
Thread: Send your logs/rootkits report on email

  1. #1
    Join Date
    May 2007
    Location
    sLOVEnia
    Beans
    223
    Distro
    Kubuntu 8.04 Hardy Heron

    Get your logs/rootkit reports and send it to email daily

    Well, my system was hacked a week ago, so I decided to keep an extra eye on the logs and rootkits. You need 4 things in order to get this working. Luckily, all the packages are available via apt-get (don't you love this?)

    Well, you need these:
    Code:
    sudo apt-get install mutt rkhunter chkrootkit logwatch
    apt-get will install all the necessary packages... So let's get on.

    You need an email script
    Code:
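    #!/bin/bash
    # Mail a file as an attachment: email <recipient> <subject> <attachment_file>
    if [ $# -lt 3 ]; then
        echo "Usage:"
        echo "$0 user@gmail.com subject attachment_file"
        exit 1
    fi
    
    date=$(date +%d-%m-%y)
    to=$1
    sub=$2
    # Subject line: "<hostname> <subject> <dd-mm-yy>"
    subject="$(hostname) $sub $date"
    attach=$3
    
    # Quote the arguments so names with spaces survive; "--" ends the attachment list
    mutt -s "$subject" -a "$attach" -- "$to" < /dev/null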
    Copy this and paste it into a file named "email".
    Save it in /usr/local/bin/
    Also make sure you change it to an executable file.
    Code:
    sudo mv email /usr/local/bin/
    sudo chmod +x /usr/local/bin/email
    And test whether it works:
    Code:
    echo "test 123" > readme ; email your@mail.here "testing script" readme ; rm readme
    If it works, you are good to continue. If it doesn't, please write here; I probably forgot what to install to get mutt to work.

    Then you need a script which will be executed daily.

    Code:
    #!/bin/bash
    # Daily report: run each scanner and mail its output with the "email" script above
    date=$(date +%d-%m-%y)
    email="your email here"
    
    ## rkhunter: update its data files, run a full check, mail the warnings
    rkhunter --update
    rkhunter --checkall --cronjob --report-warnings-only > "rkhunter-check-$date.log"
    email "$email" rkhunter-check "rkhunter-check-$date.log"
    rm "rkhunter-check-$date.log"
    # Mail the full rkhunter log as a compressed tarball
    tar -cf "rkhunter-log-$date.tar" /var/log/rkhunter.log
    gzip "rkhunter-log-$date.tar"
    email "$email" rkhunter-log "rkhunter-log-$date.tar.gz"
    rm rkhunter-log*.tar.gz
    
    ## chkrootkit
    chkrootkit > "chkrootkit-$date.log"
    email "$email" chkrootkit "chkrootkit-$date.log"
    rm "chkrootkit-$date.log"
    
    ## logwatch: HTML reports for all logs, today and yesterday
    logwatch --output html --detail High --range All > "logwatch-all-$date.html"
    logwatch --output html --detail High --range Today > "logwatch-today-$date.html"
    logwatch --output html --detail High --range Yesterday > "logwatch-yesterday-$date.html"
    email "$email" "logwatch all" "logwatch-all-$date.html"
    email "$email" "logwatch today" "logwatch-today-$date.html"
    email "$email" "logwatch yesterday" "logwatch-yesterday-$date.html"
    rm -f logwatch-*.html
    Save it as whatever you like. Let's say "report-log". Chmod it and move it to /etc/cron.daily/
    Code:
    sudo chmod +x report-log
    sudo mv report-log /etc/cron.daily/
    Also make sure you change the email.

    This is it. You should get a few mails per day about your system's logs and security...
    I hope this helps. You can edit it, and you can ask questions about how to make changes, etc.

    Please reply to let me know if it works with only these packages installed...
    Last edited by qstraza; September 10th, 2008 at 01:08 PM.
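
The daily script in the post above writes its reports under fixed names in whatever directory cron starts it in. As an added example (not part of the original post), the same rkhunter, chkrootkit and logwatch runs are shown here writing into a private `mktemp` directory with a cleanup trap and quoted arguments. `SEND`, `RCPT`, `WORKDIR` and `run_report` are names assumed for the example; the mailer is the thread's /usr/local/bin/email script.

```shell
#!/bin/bash
# Added example, not from the thread. SEND, RCPT, WORKDIR and run_report are
# hypothetical names; the scanner command lines are the ones posted above.
umask 077                                   # reports readable by the owner only

SEND=${SEND:-/usr/local/bin/email}          # the thread's mail helper
RCPT=${RCPT:-root}                          # assumption: replace with your address
WORKDIR=$(mktemp -d "${TMPDIR:-/tmp}/report-log.XXXXXX") || exit 1
trap 'rm -rf -- "$WORKDIR"' EXIT            # remove reports even if a step fails

# run_report NAME CMD [ARGS...]
# Captures CMD's output in the private directory and mails it.
# Returns 0 when mailed, 2 when CMD is not installed, 3 when mailing failed.
run_report() {
    local name=$1
    shift
    local out="$WORKDIR/$name-$(date +%F).log"
    if ! command -v "$1" >/dev/null 2>&1; then
        return 2
    fi
    # Scanners exit non-zero when they have warnings; the output is still wanted.
    "$@" >"$out" 2>&1 || true
    "$SEND" "$RCPT" "$name" "$out" || return 3
}

main() {
    command -v rkhunter >/dev/null 2>&1 && rkhunter --update >/dev/null 2>&1
    run_report rkhunter-check rkhunter --checkall --cronjob --report-warnings-only ||
        echo "rkhunter-check: not sent (code $?)" >&2
    run_report chkrootkit chkrootkit ||
        echo "chkrootkit: not sent (code $?)" >&2
    run_report logwatch-yesterday logwatch --output html --detail High --range Yesterday ||
        echo "logwatch-yesterday: not sent (code $?)" >&2
}

main
```

A scanner that is missing or a mail that fails is reported on stderr, which cron forwards to the job owner, so a broken report does not pass unnoticed.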

  2. #2
    Join Date
    May 2008
    Location
    Cape Town, South Africa
    Beans
    Hidden!

    Re: Get your logs/rootkit reports and send it to email daily

    Hi,

    I really like this idea and have given it a try. All seems to run fine, except that I end up with a text file in my home directory instead of an email going out. The test script gives the following (´...´ = removed):

    From michael@... Thu Aug 28 23:35:24 2008
    Date: Thu, 28 Aug 2008 23:35:24 +0200
    From: ... <michael@...>
    To: ...@....com
    Subject: ... testing script 28-08-08
    Message-ID: <20080828213524.GA9307@...>
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="k+w/mQv8wyuph6w0"
    Content-Disposition: inline
    User-Agent: Mutt/1.5.17+20080114 (2008-01-14)
    Status: RO
    Content-Length: 236
    Lines: 13


    --k+w/mQv8wyuph6w0
    Content-Type: text/plain; charset=us-ascii
    Content-Disposition: inline


    --k+w/mQv8wyuph6w0
    Content-Type: text/plain; charset=us-ascii
    Content-Disposition: attachment; filename=readme

    test 123

    --k+w/mQv8wyuph6w0--
    Any idea where I am going wrong?

    Thanks in advance,
    Michael

  3. #3
    Join Date
    May 2007
    Location
    sLOVEnia
    Beans
    223
    Distro
    Kubuntu 8.04 Hardy Heron

    Re: Get your logs/rootkit reports and send it to email daily

    Install exim4.
    Code:
    sudo apt-get install exim4
    Then run the setup for it
    Code:
    sudo dpkg-reconfigure exim4-config
    Select the first option
    Code:
    internet site; mail is sent and received directly using SMTP
    Then just press Enter a million times, then try emailing again.
    Code:
    echo "test 123" > readme ; email your@mail.here "testing script" readme ; rm readme
    Please write the results

  4. #4
    Join Date
    Jul 2008
    Location
    Atlanta, GA
    Beans
    813

    Question Re: Send your logs/rootkits report on email

    qstraza
    Save it in /usr/sbin/ ?
    How do you save in /usr/sbin/? I click save and get option of documents, pictures.

    Pasted mutt rkhunter chkrootkit logwatch run and file not created yet. Create? Is this where I post the email?

    Pressed internet site; mail is sent and received directly using SMTP and then got IP-addresses to listen on for incoming SMTP connections. Stopped there for uncertain what to do?
    Last edited by Camilia; August 29th, 2008 at 07:08 AM. Reason: add

  5. #5
    Join Date
    May 2007
    Location
    sLOVEnia
    Beans
    223
    Distro
    Kubuntu 8.04 Hardy Heron

    Re: Send your logs/rootkits report on email

    Copy this
    Code:
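    #!/bin/bash
    # Mail a file as an attachment: email <recipient> <subject> <attachment_file>
    if [ $# -lt 3 ]; then
        echo "Usage:"
        echo "$0 user@gmail.com subject attachment_file"
        exit 1
    fi
    
    date=$(date +%d-%m-%y)
    to=$1
    sub=$2
    # Subject line: "<hostname> <subject> <dd-mm-yy>"
    subject="$(hostname) $sub $date"
    attach=$3
    
    # Quote the arguments so names with spaces survive; "--" ends the attachment list
    mutt -s "$subject" -a "$attach" -- "$to" < /dev/null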
    and paste it into a file.
    Do it like in Windows. Open your text editor, paste the above code in it and save it in your home directory as email.
    Then open a terminal, type "cd" so you will be in your home dir, and type "chmod +x email" and then "sudo mv email /usr/local/bin/". Now your email script should be in /usr/local/bin/.

    The same goes for
    Code:
    sudo apt-get install mutt rkhunter chkrootkit logwatch
    Copy this and paste it in your TERMINAL. You should see stuff installing...

    Then try that thing which sends you mail to check if it is working, and follow the steps...

    Hope this helps. If not, I'll try to explain it even more.
    Last edited by qstraza; August 30th, 2008 at 10:18 AM.

  6. #6
    Join Date
    Jul 2008
    Location
    Atlanta, GA
    Beans
    813

    Re: Send your logs/rootkits report on email

    Now I am very confused. I don't know what a text editor is. Also why do make a program that is mailed to me. Seems this leaves an opening for a virus. I thought this to be a simple root test.

    Why Get your logs/rootkit reports and send it to email daily?
    I just want a program to scan my computer. For don't want to a chance that I accidentally let a virus in, as happened in windows after copying pictures for my avatar.
    Last edited by Camilia; August 30th, 2008 at 07:21 AM.

  7. #7
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Send your logs/rootkits report on email

    To Camilia:

    You can find a text editor in Applications-->Accessories-->Text Editor. You can use it to edit configuration files and create scripts.

    to qstraza:

    You should never save scripts in /usr/sbin, the proper place would be /usr/local/bin

    Jim

  8. #8
    Join Date
    May 2007
    Location
    sLOVEnia
    Beans
    223
    Distro
    Kubuntu 8.04 Hardy Heron

    Re: Send your logs/rootkits report on email

    Originally posted by cariboo907:
    To Camilia:

    You can find a text editor in Applications-->Accessories-->Text Editor. You can use it to edit configuration files and create scripts.

    to qstraza:

    You should never save scripts in /usr/sbin, the proper place would be /usr/local/bin

    Jim
    Ok, changed, thanks

  9. #9
    Join Date
    May 2007
    Location
    sLOVEnia
    Beans
    223
    Distro
    Kubuntu 8.04 Hardy Heron

    Re: Send your logs/rootkits report on email

    Originally posted by Camilia:
    Now I am very confused. I don't know what a text editor is. Also why do make a program that is mailed to me. Seems this leaves an opening for a virus. I thought this to be a simple root test.

    Why Get your logs/rootkit reports and send it to email daily?
    I just want a program to scan my computer. For don't want to a chance that I accidentally let a virus in, as happened in windows after copying pictures for my avatar.
    Well, if you don't like emailing reports, then you can edit the script so that it won't send you an email but will save the reports on the HDD. Or you can run the checks manually if you want.

  10. #10
    Join Date
    Jul 2008
    Location
    Atlanta, GA
    Beans
    813

    Question Re: Send your logs/rootkits report on email

    You can run checking manually if you want. How is this done?

    Clicked save. Save to kim as hd.
    #!/bin/bash
    if [ $# -eq 0 ]; then
    echo Usage:
    echo $0 user@gmail.com subject attachment_file
    exit 1;
    fi

    date=`date +%d-%m-%y`
    to=$1
    sub=$2
    subject="`hostname` $sub $date"
    attach="$3"

    mutt -s "$subject" -a $attach $to < /dev/null

    What does this mean?

    If I save it as email where does the email get sent?
    Last edited by Camilia; September 26th, 2008 at 07:37 AM.
