Sunday, 20 February 2011

How I log the hacking on my computer

One day I decided that I had had enough of script kiddies and the like trying to hack my computer, and so I was thinking: how can I shame them?
Having never used Twitter before and needing more challenges, I came up with the idea of sending out an automated stream in real time to Twitter, and so https://twitter.com/breakinlog was born.

This has worked out well so far.

I have been asked "how did I do it?" and so here goes.

I installed rsyslog on my computer and set up a new rule for auth logging.

The rule is as follows:
auth,authpriv.*                 ^/root/tw3.sh

This executes the wrapper (tw3.sh) for every auth event seen by the logger, passing the log message to it as its argument.

Next, it's tw3.sh that does the work: it filters the message and hands the result to a Perl Twitter agent.
#!/bin/bash
# Called by rsyslog with the log message as the arguments.
message="$@"
# Keep a raw copy of every auth event for debugging.
echo "${message}" >> /tw.log

# Case 1: SSH login attempt for a user that does not exist.
filter1=`echo "${message}" | grep -i invalid | grep user`
if [ $? -eq 0 ]
then
        echo " Invalid User" >> /tw.log
        # Timestamp is everything before the hostname; detail is everything after "]:".
        datetime=`echo "$filter1" | awk -F"localhost" '{print $1}'`
        field=`echo "$filter1" | awk -F"]:" '{print $2}'`
        output=`echo $datetime $field`
        /root/t2.pl "${output}"
        exit
fi

# Case 2: client connected but never sent an SSH identification string.
filter1=`echo "${message}" | grep "Did not receive identification string from"`
if [ $? -eq 0 ]
then
        echo "No Identification" >> /tw.log
        datetime=`echo "$filter1" | awk -F"localhost" '{print $1}'`
        field=`echo "$filter1" | awk -F"]:" '{print $2}'`
        output=`echo $datetime $field`
        /root/t2.pl "${output}"
        exit
fi

# Case 3: PAM reported a failed authentication; detail is everything after "PAM:".
filter1=`echo "${message}" | grep "Authentication failure for"`
if [ $? -eq 0 ]
then
        echo "Auth Failed" >> /tw.log
        datetime=`echo "$filter1" | awk -F"localhost" '{print $1}'`
        field=`echo "$filter1" | awk -F"PAM:" '{print $2}'`
        output=`echo $datetime $field`
        /root/t2.pl "${output}"
        exit
fi
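
The text the wrapper tweets is partly chosen by the remote side (the username in an "Invalid user" line), and the Perl script's own comment notes that the string should be sanitized. As an added example, not part of the original post, here is the same three-way classification written as one shell function that keeps only printable ASCII and trims to 140 characters (the tweet limit at the time) before the text would be handed to t2.pl. It assumes the syslog layout used above ("Mon DD HH:MM:SS host sshd[pid]: text"); the function name and the sample line are constructed.

```shell
#!/bin/bash
# Added example (not from the original post): classify an sshd auth line
# the way tw3.sh does and build a tweet-safe string from it.
# Assumes the syslog layout "Mon DD HH:MM:SS host sshd[pid]: text".

# classify_auth_line LINE
#   Prints "<tag>|<sanitized text>" and returns 0 for the three event
#   types tw3.sh tweets; returns 1 (prints nothing) for anything else.
classify_auth_line() {
    local line tag datetime detail clean
    line=$1
    case "$line" in
        *"Invalid user"*)                               tag="Invalid User" ;;
        *"Did not receive identification string from"*) tag="No Identification" ;;
        *"Authentication failure for"*)                 tag="Auth Failed" ;;
        *) return 1 ;;
    esac
    # Timestamp = first three syslog fields (awk copes with "Feb  2" padding),
    # so the hostname no longer has to be "localhost" as in the original awk split.
    datetime=$(printf '%s\n' "$line" | awk '{print $1, $2, $3}')
    # Detail = everything after the "sshd[pid]: " prefix; for PAM failures
    # also drop the "error: PAM: " prefix, as the original "PAM:" split did.
    detail=${line#*]: }
    detail=${detail#*PAM: }
    # The username in these lines is supplied by the remote peer: keep only
    # printable ASCII (drops control and escape bytes) and cut to 140 chars
    # before the text goes anywhere near a tweet.
    clean=$(printf '%s' "$datetime $detail" | LC_ALL=C tr -cd '[:print:]' | cut -c1-140)
    printf '%s|%s\n' "$tag" "$clean"
}

# Constructed sample line for a stand-alone run; in tw3.sh the part after
# the "|" would be what gets passed to /root/t2.pl.
sample='Feb 20 10:11:12 localhost sshd[1234]: Invalid user admin from 203.0.113.5'
classify_auth_line "$sample"
```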

Last on the list is t2.pl, which sends the filtered output to Twitter (you need to register with Twitter to get a consumer key and secret). The following was found on the net a long time ago; unfortunately it is not mine, nor can I remember whose it is.

#!/usr/bin/perl
#
# Net::Twitter::Lite - OAuth desktop app example
#
# From what I can figure out, this code can only perform one operation
# ie, you can get a timeline or update but not both.
# Trying multiple actions results in "503 Bad Gateway" error.

use warnings;
use strict;

# You need to install all of these from CPAN
# along with dependencies (and having
# Bundle::CPAN installed will help)
# Data::Dumper is just for debugging.
#
# >sudo cpan
# cpan> install Net::Twitter::Lite
#
use Net::Twitter::Lite;
use File::Spec;
use File::HomeDir;
use Storable;
use Data::Dumper;

# You need to register for key and secret at http://dev.twitter.com/
# They are private-ish, don't share.  Anyone using these values
# will show up as using your code.
my %consumer_tokens = (
  consumer_key    => 'consumer_key',
  consumer_secret => 'consumer_secret',
);

# The token file is named after the program ($0 is the program name),
# so for t2.pl it is ".t2.pl.dat" under the user's data directory
# (File::HomeDir->my_data). Each user needs their own .dat file to authenticate.
my (undef, undef, $datafile) = File::Spec->splitpath($0);
my $home = File::HomeDir->my_data;
$datafile = File::Spec->catfile($home,".$datafile.dat");

my $nt = Net::Twitter::Lite->new(%consumer_tokens);
my $access_tokens = eval { retrieve($datafile) } || [];

if ( @$access_tokens ) {
  $nt->access_token($access_tokens->[0]);
  $nt->access_token_secret($access_tokens->[1]);
}
else {
  my $auth_url = $nt->get_authorization_url;
  print " Authorize this application at: $auth_url\nThen, enter the PIN# provided to continue: ";

  my $pin = <STDIN>; # wait for input
  chomp $pin;

  # request_access_token stores the tokens in $nt AND returns them
  my @access_tokens = $nt->request_access_token(verifier => $pin);

  # save the access tokens
  store \@access_tokens, $datafile;
}

# Authentication done, now process requests
# if nothing was supplied on the command line, get timeline
if (!@ARGV) {
  eval {
    my $statuses = $nt->friends_timeline();
    for my $status ( @$statuses ) {
      #                 dayofweek,month,day,time,  offset, year
      my (undef, $month, $day, undef, undef, $year) = split(' ', "$status->{created_at}");
      print "$month/$day/$year <$status->{user}{screen_name}> $status->{text}\n";
    }
  };
  warn "$@\n" if $@;
}
# otherwise, post the string that was supplied
# this should probably be sanitized at some point
else {
  my $message = shift(@ARGV);
  eval {
    my $twit = $nt->update($message);
  };
  warn "$@\n" if $@;
}