))) {
if (defined($raddr{$pid})) { return; }
if (($name =~ /[^:]*:[^-]*->([^:]*):.*/)) {
$raddr{$pid} = $1;
$rcmd{$pid} = $cmd;
return;
}
}
if (($cmd =~ /.*sh$/)) {
if (defined($shcmd{$pid})) { return; }
if ($proto eq "TCP") {
if (defined($raddr{$pid})) { return; }
if (($name =~ /[^:]*:[^-]*->([^:]*):.*/)) {
$raddr{$pid} = $1;
$shcmd{$pid} = $cmd;
$shlogin{$pid} = $login;
}
}
if (($name =~ m#/dev.*ty.*#)) {
($tty) = ($name =~ m#/dev.*/(.*)#);
} elsif (($name =~ m#/dev/(pts/\d+)#)) {
$tty = $1;
} elsif (($name =~ m#/dev.*pts.*#)) {
$d = oct($dev);
$tty = sprintf("pts/%d", $d & 0xffff);
} else { return; }
} else { return; }
$shcmd{$pid} = $cmd;
$shtty{$pid} = $tty;
$shlogin{$pid} = $login;
}
## isexec($path) -- is $path executable
#
# $path = absolute or relative path to file to test for executabiity.
# Paths that begin with neither '/' nor '.' that arent't found as
# simple references are also tested with the path prefixes of the
# PATH environment variable.
sub
isexec {
my ($path) = @_;
my ($i, @P, $PATH);
$path =~ s/^\s+|\s+$//g;
if ($path eq "") { return(""); }
if (($path =~ m#^[\/\.]#)) {
if (-x $path) { return($path); }
return("");
}
$PATH = $ENV{PATH};
@P = split(":", $PATH);
for ($i = 0; $i <= $#P; $i++) {
if (-x "$P[$i]/$path") { return("$P[$i]/$path"); }
}
return("");
}
|
