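#
# Start tocsin
#
# rc-style control script for the tocsin port monitor:
#   start - launch $PROG on a fixed list of ports, logging in tcpdump format
#           to /var/log/tocsin.snoop
#   stop  - kill every running $PROG instance
# Usage: $0 { start | stop }
#
# Assumes a BSD-style ps at /usr/ucb/ps (see killproc) and a POSIX sh
# (printf, $(...)).
PROG=/secure/tocsin

# Kill every process whose ps line contains $1 (the tocsin binary path).
# Arguments: $1 - fixed string matched against full command lines
# Outputs:   progress on stdout, kill failures on stderr
# Returns:   status of the final echo (0); individual kill failures are
#            reported but do not abort the loop
killproc() {
  printf '%s' "Killing $1 : "
  # The ps and grep stages of this pipeline both carry $1 on their own
  # command lines, so drop them; otherwise the pid of the already-exited
  # grep is handed to kill, which then fails with "No such process".
  for pid in $(/usr/ucb/ps -aux | grep "$1" | egrep -v '/usr/ucb/ps|grep' | awk '{print $2}'); do
    printf '%s' "$pid.."
    kill "$pid" || echo "kill $pid failed" >&2
  done
  echo " "
}

case "$1" in
'start')
  # -x rather than -f: a present but non-executable binary would otherwise
  # pass the check and fail only at exec time.
  if [ -x "$PROG" ]; then
    echo "Starting $PROG.."
    # Simple example:
    #$PROG rje courier link hostnames
    # Monitor lots of ports, but TCP only:
    #$PROG -T tcpmux telnet login exec 31337 31338 12345 12346 24 143 943 1524 109 514 515 3306 98 6667 7000 2001 2023
    # Monitor lots of ports, but log in tcpdump format for later analysis:
    #$PROG -o /var/log/tocsin.snoop tcpmux telnet login exec 31337 31338 12345 12346 24 143 943 1524 109 515 3306 98 6667 7000 2001 2023
    # Specify whether ports are udp or tcp to minimise false positives:
    #$PROG -o /var/log/tocsin.snoop tcpmux:t telnet:t login:t exec:t 31337:t 31338:t 12345:t 12346:t 24:t 143:t 943:t 1524:t 109:t 515:t 3306:t 98:t 6667:t 7000:t 2001:t 2023:t
    # DMZ example:
    # Monitor fewer ports above 1024, to avoid false positives from
    # heavily used web servers/proxies. Log results.
    "$PROG" -o /var/log/tocsin.snoop tcpmux:t telnet:t login:t exec:t 31337:t 31338:t 12345:t 12346:t 24:t 143:t 943:t 109:t 515:t 98:t 6667:t 7000:t
    ## Explanation of services:
    ##
    ## A postfix of "t" or "u" above indicates a tcp or udp service.
    # 31337/31338 - back orifice
    # 12345/12346 - netbus
    # 143/943 - IMAP
    # 1524 - ingreslock - also used by some trojans
    # 109 - pop2
    # 137/139 - samba/nbt stuff
    # 3306 - mysql
    # 98 - linuxconf
    # 6667/7000 - ircd
    # 24 - unregistered
    # 2001 - trojan cow
    # 2023 - ripper
    # 514 - rsh - again risky
    # 515 - lpd/lpr - once again risky
    # other candidates
    # 161/162 (snmp) - could be triggered by automatic network discovery tools
    # 177 - xdmcp - could be triggered by XDM broadcasts (for anybody using this)
    # 194/994 - irc
    # 389 - ldap (more and more legitimate stuff)
    # 80/443 - web server - risky
    # 512 biff/comsat - also risky
    # 25 - SMTP VERY risky
  else
    # Previously a missing binary was silently ignored; make it visible
    # so a non-starting monitor does not go unnoticed.
    echo "$0: $PROG not found or not executable" >&2
    exit 1
  fi
  ;;
'stop')
  killproc "$PROG"
  ;;
*)
  echo "Usage: $0 { start | stop }" >&2
  ;;
esac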