Dev – Phocean.net

Soktspy

phocean — Wed, 20 Jun 2012 20:45:54 +0000

Soktspy is a small script that may be helpful for some investigation.

Sometimes, you may detect that some suspicious network traffic coming out from a machine. In general, it is easy to spot the process from which the packets originate. You somehow connect to the PC and look for open sockets.

But sometimes, the behavior may be very sneaky, consisting of one or two packets, at rare and random intervals. Unless you spend all the day before the screen, it may be very difficult to trace.

Especially with stock tools or without installing any intrusive hardware, which is also the reason why I did this tool. On a production server, you want to install as little dependencies as possible, right?

So here is the Soktspy, a python script that easily build into a portable and standalone executable to deploy on the target machine.

Once launched, it just loops in the background and log sockets that are created for some given peers (the IP addresses you found involved in the suspicious network activity).

Maybe, some other tool exist, but I could not find anything similar. Let me know if you have any suggestion. Anyway, it was a nice exercise to do :)

Download

soktSpy v1.2

Pre-requisites

Install Visual C++ Runtime libraries with vcredist_x86.exe (not necessary if the target machine happens to have Python already installed)

So far, I tested it successfully on Windows XP, Windows 2003, Ubuntu 11.10 and Mac OS Lion. But as it is a simple Python script, it is supposed to work on all platform.

Compiling

You may recompile the program as a Windows binary executable by issuing this command:

> setup.py py2exe

How to use

Copy soktSpy.exe and its configuration file config.cfg.
Edit config.cfg with the IP you want to monitor
Start soktSpy.exe.

Then, as soon as the sneaky process will send out a packet toward the monitored IP, a log record will be triggered:

The log file contains the following info, in that order:

Detection time (based on the system local time)
Process creation time
PID
Process Name
Protocol Family (2 = IPv4, 23 = IPv6)
Process Owner
Source socket (IP, port)
Destination socket (IP, port)
Socket Status

Future Plans

Please tell me if you have any idea on how to improve it.

For now, I plan to add a feature that will dump the memory of the suspicious processes when it is executing.

Netios 0.76

phocean — Tue, 13 Jul 2010 17:48:46 +0000

Netios 0.76 is out!

Complete changelog :

* fix prompt for enable issue
* fix issue with log directory
* add timeout option
* remove fail check for password mode (source of confusion and not so useful on second thought)

Check there for more details and a download link.

Netios 0.75

phocean — Sat, 24 Apr 2010 17:06:51 +0000

Netios 0.75 is out.

Complete changelog :

2010-04-24 (0.75) Phocean

2010-04-24 (0.75) Phocean

* always force to specify the user to update and remove useless options concerning tacacs and newuser mode

Check there for more details and a download link.

Netios 0.74

phocean — Sun, 18 Apr 2010 17:07:56 +0000

Netios 0.74 is out.

Complete changelog :

2010-04-08 (0.74) phocean

2010-04-08 (0.74) phocean

* improve logging and error handling
* clean up some crapy code

Check there for more details and a download link.

Netios 0.73

phocean — Wed, 10 Feb 2010 14:51:59 +0000

Netios 0.73 fixes some bugs and

Complete changelog :

2010-02-10 (0.73) phocean

2010-02-10 (0.73) phocean

* remove useless options
* fix various bugs

Check there (tools page) for more details and a download link.

Hostcheck

phocean — Fri, 15 Jan 2010 12:44:21 +0000

I continue to publish some my coding.

Hostcheck is a simple Perl script that can be useful to quickly check if a list of host is up.
It just read a host file and check if the host are available doing a ping test or trying to open a socket.

Nothing great, but it may help to quickly check that most of things are right after a network change, for instance.
Because we want to test many hosts, and not to scan, the pace is fast so it may not be 100% reliable. The idea is to see roughly is the connectivity is correct or if your whole LAN is down.
It uses colors and is easy to read, so it might be good to show to your manager ! :)

I hope it will be useful. More info and download link are there.

Netios 0.72

phocean — Fri, 15 Jan 2010 10:20:55 +0000

Netios 0.72 fixes some bugs with the show_run mode and large config files. I also found some issues concerning the prompt detection, so it should be fixed now.

Complete changelog :

2010-01-14 (0.72) phocean

2010-01-14 (0.72) phocean

* ciscoclass.py : forgot to remove a debug print
* ciscoclass.py : finish and fix a bunch of bugs in the show run function, format the config file properly
* ciscoclass.py : fix the prompt regex

Check there (tools page) for more details and a download link.

Netios 0.71

phocean — Sun, 20 Dec 2009 16:34:37 +0000

I release a new version of Netios : 0.71.

There are a lot of changes, starting with cosmetics, but the biggest one is the support of multiprocessing.

It is now able to process several routers at the same time, so using it on a large list of machines results in a big speed up.

A downside is that it now requires at least Python 2.6, as multiprocessing started to be supported with this version only. Most Linux distributions now include Python 2.6, but still not all. Anyway it will be more and more the case. If you can’t uprade your distribution, you can stick with 0.60 which still do most of the work fine.

It is also now able to fetch a configuration file remotly, but it requires more testing before I feel confident in the way it works.

The complete changelog :

2009-12-20 (0.71) phocean ;

2009-12-20 (0.71) phocean ;

* ciscoclass.py : handle correctly the cisco pager — More — so that “show run” mode should work even with large config files
* sshclass.py : allow to override terminal size system settings (make use of the cisco pager to avoid filling the buffer)

2009-11-16 (0.70) phocean (private release)

2009-11-16 (0.70) phocean (private release)

* implement multiprocessing
* improve code documentation
* clean up UI
* reduce useless logging
* netios.py : bug : missing startTime parameter in f_skip_error and f_command functions

I cross my fingers so that there are not too many bugs, but if so, please don’t forget to report it to me.

Check there (tools page) for more details and a download link.

Netios

phocean — Sat, 07 Nov 2009 15:53:30 +0000

I just released an alpha release of a little tool that may help network administrators with a large park of Cisco routers or switches :

Netios is a little tool aimed to help network administrators to administrate a large number of Cisco network devices.
Providing it with a list of equipments, it connects within SSH to remotly apply IOS commands.

It can automatically :

retrieve and export in a CSV file the list of local users

update the local user, the enable password

change NTP settings

execute a file of customed IOS commands

retrieve configuration files

It can read the targets from the command line or from a text file.

Its primary goal is to improve the security by making it easier to renew regularly the local password of these equipments, but it can do more convenient things (and I will continue to work to add more of them).

Check there (tools page) for more details and a download link.

Automatic backup when inserting a drive

phocean — Mon, 28 Sep 2009 09:34:11 +0000

I bought a 500 GB 2.5″ external disk drive to backup the data of my laptop. It is small, quiet, easy to move and far enough for the important data I want to backup, mostly documents, e-mails or script from work.

Being lazy, it happened that I did not backup my data. Yes, it is a shame, but inserting a drive and launching the commands to rsync the discs was preventing me from this best practice.

So, I decided to make it automatic. The goal was that the only thing I would have to do would be to insert the drive, and then remove it when it is done.

Thanks to the magic of Gnu/Linux, it had been very easy. I will show below how I did it, thought they are many things that could be improved (but I haven’t felt the need so far).

Udev

Udev not only allows to create /dev entries dynamically, but offers a lot of triggers to perfom all kind of actions when some hardware is inserted.

The udevinfo command will show you a lot of output concerning your drive. What we want is a unique way to differenciate the backup drive from any other drive that will be inserted in the future.

What would be better than the manufacturer serial ?

So let’s look for it :

$ udevinfo -a -p /sys/block/sdc | grep serial

*UPDATE 06/2011* It seems that on recent versions, the syntax of this command slightly changed into this :

$ udevadm info -a -p /sys/block/sdc | grep serial

Copy the serial.

Now we have to create a rule file, that will tell to udev what to do when this particular drive is inserted.

This is done in the /etc/udev/rules.d folder. Let’s create a file 30-mnt.rules or anything you like.

We edit this file so that it contains :

ACTION=="add",KERNEL=="sd*",SUBSYSTEMS=="usb", ATTRS{serial}=="57442D57584E3430394C5A38", RUN+="/home/jc/bin/backup/bckp-home.sh %k"

ACTION==”add” will tell udev that this action must be triggered when the drive is inserted.
SUBSYSTEMS could be changed according to the drive you are using (scsi, usb, …).
ATTRS{serial} must contain the serial you just grabbed.
RUN+=”/path/to/bin/backup.sh %k” tells udev to launch the backup script. %k, which contains the device name, sdc, is passed as an argument.

Optionally, it is quite convenient, you may want to make a symlink to the /dev/sd? device, with :

KERNEL=="sd*",SUBSYSTEMS=="scsi", ATTRS{model}=="GJ0250EAGSQ     ", SYMLINK+="ultrabay%n"

The shell script

Now, the script itself :

#!/bin/sh
LOGFILE=/PATH/TO/bckp.log
echo "--- BCKP - INFO : \$1=_${1}_" >> $LOGFILE
[[ $1 ]] || { echo "ERROR : missing parameter">>$LOGFILE; exit 1; }

# give time for the user, if needed to kill the process
sleep 6
MOUNT_PATH=$(grep $(echo $1) /etc/mtab | awk '{print $2}')
[[ $MOUNT_PATH ]] || {
  echo "ERROR fretching mount point">>$LOGFILE;
  exit 1;
}
echo " Synchronizing $MOUNT_PATH)">>$LOG

# add here all you rsync commands
rsync -av --delete /PATH/TO/DATA $MOUNT_PATH/backup/
...
exit 0

Testing it

Now, let’s reload udev :

$ sudo udevadm control --reload-rules

To test if it works :

$ sudo udevadm trigger

or maybe :

$ /etc/init.d/boot.udev restart

Plug off/in your drive, and the script should be executed as expected.

Optional : setting more options with Hal

It is not necessary at all for the backup script to work, but it would be very practical to have a fixed mount point for a drive.
For instance, I use a second drive (in the untrabay slot of my thinkpad) that contains all my virtual machines.

The benefice is to prevent a performance drain of the system when many virtual machines are doing I/O like swapping or anything else.

Create a file like /etc/hal/fdi/policy/15-static-mount.fdi, containing :



  
    
      true
      ext4
      ultrabay
      Fuji
      true
      true

The drive is matched by it uuid. You can get the uuid of your disk with :

$ ls -la /dev/disk/by-uuid/

You can, if you want, set the volume label and specify several options of the file system.

However, the most interesting option is the “desired_mount_point” one which allow you to fix the mount point. In the example, the disk will always be mounted in

/media/ultrabay

, and not the system disk, or disk_1, etc.

Coming next !

That’s all for today folks. Let me know if there are some things not clear or that can be optimized.

Next time, we will see how to run the same script from Hal instead. We will also use Zenity to get a nice GUI prompt when the disk is inserted.