#! /bin/sh
#  Welcome to Cdgxn Local Bsd Security Auditer
#  Checks the security of a bsd system to the full extent


# ILLEGAL ACTIVITIES ARE NOT ENCOURAGED!  I WILL NOT BE HELD
# RESPONSIBLE NOR ANYONE BUT YOUR SELF

VERSION='$Id: Cdgxn Local Bsd Security Auditer$     '

# Tag printed in front of every progress line on the terminal.
cdver="[cdgxn-bsd]"

clear

# Banner.  A quoted here-document keeps the backslashes in the ASCII art
# literal no matter which /bin/sh echo implementation is in use.
cat <<'EOF'
  ____ ____   ______  ___   _
 / ___|  _ \ / ___\ \/ / \ | |
| |   | | | | |  _ \  /|  \| |
| |___| |_| | |_| |/  \| |\  |
 \____|____/ \____/_/\_\_| \_|

  http://www.pr0phet.net/cdgxn/
  Cdgxn Local Bsd Security Audit.
  Version One - cdgxn-bsd.tar.gz
  Visit it for updates and news.

EOF

# Wait for the operator before the scan is set up.
printf '%s' "$cdver Press any key to set up for the scan..."
read -r _dummy
echo ""

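printf '%s' "$cdver Checking for root priveledges... "
# Most checks below read protected files and probe local daemons, so they
# are only complete when run as root.  The original compared the literal
# string 'whoami' with "root" and therefore never ran whoami; this warns on
# stderr but, like the original, keeps going.
if [ "$(id -u)" != "0" ]; then
  printf '\n%s\n' "$cdver warning: not running as root, results will be incomplete" >&2
fi
echo " Done. "
printf '%s' "$cdver Checking for a previous log... "
# Keep one generation of the previous report.
if [ -f cdgxn.lg ]; then
  mv cdgxn.lg cdgxn.lg.bak
fi
echo " Done."
printf '%s' "$cdver Checking if this is a Bsd system... "
# uname -s reports e.g. FreeBSD/OpenBSD/NetBSD.  The original compared the
# literal string 'uname' with "Bsd" (never true for a real uname), so it
# could not tell; anything that is not *BSD* is warned about, not fatal.
case "$(uname -s)" in
  *BSD*) ;;
  *) printf '\n%s\n' "$cdver warning: $(uname -s) does not look like a BSD system" >&2 ;;
esac
echo " Done. "
printf '%s' "$cdver Checking for variables for scan... "
log="cdgxn.lg"
cdhost=$(hostname)
cddate=$(date)
cdsystem=$(uname -sr)
# "Mon DD" in the C locale, the form used by syslog and last(1) timestamps;
# the later log checks grep for this to select today's entries.
MYDATE=$(LC_ALL=C date | cut -c5-10)
cdrel="cdgxn-secure"
# (The original also read root's password field out of /etc/passwd into a
# variable here; nothing used it, so that lookup was dropped.)
echo " Done. "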

printf '%s' "$cdver Creating Log File for use... Done."
# Report header: the banner again, then host, system and date of the run.
printf '%s\n' \
  "   ____ ____   ______  ___   _  " \
  "  / ___|  _ \ / ___\ \/ / \ | | " \
  " | |   | | | | |  _ \  /|  \| | " \
  " | |___| |_| | |_| |/  \| |\  | " \
  "  \____|____/ \____/_/\_\_| \_| " >>"$log"
echo ""
printf '%s\n' \
  "  Cdgxn Bsd Security Auditer " \
  "  http://www.pr0phet.net/cdgxn/" \
  "" \
  " Logfile: $cdhost [$cdsystem] @ $cddate " \
  "" >>"$log"
echo ""

printf '%s' "$cdver Check Complete press enter to start..."
read -r _dummy
echo ""

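printf '%s' "$cdver Checking Passwd File... "
# Accounts with an empty password field and uid 0 (name::0:...).  The
# pattern is anchored to those two fields; the original's bare "::0" also
# matched an empty uid or gid field further along any line.
if grep -q '^[^:]*::0:' /etc/passwd; then
  echo "---- Hole Found @ $(date) ----" >>"$log"
  echo "" >>"$log"
  echo "Hole: un-passworded protected root accounts" >>"$log"
  printf '%s' "[/etc/passwd]: " >>"$log"
  grep '^[^:]*::0:' /etc/passwd >>"$log"
  echo "The Hole that was found says that people can gain root access!!" >>"$log"
  # Appended with >> : the original used a single > on this line and
  # truncated everything logged so far.  The advice is to set a password;
  # the original told the reader to delete the lines, which for root
  # removes the account itself.
  echo "Fix: set a password on the accounts shown above (passwd <user>); do not delete the entries. " >>"$log"
  echo "" >>"$log"
fi
echo " Done. "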

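printf '%s' "$cdver Checking in inetd.conf... "
# Services whose inetd entries the author treats as brute-forceable.
# Set no_inetd=1 in the environment to skip this check; a missing
# /etc/inetd.conf is skipped silently as well.
if [ "$no_inetd" != "1" ] && [ -f /etc/inetd.conf ]; then
  for serv in in.telnetd in.ftpd in.fingerd in.rshd in.rlogind imapd; do
    # Only active (non-comment) lines count.  The original looked for a
    # '#' anywhere in any line mentioning the service, so a single
    # commented-out entry hid every live one for the same service.
    if grep -v '^[[:space:]]*#' /etc/inetd.conf | grep -q "$serv"; then
      echo "" >>"$log"
      echo "---- Hole Found @ $(date) ----" >>"$log"
      echo "" >>"$log"
      echo "The Hole: Rootable Inetd Services are open ($serv)" >>"$log"
      echo "The Hole that was found says that your passwords may be brute-forced!!" >>"$log"
      echo "Fix: Comment out the line containing $serv in /etc/inetd.conf" >>"$log"
      echo "" >>"$log"
    fi
  done
fi
echo " Done. "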

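printf '%s' "$cdver Checking for writeable root owned executables..."
echo "---- Root Executables @ $(date) ----" >>"$log"
echo "" >>"$log"
# -perm -007 lists root-owned regular files that are world-readable,
# -writable AND -executable, exactly as the original did; note that a file
# that is merely world-writable (-perm -002) is not reported by this check.
# Directories that do not exist on this host are skipped instead of
# printing find(1) errors on the terminal.
for dir in /bin /boot /cdrom /home /dev /etc /mnt /root /sbin /shlib /tmp /usr /var; do
  [ -d "$dir" ] || continue
  find "$dir" -user root -type f -perm -007 -exec ls -l {} \; >>"$log"
done
echo "" >>"$log"
echo " Done. "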

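printf '%s' "$cdver Checking your Su..."
# [ -u ] tests the setuid bit directly.  The original grepped ls(1)
# output for "rws", which also matches a setgid bit in the group triplet.
if [ -u /bin/su ]; then
  echo ""
  echo "---- Hole Found @ $(date) ----" >>"$log"
  echo "" >>"$log"
  echo "The Hole: /bin/su is suid root (+s)" >>"$log"
  echo "Damage: Local Users can obtain root" >>"$log"
  # su(1) has to be setuid root to switch users at all, so the original
  # advice ("chmod -s /bin/su") disables su rather than hardening it.
  # Limiting who may execute it is the mitigation that keeps it working.
  echo "Fix: su needs the suid bit to work; restrict who can run it instead (e.g. chown root:wheel /bin/su; chmod 4750 /bin/su)" >>"$log"
  echo "" >>"$log"
fi
echo " Done. "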

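printf '%s' "$cdver Checking for non device files in /dev..."
echo "---- Non Device files @ $(date) ----" >>"$log"
echo "" >>"$log"
# List entries directly under /dev that are not a block/char device,
# directory, symlink or socket.  Testing the inode type is more reliable
# than the original egrep over ls(1) mode strings, which only recognised a
# handful of permission patterns (a read-only block device, "br-", for
# example, was reported as a non-device file).
find /dev -mindepth 1 -maxdepth 1 \
  ! -type b ! -type c ! -type d ! -type l ! -type s \
  -exec ls -ldF {} + >>"$log"
echo "" >>"$log"
echo " Done. "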

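printf '%s' "$cdver Checking for Exploitable Daemons in netstat..."
bvuln="0"
if netstat -a | grep -q ":domain"; then
  # binfo-udp is a helper expected next to this script; when it is not
  # here the BIND version check is skipped rather than failing noisily.
  if [ -x ./binfo-udp ]; then
    netmp=$(./binfo-udp localhost)
    # Fixed-string matches: an unescaped "." in a regex matches any
    # character, so the original "4.9" would also have matched e.g. "4x9".
    for ver in 4.9 8.1.1 8.1-REL; do
      if printf '%s\n' "$netmp" | grep -F -q "$ver"; then
        bvuln="1"
      fi
    done
  fi
  if [ "$bvuln" = "1" ]; then
    echo "---- Hole Found @ $(date) ----" >>"$log"
    echo "The Hole: Vulnerable Version of Bind is up and running" >>"$log"
    echo "The Damage: Your Box can be rooted remotely!" >>"$log"
    echo "Fix: killall -9 named" >>"$log"
    echo "Another Fix: Install the latest version of BIND" >>"$log"
    echo "" >>"$log"
  fi
fi
if netstat -a | grep -q ":ftp"; then
  # Capture the FTP banner in a private temp file rather than a fixed name
  # in the current directory, and reap the background telnet instead of
  # leaving it attached to the connection.  Both streams share one file
  # via 2>&1; the original opened the same file twice, so the two outputs
  # overwrote each other.
  ftp_tmp=$(mktemp "${TMPDIR:-/tmp}/cdgxn.XXXXXX") || ftp_tmp=".ftp.tmp"
  telnet localhost 21 >"$ftp_tmp" 2>&1 &
  telnet_pid=$!
  sleep 1
  kill "$telnet_pid" 2>/dev/null
  # -F: "[BETA-18]" is literal banner text, not a bracket expression; as a
  # regex the original pattern could never match the real banner.
  if grep -F -q "wu-2.4.2-academ[BETA-18]" "$ftp_tmp"; then
    echo "---- Hole Found @ $(date) ----" >>"$log"
    echo "" >>"$log"
    echo "The Hole: Vulnerable wu-ftpd is running" >>"$log"
    echo "The Damage: root privelages may be obtained " >>"$log"
    # The original advice, "cat /etc/inetd.conf | grep -v in.ftpd
    # 1>/etc/inetd.conf", truncates inetd.conf before cat reads it and
    # leaves the file empty.
    echo "The Fix: comment out the in.ftpd line in /etc/inetd.conf (or upgrade wu-ftpd) and restart inetd" >>"$log"
    echo "" >>"$log"
  fi
  # One removal; the original removed the file twice on the vulnerable path.
  rm -f "$ftp_tmp"
fi
echo " Done. "
# (The original also removed a .passwd.tmp here that nothing creates.)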

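printf '%s' "$cdver Checking for failed SU attempts..."
echo "---- Failed Su's @ $(date) ----" >>"$log"
echo "" >>"$log"
# Today's /var/log/messages lines matching the author's " - tt" marker.
# NOTE(review): the BSD su(1) failure message is usually of the form
# "BAD SU user to root on /dev/ttyXX"; confirm this pattern against the
# local syslog format, it may miss those entries.
if [ -f /var/log/messages ]; then
  grep "$MYDATE" /var/log/messages | grep " - tt" >>"$log"
fi
echo "" >>"$log"
echo " Done. "

# No check is implemented for remote root logins; this step only reports
# itself as done.
printf '%s' "$cdver Checking your remote root logins...  Done. "
echo ""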

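printf '%s' "$cdver Checking your exports..."
# Set no_exports=1 in the environment to skip this check (the original
# achieved the same by searching for an impossible string).  A missing
# /etc/exports is skipped: the original created an empty one, and an audit
# should not write system configuration.
if [ "$no_exports" != "1" ] && [ -f /etc/exports ]; then
  # Active lines (comments ignored) that contain "rw".  This is the
  # author's heuristic; it also matches those two letters inside a host
  # or path name.
  if grep -v '^[[:space:]]*#' /etc/exports | grep -q rw; then
    echo "---- Hole Found @ $(date) ----" >>"$log"
    echo "" >>"$log"
    echo "The Hole: /etc/exports is vulnerable" >>"$log"
    echo "The Damage: Could be compromised with nfsd" >>"$log"
    # The original advised "rm -rf /etc/exports", which removes every
    # export on the host; restricting the rw entries is the measured fix.
    echo "The Fix: restrict or remove the rw entries in /etc/exports (export read-only or to named hosts only)" >>"$log"
    echo "" >>"$log"
  fi
fi
echo " Done. "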

printf '%s' "$cdver Checking latest reboots, shutdowns and crashes..."
# Today's system-state entries from last(1).
{
  echo "---- Reboots, Shutdowns, Crashes @ $(date) ----"
  echo ""
  last | grep "$MYDATE" | grep -E '(reboot|shutdown|runlevel|crash)'
  echo ""
} >>"$log"
echo " Done. "

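printf '%s' "$cdver Checking contents of hosts.equiv..."
{
  echo "---- Contents of /etc/hosts.equiv @ $(date) ---- "
  echo ""
  # Only lines that are comments from their first non-blank character are
  # dropped; the original's grep -v '#' also hid real entries that carried
  # a trailing comment.  A missing file is not an error for this check.
  if [ -f /etc/hosts.equiv ]; then
    grep -v '^[[:space:]]*#' /etc/hosts.equiv
  fi
  echo "If there are any entries, We encourage you to"
  echo "delete them as they're security concerns"
  echo ""
} >>"$log"
echo " Done."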

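printf '%s' "$cdver Checking users with .rhosts and .shosts..."
# Collect every .rhosts/.shosts regular file first, then log a hole only
# when something was found.  The original wrote "Hole Found" to the log
# unconditionally, even on a clean host.  Directories absent on this host
# are skipped instead of producing find(1) errors.
found=$(
  for dir in /boot /bin /dev /home /etc /mnt /root /sbin /tmp /usr /var; do
    [ -d "$dir" ] || continue
    find "$dir" -type f \( -name .rhosts -o -name .shosts \) -exec ls -al {} \;
  done
)
if [ -n "$found" ]; then
  echo "---- Hole Found @ $(date) ----" >>"$log"
  echo "If users appear with .rhosts or .shosts are below" >>"$log"
  echo "" >>"$log"
  printf '%s\n' "$found" >>"$log"
  echo "" >>"$log"
fi
echo " Done."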

printf '%s' "$cdver Checking Last 20 User Logins..."
{
  echo "---- Last 20 Users @ $(date) ----"
  echo "Below is the last 20 Users who logined into your system"
  echo ""
  # Ordinary users only: root, ftp and the pseudo-entries are filtered out.
  last | grep -E -v -i '(root|ftp|reboot|shutdown|runlevel)' | head -20
  echo ""
} >>"$log"
echo " Done. "
echo ""

printf '%s' "$cdver To check for Sniffers and Backdoors press enter..."
read -r _dummy
echo ""

printf '%s' "$cdver Checking for sniffers... "
{
  echo "---- Sniffers @ $(date) ----"
  echo ""
  # An interface in promiscuous mode is the usual sign of a packet sniffer.
  ifconfig | grep -i promisc
  echo ""
  echo "If you see a promisc above, your machine might be set"
  echo "to allow any incoming packets and possibly log them to"
  echo "a hidden file somewhere for your logins"
  echo ""
} >>"$log"
echo " Done."

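printf '%s' "$cdver Checking for backdoors... "
{
  echo "---- Backdoors @ $(date) ----"
  echo ""
  # An inetd entry that hands the connection straight to a shell.  One
  # alternation replaces the original's eight separate greps (bash was
  # listed twice); a missing inetd.conf is skipped rather than reported
  # as a read error.
  if [ -f /etc/inetd.conf ]; then
    grep -E '/bin/(csh|bash|tcsh|ksh|sh|ash|zsh)' /etc/inetd.conf
  fi
  echo ""
  echo "If you see anything above this line, then you could"
  echo "possibly have a backdoor installed on your system"
} >>"$log"
echo " Done."
echo "" >>"$log"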

printf '%s' "$cdver Checking for trojans..."
{
  echo "---- Trojans @ $(date) ----"
  echo ""
  # "HEL0" is the marker string the author associates with a trojaned
  # login binary; NOTE(review): confirm it is still the indicator you want.
  strings /bin/login | grep "HEL0"
  echo ""
  echo "If you see anything above you have a trojan installed"
  echo "on your system "
  echo ""
} >>"$log"
echo " Done."
echo ""

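printf '%s' "$cdver To check your ports and exploits press enter..."
read -r _dummy
echo ""

printf '%s' "$cdver Checking your ports... "
{
  echo "---- Open Ports @ $(date) ----"
  echo "Rememeber: Dont have ports open you dont need open"
  echo ""
  # strobe is a helper expected next to this script; its absence is
  # recorded so the report does not carry a silent gap.
  if [ -x ./strobe ]; then
    ./strobe -q localhost
  else
    echo "(./strobe not found; port list skipped)"
  fi
  echo ""
} >>"$log"
echo " Done. "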

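printf '%s' "$cdver Checking for Suid Programs..."
echo "---- Suid Programs @ $(date) ----" >>"$log"
echo "" >>"$log"
# Both setuid (4000) and setgid (2000) files are listed, as in the
# original.  Directories absent on this host are skipped instead of
# producing find(1) errors on the terminal.
for dir in /bin /boot /dev /etc /home /mnt /root /sbin /tmp /usr /var; do
  [ -d "$dir" ] || continue
  find "$dir" \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \; >>"$log"
done
echo "" >>"$log"
echo " Done. "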

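printf '%s' "$cdver Fixing Known Vulnerable Suid Programs..."
# Strips the set-id bits from the author's list of binaries.  Unlike the
# rest of the script this changes the system instead of only reporting:
# removing the bit from mount/umount stops unprivileged users mounting,
# and several of these paths appear to be Linux-style, so they may not
# exist on a BSD host.  Only files that are present and actually carry a
# set-id bit are touched, and each one is recorded in the log (with its
# old mode) so the change can be reverted.
echo "---- Suid bits removed @ $(date) ----" >>"$log"
for prog in /usr/X11R6/bin/X /usr/X11R6/bin/color_xterm /sbin/dip \
            /bin/mount /bin/umount /usr/bin/resizecons /usr/X11R6/bin/rxvt \
            /usr/X11/bin/SuperProbe /usr/bin/lpc /usr/bin/gnuplot; do
  [ -f "$prog" ] || continue
  if [ -u "$prog" ] || [ -g "$prog" ]; then
    ls -l "$prog" >>"$log"
    chmod -s "$prog"
  fi
done
echo "" >>"$log"
echo " Done. "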

echo ""
echo "$cdver Checking is complete check cdgxn.lg for info"
# Report trailer.
{
  echo "---- Security Info @ $(date) ----"
  echo ""
  echo "Thank you for choosing Cdgxn Security"
  echo "Any questions or comments email them to"
  echo "sistym@attrition.org"
} >>"$log"
echo ""





