Category Archives: Scripts

Easy BASH for making data difficult to recover without damaging your filesystem.

There are a many programs designed specifically to recover lost data, even when a file has been “deleted” from a users hard-drive. This is not difficult to do because when a file is “deleted,” all that is happening is the pointer to a specific block of data is removed. The removal of this pointer is instantaneous, the removal of the data-block is not. However, once the pointer is removed the filesystem allows overwriting of the data-block. This means that files you meant to delete are still sometimes recoverable even months after they are removed from your computer. Most modern recovery programs are able to reverse this process by looking at the headers of data-blocks, and determining what type of file it resides there.

If you are paranoid about your security like I am you may ask yourself how do I prevent this from happening. One way is to utilize software that overwrites this data-block, with random patterns of data several times. Obviously the more passes the harder it is for the original data to ever be recovered. Another method, that works on a much larger scale, is to create so much write activity on the disk, that the original data will almost always be corrupted.

This script does just that, by generating a specified number of temporary files and then deleting them, overwriting the equivalent amount of data stored at that location.

[code language=”bash”]

#! /bin/bash

read -p "How much space do you want to overwrite? [MB]" space
read -p "Enter a valid directory path [example: /home/user/]: " directory
i=0
overwrites=$(($space/2))
while [ $i -lt 8500 ]; do
template+=$RANDOM
(( i = i+1 ))
done
i=0
while [ $i -lt $overwrites ]; do
clear
echo $(($i + 1))/$overwrites overwrites ~$(( 2*$i )) MB
(( i = i+1 ))
j=0
while [ $j -lt 50 ]; do
(( j = j+1 ))
echo $template >> $directory/$i-temp
done
done

i=0

while [ $i -lt $overwrites ]; do
(( i = i+1 ))
rm $directory/$i-temp
done
[/code]

Still if you want to guarantee the permanent deletion of your data, Thermite is the way to go.

~Jamin Becker

Tagged , , , , , , , , ,

Fast easy Linux Monitoring with Bash

When it comes to security on a large scale it is usually necessary to setup IDS/IPS to monitor network traffic. But what happens if the attacker already has backdoors installed on your Linux box? The following script will take care of just that, giving the admin a bird’s eye view of what is currently going on, on his system.

This script monitors network traffic, system changes, recent and current logins, user permissions, command aliases, and cronjobs.

[code language=”bash”]
if [ $(whoami) != "root" ];then
echo "THIS SCRIPT MUST BE RUN AS ROOT!"
exit
fi

find / -name .bashrc > temp4 &
md5sum /etc/passwd /etc/group /etc/profile md5sum /etc/sudoers /etc/hosts /etc/ssh/ssh_config /etc/ssh/sshd_config > temp2
ls -a /etc/ /usr/ /sys/ /home/ /bin/ /etc/ssh/ >> temp2
while true;
do
netstat -n -A inet | grep ESTABLISHED > temp
outgoing_ftp=$(cat temp | cut -d ‘:’ -f2 | grep "^21" | wc -l)
incoming_ftp=$(cat temp | cut -d ‘:’ -f3 | grep "^21" | wc -l)

outgoing_ssh=$(cat temp | cut -d ‘:’ -f2 | grep "^22" | wc -l)
incoming_ssh=$(cat temp | cut -d ‘:’ -f3 | grep "^22" | wc -l)

outgoing_telnet=$(cat temp | cut -d ‘:’ -f2 | grep "^23" | wc -l)
incoming_telnet=$(cat temp | cut -d ‘:’ -f3 | grep "^23" | wc -l)

echo "ACTIVE NETWORK CONNECTIONS:"
echo "—————————"
if [ $outgoing_telnet -gt 0 ]; then
echo $outgoing_telnet successful outgoing telnet connection.
fi

if [ $incoming_telnet -gt 0 ]; then
echo $incoming_telnet successful incoming telnet session.
fi

if [ $outgoing_ssh -gt 0 ]; then
echo $outgoing_ssh successful outgoing ssh connection.
fi

if [ $incoming_ssh -gt 0 ]; then
echo $incoming_ssh successful incoming ssh session.
fi

if [ $outgoing_ftp -gt 0 ]; then
echo $outgoing_ftp successful outgoing ftp connection.
fi

if [ $incoming_ftp -gt 0 ]; then
echo $incoming_ftp successful incoming ftp session.
fi

if [ $incoming_ftp -gt 0 ]; then
echo $incoming_ftp successful incoming ftp session.
fi
cat temp
sleep 5
clear

echo "CURRENT LOGIN SESSIONS:"
echo "———————–"
w
echo
echo "RECENT LOGIN SESSIONS:"
echo "———————-"
last | head -n5
sleep 5
clear

sleepingProcs=$(pstree | grep sleep)
if [[ ! -z "$sleepingProcs" ]];then
echo "SLEEP PROCESSES:"
echo "—————-"
sleep 5
clear
fi

#Check for changes to important files.

md5sum /etc/passwd /etc/group /etc/profile md5sum /etc/sudoers /etc/hosts /etc/ssh/ssh_config /etc/ssh/sshd_config > temp3
ls -a /etc/ /usr/ /sys/ /home/ /bin/ /etc/ssh/ >> temp3
fileChanges=$(diff temp2 temp3)
if [[ ! -z "$fileChanges" ]];then
echo CHANGE TRACKER:
echo -e "\n"
echo "$fileChanges"
sleep 5
clear
fi

echo "CRON JOBS:"
echo "Found Cronjobs for the following users:"
echo "—————————————"
ls /var/spool/cron/crontabs
echo
echo "Cronjobs in cron.d:"
echo "——————-"
ls /etc/cron.d/
sleep 5
clear

echo "ALIASES:"
echo "——–"
alias
echo
echo ".BASHRC LOCATIONS:"
echo "——————"
cat temp4 | while read line
do
echo $line
done
sleep 5
clear

echo "USERS ABLE TO LOGIN:"
echo "——————–"
grep -v -e "/bin/false" -e "/sbin/nologin" /etc/passwd | cut -d ‘:’ -f1
sleep 5
clear

echo "CURRENT PROCESS TREE:"
echo "———————"
pstree
sleep 7
clear
done

[/code]

~Jamin Becker

5,000 whois lookups in under a minute

There have been many times in my IT career I have been required to solve very specific problems. My first step to solving these problems almost always begins with the same question: “Has it been done before?” Most of the time, if the problem is specific enough the answer is a resounding, “No.”

The other day I came across the following conundrum. I was asked to whois 5000 hosts in a reasonable amount of time (minutes) given a server with only one processor core and 2GB of RAM.

I ended up creating a BASH script to do the following:

1. Break down the huge text file into smaller text files each containing only a few IPs.

2. Spin up a separate process for each of these text files to do the whois lookups.

[code language=”bash”]
#!/bin/bash
#Super fast whois lookup – Jamin B
echo Enter the file you want to read in:
read file
echo Spawn into how many threads?
read splitNumber
totalLines=`<$file wc -l` #determine the total number of lines
currentLine=0
currentFile=0
splitSize=$(($totalLines/$splitNumber))
echo Each file will contain $splitSize IPs.
rm -rf tmpdir
mkdir tmpdir
rm -rf whois
mkdir whois
cat $file | while read line
do
(( currentLine = currentLine +1))
if [ $(($currentLine%$splitSize)) == 0 ]; then
(( currentFile = currentFile + 1))
clear
echo Creating file $currentFile in tmpdir
cat /proc/meminfo | grep MemFree
fi
echo $line >> tmpdir/$currentFile
done
i=0
while [ $i -lt $splitNumber ]; do
(( i = i + 1 ))
clear
echo Spawning process for file number $i
cat tmpdir/$i | while read line
do
whois $line > whois/$line.txt &
done
done
[/code]

The result: 5000 whois reports generated in under a minute!

Screen Shot 2014-01-10 at 1.27.54 PM

-Jamin Becker