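#!/usr/bin/perl
# SuMon(itor) by bansh33 [www.r00tabega.com]
# r00tabega security labs 2000
# ---------------------------------
# Description:
# Runs in the background to monitor
# ps -aux and /var/log/messages for successful user attempts to
# su to root. Immediately upon detecting one,
# a log is created in /tmp/sumon.log and it is mailed somewhere
# so that even if the original log is cleaned, there
# will still be a copy.
# If you want to play around with this, you can easily change
# what action is taken when it detects an opening su session.
# This is basically a quick hack thrown together in a few minutes,
# but it wouldn't be much work to add many more features (i.e.
# ignore su -'s from certain users, etc.)
#
# Run as root with: ./sumon.pl
#
# ---------------------------------
use strict;
use warnings;
use Fcntl;    # O_* flags for sysopen

# Set the following variables:
my $mailprog  = "/usr/sbin/sendmail";
my $emailaddy = "root";               # recipient of every alert mail
my $logpath   = "/tmp/sumon.log";     # local copy of every alert
my $msgfile   = "/var/log/messages";
my $interval  = 1;                    # seconds between polls; a shorter
                                      # interval catches briefer su
                                      # processes at more CPU cost
# ---------------------------------

# Read $path and return its lines without trailing newlines.
# Returns an empty list (after a warning) when the file cannot be opened,
# so a missing or rotated log does not kill the monitor.
sub _read_lines {
    my ($path) = @_;
    open my $fh, '<', $path or do {
        warn "open $path: $!";
        return;
    };
    my @lines = <$fh>;
    close $fh;
    chomp @lines;
    return @lines;
}

# Open the alert log for appending and return the handle.
# The default log lives in /tmp, which is world-writable: O_NOFOLLOW
# refuses to write through a symlink planted there by another local
# user, and 0600 (applied only on creation) keeps the record private.
# Dies when the file cannot be opened.
sub _open_log {
    my ($path) = @_;
    sysopen my $log, $path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600
        or die "open $path: $!";
    return $log;
}

# Open a pipe to the mailer, write the message headers and return the
# handle; the body is printed by the caller.  sendmail -t takes the
# recipient from the To: header, so without it nothing is ever delivered.
# List-form open runs no shell, so $prog and $to are never interpreted.
# Dies when the mailer cannot be started.
sub _open_mail {
    my ($prog, $to) = @_;
    open my $mail, '|-', $prog, '-t' or die "open pipe to $prog: $!";
    print {$mail} "To: $to\n",
                  "Subject: SuMon alert: su to root detected\n",
                  "\n";
    return $mail;
}

# Write one detection record, identically, to the log and to the mail.
#   $where    - what was being monitored ("ps -aux" or the log file name)
#   $evidence - the offending line, already chomped
#   $context  - array ref of `w` output lines captured for this pass
# Each record carries the time of detection rather than the time the
# monitor was started.
sub _report {
    my ($log, $mail, $where, $evidence, $context) = @_;
    my $stamp = scalar localtime;
    my $text  = "---SuMon by bansh33 [www.r00tabega.com]---\n"
              . "Detected attempt while monitoring $where on $stamp:\n"
              . "$evidence\n"
              . "Additional information:\n"
              . join('', @{$context})
              . "\n\n";
    for my $fh ($log, $mail) {
        print {$fh} $text;
    }
    return;
}

print "Starting SuMon by bansh33 [www.r00tabega.com]...\n";
print "Process ID:";
print $$;
print "\nMonitoring...";

# Lines of $msgfile present at startup are history, not new events.
my @history    = _read_lines($msgfile);
my $seen_lines = scalar @history;
my %reported;    # PID => 1 for every su process already written up

while (1) {
    my @events;    # [ what was being monitored, the offending line ]

    # ps -aux: report each su process once, keyed on its PID (second
    # column of ps output), so a long-lived session is not re-reported on
    # every pass just because its CPU/time columns changed.
    my %live;
    for my $line (`ps -aux`) {
        chomp $line;
        next unless $line =~ /\bsu -/;
        my $pid = (split ' ', $line)[1];
        $pid = $line unless defined $pid;    # malformed line: key on itself
        $live{$pid} = 1;
        push @events, ['ps -aux', $line] unless $reported{$pid};
    }
    %reported = %live;    # forget PIDs whose process has exited

    # /var/log/messages: examine only the lines appended since the last
    # pass.  Parentheses are escaped so the pattern matches the literal
    # "(su)" syslog writes.
    my @messages = _read_lines($msgfile);
    $seen_lines = 0 if @messages < $seen_lines;    # rotated or truncated
    for my $msg (@messages[$seen_lines .. $#messages]) {
        push @events, [$msgfile, $msg]
            if $msg =~ /\(su\) session opened for user root/;
    }
    $seen_lines = scalar @messages;

    # Only touch the log and the mailer when there is something to say;
    # an empty message to sendmail -t is rejected for lack of recipients.
    if (@events) {
        my @context = `w`;
        my $log     = _open_log($logpath);
        my $mail    = _open_mail($mailprog, $emailaddy);
        _report($log, $mail, @{$_}, \@context) for @events;
        close $log  or warn "close $logpath: $!";
        close $mail or warn "close $mailprog: $!";
    }

    sleep $interval;
}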